[Webkit-unassigned] [Bug 190169] New: RenderBox::clippedOverflowRectForRepaint() should not use enclosingLayer()->hasVisibleContent()

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Oct 1 15:12:49 PDT 2018 

https://bugs.webkit.org/show_bug.cgi?id=190169

            Bug ID: 190169
           Summary: RenderBox::clippedOverflowRectForRepaint() should not
                    use enclosingLayer()->hasVisibleContent()
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Layout and Rendering
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: simon.fraser at apple.com
                CC: bfulgham at webkit.org, simon.fraser at apple.com,
                    zalan at apple.com

RenderBox::clippedOverflowRectForRepaint() calls enclosingLayer()->hasVisibleContent(), but hasVisibleContent() relies on an up-to-date RenderLayer tree with updated z-order lists, which we can't guarantee at the time when clippedOverflowRectForRepaint() is called (i.e. during layout). Here's an example of a bad stack:

2   com.apple.WebCore                   0x000000076b2537aa WebCore::RenderLayer::hasVisibleContent() const + 122 (RenderLayer.cpp:956)
3   com.apple.WebCore                   0x000000076b14a754 WebCore::RenderBox::clippedOverflowRectForRepaint(WebCore::RenderLayerModelObject const*) const + 68 (RenderBox.cpp:2120)
4   com.apple.WebCore                   0x000000076b372946 WebCore::RenderText::clippedOverflowRectForRepaint(WebCore::RenderLayerModelObject const*) const + 214 (RenderText.cpp:1399)
5   com.apple.WebCore                   0x000000076b2eb4b5 WebCore::RenderObject::repaint() const + 133 (RenderObject.cpp:900)
6   com.apple.WebCore                   0x000000076b55ad12 WebCore::RenderTreeBuilder::detachFromRenderElement(WebCore::RenderElement&, WebCore::RenderObject&) + 578 (RenderTreeBuilder.cpp:795)
7   com.apple.WebCore                   0x000000076b570f14 WebCore::RenderTreeBuilder::Inline::splitInlines(WebCore::RenderInline&, WebCore::RenderBlock*, WebCore::RenderBlock*, WebCore::RenderBlock*, WebCore::RenderObject*, WebCore::RenderBoxModelObject*) + 4084
8   com.apple.WebCore                   0x000000076b56fa3f WebCore::RenderTreeBuilder::Inline::splitFlow(WebCore::RenderInline&, WebCore::RenderObject*, std::__1::unique_ptr<WebCore::RenderBlock, WebCore::RenderObjectDeleter>, std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderBoxModelObject*) + 4655 (RenderTreeBuilderInline.cpp:246)
9   com.apple.WebCore                   0x000000076b56debf WebCore::RenderTreeBuilder::Inline::attachIgnoringContinuation(WebCore::RenderInline&, std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) + 1551 (RenderTreeBuilderInline.cpp:188)
10  com.apple.WebCore                   0x000000076b56c662 WebCore::RenderTreeBuilder::Inline::attach(WebCore::RenderInline&, std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) + 1282 (RenderTreeBuilderInline.cpp:116)
11  com.apple.WebCore                   0x000000076b558611 WebCore::RenderTreeBuilder::attach(WebCore::RenderElement&, std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) + 12049 (RenderTreeBuilder.cpp:298)
12  com.apple.WebCore                   0x000000076b55b254 WebCore::RenderTreeBuilder::attach(WebCore::RenderTreePosition&, std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>) + 516 (RenderTreeBuilder.cpp:363)
13  com.apple.WebCore                   0x000000076b5870a5 WebCore::RenderTreeUpdater::createRenderer(WebCore::Element&, WebCore::RenderStyle&&) + 2517 (RenderTreeUpdater.cpp:397)
14  com.apple.WebCore                   0x000000076b58521a WebCore::RenderTreeUpdater::updateElementRenderer(WebCore::Element&, WebCore::Style::ElementUpdate const&) + 970 (RenderTreeUpdater.cpp:338)
15  com.apple.WebCore                   0x000000076b584752 WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) + 1138 (RenderTreeUpdater.cpp:204)
16  com.apple.WebCore                   0x000000076b583fcd WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >) + 1005
17  com.apple.WebCore                   0x000000076a01abe8 WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) + 2072 (Document.cpp:1916)
18  com.apple.WebCore                   0x000000076a01c3dd WebCore::Document::updateStyleIfNeeded() + 493 (Document.cpp:2024)
19  com.apple.WebCore                   0x000000076a034f43 WebCore::Document::finishedParsing() + 595 (Document.cpp:5524)
20  com.apple.WebCore                   0x000000076a5c7cb8 WebCore::HTMLConstructionSite::finishedParsing() + 24 (HTMLConstructionSite.cpp:420)

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20181001/ad63b04e/attachment.html>

More information about the webkit-unassigned mailing list