- Revision
- 222554
- Author
- [email protected]
- Date
- 2017-09-27 08:32:55 -0700 (Wed, 27 Sep 2017)
Log Message
REGRESSION (r222040): Crash navigating out of gfycat.com url
https://bugs.webkit.org/show_bug.cgi?id=177531
Source/WebCore:
<rdar://problem/34602601>
Reviewed by Geoff Garen.
Animation structures are normally removed when the render tree is torn down.
However there are cases where we can instantiate animation without creating a renderer
and we need to make sure animations are canceled in these cases too.
CompositeAnimations should also ref the element but that can be done separately.
Test: fast/animation/animation-element-removal.html
* dom/Element.cpp:
(WebCore::Element::removedFrom):
Ensure animations are canceled when element is removed from the tree.
(WebCore::Element::clearHasPendingResources):
(WebCore::Element::hasCSSAnimation const):
(WebCore::Element::setHasCSSAnimation):
(WebCore::Element::clearHasCSSAnimation):
Add a bit so we don't need to do hash lookups for every removal.
* dom/Element.h:
* dom/ElementRareData.h:
(WebCore::ElementRareData::hasCSSAnimation const):
(WebCore::ElementRareData::setHasCSSAnimation):
(WebCore::ElementRareData::ElementRareData):
* page/animation/CSSAnimationController.cpp:
(WebCore::CSSAnimationControllerPrivate::ensureCompositeAnimation):
Test for the bit.
(WebCore::CSSAnimationControllerPrivate::clear):
(WebCore::CSSAnimationController::cancelAnimations):
LayoutTests:
Reviewed by Geoff Garen.
* fast/animation/animation-element-removal-expected.txt: Added.
* fast/animation/animation-element-removal.html: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (222553 => 222554)
--- trunk/LayoutTests/ChangeLog 2017-09-27 14:45:13 UTC (rev 222553)
+++ trunk/LayoutTests/ChangeLog 2017-09-27 15:32:55 UTC (rev 222554)
@@ -1,3 +1,13 @@
+2017-09-27 Antti Koivisto <[email protected]>
+
+ REGRESSION (r222040): Crash navigating out of gfycat.com url
+ https://bugs.webkit.org/show_bug.cgi?id=177531
+
+ Reviewed by Geoff Garen.
+
+ * fast/animation/animation-element-removal-expected.txt: Added.
+ * fast/animation/animation-element-removal.html: Added.
+
2017-09-27 Per Arne Vollan <[email protected]>
Mark accessibility/image-load-on-delay.html as a failure on Windows.
Added: trunk/LayoutTests/fast/animation/animation-element-removal-expected.txt (0 => 222554)
--- trunk/LayoutTests/fast/animation/animation-element-removal-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/animation/animation-element-removal-expected.txt 2017-09-27 15:32:55 UTC (rev 222554)
@@ -0,0 +1 @@
+This test passes if it doesn't hit an assert
Added: trunk/LayoutTests/fast/animation/animation-element-removal.html (0 => 222554)
--- trunk/LayoutTests/fast/animation/animation-element-removal.html (rev 0)
+++ trunk/LayoutTests/fast/animation/animation-element-removal.html 2017-09-27 15:32:55 UTC (rev 222554)
@@ -0,0 +1,24 @@
+<html>
+<head>
+<style>
+foo { animation: anim 0s infinite alternate;}
+</style>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+function js() {
+var test = document.getElementById("test");
+document.createElement("div").insertAdjacentElement("afterBegin",test);
+window._onpageshow_ = function() {
+ setTimeout(() => {
+ location.href = "" _onload_="testRunner.notifyDone()">This test passes if it doesn't hit an assert`;
+ }, 10);
+};
+}
+</script>
+</head>
+<body _onload_=js()>
+<svg>
+<foo id="test">
Modified: trunk/Source/WebCore/ChangeLog (222553 => 222554)
--- trunk/Source/WebCore/ChangeLog 2017-09-27 14:45:13 UTC (rev 222553)
+++ trunk/Source/WebCore/ChangeLog 2017-09-27 15:32:55 UTC (rev 222554)
@@ -1,3 +1,44 @@
+2017-09-27 Antti Koivisto <[email protected]>
+
+ REGRESSION (r222040): Crash navigating out of gfycat.com url
+ https://bugs.webkit.org/show_bug.cgi?id=177531
+ <rdar://problem/34602601>
+
+ Reviewed by Geoff Garen.
+
+ Animation structures are normally removed when the render tree is torn down.
+ However there are cases where we can instantiate animation without creating a renderer
+ and we need to make sure animations are canceled in these cases too.
+
+ CompositeAnimations should also ref the element but that can be done separately.
+
+ Test: fast/animation/animation-element-removal.html
+
+ * dom/Element.cpp:
+ (WebCore::Element::removedFrom):
+
+ Ensure animations are canceled when element is removed from the tree.
+
+ (WebCore::Element::clearHasPendingResources):
+ (WebCore::Element::hasCSSAnimation const):
+ (WebCore::Element::setHasCSSAnimation):
+ (WebCore::Element::clearHasCSSAnimation):
+
+ Add a bit so we don't need to do hash lookups for every removal.
+
+ * dom/Element.h:
+ * dom/ElementRareData.h:
+ (WebCore::ElementRareData::hasCSSAnimation const):
+ (WebCore::ElementRareData::setHasCSSAnimation):
+ (WebCore::ElementRareData::ElementRareData):
+ * page/animation/CSSAnimationController.cpp:
+ (WebCore::CSSAnimationControllerPrivate::ensureCompositeAnimation):
+
+ Test for the bit.
+
+ (WebCore::CSSAnimationControllerPrivate::clear):
+ (WebCore::CSSAnimationController::cancelAnimations):
+
2017-09-27 Joanmarie Diggs <[email protected]>
[ATK] atk_table_cell_get_position() should return values of aria-rowindex and aria-colindex, if present
Modified: trunk/Source/WebCore/dom/Element.cpp (222553 => 222554)
--- trunk/Source/WebCore/dom/Element.cpp 2017-09-27 14:45:13 UTC (rev 222553)
+++ trunk/Source/WebCore/dom/Element.cpp 2017-09-27 15:32:55 UTC (rev 222554)
@@ -29,6 +29,7 @@
#include "AXObjectCache.h"
#include "Attr.h"
#include "AttributeChangeInvalidation.h"
+#include "CSSAnimationController.h"
#include "CSSParser.h"
#include "Chrome.h"
#include "ChromeClient.h"
@@ -1764,9 +1765,12 @@
if (hasPendingResources())
document().accessSVGExtensions().removeElementFromPendingResources(this);
+ Frame* frame = document().frame();
+ if (frame)
+ frame->animation().cancelAnimations(*this);
#if PLATFORM(MAC)
- if (Frame* frame = document().frame())
+ if (frame)
frame->mainFrame().removeLatchingStateForTarget(*this);
#endif
}
@@ -3531,9 +3535,28 @@
void Element::clearHasPendingResources()
{
- ensureElementRareData().setHasPendingResources(false);
+ if (!hasRareData())
+ return;
+ elementRareData()->setHasPendingResources(false);
}
+bool Element::hasCSSAnimation() const
+{
+ return hasRareData() && elementRareData()->hasCSSAnimation();
+}
+
+void Element::setHasCSSAnimation()
+{
+ ensureElementRareData().setHasCSSAnimation(true);
+}
+
+void Element::clearHasCSSAnimation()
+{
+ if (!hasRareData())
+ return;
+ elementRareData()->setHasCSSAnimation(false);
+}
+
bool Element::canContainRangeEndPoint() const
{
return !equalLettersIgnoringASCIICase(attributeWithoutSynchronization(roleAttr), "img");
Modified: trunk/Source/WebCore/dom/Element.h (222553 => 222554)
--- trunk/Source/WebCore/dom/Element.h 2017-09-27 14:45:13 UTC (rev 222553)
+++ trunk/Source/WebCore/dom/Element.h 2017-09-27 15:32:55 UTC (rev 222554)
@@ -449,6 +449,10 @@
void clearHasPendingResources();
virtual void buildPendingResource() { };
+ bool hasCSSAnimation() const;
+ void setHasCSSAnimation();
+ void clearHasCSSAnimation();
+
#if ENABLE(FULLSCREEN_API)
WEBCORE_EXPORT bool containsFullScreenElement() const;
void setContainsFullScreenElement(bool);
Modified: trunk/Source/WebCore/dom/ElementRareData.h (222553 => 222554)
--- trunk/Source/WebCore/dom/ElementRareData.h 2017-09-27 14:45:13 UTC (rev 222553)
+++ trunk/Source/WebCore/dom/ElementRareData.h 2017-09-27 15:32:55 UTC (rev 222554)
@@ -107,6 +107,9 @@
bool hasPendingResources() const { return m_hasPendingResources; }
void setHasPendingResources(bool has) { m_hasPendingResources = has; }
+ bool hasCSSAnimation() const { return m_hasCSSAnimation; }
+ void setHasCSSAnimation(bool value) { m_hasCSSAnimation = value; }
+
private:
int m_tabIndex;
unsigned short m_childIndex;
@@ -118,6 +121,7 @@
unsigned m_containsFullScreenElement : 1;
#endif
unsigned m_hasPendingResources : 1;
+ unsigned m_hasCSSAnimation : 1;
unsigned m_childrenAffectedByHover : 1;
unsigned m_childrenAffectedByDrag : 1;
// Bits for dynamic child matching.
@@ -160,6 +164,7 @@
, m_containsFullScreenElement(false)
#endif
, m_hasPendingResources(false)
+ , m_hasCSSAnimation(false)
, m_childrenAffectedByHover(false)
, m_childrenAffectedByDrag(false)
, m_childrenAffectedByLastChildRules(false)
Modified: trunk/Source/WebCore/page/animation/CSSAnimationController.cpp (222553 => 222554)
--- trunk/Source/WebCore/page/animation/CSSAnimationController.cpp 2017-09-27 14:45:13 UTC (rev 222553)
+++ trunk/Source/WebCore/page/animation/CSSAnimationController.cpp 2017-09-27 15:32:55 UTC (rev 222554)
@@ -85,6 +85,8 @@
CompositeAnimation& CSSAnimationControllerPrivate::ensureCompositeAnimation(Element& element)
{
+ element.setHasCSSAnimation();
+
auto result = m_compositeAnimations.ensure(&element, [&] {
return CompositeAnimation::create(*this);
});
@@ -97,6 +99,12 @@
bool CSSAnimationControllerPrivate::clear(Element& element)
{
+ ASSERT(element.hasCSSAnimation() == m_compositeAnimations.contains(&element));
+
+ if (!element.hasCSSAnimation())
+ return false;
+ element.clearHasCSSAnimation();
+
auto it = m_compositeAnimations.find(&element);
if (it == m_compositeAnimations.end())
return false;
