Skip to site navigation (Press enter)

[webkit-changes] [229505] trunk

zalan Sat, 10 Mar 2018 11:32:13 -0800

Title: [229505] trunk

Revision: 229505
Author: za...@apple.com
Date: 2018-03-10 11:31:14 -0800 (Sat, 10 Mar 2018)

Log Message

Turn off offset*/scroll* optimization for input elements with shadow content
https://bugs.webkit.org/show_bug.cgi?id=182383
<rdar://problem/37114190>


Reviewed by Antti Koivisto.

Source/WebCore:

We normally ensure clean tree before calling offsetHeight/Width, scrollHeight/Width.
In certain cases (see updateLayoutIfDimensionsOutOfDate() for details), it's okay to return
the previously computed values even when some part of the tree is dirty.
In case of shadow content, updateLayoutIfDimensionsOutOfDate() might return false (no need to layout)
for the root, while true (needs layout) for the shadow content.
This could confuse the caller (Element::scrollWidth/Height etc) and lead to incorrect result.

Test: fast/forms/scrollheight-with-mutation-crash.html

* dom/Document.cpp:
(WebCore::Document::updateLayoutIfDimensionsOutOfDate):

LayoutTests:

* fast/forms/scrollheight-with-mutation-crash-expected.txt: Added.
* fast/forms/scrollheight-with-mutation-crash.html: Added.

Modified Paths

trunk/LayoutTests/ChangeLog
trunk/Source/WebCore/ChangeLog
trunk/Source/WebCore/dom/Document.cpp

Added Paths

trunk/LayoutTests/fast/forms/scrollheight-with-mutation-crash-expected.txt
trunk/LayoutTests/fast/forms/scrollheight-with-mutation-crash.html

Diff

Modified: trunk/LayoutTests/ChangeLog (229504 => 229505)


--- trunk/LayoutTests/ChangeLog	2018-03-10 17:28:09 UTC (rev 229504)
+++ trunk/LayoutTests/ChangeLog	2018-03-10 19:31:14 UTC (rev 229505)
@@ -1,3 +1,14 @@
+2018-03-09  Zalan Bujtas  <za...@apple.com>
+
+        Turn off offset*/scroll* optimization for input elements with shadow content
+        https://bugs.webkit.org/show_bug.cgi?id=182383
+        <rdar://problem/37114190>
+
+        Reviewed by Antti Koivisto.
+
+        * fast/forms/scrollheight-with-mutation-crash-expected.txt: Added.
+        * fast/forms/scrollheight-with-mutation-crash.html: Added.
+
 2018-03-10  Wenson Hsieh  <wenson_hs...@apple.com>
 
         [macOS] Copying a table from the Numbers app and pasting into iCloud Numbers fails

Added: trunk/LayoutTests/fast/forms/scrollheight-with-mutation-crash-expected.txt (0 => 229505)


--- trunk/LayoutTests/fast/forms/scrollheight-with-mutation-crash-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/forms/scrollheight-with-mutation-crash-expected.txt	2018-03-10 19:31:14 UTC (rev 229505)
@@ -0,0 +1 @@
+PASS if no crash.

Added: trunk/LayoutTests/fast/forms/scrollheight-with-mutation-crash.html (0 => 229505)


--- trunk/LayoutTests/fast/forms/scrollheight-with-mutation-crash.html	                        (rev 0)
+++ trunk/LayoutTests/fast/forms/scrollheight-with-mutation-crash.html	2018-03-10 19:31:14 UTC (rev 229505)
@@ -0,0 +1,20 @@
+<style>
+input:enabled { 
+    content: url(#foo);
+    width: 10vmin;
+}
+
+keygen {
+    -webkit-transform: scale(12, 125);
+}
+</style>
+PASS if no crash.
+<keygen id=keygen>
+<input id=input type="search">
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+document.body.offsetHeight;
+keygen.remove();
+input.scrollHeight;
+</script>

Modified: trunk/Source/WebCore/ChangeLog (229504 => 229505)


--- trunk/Source/WebCore/ChangeLog	2018-03-10 17:28:09 UTC (rev 229504)
+++ trunk/Source/WebCore/ChangeLog	2018-03-10 19:31:14 UTC (rev 229505)
@@ -1,3 +1,23 @@
+2018-03-09  Zalan Bujtas  <za...@apple.com>
+
+        Turn off offset*/scroll* optimization for input elements with shadow content
+        https://bugs.webkit.org/show_bug.cgi?id=182383
+        <rdar://problem/37114190>
+
+        Reviewed by Antti Koivisto.
+
+        We normally ensure clean tree before calling offsetHeight/Width, scrollHeight/Width.
+        In certain cases (see updateLayoutIfDimensionsOutOfDate() for details), it's okay to return
+        the previously computed values even when some part of the tree is dirty.
+        In case of shadow content, updateLayoutIfDimensionsOutOfDate() might return false (no need to layout)
+        for the root, while true (needs layout) for the shadow content.
+        This could confuse the caller (Element::scrollWidth/Height etc) and lead to incorrect result.
+
+        Test: fast/forms/scrollheight-with-mutation-crash.html
+
+        * dom/Document.cpp:
+        (WebCore::Document::updateLayoutIfDimensionsOutOfDate):
+
 2018-03-10  Wenson Hsieh  <wenson_hs...@apple.com>
 
         [macOS] Copying a table from the Numbers app and pasting into iCloud Numbers fails

Modified: trunk/Source/WebCore/dom/Document.cpp (229504 => 229505)


--- trunk/Source/WebCore/dom/Document.cpp	2018-03-10 17:28:09 UTC (rev 229504)
+++ trunk/Source/WebCore/dom/Document.cpp	2018-03-10 19:31:14 UTC (rev 229505)
@@ -2074,6 +2074,10 @@
         requireFullLayout = true;
     }
 
+    // Turn off this optimization for input elements with shadow content.
+    if (is<HTMLInputElement>(element))
+        requireFullLayout = true;
+
     bool isVertical = renderer && !renderer->isHorizontalWritingMode();
     bool checkingLogicalWidth = ((dimensionsCheck & WidthDimensionsCheck) && !isVertical) || ((dimensionsCheck & HeightDimensionsCheck) && isVertical);
     bool checkingLogicalHeight = ((dimensionsCheck & HeightDimensionsCheck) && !isVertical) || ((dimensionsCheck & WidthDimensionsCheck) && isVertical);

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes