Title: [230607] branches/safari-605.1.33.1-branch
Revision
230607
Author
kocsen_ch...@apple.com
Date
2018-04-12 16:27:43 -0700 (Thu, 12 Apr 2018)

Log Message

Cherry-pick r229505. rdar://problem/39371567

    Turn off offset*/scroll* optimization for input elements with shadow content
    https://bugs.webkit.org/show_bug.cgi?id=182383
    <rdar://problem/37114190>

    Reviewed by Antti Koivisto.

    Source/WebCore:

    We normally ensure clean tree before calling offsetHeight/Width, scrollHeight/Width.
    In certain cases (see updateLayoutIfDimensionsOutOfDate() for details), it's okay to return
    the previously computed values even when some part of the tree is dirty.
    In case of shadow content, updateLayoutIfDimensionsOutOfDate() might return false (no need to layout)
    for the root, while true (needs layout) for the shadow content.
    This could confuse the caller (Element::scrollWidth/Height etc) and lead to incorrect result.

    Test: fast/forms/scrollheight-with-mutation-crash.html

    * dom/Document.cpp:
    (WebCore::Document::updateLayoutIfDimensionsOutOfDate):

    LayoutTests:

    * fast/forms/scrollheight-with-mutation-crash-expected.txt: Added.
    * fast/forms/scrollheight-with-mutation-crash.html: Added.

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@229505 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Modified Paths

Added Paths

Diff

Modified: branches/safari-605.1.33.1-branch/LayoutTests/ChangeLog (230606 => 230607)


--- branches/safari-605.1.33.1-branch/LayoutTests/ChangeLog	2018-04-12 23:24:14 UTC (rev 230606)
+++ branches/safari-605.1.33.1-branch/LayoutTests/ChangeLog	2018-04-12 23:27:43 UTC (rev 230607)
@@ -1,3 +1,45 @@
+2018-04-12  Kocsen Chung  <kocsen_ch...@apple.com>
+
+        Cherry-pick r229505. rdar://problem/39371567
+
+    Turn off offset*/scroll* optimization for input elements with shadow content
+    https://bugs.webkit.org/show_bug.cgi?id=182383
+    <rdar://problem/37114190>
+    
+    Reviewed by Antti Koivisto.
+    
+    Source/WebCore:
+    
+    We normally ensure clean tree before calling offsetHeight/Width, scrollHeight/Width.
+    In certain cases (see updateLayoutIfDimensionsOutOfDate() for details), it's okay to return
+    the previously computed values even when some part of the tree is dirty.
+    In case of shadow content, updateLayoutIfDimensionsOutOfDate() might return false (no need to layout)
+    for the root, while true (needs layout) for the shadow content.
+    This could confuse the caller (Element::scrollWidth/Height etc) and lead to incorrect result.
+    
+    Test: fast/forms/scrollheight-with-mutation-crash.html
+    
+    * dom/Document.cpp:
+    (WebCore::Document::updateLayoutIfDimensionsOutOfDate):
+    
+    LayoutTests:
+    
+    * fast/forms/scrollheight-with-mutation-crash-expected.txt: Added.
+    * fast/forms/scrollheight-with-mutation-crash.html: Added.
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@229505 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2018-03-09  Zalan Bujtas  <za...@apple.com>
+
+            Turn off offset*/scroll* optimization for input elements with shadow content
+            https://bugs.webkit.org/show_bug.cgi?id=182383
+            <rdar://problem/37114190>
+
+            Reviewed by Antti Koivisto.
+
+            * fast/forms/scrollheight-with-mutation-crash-expected.txt: Added.
+            * fast/forms/scrollheight-with-mutation-crash.html: Added.
+
 2018-02-28  Jason Marcell  <jmarc...@apple.com>
 
         Cherry-pick r229086. rdar://problem/37991718

Added: branches/safari-605.1.33.1-branch/LayoutTests/fast/forms/scrollheight-with-mutation-crash-expected.txt (0 => 230607)


--- branches/safari-605.1.33.1-branch/LayoutTests/fast/forms/scrollheight-with-mutation-crash-expected.txt	                        (rev 0)
+++ branches/safari-605.1.33.1-branch/LayoutTests/fast/forms/scrollheight-with-mutation-crash-expected.txt	2018-04-12 23:27:43 UTC (rev 230607)
@@ -0,0 +1 @@
+PASS if no crash.  

Added: branches/safari-605.1.33.1-branch/LayoutTests/fast/forms/scrollheight-with-mutation-crash.html (0 => 230607)


--- branches/safari-605.1.33.1-branch/LayoutTests/fast/forms/scrollheight-with-mutation-crash.html	                        (rev 0)
+++ branches/safari-605.1.33.1-branch/LayoutTests/fast/forms/scrollheight-with-mutation-crash.html	2018-04-12 23:27:43 UTC (rev 230607)
@@ -0,0 +1,20 @@
+<style>
+input:enabled { 
+    content: url(#foo);
+    width: 10vmin;
+}
+
+keygen {
+    -webkit-transform: scale(12, 125);
+}
+</style>
+PASS if no crash.
+<keygen id=keygen>
+<input id=input type="search">
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+document.body.offsetHeight;
+keygen.remove();
+input.scrollHeight;
+</script>

Modified: branches/safari-605.1.33.1-branch/Source/WebCore/ChangeLog (230606 => 230607)


--- branches/safari-605.1.33.1-branch/Source/WebCore/ChangeLog	2018-04-12 23:24:14 UTC (rev 230606)
+++ branches/safari-605.1.33.1-branch/Source/WebCore/ChangeLog	2018-04-12 23:27:43 UTC (rev 230607)
@@ -1,3 +1,54 @@
+2018-04-12  Kocsen Chung  <kocsen_ch...@apple.com>
+
+        Cherry-pick r229505. rdar://problem/39371567
+
+    Turn off offset*/scroll* optimization for input elements with shadow content
+    https://bugs.webkit.org/show_bug.cgi?id=182383
+    <rdar://problem/37114190>
+    
+    Reviewed by Antti Koivisto.
+    
+    Source/WebCore:
+    
+    We normally ensure clean tree before calling offsetHeight/Width, scrollHeight/Width.
+    In certain cases (see updateLayoutIfDimensionsOutOfDate() for details), it's okay to return
+    the previously computed values even when some part of the tree is dirty.
+    In case of shadow content, updateLayoutIfDimensionsOutOfDate() might return false (no need to layout)
+    for the root, while true (needs layout) for the shadow content.
+    This could confuse the caller (Element::scrollWidth/Height etc) and lead to incorrect result.
+    
+    Test: fast/forms/scrollheight-with-mutation-crash.html
+    
+    * dom/Document.cpp:
+    (WebCore::Document::updateLayoutIfDimensionsOutOfDate):
+    
+    LayoutTests:
+    
+    * fast/forms/scrollheight-with-mutation-crash-expected.txt: Added.
+    * fast/forms/scrollheight-with-mutation-crash.html: Added.
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@229505 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2018-03-09  Zalan Bujtas  <za...@apple.com>
+
+            Turn off offset*/scroll* optimization for input elements with shadow content
+            https://bugs.webkit.org/show_bug.cgi?id=182383
+            <rdar://problem/37114190>
+
+            Reviewed by Antti Koivisto.
+
+            We normally ensure clean tree before calling offsetHeight/Width, scrollHeight/Width.
+            In certain cases (see updateLayoutIfDimensionsOutOfDate() for details), it's okay to return
+            the previously computed values even when some part of the tree is dirty.
+            In case of shadow content, updateLayoutIfDimensionsOutOfDate() might return false (no need to layout)
+            for the root, while true (needs layout) for the shadow content.
+            This could confuse the caller (Element::scrollWidth/Height etc) and lead to incorrect result.
+
+            Test: fast/forms/scrollheight-with-mutation-crash.html
+
+            * dom/Document.cpp:
+            (WebCore::Document::updateLayoutIfDimensionsOutOfDate):
+
 2018-02-28  Jason Marcell  <jmarc...@apple.com>
 
         Cherry-pick r229086. rdar://problem/37991718

Modified: branches/safari-605.1.33.1-branch/Source/WebCore/dom/Document.cpp (230606 => 230607)


--- branches/safari-605.1.33.1-branch/Source/WebCore/dom/Document.cpp	2018-04-12 23:24:14 UTC (rev 230606)
+++ branches/safari-605.1.33.1-branch/Source/WebCore/dom/Document.cpp	2018-04-12 23:27:43 UTC (rev 230607)
@@ -2079,6 +2079,10 @@
         requireFullLayout = true;
     }
 
+    // Turn off this optimization for input elements with shadow content.
+    if (is<HTMLInputElement>(element))
+        requireFullLayout = true;
+
     bool isVertical = renderer && !renderer->isHorizontalWritingMode();
     bool checkingLogicalWidth = ((dimensionsCheck & WidthDimensionsCheck) && !isVertical) || ((dimensionsCheck & HeightDimensionsCheck) && isVertical);
     bool checkingLogicalHeight = ((dimensionsCheck & HeightDimensionsCheck) && !isVertical) || ((dimensionsCheck & WidthDimensionsCheck) && isVertical);
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to