[webkit-changes] [240849] trunk/Source/WebCore

[simon . fraser]

Title: [240849] trunk/Source/WebCore

Revision

240849

Author

simon.fra...@apple.com

Date

2019-02-01 08:45:15 -0800 (Fri, 01 Feb 2019)

Log Message

REGRESSION (r240698): fast/scrolling/sticky-to-fixed.html can cause a crash
https://bugs.webkit.org/show_bug.cgi?id=194134
rdar://problem/47721210

Reviewed by Daniel Bates.

fast/scrolling/sticky-to-fixed.html changes the scrolling node type, which causes
scrollingCoordinator->insertNode() to return a different ScrollingNodeID to the one
passed in. We have to handle this, removing the node for the nodeID and unregistering
the layer with the old nodeID.

* rendering/RenderLayerCompositor.cpp:
(WebCore::RenderLayerCompositor::attachScrollingNode):

Modified Paths

• trunk/Source/WebCore/ChangeLog
• trunk/Source/WebCore/rendering/RenderLayerCompositor.cpp

Diff

Modified: trunk/Source/WebCore/ChangeLog (240848 => 240849)

--- trunk/Source/WebCore/ChangeLog	2019-02-01 14:36:31 UTC (rev 240848)
+++ trunk/Source/WebCore/ChangeLog	2019-02-01 16:45:15 UTC (rev 240849)
@@ -1,3 +1,19 @@
+2019-02-01  Simon Fraser  <simon.fra...@apple.com>
+
+        REGRESSION (r240698): fast/scrolling/sticky-to-fixed.html can cause a crash
+        https://bugs.webkit.org/show_bug.cgi?id=194134
+        rdar://problem/47721210
+
+        Reviewed by Daniel Bates.
+
+        fast/scrolling/sticky-to-fixed.html changes the scrolling node type, which causes
+        scrollingCoordinator->insertNode() to return a different ScrollingNodeID to the one
+        passed in. We have to handle this, removing the node for the nodeID and unregistering
+        the layer with the old nodeID.
+
+        * rendering/RenderLayerCompositor.cpp:
+        (WebCore::RenderLayerCompositor::attachScrollingNode):
+
 2019-02-01  Carlos Garcia Campos  <cgar...@igalia.com>
 
         REGRESSION(r239915): css3/font-feature-font-face-local.html failing on WPE

Modified: trunk/Source/WebCore/rendering/RenderLayerCompositor.cpp (240848 => 240849)

--- trunk/Source/WebCore/rendering/RenderLayerCompositor.cpp	2019-02-01 14:36:31 UTC (rev 240848)
+++ trunk/Source/WebCore/rendering/RenderLayerCompositor.cpp	2019-02-01 16:45:15 UTC (rev 240849)
@@ -3782,8 +3782,15 @@
 
     if (nodeType == ScrollingNodeType::Subframe && !treeState.parentNodeID)
         nodeID = scrollingCoordinator->createNode(nodeType, nodeID);
-    else
-        nodeID = scrollingCoordinator->insertNode(nodeType, nodeID, treeState.parentNodeID.valueOr(0), treeState.nextChildIndex);
+    else {
+        auto newNodeID = scrollingCoordinator->insertNode(nodeType, nodeID, treeState.parentNodeID.valueOr(0), treeState.nextChildIndex);
+        if (newNodeID != nodeID) {
+            // We'll get a new nodeID if the type changed (and not if the node is new).
+            scrollingCoordinator->unparentChildrenAndDestroyNode(nodeID);
+            m_scrollingNodeToLayerMap.remove(nodeID);
+        }
+        nodeID = newNodeID;
+    }
 
     ASSERT(nodeID);
     if (!nodeID)

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes