Diff
Modified: trunk/LayoutTests/ChangeLog (256904 => 256905)
--- trunk/LayoutTests/ChangeLog 2020-02-19 04:50:31 UTC (rev 256904)
+++ trunk/LayoutTests/ChangeLog 2020-02-19 04:57:30 UTC (rev 256905)
@@ -1,3 +1,17 @@
+2020-02-18 Jack Lee <[email protected]>
+
+ ASSERTION FAILED: !m_embeddedObjectsToUpdate->contains(nullptr) in WebCore::FrameView::updateEmbeddedObjects
+ https://bugs.webkit.org/show_bug.cgi?id=191532
+ <rdar://problem/46151555>
+
+ Reviewed by Darin Adler.
+
+ Add reentrancy protection for FrameView::updateEmbeddedObjects().
+ Move the common code in renderWidgetLoadingPlugin() to inherited class, HTMLPlugInElement.
+
+ * fast/text/textCombine-update-embeddedObj-assert-expected.txt: Added.
+ * fast/text/textCombine-update-embeddedObj-assert.html: Added.
+
2020-02-18 Wenson Hsieh <[email protected]>
REGRESSION (r256093): fast/events/touch/ios/block-without-overflow-scroll.html is failing
Added: trunk/LayoutTests/fast/text/textCombine-update-embeddedObj-assert-expected.txt (0 => 256905)
--- trunk/LayoutTests/fast/text/textCombine-update-embeddedObj-assert-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/text/textCombine-update-embeddedObj-assert-expected.txt 2020-02-19 04:57:30 UTC (rev 256905)
@@ -0,0 +1 @@
+Tests updating embedded objects in text-combine rendering. The test passes if WebKit doesn't crash or hit an assertion.
Added: trunk/LayoutTests/fast/text/textCombine-update-embeddedObj-assert.html (0 => 256905)
--- trunk/LayoutTests/fast/text/textCombine-update-embeddedObj-assert.html (rev 0)
+++ trunk/LayoutTests/fast/text/textCombine-update-embeddedObj-assert.html 2020-02-19 04:57:30 UTC (rev 256905)
@@ -0,0 +1,18 @@
+<style>
+body {
+ -webkit-writing-mode: vertical-lr;
+ -webkit-text-combine: horizontal;
+}
+::selection {
+ color: red;
+}
+</style>
+<script>
+ if (window.testRunner)
+ testRunner.dumpAsText();
+ function eventhandler() {
+ document.vlinkColor = "red";
+ document.createElement("object").style.color = "red";
+ }
+</script>
+<embed src="" _onbeforeload_=eventhandler()>foo<span>Tests updating embedded objects in text-combine rendering. The test passes if WebKit doesn't crash or hit an assertion.</span>
Modified: trunk/Source/WebCore/ChangeLog (256904 => 256905)
--- trunk/Source/WebCore/ChangeLog 2020-02-19 04:50:31 UTC (rev 256904)
+++ trunk/Source/WebCore/ChangeLog 2020-02-19 04:57:30 UTC (rev 256905)
@@ -1,3 +1,30 @@
+2020-02-18 Jack Lee <[email protected]>
+
+ ASSERTION FAILED: !m_embeddedObjectsToUpdate->contains(nullptr) in WebCore::FrameView::updateEmbeddedObjects
+ https://bugs.webkit.org/show_bug.cgi?id=191532
+ <rdar://problem/46151555>
+
+ Reviewed by Darin Adler.
+
+ Add reentrancy protection for FrameView::updateEmbeddedObjects().
+ Move the common code in renderWidgetLoadingPlugin() to inherited class, HTMLPlugInElement.
+
+ Test: fast/text/textCombine-update-embeddedObj-assert.html
+
+ * html/HTMLAppletElement.cpp:
+ (WebCore::HTMLAppletElement::renderWidgetLoadingPlugin const):
+ * html/HTMLEmbedElement.cpp:
+ (WebCore::HTMLEmbedElement::renderWidgetLoadingPlugin const):
+ * html/HTMLObjectElement.cpp:
+ (WebCore::HTMLObjectElement::renderWidgetLoadingPlugin const): Deleted.
+ * html/HTMLObjectElement.h:
+ * html/HTMLPlugInElement.cpp:
+ (WebCore::HTMLPlugInElement::renderWidgetLoadingPlugin const):
+ * html/HTMLPlugInElement.h:
+ * page/FrameView.cpp:
+ (WebCore::FrameView::updateEmbeddedObjects):
+ * page/FrameView.h:
+
2020-02-18 Youenn Fablet <[email protected]>
Reduce use of PlatformMediaSessionManager::sharedManager()
Modified: trunk/Source/WebCore/html/HTMLAppletElement.cpp (256904 => 256905)
--- trunk/Source/WebCore/html/HTMLAppletElement.cpp 2020-02-19 04:50:31 UTC (rev 256904)
+++ trunk/Source/WebCore/html/HTMLAppletElement.cpp 2020-02-19 04:57:30 UTC (rev 256905)
@@ -96,14 +96,7 @@
RenderWidget* HTMLAppletElement::renderWidgetLoadingPlugin() const
{
- if (!canEmbedJava())
- return nullptr;
-
- // Needs to load the plugin immediatedly because this function is called
- // when _javascript_ code accesses the plugin.
- // FIXME: <rdar://16893708> Check if dispatching events here is safe.
- document().updateLayoutIgnorePendingStylesheets(Document::RunPostLayoutTasks::Synchronously);
- return renderWidget();
+ return canEmbedJava() ? HTMLPlugInImageElement::renderWidgetLoadingPlugin() : nullptr;
}
void HTMLAppletElement::updateWidget(CreatePlugins createPlugins)
Modified: trunk/Source/WebCore/html/HTMLEmbedElement.cpp (256904 => 256905)
--- trunk/Source/WebCore/html/HTMLEmbedElement.cpp 2020-02-19 04:50:31 UTC (rev 256904)
+++ trunk/Source/WebCore/html/HTMLEmbedElement.cpp 2020-02-19 04:57:30 UTC (rev 256905)
@@ -80,14 +80,9 @@
RenderWidget* HTMLEmbedElement::renderWidgetLoadingPlugin() const
{
- RefPtr<FrameView> view = document().view();
- if (!view || (!view->layoutContext().isInRenderTreeLayout() && !view->isPainting())) {
- // Needs to load the plugin immediatedly because this function is called
- // when _javascript_ code accesses the plugin.
- // FIXME: <rdar://16893708> Check if dispatching events here is safe.
- document().updateLayoutIgnorePendingStylesheets(Document::RunPostLayoutTasks::Synchronously);
- }
- return findWidgetRenderer(this);
+ RenderWidget* widget = HTMLPlugInImageElement::renderWidgetLoadingPlugin();
+
+ return widget ? widget : findWidgetRenderer(this);
}
void HTMLEmbedElement::collectStyleForPresentationAttribute(const QualifiedName& name, const AtomString& value, MutableStyleProperties& style)
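Review bot: Delegating to the base class changes two things for `<embed>` that the new body of renderWidgetLoadingPlugin() does not record. The layout guard is now `isInLayout()` plus `inUpdateEmbeddedObjects()`, where the removed code tested `isInRenderTreeLayout()`, and the element's own `renderWidget()` is now preferred over `findWidgetRenderer(this)`, which used to be the only result. If both are intended, a comment on the fallback line would make that explicit, for example `// renderWidget() is null when this element's renderer is not a RenderWidget; fall back to findWidgetRenderer().` The blank line between the two statements can be dropped.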
Modified: trunk/Source/WebCore/html/HTMLObjectElement.cpp (256904 => 256905)
--- trunk/Source/WebCore/html/HTMLObjectElement.cpp 2020-02-19 04:50:31 UTC (rev 256904)
+++ trunk/Source/WebCore/html/HTMLObjectElement.cpp 2020-02-19 04:57:30 UTC (rev 256905)
@@ -77,15 +77,6 @@
return result;
}
-RenderWidget* HTMLObjectElement::renderWidgetLoadingPlugin() const
-{
- // Needs to load the plugin immediatedly because this function is called
- // when _javascript_ code accesses the plugin.
- // FIXME: <rdar://16893708> Check if dispatching events here is safe.
- document().updateLayoutIgnorePendingStylesheets(Document::RunPostLayoutTasks::Synchronously);
- return renderWidget(); // This will return 0 if the renderer is not a RenderWidget.
-}
-
int HTMLObjectElement::defaultTabIndex() const
{
return 0;
Modified: trunk/Source/WebCore/html/HTMLObjectElement.h (256904 => 256905)
--- trunk/Source/WebCore/html/HTMLObjectElement.h 2020-02-19 04:50:31 UTC (rev 256904)
+++ trunk/Source/WebCore/html/HTMLObjectElement.h 2020-02-19 04:57:30 UTC (rev 256905)
@@ -59,8 +59,6 @@
private:
HTMLObjectElement(const QualifiedName&, Document&, HTMLFormElement*);
- RenderWidget* renderWidgetLoadingPlugin() const final;
-
int defaultTabIndex() const final;
void parseAttribute(const QualifiedName&, const AtomString&) final;
Modified: trunk/Source/WebCore/html/HTMLPlugInElement.cpp (256904 => 256905)
--- trunk/Source/WebCore/html/HTMLPlugInElement.cpp 2020-02-19 04:50:31 UTC (rev 256904)
+++ trunk/Source/WebCore/html/HTMLPlugInElement.cpp 2020-02-19 04:57:30 UTC (rev 256905)
@@ -157,6 +157,18 @@
return renderWidget->widget();
}
+RenderWidget* HTMLPlugInElement::renderWidgetLoadingPlugin() const
+{
+ RefPtr<FrameView> view = document().view();
+ if (!view || (!view->inUpdateEmbeddedObjects() && !view->layoutContext().isInLayout() && !view->isPainting())) {
+ // Needs to load the plugin immediatedly because this function is called
+ // when _javascript_ code accesses the plugin.
+ // FIXME: <rdar://16893708> Check if dispatching events here is safe.
+ document().updateLayoutIgnorePendingStylesheets(Document::RunPostLayoutTasks::Synchronously);
+ }
+ return renderWidget(); // This will return nullptr if the renderer is not a RenderWidget.
+}
+
bool HTMLPlugInElement::isPresentationAttribute(const QualifiedName& name) const
{
if (name == widthAttr || name == heightAttr || name == vspaceAttr || name == hspaceAttr || name == alignAttr)
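Review bot: The three-part guard in the new HTMLPlugInElement::renderWidgetLoadingPlugin() has no comment saying why layout is skipped, and the only comment in the body is the carried-over one with the open FIXME about event dispatch and the typo `immediatedly`. HTMLAppletElement and HTMLEmbedElement now route through this function, so it is the place to record the reasoning, for example `// Do not force layout while the view is in layout, painting or updateEmbeddedObjects(); script run from here could re-enter the update.` (the re-entry path is inferred from the ChangeLog and the beforeload test, not visible in this hunk). On the skipped path the result is whatever `renderWidget()` currently holds without a fresh layout, so callers must keep treating nullptr as a normal return.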
Modified: trunk/Source/WebCore/html/HTMLPlugInElement.h (256904 => 256905)
--- trunk/Source/WebCore/html/HTMLPlugInElement.h 2020-02-19 04:50:31 UTC (rev 256904)
+++ trunk/Source/WebCore/html/HTMLPlugInElement.h 2020-02-19 04:57:30 UTC (rev 256905)
@@ -109,6 +109,9 @@
bool guardedDispatchBeforeLoadEvent(const String& sourceURL);
bool m_inBeforeLoadEventHandler;
+
+ // This will load the plugin if necessary.
+ virtual RenderWidget* renderWidgetLoadingPlugin() const;
private:
void swapRendererTimerFired();
@@ -116,9 +119,6 @@
bool dispatchBeforeLoadEvent(const String& sourceURL) = delete; // Generate a compile error if someone calls this by mistake.
- // This will load the plugin if necessary.
- virtual RenderWidget* renderWidgetLoadingPlugin() const = 0;
-
bool supportsFocus() const override;
bool isKeyboardFocusable(KeyboardEvent*) const override;
Modified: trunk/Source/WebCore/page/FrameView.cpp (256904 => 256905)
--- trunk/Source/WebCore/page/FrameView.cpp 2020-02-19 04:50:31 UTC (rev 256904)
+++ trunk/Source/WebCore/page/FrameView.cpp 2020-02-19 04:57:30 UTC (rev 256905)
@@ -3270,6 +3270,7 @@
bool FrameView::updateEmbeddedObjects()
{
+ SetForScope<bool> inUpdateEmbeddedObjects(m_inUpdateEmbeddedObjects, true);
if (layoutContext().isLayoutNested() || !m_embeddedObjectsToUpdate || m_embeddedObjectsToUpdate->isEmpty())
return true;
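Review bot: `m_inUpdateEmbeddedObjects` is set at the top of updateEmbeddedObjects(), but the function never tests it itself. In this change its only reader is the guard in HTMLPlugInElement::renderWidgetLoadingPlugin(), so the protection covers re-entry through that one path only. A comment on the new line would say so, for example `// Read by HTMLPlugInElement::renderWidgetLoadingPlugin() so script run during the update cannot force a nested layout.` The matching member in FrameView.h is declared without a comment, while the member above it has one. Whether a debug assertion on entry is appropriate depends on whether nested calls are legitimate, which this hunk does not show; the function body continues outside it.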
Modified: trunk/Source/WebCore/page/FrameView.h (256904 => 256905)
--- trunk/Source/WebCore/page/FrameView.h 2020-02-19 04:50:31 UTC (rev 256904)
+++ trunk/Source/WebCore/page/FrameView.h 2020-02-19 04:57:30 UTC (rev 256905)
@@ -656,6 +656,8 @@
WEBCORE_EXPORT void scrollToOffsetWithAnimation(const ScrollOffset&, ScrollType = ScrollType::Programmatic, ScrollClamping = ScrollClamping::Clamped);
+ bool inUpdateEmbeddedObjects() const { return m_inUpdateEmbeddedObjects; }
+
protected:
bool scrollContentsFastPath(const IntSize& scrollDelta, const IntRect& rectToScroll, const IntRect& clipRect) final;
void scrollContentsSlowPath(const IntRect& updateRect) final;
@@ -934,6 +936,7 @@
bool m_inAutoSize { false };
// True if autosize has been run since m_shouldAutoSize was set.
bool m_didRunAutosize { false };
+ bool m_inUpdateEmbeddedObjects { false };
};
inline void FrameView::incrementVisuallyNonEmptyPixelCount(const IntSize& size)