Diff
Modified: trunk/LayoutTests/ChangeLog (262094 => 262095)
--- trunk/LayoutTests/ChangeLog 2020-05-23 04:23:48 UTC (rev 262094)
+++ trunk/LayoutTests/ChangeLog 2020-05-23 05:53:52 UTC (rev 262095)
@@ -1,3 +1,16 @@
+2020-05-22 Jack Lee <[email protected]>
+
+ ASSERTION FAILED: (!s_current || &m_view != &s_current->m_view) in RenderTreeBuilder::RenderTreeBuilder
+ https://bugs.webkit.org/show_bug.cgi?id=212163
+ <rdar://problem/57028096>
+
+ Reviewed by Geoffrey Garen.
+
+ Added a regression test for the crash.
+
+ * fast/rendering/nested-render-tree-update-crash-expected.txt: Added.
+ * fast/rendering/nested-render-tree-update-crash.html: Added.
+
2020-05-22 Zalan Bujtas <[email protected]>
Nullptr deref in WebCore::RenderTreeBuilder::Block::attachIgnoringContinuation when parent and beforeChild are siblings
Added: trunk/LayoutTests/fast/rendering/nested-render-tree-update-crash-expected.txt (0 => 262095)
--- trunk/LayoutTests/fast/rendering/nested-render-tree-update-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/rendering/nested-render-tree-update-crash-expected.txt 2020-05-23 05:53:52 UTC (rev 262095)
@@ -0,0 +1 @@
+Tests nested render tree update. The test passes if WebKit doesn't crash or hit an assertion.
Added: trunk/LayoutTests/fast/rendering/nested-render-tree-update-crash.html (0 => 262095)
--- trunk/LayoutTests/fast/rendering/nested-render-tree-update-crash.html (rev 0)
+++ trunk/LayoutTests/fast/rendering/nested-render-tree-update-crash.html 2020-05-23 05:53:52 UTC (rev 262095)
@@ -0,0 +1,13 @@
+<script>
+function run() {
+ if (window.testRunner)
+ testRunner.dumpAsText();
+
+ obj = document.createElement("object");
+ li.appendChild(obj);
+ svg.currentScale = 0.99;
+ obj.data = "" 82)
+ ff.setAttribute("direction", "rtl");
+}
+</script>
+<body _onload_=run()><li id=li><svg id=svg><font-face-uri id=ff><tref xlink:href="" nested render tree update. The test passes if WebKit doesn't crash or hit an assertion.</span>
Modified: trunk/Source/WebCore/ChangeLog (262094 => 262095)
--- trunk/Source/WebCore/ChangeLog 2020-05-23 04:23:48 UTC (rev 262094)
+++ trunk/Source/WebCore/ChangeLog 2020-05-23 05:53:52 UTC (rev 262095)
@@ -1,3 +1,29 @@
+2020-05-22 Jack Lee <[email protected]>
+
+ ASSERTION FAILED: (!s_current || &m_view != &s_current->m_view) in RenderTreeBuilder::RenderTreeBuilder
+ https://bugs.webkit.org/show_bug.cgi?id=212163
+ <rdar://problem/57028096>
+
+ Reviewed by Geoffrey Garen.
+
+ Calling ~PostResolutionCallbackDisabler() before completing render tree updating and releasing RenderTreeBuilder
+ triggers this assertion. Therefore we added a utility function "updateRenderTree" in which PostResolutionCallback
+ is delayed until RenderTreeUpdater is released and m_inRenderTreeUpdate is cleared.
+
+ Test: fast/rendering/nested-render-tree-update-crash.html
+
+ * Headers.cmake:
+ * WebCore.xcodeproj/project.pbxproj:
+ * dom/Document.cpp:
+ (WebCore::Document::updateRenderTree):
+ (WebCore::Document::resolveStyle):
+ (WebCore::Document::updateTextRenderer):
+ * dom/Document.h:
+ * rendering/updating/RenderTreeUpdater.cpp:
+ (WebCore::RenderTreeUpdater::RenderTreeUpdater):
+ (WebCore::RenderTreeUpdater::commit):
+ * rendering/updating/RenderTreeUpdater.h:
+
2020-05-22 Simon Fraser <[email protected]>
Stuttery overflow scrolling in slow-scrolling regions (facebook messenger, feedly.com)
Modified: trunk/Source/WebCore/Headers.cmake (262094 => 262095)
--- trunk/Source/WebCore/Headers.cmake 2020-05-23 04:23:48 UTC (rev 262094)
+++ trunk/Source/WebCore/Headers.cmake 2020-05-23 05:53:52 UTC (rev 262095)
@@ -1476,6 +1476,7 @@
style/StyleChange.h
style/StyleScope.h
+ style/StyleUpdate.h
style/StyleValidity.h
svg/SVGLengthContext.h
Modified: trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj (262094 => 262095)
--- trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj 2020-05-23 04:23:48 UTC (rev 262094)
+++ trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj 2020-05-23 05:53:52 UTC (rev 262095)
@@ -4933,7 +4933,7 @@
E424A39E1330DF0100CF6DC9 /* LegacyTileGridTile.h in Headers */ = {isa = PBXBuildFile; fileRef = E424A39D1330DF0100CF6DC9 /* LegacyTileGridTile.h */; };
E425A49A18292B840020CFCF /* CollectionIndexCache.h in Headers */ = {isa = PBXBuildFile; fileRef = E425A49918292B840020CFCF /* CollectionIndexCache.h */; settings = {ATTRIBUTES = (Private, ); }; };
E4295FA412B0614E00D1ACE0 /* ResourceLoadPriority.h in Headers */ = {isa = PBXBuildFile; fileRef = E4295FA312B0614E00D1ACE0 /* ResourceLoadPriority.h */; settings = {ATTRIBUTES = (Private, ); }; };
- E42E76DC1C7AF77600E3614D /* StyleUpdate.h in Headers */ = {isa = PBXBuildFile; fileRef = E42E76DB1C7AF77600E3614D /* StyleUpdate.h */; };
+ E42E76DC1C7AF77600E3614D /* StyleUpdate.h in Headers */ = {isa = PBXBuildFile; fileRef = E42E76DB1C7AF77600E3614D /* StyleUpdate.h */; settings = {ATTRIBUTES = (Private, ); }; };
E43105BB16750F1600DB2FB8 /* NodeTraversal.h in Headers */ = {isa = PBXBuildFile; fileRef = E43105BA16750F1600DB2FB8 /* NodeTraversal.h */; settings = {ATTRIBUTES = (Private, ); }; };
E4343D232392778400EBBB66 /* LineLayoutTraversalSimplePath.h in Headers */ = {isa = PBXBuildFile; fileRef = E4343D212392778300EBBB66 /* LineLayoutTraversalSimplePath.h */; settings = {ATTRIBUTES = (Private, ); }; };
E4343D252392779000EBBB66 /* LineLayoutTraversalComplexPath.h in Headers */ = {isa = PBXBuildFile; fileRef = E4343D242392778F00EBBB66 /* LineLayoutTraversalComplexPath.h */; settings = {ATTRIBUTES = (Private, ); }; };
Modified: trunk/Source/WebCore/dom/Document.cpp (262094 => 262095)
--- trunk/Source/WebCore/dom/Document.cpp 2020-05-23 04:23:48 UTC (rev 262094)
+++ trunk/Source/WebCore/dom/Document.cpp 2020-05-23 05:53:52 UTC (rev 262095)
@@ -1920,6 +1920,19 @@
return hasPendingStyleRecalc() && m_needsFullStyleRebuild;
}
+void Document::updateRenderTree(std::unique_ptr<const Style::Update> styleUpdate)
+{
+ ASSERT(!inRenderTreeUpdate());
+
+ // NOTE: Preserve the order of definitions below so the destructors are called in proper sequence.
+ Style::PostResolutionCallbackDisabler callbackDisabler(*this);
+ SetForScope<bool> inRenderTreeUpdate(m_inRenderTreeUpdate, true);
+ RenderTreeUpdater updater(*this, callbackDisabler);
+ // End of ordered definitions
+
+ updater.commit(WTFMove(styleUpdate));
+}
+
void Document::resolveStyle(ResolveStyleType type)
{
ASSERT(!view() || !view()->isPainting());
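Review bot: The re-entrancy guard at the top of the new `Document::updateRenderTree` is `ASSERT(!inRenderTreeUpdate());`, which compiles out of release builds. If a nested update is still reachable, a release build would construct a second RenderTreeUpdater while the first is live. Since a nested update is the failure this change addresses, consider `RELEASE_ASSERT(!inRenderTreeUpdate());` or an explicit early return, provided callers can tolerate a skipped update. The ordering comment would also be more durable if it stated the required teardown sequence, for example `// Destruction runs in reverse: updater first, then m_inRenderTreeUpdate is restored, and only then does callbackDisabler run the queued post-resolution callbacks.`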
@@ -2004,11 +2017,7 @@
m_inStyleRecalc = false;
if (styleUpdate) {
- SetForScope<bool> inRenderTreeUpdate(m_inRenderTreeUpdate, true);
-
- RenderTreeUpdater updater(*this);
- updater.commit(WTFMove(styleUpdate));
-
+ updateRenderTree(WTFMove(styleUpdate));
frameView.styleAndRenderTreeDidChange();
}
@@ -2042,14 +2051,10 @@
void Document::updateTextRenderer(Text& text, unsigned offsetOfReplacedText, unsigned lengthOfReplacedText)
{
- ASSERT(!m_inRenderTreeUpdate);
- SetForScope<bool> inRenderTreeUpdate(m_inRenderTreeUpdate, true);
-
auto textUpdate = makeUnique<Style::Update>(*this);
textUpdate->addText(text, { offsetOfReplacedText, lengthOfReplacedText, WTF::nullopt });
- RenderTreeUpdater renderTreeUpdater(*this);
- renderTreeUpdater.commit(WTFMove(textUpdate));
+ updateRenderTree(WTFMove(textUpdate));
}
bool Document::needsStyleRecalc() const
Modified: trunk/Source/WebCore/dom/Document.h (262094 => 262095)
--- trunk/Source/WebCore/dom/Document.h 2020-05-23 04:23:48 UTC (rev 262094)
+++ trunk/Source/WebCore/dom/Document.h 2020-05-23 05:53:52 UTC (rev 262095)
@@ -55,6 +55,7 @@
#include "SecurityPolicyViolationEvent.h"
#include "StringWithDirection.h"
#include "StyleColor.h"
+#include "StyleUpdate.h"
#include "Supplementable.h"
#include "TextResourceDecoder.h"
#include "Timer.h"
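Review bot: Including `StyleUpdate.h` from Document.h pulls that header into every translation unit that includes Document.h, although the new declaration only names `std::unique_ptr<const Style::Update>` as a parameter. A forward declaration of `Style::Update` in Document.h, with the include kept in Document.cpp, would probably suffice, assuming no out-of-file caller needs the complete type. It would also avoid exporting StyleUpdate.h as a private header in Headers.cmake and project.pbxproj. The same applies to the `#include "StyleTreeResolver.h"` added to RenderTreeUpdater.h, where the constructor only takes a `Style::PostResolutionCallbackDisabler&`.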
@@ -643,6 +644,7 @@
bool renderTreeBeingDestroyed() const { return m_renderTreeBeingDestroyed; }
bool hasLivingRenderTree() const { return renderView() && !renderTreeBeingDestroyed(); }
+ void updateRenderTree(std::unique_ptr<const Style::Update> styleUpdate);
bool updateLayoutIfDimensionsOutOfDate(Element&, DimensionsCheck = AllDimensionsCheck);
Modified: trunk/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp (262094 => 262095)
--- trunk/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp 2020-05-23 04:23:48 UTC (rev 262094)
+++ trunk/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp 2020-05-23 05:53:52 UTC (rev 262095)
@@ -78,7 +78,7 @@
{
}
-RenderTreeUpdater::RenderTreeUpdater(Document& document)
+RenderTreeUpdater::RenderTreeUpdater(Document& document, Style::PostResolutionCallbackDisabler&)
: m_document(document)
, m_generatedContent(makeUnique<GeneratedContent>(*this))
, m_builder(renderView())
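Review bot: The new `Style::PostResolutionCallbackDisabler&` constructor parameter is unnamed and never used in the visible initializer list, and nothing says why it is required. It appears to serve only as proof that the caller holds a disabler that outlives the updater. That intent should be written down at the declaration in RenderTreeUpdater.h, for example `// The disabler is not used; requiring it makes callers keep post-resolution callbacks disabled for the updater's whole lifetime.` Without the comment, a later cleanup could drop the "unused" argument and reintroduce the ordering problem. The constructor body lies outside this hunk.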
@@ -121,8 +121,6 @@
TraceScope scope(RenderTreeBuildStart, RenderTreeBuildEnd);
- Style::PostResolutionCallbackDisabler callbackDisabler(m_document);
-
m_styleUpdate = WTFMove(styleUpdate);
for (auto* root : findRenderingRoots(*m_styleUpdate))
Modified: trunk/Source/WebCore/rendering/updating/RenderTreeUpdater.h (262094 => 262095)
--- trunk/Source/WebCore/rendering/updating/RenderTreeUpdater.h 2020-05-23 04:23:48 UTC (rev 262094)
+++ trunk/Source/WebCore/rendering/updating/RenderTreeUpdater.h 2020-05-23 05:53:52 UTC (rev 262095)
@@ -28,6 +28,7 @@
#include "RenderTreeBuilder.h"
#include "RenderTreePosition.h"
#include "StyleChange.h"
+#include "StyleTreeResolver.h"
#include "StyleUpdate.h"
#include <wtf/HashSet.h>
#include <wtf/Vector.h>
@@ -43,7 +44,7 @@
class RenderTreeUpdater {
public:
- RenderTreeUpdater(Document&);
+ RenderTreeUpdater(Document&, Style::PostResolutionCallbackDisabler&);
~RenderTreeUpdater();
void commit(std::unique_ptr<const Style::Update>);