Title: [262524] trunk
- Revision
- 262524
- Author
- [email protected]
- Date
- 2020-06-03 16:22:39 -0700 (Wed, 03 Jun 2020)
Log Message
Release Assert @ WebCore::RenderTreeBuilder::RenderTreeBuilder
https://bugs.webkit.org/show_bug.cgi?id=212714
Patch by Pinki Gyanchandani <[email protected]> on 2020-06-03
Reviewed by Geoffrey Garen.
Source/WebCore:
Widget removal in the middle of building a Render Tree causes side effects, leading to Release Assert. Moved the scope for suspension of widgets
update to RenderTreeBuilder instead of having it in RenderTreeUpdater.
Also made sure that the WidgetHierarchyUpdatesSuspensionScope::moveWidgets() should handle all widgets scheduled to move, including new widgets
scheduled during moveWidgets().
Test: fast/rendering/widget-removal-in-render-tree-builder-crash.html
* rendering/RenderWidget.cpp:
(WebCore::WidgetHierarchyUpdatesSuspensionScope::moveWidgets):
* rendering/updating/RenderTreeBuilder.h:
* rendering/updating/RenderTreeUpdater.cpp:
(WebCore::RenderTreeUpdater::tearDownRenderers):
LayoutTests:
Added a regression test.
* fast/rendering/widget-removal-in-render-tree-builder-crash-expected.txt: Added.
* fast/rendering/widget-removal-in-render-tree-builder-crash.html: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (262523 => 262524)
--- trunk/LayoutTests/ChangeLog 2020-06-03 23:18:30 UTC (rev 262523)
+++ trunk/LayoutTests/ChangeLog 2020-06-03 23:22:39 UTC (rev 262524)
@@ -1,3 +1,15 @@
+2020-06-03 Pinki Gyanchandani <[email protected]>
+
+ Release Assert @ WebCore::RenderTreeBuilder::RenderTreeBuilder
+ https://bugs.webkit.org/show_bug.cgi?id=212714
+
+ Reviewed by Geoffrey Garen.
+
+ Added a regression test.
+
+ * fast/rendering/widget-removal-in-render-tree-builder-crash-expected.txt: Added.
+ * fast/rendering/widget-removal-in-render-tree-builder-crash.html: Added.
+
2020-06-03 Jacob Uphoff <[email protected]>
[ macOS wk1 debug ] svg/custom/textPath-change-id.svg is a flaky failure
Added: trunk/LayoutTests/fast/rendering/widget-removal-in-render-tree-builder-crash-expected.txt (0 => 262524)
--- trunk/LayoutTests/fast/rendering/widget-removal-in-render-tree-builder-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/rendering/widget-removal-in-render-tree-builder-crash-expected.txt 2020-06-03 23:22:39 UTC (rev 262524)
@@ -0,0 +1,5 @@
+The test passes if there is no crash.
+
+
+
+a
Added: trunk/LayoutTests/fast/rendering/widget-removal-in-render-tree-builder-crash.html (0 => 262524)
--- trunk/LayoutTests/fast/rendering/widget-removal-in-render-tree-builder-crash.html (rev 0)
+++ trunk/LayoutTests/fast/rendering/widget-removal-in-render-tree-builder-crash.html 2020-06-03 23:22:39 UTC (rev 262524)
@@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<html>
+
+<script>
+var runcount = {'runTest':0}
+
+function runTest() {
+ if (window.testRunner)
+ testRunner.dumpAsText();
+
+ runcount["runTest"]++; if(runcount["runTest"] > 2) { return; }
+ element = document.createElement("command"); //HTMLUnknownElement
+ x.addEventListener("DOMSubtreeModified", runTest);
+ z.childNodes;
+ x.before(progress);
+ progress.appendChild(element)
+ window.requestAnimationFrame(runTest1);
+ iframe = document.createElement("iframe");
+ y.appendChild(iframe);
+}
+
+
+function runTest1() {
+ win = window;
+ win0 = win[0];
+ win0.focus();
+ y.slot = "y";
+}
+</script>
+
+<body>
+<p>The test passes if there is no crash.</p>
+<details id="x" open="true">
+<summary id="y"></summary>
+<details id="z" open="true" _ontoggle_="runTest()">a</details>
+</details>
+<audio cite=""
+<source slot="slot2">
+<progress id="progress" ></progress>
+
+</body>
+</html>
Modified: trunk/Source/WebCore/ChangeLog (262523 => 262524)
--- trunk/Source/WebCore/ChangeLog 2020-06-03 23:18:30 UTC (rev 262523)
+++ trunk/Source/WebCore/ChangeLog 2020-06-03 23:22:39 UTC (rev 262524)
@@ -1,3 +1,24 @@
+2020-06-03 Pinki Gyanchandani <[email protected]>
+
+ Release Assert @ WebCore::RenderTreeBuilder::RenderTreeBuilder
+ https://bugs.webkit.org/show_bug.cgi?id=212714
+
+ Reviewed by Geoffrey Garen.
+
+ Widget removal in the middle of building a Render Tree causes side effects, leading to Release Assert. Moved the scope for suspension of widgets
+ update to RenderTreeBuilder instead of having it in RenderTreeUpdater.
+
+ Also made sure that the WidgetHierarchyUpdatesSuspensionScope::moveWidgets() should handle all widgets scheduled to move, including new widgets
+ scheduled during moveWidgets().
+
+ Test: fast/rendering/widget-removal-in-render-tree-builder-crash.html
+
+ * rendering/RenderWidget.cpp:
+ (WebCore::WidgetHierarchyUpdatesSuspensionScope::moveWidgets):
+ * rendering/updating/RenderTreeBuilder.h:
+ * rendering/updating/RenderTreeUpdater.cpp:
+ (WebCore::RenderTreeUpdater::tearDownRenderers):
+
2020-06-03 Wenson Hsieh <[email protected]>
[Text manipulation] Extract the value attribute in inputs of type "text" and "search"
Modified: trunk/Source/WebCore/rendering/RenderWidget.cpp (262523 => 262524)
--- trunk/Source/WebCore/rendering/RenderWidget.cpp 2020-06-03 23:18:30 UTC (rev 262523)
+++ trunk/Source/WebCore/rendering/RenderWidget.cpp 2020-06-03 23:22:39 UTC (rev 262524)
@@ -56,16 +56,18 @@
void WidgetHierarchyUpdatesSuspensionScope::moveWidgets()
{
- auto map = WTFMove(widgetNewParentMap());
- for (auto& entry : map) {
- auto& child = *entry.key;
- auto* currentParent = child.parent();
- auto* newParent = entry.value;
- if (newParent != currentParent) {
- if (currentParent)
- currentParent->removeChild(child);
- if (newParent)
- newParent->addChild(child);
+ while (!widgetNewParentMap().isEmpty()) {
+ auto map = WTFMove(widgetNewParentMap());
+ for (auto& entry : map) {
+ auto& child = *entry.key;
+ auto* currentParent = child.parent();
+ auto* newParent = entry.value;
+ if (newParent != currentParent) {
+ if (currentParent)
+ currentParent->removeChild(child);
+ if (newParent)
+ newParent->addChild(child);
+ }
}
}
}
Modified: trunk/Source/WebCore/rendering/updating/RenderTreeBuilder.h (262523 => 262524)
--- trunk/Source/WebCore/rendering/updating/RenderTreeBuilder.h 2020-06-03 23:18:30 UTC (rev 262523)
+++ trunk/Source/WebCore/rendering/updating/RenderTreeBuilder.h 2020-06-03 23:22:39 UTC (rev 262524)
@@ -26,6 +26,7 @@
#pragma once
#include "RenderTreePosition.h"
+#include "RenderWidget.h"
namespace WebCore {
@@ -126,6 +127,7 @@
FullScreen& fullScreenBuilder() { return *m_fullScreenBuilder; }
#endif
+ WidgetHierarchyUpdatesSuspensionScope m_widgetHierarchyUpdatesSuspensionScope;
RenderView& m_view;
RenderTreeBuilder* m_previous { nullptr };
static RenderTreeBuilder* s_current;
Modified: trunk/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp (262523 => 262524)
--- trunk/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp 2020-06-03 23:18:30 UTC (rev 262523)
+++ trunk/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp 2020-06-03 23:22:39 UTC (rev 262524)
@@ -542,8 +542,6 @@
void RenderTreeUpdater::tearDownRenderers(Element& root, TeardownType teardownType, RenderTreeBuilder& builder)
{
- WidgetHierarchyUpdatesSuspensionScope suspendWidgetHierarchyUpdates;
-
Vector<Element*, 30> teardownStack;
auto push = [&] (Element& element) {
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
