Title: [289776] trunk
Revision: 289776
Author: [email protected]
Date: 2022-02-14 15:33:58 -0800 (Mon, 14 Feb 2022)

Log Message

Fix crash with deeply nested async overflow scroll
https://bugs.webkit.org/show_bug.cgi?id=236599
Source/WebCore:

rdar://88656665

Reviewed by Alan Bujtas.

mergeClippingScopesRecursive() already does the append of the rects; doing so
before recursing triggers double appends, hence exponentially growing
rect lists.

Test: compositing/layer-creation/clipping-scope/deeply-nested-overflow.html

* rendering/LayerOverlapMap.cpp:
(WebCore::OverlapMapContainer::mergeClippingScopesRecursive):

LayoutTests:

Reviewed by Alan Bujtas.

* compositing/layer-creation/clipping-scope/deeply-nested-overflow-expected.txt: Added.
* compositing/layer-creation/clipping-scope/deeply-nested-overflow.html: Added.
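The commit message above says the pre-patch double append made the rect lists grow exponentially with nesting depth. The following model is an added example, not WebKit code: `Scope`, `makeChain` and `totalRectsAfterMerges` are hypothetical stand-ins for ClippingScope and the bottom-up overlap-container merges, with one constructed rect per scope level, so the numbers show the growth rate rather than real rect counts.

```cpp
#include <cstddef>
#include <vector>

// Hypothetical stand-in for WebCore's ClippingScope; only the rect counts matter here.
struct Scope {
    int layer = 0;               // nesting level of the scroller this scope clips to
    std::vector<int> rectList;   // one entry per rect
    std::vector<Scope> children; // vector of an incomplete type: needs C++17
    Scope* childWithLayer(int l) {
        for (auto& child : children) if (child.layer == l) return &child;
        return nullptr;
    }
};
static void appendRects(std::vector<int>& dest, const std::vector<int>& src) { dest.insert(dest.end(), src.begin(), src.end()); }

// The callee appends source's rects into dest on entry. With doubleAppend the caller
// also appends before recursing, which is what the code did before this patch.
static void mergeScopesRecursive(const Scope& source, Scope& dest, bool doubleAppend) {
    appendRects(dest.rectList, source.rectList);
    for (const auto& sourceChild : source.children) {
        if (Scope* destChild = dest.childWithLayer(sourceChild.layer)) {
            if (doubleAppend)
                appendRects(destChild->rectList, sourceChild.rectList);
            mergeScopesRecursive(sourceChild, *destChild, doubleAppend);
        } else
            dest.children.push_back(sourceChild); // new child: copy the whole subtree
    }
}
// Scope chain for a layer `depth` scrollers deep (levels 1..depth), one constructed rect per level.
static Scope makeChain(int depth) {
    Scope chain;
    Scope* cur = &chain;
    for (int level = 1; level <= depth; ++level) {
        if (level > 1) { cur->children.push_back(Scope()); cur = &cur->children.back(); }
        cur->layer = level;
        cur->rectList = {1};
    }
    return chain;
}
static size_t countRects(const Scope& s) { size_t n = s.rectList.size(); for (const auto& c : s.children) n += countRects(c); return n; }
// Pop overlap containers bottom-up, merging the innermost one's scopes into each
// enclosing container in turn; returns the rects left in the outermost container.
static size_t totalRectsAfterMerges(int depth, bool doubleAppend) {
    Scope merged = makeChain(depth);
    for (int level = depth - 1; level >= 1; --level) {
        Scope outer = makeChain(level);
        mergeScopesRecursive(merged, outer, doubleAppend);
        merged = outer;
    }
    return countRects(merged); // double append: 2^depth - 1; fixed: depth * (depth + 1) / 2
}
```

With the double append the count is 2^depth - 1, so the test's 256-deep nesting is far beyond any memory budget; with the append done only by the callee it is depth * (depth + 1) / 2, which is why untrusted page structure could previously drive allocation to a crash.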

Diff

Modified: trunk/LayoutTests/ChangeLog (289775 => 289776)


--- trunk/LayoutTests/ChangeLog	2022-02-14 23:33:19 UTC (rev 289775)
+++ trunk/LayoutTests/ChangeLog	2022-02-14 23:33:58 UTC (rev 289776)
@@ -1,3 +1,13 @@
+2022-02-14  Simon Fraser  <[email protected]>
+
+        Fix crash with deeply nested async overflow scroll
+        https://bugs.webkit.org/show_bug.cgi?id=236599
+
+        Reviewed by Alan Bujtas.
+
+        * compositing/layer-creation/clipping-scope/deeply-nested-overflow-expected.txt: Added.
+        * compositing/layer-creation/clipping-scope/deeply-nested-overflow.html: Added.
+
 2022-02-07  Jon Lee  <[email protected]>
 
         Enable accelerated drawing in the iOS simulator

Added: trunk/LayoutTests/compositing/layer-creation/clipping-scope/deeply-nested-overflow-expected.txt (0 => 289776)


--- trunk/LayoutTests/compositing/layer-creation/clipping-scope/deeply-nested-overflow-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/compositing/layer-creation/clipping-scope/deeply-nested-overflow-expected.txt	2022-02-14 23:33:58 UTC (rev 289776)
@@ -0,0 +1 @@
+This test should not crash.

Added: trunk/LayoutTests/compositing/layer-creation/clipping-scope/deeply-nested-overflow.html (0 => 289776)


--- trunk/LayoutTests/compositing/layer-creation/clipping-scope/deeply-nested-overflow.html	                        (rev 0)
+++ trunk/LayoutTests/compositing/layer-creation/clipping-scope/deeply-nested-overflow.html	2022-02-14 23:33:58 UTC (rev 289776)
@@ -0,0 +1,42 @@
+<!DOCTYPE html> <!-- webkit-test-runner [ AsyncOverflowScrollingEnabled=true ] -->
+<html>
+<head>
+<style>
+    .container {
+        width: 600px;
+        border: 1px solid gray;
+        overflow-x: auto;
+        margin: 10px;
+    }
+    
+    .inner {
+        padding: 10px;
+        background-color: blue;
+    }
+</style>
+<script>
+    if (window.testRunner)
+        testRunner.dumpAsText();
+
+    window.addEventListener('load', () => {
+        const depth = 256;
+        
+        let currParent = document.body;
+        for (let i = 0; i < depth; ++i) {
+            
+            let div = document.createElement('div');
+            div.className = 'container';
+            currParent.appendChild(div);
+            currParent = div;
+        }
+        
+        let div = document.createElement('div');
+        div.className = 'inner';
+        div.textContent = 'This test should not crash.';
+        currParent.appendChild(div);
+    }, false);
+</script>
+</head>
+<body>
+</body>
+</html>
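Review bot: the load handler builds the 256 nested scrollers but nothing in the test forces a layout or rendering update afterwards, so exercising the overlap-map merge depends on the dump path doing that; consider reading a layout property such as `document.body.offsetHeight` after the loop so the regression is triggered deterministically regardless of how the dump is implemented. Minor style points: several otherwise-empty lines inside the style block and the load handler carry trailing whitespace, and the `false` useCapture argument to `addEventListener` is the default and can be dropped.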

Modified: trunk/Source/WebCore/ChangeLog (289775 => 289776)


--- trunk/Source/WebCore/ChangeLog	2022-02-14 23:33:19 UTC (rev 289775)
+++ trunk/Source/WebCore/ChangeLog	2022-02-14 23:33:58 UTC (rev 289776)
@@ -1,3 +1,20 @@
+2022-02-14  Simon Fraser  <[email protected]>
+
+        Fix crash with deeply nested async overflow scroll
+        https://bugs.webkit.org/show_bug.cgi?id=236599
+        rdar://88656665
+
+        Reviewed by Alan Bujtas.
+
+        mergeClippingScopesRecursive() already does the append of the rects; doing so
+        before calling recursing triggers double appends, hence exponentially growing
+        rect lists.
+
+        Test: compositing/layer-creation/clipping-scope/deeply-nested-overflow.html
+
+        * rendering/LayerOverlapMap.cpp:
+        (WebCore::OverlapMapContainer::mergeClippingScopesRecursive):
+
 2022-02-14  Patrick Angle  <[email protected]>
 
         Web Inspector: Element tooltips in overlays should use same encodable/decodable Label type as grid overlays
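Review bot: "doing so before calling recursing triggers double appends" has a stray word; "before recursing" (or "before calling mergeClippingScopesRecursive()") reads correctly. It would also help to spell out why a list-growth bug surfaces as a crash: because the duplicated rects are copied again at every enclosing scope, the rect count grows exponentially with nesting depth, so the 256-deep test page exhausts memory, and that is the behaviour web content could trigger before this fix.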

Modified: trunk/Source/WebCore/rendering/LayerOverlapMap.cpp (289775 => 289776)


--- trunk/Source/WebCore/rendering/LayerOverlapMap.cpp	2022-02-14 23:33:19 UTC (rev 289775)
+++ trunk/Source/WebCore/rendering/LayerOverlapMap.cpp	2022-02-14 23:33:58 UTC (rev 289776)
@@ -195,10 +195,9 @@
 
     for (auto& sourceChildScope : sourceScope.children) {
         ClippingScope* destChild = destScope.childWithLayer(sourceChildScope.layer);
-        if (destChild) {
-            destChild->rectList.append(sourceChildScope.rectList);
+        if (destChild)
             mergeClippingScopesRecursive(sourceChildScope, *destChild);
-        } else {
+        else {
             // New child, just copy the whole subtree.
             destScope.addChild(sourceChildScope);
         }
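Review bot: the correctness of this fix rests on mergeClippingScopesRecursive() appending `sourceScope.rectList` into `destScope.rectList` at its entry, which is outside the visible context of this hunk; a one-line comment before the recursive call, e.g. `// mergeClippingScopesRecursive() appends sourceChildScope.rectList for us.`, would stop a future reader from reintroducing the caller-side append. Since the previous behaviour let nested page content drive memory use exponentially, that comment is cheap insurance against the regression coming back.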
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
