- Revision
- 173830
- Author
- [email protected]
- Date
- 2014-09-22 03:40:58 -0700 (Mon, 22 Sep 2014)
Log Message
Merge r173806 - [CSS Regions] Assertion failure and null dereference crash when using animations and regions
https://bugs.webkit.org/show_bug.cgi?id=136918
Reviewed by Andrei Bucur.
Source/WebCore:
In some situations, for instance when an image has an attached animation, the style change caused by the animation
triggers a geometry update for the backing store associated with the image's layer. This may occur before
the layout for the image has finished.
Moreover, if the image in such situation - having a composited layer - is displayed in a region,
sicne the layout did not finish yet, the mappings between the layers of the elements collected in the named flow
and the regions associated with the named flow are not updated and cannot be used.
Therefore in those situations, we have to bail out early and use these mappings only after the layout has finished.
This patch also changes RenderLayerBacking method updateAfterDescendents -> updateAfterDescendants.
Test: fast/regions/animated-image-in-region.html
* rendering/RenderFlowThread.cpp:
(WebCore::RenderFlowThread::cachedRegionForCompositedLayer):
* rendering/RenderLayer.cpp:
(WebCore::RenderLayer::calculateClipRects):
* rendering/RenderLayerBacking.cpp:
(WebCore::RenderLayerBacking::updateAfterDescendants):
* rendering/RenderLayerBacking.h:
* rendering/RenderLayerCompositor.cpp:
(WebCore::RenderLayerCompositor::rebuildCompositingLayerTree):
(WebCore::RenderLayerCompositor::updateLayerTreeGeometry):
(WebCore::RenderLayerCompositor::updateCompositingDescendantGeometry):
LayoutTests:
* fast/regions/animated-image-in-region-expected.txt: Added.
* fast/regions/animated-image-in-region.html: Added.
Modified Paths
Added Paths
Diff
Modified: releases/WebKitGTK/webkit-2.6/LayoutTests/ChangeLog (173829 => 173830)
--- releases/WebKitGTK/webkit-2.6/LayoutTests/ChangeLog 2014-09-22 10:34:43 UTC (rev 173829)
+++ releases/WebKitGTK/webkit-2.6/LayoutTests/ChangeLog 2014-09-22 10:40:58 UTC (rev 173830)
@@ -1,3 +1,13 @@
+2014-09-22 Mihnea Ovidenie <[email protected]>
+
+ [CSS Regions] Assertion failure and null dereference crash when using animations and regions
+ https://bugs.webkit.org/show_bug.cgi?id=136918
+
+ Reviewed by Andrei Bucur.
+
+ * fast/regions/animated-image-in-region-expected.txt: Added.
+ * fast/regions/animated-image-in-region.html: Added.
+
2014-09-17 Philippe Normand <[email protected]>
[GStreamer] Cannot play Vimeo video
Added: releases/WebKitGTK/webkit-2.6/LayoutTests/fast/regions/animated-image-in-region-expected.txt (0 => 173830)
--- releases/WebKitGTK/webkit-2.6/LayoutTests/fast/regions/animated-image-in-region-expected.txt (rev 0)
+++ releases/WebKitGTK/webkit-2.6/LayoutTests/fast/regions/animated-image-in-region-expected.txt 2014-09-22 10:40:58 UTC (rev 173830)
@@ -0,0 +1,7 @@
+Test that an animated image displayed in a region is correctly animated.
+
+On success, you should see an image of an iPad displayed inside a black border box and no crash.
+
+PASS
+
+
Added: releases/WebKitGTK/webkit-2.6/LayoutTests/fast/regions/animated-image-in-region.html (0 => 173830)
--- releases/WebKitGTK/webkit-2.6/LayoutTests/fast/regions/animated-image-in-region.html (rev 0)
+++ releases/WebKitGTK/webkit-2.6/LayoutTests/fast/regions/animated-image-in-region.html 2014-09-22 10:40:58 UTC (rev 173830)
@@ -0,0 +1,44 @@
+
+<!DOCTYPE html>
+
+<html>
+ <head>
+ <style>
+ .region {
+ -webkit-flow-from: flow;
+ width: 320px;
+ height: 320px;
+ border: 5px solid black;
+ }
+
+ #img {
+ -webkit-flow-into: flow;
+ width: 300px;
+ height: 300px;
+ }
+
+ .spin {
+ -webkit-animation-name: spin;
+ -webkit-animation-duration: 0.1s;
+ -webkit-animation-timing-function: linear;
+ }
+
+ @-webkit-keyframes spin {
+ from { -webkit-transform: rotateZ(0deg);}
+ to { -webkit-transform: rotateZ(360deg); }
+ }
+ </style>
+ </head>
+
+ <body>
+ <p>Test that an animated image displayed in a region is correctly animated.</p>
+ <p>On success, you should see an image of an iPad displayed inside a black border box and no crash.</p>
+ <p>PASS</p>
+ <div class="region"></div>
+ <img id="img" class="spin" src="" />
+ <script>
+ if (window.testRunner)
+ window.testRunner.dumpAsText();
+ </script>
+ </body>
+</html>
Modified: releases/WebKitGTK/webkit-2.6/Source/WebCore/ChangeLog (173829 => 173830)
--- releases/WebKitGTK/webkit-2.6/Source/WebCore/ChangeLog 2014-09-22 10:34:43 UTC (rev 173829)
+++ releases/WebKitGTK/webkit-2.6/Source/WebCore/ChangeLog 2014-09-22 10:40:58 UTC (rev 173830)
@@ -1,3 +1,36 @@
+2014-09-22 Mihnea Ovidenie <[email protected]>
+
+ [CSS Regions] Assertion failure and null dereference crash when using animations and regions
+ https://bugs.webkit.org/show_bug.cgi?id=136918
+
+ Reviewed by Andrei Bucur.
+
+ In some situations, for instance when an image has an attached animation, the style change caused by the animation
+ triggers a geometry update for the backing store associated with the image's layer. This may occur before
+ the layout for the image has finished.
+
+ Moreover, if the image in such situation - having a composited layer - is displayed in a region,
+ sicne the layout did not finish yet, the mappings between the layers of the elements collected in the named flow
+ and the regions associated with the named flow are not updated and cannot be used.
+
+ Therefore in those situations, we have to bail out early and use these mappings only after the layout has finished.
+
+ This patch also changes RenderLayerBacking method updateAfterDescendents -> updateAfterDescendants.
+
+ Test: fast/regions/animated-image-in-region.html
+
+ * rendering/RenderFlowThread.cpp:
+ (WebCore::RenderFlowThread::cachedRegionForCompositedLayer):
+ * rendering/RenderLayer.cpp:
+ (WebCore::RenderLayer::calculateClipRects):
+ * rendering/RenderLayerBacking.cpp:
+ (WebCore::RenderLayerBacking::updateAfterDescendants):
+ * rendering/RenderLayerBacking.h:
+ * rendering/RenderLayerCompositor.cpp:
+ (WebCore::RenderLayerCompositor::rebuildCompositingLayerTree):
+ (WebCore::RenderLayerCompositor::updateLayerTreeGeometry):
+ (WebCore::RenderLayerCompositor::updateCompositingDescendantGeometry):
+
2014-09-21 Christophe Dumez <[email protected]>
Fix post-mortem nits for r173724
Modified: releases/WebKitGTK/webkit-2.6/Source/WebCore/rendering/RenderFlowThread.cpp (173829 => 173830)
--- releases/WebKitGTK/webkit-2.6/Source/WebCore/rendering/RenderFlowThread.cpp 2014-09-22 10:34:43 UTC (rev 173829)
+++ releases/WebKitGTK/webkit-2.6/Source/WebCore/rendering/RenderFlowThread.cpp 2014-09-22 10:40:58 UTC (rev 173830)
@@ -251,7 +251,12 @@
RenderNamedFlowFragment* RenderFlowThread::cachedRegionForCompositedLayer(RenderLayer& childLayer) const
{
- ASSERT(m_layerToRegionMap);
+ if (!m_layerToRegionMap) {
+ ASSERT(needsLayout());
+ ASSERT(m_layersToRegionMappingsDirty);
+ return nullptr;
+ }
+
RenderNamedFlowFragment* namedFlowFragment = m_layerToRegionMap->get(&childLayer);
ASSERT(!namedFlowFragment || m_regionList.contains(namedFlowFragment));
return namedFlowFragment;
Modified: releases/WebKitGTK/webkit-2.6/Source/WebCore/rendering/RenderLayer.cpp (173829 => 173830)
--- releases/WebKitGTK/webkit-2.6/Source/WebCore/rendering/RenderLayer.cpp 2014-09-22 10:34:43 UTC (rev 173829)
+++ releases/WebKitGTK/webkit-2.6/Source/WebCore/rendering/RenderLayer.cpp 2014-09-22 10:40:58 UTC (rev 173830)
@@ -6539,7 +6539,7 @@
else if (isComposited()) {
// FIXME: updating geometry here is potentially harmful, because layout is not up-to-date.
backing()->updateGeometry();
- backing()->updateAfterDescendents();
+ backing()->updateAfterDescendants();
}
if (oldStyle) {
Modified: releases/WebKitGTK/webkit-2.6/Source/WebCore/rendering/RenderLayerBacking.cpp (173829 => 173830)
--- releases/WebKitGTK/webkit-2.6/Source/WebCore/rendering/RenderLayerBacking.cpp 2014-09-22 10:34:43 UTC (rev 173829)
+++ releases/WebKitGTK/webkit-2.6/Source/WebCore/rendering/RenderLayerBacking.cpp 2014-09-22 10:40:58 UTC (rev 173830)
@@ -954,7 +954,7 @@
compositor().updateScrollCoordinatedStatus(m_owningLayer);
}
-void RenderLayerBacking::updateAfterDescendents()
+void RenderLayerBacking::updateAfterDescendants()
{
bool isSimpleContainer = false;
if (!m_owningLayer.isRootLayer()) {
Modified: releases/WebKitGTK/webkit-2.6/Source/WebCore/rendering/RenderLayerBacking.h (173829 => 173830)
--- releases/WebKitGTK/webkit-2.6/Source/WebCore/rendering/RenderLayerBacking.h 2014-09-22 10:34:43 UTC (rev 173829)
+++ releases/WebKitGTK/webkit-2.6/Source/WebCore/rendering/RenderLayerBacking.h 2014-09-22 10:40:58 UTC (rev 173830)
@@ -80,7 +80,7 @@
void updateGeometry();
// Update state the requires that descendant layers have been updated.
- void updateAfterDescendents();
+ void updateAfterDescendants();
// Update contents and clipping structure.
void updateDrawsContent();
Modified: releases/WebKitGTK/webkit-2.6/Source/WebCore/rendering/RenderLayerCompositor.cpp (173829 => 173830)
--- releases/WebKitGTK/webkit-2.6/Source/WebCore/rendering/RenderLayerCompositor.cpp 2014-09-22 10:34:43 UTC (rev 173829)
+++ releases/WebKitGTK/webkit-2.6/Source/WebCore/rendering/RenderLayerCompositor.cpp 2014-09-22 10:40:58 UTC (rev 173830)
@@ -1538,7 +1538,7 @@
}
if (RenderLayerBacking* layerBacking = layer.backing())
- layerBacking->updateAfterDescendents();
+ layerBacking->updateAfterDescendants();
}
void RenderLayerCompositor::rebuildRegionCompositingLayerTree(RenderNamedFlowFragment* region, Vector<GraphicsLayer*>& childList, int depth)
@@ -1775,7 +1775,7 @@
}
if (RenderLayerBacking* layerBacking = layer.backing())
- layerBacking->updateAfterDescendents();
+ layerBacking->updateAfterDescendants();
}
// Recurs down the RenderLayer tree until its finds the compositing descendants of compositingAncestor and updates their geometry.
@@ -1792,7 +1792,7 @@
layerBacking->updateGeometry();
if (compositedChildrenOnly) {
- layerBacking->updateAfterDescendents();
+ layerBacking->updateAfterDescendants();
return;
}
}
@@ -1832,7 +1832,7 @@
if (&layer != &compositingAncestor) {
if (RenderLayerBacking* layerBacking = layer.backing())
- layerBacking->updateAfterDescendents();
+ layerBacking->updateAfterDescendants();
}
}
