Title: [185567] trunk
Revision
185567
Author
[email protected]
Date
2015-06-15 15:01:58 -0700 (Mon, 15 Jun 2015)

Log Message

REGRESSION (r182215): Reproducible crash at drawsvg.org due to reentrant layout
https://bugs.webkit.org/show_bug.cgi?id=145964

Reviewed by Simon Fraser.

Source/WebCore:

Test: svg/as-object/mutate-on-load.html

* page/FrameView.cpp:
(WebCore::FrameView::forceLayoutParentViewIfNeeded): Don't do a synchronous layout here,
because it can lead indirectly to unwanted layout reentrancy. Instead schedule a layout.

LayoutTests:

* svg/as-object/mutate-on-load-expected.html: Added.
* svg/as-object/mutate-on-load.html: Added.
* svg/as-object/resources/embedded-mutates-on-load.svg: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (185566 => 185567)


--- trunk/LayoutTests/ChangeLog	2015-06-15 21:26:08 UTC (rev 185566)
+++ trunk/LayoutTests/ChangeLog	2015-06-15 22:01:58 UTC (rev 185567)
@@ -1,3 +1,14 @@
+2015-06-15  Darin Adler  <[email protected]>
+
+        REGRESSION (r182215): Reproducible crash at drawsvg.org due to reentrant layout
+        https://bugs.webkit.org/show_bug.cgi?id=145964
+
+        Reviewed by Simon Fraser.
+
+        * svg/as-object/mutate-on-load-expected.html: Added.
+        * svg/as-object/mutate-on-load.html: Added.
+        * svg/as-object/resources/embedded-mutates-on-load.svg: Added.
+
 2015-06-15  Michael Saboff  <[email protected]>
 
         JIT bug - fails when inspector closed, works when open

Added: trunk/LayoutTests/svg/as-object/mutate-on-load-expected.html (0 => 185567)


--- trunk/LayoutTests/svg/as-object/mutate-on-load-expected.html	                        (rev 0)
+++ trunk/LayoutTests/svg/as-object/mutate-on-load-expected.html	2015-06-15 22:01:58 UTC (rev 185567)
@@ -0,0 +1,4 @@
+<svg viewbox="0 0 66 220" width="66px">
+<rect width="6" height="0" x="0" y="0"/>
+<rect width="54" height="206" x="6" y="20"/>
+</svg>
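Review bot: `viewbox` on the first line of the reference is lowercase; this only works because the reference is parsed as HTML, where the parser case-adjusts SVG attribute names to `viewBox`. It matches the expected rendering as written, but if this reference were ever moved into an .svg resource (as the test's own SVG is) the attribute would be silently ignored and the scaling would change. Writing `viewBox` here keeps the reference consistent with `resources/embedded-mutates-on-load.svg`.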

Added: trunk/LayoutTests/svg/as-object/mutate-on-load.html (0 => 185567)


--- trunk/LayoutTests/svg/as-object/mutate-on-load.html	                        (rev 0)
+++ trunk/LayoutTests/svg/as-object/mutate-on-load.html	2015-06-15 22:01:58 UTC (rev 185567)
@@ -0,0 +1 @@
+<embed type="image/svg+xml" width="66px" src=""
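Review bot: the hunk for this file is a single `<embed type="image/svg+xml" width="66px" src=""` line with an empty `src` and no closing `>`. As shown, the test would load no SVG at all and the reference comparison would pass vacuously against an empty embed. The resource added in this patch is `resources/embedded-mutates-on-load.svg`, so presumably the `src` value was stripped by the list archive; whoever lands this should confirm the checked-in file has the `src` filled in and a closed, newline-terminated tag, since a test that cannot reach its resource does not guard the regression it was written for.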

Added: trunk/LayoutTests/svg/as-object/resources/embedded-mutates-on-load.svg (0 => 185567)


--- trunk/LayoutTests/svg/as-object/resources/embedded-mutates-on-load.svg	                        (rev 0)
+++ trunk/LayoutTests/svg/as-object/resources/embedded-mutates-on-load.svg	2015-06-15 22:01:58 UTC (rev 185567)
@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg xmlns="http://www.w3.org/2000/svg" _onload_="runTest()" viewBox="0 0 66 220" width="100%" height="100%">
+<script type="text/ecmascript"><![CDATA[
+
+    function runTest() {
+        document.getElementById("a").setAttribute("height", "0");
+        document.getElementById("b").addEventListener("mousewheel",function() {});
+    }
+
+]]></script>
+
+    <rect id="a" width="6" x="0"/>
+    <rect id="b" width="54" height="206" x="6" y="20"/>
+
+</svg>
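Review bot: `_onload_="runTest()"` on the root `<svg>` is not an attribute SVG defines; the test depends on `runTest()` running at load (that is what the test name `mutate-on-load` describes), so this is almost certainly `onload` mangled by the archive's handler-attribute filtering, but the checked-in file should be verified to read `onload`. Separately, `runTest()` does two unrelated things, sets rect `a`'s height to `0` and registers a `mousewheel` listener on rect `b`, and nothing in the file says which of the two drives the reentrant layout the bug describes. A one-line comment above `runTest()` stating what each step exercises would stop someone later removing the apparently unused listener and quietly turning this into a test that no longer reproduces the crash.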

Modified: trunk/Source/WebCore/ChangeLog (185566 => 185567)


--- trunk/Source/WebCore/ChangeLog	2015-06-15 21:26:08 UTC (rev 185566)
+++ trunk/Source/WebCore/ChangeLog	2015-06-15 22:01:58 UTC (rev 185567)
@@ -1,3 +1,16 @@
+2015-06-15  Darin Adler  <[email protected]>
+
+        REGRESSION (r182215): Reproducible crash at drawsvg.org due to reentrant layout
+        https://bugs.webkit.org/show_bug.cgi?id=145964
+
+        Reviewed by Simon Fraser.
+
+        Test: svg/as-object/mutate-on-load.html
+
+        * page/FrameView.cpp:
+        (WebCore::FrameView::forceLayoutParentViewIfNeeded): Don't do a synchronous layout here,
+        because it can lead indirectly to unwanted layout reentrancy. Instead schedule a layout.
+
 2015-06-15  Matt Rajca  <[email protected]>
 
         Media Session: Active participating elements can change while being iterated 
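Review bot: the entry says the synchronous layout "can lead indirectly to unwanted layout reentrancy" but does not name the path that reenters, or what r182215 changed to make it reachable. A sentence giving the reentrant call sequence (who calls `forceLayoutParentViewIfNeeded` while a layout is already in progress) would let the next person touching this function understand why scheduling a layout is safe here and forcing one is not, instead of rediscovering it from the crash at drawsvg.org.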

Modified: trunk/Source/WebCore/page/FrameView.cpp (185566 => 185567)


--- trunk/Source/WebCore/page/FrameView.cpp	2015-06-15 21:26:08 UTC (rev 185566)
+++ trunk/Source/WebCore/page/FrameView.cpp	2015-06-15 22:01:58 UTC (rev 185567)
@@ -1131,13 +1131,9 @@
     // FrameView for a layout. After that the RenderEmbeddedObject (ownerRenderer) carries the
     // correct size, which RenderSVGRoot::computeReplacedLogicalWidth/Height rely on, when laying
     // out for the first time, or when the RenderSVGRoot size has changed dynamically (eg. via <script>).
-    Ref<FrameView> frameView(ownerRenderer->view().frameView());
 
-    // Mark the owner renderer as needing layout.
     ownerRenderer->setNeedsLayoutAndPrefWidthsRecalc();
-
-    // Synchronously enter layout, to layout the view containing the host object/embed/iframe.
-    frameView->layout();
+    ownerRenderer->view().frameView().scheduleRelayout();
 }
 
 void FrameView::layout(bool allowSubtree)
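Review bot: the comment kept as context at the top of the hunk ("After that the RenderEmbeddedObject (ownerRenderer) carries the correct size, which RenderSVGRoot::computeReplacedLogicalWidth/Height rely on") and the function name `forceLayoutParentViewIfNeeded` both still describe a synchronous layout, but after this change the owner renderer is only marked dirty and `scheduleRelayout()` is called, so the owner does not carry the correct size when this function returns. Either update that comment (and consider renaming the function) to say the parent layout is deferred, or state in the ChangeLog which callers were relying on the synchronous result and why they no longer need it. Dropping the `Ref<FrameView> frameView(...)` protector is fine for a call that only schedules work and cannot run script, but that reasoning is worth a line in the ChangeLog too.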
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes