REGRESSION (r182215): Reproducible crash at drawsvg.org due to reentrant layout
author darin@apple.com <darin@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 15 Jun 2015 22:01:58 +0000 (22:01 +0000)
committer darin@apple.com <darin@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 15 Jun 2015 22:01:58 +0000 (22:01 +0000)
https://bugs.webkit.org/show_bug.cgi?id=145964

Reviewed by Simon Fraser.

Source/WebCore:

Test: svg/as-object/mutate-on-load.html

* page/FrameView.cpp:
(WebCore::FrameView::forceLayoutParentViewIfNeeded): Don't do a synchronous layout here,
because it can lead indirectly to unwanted layout reentrancy. Instead schedule a layout.

LayoutTests:

* svg/as-object/mutate-on-load-expected.html: Added.
* svg/as-object/mutate-on-load.html: Added.
* svg/as-object/resources/embedded-mutates-on-load.svg: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@185567 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/svg/as-object/mutate-on-load-expected.html [new file with mode: 0644]
LayoutTests/svg/as-object/mutate-on-load.html [new file with mode: 0644]
LayoutTests/svg/as-object/resources/embedded-mutates-on-load.svg [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/page/FrameView.cpp

index 46cc870..ae3a590 100644 (file)
@@ -1,3 +1,14 @@
+2015-06-15  Darin Adler  <darin@apple.com>
+
+        REGRESSION (r182215): Reproducible crash at drawsvg.org due to reentrant layout
+        https://bugs.webkit.org/show_bug.cgi?id=145964
+
+        Reviewed by Simon Fraser.
+
+        * svg/as-object/mutate-on-load-expected.html: Added.
+        * svg/as-object/mutate-on-load.html: Added.
+        * svg/as-object/resources/embedded-mutates-on-load.svg: Added.
+
 2015-06-15  Michael Saboff  <msaboff@apple.com>
 
         JIT bug - fails when inspector closed, works when open
diff --git a/LayoutTests/svg/as-object/mutate-on-load-expected.html b/LayoutTests/svg/as-object/mutate-on-load-expected.html
new file mode 100644 (file)
index 0000000..ca66b46
--- /dev/null
@@ -0,0 +1,4 @@
+<svg viewbox="0 0 66 220" width="66px">
+<rect width="6" height="0" x="0" y="0"/>
+<rect width="54" height="206" x="6" y="20"/>
+</svg>
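Review bot: the reference file spells the attribute `viewbox` (line 1 of the hunk) while the SVG under test uses `viewBox`; this only works because the HTML parser case-fixes the attribute on inline `<svg>`, so write `viewBox="0 0 66 220"` here too, so the reference does not depend on that fixup and both files stay grep-consistent.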
diff --git a/LayoutTests/svg/as-object/mutate-on-load.html b/LayoutTests/svg/as-object/mutate-on-load.html
new file mode 100644 (file)
index 0000000..16e9b19
--- /dev/null
@@ -0,0 +1 @@
+<embed type="image/svg+xml" width="66px" src="resources/embedded-mutates-on-load.svg"/>\r
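Review bot: the single line of mutate-on-load.html ends in a carriage return (the trailing `\r`), so the file has a CRLF line ending while every other file in this patch uses LF; convert it to LF before landing so the test file does not carry mixed line endings into the tree.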
diff --git a/LayoutTests/svg/as-object/resources/embedded-mutates-on-load.svg b/LayoutTests/svg/as-object/resources/embedded-mutates-on-load.svg
new file mode 100644 (file)
index 0000000..71495ff
--- /dev/null
@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg xmlns="http://www.w3.org/2000/svg" onload="runTest()" viewBox="0 0 66 220" width="100%" height="100%">
+<script type="text/ecmascript"><![CDATA[
+
+    function runTest() {
+        document.getElementById("a").setAttribute("height", "0");
+        document.getElementById("b").addEventListener("mousewheel",function() {});
+    }
+
+]]></script>
+
+    <rect id="a" width="6" x="0"/>
+    <rect id="b" width="54" height="206" x="6" y="20"/>
+
+</svg>
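Review bot: runTest() reads as though the `mousewheel` listener on `#b` is dead code, since the reference rendering only depends on `#a` getting height 0; add a comment in the script stating that both steps (the height mutation and registering a wheel listener) are part of the crash repro from the bug, so a later cleanup does not drop the listener and silently turn this into a test that no longer exercises the reentrant layout path. Separately, `<rect id="a" width="6" x="0"/>` omits `y` while the expected file gives `y="0"`; that matches only because the SVG default for `y` is 0, so setting it explicitly keeps the two files visibly aligned.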
index bc71871..a466f3e 100644 (file)
@@ -1,3 +1,16 @@
+2015-06-15  Darin Adler  <darin@apple.com>
+
+        REGRESSION (r182215): Reproducible crash at drawsvg.org due to reentrant layout
+        https://bugs.webkit.org/show_bug.cgi?id=145964
+
+        Reviewed by Simon Fraser.
+
+        Test: svg/as-object/mutate-on-load.html
+
+        * page/FrameView.cpp:
+        (WebCore::FrameView::forceLayoutParentViewIfNeeded): Don't do a synchronous layout here,
+        because it can lead indirectly to unwanted layout reentrancy. Instead schedule a layout.
+
 2015-06-15  Matt Rajca  <mrajca@apple.com>
 
         Media Session: Active participating elements can change while being iterated 
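Review bot: the ChangeLog entry says why the synchronous layout is removed but not what the deferral means for the caller; callers of forceLayoutParentViewIfNeeded() previously got an owner renderer with its final size on return, and after this change they only get a pending relayout. A sentence noting that RenderSVGRoot's sizing now waits for the scheduled layout (and that this was verified not to regress the first-layout case the comment in FrameView.cpp describes) would make the trade-off clear to whoever next touches this path.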
index 2a89880..abc63bf 100644 (file)
@@ -1131,13 +1131,9 @@ inline void FrameView::forceLayoutParentViewIfNeeded()
     // FrameView for a layout. After that the RenderEmbeddedObject (ownerRenderer) carries the
     // correct size, which RenderSVGRoot::computeReplacedLogicalWidth/Height rely on, when laying
     // out for the first time, or when the RenderSVGRoot size has changed dynamically (eg. via <script>).
-    Ref<FrameView> frameView(ownerRenderer->view().frameView());
 
-    // Mark the owner renderer as needing layout.
     ownerRenderer->setNeedsLayoutAndPrefWidthsRecalc();
-
-    // Synchronously enter layout, to layout the view containing the host object/embed/iframe.
-    frameView->layout();
+    ownerRenderer->view().frameView().scheduleRelayout();
 }
 
 void FrameView::layout(bool allowSubtree)
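Review bot: the comment retained above the change (the lines starting "FrameView for a layout. After that the RenderEmbeddedObject (ownerRenderer) carries the correct size") still describes the old synchronous contract, but after replacing `frameView->layout()` with `ownerRenderer->view().frameView().scheduleRelayout();` the owner renderer does not carry the correct size on return, only after the scheduled layout runs. Update that comment to say a relayout is scheduled, and consider whether the name forceLayoutParentViewIfNeeded() still fits, since the function no longer forces a layout. Dropping the `Ref<FrameView>` protector is fine given that no layout is entered here any more.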