https://bugs.webkit.org/show_bug.cgi?id=145964
Reviewed by Simon Fraser.
Source/WebCore:
Test: svg/as-object/mutate-on-load.html
* page/FrameView.cpp:
(WebCore::FrameView::forceLayoutParentViewIfNeeded): Don't do a synchronous layout here,
because it can lead indirectly to unwanted layout reentrancy. Instead schedule a layout.
LayoutTests:
* svg/as-object/mutate-on-load-expected.html: Added.
* svg/as-object/mutate-on-load.html: Added.
* svg/as-object/resources/embedded-mutates-on-load.svg: Added.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@185567 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+2015-06-15 Darin Adler <darin@apple.com>
+
+ REGRESSION (r182215): Reproducible crash at drawsvg.org due to reentrant layout
+ https://bugs.webkit.org/show_bug.cgi?id=145964
+
+ Reviewed by Simon Fraser.
+
+ * svg/as-object/mutate-on-load-expected.html: Added.
+ * svg/as-object/mutate-on-load.html: Added.
+ * svg/as-object/resources/embedded-mutates-on-load.svg: Added.
+
2015-06-15 Michael Saboff <msaboff@apple.com>
JIT bug - fails when inspector closed, works when open
--- /dev/null
+<svg viewbox="0 0 66 220" width="66px">
+<rect width="6" height="0" x="0" y="0"/>
+<rect width="54" height="206" x="6" y="20"/>
+</svg>
--- /dev/null
+<embed type="image/svg+xml" width="66px" src="resources/embedded-mutates-on-load.svg"/>\r
--- /dev/null
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg xmlns="http://www.w3.org/2000/svg" onload="runTest()" viewBox="0 0 66 220" width="100%" height="100%">
+<script type="text/ecmascript"><![CDATA[
+
+ function runTest() {
+ document.getElementById("a").setAttribute("height", "0");
+ document.getElementById("b").addEventListener("mousewheel",function() {});
+ }
+
+]]></script>
+
+ <rect id="a" width="6" x="0"/>
+ <rect id="b" width="54" height="206" x="6" y="20"/>
+
+</svg>
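Review bot: In runTest(), nothing explains why the empty "mousewheel" listener on rect "b" is registered alongside the height mutation on rect "a", so a reader cannot tell which of the two statements is needed to reach the reentrant layout. Add a short comment in the SVG (or in mutate-on-load.html) that names bug 145964 and says what each statement contributes, so the listener is not removed later as dead code. It would also help to state that the test passes by rendering the same as the -expected.html reference without crashing.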
+2015-06-15 Darin Adler <darin@apple.com>
+
+ REGRESSION (r182215): Reproducible crash at drawsvg.org due to reentrant layout
+ https://bugs.webkit.org/show_bug.cgi?id=145964
+
+ Reviewed by Simon Fraser.
+
+ Test: svg/as-object/mutate-on-load.html
+
+ * page/FrameView.cpp:
+ (WebCore::FrameView::forceLayoutParentViewIfNeeded): Don't do a synchronous layout here,
+ because it can lead indirectly to unwanted layout reentrancy. Instead schedule a layout.
+
2015-06-15 Matt Rajca <mrajca@apple.com>
Media Session: Active participating elements can change while being iterated
// FrameView for a layout. After that the RenderEmbeddedObject (ownerRenderer) carries the
// correct size, which RenderSVGRoot::computeReplacedLogicalWidth/Height rely on, when laying
// out for the first time, or when the RenderSVGRoot size has changed dynamically (eg. via <script>).
- Ref<FrameView> frameView(ownerRenderer->view().frameView());
- // Mark the owner renderer as needing layout.
ownerRenderer->setNeedsLayoutAndPrefWidthsRecalc();
-
- // Synchronously enter layout, to layout the view containing the host object/embed/iframe.
- frameView->layout();
+ ownerRenderer->view().frameView().scheduleRelayout();
}
void FrameView::layout(bool allowSubtree)
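Review bot: The retained comment above the change still reads "After that the RenderEmbeddedObject (ownerRenderer) carries the correct size", which held when frameView->layout() ran before returning; with scheduleRelayout() the owner renderer only carries the correct size once the scheduled layout has run. Reword the comment to say the parent layout is now deferred, and consider renaming forceLayoutParentViewIfNeeded, since it no longer forces a layout. Dropping the Ref<FrameView> protector is consistent with no layout running here any more, but it is worth confirming that no caller relies on the parent view having been laid out by the time this function returns.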