Turn off offset*/scroll* optimization for input elements with shadow content
author zalan@apple.com <zalan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 10 Mar 2018 19:31:14 +0000 (19:31 +0000)
committer zalan@apple.com <zalan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 10 Mar 2018 19:31:14 +0000 (19:31 +0000)
https://bugs.webkit.org/show_bug.cgi?id=182383
<rdar://problem/37114190>

Reviewed by Antti Koivisto.

Source/WebCore:

We normally ensure a clean tree before calling offsetHeight/Width, scrollHeight/Width.
In certain cases (see updateLayoutIfDimensionsOutOfDate() for details), it's okay to return
the previously computed values even when some part of the tree is dirty.
In case of shadow content, updateLayoutIfDimensionsOutOfDate() might return false (no need to layout)
for the root, while true (needs layout) for the shadow content.
This could confuse the caller (Element::scrollWidth/Height etc.) and lead to an incorrect result.

Test: fast/forms/scrollheight-with-mutation-crash.html

* dom/Document.cpp:
(WebCore::Document::updateLayoutIfDimensionsOutOfDate):

LayoutTests:

* fast/forms/scrollheight-with-mutation-crash-expected.txt: Added.
* fast/forms/scrollheight-with-mutation-crash.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@229505 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/forms/scrollheight-with-mutation-crash-expected.txt [new file with mode: 0644]
LayoutTests/fast/forms/scrollheight-with-mutation-crash.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/dom/Document.cpp

index 7cfdb658c5660e208b0cc3e09d2862e6363219cc..b31462ffb7b3e52727731f0570a5351b55dd78e6 100644 (file)
@@ -1,3 +1,14 @@
+2018-03-09  Zalan Bujtas  <zalan@apple.com>
+
+        Turn off offset*/scroll* optimization for input elements with shadow content
+        https://bugs.webkit.org/show_bug.cgi?id=182383
+        <rdar://problem/37114190>
+
+        Reviewed by Antti Koivisto.
+
+        * fast/forms/scrollheight-with-mutation-crash-expected.txt: Added.
+        * fast/forms/scrollheight-with-mutation-crash.html: Added.
+
 2018-03-10  Wenson Hsieh  <wenson_hsieh@apple.com>
 
         [macOS] Copying a table from the Numbers app and pasting into iCloud Numbers fails
diff --git a/LayoutTests/fast/forms/scrollheight-with-mutation-crash-expected.txt b/LayoutTests/fast/forms/scrollheight-with-mutation-crash-expected.txt
new file mode 100644 (file)
index 0000000..4d91638
--- /dev/null
@@ -0,0 +1 @@
+PASS if no crash.  
diff --git a/LayoutTests/fast/forms/scrollheight-with-mutation-crash.html b/LayoutTests/fast/forms/scrollheight-with-mutation-crash.html
new file mode 100644 (file)
index 0000000..9897954
--- /dev/null
@@ -0,0 +1,20 @@
+<style>
+input:enabled { 
+    content: url(#foo);
+    width: 10vmin;
+}
+
+keygen {
+    -webkit-transform: scale(12, 125);
+}
+</style>
+PASS if no crash.
+<keygen id=keygen>
+<input id=input type="search">
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+document.body.offsetHeight;
+keygen.remove();
+input.scrollHeight;
+</script>
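Review bot: The script at the end of the new test reads input.scrollHeight and discards it, so the test only shows that the call does not crash; the ChangeLog says the stale-layout path can also return an incorrect result, and nothing here would catch that. Consider dumping or comparing the value after keygen.remove(). A short comment explaining why the style rules (content: url(#foo) on input:enabled, the scale transform on keygen) are needed to reach the dirty shadow content state would also help, since that is not obvious from the markup.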
index 5b46b66a298288ac800001f3cf8af1ed3afdc025..7857b2714e5201d024b204e5ccd99898dbae126b 100644 (file)
@@ -1,3 +1,23 @@
+2018-03-09  Zalan Bujtas  <zalan@apple.com>
+
+        Turn off offset*/scroll* optimization for input elements with shadow content
+        https://bugs.webkit.org/show_bug.cgi?id=182383
+        <rdar://problem/37114190>
+
+        Reviewed by Antti Koivisto.
+
+        We normally ensure clean tree before calling offsetHeight/Width, scrollHeight/Width.
+        In certain cases (see updateLayoutIfDimensionsOutOfDate() for details), it's okay to return
+        the previously computed values even when some part of the tree is dirty.
+        In case of shadow content, updateLayoutIfDimensionsOutOfDate() might return false (no need to layout)
+        for the root, while true (needs layout) for the shadow content.
+        This could confuse the caller (Element::scrollWidth/Height etc) and lead to incorrect result.
+
+        Test: fast/forms/scrollheight-with-mutation-crash.html
+
+        * dom/Document.cpp:
+        (WebCore::Document::updateLayoutIfDimensionsOutOfDate):
+
 2018-03-10  Wenson Hsieh  <wenson_hsieh@apple.com>
 
         [macOS] Copying a table from the Numbers app and pasting into iCloud Numbers fails
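Review bot: The description stops at "lead to incorrect result", but the test listed under Test: is named scrollheight-with-mutation-crash.html, so the entry never states that the failure mode is a crash or how the root/shadow-content disagreement gets there. Add a sentence connecting the two, and mention that the fix sends offset*/scroll* queries on input elements down the full-layout path, so the cost of the change is on record for anyone bisecting later.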
index dbab0ebf5c022ce0939189b9e2022a94dc196803..2bc2065581e0101b0aa539f04f0b284db60fb4f1 100644 (file)
@@ -2074,6 +2074,10 @@ bool Document::updateLayoutIfDimensionsOutOfDate(Element& element, DimensionsChe
         requireFullLayout = true;
     }
 
+    // Turn off this optimization for input elements with shadow content.
+    if (is<HTMLInputElement>(element))
+        requireFullLayout = true;
+
     bool isVertical = renderer && !renderer->isHorizontalWritingMode();
     bool checkingLogicalWidth = ((dimensionsCheck & WidthDimensionsCheck) && !isVertical) || ((dimensionsCheck & HeightDimensionsCheck) && isVertical);
     bool checkingLogicalHeight = ((dimensionsCheck & HeightDimensionsCheck) && !isVertical) || ((dimensionsCheck & WidthDimensionsCheck) && isVertical);
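Review bot: The added check is<HTMLInputElement>(element) is broader than its comment: it sets requireFullLayout for every input element, whether or not it has shadow content, and it does nothing for other elements whose shadow content could hit the same mismatch between a clean root and dirty shadow content. If the intent is really "elements with shadow content", test for that condition directly; if the blanket input check is a deliberate stopgap, say so in the comment and reference bug 182383 so the optimization can be narrowed or re-enabled later.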