Changeset 229505 in webkit

Timestamp:

Mar 10, 2018 11:31:14 AM (6 years ago)

Author:

Alan Bujtas

Message:

Turn off offset*/scroll* optimization for input elements with shadow content
​https://bugs.webkit.org/show_bug.cgi?id=182383
<rdar://problem/37114190>

Reviewed by Antti Koivisto.

Source/WebCore:

We normally ensure clean tree before calling offsetHeight/Width, scrollHeight/Width.
In certain cases (see updateLayoutIfDimensionsOutOfDate() for details), it's okay to return
the previously computed values even when some part of the tree is dirty.
In case of shadow content, updateLayoutIfDimensionsOutOfDate() might return false (no need to layout)
for the root, while true (needs layout) for the shadow content.
This could confuse the caller (Element::scrollWidth/Height etc) and lead to incorrect result.

Test: fast/forms/scrollheight-with-mutation-crash.html

• dom/Document.cpp:

(WebCore::Document::updateLayoutIfDimensionsOutOfDate):

LayoutTests:

• fast/forms/scrollheight-with-mutation-crash-expected.txt: Added.
• fast/forms/scrollheight-with-mutation-crash.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/forms/scrollheight-with-mutation-crash-expected.txt (added)
• LayoutTests/fast/forms/scrollheight-with-mutation-crash.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/dom/Document.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2018-03-09  Zalan Bujtas  <zalan@apple.com>
+
+        Turn off offset*/scroll* optimization for input elements with shadow content
+        https://bugs.webkit.org/show_bug.cgi?id=182383
+        <rdar://problem/37114190>
+
+        Reviewed by Antti Koivisto.
+
+        * fast/forms/scrollheight-with-mutation-crash-expected.txt: Added.
+        * fast/forms/scrollheight-with-mutation-crash.html: Added.
+
 2018-03-10  Wenson Hsieh  <wenson_hsieh@apple.com>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2018-03-09  Zalan Bujtas  <zalan@apple.com>
+
+        Turn off offset*/scroll* optimization for input elements with shadow content
+        https://bugs.webkit.org/show_bug.cgi?id=182383
+        <rdar://problem/37114190>
+
+        Reviewed by Antti Koivisto.
+
+        We normally ensure clean tree before calling offsetHeight/Width, scrollHeight/Width.
+        In certain cases (see updateLayoutIfDimensionsOutOfDate() for details), it's okay to return
+        the previously computed values even when some part of the tree is dirty.
+        In case of shadow content, updateLayoutIfDimensionsOutOfDate() might return false (no need to layout)
+        for the root, while true (needs layout) for the shadow content.
+        This could confuse the caller (Element::scrollWidth/Height etc) and lead to incorrect result.
+
+        Test: fast/forms/scrollheight-with-mutation-crash.html
+
+        * dom/Document.cpp:
+        (WebCore::Document::updateLayoutIfDimensionsOutOfDate):
+
 2018-03-10  Wenson Hsieh  <wenson_hsieh@apple.com>
 

trunk/Source/WebCore/dom/Document.cpp

@@ -2075 +2075 @@
     }
 
+    // Turn off this optimization for input elements with shadow content.
+    if (is<HTMLInputElement>(element))
+        requireFullLayout = true;
+
     bool isVertical = renderer && !renderer->isHorizontalWritingMode();
     bool checkingLogicalWidth = ((dimensionsCheck & WidthDimensionsCheck) && !isVertical) || ((dimensionsCheck & HeightDimensionsCheck) && isVertical);