Context Navigation

← Previous Changeset
Next Changeset →

Changeset 208370 in webkit

Timestamp:

Nov 3, 2016, 10:08:29 PM (8 years ago)

Author:

Antti Koivisto

Message:

Source/WebCore:
REGRESSION (r207669): Crash under media controls shadow root construction
https://bugs.webkit.org/show_bug.cgi?id=164381
<rdar://problem/28935401>

Reviewed by Simon Fraser.

The problem is that we are running a script for media control UA shadow tree in HTMLMediaElement::insertedInto.
It is not safe to run scripts in insertedInto as the tree is in inconsistent state. Instead finishedInsertingSubtree
callback should be used.

Test: media/media-controls-shadow-construction-crash.html

Seen on https://www.theguardian.com/artanddesign/video/2013/oct/14/banksy-central-park-new-york-video

html/HTMLMediaElement.cpp:

(WebCore::HTMLMediaElement::insertedInto):
(WebCore::HTMLMediaElement::finishedInsertingSubtree):

Move configureMediaControls() to finishedInsertingSubtree().

html/HTMLMediaElement.h:
style/StyleTreeResolver.cpp:

(WebCore::Style::TreeResolver::resolveComposedTree):

Add an assert to make the bad state easier to hit in tests.

LayoutTests:
REGRESSION (r207669): Crash under SVGRenderSupport::updateMaskedAncestorShouldIsolateBlending
https://bugs.webkit.org/show_bug.cgi?id=164381
<rdar://problem/28935401>

Reviewed by Simon Fraser.

media/media-controls-shadow-construction-crash-expected.txt: Added.
media/media-controls-shadow-construction-crash.html: Added.

Location:

trunk

Files:

: 2 added
: 5 edited

LayoutTests/ChangeLog (modified) (1 diff)
LayoutTests/media/media-controls-shadow-construction-crash-expected.txt (added)
LayoutTests/media/media-controls-shadow-construction-crash.html (added)
Source/WebCore/ChangeLog (modified) (1 diff)
Source/WebCore/html/HTMLMediaElement.cpp (modified) (1 diff)
Source/WebCore/html/HTMLMediaElement.h (modified) (1 diff)
Source/WebCore/style/StyleTreeResolver.cpp (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/LayoutTests/ChangeLog

-              r208363
+              r208370
+-11-03  Antti Koivisto  <antti@apple.com>
+        REGRESSION (r207669): Crash under SVGRenderSupport::updateMaskedAncestorShouldIsolateBlending
+        https://bugs.webkit.org/show_bug.cgi?id=164381
+        <rdar://problem/28935401>
+        Reviewed by Simon Fraser.
+        * media/media-controls-shadow-construction-crash-expected.txt: Added.
+        * media/media-controls-shadow-construction-crash.html: Added.
 -11-03  Myles C. Maxfield  <mmaxfield@apple.com>

trunk/Source/WebCore/ChangeLog

-              r208366
+              r208370
+-11-03  Antti Koivisto  <antti@apple.com>
+        REGRESSION (r207669): Crash under media controls shadow root construction
+        https://bugs.webkit.org/show_bug.cgi?id=164381
+        <rdar://problem/28935401>
+        Reviewed by Simon Fraser.
+        The problem is that we are running a script for media control UA shadow tree in HTMLMediaElement::insertedInto.
+        It is not safe to run scripts in insertedInto as the tree is in inconsistent state. Instead finishedInsertingSubtree
+        callback should be used.
+        Test: media/media-controls-shadow-construction-crash.html
+        Seen on https://www.theguardian.com/artanddesign/video/2013/oct/14/banksy-central-park-new-york-video
+        * html/HTMLMediaElement.cpp:
+        (WebCore::HTMLMediaElement::insertedInto):
+        (WebCore::HTMLMediaElement::finishedInsertingSubtree):
+            Move configureMediaControls() to finishedInsertingSubtree().
+        * html/HTMLMediaElement.h:
+        * style/StyleTreeResolver.cpp:
+        (WebCore::Style::TreeResolver::resolveComposedTree):
+            Add an assert to make the bad state easier to hit in tests.
 -11-03  Ryosuke Niwa  <rniwa@webkit.org>

trunk/Source/WebCore/html/HTMLMediaElement.cpp

r208329	r208370
808	808	}
809	809
	810	return InsertionShouldCallFinishedInsertingSubtree;
	811	}
	812
	813	void HTMLMediaElement::finishedInsertingSubtree()
	814	{
810	815	configureMediaControls();
811		~~return InsertionDone;~~
812	816	}
813	817

trunk/Source/WebCore/html/HTMLMediaElement.h

r208329	r208370
522	522	bool childShouldCreateRenderer(const Node&) const override;
523	523	InsertionNotificationRequest insertedInto(ContainerNode&) override;
	524	void finishedInsertingSubtree() override;
524	525	void removedFrom(ContainerNode&) override;
525	526	void didRecalcStyle(Style::Change) override;

trunk/Source/WebCore/style/StyleTreeResolver.cpp

r207458	r208370
358	358	auto& parent = this->parent();
359	359
	360	ASSERT(node.inDocument());
360	361	ASSERT(node.containingShadowRoot() == scope().shadowRoot);
361	362	ASSERT(node.parentElement() == parent.element \|\| is<ShadowRoot>(node.parentNode()) \|\| node.parentElement()->shadowRoot());

Note: See TracChangeset for help on using the changeset viewer.