Changeset 224131 in webkit
- Timestamp:
- Oct 27, 2017 2:35:14 PM (7 years ago)
- Location:
- trunk/Source/WebCore
- Files:
-
- 5 edited
trunk/Source/WebCore/ChangeLog
r224128 r224131 1 2017-10-27 Ryan Haddad <ryanhaddad@apple.com> 2 3 Unreviewed, rolling out r224011. 4 5 xsl LayoutTests hit an assertion added with this change since 6 r223999 was rolled out. 7 8 Reverted changeset: 9 10 "Assert that no script is executed during style recalc" 11 https://bugs.webkit.org/show_bug.cgi?id=178845 12 https://trac.webkit.org/changeset/224011 13 1 14 2017-10-27 Antoine Quint <graouts@apple.com> 2 15 -
trunk/Source/WebCore/dom/Document.cpp
r224116 r224131 1790 1790 // hits a null-dereference due to security code always assuming the document has a SecurityOrigin. 1791 1791 1792 { 1793 NoEventDispatchAssertion noEventDispatchAssertion; 1794 styleScope().flushPendingUpdate(); 1795 frameView.willRecalcStyle(); 1796 } 1792 styleScope().flushPendingUpdate(); 1793 1794 frameView.willRecalcStyle(); 1797 1795 1798 1796 InspectorInstrumentationCookie cookie = InspectorInstrumentation::willRecalculateStyle(*this); 1799 1797 1798 m_inStyleRecalc = true; 1800 1799 bool updatedCompositingLayers = false; 1801 1800 { 1802 1801 Style::PostResolutionCallbackDisabler disabler(*this); 1803 1802 WidgetHierarchyUpdatesSuspensionScope suspendWidgetHierarchyUpdates; 1804 NoEventDispatchAssertion noEventDispatchAssertion;1805 1806 m_inStyleRecalc = true;1807 1803 1808 1804 if (m_pendingStyleRecalcShouldForce) … … 1853 1849 if (m_renderView->needsLayout()) 1854 1850 frameView.scheduleRelayout(); 1855 1856 // Usually this is handled by post-layout.1857 if (!frameView.needsLayout())1858 frameView.frame().selection().scheduleAppearanceUpdateAfterStyleChange();1859 1860 // As a result of the style recalculation, the currently hovered element might have been1861 // detached (for example, by setting display:none in the :hover style), schedule another mouseMove event1862 // to check if any other elements ended up under the mouse pointer due to re-layout.1863 if (m_hoveredElement && !m_hoveredElement->renderer())1864 frameView.frame().mainFrame().eventHandler().dispatchFakeMouseMoveEventSoon();1865 1866 ++m_styleRecalcCount;1867 // FIXME: Assert ASSERT(!needsStyleRecalc()) here. Do we still have some cases where it's not true?1868 1851 } 1869 1852 … … 1873 1856 implicitClose(); 1874 1857 } 1858 1859 ++m_styleRecalcCount; 1875 1860 1876 1861 InspectorInstrumentation::didRecalculateStyle(cookie); … … 1882 1867 frameView.viewportContentsChanged(); 1883 1868 1869 // Usually this is handled by post-layout. 
1870 if (!frameView.needsLayout()) 1871 frameView.frame().selection().scheduleAppearanceUpdateAfterStyleChange(); 1872 1873 // As a result of the style recalculation, the currently hovered element might have been 1874 // detached (for example, by setting display:none in the :hover style), schedule another mouseMove event 1875 // to check if any other elements ended up under the mouse pointer due to re-layout. 1876 if (m_hoveredElement && !m_hoveredElement->renderer()) 1877 frameView.frame().mainFrame().eventHandler().dispatchFakeMouseMoveEventSoon(); 1878 1884 1879 if (m_gotoAnchorNeededAfterStylesheetsLoad && !styleScope().hasPendingSheets()) 1885 1880 frameView.scrollToFragment(m_url); 1881 1882 // FIXME: Ideally we would ASSERT(!needsStyleRecalc()) here but we have some cases where it is not true. 1886 1883 } 1887 1884 … … 1921 1918 bool Document::updateStyleIfNeeded() 1922 1919 { 1923 { 1924 NoEventDispatchAssertion noEventDispatchAssertion; 1925 ASSERT(isMainThread()); 1926 ASSERT(!view() || !view()->isPainting()); 1927 1928 if (!view() || view()->isInRenderTreeLayout()) 1929 return false; 1930 1931 styleScope().flushPendingUpdate(); 1932 1933 if (!needsStyleRecalc()) 1934 return false; 1935 } 1920 ASSERT(isMainThread()); 1921 ASSERT(!view() || !view()->isPainting()); 1922 1923 if (!view() || view()->isInRenderTreeLayout()) 1924 return false; 1925 1926 styleScope().flushPendingUpdate(); 1927 1928 if (!needsStyleRecalc()) 1929 return false; 1936 1930 1937 1931 resolveStyle(); -
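Review bot: After this rollout, neither resolveStyle() (new lines 1792-1794) nor updateStyleIfNeeded() (new lines 1920-1929) has any check that `styleScope().flushPendingUpdate()` and `frameView.willRecalcStyle()` run without dispatching events, and nothing in the code records that the guard was removed only temporarily. The ChangeLog attributes the rollout to xsl LayoutTests hitting the assertion once r223999 was rolled out, so a marker at the first call site would keep the re-land visible, for example `// FIXME: Restore NoEventDispatchAssertion around style recalc; see https://bugs.webkit.org/show_bug.cgi?id=178845.`. Both function bodies start and end outside the visible hunks.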
trunk/Source/WebCore/dom/Element.cpp
r224053 r224131 342 342 { 343 343 Ref<Element> clone = cloneElementWithoutChildren(targetDocument); 344 345 // It's safe to dispatch events on the cloned node since author scripts have no access to it yet.346 // This is needed for SVGUseElement::cloneTarget.347 NoEventDispatchAssertion::EventAllowedScope allowedScope(clone.get());348 349 344 cloneChildNodes(clone); 350 345 return clone; … … 354 349 { 355 350 Ref<Element> clone = cloneElementWithoutAttributesAndChildren(targetDocument); 356 357 // It's safe to dispatch events on the cloned node since author scripts have no access to it yet.358 // This is needed for SVGUseElement::cloneTarget.359 NoEventDispatchAssertion::EventAllowedScope allowedScope(clone.get());360 361 351 // This will catch HTML elements in the wrong namespace that are not correctly copied. 362 352 // This is a sanity check as HTML overloads some of the DOM methods. -
trunk/Source/WebCore/dom/EventDispatcher.cpp
r224011 r224131 131 131 bool EventDispatcher::dispatchEvent(Node& node, Event& event) 132 132 { 133 ASSERT_WITH_SECURITY_IMPLICATION(NoEventDispatchAssertion::isEvent DispatchAllowedInSubtree(node));133 ASSERT_WITH_SECURITY_IMPLICATION(NoEventDispatchAssertion::isEventAllowedInMainThread()); 134 134 Ref<Node> protectedNode(node); 135 135 RefPtr<FrameView> view = node.document().view(); … … 149 149 if (!event.target()) 150 150 return true; 151 152 ASSERT_WITH_SECURITY_IMPLICATION(NoEventDispatchAssertion::isEventAllowedInMainThread()); 151 153 152 154 InputElementClickState clickHandlingState; -
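Review bot: The entry assertion in dispatchEvent() at new line 133 no longer takes `node`, so it is now a global check rather than a per-subtree one. Whether the `EventAllowedScope` objects that remain in the tree (for example the one kept in SVGUseElement.cpp) still affect `isEventAllowedInMainThread()` cannot be seen on this page and should be confirmed. The same assertion is repeated at new line 152 after the `if (!event.target())` early return without saying why. If the intent is to re-validate after the elided steps, a short comment such as `// Checked again because the steps above can change whether dispatch is allowed.` would make that explicit. The function body continues outside the hunks.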
trunk/Source/WebCore/svg/SVGUseElement.cpp
r224011 r224131 217 217 { 218 218 if (auto root = userAgentShadowRoot()) { 219 // Safe because SVG use element's shadow tree is never used to fire synchronous events during layout or DOM mutations.220 219 NoEventDispatchAssertion::EventAllowedScope scope(*root); 221 220 root->removeChildren(); … … 245 244 } 246 245 247 { 248 // Safe because the cloned shadow tree has never been exposed to author scripts. 249 auto& shadowRoot = ensureUserAgentShadowRoot(); 250 NoEventDispatchAssertion::EventAllowedScope scope(shadowRoot); 251 cloneTarget(shadowRoot, *target); 252 expandUseElementsInShadowTree(); 253 expandSymbolElementsInShadowTree(); 254 updateRelativeLengthsInformation(); 255 } 256 246 cloneTarget(ensureUserAgentShadowRoot(), *target); 247 expandUseElementsInShadowTree(); 248 expandSymbolElementsInShadowTree(); 257 249 transferEventListenersToShadowTree(); 250 251 updateRelativeLengthsInformation(); 258 252 259 253 // When we invalidate the other shadow trees, it's important that we don't … … 437 431 { 438 432 Ref<SVGElement> targetClone = static_cast<SVGElement&>(target.cloneElementWithChildren(document()).get()); 439 // Safe because the newy cloned nodes in the shadow tree has not been exposed to author scripts yet.440 NoEventDispatchAssertion::EventAllowedScope scope(targetClone);441 433 associateClonesWithOriginals(targetClone.get(), target); 442 434 removeDisallowedElementsFromSubtree(targetClone.get()); … … 471 463 472 464 auto replacementClone = SVGGElement::create(document()); 473 // Safe because the use element's shadow tree is not exposed to author scripts, and we don't fire synchronous events during layout & DOM layout.474 NoEventDispatchAssertion::EventAllowedScope scope(replacementClone);475 476 465 cloneDataAndChildren(replacementClone.get(), originalClone); 477 466 … … 507 496 508 497 auto replacementClone = SVGSVGElement::create(document()); 509 // Safe because the newly created SVG element and the newly created shadow tree has not been exposed to 
author scripts yet.510 NoEventDispatchAssertion::EventAllowedScope scope(replacementClone);511 498 cloneDataAndChildren(replacementClone.get(), originalClone); 512 499 … … 520 507 void SVGUseElement::transferEventListenersToShadowTree() const 521 508 { 522 // FIXME: Don't directly add event listeners on each descendant. Copy event listeners on the use element instead.523 509 for (auto& descendant : descendantsOfType<SVGElement>(*userAgentShadowRoot())) { 524 510 if (EventTargetData* data = descendant.correspondingElement()->eventTargetData())
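Review bot: The `NoEventDispatchAssertion::EventAllowedScope scope(*root);` kept at new line 219 no longer has a comment explaining why allowing events around `root->removeChildren()` is safe, because the rollout drops that justification along with the scopes it removes. Since this scope relaxes a security assertion, I would keep the rationale next to it, e.g. `// Safe: the use element's shadow tree is never used to fire synchronous events during layout or DOM mutations.`. Separately, `updateRelativeLengthsInformation()` now runs after `transferEventListenersToShadowTree()` (new lines 249-251); this looks like a restoration of the earlier order, but it is worth confirming that the reordering is intended. The enclosing functions start and end outside the visible hunks.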