Changeset 224159 in webkit

Timestamp:

Oct 29, 2017 3:15:55 AM (6 years ago)

Author:

rniwa@webkit.org

Message:

Assert that no script is executed during style recalc
​https://bugs.webkit.org/show_bug.cgi?id=178845
<rdar://problem/35106129>

Reviewed by Antti Koivisto.

This patch adds NoEventDispatchAssertion to Document::updateStyle and Document::updateStyleIfNeeded
to make sure we don't start mutating DOM in the middle of a style update.

Added NoEventDispatchAssertion::EventAllowedScope for various places in SVGUseElement to update its
shadow tree since that happens while updating the style.

No new tests since there should be no behavioral change.

• dom/Document.cpp:

(WebCore::Document::resolveStyle): Added NoEventDispatchAssertion while flushing pending stylesheets
and calling FrameView::willRecalcStyle, and while the style tree solver is in works. Also moved in
the code to update the selection and schedule to dispatch a fake mouse event into the same scope.
Also increment m_styleRecalcCount in the same code since post resolution callbacks could run author
scripts which in turn trigger another (recursive) style recalc.
(WebCore::Document::updateStyleIfNeeded): Put everything but the call to resolveStyle in a scope with
NoEventDispatchAssertion.

• dom/Element.cpp:

(WebCore::Element::cloneElementWithChildren): Added NoEventDispatchAssertion::EventAllowedScope to the
newly cloned element for SVG use element's shadow tree.
(WebCore::Element::cloneElementWithoutChildren): Ditto.

• dom/EventDispatcher.cpp:

(WebCore::EventDispatcher::dispatchEvent): Make the assertion more precise to workaround the fact SVG
use elements update its shadow tree in the middle of style updates. Also removed a redundant assertion
since the result of NoEventDispatchAssertion::isEventDispatchAllowedInSubtree cannot chance without
pushing or popoing the stack frame.

• svg/SVGUseElement.cpp:

(WebCore::SVGUseElement::clearShadowTree):
(WebCore::SVGUseElement::updateShadowTree): Added NoEventDispatchAssertion to the user-agent shadow root
of a SVG use element. Since this is a newly created shadow tree which hasn't been exposed to author
scripts, it's safe to mutate them during the style recalc even though it's not the best design.
(WebCore::SVGUseElement::cloneTarget const): Ditto.
(WebCore::SVGUseElement::expandUseElementsInShadowTree const): Ditto.
(WebCore::SVGUseElement::expandSymbolElementsInShadowTree const): Ditto.
(WebCore::SVGUseElement::transferEventListenersToShadowTree const):

Location:

trunk/Source/WebCore

Files:

• ChangeLog (modified) (1 diff)
• dom/Document.cpp (modified) (5 diffs)
• dom/Element.cpp (modified) (2 diffs)
• dom/EventDispatcher.cpp (modified) (2 diffs)
• svg/SVGUseElement.cpp (modified) (6 diffs)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2017-10-29  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Assert that no script is executed during style recalc
+        https://bugs.webkit.org/show_bug.cgi?id=178845
+        <rdar://problem/35106129>
+
+        Reviewed by Antti Koivisto.
+
+        This patch adds NoEventDispatchAssertion to Document::updateStyle and Document::updateStyleIfNeeded
+        to make sure we don't start mutating DOM in the middle of a style update.
+
+        Added NoEventDispatchAssertion::EventAllowedScope for various places in SVGUseElement to update its
+        shadow tree since that happens while updating the style.
+
+        No new tests since there should be no behavioral change.
+
+        * dom/Document.cpp:
+        (WebCore::Document::resolveStyle): Added NoEventDispatchAssertion while flushing pending stylesheets
+        and calling FrameView::willRecalcStyle, and while the style tree solver is in works. Also moved in
+        the code to update the selection and schedule to dispatch a fake mouse event into the same scope.
+        Also increment m_styleRecalcCount in the same code since post resolution callbacks could run author
+        scripts which in turn trigger another (recursive) style recalc.
+        (WebCore::Document::updateStyleIfNeeded): Put everything but the call to resolveStyle in a scope with
+        NoEventDispatchAssertion.
+        * dom/Element.cpp:
+        (WebCore::Element::cloneElementWithChildren): Added NoEventDispatchAssertion::EventAllowedScope to the
+        newly cloned element for SVG use element's shadow tree.
+        (WebCore::Element::cloneElementWithoutChildren): Ditto.
+        * dom/EventDispatcher.cpp:
+        (WebCore::EventDispatcher::dispatchEvent): Make the assertion more precise to workaround the fact SVG
+        use elements update its shadow tree in the middle of style updates. Also removed a redundant assertion
+        since the result of NoEventDispatchAssertion::isEventDispatchAllowedInSubtree cannot chance without
+        pushing or popoing the stack frame.
+        * svg/SVGUseElement.cpp:
+        (WebCore::SVGUseElement::clearShadowTree):
+        (WebCore::SVGUseElement::updateShadowTree): Added NoEventDispatchAssertion to the user-agent shadow root
+        of a SVG use element. Since this is a newly created shadow tree which hasn't been exposed to author
+        scripts, it's safe to mutate them during the style recalc even though it's not the best design.
+        (WebCore::SVGUseElement::cloneTarget const): Ditto.
+        (WebCore::SVGUseElement::expandUseElementsInShadowTree const): Ditto.
+        (WebCore::SVGUseElement::expandSymbolElementsInShadowTree const): Ditto.
+        (WebCore::SVGUseElement::transferEventListenersToShadowTree const):
+
 2017-10-28  Dean Jackson  <dino@apple.com>
 

trunk/Source/WebCore/dom/Document.cpp

@@ -1793 +1793 @@
     // hits a null-dereference due to security code always assuming the document has a SecurityOrigin.
 
-    styleScope().flushPendingUpdate();
-
-    frameView.willRecalcStyle();
+    {
+        NoEventDispatchAssertion noEventDispatchAssertion;
+        styleScope().flushPendingUpdate();
+        frameView.willRecalcStyle();
+    }
 
     InspectorInstrumentationCookie cookie = InspectorInstrumentation::willRecalculateStyle(*this);
 
-    m_inStyleRecalc = true;
     bool updatedCompositingLayers = false;
     {
         Style::PostResolutionCallbackDisabler disabler(*this);
         WidgetHierarchyUpdatesSuspensionScope suspendWidgetHierarchyUpdates;
+        NoEventDispatchAssertion noEventDispatchAssertion;
+
+        m_inStyleRecalc = true;
 
         if (m_pendingStyleRecalcShouldForce)
@@ -1852 +1856 @@
         if (m_renderView->needsLayout())
             frameView.layoutContext().scheduleLayout();
+
+        // Usually this is handled by post-layout.
+        if (!frameView.needsLayout())
+            frameView.frame().selection().scheduleAppearanceUpdateAfterStyleChange();
+
+        // As a result of the style recalculation, the currently hovered element might have been
+        // detached (for example, by setting display:none in the :hover style), schedule another mouseMove event
+        // to check if any other elements ended up under the mouse pointer due to re-layout.
+        if (m_hoveredElement && !m_hoveredElement->renderer())
+            frameView.frame().mainFrame().eventHandler().dispatchFakeMouseMoveEventSoon();
+
+        ++m_styleRecalcCount;
+        // FIXME: Assert ASSERT(!needsStyleRecalc()) here. Do we still have some cases where it's not true?
     }
 
@@ -1859 +1876 @@
         implicitClose();
     }
-    
-    ++m_styleRecalcCount;
 
     InspectorInstrumentation::didRecalculateStyle(cookie);
@@ -1870 +1885 @@
         frameView.viewportContentsChanged();
 
-    // Usually this is handled by post-layout.
-    if (!frameView.needsLayout())
-        frameView.frame().selection().scheduleAppearanceUpdateAfterStyleChange();
-
-    // As a result of the style recalculation, the currently hovered element might have been
-    // detached (for example, by setting display:none in the :hover style), schedule another mouseMove event
-    // to check if any other elements ended up under the mouse pointer due to re-layout.
-    if (m_hoveredElement && !m_hoveredElement->renderer())
-        frameView.frame().mainFrame().eventHandler().dispatchFakeMouseMoveEventSoon();
-
     if (m_gotoAnchorNeededAfterStylesheetsLoad && !styleScope().hasPendingSheets())
         frameView.scrollToFragment(m_url);
-
-    // FIXME: Ideally we would ASSERT(!needsStyleRecalc()) here but we have some cases where it is not true.
 }
 
@@ -1921 +1924 @@
 bool Document::updateStyleIfNeeded()
 {
-    ASSERT(isMainThread());
-    ASSERT(!view() || !view()->isPainting());
-
-    if (!view() || view()->layoutContext().isInRenderTreeLayout())
-        return false;
-
-    styleScope().flushPendingUpdate();
-
-    if (!needsStyleRecalc())
-        return false;
+    {
+        NoEventDispatchAssertion noEventDispatchAssertion;
+        ASSERT(isMainThread());
+        ASSERT(!view() || !view()->isPainting());
+
+        if (!view() || view()->layoutContext().isInRenderTreeLayout())
+            return false;
+
+        styleScope().flushPendingUpdate();
+
+        if (!needsStyleRecalc())
+            return false;
+    }
 
     resolveStyle();

trunk/Source/WebCore/dom/Element.cpp

@@ -342 +342 @@
 {
     Ref<Element> clone = cloneElementWithoutChildren(targetDocument);
+
+    // It's safe to dispatch events on the cloned node since author scripts have no access to it yet.
+    // This is needed for SVGUseElement::cloneTarget.
+    NoEventDispatchAssertion::EventAllowedScope allowedScope(clone.get());
+
     cloneChildNodes(clone);
     return clone;
@@ -349 +354 @@
 {
     Ref<Element> clone = cloneElementWithoutAttributesAndChildren(targetDocument);
+
+    // It's safe to dispatch events on the cloned node since author scripts have no access to it yet.
+    // This is needed for SVGUseElement::cloneTarget.
+    NoEventDispatchAssertion::EventAllowedScope allowedScope(clone.get());
+
     // This will catch HTML elements in the wrong namespace that are not correctly copied.
     // This is a sanity check as HTML overloads some of the DOM methods.

trunk/Source/WebCore/dom/EventDispatcher.cpp

@@ -131 +131 @@
 bool EventDispatcher::dispatchEvent(Node& node, Event& event)
 {
-    ASSERT_WITH_SECURITY_IMPLICATION(NoEventDispatchAssertion::isEventAllowedInMainThread());
+    ASSERT_WITH_SECURITY_IMPLICATION(NoEventDispatchAssertion::isEventDispatchAllowedInSubtree(node));
     Ref<Node> protectedNode(node);
     RefPtr<FrameView> view = node.document().view();
@@ -149 +149 @@
     if (!event.target())
         return true;
-
-    ASSERT_WITH_SECURITY_IMPLICATION(NoEventDispatchAssertion::isEventAllowedInMainThread());
 
     InputElementClickState clickHandlingState;

trunk/Source/WebCore/svg/SVGUseElement.cpp

@@ -217 +217 @@
 {
     if (auto root = userAgentShadowRoot()) {
+        // Safe because SVG use element's shadow tree is never used to fire synchronous events during layout or DOM mutations.
         NoEventDispatchAssertion::EventAllowedScope scope(*root);
         root->removeChildren();
@@ -244 +245 @@
     }
 
-    cloneTarget(ensureUserAgentShadowRoot(), *target);
-    expandUseElementsInShadowTree();
-    expandSymbolElementsInShadowTree();
+    {
+        // Safe because the cloned shadow tree has never been exposed to author scripts.
+        auto& shadowRoot = ensureUserAgentShadowRoot();
+        NoEventDispatchAssertion::EventAllowedScope scope(shadowRoot);
+        cloneTarget(shadowRoot, *target);
+        expandUseElementsInShadowTree();
+        expandSymbolElementsInShadowTree();
+        updateRelativeLengthsInformation();
+    }
+
     transferEventListenersToShadowTree();
-
-    updateRelativeLengthsInformation();
 
     // When we invalidate the other shadow trees, it's important that we don't
@@ -431 +437 @@
 {
     Ref<SVGElement> targetClone = static_cast<SVGElement&>(target.cloneElementWithChildren(document()).get());
+    // Safe because the newy cloned nodes in the shadow tree has not been exposed to author scripts yet.
+    NoEventDispatchAssertion::EventAllowedScope scope(targetClone);
     associateClonesWithOriginals(targetClone.get(), target);
     removeDisallowedElementsFromSubtree(targetClone.get());
@@ -463 +471 @@
 
         auto replacementClone = SVGGElement::create(document());
+        // Safe because the use element's shadow tree is not exposed to author scripts, and we don't fire synchronous events during layout & DOM layout.
+        NoEventDispatchAssertion::EventAllowedScope scope(replacementClone);
+
         cloneDataAndChildren(replacementClone.get(), originalClone);
 
@@ -496 +507 @@
 
         auto replacementClone = SVGSVGElement::create(document());
+        // Safe because the newly created SVG element and the newly created shadow tree has not been exposed to author scripts yet.
+        NoEventDispatchAssertion::EventAllowedScope scope(replacementClone);
         cloneDataAndChildren(replacementClone.get(), originalClone);
 
@@ -507 +520 @@
 void SVGUseElement::transferEventListenersToShadowTree() const
 {
+    // FIXME: Don't directly add event listeners on each descendant. Copy event listeners on the use element instead.
     for (auto& descendant : descendantsOfType<SVGElement>(*userAgentShadowRoot())) {
         if (EventTargetData* data = descendant.correspondingElement()->eventTargetData())