Changeset 224378 in webkit

Timestamp:

Nov 2, 2017 8:48:11 PM (7 years ago)

Author:

rniwa@webkit.org

Message:

Assert that updateStyle and updateLayout are only called when it's safe to dispatch events
​https://bugs.webkit.org/show_bug.cgi?id=179157
<rdar://problem/35144778>

Reviewed by Zalan Bujtas.

Added assertions to Document::updateStyleIfNeeded and Document::updateLayout that these functions are
only called when NoEventDispatchAssertion::isEventAllowedInMainThread() is true with two exceptions:

1. Inside SVGImage::draw which triggers a layout on a separate document.
2. While doing a nested layout for a frame flattening.

No new tests since there should be no behavioral changes.

• dom/ContainerNode.cpp:

(NoEventDispatchAssertion::DisableAssertionsInScope::s_existingCount): Deleted. This is now an instance
variable of DisableAssertionsInScope.
(ContainerNode::removeNodeWithScriptAssertion): Moved childrenChanged out of the scope since it could
invoke respondToChangedSelection via HTMLTextAreaElement::childrenChanged.

• dom/Document.cpp:

(WebCore::Document::updateStyleIfNeeded): Added the assertion. Allow updateWidgetPositions() to call
this function but exit early when checking needsStyleRecalc().
(WebCore::Document::updateLayout): Added the assertion.

• dom/NoEventDispatchAssertion.h:

(WebCore::NoEventDispatchAssertion::DisableAssertionsInScope::DisableAssertionsInScope): Made this class
store the original value of s_count as an instance variable to support re-entrancy.
(WebCore::NoEventDispatchAssertion::DisableAssertionsInScope::~DisableAssertionsInScope): Ditto.

• page/LayoutContext.cpp:

(WebCore::LayoutContext::runOrScheduleAsynchronousTasks): Temporarily disable the assertion. This is safe
since SVGImage has its own document.

• svg/SVGSVGElement.cpp:

(WebCore::checkIntersectionWithoutUpdatingLayout): Extracted out of SVGSVGElement::checkIntersection.
(WebCore::checkEnclosureWithoutUpdatingLayout): Extracted out of SVGSVGElement::checkEnclosure.
(WebCore::SVGSVGElement::getIntersectionList): Use checkIntersectionWithoutUpdatingLayout to avoid
calling updateLayoutIgnorePendingStylesheets while iterating over elements.
(WebCore::SVGSVGElement::getEnclosureList): Ditto.
(WebCore::SVGSVGElement::checkIntersection):
(WebCore::SVGSVGElement::checkEnclosure):

• svg/graphics/SVGImage.cpp:

(WebCore::SVGImage::draw): Temporarily disable the assertion. This is safe as SVGImage has its own page.

Location:

trunk/Source/WebCore

Files:

• ChangeLog (modified) (1 diff)
• dom/ContainerNode.cpp (modified) (2 diffs)
• dom/Document.cpp (modified) (4 diffs)
• dom/NoEventDispatchAssertion.h (modified) (1 diff)
• svg/SVGSVGElement.cpp (modified) (5 diffs)
• svg/SVGSVGElement.h (modified) (1 diff)
• svg/graphics/SVGImage.cpp (modified) (2 diffs)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2017-11-01  Ryosuke Niwa  <rniwa@webkit.org>
+
+        Assert that updateStyle and updateLayout are only called when it's safe to dispatch events
+        https://bugs.webkit.org/show_bug.cgi?id=179157
+        <rdar://problem/35144778>
+
+        Reviewed by Zalan Bujtas.
+
+        Added assertions to Document::updateStyleIfNeeded and Document::updateLayout that these functions are
+        only called when NoEventDispatchAssertion::isEventAllowedInMainThread() is true with two exceptions:
+        1. Inside SVGImage::draw which triggers a layout on a separate document.
+        2. While doing a nested layout for a frame flattening.
+
+        No new tests since there should be no behavioral changes.
+
+        * dom/ContainerNode.cpp:
+        (NoEventDispatchAssertion::DisableAssertionsInScope::s_existingCount): Deleted. This is now an instance
+        variable of DisableAssertionsInScope.
+        (ContainerNode::removeNodeWithScriptAssertion): Moved childrenChanged out of the scope since it could
+        invoke respondToChangedSelection via HTMLTextAreaElement::childrenChanged.
+        * dom/Document.cpp:
+        (WebCore::Document::updateStyleIfNeeded): Added the assertion. Allow updateWidgetPositions() to call
+        this function but exit early when checking needsStyleRecalc().
+        (WebCore::Document::updateLayout): Added the assertion.
+        * dom/NoEventDispatchAssertion.h:
+        (WebCore::NoEventDispatchAssertion::DisableAssertionsInScope::DisableAssertionsInScope): Made this class
+        store the original value of s_count as an instance variable to support re-entrancy.
+        (WebCore::NoEventDispatchAssertion::DisableAssertionsInScope::~DisableAssertionsInScope): Ditto.
+        * page/LayoutContext.cpp:
+        (WebCore::LayoutContext::runOrScheduleAsynchronousTasks): Temporarily disable the assertion. This is safe
+        since SVGImage has its own document.
+        * svg/SVGSVGElement.cpp:
+        (WebCore::checkIntersectionWithoutUpdatingLayout): Extracted out of SVGSVGElement::checkIntersection.
+        (WebCore::checkEnclosureWithoutUpdatingLayout): Extracted out of SVGSVGElement::checkEnclosure.
+        (WebCore::SVGSVGElement::getIntersectionList): Use checkIntersectionWithoutUpdatingLayout to avoid
+        calling updateLayoutIgnorePendingStylesheets while iterating over elements.
+        (WebCore::SVGSVGElement::getEnclosureList): Ditto.
+        (WebCore::SVGSVGElement::checkIntersection):
+        (WebCore::SVGSVGElement::checkEnclosure):
+        * svg/graphics/SVGImage.cpp:
+        (WebCore::SVGImage::draw): Temporarily disable the assertion. This is safe as SVGImage has its own page.
+
 2017-11-02  Alex Christensen  <achristensen@webkit.org>
 

trunk/Source/WebCore/dom/ContainerNode.cpp

@@ -73 +73 @@
 #if !ASSERT_DISABLED
 unsigned NoEventDispatchAssertion::s_count = 0;
-unsigned NoEventDispatchAssertion::DisableAssertionsInScope::s_existingCount = 0;
 NoEventDispatchAssertion::EventAllowedScope* NoEventDispatchAssertion::EventAllowedScope::s_currentScope = nullptr;
 #endif
@@ -144 +143 @@
         return false;
 
-    WidgetHierarchyUpdatesSuspensionScope suspendWidgetHierarchyUpdates;
-    NoEventDispatchAssertion::InMainThread assertNoEventDispatch;
-
-    document().nodeWillBeRemoved(childToRemove);
-
-    ASSERT_WITH_SECURITY_IMPLICATION(childToRemove.parentNode() == this);
-    ASSERT(!childToRemove.isDocumentFragment());
-
-    RefPtr<Node> previousSibling = childToRemove.previousSibling();
-    RefPtr<Node> nextSibling = childToRemove.nextSibling();
-    removeBetween(previousSibling.get(), nextSibling.get(), childToRemove);
-    notifyChildNodeRemoved(*this, childToRemove);
-
     ChildChange change;
-    change.type = is<Element>(childToRemove) ? ElementRemoved : (is<Text>(childToRemove) ? TextRemoved : NonContentsChildRemoved);
-    change.previousSiblingElement = (!previousSibling || is<Element>(*previousSibling)) ? downcast<Element>(previousSibling.get()) : ElementTraversal::previousSibling(*previousSibling);
-    change.nextSiblingElement = (!nextSibling || is<Element>(*nextSibling)) ? downcast<Element>(nextSibling.get()) : ElementTraversal::nextSibling(*nextSibling);
-    change.source = source;
+    {
+        WidgetHierarchyUpdatesSuspensionScope suspendWidgetHierarchyUpdates;
+        NoEventDispatchAssertion::InMainThread assertNoEventDispatch;
+
+        document().nodeWillBeRemoved(childToRemove);
+
+        ASSERT_WITH_SECURITY_IMPLICATION(childToRemove.parentNode() == this);
+        ASSERT(!childToRemove.isDocumentFragment());
+
+        RefPtr<Node> previousSibling = childToRemove.previousSibling();
+        RefPtr<Node> nextSibling = childToRemove.nextSibling();
+        removeBetween(previousSibling.get(), nextSibling.get(), childToRemove);
+        notifyChildNodeRemoved(*this, childToRemove);
+
+        change.type = is<Element>(childToRemove) ? ElementRemoved : (is<Text>(childToRemove) ? TextRemoved : NonContentsChildRemoved);
+        change.previousSiblingElement = (!previousSibling || is<Element>(*previousSibling)) ? downcast<Element>(previousSibling.get()) : ElementTraversal::previousSibling(*previousSibling);
+        change.nextSiblingElement = (!nextSibling || is<Element>(*nextSibling)) ? downcast<Element>(nextSibling.get()) : ElementTraversal::nextSibling(*nextSibling);
+        change.source = source;
+    }
+
+    // FIXME: Move childrenChanged into NoEventDispatchAssertion block.
     childrenChanged(change);
 

trunk/Source/WebCore/dom/Document.cpp

@@ -1924 +1924 @@
 bool Document::updateStyleIfNeeded()
 {
+    RefPtr<FrameView> frameView = view();
     {
         NoEventDispatchAssertion::InMainThread noEventDispatchAssertion;
         ASSERT(isMainThread());
-        ASSERT(!view() || !view()->isPainting());
-
-        if (!view() || view()->layoutContext().isInRenderTreeLayout())
+        ASSERT(!frameView || !frameView->isPainting());
+
+        if (!frameView || frameView->layoutContext().isInRenderTreeLayout())
             return false;
 
@@ -1938 +1939 @@
     }
 
+    // The early exit for needsStyleRecalc() is needed when updateWidgetPositions() is called in runOrScheduleAsynchronousTasks().
+    ASSERT(NoEventDispatchAssertion::InMainThread::isEventAllowed() || (frameView && frameView->isInChildFrameWithFrameFlattening()));
+
     resolveStyle();
     return true;
@@ -1944 +1948 @@
 void Document::updateLayout()
 {
+    ASSERT(isMainThread());
     ASSERT(LayoutDisallowedScope::isLayoutAllowed());
-    ASSERT(isMainThread());
 
     RefPtr<FrameView> frameView = view();
@@ -1953 +1957 @@
         return;
     }
+    ASSERT(NoEventDispatchAssertion::InMainThread::isEventAllowed() || (frameView && frameView->isInChildFrameWithFrameFlattening()));
+
 
     RenderView::RepaintRegionAccumulator repaintRegionAccumulator(renderView());

trunk/Source/WebCore/dom/NoEventDispatchAssertion.h

@@ -139 +139 @@
 
 #if !ASSERT_DISABLED
+    // FIXME: Remove this class once the sync layout inside SVGImage::draw is removed.
     class DisableAssertionsInScope {
     public:
         DisableAssertionsInScope()
         {
-            if (!isMainThread())
-                return;
-            s_existingCount = s_count;
-            s_count = 0;
+            ASSERT(isMainThread());
+            std::swap(s_count, m_originalCount);
         }
 
         ~DisableAssertionsInScope()
         {
-            s_count = s_existingCount;
-            s_existingCount = 0;
+            s_count = m_originalCount;
         }
     private:
-        WEBCORE_EXPORT static unsigned s_existingCount;
+        unsigned m_originalCount { 0 };
     };
 #else

trunk/Source/WebCore/svg/SVGSVGElement.cpp

@@ -324 +324 @@
 }
 
-Ref<NodeList> SVGSVGElement::collectIntersectionOrEnclosureList(SVGRect& rect, SVGElement* referenceElement, bool (*checkFunction)(RefPtr<SVGElement>&&, SVGRect&))
+Ref<NodeList> SVGSVGElement::collectIntersectionOrEnclosureList(SVGRect& rect, SVGElement* referenceElement, bool (*checkFunction)(SVGElement&, SVGRect&))
 {
     Vector<Ref<Element>> elements;
     for (auto& element : descendantsOfType<SVGElement>(referenceElement ? *referenceElement : *this)) {
-        if (checkFunction(&element, rect))
+        if (checkFunction(element, rect))
             elements.append(element);
     }
@@ -334 +334 @@
 }
 
+static bool checkIntersectionWithoutUpdatingLayout(SVGElement& element, SVGRect& rect)
+{
+    return RenderSVGModelObject::checkIntersection(element.renderer(), rect.propertyReference());
+}
+    
+static bool checkEnclosureWithoutUpdatingLayout(SVGElement& element, SVGRect& rect)
+{
+    return RenderSVGModelObject::checkEnclosure(element.renderer(), rect.propertyReference());
+}
+
 Ref<NodeList> SVGSVGElement::getIntersectionList(SVGRect& rect, SVGElement* referenceElement)
 {
     document().updateLayoutIgnorePendingStylesheets();
-    return collectIntersectionOrEnclosureList(rect, referenceElement, checkIntersection);
+    return collectIntersectionOrEnclosureList(rect, referenceElement, checkIntersectionWithoutUpdatingLayout);
 }
 
@@ -343 +353 @@
 {
     document().updateLayoutIgnorePendingStylesheets();
-    return collectIntersectionOrEnclosureList(rect, referenceElement, checkEnclosure);
+    return collectIntersectionOrEnclosureList(rect, referenceElement, checkEnclosureWithoutUpdatingLayout);
 }
 
@@ -351 +361 @@
         return false;
     element->document().updateLayoutIgnorePendingStylesheets();
-    return RenderSVGModelObject::checkIntersection(element->renderer(), rect.propertyReference());
+    return checkIntersectionWithoutUpdatingLayout(*element, rect);
 }
 
@@ -359 +369 @@
         return false;
     element->document().updateLayoutIgnorePendingStylesheets();
-    return RenderSVGModelObject::checkEnclosure(element->renderer(), rect.propertyReference());
+    return checkEnclosureWithoutUpdatingLayout(*element, rect);
 }
 

trunk/Source/WebCore/svg/SVGSVGElement.h

@@ -154 +154 @@
     Frame* frameForCurrentScale() const;
     void inheritViewAttributes(const SVGViewElement&);
-    Ref<NodeList> collectIntersectionOrEnclosureList(SVGRect&, SVGElement*, bool (*checkFunction)(RefPtr<SVGElement>&&, SVGRect&));
+    Ref<NodeList> collectIntersectionOrEnclosureList(SVGRect&, SVGElement*, bool (*checkFunction)(SVGElement&, SVGRect&));
 
     bool m_useCurrentView { false };

trunk/Source/WebCore/svg/graphics/SVGImage.cpp

@@ -44 +44 @@
 #include "LibWebRTCProvider.h"
 #include "MainFrame.h"
+#include "NoEventDispatchAssertion.h"
 #include "Page.h"
 #include "PageConfiguration.h"
@@ -311 +312 @@
     view->resize(containerSize());
 
-    if (view->needsLayout())
-        view->layoutContext().layout();
+    {
+        NoEventDispatchAssertion::DisableAssertionsInScope disabledScope;
+        if (view->needsLayout())
+            view->layoutContext().layout();
+    }
 
     view->paint(context, intersection(context.clipBounds(), enclosingIntRect(srcRect)));