Changeset 249497 in webkit

Timestamp:

Sep 4, 2019 1:42:08 PM (5 years ago)

Author:

Alan Bujtas

Message:

[LFC] Assert on FormattingContext escaping
​https://bugs.webkit.org/show_bug.cgi?id=201464
<rdar://problem/55029574>

Reviewed by Antti Koivisto.

This patch asserts on accidental formatting context escaping. This is only a correctness issue at the moment,
since we don't support multithreaded subtree layout yet.
Normally we should not need to access display boxes in different formatting contexts during layout, but there are a few, justified cases when it is required.

• layout/FormattingContext.cpp:

(WebCore::Layout::FormattingContext::displayBoxForLayoutBox const):

• layout/FormattingContext.h:

(WebCore::Layout::FormattingContext::displayBoxForLayoutBox const): Deleted.

• layout/FormattingContextGeometry.cpp:

(WebCore::Layout::FormattingContext::Geometry::contentHeightForFormattingContextRoot const):
(WebCore::Layout::FormattingContext::Geometry::staticVerticalPositionForOutOfFlowPositioned const):
(WebCore::Layout::FormattingContext::Geometry::staticHorizontalPositionForOutOfFlowPositioned const):

• layout/FormattingContextQuirks.cpp:

(WebCore::Layout::FormattingContext::Quirks::heightValueOfNearestContainingBlockWithFixedHeight):

• layout/floats/FloatingContext.cpp:

(WebCore::Layout::FloatingContext::absoluteDisplayBoxCoordinates const):
(WebCore::Layout::FloatingContext::mapToFloatingStateRoot const):
(WebCore::Layout::FloatingContext::mapTopToFloatingStateRoot const):
(WebCore::Layout::FloatingContext::mapPointFromFormattingContextRootToFloatingStateRoot const):

• page/FrameViewLayoutContext.cpp:

(WebCore::layoutUsingFormattingContext):

Location:

trunk/Source/WebCore

Files:

• ChangeLog (modified) (1 diff)
• layout/FormattingContext.cpp (modified) (1 diff)
• layout/FormattingContext.h (modified) (1 diff)
• layout/FormattingContextGeometry.cpp (modified) (6 diffs)
• layout/FormattingContextQuirks.cpp (modified) (2 diffs)
• layout/floats/FloatingContext.cpp (modified) (4 diffs)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2019-09-04  Zalan Bujtas  <zalan@apple.com>
+
+        [LFC] Assert on FormattingContext escaping
+        https://bugs.webkit.org/show_bug.cgi?id=201464
+        <rdar://problem/55029574>
+
+        Reviewed by Antti Koivisto.
+
+        This patch asserts on accidental formatting context escaping. This is only a correctness issue at the moment,
+        since we don't support multithreaded subtree layout yet.
+        Normally we should not need to access display boxes in different formatting contexts during layout, but there are a few, justified cases when it is required.
+
+        * layout/FormattingContext.cpp:
+        (WebCore::Layout::FormattingContext::displayBoxForLayoutBox const):
+        * layout/FormattingContext.h:
+        (WebCore::Layout::FormattingContext::displayBoxForLayoutBox const): Deleted.
+        * layout/FormattingContextGeometry.cpp:
+        (WebCore::Layout::FormattingContext::Geometry::contentHeightForFormattingContextRoot const):
+        (WebCore::Layout::FormattingContext::Geometry::staticVerticalPositionForOutOfFlowPositioned const):
+        (WebCore::Layout::FormattingContext::Geometry::staticHorizontalPositionForOutOfFlowPositioned const):
+        * layout/FormattingContextQuirks.cpp:
+        (WebCore::Layout::FormattingContext::Quirks::heightValueOfNearestContainingBlockWithFixedHeight):
+        * layout/floats/FloatingContext.cpp:
+        (WebCore::Layout::FloatingContext::absoluteDisplayBoxCoordinates const):
+        (WebCore::Layout::FloatingContext::mapToFloatingStateRoot const):
+        (WebCore::Layout::FloatingContext::mapTopToFloatingStateRoot const):
+        (WebCore::Layout::FloatingContext::mapPointFromFormattingContextRootToFloatingStateRoot const):
+        * page/FrameViewLayoutContext.cpp:
+        (WebCore::layoutUsingFormattingContext):
+
 2019-09-04  Zalan Bujtas  <zalan@apple.com>
 

trunk/Source/WebCore/layout/FormattingContext.cpp

@@ -184 +184 @@
 }
 
+Display::Box& FormattingContext::displayBoxForLayoutBox(const Box& layoutBox, Optional<EscapeType> escapeType) const
+{
+    UNUSED_PARAM(escapeType);
+
+#ifndef NDEBUG
+    auto isOkToAccessDisplayBox = [&] {
+        // 1. Highly common case of accessing the formatting root's display box itself. This is formatting context escaping in the strict sense, since
+        // the formatting context root box lives in the parent formatting context.
+        // This happens e.g. when a block level box box needs to stretch horizontally and checks its containing block for horizontal space (this should probably be limited to reading horizontal constraint values).
+        if (&layoutBox == &root())
+            return true;
+
+        // 2. Special case when accessing the ICB's display box
+        if (layoutBox.isInitialContainingBlock()) {
+            // There has to be a valid reason to access the ICB.
+            if (!escapeType)
+                return false;
+            return *escapeType == EscapeType::AccessParentFormattingContext || *escapeType == EscapeType::AccessAncestorFormattingContext;
+        }
+
+        // 3. Most common case of accessing box/containing block display box within the same formatting context tree.
+        if (&layoutBox.formattingContextRoot() == &root())
+            return true;
+
+        if (!escapeType)
+            return false;
+
+        // 4. Accessing child formatting context subtree is relatively rare. It happens when e.g a shrink to fit (out-of-flow block level) box checks the content width.
+        // Checking the content width means to get display boxes from the established formatting context (we try to access display boxes in a child formatting context)
+        if (*escapeType == EscapeType::AccessChildFormattingContext && &layoutBox.formattingContextRoot().formattingContextRoot() == &root())
+            return true;
+
+        // 5. Float box top/left values are mapped relative to the FloatState's root. Inline formatting contexts(A) inherit floats from parent
+        // block formatting contexts(B). Floats in these inline formatting contexts(A) need to be mapped to the parent, block formatting context(B).
+        if (*escapeType == EscapeType::AccessParentFormattingContext && &layoutBox.formattingContextRoot() == &root().formattingContextRoot())
+            return true;
+
+        // 6. Finding the first containing block with fixed height quirk. See Quirks::heightValueOfNearestContainingBlockWithFixedHeight
+        if (*escapeType == EscapeType::AccessAncestorFormattingContext) {
+            auto& targetFormattingRoot = layoutBox.formattingContextRoot();
+            auto* ancestorFormattingContextRoot = &root().formattingContextRoot();
+            while (true) {
+                if (&targetFormattingRoot == ancestorFormattingContextRoot)
+                    return true;
+                if (ancestorFormattingContextRoot->isInitialContainingBlock())
+                    return false;
+                ancestorFormattingContextRoot = &ancestorFormattingContextRoot->formattingContextRoot();
+            }
+
+        }
+        return false;
+    };
+#endif
+    ASSERT(isOkToAccessDisplayBox());
+    return layoutState().displayBoxForLayoutBox(layoutBox);
+}
+
 #ifndef NDEBUG
 void FormattingContext::validateGeometryConstraintsAfterLayout() const

trunk/Source/WebCore/layout/FormattingContext.h

@@ -70 +70 @@
     bool isTableFormattingContext() const { return root().establishesTableFormattingContext(); }
 
-    Display::Box& displayBoxForLayoutBox(const Box& layoutBox) const { return layoutState().displayBoxForLayoutBox(layoutBox); }
+    enum class EscapeType {
+        AccessChildFormattingContext,
+        AccessParentFormattingContext,
+        AccessAncestorFormattingContext
+    };
+    Display::Box& displayBoxForLayoutBox(const Box&, Optional<EscapeType> = WTF::nullopt) const;
     bool hasDisplayBox(const Box& layoutBox) const { return layoutState().hasDisplayBox(layoutBox); }
 

trunk/Source/WebCore/layout/FormattingContextGeometry.cpp

@@ -121 +121 @@
     } else if (formattingRootContainer.establishesBlockFormattingContext() || layoutBox.isDocumentBox()) {
         if (formattingRootContainer.hasInFlowChild()) {
-            auto& firstDisplayBox = formattingContext.displayBoxForLayoutBox(*formattingRootContainer.firstInFlowChild());
-            auto& lastDisplayBox = formattingContext.displayBoxForLayoutBox(*formattingRootContainer.lastInFlowChild());
+            auto& firstDisplayBox = formattingContext.displayBoxForLayoutBox(*formattingRootContainer.firstInFlowChild(), EscapeType::AccessChildFormattingContext);
+            auto& lastDisplayBox = formattingContext.displayBoxForLayoutBox(*formattingRootContainer.lastInFlowChild(), EscapeType::AccessChildFormattingContext);
             top = firstDisplayBox.rectWithMargin().top();
             bottom = lastDisplayBox.rectWithMargin().bottom();
@@ -206 +206 @@
     if (auto* previousInFlowSibling = layoutBox.previousInFlowSibling()) {
         // Add sibling offset
-        auto& previousInFlowDisplayBox = formattingContext.displayBoxForLayoutBox(*previousInFlowSibling);
+        auto& previousInFlowDisplayBox = formattingContext.displayBoxForLayoutBox(*previousInFlowSibling, FormattingContext::EscapeType::AccessChildFormattingContext);
         top += previousInFlowDisplayBox.bottom() + previousInFlowDisplayBox.nonCollapsedMarginAfter();
     } else {
         ASSERT(layoutBox.parent());
-        top = formattingContext.displayBoxForLayoutBox(*layoutBox.parent()).contentBoxTop();
+        top = formattingContext.displayBoxForLayoutBox(*layoutBox.parent(), FormattingContext::EscapeType::AccessChildFormattingContext).contentBoxTop();
     }
 
@@ -217 +217 @@
     // Start with the parent since we pretend that this box is normal flow.
     for (auto* container = layoutBox.parent(); container != &containingBlock; container = container->containingBlock()) {
-        auto& displayBox = formattingContext.displayBoxForLayoutBox(*container);
+        auto& displayBox = formattingContext.displayBoxForLayoutBox(*container, FormattingContext::EscapeType::AccessChildFormattingContext);
         // Display::Box::top is the border box top position in its containing block's coordinate system.
         top += displayBox.top();
@@ -235 +235 @@
     auto& formattingContext = this->formattingContext();
     ASSERT(layoutBox.parent());
-    auto left = formattingContext.displayBoxForLayoutBox(*layoutBox.parent()).contentBoxLeft();
+    auto left = formattingContext.displayBoxForLayoutBox(*layoutBox.parent(), FormattingContext::EscapeType::AccessChildFormattingContext).contentBoxLeft();
 
     // Resolve left all the way up to the containing block.
@@ -241 +241 @@
     // Start with the parent since we pretend that this box is normal flow.
     for (auto* container = layoutBox.parent(); container != &containingBlock; container = container->containingBlock()) {
-        auto& displayBox = formattingContext.displayBoxForLayoutBox(*container);
+        auto& displayBox = formattingContext.displayBoxForLayoutBox(*container, FormattingContext::EscapeType::AccessChildFormattingContext);
         // Display::Box::left is the border box left position in its containing block's coordinate system.
         left += displayBox.left();
@@ -247 +247 @@
     }
     // Move the static position relative to the padding box. This is very specific to abolutely positioned boxes.
-    auto paddingBoxLeft = formattingContext.displayBoxForLayoutBox(containingBlock).paddingBoxLeft();
+    auto paddingBoxLeft = formattingContext.displayBoxForLayoutBox(containingBlock, FormattingContext::EscapeType::AccessChildFormattingContext).paddingBoxLeft();
     return left - paddingBoxLeft;
 }

trunk/Source/WebCore/layout/FormattingContextQuirks.cpp

@@ -51 +51 @@
         // -and it's totally insane because now we freely travel across formatting context boundaries and computed margins are nonexistent.
         if (containingBlock->isBodyBox() || containingBlock->isDocumentBox()) {
-            auto& displayBox = formattingContext.displayBoxForLayoutBox(*containingBlock);
+            auto& displayBox = formattingContext.displayBoxForLayoutBox(*containingBlock, FormattingContext::EscapeType::AccessAncestorFormattingContext);
 
-            auto usedValues = UsedHorizontalValues { formattingContext.displayBoxForLayoutBox(*containingBlock->containingBlock()).contentBoxWidth() };
+            auto usedValues = UsedHorizontalValues { formattingContext.displayBoxForLayoutBox(*containingBlock->containingBlock(), FormattingContext::EscapeType::AccessAncestorFormattingContext).contentBoxWidth() };
             auto verticalMargin = formattingContext.geometry().computedVerticalMargin(*containingBlock, usedValues);
             auto verticalPadding = displayBox.paddingTop().valueOr(0) + displayBox.paddingBottom().valueOr(0);
@@ -63 +63 @@
     }
     // Initial containing block has to have a height.
-    return formattingContext.displayBoxForLayoutBox(layoutBox.initialContainingBlock()).contentBox().height() - bodyAndDocumentVerticalMarginPaddingAndBorder;
+    return formattingContext.displayBoxForLayoutBox(layoutBox.initialContainingBlock(), FormattingContext::EscapeType::AccessAncestorFormattingContext).contentBox().height() - bodyAndDocumentVerticalMarginPaddingAndBorder;
 }
 

trunk/Source/WebCore/layout/floats/FloatingContext.cpp

@@ -426 +426 @@
 
     if (&containingBlock == &floatingState().root()) {
-        auto containingBlockDisplayBox = formattingContext().displayBoxForLayoutBox(containingBlock);
+        auto containingBlockDisplayBox = formattingContext().displayBoxForLayoutBox(containingBlock, FormattingContext::EscapeType::AccessParentFormattingContext);
         return { displayBox, { }, {  containingBlockDisplayBox.contentBoxLeft(), containingBlockDisplayBox.contentBoxRight() } };
     }
@@ -437 +437 @@
 {
     auto& floatingStateRoot = floatingState().root();
-    auto& displayBox = formattingContext().displayBoxForLayoutBox(floatBox);
+    auto& displayBox = formattingContext().displayBoxForLayoutBox(floatBox, FormattingContext::EscapeType::AccessParentFormattingContext);
     auto topLeft = displayBox.topLeft();
     for (auto* containingBlock = floatBox.containingBlock(); containingBlock && containingBlock != &floatingStateRoot; containingBlock = containingBlock->containingBlock())
-        topLeft.moveBy(formattingContext().displayBoxForLayoutBox(*containingBlock).topLeft());
+        topLeft.moveBy(formattingContext().displayBoxForLayoutBox(*containingBlock, FormattingContext::EscapeType::AccessParentFormattingContext).topLeft());
 
     auto mappedDisplayBox = Display::Box(displayBox);
@@ -450 +450 @@
 {
     auto& floatingStateRoot = floatingState().root();
-    auto top = formattingContext().displayBoxForLayoutBox(floatBox).top();
+    auto top = formattingContext().displayBoxForLayoutBox(floatBox, FormattingContext::EscapeType::AccessParentFormattingContext).top();
     for (auto* container = floatBox.containingBlock(); container && container != &floatingStateRoot; container = container->containingBlock())
-        top += formattingContext().displayBoxForLayoutBox(*container).top();
+        top += formattingContext().displayBoxForLayoutBox(*container, FormattingContext::EscapeType::AccessParentFormattingContext).top();
     return top;
 }
@@ -464 +464 @@
     auto mappedPosition = position;
     for (auto* container = &from; container && container != &to; container = container->containingBlock())
-        mappedPosition.moveBy(formattingContext().displayBoxForLayoutBox(*container).topLeft());
+        mappedPosition.moveBy(formattingContext().displayBoxForLayoutBox(*container, FormattingContext::EscapeType::AccessParentFormattingContext).topLeft());
     return mappedPosition;
 }