Changeset 65681 in webkit

Timestamp:

Aug 19, 2010 10:19:40 AM (14 years ago)

Author:

Simon Fraser

Message:

2010-08-19 Simon Fraser <Simon Fraser>

Reviewed by Nikolas Zimmermann.

HTMLElement::isContentEditable() can cause an updateStyleIfNeeded() to happen in the middle of layout
​https://bugs.webkit.org/show_bug.cgi?id=21834
<rdar://problem/8093653&8261394>

If we're in the middle of layout, or painting, and something causes updateStyleIfNeeded() to
get called, then we can end up entering recalcStyle() during layout or painting. This is bad
because it can create/destry the renderers and RenderLayers which are in use by layout/painting.
This is the cause of a number of random crashers, some of which show up more frequently
in content which uses accelerated compositing.

The changes here:

1. Add an assertion in Document::updateStyleIfNeeded() that we are not laying out or painting.
2. Remove calls to updateStyleIfNeeded() in editing and caret painting code
3. Pass along information to CTM and BBox-related SVG methods to indicate whether it's safe to update style.

Tested by new assertions and existing tests.

• dom/Document.cpp: (WebCore::Document::updateStyleIfNeeded): New assertion that we are not mid-layout or painting. (WebCore::command): Call updateStyleIfNeeded() to ensure that subsequent calls to isContentEditable() return the correct result.

• dom/Element.cpp: (WebCore::Element::focus): Move the supportsFocus() call to after style has been updated.

• editing/SelectionController.cpp: (WebCore::SelectionController::localCaretRect): (WebCore::SelectionController::caretRepaintRect): (WebCore::SelectionController::paintCaret):
• editing/SelectionController.h: (WebCore::SelectionController::localCaretRectForPainting): When painting, use localCaretRectForPainting() which does not update style. Make localCaretRect() non-const so allowing it to update style without ugly casts.

• html/HTMLElement.cpp: (WebCore::HTMLElement::isContentEditable): Don't call updateStyleIfNeeded() here. (WebCore::HTMLElement::isContentRichlyEditable): Ditto. (WebCore::HTMLElement::contentEditable): Ditto.

• page/FrameView.h: (WebCore::FrameView::isMidLayout): New accessor, used for asserting.

• rendering/RenderPath.cpp: (WebCore::fillAndStrokePath): Pass DisallowStyleUpdate to getScreenCTM since we are painting.
• rendering/RenderSVGResourceContainer.cpp: (WebCore::RenderSVGResourceContainer::transformOnNonScalingStroke): This is only called when painting, so use DisallowStyleUpdate.

• svg/SVGElement.cpp: (WebCore::SVGElement::attributeChanged): Changes to the style attribute should not have side effects, since a call to Element::getAttribute() is allowed to result in a call to setAttribute() for the style attribute. To avoid updateStyleIfNeeded() during painting, this must not cause SVG to do extra work.

• svg/SVGLocatable.cpp: Pass StyleUpdateStrategy down to these methods to indicate whether it's OK to update style. (WebCore::SVGLocatable::getBBox): (WebCore::SVGLocatable::computeCTM): (WebCore::SVGLocatable::getTransformToElement):
• svg/SVGLocatable.h: (WebCore::SVGLocatable::):
• svg/SVGStyledLocatableElement.cpp: (WebCore::SVGStyledLocatableElement::getBBox): (WebCore::SVGStyledLocatableElement::getCTM): (WebCore::SVGStyledLocatableElement::getScreenCTM):
• svg/SVGStyledLocatableElement.h:
• svg/SVGStyledTransformableElement.cpp: (WebCore::SVGStyledTransformableElement::getCTM): (WebCore::SVGStyledTransformableElement::getScreenCTM): (WebCore::SVGStyledTransformableElement::getBBox):
• svg/SVGStyledTransformableElement.h:
• svg/SVGTextElement.cpp: (WebCore::SVGTextElement::getBBox): (WebCore::SVGTextElement::getCTM): (WebCore::SVGTextElement::getScreenCTM):
• svg/SVGTextElement.h:

Location:

trunk/WebCore

Files:

• ChangeLog (modified) (1 diff)
• dom/Document.cpp (modified) (2 diffs)
• dom/Element.cpp (modified) (2 diffs)
• editing/SelectionController.cpp (modified) (3 diffs)
• editing/SelectionController.h (modified) (1 diff)
• html/HTMLElement.cpp (modified) (3 diffs)
• page/FrameView.cpp (modified) (3 diffs)
• page/FrameView.h (modified) (2 diffs)
• rendering/RenderPath.cpp (modified) (1 diff)
• rendering/RenderSVGResourceContainer.cpp (modified) (1 diff)
• svg/SVGElement.cpp (modified) (1 diff)
• svg/SVGLocatable.cpp (modified) (3 diffs)
• svg/SVGLocatable.h (modified) (2 diffs)
• svg/SVGStyledLocatableElement.cpp (modified) (1 diff)
• svg/SVGStyledLocatableElement.h (modified) (1 diff)
• svg/SVGStyledTransformableElement.cpp (modified) (2 diffs)
• svg/SVGStyledTransformableElement.h (modified) (2 diffs)
• svg/SVGTextElement.cpp (modified) (1 diff)
• svg/SVGTextElement.h (modified) (1 diff)

trunk/WebCore/ChangeLog

@@ +1 @@
+2010-08-19  Simon Fraser  <simon.fraser@apple.com>
+
+        Reviewed by Nikolas Zimmermann.
+
+        HTMLElement::isContentEditable() can cause an updateStyleIfNeeded() to happen in the middle of layout
+        https://bugs.webkit.org/show_bug.cgi?id=21834
+        <rdar://problem/8093653&8261394>
+        
+        If we're in the middle of layout, or painting, and something causes updateStyleIfNeeded() to
+        get called, then we can end up entering recalcStyle() during layout or painting. This is bad
+        because it can create/destry the renderers and RenderLayers which are in use by layout/painting.
+        This is the cause of a number of random crashers, some of which show up more frequently
+        in content which uses accelerated compositing.
+        
+        The changes here:
+        1. Add an assertion in Document::updateStyleIfNeeded() that we are not laying out or painting.
+        2. Remove calls to updateStyleIfNeeded() in editing and caret painting code
+        3. Pass along information to CTM and BBox-related SVG methods to indicate whether it's safe
+           to update style.
+
+        Tested by new assertions and existing tests.
+
+        * dom/Document.cpp:
+        (WebCore::Document::updateStyleIfNeeded): New assertion that we are not mid-layout or painting.
+        (WebCore::command): Call updateStyleIfNeeded() to ensure that subsequent calls to isContentEditable()
+        return the correct result.
+
+        * dom/Element.cpp:
+        (WebCore::Element::focus): Move the supportsFocus() call to after style has been updated.
+
+        * editing/SelectionController.cpp:
+        (WebCore::SelectionController::localCaretRect):
+        (WebCore::SelectionController::caretRepaintRect):
+        (WebCore::SelectionController::paintCaret):
+        * editing/SelectionController.h:
+        (WebCore::SelectionController::localCaretRectForPainting): When painting, use localCaretRectForPainting()
+        which does not update style. Make localCaretRect() non-const so allowing it to update style without ugly casts.
+
+        * html/HTMLElement.cpp:
+        (WebCore::HTMLElement::isContentEditable): Don't call updateStyleIfNeeded() here.
+        (WebCore::HTMLElement::isContentRichlyEditable): Ditto.
+        (WebCore::HTMLElement::contentEditable): Ditto.
+
+        * page/FrameView.h:
+        (WebCore::FrameView::isMidLayout): New accessor, used for asserting.
+
+        * rendering/RenderPath.cpp:
+        (WebCore::fillAndStrokePath): Pass DisallowStyleUpdate to getScreenCTM since we are painting.
+        * rendering/RenderSVGResourceContainer.cpp:
+        (WebCore::RenderSVGResourceContainer::transformOnNonScalingStroke): This is only called when
+        painting, so use DisallowStyleUpdate.
+
+        * svg/SVGElement.cpp:
+        (WebCore::SVGElement::attributeChanged): Changes to the style attribute should not have
+        side effects, since a call to Element::getAttribute() is allowed to result in a call to
+        setAttribute() for the style attribute. To avoid updateStyleIfNeeded() during painting,
+        this must not cause SVG to do extra work.
+
+        * svg/SVGLocatable.cpp: Pass StyleUpdateStrategy down to these methods to indicate
+        whether it's OK to update style.
+        (WebCore::SVGLocatable::getBBox):
+        (WebCore::SVGLocatable::computeCTM):
+        (WebCore::SVGLocatable::getTransformToElement):
+        * svg/SVGLocatable.h:
+        (WebCore::SVGLocatable::):
+        * svg/SVGStyledLocatableElement.cpp:
+        (WebCore::SVGStyledLocatableElement::getBBox):
+        (WebCore::SVGStyledLocatableElement::getCTM):
+        (WebCore::SVGStyledLocatableElement::getScreenCTM):
+        * svg/SVGStyledLocatableElement.h:
+        * svg/SVGStyledTransformableElement.cpp:
+        (WebCore::SVGStyledTransformableElement::getCTM):
+        (WebCore::SVGStyledTransformableElement::getScreenCTM):
+        (WebCore::SVGStyledTransformableElement::getBBox):
+        * svg/SVGStyledTransformableElement.h:
+        * svg/SVGTextElement.cpp:
+        (WebCore::SVGTextElement::getBBox):
+        (WebCore::SVGTextElement::getCTM):
+        (WebCore::SVGTextElement::getScreenCTM):
+        * svg/SVGTextElement.h:
+
 2010-08-19  Ryosuke Niwa  <rniwa@webkit.org>
 

trunk/WebCore/dom/Document.cpp

@@ -1477 +1477 @@
 void Document::updateStyleIfNeeded()
 {
+    ASSERT(!view() || (!view()->isInLayout() && !view()->isPainting()));
+    
     if (!childNeedsStyleRecalc() || inPageCache())
         return;
@@ -3764 +3766 @@
     if (!frame || frame->document() != document)
         return Editor::Command();
+
+    document->updateStyleIfNeeded();
+
     return frame->editor()->command(commandName,
         userInterface ? CommandFromDOMWithUserInterface : CommandFromDOM);

trunk/WebCore/dom/Element.cpp

@@ -1294 +1294 @@
         return;
 
-    if (!supportsFocus())
-        return;
-
     // If the stylesheets have already been loaded we can reliably check isFocusable.
     // If not, we continue and set the focused node on the focus controller below so
@@ -1305 +1302 @@
             return;
     }
+
+    if (!supportsFocus())
+        return;
 
     RefPtr<Node> protect;

trunk/WebCore/editing/SelectionController.cpp

@@ -953 +953 @@
 }
 
-IntRect SelectionController::localCaretRect() const
+IntRect SelectionController::localCaretRect()
 {
     if (m_needsLayout)
-        const_cast<SelectionController*>(this)->layout();
+        layout();
     
     return m_caretRect;
@@ -988 +988 @@
 IntRect SelectionController::caretRepaintRect() const
 {
-    return absoluteBoundsForLocalRect(repaintRectForCaret(localCaretRect()));
+    return absoluteBoundsForLocalRect(repaintRectForCaret(localCaretRectForPainting()));
 }
 
@@ -1080 +1080 @@
         return;
 
-    IntRect drawingRect = localCaretRect();
+    IntRect drawingRect = localCaretRectForPainting();
     drawingRect.move(tx, ty);
     IntRect caret = intersection(drawingRect, clipRect);

trunk/WebCore/editing/SelectionController.h

@@ -101 +101 @@
 
     // Caret rect local to the caret's renderer
-    IntRect localCaretRect() const;
+    IntRect localCaretRect();
+    IntRect localCaretRectForPainting() const { return m_caretRect; }
+
     // Bounds of (possibly transformed) caret in absolute coords
     IntRect absoluteCaretBounds();

trunk/WebCore/html/HTMLElement.cpp

@@ -667 +667 @@
         return true;
 
-    // FIXME: this is a terrible thing to do here:
-    // https://bugs.webkit.org/show_bug.cgi?id=21834
-    document()->updateStyleIfNeeded();
+    // Ideally we'd call ASSERT!needsStyleRecalc()) here, but
+    // ContainerNode::setFocus() calls setNeedsStyleRecalc(), so the assertion
+    // would fire in the middle of Document::setFocusedNode().
 
     if (!renderer()) {
@@ -686 +686 @@
         return true;
 
-    document()->updateStyleIfNeeded();
-
     if (!renderer()) {
         if (parentNode())
@@ -700 +698 @@
 String HTMLElement::contentEditable() const 
 {
-    document()->updateStyleIfNeeded();
-
     if (!renderer())
         return "false";

trunk/WebCore/page/FrameView.cpp

@@ -204 +204 @@
     m_doFullRepaint = true;
     m_layoutSchedulingEnabled = true;
-    m_midLayout = false;
+    m_inLayout = false;
     m_layoutCount = 0;
     m_nestedLayoutCount = 0;
@@ -601 +601 @@
 void FrameView::layout(bool allowSubtree)
 {
-    if (m_midLayout)
+    if (m_inLayout)
         return;
 
@@ -773 +773 @@
     }
         
-    m_midLayout = true;
+    m_inLayout = true;
     beginDeferredRepaints();
     root->layout();
     endDeferredRepaints();
-    m_midLayout = false;
+    m_inLayout = false;
 
     if (subtree) {

trunk/WebCore/page/FrameView.h

@@ -89 +89 @@
     void unscheduleRelayout();
     bool layoutPending() const;
+    bool isInLayout() const { return m_inLayout; }
 
     RenderObject* layoutRoot(bool onlyDuringLayout = false) const;
@@ -318 +319 @@
     
     bool m_layoutSchedulingEnabled;
-    bool m_midLayout;
+    bool m_inLayout;
     int m_layoutCount;
     unsigned m_nestedLayoutCount;

trunk/WebCore/rendering/RenderPath.cpp

@@ -142 +142 @@
         if (style->svgStyle()->vectorEffect() == VE_NON_SCALING_STROKE) {
             SVGStyledTransformableElement* element = static_cast<SVGStyledTransformableElement*>(object->node());
-            AffineTransform transform = element->getScreenCTM();
+            AffineTransform transform = element->getScreenCTM(SVGLocatable::DisallowStyleUpdate);
             if (!transform.isInvertible())
                 return;

trunk/WebCore/rendering/RenderSVGResourceContainer.cpp

@@ -185 +185 @@
     SVGStyledTransformableElement* element = static_cast<SVGStyledTransformableElement*>(object->node());
     AffineTransform transform = resourceTransform;
-    transform.multiply(element->getScreenCTM());
+    transform.multiply(element->getScreenCTM(SVGLocatable::DisallowStyleUpdate));
     return transform;
 }

trunk/WebCore/svg/SVGElement.cpp

@@ -313 +313 @@
         return;
 
-    svgAttributeChanged(attr->name());
+    // Changes to the style attribute are processed lazily (see Element::getAttribute() and related methods),
+    // so we don't want changes to the style attribute to result in extra work here.
+    if (attr->name() != styleAttr)
+        svgAttributeChanged(attr->name());
 }
 

trunk/WebCore/svg/SVGLocatable.cpp

@@ -72 +72 @@
 }
 
-FloatRect SVGLocatable::getBBox(const SVGElement* element)
+FloatRect SVGLocatable::getBBox(const SVGElement* element, StyleUpdateStrategy styleUpdateStrategy)
 {
     ASSERT(element);
-    element->document()->updateLayoutIgnorePendingStylesheets();
+    if (styleUpdateStrategy == AllowStyleUpdate)
+        element->document()->updateLayoutIgnorePendingStylesheets();
 
     // FIXME: Eventually we should support getBBox for detached elements.
@@ -84 +85 @@
 }
 
-AffineTransform SVGLocatable::computeCTM(const SVGElement* element, CTMScope mode)
+AffineTransform SVGLocatable::computeCTM(const SVGElement* element, CTMScope mode, StyleUpdateStrategy styleUpdateStrategy)
 {
     ASSERT(element);
-    element->document()->updateLayoutIgnorePendingStylesheets();
+    if (styleUpdateStrategy == AllowStyleUpdate)
+        element->document()->updateLayoutIgnorePendingStylesheets();
 
     AffineTransform ctm;
@@ -109 +111 @@
 }
 
-AffineTransform SVGLocatable::getTransformToElement(SVGElement* target, ExceptionCode& ec) const
+AffineTransform SVGLocatable::getTransformToElement(SVGElement* target, ExceptionCode& ec, StyleUpdateStrategy styleUpdateStrategy) const
 {
-    AffineTransform ctm = getCTM();
+    AffineTransform ctm = getCTM(styleUpdateStrategy);
 
     if (target && target->isStyledLocatable()) {
-        AffineTransform targetCTM = static_cast<SVGStyledLocatableElement*>(target)->getCTM();
+        AffineTransform targetCTM = static_cast<SVGStyledLocatableElement*>(target)->getCTM(styleUpdateStrategy);
         if (!targetCTM.isInvertible()) {
             ec = SVGException::SVG_MATRIX_NOT_INVERTABLE;

trunk/WebCore/svg/SVGLocatable.h

@@ -41 +41 @@
     virtual SVGElement* farthestViewportElement() const = 0;
 
-    virtual FloatRect getBBox() const = 0;
-    virtual AffineTransform getCTM() const = 0;
-    virtual AffineTransform getScreenCTM() const = 0;
-    AffineTransform getTransformToElement(SVGElement*, ExceptionCode&) const;
+    enum StyleUpdateStrategy { AllowStyleUpdate, DisallowStyleUpdate };
+    
+    virtual FloatRect getBBox(StyleUpdateStrategy) const = 0;
+    virtual AffineTransform getCTM(StyleUpdateStrategy) const = 0;
+    virtual AffineTransform getScreenCTM(StyleUpdateStrategy) const = 0;
+    AffineTransform getTransformToElement(SVGElement*, ExceptionCode&, StyleUpdateStrategy = AllowStyleUpdate) const;
 
     static SVGElement* nearestViewportElement(const SVGElement*);
@@ -57 +59 @@
     virtual AffineTransform localCoordinateSpaceTransform(SVGLocatable::CTMScope) const { return AffineTransform(); }
 
-    static FloatRect getBBox(const SVGElement*);
-    static AffineTransform computeCTM(const SVGElement*, CTMScope);
+    static FloatRect getBBox(const SVGElement*, StyleUpdateStrategy);
+    static AffineTransform computeCTM(const SVGElement*, CTMScope, StyleUpdateStrategy);
 };
 

trunk/WebCore/svg/SVGStyledLocatableElement.cpp

@@ -51 +51 @@
 }
 
-FloatRect SVGStyledLocatableElement::getBBox() const
+FloatRect SVGStyledLocatableElement::getBBox(StyleUpdateStrategy styleUpdateStrategy) const
 {
-    return SVGLocatable::getBBox(this);
+    return SVGLocatable::getBBox(this, styleUpdateStrategy);
 }
 
-AffineTransform SVGStyledLocatableElement::getCTM() const
+AffineTransform SVGStyledLocatableElement::getCTM(StyleUpdateStrategy styleUpdateStrategy) const
 {
-    return SVGLocatable::computeCTM(this, SVGLocatable::NearestViewportScope);
+    return SVGLocatable::computeCTM(this, SVGLocatable::NearestViewportScope, styleUpdateStrategy);
 }
 
-AffineTransform SVGStyledLocatableElement::getScreenCTM() const
+AffineTransform SVGStyledLocatableElement::getScreenCTM(StyleUpdateStrategy styleUpdateStrategy) const
 {
-    return SVGLocatable::computeCTM(this, SVGLocatable::ScreenScope);
+    return SVGLocatable::computeCTM(this, SVGLocatable::ScreenScope, styleUpdateStrategy);
 }
 

trunk/WebCore/svg/SVGStyledLocatableElement.h

@@ -41 +41 @@
         virtual SVGElement* farthestViewportElement() const;
 
-        virtual FloatRect getBBox() const;
-        virtual AffineTransform getCTM() const;
-        virtual AffineTransform getScreenCTM() const;
+        virtual FloatRect getBBox(StyleUpdateStrategy = AllowStyleUpdate) const;
+        virtual AffineTransform getCTM(StyleUpdateStrategy = AllowStyleUpdate) const;
+        virtual AffineTransform getScreenCTM(StyleUpdateStrategy = AllowStyleUpdate) const;
 
         virtual AffineTransform localCoordinateSpaceTransform(SVGLocatable::CTMScope mode) const { return SVGLocatable::localCoordinateSpaceTransform(mode); }

trunk/WebCore/svg/SVGStyledTransformableElement.cpp

@@ -44 +44 @@
 }
 
-AffineTransform SVGStyledTransformableElement::getCTM() const
+AffineTransform SVGStyledTransformableElement::getCTM(StyleUpdateStrategy styleUpdateStrategy) const
 {
-    return SVGLocatable::computeCTM(this, SVGLocatable::NearestViewportScope);
+    return SVGLocatable::computeCTM(this, SVGLocatable::NearestViewportScope, styleUpdateStrategy);
 }
 
-AffineTransform SVGStyledTransformableElement::getScreenCTM() const
+AffineTransform SVGStyledTransformableElement::getScreenCTM(StyleUpdateStrategy styleUpdateStrategy) const
 {
-    return SVGLocatable::computeCTM(this, SVGLocatable::ScreenScope);
+    return SVGLocatable::computeCTM(this, SVGLocatable::ScreenScope, styleUpdateStrategy);
 }
 
@@ -102 +102 @@
 }
 
-FloatRect SVGStyledTransformableElement::getBBox() const
+FloatRect SVGStyledTransformableElement::getBBox(StyleUpdateStrategy styleUpdateStrategy) const
 {
-    return SVGTransformable::getBBox(this);
+    return SVGTransformable::getBBox(this, styleUpdateStrategy);
 }
 

trunk/WebCore/svg/SVGStyledTransformableElement.h

@@ -39 +39 @@
     virtual bool isStyledTransformable() const { return true; }
 
-    virtual AffineTransform getCTM() const;
-    virtual AffineTransform getScreenCTM() const;
+    virtual AffineTransform getCTM(StyleUpdateStrategy = AllowStyleUpdate) const;
+    virtual AffineTransform getScreenCTM(StyleUpdateStrategy = AllowStyleUpdate) const;
     virtual SVGElement* nearestViewportElement() const;
     virtual SVGElement* farthestViewportElement() const;
@@ -48 +48 @@
     virtual AffineTransform* supplementalTransform();
 
-    virtual FloatRect getBBox() const;
+    virtual FloatRect getBBox(StyleUpdateStrategy = AllowStyleUpdate) const;
 
     virtual void parseMappedAttribute(Attribute*);

trunk/WebCore/svg/SVGTextElement.cpp

@@ -69 +69 @@
 }
 
-FloatRect SVGTextElement::getBBox() const
+FloatRect SVGTextElement::getBBox(StyleUpdateStrategy styleUpdateStrategy) const
 {
-    return SVGTransformable::getBBox(this);
+    return SVGTransformable::getBBox(this, styleUpdateStrategy);
 }
 
-AffineTransform SVGTextElement::getCTM() const
+AffineTransform SVGTextElement::getCTM(StyleUpdateStrategy styleUpdateStrategy) const
 {
-    return SVGLocatable::computeCTM(this, SVGLocatable::NearestViewportScope);
+    return SVGLocatable::computeCTM(this, SVGLocatable::NearestViewportScope, styleUpdateStrategy);
 }
 
-AffineTransform SVGTextElement::getScreenCTM() const
+AffineTransform SVGTextElement::getScreenCTM(StyleUpdateStrategy styleUpdateStrategy) const
 {
-    return SVGLocatable::computeCTM(this, SVGLocatable::ScreenScope);
+    return SVGLocatable::computeCTM(this, SVGLocatable::ScreenScope, styleUpdateStrategy);
 }
 

trunk/WebCore/svg/SVGTextElement.h

@@ -39 +39 @@
         virtual SVGElement* farthestViewportElement() const;
 
-        virtual FloatRect getBBox() const;
-        virtual AffineTransform getCTM() const;
-        virtual AffineTransform getScreenCTM() const;
+        virtual FloatRect getBBox(StyleUpdateStrategy = AllowStyleUpdate) const;
+        virtual AffineTransform getCTM(StyleUpdateStrategy = AllowStyleUpdate) const;
+        virtual AffineTransform getScreenCTM(StyleUpdateStrategy = AllowStyleUpdate) const;
         virtual AffineTransform animatedLocalTransform() const;
         virtual AffineTransform* supplementalTransform();