Bug 133013

Summary: Element within flattened frame may update its scroll state during the layout phase of the wrong RenderView
Product: WebKit Reporter: Daniel Bates <dbates>
Component: Layout and RenderingAssignee: Daniel Bates <dbates>
Status: RESOLVED FIXED    
Severity: Normal CC: commit-queue, ddkilzer, esprehn+autocc, glenn, hyatt, kondapallykalyan, simon.fraser, zalan
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Work-in-progress patch and layout tests
none
Patch and layout tests
none
Patch and layout tests hyatt: review+

Daniel Bates
Reported 2014-05-16 15:33:00 PDT
Assuming frame flattening is enabled. Consider a page with the following markup: <div id="test-container" style="display: -webkit-flex; -webkit-flex-direction: column; height: 512px;"> <iframe style="width: 100%; overflow: hidden" height="0" srcdoc=" <div style='display: -webkit-flex; -webkit-flex-direction: column; height: 128px; width: 128px; background-color: blue'> <div id='scrollableDiv' style='display: none; overflow-y: scroll; width: 100px;'></div> </div> <script> window.setTimeout(function () { var scrollableDiv = document.getElementById('scrollableDiv'); scrollableDiv.innerHTML = 'Supercalifragilisticexpialidocious'; /* A string that cannot be word-wrapped and exceeds the width of the scrollableDiv. */ scrollableDiv.style.display = 'block'; }, 0); </script> "></iframe> </div> Then the assertion ASSERT(m_next) fails in LayoutState::LayoutState(std::unique_ptr<LayoutState>, ...).
Attachments
Work-in-progress patch and layout tests (26.07 KB, patch)
2014-05-16 15:38 PDT, Daniel Bates 		no flags
DetailsFormatted DiffDiff
Patch and layout tests (23.12 KB, patch)
2014-05-19 16:41 PDT, Daniel Bates 		no flags
DetailsFormatted DiffDiff
Patch and layout tests (23.04 KB, patch)
2014-05-19 17:08 PDT, Daniel Bates 		hyatt: review+
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Daniel Bates
Comment 1 2014-05-16 15:33:26 PDT
<rdar://problem/16760154>
Daniel Bates
Comment 2 2014-05-16 15:38:58 PDT
Created attachment 231598 [details] Work-in-progress patch and layout tests Need to fix up layout test delayed-scroll-in-iframe-with-full-repaint-crash.html to show PASS message on success and add a ChangeLog entry. Also, consider making UpdateScrollInfoAfterLayoutDispatcher::{begin, end}Deferring() take a const RenderBlock& as an argument as a way to deter calling these methods outside of RenderBlock or RenderBlock-derived classes (or is there a better way to achieve this?).
Daniel Bates
Comment 3 2014-05-19 16:41:15 PDT
Created attachment 231736 [details] Patch and layout tests
Daniel Bates
Comment 4 2014-05-19 17:08:49 PDT
Created attachment 231740 [details] Patch and layout tests
Dave Hyatt
Comment 5 2014-05-20 11:20:09 PDT
Comment on attachment 231740 [details] Patch and layout tests r=me
Daniel Bates
Comment 6 2014-05-20 13:35:16 PDT
Committed r169128: <http://trac.webkit.org/changeset/169128>
Note You need to log in before you can comment on or make changes to this bug.