| Summary: | Element within flattened frame may update its scroll state during the layout phase of the wrong RenderView | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | WebKit | Reporter: | Daniel Bates <dbates> | ||||||||
| Component: | Layout and Rendering | Assignee: | Daniel Bates <dbates> | ||||||||
| Status: | RESOLVED FIXED | ||||||||||
| Severity: | Normal | CC: | commit-queue, ddkilzer, esprehn+autocc, glenn, hyatt, kondapallykalyan, simon.fraser, zalan | ||||||||
| Priority: | P2 | Keywords: | InRadar | ||||||||
| Version: | 528+ (Nightly build) | ||||||||||
| Hardware: | Unspecified | ||||||||||
| OS: | Unspecified | ||||||||||
| Attachments: |
|
||||||||||
Created attachment 231598 [details]
Work-in-progress patch and layout tests
Need to fix up layout test delayed-scroll-in-iframe-with-full-repaint-crash.html to show PASS message on success and add a ChangeLog entry. Also, consider making UpdateScrollInfoAfterLayoutDispatcher::{begin, end}Deferring() take a const RenderBlock& as an argument as a way to deter calling these methods outside of RenderBlock or RenderBlock-derived classes (or is there a better way to achieve this?).
Created attachment 231736 [details]
Patch and layout tests
Created attachment 231740 [details]
Patch and layout tests
Comment on attachment 231740 [details]
Patch and layout tests
r=me
Committed r169128: <http://trac.webkit.org/changeset/169128> |
Assuming frame flattening is enabled. Consider a page with the following markup: <div id="test-container" style="display: -webkit-flex; -webkit-flex-direction: column; height: 512px;"> <iframe style="width: 100%; overflow: hidden" height="0" srcdoc=" <div style='display: -webkit-flex; -webkit-flex-direction: column; height: 128px; width: 128px; background-color: blue'> <div id='scrollableDiv' style='display: none; overflow-y: scroll; width: 100px;'></div> </div> <script> window.setTimeout(function () { var scrollableDiv = document.getElementById('scrollableDiv'); scrollableDiv.innerHTML = 'Supercalifragilisticexpialidocious'; /* A string that cannot be word-wrapped and exceeds the width of the scrollableDiv. */ scrollableDiv.style.display = 'block'; }, 0); </script> "></iframe> </div> Then the assertion ASSERT(m_next) fails in LayoutState::LayoutState(std::unique_ptr<LayoutState>, ...).