Bug 235194

Summary: <dialog> with transformed ancestor asserts under RenderGeometryMap
Product: WebKit
Reporter: Simon Fraser (smfr) <simon.fraser>
Component: DOM
Assignee: Simon Fraser (smfr) <simon.fraser>
Status: RESOLVED FIXED
Severity: Normal
Priority: P2
Keywords: InRadar
CC: changseok, esprehn+autocc, ews-watchlist, fred.wang, glenn, koivisto, kondapallykalyan, mrobinson, ntim, pdr, simon.fraser, webkit-bug-importer
Version: Safari Technology Preview
Hardware: Unspecified
OS: Unspecified
Bug Depends on: 235272
Bug Blocks: 84635
Attachments:
Description    Flags
Patch          none
Patch          none
Patch          none
Patch          koivisto: review+, ews-feeder: commit-queue-
Patch          none
Patch          none

Description Simon Fraser (smfr) 2022-01-13 11:31:39 PST
imported/w3c/web-platform-tests/html/semantics/interactive-elements/the-dialog-element/top-layer-parent-transform.html triggers an assertion:

Thread 0 Crashed::  Dispatch queue: com.apple.main-thread
0   JavaScriptCore                	       0x7bf6ddf9e WTFCrash + 14
1   WebCore                       	       0x7d2e0f49b WTFCrashWithInfo(int, char const*, char const*, int) + 27
2   WebCore                       	       0x7d77b6ca6 WebCore::RenderObject::offsetFromAncestorContainer(WebCore::RenderElement&) const + 262
3   WebCore                       	       0x7d7628382 WebCore::RenderBox::pushMappingToContainer(WebCore::RenderLayerModelObject const*, WebCore::RenderGeometryMap&) const + 226 (RenderBox.cpp:2361)
4   WebCore                       	       0x7d76daa8f WebCore::RenderGeometryMap::pushMappingsToAncestor(WebCore::RenderObject const*, WebCore::RenderLayerModelObject const*) + 79 (RenderGeometryMap.cpp:140)
5   WebCore                       	       0x7d76dae5d WebCore::RenderGeometryMap::pushMappingsToAncestor(WebCore::RenderLayer const*, WebCore::RenderLayer const*, bool) + 557 (RenderGeometryMap.cpp:197)
6   WebCore                       	       0x7d7702142 WebCore::RenderLayer::updateLayerPositions(WebCore::RenderGeometryMap*, WTF::OptionSet<WebCore::RenderLayer::UpdateLayerPositionsFlag>) + 162 (RenderLayer.cpp:962)
7   WebCore                       	       0x7d7702921 WebCore::RenderLayer::updateLayerPositions(WebCore::RenderGeometryMap*, WTF::OptionSet<WebCore::RenderLayer::UpdateLayerPositionsFlag>) + 2177 (RenderLayer.cpp:1053)
8   WebCore                       	       0x7d7702921 WebCore::RenderLayer::updateLayerPositions(WebCore::RenderGeometryMap*, WTF::OptionSet<WebCore::RenderLayer::UpdateLayerPositionsFlag>) + 2177 (RenderLayer.cpp:1053)
9   WebCore                       	       0x7d7702921 WebCore::RenderLayer::updateLayerPositions(WebCore::RenderGeometryMap*, WTF::OptionSet<WebCore::RenderLayer::UpdateLayerPositionsFlag>) + 2177 (RenderLayer.cpp:1053)
10  WebCore                       	       0x7d7702bda WebCore::RenderLayer::updateLayerPositionsAfterLayout(bool, bool) + 218 (RenderLayer.cpp:952)
11  WebCore                       	       0x7d6ca51e1 WebCore::FrameView::didLayout(WTF::WeakPtr<WebCore::RenderElement, WTF::EmptyCounter>) + 129 (FrameView.cpp:1319)
12  WebCore                       	       0x7d6c9abf8 WebCore::FrameViewLayoutContext::layout() + 2728 (FrameViewLayoutContext.cpp:259)
13  WebCore                       	       0x7d5f8ac56 WebCore::Document::implicitClose() + 1046 (Document.cpp:3218)
14  WebCore                       	       0x7d6aa428b WebCore::FrameLoader::checkCallImplicitClose() + 155 (FrameLoader.cpp:942)
Comment 1 Simon Fraser (smfr) 2022-01-13 21:37:36 PST
Created attachment 449140
Patch
Comment 2 Simon Fraser (smfr) 2022-01-18 09:32:49 PST
Created attachment 449398
Patch
Comment 3 Martin Robinson 2022-01-19 04:13:55 PST
*** Bug 235063 has been marked as a duplicate of this bug. ***
Comment 4 Simon Fraser (smfr) 2022-01-19 11:16:47 PST
Created attachment 449498
Patch
Comment 5 Simon Fraser (smfr) 2022-01-19 11:22:51 PST
Created attachment 449499
Patch
Comment 6 Antti Koivisto 2022-01-19 11:36:09 PST
Comment on attachment 449499
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=449499&action=review

> Source/WebCore/rendering/RenderElement.h:112
> +    RenderLayer* layerParentRespectingTopLayer() const;
> +    RenderLayer* layerNextSiblingRespectingTopLayer(RenderLayer& parentLayer) const;
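Review bot: the two declarations at RenderElement.h:112 carry no comment saying how their results differ from the plain layer-parent and next-sibling lookups, so a reader cannot tell from the header which case the "RespectingTopLayer" suffix covers. A one-line comment above them stating what changes for a renderer promoted to the top layer (which layer is reported as its parent, and which as its next sibling within `parentLayer`) would make the intent clear without having to read the .cpp.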

Do we have non-respecting versions and what are they good for?

Could we just have these without "RespectingTopLayer" part?
Comment 7 Antti Koivisto 2022-01-19 11:49:32 PST
Comment on attachment 449499
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=449499&action=review

> Source/WebCore/rendering/RenderElement.cpp:637
> +static RenderLayer* findNextLayer(const RenderElement& currRenderer, RenderLayer& parentLayer, const RenderObject* siblingToTraverseFrom, bool checkParent = true)
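Review bot: the trailing `bool checkParent = true` at RenderElement.cpp:637 means every recursive call will pass a bare `true` or `false` literal, which is unreadable at the call site; an `enum class` with named values, or splitting the external entry point from the recursive step so the flag disappears, would make each call self-describing. `const RenderObject* siblingToTraverseFrom` is also a raw pointer whose name suggests null is a valid "start from the first child" value; a comment (or a separate overload) should say whether null is permitted.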

I know this is just a function that moves but it would be nice to make it better. I suspect what it does could be expressed cleanly (by making it iterative and separating layer testing from traversal) but currently it is pretty incomprehensible.

currRenderer is not current WebKit style

It is not super clear what "next layer" here means. Next in depth-first order? siblingToTraverseFrom is really weird too.
Comment 8 Simon Fraser (smfr) 2022-01-19 12:05:16 PST
Created attachment 449504
Patch
Comment 9 Simon Fraser (smfr) 2022-01-19 12:20:00 PST
Created attachment 449506
Patch
Comment 10 Radar WebKit Bug Importer 2022-01-19 12:25:19 PST
<rdar://problem/87785288>
Comment 11 EWS 2022-01-19 19:54:37 PST
Committed r288267 (246209@main): <https://commits.webkit.org/246209@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 449506.