133013 – Element within flattened frame may update its scroll state during the layout phase of the wrong RenderView

RESOLVED FIXED 133013

Element within flattened frame may update its scroll state during the layout phase of the wrong RenderView

https://bugs.webkit.org/show_bug.cgi?id=133013

Summary Element within flattened frame may update its scroll state during the layout ...

Daniel Bates

Reported 2014-05-16 15:33:00 PDT

Assuming frame flattening is enabled. Consider a page with the following markup: <div id="test-container" style="display: -webkit-flex; -webkit-flex-direction: column; height: 512px;"> <iframe style="width: 100%; overflow: hidden" height="0" srcdoc=" <div style='display: -webkit-flex; -webkit-flex-direction: column; height: 128px; width: 128px; background-color: blue'> <div id='scrollableDiv' style='display: none; overflow-y: scroll; width: 100px;'></div> </div> <script> window.setTimeout(function () { var scrollableDiv = document.getElementById('scrollableDiv'); scrollableDiv.innerHTML = 'Supercalifragilisticexpialidocious'; /* A string that cannot be word-wrapped and exceeds the width of the scrollableDiv. */ scrollableDiv.style.display = 'block'; }, 0); </script> "></iframe> </div> Then the assertion ASSERT(m_next) fails in LayoutState::LayoutState(std::unique_ptr<LayoutState>, ...).

Attachments
Work-in-progress patch and layout tests (26.07 KB, patch) 2014-05-16 15:38 PDT, Daniel Bates	no flags	Details Formatted Diff Diff
Patch and layout tests (23.12 KB, patch) 2014-05-19 16:41 PDT, Daniel Bates	no flags	Details Formatted Diff Diff
Patch and layout tests (23.04 KB, patch) 2014-05-19 17:08 PDT, Daniel Bates	hyatt: review+	Details Formatted Diff Diff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.

Daniel Bates

Comment 1 2014-05-16 15:33:26 PDT

<rdar://problem/16760154>

Daniel Bates

Comment 2 2014-05-16 15:38:58 PDT

Created attachment 231598 [details] Work-in-progress patch and layout tests Need to fix up layout test delayed-scroll-in-iframe-with-full-repaint-crash.html to show PASS message on success and add a ChangeLog entry. Also, consider making UpdateScrollInfoAfterLayoutDispatcher::{begin, end}Deferring() take a const RenderBlock& as an argument as a way to deter calling these methods outside of RenderBlock or RenderBlock-derived classes (or is there a better way to achieve this?).

Daniel Bates

Comment 3 2014-05-19 16:41:15 PDT

Created attachment 231736 [details] Patch and layout tests

Daniel Bates

Comment 4 2014-05-19 17:08:49 PDT

Created attachment 231740 [details] Patch and layout tests

Dave Hyatt

Comment 5 2014-05-20 11:20:09 PDT

Comment on attachment 231740 [details] Patch and layout tests r=me

Daniel Bates

Comment 6 2014-05-20 13:35:16 PDT

Committed r169128: <http://trac.webkit.org/changeset/169128>

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version 528+ (Nightly build)

Hardware Unspecified

OS Unspecified

Product WebKit

Component Layout and Rendering

Assignee

Daniel Bates

Reported

2014-05-16 15:33 PDT

Modified

2014-05-20 13:35 PDT History

CC List

8 users Show

URL

Keywords InRadar

Depends on

Blocks