Bug 133013 - Element within flattened frame may update its scroll state during the layout phase of the wrong RenderView
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Daniel Bates
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2014-05-16 15:33 PDT by Daniel Bates
Modified: 2014-05-20 13:35 PDT (History)
CC: 8 users

Attachments
- Work-in-progress patch and layout tests (26.07 KB, patch), 2014-05-16 15:38 PDT, Daniel Bates, no flags
- Patch and layout tests (23.12 KB, patch), 2014-05-19 16:41 PDT, Daniel Bates, no flags
- Patch and layout tests (23.04 KB, patch), 2014-05-19 17:08 PDT, Daniel Bates, hyatt: review+

Description Daniel Bates 2014-05-16 15:33:00 PDT
Assuming frame flattening is enabled, consider a page with the following markup:

<div id="test-container" style="display: -webkit-flex; -webkit-flex-direction: column; height: 512px;">
    <iframe style="width: 100%; overflow: hidden" height="0" srcdoc="
        <div style='display: -webkit-flex; -webkit-flex-direction: column; height: 128px; width: 128px; background-color: blue'>
            <div id='scrollableDiv' style='display: none; overflow-y: scroll; width: 100px;'></div>
        </div>
        <script>
        window.setTimeout(function () {
            var scrollableDiv = document.getElementById('scrollableDiv');
            scrollableDiv.innerHTML = 'Supercalifragilisticexpialidocious'; /* A string that cannot be word-wrapped and exceeds the width of the scrollableDiv. */
            scrollableDiv.style.display = 'block';
        }, 0);
        </script>
    "></iframe>
</div>

Then the assertion ASSERT(m_next) fails in LayoutState::LayoutState(std::unique_ptr<LayoutState>, ...).
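The repro above wrapped in a WebKit layout-test harness, as an added example rather than the attached patch's test file: it turns on frame flattening through the test hooks (assumed names: `testRunner` and `internals.settings.setFrameFlatteningEnabled`), performs the same delayed mutation from the outer document, and reports PASS only once layout has completed and the div actually overflows horizontally.

```html
<!DOCTYPE html>
<html>
<head>
<script>
// Added example, not the bug's own attachment. Assumes the WebKit test hooks
// `testRunner` and `internals.settings.setFrameFlatteningEnabled` exist.
if (window.testRunner) {
    testRunner.dumpAsText();
    testRunner.waitUntilDone();
}
if (window.internals && internals.settings.setFrameFlatteningEnabled)
    internals.settings.setFrameFlatteningEnabled(true);

function finish(message) {
    document.getElementById('result').textContent = message;
    if (window.testRunner)
        testRunner.notifyDone();
}

function runTest() {
    // srcdoc frames share the parent's origin, so the frame document is reachable.
    var frame = document.getElementById('frame');
    var scrollableDiv = frame.contentDocument.getElementById('scrollableDiv');
    // Same delayed mutation as in the report: show the div with content that
    // cannot wrap, so it needs a horizontal scrollbar at the next layout of
    // the flattened frame.
    window.setTimeout(function () {
        scrollableDiv.innerHTML = 'Supercalifragilisticexpialidocious';
        scrollableDiv.style.display = 'block';
        // Reading layout metrics forces layout; a debug build with the bug
        // is expected to hit ASSERT(m_next) here instead of returning.
        var overflowed = scrollableDiv.scrollWidth > scrollableDiv.clientWidth;
        finish(overflowed ? 'PASS: layout completed and scrollableDiv overflows horizontally.'
                          : 'FAIL: expected horizontal overflow in scrollableDiv.');
    }, 0);
}
</script>
</head>
<body>
<p>Tests that a delayed scroll-state update inside a flattened iframe does not crash. Expected: PASS.</p>
<div id="result"></div>
<div id="test-container" style="display: -webkit-flex; -webkit-flex-direction: column; height: 512px;">
    <iframe id="frame" onload="runTest()" style="width: 100%; overflow: hidden" height="0" srcdoc="
        <div style='display: -webkit-flex; -webkit-flex-direction: column; height: 128px; width: 128px; background-color: blue'>
            <div id='scrollableDiv' style='display: none; overflow-y: scroll; width: 100px;'></div>
        </div>
    "></iframe>
</div>
</body>
</html>
```

Run it under DumpRenderTree or WebKitTestRunner with a debug build; before the fix the run aborts on the assertion, after it the text output contains the PASS line.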
Comment 1 Daniel Bates 2014-05-16 15:33:26 PDT
<rdar://problem/16760154>
Comment 2 Daniel Bates 2014-05-16 15:38:58 PDT
Created attachment 231598 [details]
Work-in-progress patch and layout tests

Need to fix up layout test delayed-scroll-in-iframe-with-full-repaint-crash.html to show PASS message on success and add a ChangeLog entry. Also, consider making UpdateScrollInfoAfterLayoutDispatcher::{begin, end}Deferring() take a const RenderBlock& as an argument as a way to deter calling these methods outside of RenderBlock or RenderBlock-derived classes (or is there a better way to achieve this?).
Comment 3 Daniel Bates 2014-05-19 16:41:15 PDT
Created attachment 231736 [details]
Patch and layout tests
Comment 4 Daniel Bates 2014-05-19 17:08:49 PDT
Created attachment 231740 [details]
Patch and layout tests
Comment 5 Dave Hyatt 2014-05-20 11:20:09 PDT
Comment on attachment 231740 [details]
Patch and layout tests

r=me
Comment 6 Daniel Bates 2014-05-20 13:35:16 PDT
Committed r169128: <http://trac.webkit.org/changeset/169128>