RESOLVED FIXED 178710
RenderSVGModelObject::checkIntersection triggers layout 
https://bugs.webkit.org/show_bug.cgi?id=178710
Summary RenderSVGModelObject::checkIntersection triggers layout
Ryosuke Niwa
Reported 2017-10-23 22:49:20 PDT
Don't do that.
Attachments
Fixes the bug (2.14 KB, patch)
2017-10-23 22:50 PDT, Ryosuke Niwa 		no flags
DetailsFormatted DiffDiff
Address Simon's comment with a test (17.18 KB, patch)
2017-10-24 14:22 PDT, Ryosuke Niwa 		simon.fraser: review+
DetailsFormatted DiffDiff
Patch for landing (17.19 KB, patch)
2017-10-24 14:53 PDT, Ryosuke Niwa 		buildbot: commit-queue-
DetailsFormatted DiffDiff
Archive of layout-test-results from ews103 for mac-elcapitan (1.18 MB, application/zip)
2017-10-24 16:11 PDT, Build Bot 		no flags
Details
Archive of layout-test-results from ews116 for mac-elcapitan (1.77 MB, application/zip)
2017-10-24 16:16 PDT, Build Bot 		no flags
Details
Patch for landing (17.17 KB, patch)
2017-10-24 16:20 PDT, Ryosuke Niwa 		no flags
DetailsFormatted DiffDiff
Show Obsolete (4) View All Add attachment proposed patch, testcase, etc.
Ryosuke Niwa
Comment 1 2017-10-23 22:50:58 PDT
Created attachment 324646 [details] Fixes the bug
Ryosuke Niwa
Comment 2 2017-10-23 22:51:14 PDT
<rdar://problem/35140862>
Ryosuke Niwa
Comment 3 2017-10-23 22:54:34 PDT
In particular, collectIntersectionOrEnclosureList uses ElementIterator so it's not safe to update the layout which could run arbitrary scripts at the moment...
WebKit Commit Bot
Comment 4 2017-10-24 00:41:43 PDT
Comment on attachment 324646 [details] Fixes the bug Clearing flags on attachment: 324646 Committed r223882: <https://trac.webkit.org/changeset/223882>
WebKit Commit Bot
Comment 5 2017-10-24 00:41:44 PDT
All reviewed patches have been landed. Closing bug.
Simon Fraser (smfr)
Comment 6 2017-10-24 10:31:45 PDT
Comment on attachment 324646 [details] Fixes the bug This doesn't seem right. getElementCTM() can be called from RenderSVGModelObject::checkIntersection, which is called from SVGSVGElement::checkIntersection which is exposed to JS. So now nothing forces layout before checkIntersection calls getElementCTM.
Ryosuke Niwa
Comment 7 2017-10-24 10:33:05 PDT
(In reply to Simon Fraser (smfr) from comment #6) > Comment on attachment 324646 [details] > Fixes the bug > > This doesn't seem right. getElementCTM() can be called from > RenderSVGModelObject::checkIntersection, which is called from > SVGSVGElement::checkIntersection which is exposed to JS. So now nothing > forces layout before checkIntersection calls getElementCTM. SVGSVGElement::checkIntersection triggers layout! https://trac.webkit.org/browser/webkit/trunk/Source/WebCore/svg/SVGSVGElement.cpp#L336
Simon Fraser (smfr)
Comment 8 2017-10-24 10:34:19 PDT
(In reply to Ryosuke Niwa from comment #7) > (In reply to Simon Fraser (smfr) from comment #6) > > Comment on attachment 324646 [details] > > Fixes the bug > > > > This doesn't seem right. getElementCTM() can be called from > > RenderSVGModelObject::checkIntersection, which is called from > > SVGSVGElement::checkIntersection which is exposed to JS. So now nothing > > forces layout before checkIntersection calls getElementCTM. > > SVGSVGElement::checkIntersection triggers layout! > https://trac.webkit.org/browser/webkit/trunk/Source/WebCore/svg/ > SVGSVGElement.cpp#L336 That's getIntersectionList, not checkIntersection.
Ryosuke Niwa
Comment 9 2017-10-24 10:35:53 PDT
(In reply to Simon Fraser (smfr) from comment #8) > (In reply to Ryosuke Niwa from comment #7) > > (In reply to Simon Fraser (smfr) from comment #6) > > > Comment on attachment 324646 [details] > > > Fixes the bug > > > > > > This doesn't seem right. getElementCTM() can be called from > > > RenderSVGModelObject::checkIntersection, which is called from > > > SVGSVGElement::checkIntersection which is exposed to JS. So now nothing > > > forces layout before checkIntersection calls getElementCTM. > > > > SVGSVGElement::checkIntersection triggers layout! > > https://trac.webkit.org/browser/webkit/trunk/Source/WebCore/svg/ > > SVGSVGElement.cpp#L336 > > That's getIntersectionList, not checkIntersection. Oh, didn't notice those were exposed directly. Let's fix that...
Ryosuke Niwa
Comment 10 2017-10-24 10:36:10 PDT
Re-opening to address Simon's comment.
Ryosuke Niwa
Comment 11 2017-10-24 14:22:36 PDT
Created attachment 324720 [details] Address Simon's comment with a test
Ryosuke Niwa
Comment 12 2017-10-24 14:51:39 PDT
Comment on attachment 324720 [details] Address Simon's comment with a test Posting a new patch to land.
Ryosuke Niwa
Comment 13 2017-10-24 14:53:20 PDT
Created attachment 324727 [details] Patch for landing
Build Bot
Comment 14 2017-10-24 16:11:23 PDT
Comment on attachment 324727 [details] Patch for landing Attachment 324727 [details] did not pass mac-ews (mac): Output: http://webkit-queues.webkit.org/results/4975689 New failing tests: storage/indexeddb/detached-iframe.html
Build Bot
Comment 15 2017-10-24 16:11:24 PDT
Created attachment 324744 [details] Archive of layout-test-results from ews103 for mac-elcapitan The attached test failures were seen while running run-webkit-tests on the mac-ews. Bot: ews103 Port: mac-elcapitan Platform: Mac OS X 10.11.6
Build Bot
Comment 16 2017-10-24 16:16:41 PDT
Comment on attachment 324727 [details] Patch for landing Attachment 324727 [details] did not pass mac-debug-ews (mac): Output: http://webkit-queues.webkit.org/results/4975525 New failing tests: storage/indexeddb/detached-iframe.html
Build Bot
Comment 17 2017-10-24 16:16:42 PDT
Created attachment 324745 [details] Archive of layout-test-results from ews116 for mac-elcapitan The attached test failures were seen while running run-webkit-tests on the mac-debug-ews. Bot: ews116 Port: mac-elcapitan Platform: Mac OS X 10.11.6
Ryosuke Niwa
Comment 18 2017-10-24 16:20:50 PDT
Created attachment 324746 [details] Patch for landing
Ryosuke Niwa
Comment 19 2017-10-24 18:35:47 PDT
Committed r223947: <https://trac.webkit.org/changeset/223947>
Note You need to log in before you can comment on or make changes to this bug.