Modified: branches/safari-605-branch/Source/WebCore/ChangeLog (228170 => 228171)
--- branches/safari-605-branch/Source/WebCore/ChangeLog 2018-02-06 15:16:44 UTC (rev 228170)
+++ branches/safari-605-branch/Source/WebCore/ChangeLog 2018-02-06 15:16:48 UTC (rev 228171)
@@ -1,5 +1,40 @@
2018-02-06 Jason Marcell <jmarc...@apple.com>
+ Cherry-pick r228151. rdar://problem/37264535
+
+ 2018-02-05 Ryosuke Niwa <rn...@webkit.org>
+
+ Release assertion in inlineVideoFrame
+ https://bugs.webkit.org/show_bug.cgi?id=182513
+ <rdar://problem/37159363>
+
+ Reviewed by Zalan Bujtas.
+
+ The bug was caused by the fact it's not always safe to invoke updateLayout even when isSafeToUpdateStyleOrLayout
+ on a document of a flattened frame on iOS. isSafeToUpdateStyleOrLayout returns true when the frame view is in
+ the frame-flattening mode to avoid hitting a release asssertion in updateLayout of the frame. However, it's still
+ not safe to invoke updateLayout on a parent frame in this case.
+
+ As a result, inlineVideoFrame (in Source/WebKit/WebProcess/cocoa/VideoFullscreenManager.mm) invokes updateLayout
+ even when the top-level document is not safe to update when the video element is in a frame-flattened document.
+
+ Fixed this bug by explicitly checking that we still have a live render tree and document hasn't been stopped.
+ Also replaced other uses of isSafeToUpdateStyleOrLayout by more explicit checks.
+
+ * accessibility/AccessibilityObject.cpp:
+ (WebCore::AccessibilityObject::updateBackingStore): Made the early exit condition added in r227006 more explicit.
+ Namely, InspectorDOMAgent::pseudoElementCreated is invoked during style recalc.
+ * dom/Document.cpp:
+ (WebCore::isSafeToUpdateStyleOrLayout): Made this local to the file.
+ (WebCore::Document::updateStyleIfNeeded):
+ (WebCore::Document::updateLayout):
+ * dom/Document.h:
+ * html/MediaElementSession.cpp:
+ (WebCore::isMainContentForPurposesOfAutoplay): Made the early exit condition added in r227529 more explicit. Don't
+ update the layout when the render tree had been destroyed or the active DOM objects had been stopped.
+
+2018-02-06 Jason Marcell <jmarc...@apple.com>
+
Cherry-pick r228143. rdar://problem/37264459
2018-02-05 Per Arne Vollan <pvol...@apple.com>
Modified: branches/safari-605-branch/Source/WebCore/accessibility/AccessibilityObject.cpp (228170 => 228171)
--- branches/safari-605-branch/Source/WebCore/accessibility/AccessibilityObject.cpp 2018-02-06 15:16:44 UTC (rev 228170)
+++ branches/safari-605-branch/Source/WebCore/accessibility/AccessibilityObject.cpp 2018-02-06 15:16:48 UTC (rev 228171)
@@ -1769,7 +1769,7 @@
// Updating the layout may delete this object.
RefPtr<AccessibilityObject> protectedThis(this);
if (auto* document = this->document()) {
- if (!document->view()->layoutContext().isInRenderTreeLayout() && !document->inRenderTreeUpdate() && document->isSafeToUpdateStyleOrLayout())
+ if (!document->view()->layoutContext().isInRenderTreeLayout() && !document->inRenderTreeUpdate() && !document->inStyleRecalc())
document->updateLayoutIgnorePendingStylesheets();
}
updateChildrenIfNecessary();
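Review bot: The new condition on the changed line still dereferences `document->view()` without a null check before calling `layoutContext()`, while the Document.cpp hunk in this same commit guards its `frameView` before use; a Document without a FrameView would crash here instead of skipping the layout update. Suggested: `auto* frameView = document->view();` followed by `if (frameView && !frameView->layoutContext().isInRenderTreeLayout() && !document->inRenderTreeUpdate() && !document->inStyleRecalc())`. Note also that `!inStyleRecalc()` is narrower than the removed `isSafeToUpdateStyleOrLayout()`, which also considered whether script is currently allowed, so the release assertion inside `updateLayout` becomes the only backstop for those other cases; a short comment stating that this exit targets the style-recalc re-entrancy named in the ChangeLog would make that intent visible. `updateBackingStore` begins before this hunk.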
Modified: branches/safari-605-branch/Source/WebCore/dom/Document.cpp (228170 => 228171)
--- branches/safari-605-branch/Source/WebCore/dom/Document.cpp 2018-02-06 15:16:44 UTC (rev 228170)
+++ branches/safari-605-branch/Source/WebCore/dom/Document.cpp 2018-02-06 15:16:48 UTC (rev 228171)
@@ -1938,10 +1938,11 @@
return false;
}
-bool Document::isSafeToUpdateStyleOrLayout() const
+static bool isSafeToUpdateStyleOrLayout(const Document& document)
{
bool isSafeToExecuteScript = ScriptDisallowedScope::InMainThread::isScriptAllowed();
- bool isInFrameFlattening = view() && view()->isInChildFrameWithFrameFlattening();
+ auto* frameView = document.view();
+ bool isInFrameFlattening = frameView && frameView->isInChildFrameWithFrameFlattening();
bool isAssertionDisabled = ScriptDisallowedScope::LayoutAssertionDisableScope::shouldDisable();
return isSafeToExecuteScript || isInFrameFlattening || !isInWebProcess() || isAssertionDisabled;
}
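Review bot: The now file-local `isSafeToUpdateStyleOrLayout` has no comment explaining why frame flattening counts as "safe", even though the ChangeLog in this commit states that updating layout on a parent frame is still unsafe in that mode; a reader of Document.cpp alone will take the return value as a general safety predicate. Suggested comment above the function: `// Only gates the RELEASE_ASSERTs in updateStyleIfNeeded()/updateLayout(). Frame flattening is accepted to avoid tripping that assertion on a child frame; it does not make layout of the parent frame safe, so callers must check hasLivingRenderTree()/activeDOMObjectsAreStopped() themselves.` The two later hunks in this file only update the call sites to pass `*this` and need no change.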
@@ -1964,7 +1965,7 @@
}
// The early exit above for !needsStyleRecalc() is needed when updateWidgetPositions() is called in runOrScheduleAsynchronousTasks().
- RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(isSafeToUpdateStyleOrLayout());
+ RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(isSafeToUpdateStyleOrLayout(*this));
resolveStyle();
return true;
@@ -1980,7 +1981,7 @@
ASSERT_NOT_REACHED();
return;
}
- RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(isSafeToUpdateStyleOrLayout());
+ RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(isSafeToUpdateStyleOrLayout(*this));
RenderView::RepaintRegionAccumulator repaintRegionAccumulator(renderView());
Modified: branches/safari-605-branch/Source/WebCore/dom/Document.h (228170 => 228171)
--- branches/safari-605-branch/Source/WebCore/dom/Document.h 2018-02-06 15:16:44 UTC (rev 228170)
+++ branches/safari-605-branch/Source/WebCore/dom/Document.h 2018-02-06 15:16:48 UTC (rev 228171)
@@ -1250,7 +1250,6 @@
bool inStyleRecalc() const { return m_inStyleRecalc; }
bool inRenderTreeUpdate() const { return m_inRenderTreeUpdate; }
- WEBCORE_EXPORT bool isSafeToUpdateStyleOrLayout() const;
void updateTextRenderer(Text&, unsigned offsetOfReplacedText, unsigned lengthOfReplacedText);
Modified: branches/safari-605-branch/Source/WebCore/html/MediaElementSession.cpp (228170 => 228171)
--- branches/safari-605-branch/Source/WebCore/html/MediaElementSession.cpp 2018-02-06 15:16:44 UTC (rev 228170)
+++ branches/safari-605-branch/Source/WebCore/html/MediaElementSession.cpp 2018-02-06 15:16:48 UTC (rev 228171)
@@ -695,7 +695,7 @@
static bool isMainContentForPurposesOfAutoplay(const HTMLMediaElement& element)
{
Document& document = element.document();
- if (element.isSuspended() || !element.hasAudio() || !element.hasVideo())
+ if (!document.hasLivingRenderTree() || document.activeDOMObjectsAreStopped() || element.isSuspended() || !element.hasAudio() || !element.hasVideo())
return false;
// Elements which have not yet been laid out, or which are not yet in the DOM, cannot be main content.
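Review bot: The two document-state checks added at the front of the early-exit condition carry no comment saying what they guard against, and the identical pair appears again in VideoFullscreenManager.mm in this commit; the reason (bail out during document destruction, per the ChangeLog) is only recoverable from the commit message. Suggested comment above the `if`: `// A document being torn down (no render tree, active DOM objects stopped) must not have its layout updated below.` Splitting the document-state checks into their own `if (...) return false;` ahead of the element checks would also keep the line readable. The function's body continues past this hunk.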
@@ -715,7 +715,7 @@
return false;
// Main content elements must be in the main frame.
- if (!document.frame() || !document.frame()->isMainFrame() || !document.isSafeToUpdateStyleOrLayout())
+ if (!document.frame() || !document.frame()->isMainFrame())
return false;
MainFrame& mainFrame = document.frame()->mainFrame();
Modified: branches/safari-605-branch/Source/WebKit/ChangeLog (228170 => 228171)
--- branches/safari-605-branch/Source/WebKit/ChangeLog 2018-02-06 15:16:44 UTC (rev 228170)
+++ branches/safari-605-branch/Source/WebKit/ChangeLog 2018-02-06 15:16:48 UTC (rev 228171)
@@ -1,5 +1,23 @@
2018-02-06 Jason Marcell <jmarc...@apple.com>
+ Cherry-pick r228151. rdar://problem/37264535
+
+ 2018-02-05 Ryosuke Niwa <rn...@webkit.org>
+
+ Release assertion in inlineVideoFrame
+ https://bugs.webkit.org/show_bug.cgi?id=182513
+ <rdar://problem/37159363>
+
+ Reviewed by Zalan Bujtas.
+
+ Fixed the bug. Don't try to update the layout when there is no live render tree or active DOM objects
+ had been stopped: i.e. during a document destruction.
+
+ * WebProcess/cocoa/VideoFullscreenManager.mm:
+ (WebKit::inlineVideoFrame):
+
+2018-02-06 Jason Marcell <jmarc...@apple.com>
+
Cherry-pick r228137. rdar://problem/37264553
2018-02-05 Youenn Fablet <you...@apple.com>
Modified: branches/safari-605-branch/Source/WebKit/WebProcess/cocoa/VideoFullscreenManager.mm (228170 => 228171)
--- branches/safari-605-branch/Source/WebKit/WebProcess/cocoa/VideoFullscreenManager.mm 2018-02-06 15:16:44 UTC (rev 228170)
+++ branches/safari-605-branch/Source/WebKit/WebProcess/cocoa/VideoFullscreenManager.mm 2018-02-06 15:16:48 UTC (rev 228171)
@@ -59,7 +59,7 @@
static IntRect inlineVideoFrame(HTMLVideoElement& element)
{
auto& document = element.document();
- if (!document.isSafeToUpdateStyleOrLayout())
+ if (!document.hasLivingRenderTree() || document.activeDOMObjectsAreStopped())
return { };
document.updateLayoutIgnorePendingStylesheets();
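Review bot: The new guard inspects only `element.document()`, yet the WebCore ChangeLog in this commit describes the failing case as a video element in a frame-flattened child document whose top-level document was not safe to update; from this hunk alone it is not evident that a live render tree and running DOM objects on the child document imply the parent frame can be laid out. If the crash is in fact confined to document teardown, a comment should say so, e.g. `// Bail out during document destruction: updateLayout would otherwise hit a release assertion.`; otherwise consider also checking the main frame's document before the call. `inlineVideoFrame` continues beyond this hunk.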