Title: [208370] trunk
- Revision
- 208370
- Author
- an...@apple.com
- Date
- 2016-11-03 22:08:29 -0700 (Thu, 03 Nov 2016)
Log Message
Source/WebCore:
REGRESSION (r207669): Crash under media controls shadow root construction
https://bugs.webkit.org/show_bug.cgi?id=164381
<rdar://problem/28935401>
Reviewed by Simon Fraser.
The problem is that we are running a script for media control UA shadow tree in HTMLMediaElement::insertedInto.
It is not safe to run scripts in insertedInto as the tree is in inconsistent state. Instead finishedInsertingSubtree
callback should be used.
Test: media/media-controls-shadow-construction-crash.html
Seen on https://www.theguardian.com/artanddesign/video/2013/oct/14/banksy-central-park-new-york-video
* html/HTMLMediaElement.cpp:
(WebCore::HTMLMediaElement::insertedInto):
(WebCore::HTMLMediaElement::finishedInsertingSubtree):
Move configureMediaControls() to finishedInsertingSubtree().
* html/HTMLMediaElement.h:
* style/StyleTreeResolver.cpp:
(WebCore::Style::TreeResolver::resolveComposedTree):
Add an assert to make the bad state easier to hit in tests.
LayoutTests:
REGRESSION (r207669): Crash under SVGRenderSupport::updateMaskedAncestorShouldIsolateBlending
https://bugs.webkit.org/show_bug.cgi?id=164381
<rdar://problem/28935401>
Reviewed by Simon Fraser.
* media/media-controls-shadow-construction-crash-expected.txt: Added.
* media/media-controls-shadow-construction-crash.html: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (208369 => 208370)
--- trunk/LayoutTests/ChangeLog 2016-11-04 05:05:32 UTC (rev 208369)
+++ trunk/LayoutTests/ChangeLog 2016-11-04 05:08:29 UTC (rev 208370)
@@ -1,3 +1,14 @@
+2016-11-03 Antti Koivisto <an...@apple.com>
+
+ REGRESSION (r207669): Crash under SVGRenderSupport::updateMaskedAncestorShouldIsolateBlending
+ https://bugs.webkit.org/show_bug.cgi?id=164381
+ <rdar://problem/28935401>
+
+ Reviewed by Simon Fraser.
+
+ * media/media-controls-shadow-construction-crash-expected.txt: Added.
+ * media/media-controls-shadow-construction-crash.html: Added.
+
2016-11-03 Myles C. Maxfield <mmaxfi...@apple.com>
[WebGL2] Implement getBufferSubData()
Added: trunk/LayoutTests/media/media-controls-shadow-construction-crash-expected.txt (0 => 208370)
--- trunk/LayoutTests/media/media-controls-shadow-construction-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/media/media-controls-shadow-construction-crash-expected.txt 2016-11-04 05:08:29 UTC (rev 208370)
@@ -0,0 +1 @@
+
Added: trunk/LayoutTests/media/media-controls-shadow-construction-crash.html (0 => 208370)
--- trunk/LayoutTests/media/media-controls-shadow-construction-crash.html (rev 0)
+++ trunk/LayoutTests/media/media-controls-shadow-construction-crash.html 2016-11-04 05:08:29 UTC (rev 208370)
@@ -0,0 +1,10 @@
+<body>
+This test passes if it doesn't crash/assert.
+<script>
+if (window.testRunner)
+ testRunner.dumpAsText();
+document.body.innerHTML = `
+ <video controls>
+ <source></source>
+ </video>`;
+</script>
Modified: trunk/Source/WebCore/ChangeLog (208369 => 208370)
--- trunk/Source/WebCore/ChangeLog 2016-11-04 05:05:32 UTC (rev 208369)
+++ trunk/Source/WebCore/ChangeLog 2016-11-04 05:08:29 UTC (rev 208370)
@@ -1,3 +1,31 @@
+2016-11-03 Antti Koivisto <an...@apple.com>
+
+ REGRESSION (r207669): Crash under media controls shadow root construction
+ https://bugs.webkit.org/show_bug.cgi?id=164381
+ <rdar://problem/28935401>
+
+ Reviewed by Simon Fraser.
+
+ The problem is that we are running a script for media control UA shadow tree in HTMLMediaElement::insertedInto.
+ It is not safe to run scripts in insertedInto as the tree is in inconsistent state. Instead finishedInsertingSubtree
+ callback should be used.
+
+ Test: media/media-controls-shadow-construction-crash.html
+
+ Seen on https://www.theguardian.com/artanddesign/video/2013/oct/14/banksy-central-park-new-york-video
+
+ * html/HTMLMediaElement.cpp:
+ (WebCore::HTMLMediaElement::insertedInto):
+ (WebCore::HTMLMediaElement::finishedInsertingSubtree):
+
+ Move configureMediaControls() to finishedInsertingSubtree().
+
+ * html/HTMLMediaElement.h:
+ * style/StyleTreeResolver.cpp:
+ (WebCore::Style::TreeResolver::resolveComposedTree):
+
+ Add an assert to make the bad state easier to hit in tests.
+
2016-11-03 Ryosuke Niwa <rn...@webkit.org>
Add an assertion to diagnose stress GC bots test failures
Modified: trunk/Source/WebCore/html/HTMLMediaElement.cpp (208369 => 208370)
--- trunk/Source/WebCore/html/HTMLMediaElement.cpp 2016-11-04 05:05:32 UTC (rev 208369)
+++ trunk/Source/WebCore/html/HTMLMediaElement.cpp 2016-11-04 05:08:29 UTC (rev 208370)
@@ -807,8 +807,12 @@
m_muted = hasAttributeWithoutSynchronization(mutedAttr);
}
+ return InsertionShouldCallFinishedInsertingSubtree;
+}
+
+void HTMLMediaElement::finishedInsertingSubtree()
+{
configureMediaControls();
- return InsertionDone;
}
void HTMLMediaElement::pauseAfterDetachedTask()
Modified: trunk/Source/WebCore/html/HTMLMediaElement.h (208369 => 208370)
--- trunk/Source/WebCore/html/HTMLMediaElement.h 2016-11-04 05:05:32 UTC (rev 208369)
+++ trunk/Source/WebCore/html/HTMLMediaElement.h 2016-11-04 05:08:29 UTC (rev 208370)
@@ -521,6 +521,7 @@
bool rendererIsNeeded(const RenderStyle&) override;
bool childShouldCreateRenderer(const Node&) const override;
InsertionNotificationRequest insertedInto(ContainerNode&) override;
+ void finishedInsertingSubtree() override;
void removedFrom(ContainerNode&) override;
void didRecalcStyle(Style::Change) override;
Modified: trunk/Source/WebCore/style/StyleTreeResolver.cpp (208369 => 208370)
--- trunk/Source/WebCore/style/StyleTreeResolver.cpp 2016-11-04 05:05:32 UTC (rev 208369)
+++ trunk/Source/WebCore/style/StyleTreeResolver.cpp 2016-11-04 05:08:29 UTC (rev 208370)
@@ -357,6 +357,7 @@
auto& node = *it;
auto& parent = this->parent();
+ ASSERT(node.inDocument());
ASSERT(node.containingShadowRoot() == scope().shadowRoot);
ASSERT(node.parentElement() == parent.element || is<ShadowRoot>(node.parentNode()) || node.parentElement()->shadowRoot());
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
