Title: [272794] trunk
Revision: 272794
Author: commit-qu...@webkit.org
Date: 2021-02-12 11:08:28 -0800 (Fri, 12 Feb 2021)
Log Message

Crash in WebCore::RenderThemeMac::paintSearchFieldResultsDecorationPart() from large scale
https://bugs.webkit.org/show_bug.cgi?id=221635

Patch by Julian Gonzalez <julian_a_gonza...@apple.com> on 2021-02-12
Reviewed by Darin Adler.

Source/WebCore:

Test: platform/mac/editing/style/large-scale-crash.html

paintSearchFieldResultsDecorationPart(), unlike other functions like
paintSearchField(), paintSearchFieldCancelButton(), etc. has been
calling [NSButton:drawWithFrame:inView] directly. When a very large
scale has been applied however, this can lead to an assertion below us.
First draw the cell to an ImageBuffer using
paintCellAndSetFocusedElementNeedsRepaintIfNecessary(), as other
functions are already doing (as of 213352).
Thanks to Aditya Keerthi for pointing out this difference
and help with the fix.

* rendering/RenderThemeMac.mm:
(WebCore::RenderThemeMac::paintSearchFieldResultsDecorationPart):

LayoutTests:

Add a test with a very large value of scale that tests that
we do not trigger the assertion here.
Thanks to Ryosuke Niwa for help in cleaning up the test
and making it more reliable.

* fast/rendering/searchfield-scale-crash-expected.txt: Added.
* fast/rendering/searchfield-scale-crash.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (272793 => 272794)
--- trunk/LayoutTests/ChangeLog 2021-02-12 19:05:48 UTC (rev 272793)
+++ trunk/LayoutTests/ChangeLog 2021-02-12 19:08:28 UTC (rev 272794)
@@ -1,3 +1,18 @@
+2021-02-12 Julian Gonzalez <julian_a_gonza...@apple.com>
+
+ Crash in WebCore::RenderThemeMac::paintSearchFieldResultsDecorationPart() from large scale
+ https://bugs.webkit.org/show_bug.cgi?id=221635
+
+ Reviewed by Darin Adler.
+
+ Add a test with a very large value of scale that tests that
+ we do not trigger the assertion here.
+ Thanks to Ryosuke Niwa for help in cleaning up the test
+ and making it more reliable.
+
+ * fast/rendering/searchfield-scale-crash-expected.txt: Added.
+ * fast/rendering/searchfield-scale-crash.html: Added.
+
2021-02-12 Robert Jenner <jen...@apple.com>
[ macOS wk2 ] webgpu/whlsl/do-while-loop-break.html is a flaky failure
Added: trunk/LayoutTests/fast/rendering/searchfield-scale-crash-expected.txt (0 => 272794)
--- trunk/LayoutTests/fast/rendering/searchfield-scale-crash-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/rendering/searchfield-scale-crash-expected.txt 2021-02-12 19:08:28 UTC (rev 272794)
@@ -0,0 +1 @@
+This tests that we do not hit an assertion while rendering the page. PASS
Added: trunk/LayoutTests/fast/rendering/searchfield-scale-crash.html (0 => 272794)
--- trunk/LayoutTests/fast/rendering/searchfield-scale-crash.html (rev 0)
+++ trunk/LayoutTests/fast/rendering/searchfield-scale-crash.html 2021-02-12 19:08:28 UTC (rev 272794)
@@ -0,0 +1,32 @@
+<html>
+<head>
+<style>
+html,head,style {
+ -webkit-appearance: searchfield-results-decoration;
+ transform: scale(100);
+ writing-mode: vertical-rl;
+}
+</style>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+}
+
+_onload_ = () => {
+ document.styleSheets[0].insertRule(`* { all: initial; }`);
+ requestAnimationFrame(() => {
+ setTimeout(() => {
+ document.querySelector('style').remove();
+ if (window.testRunner)
+ testRunner.notifyDone();
+ }, 0);
+ });
+};
+</script>
+</head>
+<body>
+This tests that we do not hit an assertion while rendering the page.
+PASS
+</body>
+</html>
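Review bot: The load handler in the script block is assigned to "_onload_" rather than "onload", so as written nothing invokes it; after testRunner.waitUntilDone() the test would never reach testRunner.notifyDone() and would time out. The line should read "onload = () => {". A short comment saying why scale(100), writing-mode: vertical-rl and the inserted "* { all: initial; }" rule are each needed would also help whoever has to keep this test meaningful later.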
Modified: trunk/Source/WebCore/ChangeLog (272793 => 272794)
--- trunk/Source/WebCore/ChangeLog 2021-02-12 19:05:48 UTC (rev 272793)
+++ trunk/Source/WebCore/ChangeLog 2021-02-12 19:08:28 UTC (rev 272794)
@@ -1,3 +1,25 @@
+2021-02-12 Julian Gonzalez <julian_a_gonza...@apple.com>
+
+ Crash in WebCore::RenderThemeMac::paintSearchFieldResultsDecorationPart() from large scale
+ https://bugs.webkit.org/show_bug.cgi?id=221635
+
+ Reviewed by Darin Adler.
+
+ Test: platform/mac/editing/style/large-scale-crash.html
+
+ paintSearchFieldResultsDecorationPart(), unlike other functions like
+ paintSearchField(), paintSearchFieldCancelButton(), etc. has been
+ calling [NSButton:drawWithFrame:inView] directly. When a very large
+ scale has been applied however, this can lead to an assertion below us.
+ First draw the cell to an ImageBuffer using
+ paintCellAndSetFocusedElementNeedsRepaintIfNecessary(), as other
+ functions are already doing (as of 213352).
+ Thanks to Aditya Keerthi for pointing out this difference
+ and help with the fix.
+
+ * rendering/RenderThemeMac.mm:
+ (WebCore::RenderThemeMac::paintSearchFieldResultsDecorationPart):
+
2021-02-12 Stephan Szabo <stephan.sz...@sony.com>
[WinCairo][Debug] Build fix after r272772
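Review bot: The "Test:" line in this entry names platform/mac/editing/style/large-scale-crash.html, but the test added by this revision is fast/rendering/searchfield-scale-crash.html, as the LayoutTests ChangeLog entry records. Point the "Test:" line at the file that actually lands. If "as of 213352" refers to a revision, writing it as r213352 would make that recognizable.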
Modified: trunk/Source/WebCore/rendering/RenderThemeMac.mm (272793 => 272794)
--- trunk/Source/WebCore/rendering/RenderThemeMac.mm 2021-02-12 19:05:48 UTC (rev 272793)
+++ trunk/Source/WebCore/rendering/RenderThemeMac.mm 2021-02-12 19:08:28 UTC (rev 272794)
@@ -2062,7 +2062,7 @@
FloatPoint paintingPos = convertToPaintingPosition(inputBox, box, localBounds.location(), r.location());
localBounds.setLocation(paintingPos);
- [[search searchButtonCell] drawWithFrame:localBounds inView:documentViewFor(box)];
+ paintCellAndSetFocusedElementNeedsRepaintIfNecessary([search searchButtonCell], inputBox, paintInfo, localBounds);
[[search searchButtonCell] setControlView:nil];
return false;
}
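Review bot: The new call passes inputBox as the renderer, while the removed drawWithFrame: line took its view from documentViewFor(box); please confirm that inputBox is the renderer the helper should act on, given that localBounds was just positioned via convertToPaintingPosition(inputBox, box, ...). A one-line comment above the call saying that the cell is drawn through the helper rather than with drawWithFrame: directly because of large scales would keep a later cleanup from switching it back.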