Branch: refs/heads/webkitglib/2.40
Home: https://github.com/WebKit/WebKit
Commit: 5224503460cdae8668c38ab410016469e9dd6a5d
https://github.com/WebKit/WebKit/commit/5224503460cdae8668c38ab410016469e9dd6a5d
Author: Simon Fraser <[email protected]>
Date: 2023-05-03 (Wed, 03 May 2023)
Changed paths:
A LayoutTests/scrollingcoordinator/scrolling-tree/scroller-with-proxy-nodes-loses-layer-expected.txt
A LayoutTests/scrollingcoordinator/scrolling-tree/scroller-with-proxy-nodes-loses-layer.html
M Source/WebCore/rendering/LayerAncestorClippingStack.cpp
M Source/WebCore/rendering/RenderLayerBacking.cpp
Log Message:
-----------
Cherry-pick 263590@main (77bb4783cf75).
https://bugs.webkit.org/show_bug.cgi?id=256195
WebContent crash: Invalid message dispatched virtual void WebKit::RemoteScrollingCoordinatorProxyIOS::establishLayerTreeScrollingRelations(const RemoteLayerTreeHost &)
https://bugs.webkit.org/show_bug.cgi?id=256195
rdar://108204370
Reviewed by Tim Horton.
262413@main added two MESSAGE_CHECK() in RemoteScrollingCoordinatorProxyIOS::establishLayerTreeScrollingRelations() that fire when the UI process receives a scrolling tree with invalid cross-references; ScrollingTreePositionedNodes or ScrollingTreeOverflowScrollProxyNodes with invalid references to overflow scrolling nodes.
Sites triggering this MESSAGE_CHECK() all hit a pattern where an `overflow:scroll` element became non-scrollable, but we failed to clean up ScrollingTreeOverflowScrollProxyNodes that referenced this overflow scroll. ScrollingTreeOverflowScrollProxyNodes are created when the overflow scroller has non paint-order descendants (typically positioned) which need to move when the scroller scrolls; each of these has a LayerAncestorClippingStack which tracks the layers and scrolling tree nodes for non paint-order ancestors that affect the given layer.
The bug was that we'd clear the LayerAncestorClippingStack without unregistering the ScrollingTreeOverflowScrollProxyNodes that it referenced, so when RenderLayerBacking::updateAncestorClipping() is removing the m_ancestorClippingStack, call LayerAncestorClippingStack::clear() to unregister those nodes.
Also have LayerAncestorClippingStack::clear() unparent the scrolling layer as well as the clipping layer.
* LayoutTests/scrollingcoordinator/scrolling-tree/scroller-with-proxy-nodes-loses-layer-expected.txt: Added.
* LayoutTests/scrollingcoordinator/scrolling-tree/scroller-with-proxy-nodes-loses-layer.html: Added.
* Source/WebCore/rendering/LayerAncestorClippingStack.cpp:
(WebCore::LayerAncestorClippingStack::clear):
* Source/WebCore/rendering/RenderLayerBacking.cpp:
(WebCore::RenderLayerBacking::updateAncestorClipping):
Canonical link: https://commits.webkit.org/263590@main
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
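
A simplified model of the lifecycle bug described in the log message above, added here as an illustration: it is not WebKit code, and every type and function name in it is hypothetical. It shows a receiver-side cross-reference check failing when a clipping stack drops its entries without unregistering the proxy nodes, and passing once clear() unregisters them.

```cpp
// Simplified model, not WebKit source; all names here are hypothetical.
#include <cstdint>
#include <map>
#include <vector>

using NodeID = std::uint64_t;
enum class NodeType { OverflowScroll, OverflowScrollProxy };
struct Node {
    NodeType type;
    NodeID overflowScrollNode; // target of a proxy node; 0 for other nodes
};

// Stand-in for the scrolling tree one process sends to the other.
struct ScrollingTree {
    std::map<NodeID, Node> nodes;
    void attach(NodeID id, Node node) { nodes[id] = node; }
    void detach(NodeID id) { nodes.erase(id); }
};

// Stand-in for a per-layer clipping stack that tracks the proxy nodes it created.
struct ClippingStack {
    std::vector<NodeID> proxyNodes;
    // Pre-fix pattern: entries are dropped, the nodes stay registered in the tree.
    void dropEntriesOnly() { proxyNodes.clear(); }
    // Post-fix pattern: unregister each referenced proxy node, then drop the entries.
    void clear(ScrollingTree& tree) {
        for (NodeID id : proxyNodes)
            tree.detach(id);
        proxyNodes.clear();
    }
};

// Receiver-side validation: every proxy must reference a live overflow scroll node.
bool crossReferencesAreValid(const ScrollingTree& tree) {
    for (const auto& entry : tree.nodes) {
        if (entry.second.type != NodeType::OverflowScrollProxy)
            continue;
        auto target = tree.nodes.find(entry.second.overflowScrollNode);
        if (target == tree.nodes.end() || target->second.type != NodeType::OverflowScroll)
            return false;
    }
    return true;
}

// Constructed scenario: a scroller with one proxy node stops being scrollable.
bool treeValidAfterScrollerRemoved(bool unregisterProxies) {
    ScrollingTree tree;
    ClippingStack stack;
    tree.attach(1, { NodeType::OverflowScroll, 0 });
    tree.attach(2, { NodeType::OverflowScrollProxy, 1 });
    stack.proxyNodes.push_back(2);
    tree.detach(1); // the overflow scroll node goes away
    if (unregisterProxies) stack.clear(tree); else stack.dropEntriesOnly();
    return crossReferencesAreValid(tree);
}
```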