Bug 1536892 - Check a frame does maintain overflow before adding to OverflowChangedTracker. r=longsonr CLOSED TREE
authorviolet <violet.bugreport@gmail.com>
Tue, 19 Mar 2019 20:33:36 +0100
changeset 465383 94b858d366031724359dee96d3594349defe7806
parent 465382 747a5da93708d6ad12832272d794b21d825a4bb9
child 465403 b5c29835be635ba6e15af8eed918f4dbdd222c3c
push id81046
push userarchaeopteryx@coole-files.de
push dateThu, 21 Mar 2019 10:48:31 +0000
treeherderautoland@94b858d36603 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerslongsonr
bugs1536892
milestone68.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1536892 - Check a frame does maintain overflow before adding to OverflowChangedTracker. r=longsonr CLOSED TREE Differential Revision: https://phabricator.services.mozilla.com/D24305
layout/base/OverflowChangedTracker.h
layout/svg/crashtests/1536892.html
layout/svg/crashtests/crashtests.list
--- a/layout/base/OverflowChangedTracker.h
+++ b/layout/base/OverflowChangedTracker.h
@@ -47,16 +47,19 @@ class OverflowChangedTracker {
    * If there are pre-transform overflow areas stored for this
    * frame, then we will call FinishAndStoreOverflow with those
    * areas instead of UpdateOverflow().
    *
    * If the overflow area changes, then UpdateOverflow will also
    * be called on the parent.
    */
   void AddFrame(nsIFrame* aFrame, ChangeKind aChangeKind) {
+    MOZ_ASSERT(
+        aFrame->FrameMaintainsOverflow(),
+        "Why add a frame that doesn't maintain overflow to the tracker?");
     uint32_t depth = aFrame->GetDepthInFrameTree();
     Entry* entry = nullptr;
     if (!mEntryList.empty()) {
       entry = mEntryList.find(Entry(aFrame, depth));
     }
     if (entry == nullptr) {
       // Add new entry.
       mEntryList.insert(new Entry(aFrame, depth, aChangeKind));
@@ -132,25 +135,30 @@ class OverflowChangedTracker {
       }
 
       // If the frame style changed (e.g. positioning offsets)
       // then we need to update the parent with the overflow areas of its
       // children.
       if (overflowChanged) {
         nsIFrame* parent = frame->GetParent();
         while (parent && parent != mSubtreeRoot &&
+               parent->FrameMaintainsOverflow() &&
                parent->Combines3DTransformWithAncestors()) {
           // Passing frames in between the frame and the establisher of
           // 3D rendering context.
           parent = parent->GetParent();
           MOZ_ASSERT(parent,
                      "Root frame should never return true for "
                      "Combines3DTransformWithAncestors");
         }
-        if (parent && parent != mSubtreeRoot) {
+
+        // It's possible that the parent is already in a nondisplay context,
+        // should not add it to the list if that's true.
+        if (parent && parent != mSubtreeRoot &&
+            parent->FrameMaintainsOverflow()) {
           Entry* parentEntry =
               mEntryList.find(Entry(parent, entry->mDepth - 1));
           if (parentEntry) {
             parentEntry->mChangeKind =
                 std::max(parentEntry->mChangeKind, CHILDREN_CHANGED);
           } else {
             mEntryList.insert(
                 new Entry(parent, entry->mDepth - 1, CHILDREN_CHANGED));
new file mode 100644
--- /dev/null
+++ b/layout/svg/crashtests/1536892.html
@@ -0,0 +1,13 @@
+<style>
+* { -webkit-filter: blur(5px) }
+</style>
+<script>
+function go() {
+  a.setAttribute("text-decoration", "overline")
+}
+</script>
+<body onload=go()>
+<svg id="a">
+<marker>
+<foreignObject>
+<li style="-webkit-box-shadow:8px 0 1px">
--- a/layout/svg/crashtests/crashtests.list
+++ b/layout/svg/crashtests/crashtests.list
@@ -219,8 +219,10 @@ load 1480275.html
 load 1480224.html
 load 1502936.html
 load 1504918.svg
 load perspective-invalidation.html
 load invalid_url.html
 load 1535517-1.svg
 load 1504072.html
 load 1072758.html
+load 1536892.html
+