Merge r229505 - Turn off offset*/scroll* optimization for input eleme…

…nts with shadow content

https://bugs.webkit.org/show_bug.cgi?id=182383
<rdar://problem/37114190>

Reviewed by Antti Koivisto.

Source/WebCore:

We normally ensure clean tree before calling offsetHeight/Width, scrollHeight/Width.
In certain cases (see updateLayoutIfDimensionsOutOfDate() for details), it's okay to return
the previously computed values even when some part of the tree is dirty.
In case of shadow content, updateLayoutIfDimensionsOutOfDate() might return false (no need to layout)
for the root, while true (needs layout) for the shadow content.
This could confuse the caller (Element::scrollWidth/Height etc) and lead to incorrect result.

Test: fast/forms/scrollheight-with-mutation-crash.html

* dom/Document.cpp:
(WebCore::Document::updateLayoutIfDimensionsOutOfDate):

LayoutTests:

* fast/forms/scrollheight-with-mutation-crash-expected.txt: Added.
* fast/forms/scrollheight-with-mutation-crash.html: Added.

LayoutTests/ChangeLog

@@ -1,3 +1,14 @@
+2018-03-09  Zalan Bujtas  <zalan@apple.com>
+
+        Turn off offset*/scroll* optimization for input elements with shadow content
+        https://bugs.webkit.org/show_bug.cgi?id=182383
+        <rdar://problem/37114190>
+
+        Reviewed by Antti Koivisto.
+
+        * fast/forms/scrollheight-with-mutation-crash-expected.txt: Added.
+        * fast/forms/scrollheight-with-mutation-crash.html: Added.
+
 2018-04-10  Wenson Hsieh  <wenson_hsieh@apple.com>
 
         FrameSelection::appearanceUpdateTimerFired should be robust against layout passes underneath it

LayoutTests/fast/forms/scrollheight-with-mutation-crash-expected.txt

@@ -0,0 +1 @@
+PASS if no crash.  

LayoutTests/fast/forms/scrollheight-with-mutation-crash.html

@@ -0,0 +1,20 @@
+<style>
+input:enabled { 
+    content: url(#foo);
+    width: 10vmin;
+}
+
+keygen {
+    -webkit-transform: scale(12, 125);
+}
+</style>
+PASS if no crash.
+<keygen id=keygen>
+<input id=input type="search">
+<script>
+if (window.testRunner)
+    testRunner.dumpAsText();
+document.body.offsetHeight;
+keygen.remove();
+input.scrollHeight;
+</script>

Source/WebCore/ChangeLog

@@ -1,3 +1,23 @@
+2018-03-09  Zalan Bujtas  <zalan@apple.com>
+
+        Turn off offset*/scroll* optimization for input elements with shadow content
+        https://bugs.webkit.org/show_bug.cgi?id=182383
+        <rdar://problem/37114190>
+
+        Reviewed by Antti Koivisto.
+
+        We normally ensure clean tree before calling offsetHeight/Width, scrollHeight/Width.
+        In certain cases (see updateLayoutIfDimensionsOutOfDate() for details), it's okay to return
+        the previously computed values even when some part of the tree is dirty.
+        In case of shadow content, updateLayoutIfDimensionsOutOfDate() might return false (no need to layout)
+        for the root, while true (needs layout) for the shadow content.
+        This could confuse the caller (Element::scrollWidth/Height etc) and lead to incorrect result.
+
+        Test: fast/forms/scrollheight-with-mutation-crash.html
+
+        * dom/Document.cpp:
+        (WebCore::Document::updateLayoutIfDimensionsOutOfDate):
+
 2018-04-17  Michael Catanzaro  <mcatanzaro@igalia.com>
 
         [GTK] Webkit should spoof as Safari on a Mac for Outlook.com

Source/WebCore/dom/Document.cpp

@@ -2078,6 +2078,10 @@ bool Document::updateLayoutIfDimensionsOutOfDate(Element& element, DimensionsChe
         requireFullLayout = true;
     }
 
+    // Turn off this optimization for input elements with shadow content.
+    if (is<HTMLInputElement>(element))
+        requireFullLayout = true;
+
     bool isVertical = renderer && !renderer->isHorizontalWritingMode();
     bool checkingLogicalWidth = ((dimensionsCheck & WidthDimensionsCheck) && !isVertical) || ((dimensionsCheck & HeightDimensionsCheck) && isVertical);
     bool checkingLogicalHeight = ((dimensionsCheck & HeightDimensionsCheck) && !isVertical) || ((dimensionsCheck & WidthDimensionsCheck) && isVertical);