The scroll state collection loop in record_display_list_and_scroll_state() called paintable() on hosted documents, which asserts layout is up to date. This crashes when a nested document has stale layout but a cached display list, e.g. a render-blocked iframe whose DOM was modified by document.open(). Since scroll offsets are independent of layout freshness, use unsafe_paintable() to skip the assertion.
<!DOCTYPE html>
|
|
<html class="test-wait">
|
|
<body style="height: 2000px">
|
|
<iframe id="frame"></iframe>
|
|
<script>
|
|
function afterPaintAndTask(callback) {
|
|
requestAnimationFrame(() => {
|
|
requestAnimationFrame(() => {
|
|
setTimeout(callback, 0);
|
|
});
|
|
});
|
|
}
|
|
|
|
const frame = document.getElementById("frame");
|
|
frame.srcdoc = "<body><p>Content</p></body>";
|
|
|
|
frame.onload = () => {
|
|
frame.contentDocument.body.offsetHeight;
|
|
|
|
afterPaintAndTask(() => {
|
|
frame.contentDocument.open();
|
|
|
|
// Scroll the viewport so the parent needs repaint without invalidating its cached display list.
|
|
window.scrollTo(0, 1);
|
|
|
|
afterPaintAndTask(() => {
|
|
frame.contentDocument.write("<body></body>");
|
|
frame.contentDocument.close();
|
|
document.documentElement.classList.remove("test-wait");
|
|
});
|
|
});
|
|
};
|
|
</script>
|
|
</body>
|
|
</html>
|
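Review bot: The bare `frame.contentDocument.body.offsetHeight;` read inside `frame.onload` has no comment, so a reader cannot tell that it is deliberate; a one-line comment such as `// Force layout of the iframe document so it has an up-to-date paintable before document.open() leaves it stale.` would make the setup step explicit. The test also has no assertion and passes only by not crashing, which the file never states; a comment at the top of the script, e.g. `// Regression test: must not crash while collecting scroll state for a nested document whose layout is stale but whose display list is cached.`, would document the pass condition. The two-rAF-plus-setTimeout helper `afterPaintAndTask` encodes a timing assumption about when paint has happened and deserves a short note explaining it, since the test presumably depends on the parent's display list being cached when `document.open()` runs. The C++ change the description refers to (`unsafe_paintable()` in `record_display_list_and_scroll_state()`) is not part of this page, so I cannot confirm the test exercises exactly that path.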