ancestorOverflowLayer should not cross frame boundaries.

ancestorOverflowLayer should not cross frame boundaries.

First off, we don't want sticky on the document to have any effect. Secondly,
there seems to be no chain from the child frame's root PaintLayer to the parent
which means that we do not correctly clean up ancestorOverflowLayers when
layers in the parent are removed.

BUG=679170
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2

Review-Url: https://codereview.chromium.org/2644633003
Cr-Commit-Position: refs/heads/master@{#444824}
Committed: https://chromium.googlesource.com/chromium/src/+/a10ba600a7ad192660ded5dbe0ef94a559724452

[flackr, 2017-01-18 22:50:23]

Description was changed from

==========
ancestorOverflowLayer should not cross frame boundaries.

First off, we don't want sticky on the document to have any effect. Secondly,
there seems to be no chain from the child frame's root PaintLayer to the parent
which means that we do not correctly clean up ancestorOverflowLayers when
layers in the parent are removed.

BUG=679170
==========

to

==========
ancestorOverflowLayer should not cross frame boundaries.

First off, we don't want sticky on the document to have any effect. Secondly,
there seems to be no chain from the child frame's root PaintLayer to the parent
which means that we do not correctly clean up ancestorOverflowLayers when
layers in the parent are removed.

BUG=679170
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2
==========

[flackr, 2017-01-18 22:52:41]

flackr@chromium.org changed reviewers:
+ pdr@chromium.org

[flackr, 2017-01-18 22:52:42]

I found the cause of this crash. PrePaintTreeWalk::walk propagates the
ancestorOverflowLayer from the parent frame into the child frame however there
does not seem to be a PaintLayer chain between them which means it is never
properly cleaned up when the parent layer is removed.

[pdr., 2017-01-19 03:34:03]

pdr@chromium.org changed reviewers:
+ chrishtr@chromium.org

[pdr., 2017-01-19 03:34:03]

https://codereview.chromium.org/2644633003/diff/1/third_party/WebKit/Source/c...
File third_party/WebKit/Source/core/paint/PrePaintTreeWalk.cpp (right):

https://codereview.chromium.org/2644633003/diff/1/third_party/WebKit/Source/c...
third_party/WebKit/Source/core/paint/PrePaintTreeWalk.cpp:56: //
ancestorOverflowLayer does not cross frame boundaries.
Nice find, I think you are correct.

Can we just set ancestorOverflowPaintLayer to nullptr here?

Also, does this mean we can remove the isRootLayer() check in
updateAuxiliaryObjectProperties?

[flackr, 2017-01-19 13:45:36]

https://codereview.chromium.org/2644633003/diff/1/third_party/WebKit/Source/c...
File third_party/WebKit/Source/core/paint/PrePaintTreeWalk.cpp (right):

https://codereview.chromium.org/2644633003/diff/1/third_party/WebKit/Source/c...
third_party/WebKit/Source/core/paint/PrePaintTreeWalk.cpp:56: //
ancestorOverflowLayer does not cross frame boundaries.
On 2017/01/19 03:34:03, pdr. wrote:
> Nice find, I think you are correct.
> 
> Can we just set ancestorOverflowPaintLayer to nullptr here?

Yes.
> 
> Also, does this mean we can remove the isRootLayer() check in
> updateAuxiliaryObjectProperties?

Ah sorry, I missed that we had this, we still need to keep this if we set
ancestorOverflowPaintLayer to nullptr here since the root layer doesn't have an
overflow clip but does need to be the ancestor overflow layer to its
descendants.

[pdr., 2017-01-19 17:42:59]

LGTM

[flackr, 2017-01-19 18:12:27]

The CQ bit was checked by flackr@chromium.org

[commit-bot: I haz the power, 2017-01-19 18:12:59]

CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-01-19 19:59:42]

CQ is committing da patch.

Bot data: {"patchset_id": 20001, "attempt_start_ts": 1484849547053450,
"parent_rev": "191d9a603c5b154dcf3ba8efeeb632cd80c4e411", "commit_rev":
"a10ba600a7ad192660ded5dbe0ef94a559724452"}

[commit-bot: I haz the power, 2017-01-19 20:00:37]

Description was changed from

==========
ancestorOverflowLayer should not cross frame boundaries.

First off, we don't want sticky on the document to have any effect. Secondly,
there seems to be no chain from the child frame's root PaintLayer to the parent
which means that we do not correctly clean up ancestorOverflowLayers when
layers in the parent are removed.

BUG=679170
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2
==========

to

==========
ancestorOverflowLayer should not cross frame boundaries.

First off, we don't want sticky on the document to have any effect. Secondly,
there seems to be no chain from the child frame's root PaintLayer to the parent
which means that we do not correctly clean up ancestorOverflowLayers when
layers in the parent are removed.

BUG=679170
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2

Review-Url: https://codereview.chromium.org/2644633003
Cr-Commit-Position: refs/heads/master@{#444824}
Committed:
https://chromium.googlesource.com/chromium/src/+/a10ba600a7ad192660ded5dbe0ef...
==========

[commit-bot: I haz the power, 2017-01-19 20:00:38]

Committed patchset #2 (id:20001) as
https://chromium.googlesource.com/chromium/src/+/a10ba600a7ad192660ded5dbe0ef...