Title: [243263] trunk/Source/WebCore
Revision
243263
Author
grao...@webkit.org
Date
2019-03-20 17:14:04 -0700 (Wed, 20 Mar 2019)

Log Message

DumpRenderTree crashes under WebAnimation::isRelevant when running imported/mozilla/css-transitions/test_document-get-animations.html in GuardMalloc
https://bugs.webkit.org/show_bug.cgi?id=196028
<rdar://problem/46842707>

Reviewed by Dean Jackson.

Instead of keeping a ListHashSet of raw pointers, we are now using a Vector of WeakPtrs.

* animation/AnimationTimeline.cpp:
(WebCore::AnimationTimeline::forgetAnimation):
(WebCore::AnimationTimeline::animationTimingDidChange):
(WebCore::AnimationTimeline::cancelDeclarativeAnimation):
* animation/AnimationTimeline.h:
* animation/DocumentTimeline.cpp:
(WebCore::DocumentTimeline::getAnimations const):

Modified Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (243262 => 243263)


--- trunk/Source/WebCore/ChangeLog	2019-03-21 00:07:37 UTC (rev 243262)
+++ trunk/Source/WebCore/ChangeLog	2019-03-21 00:14:04 UTC (rev 243263)
@@ -1,3 +1,21 @@
+2019-03-20  Antoine Quint  <grao...@apple.com>
+
+        DumpRenderTree crashes under WebAnimation::isRelevant when running imported/mozilla/css-transitions/test_document-get-animations.html in GuardMalloc
+        https://bugs.webkit.org/show_bug.cgi?id=196028
+        <rdar://problem/46842707>
+
+        Reviewed by Dean Jackson.
+
+        Instead of keeping a ListHashSet of raw pointers, we are now using a Vector of WeakPtrs.
+
+        * animation/AnimationTimeline.cpp:
+        (WebCore::AnimationTimeline::forgetAnimation):
+        (WebCore::AnimationTimeline::animationTimingDidChange):
+        (WebCore::AnimationTimeline::cancelDeclarativeAnimation):
+        * animation/AnimationTimeline.h:
+        * animation/DocumentTimeline.cpp:
+        (WebCore::DocumentTimeline::getAnimations const):
+
 2019-03-20  Said Abou-Hallawa  <sabouhall...@apple.com>
 
         Remove the SVG tear off objects for SVGColorAnimator

Modified: trunk/Source/WebCore/animation/AnimationTimeline.cpp (243262 => 243263)


--- trunk/Source/WebCore/animation/AnimationTimeline.cpp	2019-03-21 00:07:37 UTC (rev 243262)
+++ trunk/Source/WebCore/animation/AnimationTimeline.cpp	2019-03-21 00:14:04 UTC (rev 243263)
@@ -56,13 +56,13 @@
 
 void AnimationTimeline::forgetAnimation(WebAnimation* animation)
 {
-    m_allAnimations.remove(animation);
+    m_allAnimations.removeFirst(animation);
 }
 
 void AnimationTimeline::animationTimingDidChange(WebAnimation& animation)
 {
     if (m_animations.add(&animation)) {
-        m_allAnimations.add(&animation);
+        m_allAnimations.append(makeWeakPtr(&animation));
         auto* timeline = animation.timeline();
         if (timeline && timeline != this)
             timeline->removeAnimation(animation);
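Review bot: `m_allAnimations.append(makeWeakPtr(&animation))` can record the same animation twice, because a Vector does not de-duplicate the way the previous ListHashSet did. The append is gated only on `m_animations.add(&animation)` succeeding, so if an animation can leave `m_animations` and later re-enter while its entry is still in `m_allAnimations` (not visible in this hunk), a second entry is added, and `removeFirst` in `forgetAnimation` and in `cancelDeclarativeAnimation` (the `@@ -492,7` hunk) would then drop only one of them. Guarding the append with `if (!m_allAnimations.contains(&animation))`, which relies on the same WeakPtr-to-pointer comparison `removeFirst` already uses, or switching both removal sites to `removeAll`, keeps the old set semantics. The body of `animationTimingDidChange` continues past the end of the hunk.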
@@ -492,7 +492,7 @@
 {
     animation.cancelFromStyle();
     removeAnimation(animation);
-    m_allAnimations.remove(&animation);
+    m_allAnimations.removeFirst(&animation);
 }
 
 } // namespace WebCore

Modified: trunk/Source/WebCore/animation/AnimationTimeline.h (243262 => 243263)


--- trunk/Source/WebCore/animation/AnimationTimeline.h	2019-03-21 00:07:37 UTC (rev 243262)
+++ trunk/Source/WebCore/animation/AnimationTimeline.h	2019-03-21 00:14:04 UTC (rev 243263)
@@ -77,7 +77,7 @@
 protected:
     explicit AnimationTimeline();
 
-    ListHashSet<WebAnimation*> m_allAnimations;
+    Vector<WeakPtr<WebAnimation>> m_allAnimations;
     ListHashSet<RefPtr<WebAnimation>> m_animations;
     HashMap<Element*, PropertyToTransitionMap> m_elementToCompletedCSSTransitionByCSSPropertyID;
 
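Review bot: The new declaration of `m_allAnimations` carries no comment saying that its entries are non-owning and can become null, which is the property every reader of the list now has to respect. A one-line comment above the member would do, for example `// Non-owning: an entry reads as null once its animation is destroyed, so check it before dereferencing.` It is also worth noting there that, unlike `m_animations` on the next line, this container no longer enforces uniqueness.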

Modified: trunk/Source/WebCore/animation/DocumentTimeline.cpp (243262 => 243263)


--- trunk/Source/WebCore/animation/DocumentTimeline.cpp	2019-03-21 00:07:37 UTC (rev 243262)
+++ trunk/Source/WebCore/animation/DocumentTimeline.cpp	2019-03-21 00:14:04 UTC (rev 243263)
@@ -132,7 +132,7 @@
 
     // First, let's get all qualifying animations in their right group.
     for (const auto& animation : m_allAnimations) {
-        if (!animation->isRelevant() || animation->timeline() != this || !is<KeyframeEffect>(animation->effect()))
+        if (!animation || !animation->isRelevant() || animation->timeline() != this || !is<KeyframeEffect>(animation->effect()))
             continue;
 
         auto* target = downcast<KeyframeEffect>(animation->effect())->target();
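Review bot: The added `!animation` test skips entries whose animation has been destroyed, but nothing visible in this commit removes those dead entries from `m_allAnimations`, so the vector can only grow if animations die without `forgetAnimation` reaching this timeline. `getAnimations` is const and cannot prune here; a mutating path such as `animationTimingDidChange` could drop them with `m_allAnimations.removeAllMatching([] (auto& animation) { return !animation; });`. Whether such entries occur in practice depends on code outside this page, but the GuardMalloc crash this commit fixes suggests they do. The loop body continues into the next hunk.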
@@ -139,12 +139,12 @@
         if (!target || !target->isDescendantOf(*m_document))
             continue;
 
-        if (is<CSSTransition>(animation) && downcast<CSSTransition>(animation)->owningElement())
-            cssTransitions.append(animation);
-        else if (is<CSSAnimation>(animation) && downcast<CSSAnimation>(animation)->owningElement())
-            cssAnimations.append(animation);
+        if (is<CSSTransition>(animation.get()) && downcast<CSSTransition>(animation.get())->owningElement())
+            cssTransitions.append(animation.get());
+        else if (is<CSSAnimation>(animation.get()) && downcast<CSSAnimation>(animation.get())->owningElement())
+            cssAnimations.append(animation.get());
         else
-            webAnimations.append(animation);
+            webAnimations.append(animation.get());
     }
 
     // Now sort CSS Transitions by their composite order.
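Review bot: `animation.get()` is repeated five times in this branch chain, and each use dereferences a weak reference whose liveness was checked only once, at the top of the loop in the previous hunk. Binding the pointer once makes the code shorter and makes the single check obviously cover every use: `for (const auto& weakAnimation : m_allAnimations) {` followed by `auto* animation = weakAnimation.get();`, after which the `is<>`/`downcast<>` and `append(animation)` lines can stay as they were before this change. If any call between the check and these appends (for example `isRelevant()` or `isDescendantOf()`) could release the last reference, holding a `RefPtr<WebAnimation>` for the iteration would be the safer form; that cannot be determined from this hunk. The enclosing function starts and ends outside the hunk.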