Title: [94467] branches/chromium/835/Source/WebCore/platform/graphics/chromium/LayerRendererChromium.cpp
Revision
94467
Author
e...@google.com
Date
2011-09-02 17:20:41 -0700 (Fri, 02 Sep 2011)

Log Message

[chromium] Fix crash when compositing is disabled during painting
https://bugs.webkit.org/show_bug.cgi?id=66981

Reviewed by James Robinson.

This fixes a use-after-free and a null pointer deref introduced by r93940.
See also: http://codereview.chromium.org/7739008/

* platform/graphics/chromium/LayerRendererChromium.cpp:
(WebCore::LayerRendererChromium::clearRootCCLayerImpl):
(WebCore::LayerRendererChromium::updateLayers):

Modified Paths

Diff

Modified: branches/chromium/835/Source/WebCore/platform/graphics/chromium/LayerRendererChromium.cpp (94466 => 94467)


--- branches/chromium/835/Source/WebCore/platform/graphics/chromium/LayerRendererChromium.cpp	2011-09-03 00:17:39 UTC (rev 94466)
+++ branches/chromium/835/Source/WebCore/platform/graphics/chromium/LayerRendererChromium.cpp	2011-09-03 00:20:41 UTC (rev 94467)
@@ -198,7 +198,7 @@
 {
     if (m_rootCCLayerImpl)
         clearRenderSurfacesOnCCLayerImplRecursive(m_rootCCLayerImpl.get());
-    m_computedRenderSurfaceLayerList.clear();
+    m_computedRenderSurfaceLayerList = adoptPtr(new LayerList());
     m_rootCCLayerImpl.clear();
 }
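Review bot: The changed line swaps `.clear()` on the OwnPtr for a fresh empty LayerList, so after this call m_computedRenderSurfaceLayerList is non-null-but-empty rather than null, and nothing in the hunk records why that matters; a future cleanup could easily put the `.clear()` back. I would add a comment above the assignment, `// Keep the list allocated: readers dereference it without a null check (regressed in r93940).` The claim that readers skip the null check is inferred from the commit message, not visible here, so confirm it against drawLayers before using that wording. clearRootCCLayerImpl's signature is above the hunk.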
 
@@ -304,8 +304,13 @@
         m_rootCCLayerImpl = TreeSynchronizer::synchronizeTrees(m_rootLayer.get(), m_rootCCLayerImpl.get());
     }
 
-    m_computedRenderSurfaceLayerList = adoptPtr(new LayerList());
-    updateLayers(*m_computedRenderSurfaceLayerList);
+    OwnPtr<LayerList> temporaryLayerList = adoptPtr(new LayerList());
+    updateLayers(*temporaryLayerList);
+
+    if (m_rootLayer)
+        m_computedRenderSurfaceLayerList = temporaryLayerList.release();
+    else
+        m_computedRenderSurfaceLayerList = adoptPtr(new LayerList());
 }
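Review bot: The else branch at the end of the hunk throws away temporaryLayerList without saying why, and that branch is the actual use-after-free fix: if painting inside updateLayers disabled compositing, the CCLayerImpl tree has presumably already been torn down by clearRootCCLayerImpl, so any entries collected into temporaryLayerList would be dangling. A why-comment keeps the next refactor from collapsing it back to an unconditional assignment: `// If painting turned compositing off, the CCLayerImpl tree is gone and temporaryLayerList may hold dangling pointers; start over with an empty list.` The enclosing function starts above the hunk, so whether m_rootLayer can be cleared on other paths between synchronizeTrees and this check is not visible here.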
 
 void LayerRendererChromium::drawLayers()
@@ -381,6 +386,10 @@
         m_rootLayerContentTiler->updateRect(m_rootLayerTextureUpdater.get());
     }
 
+    // Painting could turn off compositing, so check for the root layer.
+    if (!m_rootLayer)
+        return;
+
     m_contentsTextureManager->reduceMemoryToLimit(textureMemoryReclaimLimitBytes);
     updateCompositorResources(renderSurfaceLayerList);
 }
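Review bot: The added early return changes the contract of the renderSurfaceLayerList out-parameter: whatever the code above the return put into it is left in place, so a caller can no longer assume the list is usable when updateLayers returns. The caller in this same commit discards it, but that coupling is undocumented; either state it at the return site, `// renderSurfaceLayerList may hold entries from the torn-down tree; callers must discard it.`, or clear the list before returning if it is only populated above this point. The start of updateLayers is above the hunk, so I cannot see whether the list is already filled before the tiler update.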