Title: [253469] trunk
- Revision
- 253469
- Author
- aj...@chromium.org
- Date
- 2019-12-13 06:32:55 -0800 (Fri, 13 Dec 2019)
Log Message
Crash in RenderLayerBacking::updateCompositedBounds from using cleared WeakPtr from m_backingSharingLayers
https://bugs.webkit.org/show_bug.cgi?id=204648
Reviewed by Simon Fraser.
Source/WebCore:
RenderLayerBacking's clearBackingSharingProviders clears layers'
backingSharingProviders unconditionally, even when a layer's
backingSharingProvider is some other RenderLayerBacking's owning
layer. This leaves the layer in a state where its backingProviderLayer
is null, even though it appears in the other RenderLayerBacking's
m_backingSharingLayers, which leads to a crash if this layer is destroyed
and the other RenderLayerBacking tries to use its pointer to this
layer.
Avoid this inconsistency by making clearBackingSharingProviders check
whether a layer's backingSharingProvider is the current RenderLayerBacking's
owner, before clearing it.
Test: compositing/shared-backing/move-sharing-child.html
* rendering/RenderLayerBacking.cpp:
(WebCore::clearBackingSharingLayerProviders):
(WebCore::RenderLayerBacking::setBackingSharingLayers):
(WebCore::RenderLayerBacking::clearBackingSharingLayers):
LayoutTests:
* compositing/shared-backing/move-sharing-child-expected.txt: Added.
* compositing/shared-backing/move-sharing-child.html: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (253468 => 253469)
--- trunk/LayoutTests/ChangeLog 2019-12-13 13:47:50 UTC (rev 253468)
+++ trunk/LayoutTests/ChangeLog 2019-12-13 14:32:55 UTC (rev 253469)
@@ -1,3 +1,13 @@
+2019-12-13 Ali Juma <aj...@chromium.org>
+
+ Crash in RenderLayerBacking::updateCompositedBounds from using cleared WeakPtr from m_backingSharingLayers
+ https://bugs.webkit.org/show_bug.cgi?id=204648
+
+ Reviewed by Simon Fraser.
+
+ * compositing/shared-backing/move-sharing-child-expected.txt: Added.
+ * compositing/shared-backing/move-sharing-child.html: Added.
+
2019-12-13 Carlos Garcia Campos <cgar...@igalia.com>
[GTK] Several tests crashing after r247898 "Reorganize UIScriptController into platform-specific subclasses"
Added: trunk/LayoutTests/compositing/shared-backing/move-sharing-child-expected.txt (0 => 253469)
--- trunk/LayoutTests/compositing/shared-backing/move-sharing-child-expected.txt (rev 0)
+++ trunk/LayoutTests/compositing/shared-backing/move-sharing-child-expected.txt 2019-12-13 14:32:55 UTC (rev 253469)
@@ -0,0 +1,3 @@
+This test should not crash or assert.
+
+
Added: trunk/LayoutTests/compositing/shared-backing/move-sharing-child.html (0 => 253469)
--- trunk/LayoutTests/compositing/shared-backing/move-sharing-child.html (rev 0)
+++ trunk/LayoutTests/compositing/shared-backing/move-sharing-child.html 2019-12-13 14:32:55 UTC (rev 253469)
@@ -0,0 +1,75 @@
+<!DOCTYPE html>
+<title>
+ Tests that there is no crash when a layer's backing provider layer changes
+ and the layer is then removed.
+ </title>
+
+<style>
+ .positioned {
+ position: absolute;
+ left: 25px;
+ width: 100px;
+ height: 100px;
+ }
+
+ .composited {
+ transform: translateZ(0);
+ background-color: blue;
+ }
+
+ .stackingContext {
+ position: absolute;
+ z-index: 0;
+ }
+
+ #child1 {
+ background-color: orange;
+ }
+
+ #child2 {
+ background-color: yellow;
+ }
+
+ #grandchild {
+ background-color: pink;
+ }
+
+ #container {
+ background-color: green;
+ }
+</style>
+
+<script>
+ if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.waitUntilDone();
+ }
+
+ function triggerLayout() {
+ document.body.scrollTop;
+ }
+
+ window._onload_ = function() {
+ triggerLayout();
+
+ document.getElementById('container').classList.add("stackingContext");
+ document.getElementById('child1').classList.add("composited");
+ triggerLayout();
+
+ document.getElementById('grandchild').classList.remove("positioned");
+ triggerLayout();
+
+ if (window.testRunner)
+ testRunner.notifyDone();
+ }
+</script>
+
+<p>This test should not crash or assert.</p>
+<div class="composited positioned"></div>
+<div id="container" class="positioned">
+ <div id="child1" class="positioned"></div>
+ <div id="child2" class="positioned">
+ <div id="grandchild" class="positioned"></div>
+ </div>
+</div>
+
Modified: trunk/Source/WebCore/ChangeLog (253468 => 253469)
--- trunk/Source/WebCore/ChangeLog 2019-12-13 13:47:50 UTC (rev 253468)
+++ trunk/Source/WebCore/ChangeLog 2019-12-13 14:32:55 UTC (rev 253469)
@@ -1,3 +1,30 @@
+2019-12-13 Ali Juma <aj...@chromium.org>
+
+ Crash in RenderLayerBacking::updateCompositedBounds from using cleared WeakPtr from m_backingSharingLayers
+ https://bugs.webkit.org/show_bug.cgi?id=204648
+
+ Reviewed by Simon Fraser.
+
+ RenderLayerBacking's clearBackingSharingProviders clears layers'
+ backingSharingProviders unconditionally, even when a layer's
+ backingSharingProvider is some other RenderLayerBacking's owning
+ layer. This leaves the layer in a state where its backingProviderLayer
+ is null, even though it appears in the other RenderLayerBacking's
+ m_backingSharingLayers, which leads to a crash if this layer is destroyed
+ and the other RenderLayerBacking tries to use its pointer to this
+ layer.
+
+ Avoid this inconsistency by making clearBackingSharingProviders check
+ whether a layer's backingSharingProvider is the current RenderLayerBacking's
+ owner, before clearing it.
+
+ Test: compositing/shared-backing/move-sharing-child.html
+
+ * rendering/RenderLayerBacking.cpp:
+ (WebCore::clearBackingSharingLayerProviders):
+ (WebCore::RenderLayerBacking::setBackingSharingLayers):
+ (WebCore::RenderLayerBacking::clearBackingSharingLayers):
+
2019-12-13 Zalan Bujtas <za...@apple.com>
[LFC][IFC] Fix fast/text/simple-line-with-multiple-renderers.html
Modified: trunk/Source/WebCore/rendering/RenderLayerBacking.cpp (253468 => 253469)
--- trunk/Source/WebCore/rendering/RenderLayerBacking.cpp 2019-12-13 13:47:50 UTC (rev 253468)
+++ trunk/Source/WebCore/rendering/RenderLayerBacking.cpp 2019-12-13 14:32:55 UTC (rev 253469)
@@ -270,12 +270,13 @@
compositor().layerTiledBackingUsageChanged(layer, false);
}
-static void clearBackingSharingLayerProviders(Vector<WeakPtr<RenderLayer>>& sharingLayers)
+static void clearBackingSharingLayerProviders(Vector<WeakPtr<RenderLayer>>& sharingLayers, const RenderLayer& providerLayer)
{
for (auto& layerWeakPtr : sharingLayers) {
if (!layerWeakPtr)
continue;
- layerWeakPtr->setBackingProviderLayer(nullptr);
+ if (layerWeakPtr->backingProviderLayer() == &providerLayer)
+ layerWeakPtr->setBackingProviderLayer(nullptr);
}
}
@@ -292,7 +293,7 @@
}
}
- clearBackingSharingLayerProviders(m_backingSharingLayers);
+ clearBackingSharingLayerProviders(m_backingSharingLayers, m_owningLayer);
if (sharingLayers != m_backingSharingLayers) {
if (sharingLayers.size())
@@ -323,7 +324,7 @@
void RenderLayerBacking::clearBackingSharingLayers()
{
- clearBackingSharingLayerProviders(m_backingSharingLayers);
+ clearBackingSharingLayerProviders(m_backingSharingLayers, m_owningLayer);
m_backingSharingLayers.clear();
}
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
