Title: [128980] trunk/Source/WebKit2
- Revision
- 128980
- Author
- kbal...@webkit.org
- Date
- 2012-09-19 02:10:33 -0700 (Wed, 19 Sep 2012)
Log Message
[Texmap] Potential crash in TextureMapperLayer because of referencing deleted mask/replica layer
https://bugs.webkit.org/show_bug.cgi?id=96919
Reviewed by Noam Rosenthal.
Delay syncing deleted layers until flushPendingLayerChanges so the UI side state
will contain all changes related to the deletion of a layer. This saves us from
referencing a deleted layer.
* WebProcess/WebPage/CoordinatedGraphics/LayerTreeCoordinator.cpp:
(WebKit::LayerTreeCoordinator::flushPendingLayerChanges):
(WebKit::LayerTreeCoordinator::detachLayer):
* WebProcess/WebPage/CoordinatedGraphics/LayerTreeCoordinator.h:
(LayerTreeCoordinator):
Diff
Modified: trunk/Source/WebKit2/ChangeLog (128979 => 128980)
--- trunk/Source/WebKit2/ChangeLog 2012-09-19 08:50:01 UTC (rev 128979)
+++ trunk/Source/WebKit2/ChangeLog 2012-09-19 09:10:33 UTC (rev 128980)
@@ -1,3 +1,20 @@
+2012-09-19 Balazs Kelemen <kbal...@webkit.org>
+
+ [Texmap] Potential crash in TextureMapperLayer because of referencing deleted mask/replica layer
+ https://bugs.webkit.org/show_bug.cgi?id=96919
+
+ Reviewed by Noam Rosenthal.
+
+ Delay syncing deleted layers until flushPendingLayerChanges so the UI side state
+ will contain all changes related to the deletion of a layer. This saves us from
+ referencing a deleted layer.
+
+ * WebProcess/WebPage/CoordinatedGraphics/LayerTreeCoordinator.cpp:
+ (WebKit::LayerTreeCoordinator::flushPendingLayerChanges):
+ (WebKit::LayerTreeCoordinator::detachLayer):
+ * WebProcess/WebPage/CoordinatedGraphics/LayerTreeCoordinator.h:
+ (LayerTreeCoordinator):
+
2012-09-19 Byungwoo Lee <bw80....@samsung.com>
[EFL][WK2] waitUntilTitleChangedTo() and waitUntilLoadFinished() needs timeout.
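Review bot: The new ChangeLog entry lists only LayerTreeCoordinator.cpp and LayerTreeCoordinator.h and names no test for a crash fix. Since this concerns the UI side referencing a deleted mask/replica layer, either add a regression test that detaches such a layer, or say in the entry why the crash cannot be covered by one.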
Modified: trunk/Source/WebKit2/WebProcess/WebPage/CoordinatedGraphics/LayerTreeCoordinator.cpp (128979 => 128980)
--- trunk/Source/WebKit2/WebProcess/WebPage/CoordinatedGraphics/LayerTreeCoordinator.cpp 2012-09-19 08:50:01 UTC (rev 128979)
+++ trunk/Source/WebKit2/WebProcess/WebPage/CoordinatedGraphics/LayerTreeCoordinator.cpp 2012-09-19 09:10:33 UTC (rev 128980)
@@ -255,6 +255,11 @@
return false;
m_shouldSyncFrame = false;
+
+ for (size_t i = 0; i < m_detachedLayers.size(); ++i)
+ m_webPage->send(Messages::LayerTreeCoordinatorProxy::DeleteCompositingLayer(m_detachedLayers[i]));
+ m_detachedLayers.clear();
+
bool didSync = m_webPage->corePage()->mainFrame()->view()->syncCompositingStateIncludingSubframes();
m_nonCompositedContentLayer->syncCompositingStateForThisLayerOnly();
if (m_pageOverlayLayer)
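Review bot: In flushPendingLayerChanges the DeleteCompositingLayer loop runs before syncCompositingStateIncludingSubframes(), so the deletions are sent ahead of the state sync that the log message relies on to carry "all changes related to the deletion". If the UI side applies messages in arrival order, a parent could still point at the deleted mask/replica when the delete is handled. Either move the loop below the sync calls, or add a comment stating why sending it first is safe (for example, that the proxy only applies these messages together once the flush completes). Also note that the loop sits below the early `return false;`, so queued ids stay in m_detachedLayers whenever that return is taken.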
@@ -326,7 +331,8 @@
{
m_registeredLayers.remove(layer);
m_shouldSyncFrame = true;
- m_webPage->send(Messages::LayerTreeCoordinatorProxy::DeleteCompositingLayer(layer->id()));
+ m_detachedLayers.append(layer->id());
+ scheduleLayerFlush();
}
static void updateOffsetFromViewportForSelf(RenderLayer* renderLayer)
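Review bot: In detachLayer the delete message is now only delivered if a later flush actually reaches the new loop, and `scheduleLayerFlush();` is the sole guarantee of that. Please confirm that every path where flushPendingLayerChanges returns early is followed by another flush, and that ids still queued in m_detachedLayers are either sent or deliberately dropped when the coordinator goes away. Because m_detachedLayers is a Vector, a layer detached twice would also queue two deletes for the same id; an ASSERT that the layer is still in m_registeredLayers before `m_registeredLayers.remove(layer);` would catch that.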
Modified: trunk/Source/WebKit2/WebProcess/WebPage/CoordinatedGraphics/LayerTreeCoordinator.h (128979 => 128980)
--- trunk/Source/WebKit2/WebProcess/WebPage/CoordinatedGraphics/LayerTreeCoordinator.h 2012-09-19 08:50:01 UTC (rev 128979)
+++ trunk/Source/WebKit2/WebProcess/WebPage/CoordinatedGraphics/LayerTreeCoordinator.h 2012-09-19 09:10:33 UTC (rev 128980)
@@ -127,6 +127,7 @@
OwnPtr<WebCore::GraphicsLayer> m_pageOverlayLayer;
HashSet<WebCore::CoordinatedGraphicsLayer*> m_registeredLayers;
+ Vector<WebLayerID> m_detachedLayers;
HashMap<int64_t, int> m_directlyCompositedImageRefCounts;
Vector<OwnPtr<UpdateAtlas> > m_updateAtlases;
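Review bot: The new member `Vector<WebLayerID> m_detachedLayers;` has no comment, and the name alone does not say that these are ids whose DeleteCompositingLayer message is pending until the next flush. A one-line comment to that effect next to the declaration would make the deferred-delete contract between detachLayer and flushPendingLayerChanges visible in the header.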