Title: [188991] trunk/Source/WebKit2
- Revision
- 188991
- Author
- wenson_hs...@apple.com
- Date
- 2015-08-26 14:54:41 -0700 (Wed, 26 Aug 2015)
Log Message
Fix crash due to animationDidEnd called on deallocated RemoteLayerTreeHost
https://bugs.webkit.org/show_bug.cgi?id=148442
<rdar://problem/21609257>
Reviewed by Tim Horton.
A PlatformCAAnimationRemote's backpointer to a deallocated RemoteLayerTreeHost is not
invalidated when its host removes its reference to it.
* UIProcess/mac/RemoteLayerTreeHost.mm:
(WebKit::RemoteLayerTreeHost::layerWillBeRemoved): Invalidate a backpointer from the
PlatformCAAnimationRemotes to the RemoteLayerTreeHost.
Modified Paths
Diff
Modified: trunk/Source/WebKit2/ChangeLog (188990 => 188991)
--- trunk/Source/WebKit2/ChangeLog 2015-08-26 21:51:12 UTC (rev 188990)
+++ trunk/Source/WebKit2/ChangeLog 2015-08-26 21:54:41 UTC (rev 188991)
@@ -1,3 +1,18 @@
+2015-08-26 Wenson Hsieh <wenson_hs...@apple.com>
+
+ Fix crash due to animationDidEnd called on deallocated RemoteLayerTreeHost
+ https://bugs.webkit.org/show_bug.cgi?id=148442
+ <rdar://problem/21609257>
+
+ Reviewed by Tim Horton.
+
+ A PlatformCAAnimationRemote's backpointer to a deallocated RemoteLayerTreeHost is not
+ invalidated when its host removes its reference to it.
+
+ * UIProcess/mac/RemoteLayerTreeHost.mm:
+ (WebKit::RemoteLayerTreeHost::layerWillBeRemoved): Invalidate a backpointer from the
+ PlatformCAAnimationRemotes to the RemoteLayerTreeHost.
+
2015-08-26 Beth Dakin <bda...@apple.com>
REGRESSION: Safari navigates after a cancelled force click
Modified: trunk/Source/WebKit2/UIProcess/mac/RemoteLayerTreeHost.mm (188990 => 188991)
--- trunk/Source/WebKit2/UIProcess/mac/RemoteLayerTreeHost.mm 2015-08-26 21:51:12 UTC (rev 188990)
+++ trunk/Source/WebKit2/UIProcess/mac/RemoteLayerTreeHost.mm 2015-08-26 21:54:41 UTC (rev 188991)
@@ -138,7 +138,11 @@
void RemoteLayerTreeHost::layerWillBeRemoved(WebCore::GraphicsLayer::PlatformLayerID layerID)
{
- m_animationDelegates.remove(layerID);
+ auto iter = m_animationDelegates.find(layerID);
+ if (iter != m_animationDelegates.end()) {
+ [iter->value invalidate];
+ m_animationDelegates.remove(iter);
+ }
m_layers.remove(layerID);
}
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes