Title: [187050] trunk/Source/WebKit2
Revision
187050
Author
wenson_hs...@apple.com
Date
2015-07-20 17:23:05 -0700 (Mon, 20 Jul 2015)

Log Message

Fix crash due to RemoteLayerTreeDisplayRefreshMonitor outliving RemoteLayerTreeDrawingArea
https://bugs.webkit.org/show_bug.cgi?id=147124
<rdar://problem/21582858>

Reviewed by Simon Fraser.

Refactors RemoteLayerTreeDisplayRefreshMonitor to use a weak pointer rather than a reference
to its RemoteLayerTreeDrawingArea, since the drawing area may be deallocated before the monitor
in some rare cases. This rarely caused pages using requestAnimationFrame to crash on iOS. However,
this should not be the case: logically, a RemoteLayerTreeDrawingArea should always outlive its
refresh monitors. Refer to https://bugs.webkit.org/show_bug.cgi?id=147128 for more details.

* WebProcess/WebPage/Cocoa/RemoteLayerTreeDisplayRefreshMonitor.h:
* WebProcess/WebPage/Cocoa/RemoteLayerTreeDisplayRefreshMonitor.mm:
(WebKit::RemoteLayerTreeDisplayRefreshMonitor::RemoteLayerTreeDisplayRefreshMonitor):
(WebKit::RemoteLayerTreeDisplayRefreshMonitor::~RemoteLayerTreeDisplayRefreshMonitor): On destruction, checks
    first to see whether or not the drawing area has been deallocated before telling it to update its monitors.
(WebKit::RemoteLayerTreeDisplayRefreshMonitor::requestRefreshCallback):
* WebProcess/WebPage/mac/RemoteLayerTreeDrawingArea.h:
(WebKit::RemoteLayerTreeDrawingArea::createWeakPtr): Creates and returns a new weak pointer to itself.
* WebProcess/WebPage/mac/RemoteLayerTreeDrawingArea.mm:
(WebKit::RemoteLayerTreeDrawingArea::RemoteLayerTreeDrawingArea):

Modified Paths

Diff

Modified: trunk/Source/WebKit2/ChangeLog (187049 => 187050)


--- trunk/Source/WebKit2/ChangeLog	2015-07-21 00:12:13 UTC (rev 187049)
+++ trunk/Source/WebKit2/ChangeLog	2015-07-21 00:23:05 UTC (rev 187050)
@@ -1,3 +1,28 @@
+2015-07-20  Wenson Hsieh  <wenson_hs...@apple.com>
+
+        Fix crash due to RemoteLayerTreeDisplayRefreshMonitor outliving RemoteLayerTreeDrawingArea
+        https://bugs.webkit.org/show_bug.cgi?id=147124
+        <rdar://problem/21582858>
+
+        Reviewed by Simon Fraser.
+
+        Refactors RemoteLayerTreeDisplayRefreshMonitor to use a weak pointer rather than a reference
+        to its RemoteLayerTreeDrawingArea, since the drawing area may be deallocated before the monitor
+        in some rare cases. This rarely caused pages using requestAnimationFrame to crash on iOS. However,
+        this should not be the case: logically, a RemoteLayerTreeDrawingArea should always outlive its
+        refresh monitors. Refer to https://bugs.webkit.org/show_bug.cgi?id=147128 for more details.
+
+        * WebProcess/WebPage/Cocoa/RemoteLayerTreeDisplayRefreshMonitor.h:
+        * WebProcess/WebPage/Cocoa/RemoteLayerTreeDisplayRefreshMonitor.mm:
+        (WebKit::RemoteLayerTreeDisplayRefreshMonitor::RemoteLayerTreeDisplayRefreshMonitor):
+        (WebKit::RemoteLayerTreeDisplayRefreshMonitor::~RemoteLayerTreeDisplayRefreshMonitor): On destruction, checks
+            first to see whether or not the drawing area has been deallocated before telling it to update its monitors.
+        (WebKit::RemoteLayerTreeDisplayRefreshMonitor::requestRefreshCallback):
+        * WebProcess/WebPage/mac/RemoteLayerTreeDrawingArea.h:
+        (WebKit::RemoteLayerTreeDrawingArea::createWeakPtr): Creates and returns a new weak pointer to itself.
+        * WebProcess/WebPage/mac/RemoteLayerTreeDrawingArea.mm:
+        (WebKit::RemoteLayerTreeDrawingArea::RemoteLayerTreeDrawingArea):
+
 2015-07-20  Alex Christensen  <achristen...@webkit.org>
 
         [Content Extensions] Cache actions with domains that match everything

Modified: trunk/Source/WebKit2/WebProcess/WebPage/Cocoa/RemoteLayerTreeDisplayRefreshMonitor.h (187049 => 187050)


--- trunk/Source/WebKit2/WebProcess/WebPage/Cocoa/RemoteLayerTreeDisplayRefreshMonitor.h	2015-07-21 00:12:13 UTC (rev 187049)
+++ trunk/Source/WebKit2/WebProcess/WebPage/Cocoa/RemoteLayerTreeDisplayRefreshMonitor.h	2015-07-21 00:23:05 UTC (rev 187050)
@@ -49,7 +49,7 @@
 private:
     explicit RemoteLayerTreeDisplayRefreshMonitor(PlatformDisplayID, RemoteLayerTreeDrawingArea&);
 
-    RemoteLayerTreeDrawingArea& m_drawingArea;
+    WeakPtr<RemoteLayerTreeDrawingArea> m_drawingArea;
 };
 
 }

Modified: trunk/Source/WebKit2/WebProcess/WebPage/Cocoa/RemoteLayerTreeDisplayRefreshMonitor.mm (187049 => 187050)


--- trunk/Source/WebKit2/WebProcess/WebPage/Cocoa/RemoteLayerTreeDisplayRefreshMonitor.mm	2015-07-21 00:12:13 UTC (rev 187049)
+++ trunk/Source/WebKit2/WebProcess/WebPage/Cocoa/RemoteLayerTreeDisplayRefreshMonitor.mm	2015-07-21 00:23:05 UTC (rev 187050)
@@ -36,22 +36,23 @@
 
 RemoteLayerTreeDisplayRefreshMonitor::RemoteLayerTreeDisplayRefreshMonitor(PlatformDisplayID displayID, RemoteLayerTreeDrawingArea& drawingArea)
     : DisplayRefreshMonitor(displayID)
-    , m_drawingArea(drawingArea)
+    , m_drawingArea(drawingArea.createWeakPtr())
 {
 }
 
 RemoteLayerTreeDisplayRefreshMonitor::~RemoteLayerTreeDisplayRefreshMonitor()
 {
-    m_drawingArea.willDestroyDisplayRefreshMonitor(this);
+    if (m_drawingArea)
+        m_drawingArea->willDestroyDisplayRefreshMonitor(this);
 }
 
 bool RemoteLayerTreeDisplayRefreshMonitor::requestRefreshCallback()
 {
-    if (!isActive())
+    if (!m_drawingArea || !isActive())
         return false;
 
     if (!isScheduled())
-        static_cast<DrawingArea&>(m_drawingArea).scheduleCompositingLayerFlush();
+        static_cast<DrawingArea&>(*m_drawingArea.get()).scheduleCompositingLayerFlush();
 
     setIsActive(true);
     setIsScheduled(true);
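Review bot: The null checks added to the destructor and to requestRefreshCallback() carry no comment saying that a null m_drawingArea is a symptom of the lifetime inversion the log message says should not happen. As written, the former dangling-reference access becomes a silent no-op, and a later reader may take the guard for intended design or remove it as dead code. I would put a comment above both checks, for example `// FIXME: The drawing area should always outlive its monitors; see https://bugs.webkit.org/show_bug.cgi?id=147128.`. In the flush call, `*m_drawingArea.get()` could be shortened to `*m_drawingArea` if WeakPtr provides operator* at this revision, which the hunk does not show. The body of requestRefreshCallback() continues outside the hunk.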

Modified: trunk/Source/WebKit2/WebProcess/WebPage/mac/RemoteLayerTreeDrawingArea.h (187049 => 187050)


--- trunk/Source/WebKit2/WebProcess/WebPage/mac/RemoteLayerTreeDrawingArea.h	2015-07-21 00:12:13 UTC (rev 187049)
+++ trunk/Source/WebKit2/WebProcess/WebPage/mac/RemoteLayerTreeDrawingArea.h	2015-07-21 00:23:05 UTC (rev 187050)
@@ -56,6 +56,8 @@
 
     uint64_t nextTransactionID() const { return m_currentTransactionID + 1; }
 
+    WeakPtr<RemoteLayerTreeDrawingArea> createWeakPtr() { return m_weakPtrFactory.createWeakPtr(); }
+    
 private:
     // DrawingArea
     virtual void setNeedsDisplay() override;
@@ -166,6 +168,8 @@
 
     WebCore::GraphicsLayer* m_contentLayer;
     WebCore::GraphicsLayer* m_viewOverlayRootLayer;
+    
+    WeakPtrFactory<RemoteLayerTreeDrawingArea> m_weakPtrFactory;
 };
 
 } // namespace WebKit
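Review bot: The m_weakPtrFactory declaration lacks a comment saying it must stay the last data member. Because it is declared last in this hunk, it is destroyed first, so outstanding WeakPtrs are revoked before the other members are torn down; a member added after it later would be destroyed while a monitor could still see a non-null pointer. I would add `// Keep this the last member so WeakPtrs are invalidated before other members are destroyed.` above the declaration. The added blank line before it has trailing whitespace, as does the one after createWeakPtr() in the previous hunk. The class definition starts outside the hunk.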

Modified: trunk/Source/WebKit2/WebProcess/WebPage/mac/RemoteLayerTreeDrawingArea.mm (187049 => 187050)


--- trunk/Source/WebKit2/WebProcess/WebPage/mac/RemoteLayerTreeDrawingArea.mm	2015-07-21 00:12:13 UTC (rev 187049)
+++ trunk/Source/WebKit2/WebProcess/WebPage/mac/RemoteLayerTreeDrawingArea.mm	2015-07-21 00:23:05 UTC (rev 187050)
@@ -72,6 +72,7 @@
     , m_currentTransactionID(0)
     , m_contentLayer(nullptr)
     , m_viewOverlayRootLayer(nullptr)
+    , m_weakPtrFactory(this)
 {
     webPage.corePage()->settings().setForceCompositingMode(true);
 #if PLATFORM(IOS)