Title: [203449] trunk/Source/WebKit2
- Revision: 203449
- Author: carlo...@webkit.org
- Date: 2016-07-20 05:17:37 -0700 (Wed, 20 Jul 2016)
Log Message
[Threaded Compositor] Web Process crash when the layer tree host is destroyed
https://bugs.webkit.org/show_bug.cgi?id=159922
Reviewed by Sergio Villar Senin.
It happens when the layer tree host is destroyed after the didChangeVisibleRect is scheduled to be run in the
main thread, but before it's actually dispatched. In that case the threaded compositor client points to a
deleted object and crashes when trying to dereference it.
* Shared/CoordinatedGraphics/threadedcompositor/ThreadedCompositor.cpp:
(WebKit::ThreadedCompositor::~ThreadedCompositor): Add an assert to ensure invalidate is always called before
the object is deleted.
(WebKit::ThreadedCompositor::invalidate): Terminate the compositing thread and nullify the client.
(WebKit::ThreadedCompositor::didChangeVisibleRect): Return early if the client is null when the task is
dispatched in the main thread.
* Shared/CoordinatedGraphics/threadedcompositor/ThreadedCompositor.h: Add invalidate().
* WebProcess/WebPage/CoordinatedGraphics/ThreadedCoordinatedLayerTreeHost.cpp:
(WebKit::ThreadedCoordinatedLayerTreeHost::invalidate): Invalidate the ThreadedCompositor and chain up.
* WebProcess/WebPage/CoordinatedGraphics/ThreadedCoordinatedLayerTreeHost.h:
Modified Paths
Diff
Modified: trunk/Source/WebKit2/ChangeLog (203448 => 203449)
--- trunk/Source/WebKit2/ChangeLog 2016-07-20 08:50:16 UTC (rev 203448)
+++ trunk/Source/WebKit2/ChangeLog 2016-07-20 12:17:37 UTC (rev 203449)
@@ -1,3 +1,25 @@
+2016-07-20 Carlos Garcia Campos <cgar...@igalia.com>
+
+ [Threaded Compositor] Web Process crash when the layer tree host is destroyed
+ https://bugs.webkit.org/show_bug.cgi?id=159922
+
+ Reviewed by Sergio Villar Senin.
+
+ It happens when the layer tree host is destroyed after the didChangeVisibleRect is scheduled to be run in the
+ main thread, but before it's actually dispatched. In that case the threaded compositor client points to a
+ deleted object and crashes when trying to dereference it.
+
+ * Shared/CoordinatedGraphics/threadedcompositor/ThreadedCompositor.cpp:
+ (WebKit::ThreadedCompositor::~ThreadedCompositor): Add an assert to ensure invalidate is always called before
+ the object is deleted.
+ (WebKit::ThreadedCompositor::invalidate): Terminate the compositing thread and nullify the client.
+ (WebKit::ThreadedCompositor::didChangeVisibleRect): Return early if the client is null when the task is
+ dispatched in the main thread.
+ * Shared/CoordinatedGraphics/threadedcompositor/ThreadedCompositor.h: Add invalidate().
+ * WebProcess/WebPage/CoordinatedGraphics/ThreadedCoordinatedLayerTreeHost.cpp:
+ (WebKit::ThreadedCoordinatedLayerTreeHost::invalidate): Invalidate the ThreadedCompositor and chain up.
+ * WebProcess/WebPage/CoordinatedGraphics/ThreadedCoordinatedLayerTreeHost.h:
+
2016-07-19 Brian Burg <bb...@apple.com>
Web Automation: WebAutomationSessionProxy's HashMaps should support '0' as valid keys
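Review bot: The last entry of the new ChangeLog block, `* WebProcess/WebPage/CoordinatedGraphics/ThreadedCoordinatedLayerTreeHost.h:`, has no description, while the ThreadedCompositor.h entry above it says "Add invalidate()". Suggest stating that it declares the invalidate() override so every touched file is accounted for in the log.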
Modified: trunk/Source/WebKit2/Shared/CoordinatedGraphics/threadedcompositor/ThreadedCompositor.cpp (203448 => 203449)
--- trunk/Source/WebKit2/Shared/CoordinatedGraphics/threadedcompositor/ThreadedCompositor.cpp 2016-07-20 08:50:16 UTC (rev 203448)
+++ trunk/Source/WebKit2/Shared/CoordinatedGraphics/threadedcompositor/ThreadedCompositor.cpp 2016-07-20 12:17:37 UTC (rev 203449)
@@ -56,7 +56,13 @@
ThreadedCompositor::~ThreadedCompositor()
{
+ ASSERT(!m_client);
+}
+
+void ThreadedCompositor::invalidate()
+{
terminateCompositingThread();
+ m_client = nullptr;
}
void ThreadedCompositor::setNativeSurfaceHandleForCompositing(uint64_t handle)
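Review bot: In `~ThreadedCompositor()` the only remaining statement is `ASSERT(!m_client);`, and the `terminateCompositingThread()` call now lives solely in `invalidate()`. ASSERT is compiled out of release builds, so an owner that releases the compositor without calling invalidate() would destroy it with the compositing thread never terminated and m_client still set, and nothing would flag it. Suggest either keeping a release-safe fallback in the destructor or documenting invalidate() as a hard precondition of destruction. It is also worth confirming that a second invalidate() call is harmless, since it would run terminateCompositingThread() again.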
@@ -174,7 +180,8 @@
void ThreadedCompositor::didChangeVisibleRect()
{
RunLoop::main().dispatch([this, protectedThis = makeRef(*this), visibleRect = m_viewportController->visibleContentsRect(), scale = m_viewportController->pageScaleFactor()] {
- m_client->setVisibleContentsRect(visibleRect, FloatPoint::zero(), scale);
+ if (m_client)
+ m_client->setVisibleContentsRect(visibleRect, FloatPoint::zero(), scale);
});
scheduleDisplayImmediately();
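Review bot: The new `if (m_client)` check in the task dispatched by `didChangeVisibleRect()` is only sound if `m_client` is cleared on the main thread as well, because the read happens inside a `RunLoop::main()` task and no synchronisation on m_client is visible in this patch. Suggest an `ASSERT(isMainThread());` at the top of `invalidate()`, or a comment stating that m_client is main-thread-only, so the invariant the check relies on is explicit. Only this one dispatch is guarded here; any other main-thread task in the file that dereferences m_client needs the same check, since `protectedThis` keeps the compositor alive but not its client.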
Modified: trunk/Source/WebKit2/Shared/CoordinatedGraphics/threadedcompositor/ThreadedCompositor.h (203448 => 203449)
--- trunk/Source/WebKit2/Shared/CoordinatedGraphics/threadedcompositor/ThreadedCompositor.h 2016-07-20 08:50:16 UTC (rev 203448)
+++ trunk/Source/WebKit2/Shared/CoordinatedGraphics/threadedcompositor/ThreadedCompositor.h 2016-07-20 12:17:37 UTC (rev 203449)
@@ -75,6 +75,8 @@
void scrollTo(const WebCore::IntPoint&);
void scrollBy(const WebCore::IntSize&);
+ void invalidate();
+
private:
ThreadedCompositor(Client*);
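Review bot: The new public `void invalidate();` declaration has no comment, yet the destructor now asserts that it was called first, which makes it part of the class's lifetime contract. Suggest a one-line comment at the declaration saying that it must be called before the last reference is dropped, and that it terminates the compositing thread and detaches the client.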
Modified: trunk/Source/WebKit2/WebProcess/WebPage/CoordinatedGraphics/ThreadedCoordinatedLayerTreeHost.cpp (203448 => 203449)
--- trunk/Source/WebKit2/WebProcess/WebPage/CoordinatedGraphics/ThreadedCoordinatedLayerTreeHost.cpp 2016-07-20 08:50:16 UTC (rev 203448)
+++ trunk/Source/WebKit2/WebProcess/WebPage/CoordinatedGraphics/ThreadedCoordinatedLayerTreeHost.cpp 2016-07-20 12:17:37 UTC (rev 203449)
@@ -54,6 +54,12 @@
{
}
+void ThreadedCoordinatedLayerTreeHost::invalidate()
+{
+ m_compositor->invalidate();
+ CoordinatedLayerTreeHost::invalidate();
+}
+
void ThreadedCoordinatedLayerTreeHost::scrollNonCompositedContents(const WebCore::IntRect& rect)
{
m_compositor->scrollTo(rect.location());
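Review bot: After `ThreadedCoordinatedLayerTreeHost::invalidate()` calls `m_compositor->invalidate()`, the host still holds m_compositor and other methods keep forwarding to it, for example `m_compositor->scrollTo(rect.location());` in `scrollNonCompositedContents()` in the context lines. Those calls would then reach a compositor whose thread has been terminated. Suggest confirming that no such call can arrive once invalidate() has run, or guarding them, and adding a short comment on why the compositor is invalidated before chaining up to `CoordinatedLayerTreeHost::invalidate()`.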
Modified: trunk/Source/WebKit2/WebProcess/WebPage/CoordinatedGraphics/ThreadedCoordinatedLayerTreeHost.h (203448 => 203449)
--- trunk/Source/WebKit2/WebProcess/WebPage/CoordinatedGraphics/ThreadedCoordinatedLayerTreeHost.h 2016-07-20 08:50:16 UTC (rev 203448)
+++ trunk/Source/WebKit2/WebProcess/WebPage/CoordinatedGraphics/ThreadedCoordinatedLayerTreeHost.h 2016-07-20 12:17:37 UTC (rev 203449)
@@ -58,6 +58,8 @@
void contentsSizeChanged(const WebCore::IntSize&) override;
void didChangeViewportProperties(const WebCore::ViewportAttributes&) override;
+ void invalidate() override;
+
#if PLATFORM(GTK)
void setNativeSurfaceHandleForCompositing(uint64_t) override;
#endif