Title: [202330] trunk/Source/WebCore
- Revision
- 202330
- Author
- [email protected]
- Date
- 2016-06-22 09:58:17 -0700 (Wed, 22 Jun 2016)
Log Message
Crash under GraphicsLayerCA::recursiveCommitChanges() with deep layer trees
https://bugs.webkit.org/show_bug.cgi?id=159023
rdar://problem/25377842
Reviewed by Tim Horton.
Having an on-stack DisplayList::Recorder increased the stack frame size significantly,
causing stack exhaustion with deep layer trees, despite the existing depth check.
Make the Recorder heap-allocated to fix this.
Tested by LayoutTests/compositing//layer-creation/deep-tree.html.
* platform/graphics/ca/GraphicsLayerCA.cpp:
(WebCore::GraphicsLayerCA::recursiveCommitChanges):
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (202329 => 202330)
--- trunk/Source/WebCore/ChangeLog 2016-06-22 16:55:49 UTC (rev 202329)
+++ trunk/Source/WebCore/ChangeLog 2016-06-22 16:58:17 UTC (rev 202330)
@@ -1,3 +1,21 @@
+2016-06-22 Simon Fraser <[email protected]>
+
+ Crash under GraphicsLayerCA::recursiveCommitChanges() with deep layer trees
+ https://bugs.webkit.org/show_bug.cgi?id=159023
+ rdar://problem/25377842
+
+ Reviewed by Tim Horton.
+
+ Having an on-stack DisplayList::Recorder increased the stack frame size significantly,
+ causing stack exhaustion with deep layer trees, despite the existing depth check.
+
+ Make the Recorder heap-allocated to fix this.
+
+ Tested by LayoutTests/compositing//layer-creation/deep-tree.html.
+
+ * platform/graphics/ca/GraphicsLayerCA.cpp:
+ (WebCore::GraphicsLayerCA::recursiveCommitChanges):
+
2016-06-22 Carlos Garcia Campos <[email protected]>
[GTK] Add support for variadic parameters to GObject DOM bindings
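Review bot: the test path in the new ChangeLog entry, `LayoutTests/compositing//layer-creation/deep-tree.html`, carries a doubled slash; write it as `LayoutTests/compositing/layer-creation/deep-tree.html` so it matches the single-slash form used for the other paths in the entry and can be located by a reader.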
Modified: trunk/Source/WebCore/platform/graphics/ca/GraphicsLayerCA.cpp (202329 => 202330)
--- trunk/Source/WebCore/platform/graphics/ca/GraphicsLayerCA.cpp 2016-06-22 16:55:49 UTC (rev 202329)
+++ trunk/Source/WebCore/platform/graphics/ca/GraphicsLayerCA.cpp 2016-06-22 16:58:17 UTC (rev 202330)
@@ -1439,7 +1439,8 @@
FloatRect initialClip(boundsOrigin(), size());
GraphicsContext context;
- DisplayList::Recorder recorder(context, *m_displayList, initialClip, AffineTransform());
+ // The Recorder is large, so heap-allocate.
+ std::unique_ptr<DisplayList::Recorder> recorder = std::make_unique<DisplayList::Recorder>(context, *m_displayList, initialClip, AffineTransform());
paintGraphicsLayerContents(context, FloatRect(FloatPoint(), size()));
#ifdef LOG_RECORDING_TIME
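Review bot: the replacement line repeats the type on both sides of the assignment; `auto recorder = std::make_unique<DisplayList::Recorder>(context, *m_displayList, initialClip, AffineTransform());` says the same thing without the duplication. Since `recorder` is not referenced again in the visible lines and exists only to stay alive while `paintGraphicsLayerContents(context, ...)` runs, the new comment would be more useful if it also said that the object is kept for the duration of the paint rather than being used by name. Finally, the fix makes correctness depend on the smaller frame now fitting under the existing depth check mentioned in the ChangeLog; it would be worth recording there that deep-tree.html was rerun with the reduced frame, so a later change that grows the frame again has a reference point.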