Title: [232596] trunk/Source/WebCore
- Revision
- 232596
- Author
- [email protected]
- Date
- 2018-06-07 12:51:43 -0700 (Thu, 07 Jun 2018)
Log Message
[ASan / StressGC] DumpRenderTree crashed in com.apple.WebCore: WebCore::EventTarget::ref + 16
https://bugs.webkit.org/show_bug.cgi?id=186207
<rdar://problem/40568747>
Reviewed by Dean Jackson.
Ensure that we clear the DOM event queue for declarative animations once an animation is cleared for
an element since the element can be deleted before events get dispatched asynchronously for this animation.
We also only call AnimationTimeline::removeAnimationsForElement() from RenderTreeUpdater::tearDownRenderers()
in the case where we're tearing down the whole document as otherwise this would yield early clearing of the event
queue in the case where an element would get a "display: none" style.
* animation/AnimationTimeline.cpp:
(WebCore::AnimationTimeline::removeAnimationsForElement):
* animation/DeclarativeAnimation.cpp:
(WebCore::DeclarativeAnimation::~DeclarativeAnimation):
(WebCore::DeclarativeAnimation::prepareAnimationForRemoval):
* animation/DeclarativeAnimation.h:
* animation/WebAnimation.cpp:
(WebCore::WebAnimation::prepareAnimationForRemoval):
* animation/WebAnimation.h:
* rendering/updating/RenderTreeUpdater.cpp:
(WebCore::RenderTreeUpdater::tearDownRenderers):
Diff
Modified: trunk/Source/WebCore/ChangeLog (232595 => 232596)
--- trunk/Source/WebCore/ChangeLog 2018-06-07 19:48:48 UTC (rev 232595)
+++ trunk/Source/WebCore/ChangeLog 2018-06-07 19:51:43 UTC (rev 232596)
@@ -1,3 +1,30 @@
+2018-06-07 Antoine Quint <[email protected]>
+
+ [ASan / StressGC] DumpRenderTree crashed in com.apple.WebCore: WebCore::EventTarget::ref + 16
+ https://bugs.webkit.org/show_bug.cgi?id=186207
+ <rdar://problem/40568747>
+
+ Reviewed by Dean Jackson.
+
+ Ensure that we clear the DOM event queue for declarative animations once an animation is cleared for
+ an element since the element can be deleted before events get dispatched asynchronouly for this animation.
+
+ We also only call AnimationTimeline::removeAnimationsForElement() from RenderTreeUpdater::tearDownRenderers()
+ in the case where we're tearing down the whole document as otherwise this would yield early clearing of the event
+ queue in the case where an element would get a "display: none" style.
+
+ * animation/AnimationTimeline.cpp:
+ (WebCore::AnimationTimeline::removeAnimationsForElement):
+ * animation/DeclarativeAnimation.cpp:
+ (WebCore::DeclarativeAnimation::~DeclarativeAnimation):
+ (WebCore::DeclarativeAnimation::prepareAnimationForRemoval):
+ * animation/DeclarativeAnimation.h:
+ * animation/WebAnimation.cpp:
+ (WebCore::WebAnimation::prepareAnimationForRemoval):
+ * animation/WebAnimation.h:
+ * rendering/updating/RenderTreeUpdater.cpp:
+ (WebCore::RenderTreeUpdater::tearDownRenderers):
+
2018-06-07 Don Olmstead <[email protected]>
[CoordGraphics] Fix compilation errors around USE(COORDINATED_GRAPHICS)
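Review bot: The new ChangeLog entry lists only source files under animation/ and rendering/updating/, and names no test that was added or updated. Since the crash was found under ASan with StressGC, the entry should say which existing test reproduces it, or the patch should add a regression test that removes an element while its declarative animation still has events queued. The description also has a typo: "asynchronouly" should read "asynchronously".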
Modified: trunk/Source/WebCore/animation/AnimationTimeline.cpp (232595 => 232596)
--- trunk/Source/WebCore/animation/AnimationTimeline.cpp 2018-06-07 19:48:48 UTC (rev 232595)
+++ trunk/Source/WebCore/animation/AnimationTimeline.cpp 2018-06-07 19:51:43 UTC (rev 232596)
@@ -153,7 +153,7 @@
void AnimationTimeline::removeAnimationsForElement(Element& element)
{
for (auto& animation : animationsForElement(element)) {
- animation->setEffectInternal(nullptr);
+ animation->prepareAnimationForRemoval();
removeAnimation(animation.releaseNonNull());
}
}
Modified: trunk/Source/WebCore/animation/DeclarativeAnimation.cpp (232595 => 232596)
--- trunk/Source/WebCore/animation/DeclarativeAnimation.cpp 2018-06-07 19:48:48 UTC (rev 232595)
+++ trunk/Source/WebCore/animation/DeclarativeAnimation.cpp 2018-06-07 19:51:43 UTC (rev 232596)
@@ -47,6 +47,11 @@
DeclarativeAnimation::~DeclarativeAnimation()
{
+}
+
+void DeclarativeAnimation::prepareAnimationForRemoval()
+{
+ WebAnimation::prepareAnimationForRemoval();
m_eventQueue.close();
}
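Review bot: Moving m_eventQueue.close() out of ~DeclarativeAnimation() leaves the destructor body empty, so the queue is now closed only when prepareAnimationForRemoval() is called, and the only caller in this patch is AnimationTimeline::removeAnimationsForElement(). Please confirm that every path that detaches a DeclarativeAnimation from its element goes through that function; otherwise an animation dropped some other way keeps an open queue that can still dispatch to the element. If the empty destructor is intentional it could be written as "= default", and a short comment above prepareAnimationForRemoval() saying that it closes the event queue so nothing is dispatched to a deleted element would make the lifetime rule explicit.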
Modified: trunk/Source/WebCore/animation/DeclarativeAnimation.h (232595 => 232596)
--- trunk/Source/WebCore/animation/DeclarativeAnimation.h 2018-06-07 19:48:48 UTC (rev 232595)
+++ trunk/Source/WebCore/animation/DeclarativeAnimation.h 2018-06-07 19:51:43 UTC (rev 232596)
@@ -45,6 +45,7 @@
const Animation& backingAnimation() const { return m_backingAnimation; }
void setBackingAnimation(const Animation&);
void invalidateDOMEvents(Seconds elapsedTime = 0_s);
+ void prepareAnimationForRemoval() final;
void setTimeline(RefPtr<AnimationTimeline>&&) final;
void cancel() final;
Modified: trunk/Source/WebCore/animation/WebAnimation.cpp (232595 => 232596)
--- trunk/Source/WebCore/animation/WebAnimation.cpp 2018-06-07 19:48:48 UTC (rev 232595)
+++ trunk/Source/WebCore/animation/WebAnimation.cpp 2018-06-07 19:51:43 UTC (rev 232596)
@@ -70,6 +70,11 @@
{
}
+void WebAnimation::prepareAnimationForRemoval()
+{
+ setEffectInternal(nullptr);
+}
+
void WebAnimation::suspendEffectInvalidation()
{
++m_suspendCount;
Modified: trunk/Source/WebCore/animation/WebAnimation.h (232595 => 232596)
--- trunk/Source/WebCore/animation/WebAnimation.h 2018-06-07 19:48:48 UTC (rev 232595)
+++ trunk/Source/WebCore/animation/WebAnimation.h 2018-06-07 19:51:43 UTC (rev 232596)
@@ -109,6 +109,7 @@
void unsuspendEffectInvalidation();
void setSuspended(bool);
bool isSuspended() const { return m_isSuspended; }
+ virtual void prepareAnimationForRemoval();
String description();
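Review bot: "virtual void prepareAnimationForRemoval();" joins the public interface without any comment on its contract. The base implementation is what clears the effect through setEffectInternal(nullptr), so an override that does not call WebAnimation::prepareAnimationForRemoval() would silently skip that step. A one-line comment stating that overrides must call the base would cover it, or the base could stay non-virtual and invoke a separate virtual hook for subclass cleanup.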
Modified: trunk/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp (232595 => 232596)
--- trunk/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp 2018-06-07 19:48:48 UTC (rev 232595)
+++ trunk/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp 2018-06-07 19:51:43 UTC (rev 232596)
@@ -554,7 +554,7 @@
if (teardownType == TeardownType::Full || teardownType == TeardownType::RendererUpdateCancelingAnimations) {
if (RuntimeEnabledFeatures::sharedFeatures().webAnimationsCSSIntegrationEnabled()) {
- if (timeline)
+ if (timeline && document.renderTreeBeingDestroyed())
timeline->removeAnimationsForElement(element);
} else
animationController.cancelAnimations(element);
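Review bot: With the condition changed to "if (timeline && document.renderTreeBeingDestroyed())", the web-animations branch does nothing for TeardownType::Full or TeardownType::RendererUpdateCancelingAnimations unless the whole document is going away, while the legacy branch still calls animationController.cancelAnimations(element) unconditionally. It is not visible in this hunk which path now removes animations, and closes their event queue, for a single element that is torn down and later destroyed while the document lives on, which is the lifetime case the log message describes. Please add a comment here naming that path, and consider whether the outer teardownType check is still meaningful for this branch.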