[webkit-changes] [236871] trunk

[graouts]

Title: [236871] trunk

Revision

236871

Author

grao...@webkit.org

Date

2018-10-05 03:57:43 -0700 (Fri, 05 Oct 2018)

Log Message

[Web Animations] REGRESSION (r236809): crash under AnimationTimeline::updateCSSAnimationsForElement()
https://bugs.webkit.org/show_bug.cgi?id=190307
<rdar://problem/45009901>

Reviewed by Dean Jackson.

Source/WebCore:

We could crash with an invalid access to cssAnimationsByName since cancelOrRemoveDeclarativeAnimation() already
does the job of clearing the m_elementToCSSAnimationByName entry for this particular element if there are no
animations targeting it anymore. This started happening in r236809 when we switched from a simple call to to cancel()
to a call to cancelOrRemoveDeclarativeAnimation(). We can safely remove the removal here since cancelOrRemoveDeclarativeAnimation()
will already have performed this task safely if needed.

* animation/AnimationTimeline.cpp:
(WebCore::AnimationTimeline::updateCSSAnimationsForElement):

LayoutTests:

This test was also crashing even though it should not have been using the new animation engine. Adding the
flag to opt into the legacy animation engine.

* legacy-animation-engine/animations/animation-shorthand-removed.html:

Modified Paths

• trunk/LayoutTests/ChangeLog
• trunk/LayoutTests/legacy-animation-engine/animations/animation-shorthand-removed.html
• trunk/Source/WebCore/ChangeLog
• trunk/Source/WebCore/animation/AnimationTimeline.cpp

Diff

Modified: trunk/LayoutTests/ChangeLog (236870 => 236871)

--- trunk/LayoutTests/ChangeLog	2018-10-05 10:56:31 UTC (rev 236870)
+++ trunk/LayoutTests/ChangeLog	2018-10-05 10:57:43 UTC (rev 236871)
@@ -1,3 +1,16 @@
+2018-10-05  Antoine Quint  <grao...@apple.com>
+
+        [Web Animations] REGRESSION (r236809): crash under AnimationTimeline::updateCSSAnimationsForElement()
+        https://bugs.webkit.org/show_bug.cgi?id=190307
+        <rdar://problem/45009901>
+
+        Reviewed by Dean Jackson.
+
+        This test was also crashing even though it should not have been using the new animation engine. Adding the
+        flag to opt into the legacy animation engine.
+
+        * legacy-animation-engine/animations/animation-shorthand-removed.html:
+
 2018-10-04  Chris Dumez  <cdu...@apple.com>
 
         A Document / Window should lose its browsing context as soon as its iframe is removed from the document

Modified: trunk/LayoutTests/legacy-animation-engine/animations/animation-shorthand-removed.html (236870 => 236871)

--- trunk/LayoutTests/legacy-animation-engine/animations/animation-shorthand-removed.html	2018-10-05 10:56:31 UTC (rev 236870)
+++ trunk/LayoutTests/legacy-animation-engine/animations/animation-shorthand-removed.html	2018-10-05 10:57:43 UTC (rev 236871)
@@ -1,4 +1,4 @@
-<html>
+<html><!-- webkit-test-runner [ experimental:WebAnimationsCSSIntegrationEnabled=false ] -->
 <head>
 <title>Test removal of animation shorthand property</title>
 <style type="text/css" media="screen">

Modified: trunk/Source/WebCore/ChangeLog (236870 => 236871)

--- trunk/Source/WebCore/ChangeLog	2018-10-05 10:56:31 UTC (rev 236870)
+++ trunk/Source/WebCore/ChangeLog	2018-10-05 10:57:43 UTC (rev 236871)
@@ -1,3 +1,20 @@
+2018-10-05  Antoine Quint  <grao...@apple.com>
+
+        [Web Animations] REGRESSION (r236809): crash under AnimationTimeline::updateCSSAnimationsForElement()
+        https://bugs.webkit.org/show_bug.cgi?id=190307
+        <rdar://problem/45009901>
+
+        Reviewed by Dean Jackson.
+
+        We could crash with an invalid access to cssAnimationsByName since cancelOrRemoveDeclarativeAnimation() already
+        does the job of clearing the m_elementToCSSAnimationByName entry for this particular element if there are no
+        animations targeting it anymore. This started happening in r236809 when we switched from a simple call to to cancel()
+        to a call to cancelOrRemoveDeclarativeAnimation(). We can safely remove the removal here since cancelOrRemoveDeclarativeAnimation()
+        will already have performed this task safely if needed.
+
+        * animation/AnimationTimeline.cpp:
+        (WebCore::AnimationTimeline::updateCSSAnimationsForElement):
+
 2018-10-04  Jer Noble  <jer.no...@apple.com>
 
         Add support for reporting "display composited video frames" through the VideoPlaybackQuality object.

Modified: trunk/Source/WebCore/animation/AnimationTimeline.cpp (236870 => 236871)

--- trunk/Source/WebCore/animation/AnimationTimeline.cpp	2018-10-05 10:56:31 UTC (rev 236870)
+++ trunk/Source/WebCore/animation/AnimationTimeline.cpp	2018-10-05 10:57:43 UTC (rev 236871)
@@ -276,10 +276,6 @@
         if (auto animation = cssAnimationsByName.take(nameOfAnimationToRemove))
             cancelOrRemoveDeclarativeAnimation(animation);
     }
-
-    // Remove the map of CSSAnimations by animation name for this element if it's now empty.
-    if (cssAnimationsByName.isEmpty())
-        m_elementToCSSAnimationByName.remove(&element);
 }
 
 RefPtr<WebAnimation> AnimationTimeline::cssAnimationForElementAndProperty(Element& element, CSSPropertyID property)

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes