[webkit-changes] [291362] trunk/Source/WebKit

[Hironori . Fujii]

Title: [291362] trunk/Source/WebKit

Revision

291362

Author

hironori.fu...@sony.com

Date

2022-03-16 13:45:42 -0700 (Wed, 16 Mar 2022)

Log Message

[WinCairo][WebGL] Crash in WebKit::WCContentBuffer::platformLayerWillBeDestroyed()
https://bugs.webkit.org/show_bug.cgi?id=237819

Reviewed by Don Olmstead.

WinCairo WTR was randomly crashing in
WCContentBuffer::platformLayerWillBeDestroyed(). It accessed a
stale pointer of WCScene::Layer.

* GPUProcess/graphics/wc/WCScene.cpp:
(WebKit::WCScene::Layer::~Layer): Clear the client of
WCContentBuffer.
(WebKit::WCScene::update):

Modified Paths

• trunk/Source/WebKit/ChangeLog
• trunk/Source/WebKit/GPUProcess/graphics/wc/WCScene.cpp

Diff

Modified: trunk/Source/WebKit/ChangeLog (291361 => 291362)

--- trunk/Source/WebKit/ChangeLog	2022-03-16 20:29:20 UTC (rev 291361)
+++ trunk/Source/WebKit/ChangeLog	2022-03-16 20:45:42 UTC (rev 291362)
@@ -1,3 +1,19 @@
+2022-03-16  Fujii Hironori  <hironori.fu...@sony.com>
+
+        [WinCairo][WebGL] Crash in WebKit::WCContentBuffer::platformLayerWillBeDestroyed()
+        https://bugs.webkit.org/show_bug.cgi?id=237819
+
+        Reviewed by Don Olmstead.
+
+        WinCairo WTR was randomly crashing in
+        WCContentBuffer::platformLayerWillBeDestroyed(). It accessed a
+        stale pointer of WCScene::Layer.
+
+        * GPUProcess/graphics/wc/WCScene.cpp:
+        (WebKit::WCScene::Layer::~Layer): Clear the client of
+        WCContentBuffer.
+        (WebKit::WCScene::update):
+
 2022-03-16  Eric Carlson  <eric.carl...@apple.com>
 
         [iOS] WebAVMediaSelectionOption should implement -mediaType

Modified: trunk/Source/WebKit/GPUProcess/graphics/wc/WCScene.cpp (291361 => 291362)

--- trunk/Source/WebKit/GPUProcess/graphics/wc/WCScene.cpp	2022-03-16 20:29:20 UTC (rev 291361)
+++ trunk/Source/WebKit/GPUProcess/graphics/wc/WCScene.cpp	2022-03-16 20:45:42 UTC (rev 291362)
@@ -45,10 +45,16 @@
     WTF_MAKE_FAST_ALLOCATED;
 public:
     Layer() = default;
+    ~Layer()
+    {
+        if (contentBuffer)
+            contentBuffer->setClient(nullptr);
+    }
 
     // WCContentBuffer::Client
     void platformLayerWillBeDestroyed() override
     {
+        contentBuffer = nullptr;
         texmapLayer.setContentsLayer(nullptr);
     }
 
@@ -55,6 +61,7 @@
     WebCore::TextureMapperLayer texmapLayer;
     std::unique_ptr<WebCore::TextureMapperSparseBackingStore> backingStore;
     std::unique_ptr<WebCore::TextureMapperLayer> backdropLayer;
+    WCContentBuffer* contentBuffer { nullptr };
 };
 
 void WCScene::initialize(WCSceneContext& context)
@@ -183,14 +190,21 @@
             layer->texmapLayer.setBackdropFiltersRect(layerUpdate.backdropFiltersRect);
         }
         if (layerUpdate.changes & WCLayerChange::PlatformLayer) {
-            if (!layerUpdate.hasPlatformLayer)
+            if (!layerUpdate.hasPlatformLayer) {
+                if (layer->contentBuffer) {
+                    layer->contentBuffer->setClient(nullptr);
+                    layer->contentBuffer = nullptr;
+                }
                 layer->texmapLayer.setContentsLayer(nullptr);
-            else {
+            } else {
                 WCContentBuffer* contentBuffer = nullptr;
                 for (auto identifier : layerUpdate.contentBufferIdentifiers)
                     contentBuffer = WCContentBufferManager::singleton().releaseContentBufferIdentifier(m_webProcessIdentifier, identifier);
                 if (contentBuffer) {
+                    if (layer->contentBuffer)
+                        layer->contentBuffer->setClient(nullptr);
                     contentBuffer->setClient(layer);
+                    layer->contentBuffer = contentBuffer;
                     layer->texmapLayer.setContentsLayer(contentBuffer->platformLayer());
                 }
             }

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes