Title: [192853] trunk/Source/WebCore
Revision: 192853
Author: simon.fra...@apple.com
Date: 2015-11-30 18:46:09 -0800 (Mon, 30 Nov 2015)

Log Message

Fix possible crash with animated layers in reflections
https://bugs.webkit.org/show_bug.cgi?id=151689
rdar://problem/23018612

Reviewed by Darin Adler.

Reflections create additional PlatformCALayers whose owner is set to the GraphicsLayerCA.
Those PlatformCALayers need their owner pointer cleared out when the GraphicsLayerCA
is destroyed.

Tested by compositing/reflections/nested-reflection-transition.html

* platform/graphics/ca/GraphicsLayerCA.cpp:
* platform/graphics/ca/GraphicsLayerCA.h:

Modified Paths

Diff

Modified: trunk/Source/WebCore/ChangeLog (192852 => 192853)


--- trunk/Source/WebCore/ChangeLog	2015-12-01 02:29:18 UTC (rev 192852)
+++ trunk/Source/WebCore/ChangeLog	2015-12-01 02:46:09 UTC (rev 192853)
@@ -1,3 +1,20 @@
+2015-11-30  Simon Fraser  <simon.fra...@apple.com>
+
+        Fix possible crash with animated layers in reflections
+        https://bugs.webkit.org/show_bug.cgi?id=151689
+        rdar://problem/23018612
+
+        Reviewed by Darin Adler.
+
+        Reflections create additional PlatformCALayers whose owner is set to the GraphicsLayerCA.
+        Those PlatformCALayers need their owner pointer cleared out when the GraphicsLayerCA
+        is destroyed.
+        
+        Tested by compositing/reflections/nested-reflection-transition.html
+
+        * platform/graphics/ca/GraphicsLayerCA.cpp:
+        * platform/graphics/ca/GraphicsLayerCA.h:
+
 2015-11-30  Brady Eidson  <beid...@apple.com>
 
         Modern IDB: Iterating index cursors to a specific key is busted.
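Review bot: The two per-file entries at the end of the new ChangeLog block ("* platform/graphics/ca/GraphicsLayerCA.cpp:" and "* platform/graphics/ca/GraphicsLayerCA.h:") are left empty, so the log does not say which functions changed. Consider listing them, for example noting that clearClones() was added and that removeCloneLayers() now calls it for each clone map, so that someone tracing this crash fix from the ChangeLog alone can find the code that clears the owner pointers.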

Modified: trunk/Source/WebCore/platform/graphics/ca/GraphicsLayerCA.cpp (192852 => 192853)


--- trunk/Source/WebCore/platform/graphics/ca/GraphicsLayerCA.cpp	2015-12-01 02:29:18 UTC (rev 192852)
+++ trunk/Source/WebCore/platform/graphics/ca/GraphicsLayerCA.cpp	2015-12-01 02:46:09 UTC (rev 192853)
@@ -3486,14 +3486,25 @@
     shapeMaskLayer = findOrMakeClone(cloneID, m_shapeMaskLayer.get(), m_shapeMaskLayerClones.get(), cloneLevel);
 }
 
+void GraphicsLayerCA::clearClones(std::unique_ptr<LayerMap>& layerMap)
+{
+    if (!layerMap)
+        return;
+
+    for (auto& layer : layerMap->values())
+        layer->setOwner(nullptr);
+    
+    layerMap = nullptr;
+}
+
 void GraphicsLayerCA::removeCloneLayers()
 {
-    m_layerClones = nullptr;
-    m_structuralLayerClones = nullptr;
-    m_contentsLayerClones = nullptr;
-    m_contentsClippingLayerClones = nullptr;
-    m_contentsShapeMaskLayerClones = nullptr;
-    m_shapeMaskLayerClones = nullptr;
+    clearClones(m_layerClones);
+    clearClones(m_structuralLayerClones);
+    clearClones(m_contentsLayerClones);
+    clearClones(m_contentsClippingLayerClones);
+    clearClones(m_contentsShapeMaskLayerClones);
+    clearClones(m_shapeMaskLayerClones);
 }
 
 FloatPoint GraphicsLayerCA::positionForCloneRootLayer() const
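Review bot: The log message says the owner pointers must be cleared when the GraphicsLayerCA is destroyed, but the only caller of clearClones() visible in this hunk is removeCloneLayers(), and nothing here shows the destructor reaching it. Please confirm that ~GraphicsLayerCA() ends up in removeCloneLayers() (or add the call), because a clone PlatformCALayer that outlives its GraphicsLayerCA would otherwise keep a stale owner pointer, which is the crash this change is meant to close. As a minor style point, the added blank line between "layer->setOwner(nullptr);" and "layerMap = nullptr;" carries trailing whitespace.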

Modified: trunk/Source/WebCore/platform/graphics/ca/GraphicsLayerCA.h (192852 => 192853)


--- trunk/Source/WebCore/platform/graphics/ca/GraphicsLayerCA.h	2015-12-01 02:29:18 UTC (rev 192852)
+++ trunk/Source/WebCore/platform/graphics/ca/GraphicsLayerCA.h	2015-12-01 02:46:09 UTC (rev 192853)
@@ -365,6 +365,8 @@
     void ensureCloneLayers(CloneID, RefPtr<PlatformCALayer>& primaryLayer, RefPtr<PlatformCALayer>& structuralLayer,
         RefPtr<PlatformCALayer>& contentsLayer, RefPtr<PlatformCALayer>& contentsClippingLayer, RefPtr<PlatformCALayer>& contentsShapeMaskLayer, RefPtr<PlatformCALayer>& shapeMaskLayer, CloneLevel);
 
+    static void clearClones(std::unique_ptr<LayerMap>&);
+
     bool hasCloneLayers() const { return !!m_layerClones; }
     void removeCloneLayers();
     FloatPoint positionForCloneRootLayer() const;
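Review bot: The new declaration "static void clearClones(std::unique_ptr<LayerMap>&);" has no comment, and its name does not convey that it nulls each clone's owner before releasing the map. A one-line comment stating that clone maps must be released through clearClones() rather than by assigning nullptr directly would keep later changes from reintroducing the pattern removed from removeCloneLayers().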