[webkit-changes] [WebKit/WebKit] cc7c4e: [IFC][Invalidation] Partial invalidation with cont...

Alan Baradlay noreply at github.com
Fri Apr 21 05:51:37 PDT 2023 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: cc7c4e03e0e9016b08f91714cac7eec20b91da24
      https://github.com/WebKit/WebKit/commit/cc7c4e03e0e9016b08f91714cac7eec20b91da24
  Author: Alan Baradlay <zalan at apple.com>
  Date:   2023-04-21 (Fri, 21 Apr 2023)

  Changed paths:
    A LayoutTests/fast/inline/invalidation-crash-under-memory-pressure-expected.txt
    A LayoutTests/fast/inline/invalidation-crash-under-memory-pressure.html
    M Source/WebCore/layout/formattingContexts/inline/invalidation/InlineInvalidation.cpp
    M Source/WebCore/layout/formattingContexts/inline/invalidation/InlineInvalidation.h
    M Source/WebCore/layout/integration/inline/LayoutIntegrationLineLayout.cpp

  Log Message:
  -----------
  [IFC][Invalidation] Partial invalidation with content removal crashes when under memory pressure
https://bugs.webkit.org/show_bug.cgi?id=255744
<rdar://107132083>

Reviewed by Antti Koivisto.

Under memory pressure we choose not to proceed with partial invalidation.
However at this point we already removed the associated layout box from the tree and instead of retaining it
until after the subsequent layout (see InlineDamage) we simply let it get destroyed when returning from the current scope.
Since display content still holds a weak reference to this box, CheckedPtr's release assert kicks in.

Let's not mutate the layout tree unless we managed to run partial invalidation.

* LayoutTests/fast/inline/invalidation-crash-under-memory-pressure-expected.txt: Added.
* LayoutTests/fast/inline/invalidation-crash-under-memory-pressure.html: Added.
* Source/WebCore/layout/formattingContexts/inline/invalidation/InlineInvalidation.cpp:
(WebCore::Layout::InlineInvalidation::textWillBeRemoved):
(WebCore::Layout::InlineInvalidation::inlineLevelBoxWillBeRemoved):
* Source/WebCore/layout/formattingContexts/inline/invalidation/InlineInvalidation.h:
(WebCore::Layout::InlineInvalidation::textWillBeRemoved):
* Source/WebCore/layout/integration/inline/LayoutIntegrationLineLayout.cpp:
(WebCore::LayoutIntegration::LineLayout::removedFromTree):

Canonical link: https://commits.webkit.org/263234@main

More information about the webkit-changes mailing list