[webkit-changes] [WebKit/WebKit] fe1e48: Invalidate GlyphDisplayListCache entries in more p...

Cameron McCormack noreply at github.com
Mon Jan 22 14:26:58 PST 2024


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: fe1e4812260edf0b2117c1f78ddecd7c3d584f86
      https://github.com/WebKit/WebKit/commit/fe1e4812260edf0b2117c1f78ddecd7c3d584f86
  Author: Cameron McCormack <heycam at apple.com>
  Date:   2024-01-22 (Mon, 22 Jan 2024)

  Changed paths:
    M Source/WebCore/Headers.cmake
    M Source/WebCore/Sources.txt
    M Source/WebCore/WebCore.xcodeproj/project.pbxproj
    M Source/WebCore/layout/formattingContexts/inline/display/InlineDisplayBox.h
    M Source/WebCore/layout/formattingContexts/inline/display/InlineDisplayContent.cpp
    M Source/WebCore/layout/integration/inline/LayoutIntegrationInlineContent.cpp
    M Source/WebCore/layout/integration/inline/LayoutIntegrationInlineContent.h
    M Source/WebCore/rendering/GlyphDisplayListCache.cpp
    M Source/WebCore/rendering/GlyphDisplayListCache.h
    A Source/WebCore/rendering/GlyphDisplayListCacheRemoval.cpp
    A Source/WebCore/rendering/GlyphDisplayListCacheRemoval.h
    M Source/WebCore/rendering/LegacyInlineBox.h
    M Source/WebCore/rendering/LegacyInlineTextBox.cpp
    M Source/WebCore/rendering/LegacyInlineTextBox.h
    M Source/WebCore/rendering/ReferencedSVGResources.cpp
    M Source/WebCore/rendering/TextPainter.h

  Log Message:
  -----------
  Invalidate GlyphDisplayListCache entries in more places
https://bugs.webkit.org/show_bug.cgi?id=267843
rdar://119833765

Reviewed by Simon Fraser.

With IFC, we currently remove entries from the GlyphDisplayListCache in
the InlineDisplay::Content destructor, and in some of the
LayoutIntegration::InlineContent mutation methods. But we are not
removing enough entries, since we use InlineDisplay::Box pointers as the
GlyphDisplayListCache::m_entriesForLayoutRun keys, but we store
InlineDisplay::Box objects in vectors, so they can move around in memory.

This can cause us to replay the wrong display list, if we're unlucky
enough to place an InlineDisplay::Box at the same address as one of the
stale pointers. (This is not a security issue, since we only use the
InlineDisplay::Box pointer as an opaque key, and we always hold a strong
reference to the display list stored in the map.)

Change to remove entries from the GlyphDisplayListCache in the
destructor of InlineDisplay::Box instead. Store a bit on InlineDisplay::Box
and LegacyInlineTextBox to record whether the box is present in the
GlyphDisplayListCache, and only attempt to remove it if the bit is set.
This avoids the overhead of hashing the pointer and looking up the
GlyphDisplayListCache map in the common case of the cache not being
engaged (and, for InlineDisplay::Box, if it's not a text box).

(This does add an explicit destructor to InlineDisplay::Box, but the
class already has a non-trivial destructor due to the CheckedPtr it
stores.)

* Source/WebCore/Headers.cmake:
* Source/WebCore/Sources.txt:
* Source/WebCore/WebCore.xcodeproj/project.pbxproj:
* Source/WebCore/layout/formattingContexts/inline/display/InlineDisplayBox.h:
(WebCore::InlineDisplay::Box::setIsInGlyphDisplayListCache):
(WebCore::InlineDisplay::Box::Box):
(WebCore::InlineDisplay::Box::~Box):
(WebCore::InlineDisplay::Box::removeFromGlyphDisplayListCache):
* Source/WebCore/layout/formattingContexts/inline/display/InlineDisplayContent.cpp:
(WebCore::InlineDisplay::Content::clear):
(WebCore::InlineDisplay::Content::set):
(WebCore::InlineDisplay::Content::remove):
(WebCore::InlineDisplay::invalidateGlyphCache): Deleted.
* Source/WebCore/layout/integration/inline/LayoutIntegrationInlineContent.cpp:
(WebCore::LayoutIntegration::InlineContent::~InlineContent): Deleted.
* Source/WebCore/layout/integration/inline/LayoutIntegrationInlineContent.h:
* Source/WebCore/rendering/GlyphDisplayListCache.cpp:
(WebCore::GlyphDisplayListCache::getDisplayList):
(WebCore::GlyphDisplayListCache::get):
* Source/WebCore/rendering/GlyphDisplayListCache.h:
(WebCore::GlyphDisplayListCache::get): Deleted.
* Source/WebCore/rendering/GlyphDisplayListCacheRemoval.cpp: Added.
(WebCore::removeBoxFromGlyphDisplayListCache):
* Source/WebCore/rendering/GlyphDisplayListCacheRemoval.h: Added.
* Source/WebCore/rendering/LegacyInlineBox.h:
(WebCore::LegacyInlineBox::isInGlyphDisplayListCache const):
(WebCore::LegacyInlineBox::setIsInGlyphDisplayListCache):
* Source/WebCore/rendering/LegacyInlineTextBox.cpp:
(WebCore::LegacyInlineTextBox::~LegacyInlineTextBox):
* Source/WebCore/rendering/LegacyInlineTextBox.h:
(WebCore::LegacyInlineTextBox::removeFromGlyphDisplayListCache):
* Source/WebCore/rendering/TextPainter.h:
(WebCore::TextPainter::setGlyphDisplayListIfNeeded):
(WebCore::TextPainter::removeGlyphDisplayList): Deleted.

Canonical link: https://commits.webkit.org/273320@main
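The commit message above describes a cache keyed by the address of an object that lives in a vector, and the fix of removing the entry from the object's destructor, guarded by a bit so the common uncached case never touches the map. The following is an added, self-contained example written for this page; it is not WebKit code and none of its names (GlyphCache, NaiveBox, Box, paint) are the project's. It reproduces the stale-key replay with a "before" box type, then shows the destructor-plus-bit scheme; because std::vector::erase move-assigns elements onto the addresses used as keys, the example also clears the entry from the move-assignment operator, which is an assumption of this example rather than something the commit message states.

```cpp
// Added example, not WebKit code: a toy model of a glyph display-list cache
// keyed by box address, showing the stale-key replay described in the commit
// message and the destructor-based invalidation it adopts.
#include <cstdio>
#include <memory>
#include <string>
#include <unordered_map>
#include <utility>
#include <vector>

struct DisplayList { std::string glyphs; };  // stands in for recorded paint commands

// Hypothetical cache: as with GlyphDisplayListCache::m_entriesForLayoutRun, the key
// is only an opaque address and the map holds a strong reference to the list, so a
// stale key can replay the wrong list but never dereferences freed memory.
class GlyphCache {
public:
    static GlyphCache& singleton() { static GlyphCache cache; return cache; }
    DisplayList* get(const void* key) {
        auto it = m_entries.find(key);
        return it == m_entries.end() ? nullptr : it->second.get();
    }
    void set(const void* key, std::shared_ptr<DisplayList> list) { m_entries[key] = std::move(list); }
    void remove(const void* key) { ++removeCalls; m_entries.erase(key); }
    void clear() { m_entries.clear(); removeCalls = 0; }
    size_t size() const { return m_entries.size(); }
    size_t removeCalls = 0;  // map lookups done for removal: the cost the bit avoids
private:
    std::unordered_map<const void*, std::shared_ptr<DisplayList>> m_entries;
};

// "Before": nothing invalidates the entry when the box moves or dies.
struct NaiveBox { std::string text; };

// "After": the box remembers whether it has an entry and drops it on destruction.
// Assumption of this example: move operations keep the invariant too, because
// vector::erase moves later elements onto the addresses used as keys.
class Box {
public:
    explicit Box(std::string text) : m_text(std::move(text)) {}
    Box(Box&& other) noexcept : m_text(std::move(other.m_text)) {}  // new object starts uncached
    Box& operator=(Box&& other) noexcept {
        if (this != &other) {
            removeFromGlyphCache();  // this address is about to describe different text
            m_text = std::move(other.m_text);
        }
        return *this;
    }
    Box(const Box&) = delete;
    Box& operator=(const Box&) = delete;
    ~Box() { removeFromGlyphCache(); }
    const std::string& text() const { return m_text; }
    void setIsInGlyphCache(bool value) { m_isInGlyphCache = value; }
private:
    void removeFromGlyphCache() {
        if (!m_isInGlyphCache) return;  // common case: no hashing, no map lookup
        GlyphCache::singleton().remove(this);
        m_isInGlyphCache = false;
    }
    std::string m_text;
    bool m_isInGlyphCache = false;
};

// Replay the cached list for this address if present, else record one.
// Returns the glyphs drawn, which should always equal the box's text.
std::string paint(const NaiveBox& box) {
    auto& cache = GlyphCache::singleton();
    if (auto* list = cache.get(&box)) return list->glyphs;
    cache.set(&box, std::make_shared<DisplayList>(DisplayList{box.text}));
    return box.text;
}
std::string paint(Box& box) {
    auto& cache = GlyphCache::singleton();
    if (auto* list = cache.get(&box)) return list->glyphs;
    cache.set(&box, std::make_shared<DisplayList>(DisplayList{box.text()}));
    box.setIsInGlyphCache(true);
    return box.text();
}

// Erase the first of two boxes so the second lands on the first one's address,
// then paint whatever now lives there. Returns {glyphs drawn, text of that box}.
std::pair<std::string, std::string> naiveReplayAfterErase() {
    auto& cache = GlyphCache::singleton();
    cache.clear();
    std::vector<NaiveBox> boxes;
    boxes.reserve(2);
    boxes.push_back({"Hello"});
    boxes.push_back({"World"});
    paint(boxes[0]);                      // caches "Hello" under &boxes[0]
    boxes.erase(boxes.begin());           // "World" now occupies that address
    std::string drawn = paint(boxes[0]);  // stale key hit: replays "Hello"
    std::string actual = boxes[0].text;
    cache.clear();                        // nothing else would ever drop the dead key
    return {drawn, actual};
}
std::pair<std::string, std::string> fixedReplayAfterErase() {
    GlyphCache::singleton().clear();
    std::vector<Box> boxes;
    boxes.reserve(2);
    boxes.emplace_back("Hello");
    boxes.emplace_back("World");
    paint(boxes[0]);
    boxes.erase(boxes.begin());           // move-assignment drops the "Hello" entry
    return {paint(boxes[0]), boxes[0].text()};  // miss: records "World" afresh
}
// Boxes that never entered the cache are destroyed without touching the map.
size_t removeCallsForUncachedBoxes() {
    GlyphCache::singleton().clear();
    { std::vector<Box> boxes; for (int i = 0; i < 100; ++i) boxes.emplace_back("run"); }
    return GlyphCache::singleton().removeCalls;
}

int main() {
    auto naive = naiveReplayAfterErase();
    auto fixed = fixedReplayAfterErase();
    std::printf("naive: drew \"%s\" for box \"%s\"\n", naive.first.c_str(), naive.second.c_str());
    std::printf("fixed: drew \"%s\" for box \"%s\"\n", fixed.first.c_str(), fixed.second.c_str());
    std::printf("remove calls for 100 uncached boxes: %zu\n", removeCallsForUncachedBoxes());
    return 0;
}
```

Run stand-alone it prints "Hello" drawn for a box whose text is "World" in the naive case and "World" in the fixed one; the last line shows that destroying boxes which never entered the cache costs no map lookups, which is the point of the per-box bit.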