<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[203449] trunk/Source/WebKit2</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/203449">203449</a></dd>
<dt>Author</dt> <dd>carlosgc@webkit.org</dd>
<dt>Date</dt> <dd>2016-07-20 05:17:37 -0700 (Wed, 20 Jul 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>[Threaded Compositor] Web Process crash when the layer tree host is destroyed
https://bugs.webkit.org/show_bug.cgi?id=159922
Reviewed by Sergio Villar Senin.
It happens when the layer tree host is destroyed after the didChangeVisibleRect is scheduled to be run in the
main thread, but before it's actually dispatched. In that case the threaded compositor client points to a
deleted object and crashes when trying to dereference it.
* Shared/CoordinatedGraphics/threadedcompositor/ThreadedCompositor.cpp:
(WebKit::ThreadedCompositor::~ThreadedCompositor): Add an assert to ensure invalidate is always called before
the object is deleted.
(WebKit::ThreadedCompositor::invalidate): Terminate the compositing thread and nullify the client.
(WebKit::ThreadedCompositor::didChangeVisibleRect): Return early if the client is null when the task is
dispatched in the main thread.
* Shared/CoordinatedGraphics/threadedcompositor/ThreadedCompositor.h: Add invalidate().
* WebProcess/WebPage/CoordinatedGraphics/ThreadedCoordinatedLayerTreeHost.cpp:
(WebKit::ThreadedCoordinatedLayerTreeHost::invalidate): Invalidate the ThreadedCompositor and chain up.
* WebProcess/WebPage/CoordinatedGraphics/ThreadedCoordinatedLayerTreeHost.h:</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceWebKit2ChangeLog">trunk/Source/WebKit2/ChangeLog</a></li>
<li><a href="#trunkSourceWebKit2SharedCoordinatedGraphicsthreadedcompositorThreadedCompositorcpp">trunk/Source/WebKit2/Shared/CoordinatedGraphics/threadedcompositor/ThreadedCompositor.cpp</a></li>
<li><a href="#trunkSourceWebKit2SharedCoordinatedGraphicsthreadedcompositorThreadedCompositorh">trunk/Source/WebKit2/Shared/CoordinatedGraphics/threadedcompositor/ThreadedCompositor.h</a></li>
<li><a href="#trunkSourceWebKit2WebProcessWebPageCoordinatedGraphicsThreadedCoordinatedLayerTreeHostcpp">trunk/Source/WebKit2/WebProcess/WebPage/CoordinatedGraphics/ThreadedCoordinatedLayerTreeHost.cpp</a></li>
<li><a href="#trunkSourceWebKit2WebProcessWebPageCoordinatedGraphicsThreadedCoordinatedLayerTreeHosth">trunk/Source/WebKit2/WebProcess/WebPage/CoordinatedGraphics/ThreadedCoordinatedLayerTreeHost.h</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceWebKit2ChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/ChangeLog (203448 => 203449)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/ChangeLog 2016-07-20 08:50:16 UTC (rev 203448)
+++ trunk/Source/WebKit2/ChangeLog 2016-07-20 12:17:37 UTC (rev 203449)
</span><span class="lines">@@ -1,3 +1,25 @@
</span><ins>+2016-07-20 Carlos Garcia Campos <cgarcia@igalia.com>
+
+ [Threaded Compositor] Web Process crash when the layer tree host is destroyed
+ https://bugs.webkit.org/show_bug.cgi?id=159922
+
+ Reviewed by Sergio Villar Senin.
+
+ It happens when the layer tree host is destroyed after the didChangeVisibleRect is scheduled to be run in the
+ main thread, but before it's actually dispatched. In that case the threaded compositor client points to a
+ deleted object and crashes when trying to dereference it.
+
+ * Shared/CoordinatedGraphics/threadedcompositor/ThreadedCompositor.cpp:
+ (WebKit::ThreadedCompositor::~ThreadedCompositor): Add an assert to ensure invalidate is always called before
+ the object is deleted.
+ (WebKit::ThreadedCompositor::invalidate): Terminate the compositing thread and nullify the client.
+ (WebKit::ThreadedCompositor::didChangeVisibleRect): Return early if the client is null when the task is
+ dispatched in the main thread.
+ * Shared/CoordinatedGraphics/threadedcompositor/ThreadedCompositor.h: Add invalidate().
+ * WebProcess/WebPage/CoordinatedGraphics/ThreadedCoordinatedLayerTreeHost.cpp:
+ (WebKit::ThreadedCoordinatedLayerTreeHost::invalidate): Invalidate the ThreadedCompositor and chain up.
+ * WebProcess/WebPage/CoordinatedGraphics/ThreadedCoordinatedLayerTreeHost.h:
+
</ins><span class="cx"> 2016-07-19 Brian Burg <bburg@apple.com>
</span><span class="cx">
</span><span class="cx"> Web Automation: WebAutomationSessionProxy's HashMaps should support '0' as valid keys
</span></span></pre></div>
<a id="trunkSourceWebKit2SharedCoordinatedGraphicsthreadedcompositorThreadedCompositorcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/Shared/CoordinatedGraphics/threadedcompositor/ThreadedCompositor.cpp (203448 => 203449)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/Shared/CoordinatedGraphics/threadedcompositor/ThreadedCompositor.cpp 2016-07-20 08:50:16 UTC (rev 203448)
+++ trunk/Source/WebKit2/Shared/CoordinatedGraphics/threadedcompositor/ThreadedCompositor.cpp 2016-07-20 12:17:37 UTC (rev 203449)
</span><span class="lines">@@ -56,7 +56,13 @@
</span><span class="cx">
</span><span class="cx"> ThreadedCompositor::~ThreadedCompositor()
</span><span class="cx"> {
</span><ins>+ ASSERT(!m_client);
+}
+
+void ThreadedCompositor::invalidate()
+{
</ins><span class="cx"> terminateCompositingThread();
</span><ins>+ m_client = nullptr;
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void ThreadedCompositor::setNativeSurfaceHandleForCompositing(uint64_t handle)
</span><span class="lines">@@ -174,7 +180,8 @@
</span><span class="cx"> void ThreadedCompositor::didChangeVisibleRect()
</span><span class="cx"> {
</span><span class="cx"> RunLoop::main().dispatch([this, protectedThis = makeRef(*this), visibleRect = m_viewportController->visibleContentsRect(), scale = m_viewportController->pageScaleFactor()] {
</span><del>- m_client->setVisibleContentsRect(visibleRect, FloatPoint::zero(), scale);
</del><ins>+ if (m_client)
+ m_client->setVisibleContentsRect(visibleRect, FloatPoint::zero(), scale);
</ins><span class="cx"> });
</span><span class="cx">
</span><span class="cx"> scheduleDisplayImmediately();
</span></span></pre></div>
<a id="trunkSourceWebKit2SharedCoordinatedGraphicsthreadedcompositorThreadedCompositorh"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/Shared/CoordinatedGraphics/threadedcompositor/ThreadedCompositor.h (203448 => 203449)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/Shared/CoordinatedGraphics/threadedcompositor/ThreadedCompositor.h 2016-07-20 08:50:16 UTC (rev 203448)
+++ trunk/Source/WebKit2/Shared/CoordinatedGraphics/threadedcompositor/ThreadedCompositor.h 2016-07-20 12:17:37 UTC (rev 203449)
</span><span class="lines">@@ -75,6 +75,8 @@
</span><span class="cx"> void scrollTo(const WebCore::IntPoint&);
</span><span class="cx"> void scrollBy(const WebCore::IntSize&);
</span><span class="cx">
</span><ins>+ void invalidate();
+
</ins><span class="cx"> private:
</span><span class="cx"> ThreadedCompositor(Client*);
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceWebKit2WebProcessWebPageCoordinatedGraphicsThreadedCoordinatedLayerTreeHostcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/WebProcess/WebPage/CoordinatedGraphics/ThreadedCoordinatedLayerTreeHost.cpp (203448 => 203449)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/WebProcess/WebPage/CoordinatedGraphics/ThreadedCoordinatedLayerTreeHost.cpp 2016-07-20 08:50:16 UTC (rev 203448)
+++ trunk/Source/WebKit2/WebProcess/WebPage/CoordinatedGraphics/ThreadedCoordinatedLayerTreeHost.cpp 2016-07-20 12:17:37 UTC (rev 203449)
</span><span class="lines">@@ -54,6 +54,12 @@
</span><span class="cx"> {
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+void ThreadedCoordinatedLayerTreeHost::invalidate()
+{
+ m_compositor->invalidate();
+ CoordinatedLayerTreeHost::invalidate();
+}
+
</ins><span class="cx"> void ThreadedCoordinatedLayerTreeHost::scrollNonCompositedContents(const WebCore::IntRect& rect)
</span><span class="cx"> {
</span><span class="cx"> m_compositor->scrollTo(rect.location());
</span></span></pre></div>
<a id="trunkSourceWebKit2WebProcessWebPageCoordinatedGraphicsThreadedCoordinatedLayerTreeHosth"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebKit2/WebProcess/WebPage/CoordinatedGraphics/ThreadedCoordinatedLayerTreeHost.h (203448 => 203449)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebKit2/WebProcess/WebPage/CoordinatedGraphics/ThreadedCoordinatedLayerTreeHost.h 2016-07-20 08:50:16 UTC (rev 203448)
+++ trunk/Source/WebKit2/WebProcess/WebPage/CoordinatedGraphics/ThreadedCoordinatedLayerTreeHost.h 2016-07-20 12:17:37 UTC (rev 203449)
</span><span class="lines">@@ -58,6 +58,8 @@
</span><span class="cx"> void contentsSizeChanged(const WebCore::IntSize&) override;
</span><span class="cx"> void didChangeViewportProperties(const WebCore::ViewportAttributes&) override;
</span><span class="cx">
</span><ins>+ void invalidate() override;
+
</ins><span class="cx"> #if PLATFORM(GTK)
</span><span class="cx"> void setNativeSurfaceHandleForCompositing(uint64_t) override;
</span><span class="cx"> #endif
</span></span></pre>
</div>
</div>
</body>
</html>