[Webkit-unassigned] [Bug 179304] [GTK] Many webpages can crash the browser in WebCore::CoordinatedGraphicsLayer::transformedVisibleRect

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Apr 17 18:23:47 PDT 2018


https://bugs.webkit.org/show_bug.cgi?id=179304

--- Comment #17 from Carlos Eduardo Ramalho <cadubentzen at gmail.com> ---
The crash happens basically because m_coordinator is null at 

FloatRect rect = m_cachedInverseTransform.clampedBoundsOfProjectedQuad(FloatQuad(m_coordinator->visibleContentsRect()));

And it happens after AC goes through on -> off -> on. 

> Just wait 30 seconds and scroll down a bit (I don't know what triggers the bug, but I always get the crash).

We have to wait a few seconds because there is a 5s timer to free the resources when turning AC off. 

When AC is turned off, all CoordinatedGraphicsLayers should be destroyed, I believe. However in this page some layers are not destroyed and left with a null m_coordinator, which happens in CompositingCoordinator destructor:

for (auto& registeredLayer : m_registeredLayers.values())
    registeredLayer->setCoordinator(nullptr);

Then, when AC is on again, those same layers are reused with m_coordinator == nullptr, which results in the crash.

> https://www.harrypotterplatform934.com/pages/faqs

On this page specifically, the node that causes the crash is a div inside an iframe that has a CSS animation on the translateY property (which is what triggers AC on, I guess). The iframe has 0px width and 0px height, though, so it does not show on the screen, and I'm not sure GraphicsLayers should be created for it in this case. This page, however, is quite big and the CSS properties are maybe changed via JS. So other pages would help to understand this more easily.
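A minimal C++ model of the lifecycle described in this comment, added here as an illustration; it is not WebKit code. The class and member names mirror the ones quoted above, but the stand-in FloatRect, the std::optional return used as a null guard, and the toggle helpers are assumptions.

```cpp
#include <optional>
#include <vector>

struct FloatRect { float x = 0, y = 0, w = 0, h = 0; }; // stand-in for WebCore::FloatRect

class CompositingCoordinator;

class CoordinatedGraphicsLayer {
public:
    void setCoordinator(CompositingCoordinator* c) { m_coordinator = c; }
    // Guarded version: returns nullopt instead of dereferencing a null coordinator.
    std::optional<FloatRect> transformedVisibleRect() const;
private:
    CompositingCoordinator* m_coordinator = nullptr;
};

class CompositingCoordinator {
public:
    // Mirrors the destructor loop quoted above: every registered layer loses its back-pointer.
    ~CompositingCoordinator() { for (auto* l : m_registeredLayers) l->setCoordinator(nullptr); }
    void registerLayer(CoordinatedGraphicsLayer* l) { m_registeredLayers.push_back(l); l->setCoordinator(this); }
    FloatRect visibleContentsRect() const { return {0, 0, 800, 600}; } // constructed sample viewport
private:
    std::vector<CoordinatedGraphicsLayer*> m_registeredLayers;
};

std::optional<FloatRect> CoordinatedGraphicsLayer::transformedVisibleRect() const {
    if (!m_coordinator) return std::nullopt; // the check whose absence produces the crash
    return m_coordinator->visibleContentsRect();
}

// AC on -> off -> on, with a layer that survives the "off" phase and is reused unregistered.
bool staleLayerHasNoRect() {
    CoordinatedGraphicsLayer survivor; // the layer that is not destroyed when AC turns off
    { CompositingCoordinator first; first.registerLayer(&survivor); } // AC off: coordinator nulled
    CompositingCoordinator second;     // AC on again, but survivor is never re-registered
    return !survivor.transformedVisibleRect().has_value();
}

// Same toggle, but the surviving layer is re-registered with the new coordinator.
bool reregisteredLayerHasRect() {
    CoordinatedGraphicsLayer survivor;
    { CompositingCoordinator first; first.registerLayer(&survivor); }
    CompositingCoordinator second;
    second.registerLayer(&survivor);
    auto rect = survivor.transformedVisibleRect();
    return rect.has_value() && rect->w == 800 && rect->h == 600;
}
```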
