[Webkit-unassigned] [Bug 240283] [GTK] Crash in WebCore::TextureMapperLayer::paintSelf

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed May 25 02:18:16 PDT 2022


https://bugs.webkit.org/show_bug.cgi?id=240283

--- Comment #6 from Miguel Gomez <magomez at igalia.com> ---
I have a theory about what could be happening here.

I know that it can happen that, during a layerFlush, a proxy is reassigned from one GraphicsLayer to a different one. In the cases I found about this, the former layer is destroyed during the flush as well. Due to this, during the composition stage, the proxy is invalidated in response to the deletion of the first layer and then it's activated in the second one, and this works fine.

My theory is that it's possible for the first layer to be kept alive while the proxy is assigned to the second one. This would mean that, on the composition stage, the proxy is not invalidated (because the first layer is still alive), and it gets activated on the second layer, but the first layer still has a reference to the proxy's currentBuffer as its contentLayer. After this there will be a swapBuffers call on the proxy, which will replace the currentBuffer and update the contentLayer of the second layer, but the first one will still hold a pointer to the released buffer. Then, when painting, we would get a crash like this, as the first layer will try to paint a buffer that has already been freed.

I need to do some debugging to check whether this scenario is possible (especially the possibility of the two layers being kept alive), but if that's the case, the fix would be something simple like:

diff --git a/Source/WebCore/platform/graphics/texmap/TextureMapperPlatformLayerProxyGL.cpp b/Source/WebCore/platform/graphics/texmap/TextureMapperPlatformLayerProxyGL.cpp
index 8d60d142089f..7c69c96aa365 100644
--- a/Source/WebCore/platform/graphics/texmap/TextureMapperPlatformLayerProxyGL.cpp
+++ b/Source/WebCore/platform/graphics/texmap/TextureMapperPlatformLayerProxyGL.cpp
@@ -65,6 +65,9 @@ void TextureMapperPlatformLayerProxyGL::activateOnCompositingThread(Compositor*
     {
         Locker locker { m_lock };
         m_compositor = compositor;
+        // If the proxy is already active on another layer, remove the layer's reference to the current buffer.
+        if (m_targetLayer)
+            m_targetLayer->setContentsLayer(nullptr);
         m_targetLayer = targetLayer;
         if (m_targetLayer && m_currentBuffer)
             m_targetLayer->setContentsLayer(m_currentBuffer.get());
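Review bot: the new `if (m_targetLayer) m_targetLayer->setContentsLayer(nullptr);` dereferences the previous target, so it is only safe if every path that destroys a layer also resets `m_targetLayer` on the proxy beforehand; otherwise this guard would itself touch a freed layer, and that assumption deserves to be stated in the comment or checked in the same patch. Two smaller points on the same lines: when `targetLayer == m_targetLayer` the code clears and immediately re-sets the same contents pointer, so `if (m_targetLayer && m_targetLayer != targetLayer)` expresses the intent more precisely, and the comment could say why the first layer can still be alive here (the scenario in the description) rather than just what the line does.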

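As an added illustration, not code from WebKit or from this comment: a small C++ model of the lifetime described above, with the patch's clearing of the previous target switchable so both outcomes can be compared. Buffer, Layer and Proxy are constructed stand-ins for the real types, and the global live-buffer set is only there so the example can detect a stale pointer without dereferencing it.

```cpp
#include <memory>
#include <set>

// Constructed stand-ins for the WebKit types named in the comment; not the real code.
struct Buffer;
static std::set<const Buffer*> g_liveBuffers; // addresses of buffers not yet freed
struct Buffer {
    Buffer() { g_liveBuffers.insert(this); }
    ~Buffer() { g_liveBuffers.erase(this); }
};
struct Layer {
    Buffer* contentsLayer = nullptr; // non-owning, like the real contentsLayer pointer
    void setContentsLayer(Buffer* buffer) { contentsLayer = buffer; }
};
struct Proxy {
    bool clearPreviousTarget;                // true = behaviour with the proposed patch applied
    Layer* m_targetLayer = nullptr;
    std::unique_ptr<Buffer> m_currentBuffer; // owning; the old buffer is freed on swap
    explicit Proxy(bool withFix) : clearPreviousTarget(withFix) {}

    void activateOnCompositingThread(Layer* targetLayer) {
        if (clearPreviousTarget && m_targetLayer)
            m_targetLayer->setContentsLayer(nullptr); // the check the patch adds
        m_targetLayer = targetLayer;
        if (m_targetLayer && m_currentBuffer)
            m_targetLayer->setContentsLayer(m_currentBuffer.get());
    }
    void swapBuffers() {
        m_currentBuffer = std::make_unique<Buffer>(); // allocates the new buffer, then frees the old one
        if (m_targetLayer)
            m_targetLayer->setContentsLayer(m_currentBuffer.get());
    }
};

// Compares pointer values only (never dereferences) to tell whether a layer references a freed buffer.
static bool pointsToFreedBuffer(const Layer& layer) {
    return layer.contentsLayer && !g_liveBuffers.count(layer.contentsLayer);
}

// Replays the theory: proxy active on A, reassigned to B while A stays alive, then a swap.
// Returns true when layer A is left pointing at the released buffer.
bool firstLayerDangles(bool withFix) {
    Layer a, b;
    Proxy proxy(withFix);
    proxy.m_currentBuffer = std::make_unique<Buffer>();
    proxy.activateOnCompositingThread(&a);
    proxy.activateOnCompositingThread(&b); // A is not destroyed, so nothing invalidates the proxy for it
    proxy.swapBuffers();                   // frees the buffer A still holds
    return pointsToFreedBuffer(a);
}
```

Without the patch, `firstLayerDangles(false)` is true and a later paint of layer A would read freed memory; with it, A's contents pointer is cleared before the swap.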