[Webkit-unassigned] [Bug 240283] [GTK] Crash in WebCore::TextureMapperLayer::paintSelf

bugzilla-daemon at webkit.org
Wed May 25 02:36:38 PDT 2022


https://bugs.webkit.org/show_bug.cgi?id=240283

--- Comment #7 from Miguel Gomez <magomez at igalia.com> ---
Ah! and another theory, a bit simpler and that would explain why this started happening on 2.36.2, after https://github.com/WebKit/WebKit/commit/fb8ed3d7e9868de82621015783d1f0cc1080b4e4 was added.

This would involve a proxy being disassociated from a layer during the layerFlush, but the layer being kept alive.

Before the mentioned commit, during composition, invalidate wouldn't be called on the proxy, and the layer would keep painting the proxy's currentBuffer, which led to a use-after-free when the proxy was destroyed.

With the commit, invalidate is now called on the proxy as we detect that it's not being used anymore. But even with that, we're not removing the layer's reference to the proxy's currentBuffer. And as the currentBuffer is freed when invalidate is called, trying to paint the layer would cause a crash like this.

To fix this we would need to remove the targetLayer's reference to the currentBuffer during invalidate (which makes a lot of sense IMO).

diff --git a/Source/WebCore/platform/graphics/texmap/TextureMapperPlatformLayerProxyGL.cpp b/Source/WebCore/platform/graphics/texmap/TextureMapperPlatformLayerProxyGL.cpp
index 8d60d142089f..89dec13a6c28 100644
--- a/Source/WebCore/platform/graphics/texmap/TextureMapperPlatformLayerProxyGL.cpp
+++ b/Source/WebCore/platform/graphics/texmap/TextureMapperPlatformLayerProxyGL.cpp
@@ -94,7 +94,10 @@ void TextureMapperPlatformLayerProxyGL::invalidate()
     {
         Locker locker { m_lock };
         m_compositor = nullptr;
-        m_targetLayer = nullptr;
+        if (m_targetLayer) {
+            m_targetLayer->setContentsLayer(nullptr);
+            m_targetLayer = nullptr;
+        }

         m_currentBuffer = nullptr;
         m_pendingBuffer = nullptr;
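Review bot: The ordering in this hunk is what carries the fix, and it deserves a comment: `m_targetLayer->setContentsLayer(nullptr);` must run before `m_currentBuffer = nullptr;`, because the layer's pointer to the proxy-owned buffer is the reference left dangling once the buffer is released; a one-line comment above the new `if (m_targetLayer)` block would stop a future reorder from silently reintroducing the use-after-free. It is also worth confirming that `setContentsLayer(nullptr)` does nothing that re-enters `m_lock` or assumes a particular thread, since it is now invoked while `Locker locker { m_lock };` is held.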

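A reduced model of the lifecycle described in the comment, added here as an illustration and not WebKit's own code: the proxy owns the buffer, the layer holds a raw pointer to it, and the pre-patch invalidate frees the buffer while the layer still points at it. The class and member names (Buffer, Layer, Proxy, activate, invalidateBuggy, invalidateFixed) are constructed for the demo and only mirror the identifiers in the bug.

```cpp
#include <memory>
#include <mutex>

struct Buffer {
    static int destroyed;                 // counts freed buffers (constructed for the demo)
    ~Buffer() { ++destroyed; }
};
int Buffer::destroyed = 0;

// The layer keeps a raw, non-owning pointer to the proxy's buffer: the stale reference in the bug.
struct Layer {
    const Buffer* contents = nullptr;
    void setContentsLayer(const Buffer* b) { contents = b; }
};

struct Proxy {
    std::mutex lock;
    Layer* targetLayer = nullptr;
    std::unique_ptr<Buffer> currentBuffer;

    void activate(Layer& layer) {
        std::lock_guard<std::mutex> locker(lock);
        currentBuffer.reset(new Buffer);
        targetLayer = &layer;
        targetLayer->setContentsLayer(currentBuffer.get());   // layer now points at our buffer
    }
    // Pre-patch: proxy drops its own references and frees the buffer, but the
    // layer still points at it and would paint freed memory.
    void invalidateBuggy() {
        std::lock_guard<std::mutex> locker(lock);
        targetLayer = nullptr;
        currentBuffer = nullptr;          // Buffer destroyed here
    }
    // Post-patch: clear the layer's reference under the same lock, then free.
    void invalidateFixed() {
        std::lock_guard<std::mutex> locker(lock);
        if (targetLayer) {
            targetLayer->setContentsLayer(nullptr);
            targetLayer = nullptr;
        }
        currentBuffer = nullptr;
    }
};

// Runs activate + invalidate and reports whether the layer still points at the
// freed buffer; checked by pointer value only, the pointer is never dereferenced.
bool layerDanglesAfterInvalidate(bool applyFix) {
    Layer layer; Proxy proxy;
    proxy.activate(layer);
    int before = Buffer::destroyed;
    if (applyFix) proxy.invalidateFixed(); else proxy.invalidateBuggy();
    return Buffer::destroyed == before + 1 && layer.contents != nullptr;
}
```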