[Webkit-unassigned] [Bug 240283] [GTK] Crash in WebCore::TextureMapperLayer::paintSelf

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed May 25 03:22:57 PDT 2022


https://bugs.webkit.org/show_bug.cgi?id=240283

--- Comment #8 from Miguel Gomez <magomez at igalia.com> ---
So, recapitulating (sorry for the noise, I'm using this to order my ideas): when we have a proxy assigned to a layer, there are 4 cases that can happen after there has been a layerFlush and we're adopting the new state in the composition stage:

1- The layer is removed from the tree and the proxy is not assigned to any other layer: the deletion of the layer causes an invalidation of the proxy and both are destroyed afterwards. This works fine.

2- The layer is removed from the tree and the proxy is reassigned to a new layer: the deletion of the first layer causes the invalidation of the proxy, which is then activated on the second layer. As the first layer is destroyed, we don't have to worry about dangling references from it to the proxy's currentBuffer. This works fine.

3- The layer is kept in the tree and the proxy gets disassociated from it and not used by any other layer: we detect that the proxy is not used anymore and call invalidate on it, but the layer keeps a reference to the proxy's currentBuffer, which has been deleted during invalidate, which leads to a crash when trying to render the layer. This would require the fix in comment 7.

4- The layer is kept in the tree and the proxy gets associated to a new layer: as we detect that the proxy is still being used it's not invalidated, but it gets activated on the second layer. The first layer keeps a reference to the proxy's currentBuffer, which will be destroyed a bit later when swapBuffers is called on the proxy. This leads to a crash when trying to render the first layer. This would require the fix in comment 6.

I'm pretty sure that this crash is happening due to situations 3 or 4 (I suspect it's 3, as that would explain why it started happening on 2.36.2), but I can't confirm which one because I haven't been able to reproduce the issue. But I suspect that if one of those situations can happen, the other can too, so we probably need to fix both cases.
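The two crashing cases above (3 and 4) are both a dangling reference: the layer remembers the proxy's currentBuffer, and the proxy later frees that buffer on invalidate() or swapBuffers(). The following is an added illustration, not WebKit code and not the fix from comments 6 or 7; the classes Buffer, Proxy, RawLayer and SafeLayer are hypothetical stand-ins, and the live-buffer registry is constructed bookkeeping so the example can observe the freed buffer without touching freed memory. It shows the unsafe layer ending up with a dead buffer in both cases, and a layer that shares ownership of the buffer (RefPtr-style) surviving both.

```cpp
#include <memory>
#include <set>
#include <utility>

// Added example, not WebKit code: a simplified model of the lifetime problem in
// cases 3 and 4 of the comment. Class names are hypothetical stand-ins for the
// real TextureMapper objects.

// Constructed bookkeeping so the example can observe whether a buffer still
// exists without ever dereferencing freed memory.
static std::set<int> g_liveBuffers;

struct Buffer {
    int id;
    explicit Buffer(int i) : id(i) { g_liveBuffers.insert(id); }
    ~Buffer() { g_liveBuffers.erase(id); }
};

// The proxy owns its buffers; invalidate() models case 3 (proxy disassociated
// and invalidated) and swapBuffers() models case 4 (proxy activated on another
// layer and its current buffer replaced).
struct Proxy {
    std::shared_ptr<Buffer> currentBuffer;
    std::shared_ptr<Buffer> pendingBuffer;
    void invalidate() { currentBuffer.reset(); pendingBuffer.reset(); }
    void swapBuffers() { currentBuffer = std::move(pendingBuffer); }
};

// Unsafe layer: remembers the proxy's currentBuffer without sharing ownership
// (the id stands in for a raw pointer), so nothing keeps the buffer alive.
struct RawLayer {
    int cachedId = -1;
    void adopt(const Proxy& p) { cachedId = p.currentBuffer ? p.currentBuffer->id : -1; }
    // True when painting would touch a buffer that has already been destroyed.
    bool holdsDanglingBuffer() const {
        return cachedId != -1 && g_liveBuffers.count(cachedId) == 0;
    }
};

// Hardened layer: shares ownership of the buffer it paints from (RefPtr-style),
// so the proxy resetting its own pointer cannot free it out from under the layer.
struct SafeLayer {
    std::shared_ptr<Buffer> cached;
    void adopt(const Proxy& p) { cached = p.currentBuffer; }
    void detach() { cached.reset(); }   // explicit release once the layer stops painting it
    bool holdsDanglingBuffer() const {
        return cached && g_liveBuffers.count(cached->id) == 0;
    }
    bool canPaint() const { return cached != nullptr; }
};

// Case 3 with the unsafe layer: returns true, the cached buffer is gone.
bool rawLayerDanglesAfterInvalidate() {
    Proxy proxy;
    proxy.currentBuffer = std::make_shared<Buffer>(1);
    RawLayer layer;
    layer.adopt(proxy);
    proxy.invalidate();
    return layer.holdsDanglingBuffer();
}

// Case 4 with the unsafe layer: returns true, swapBuffers() freed the old buffer.
bool rawLayerDanglesAfterSwap() {
    Proxy proxy;
    proxy.currentBuffer = std::make_shared<Buffer>(2);
    proxy.pendingBuffer = std::make_shared<Buffer>(3);
    RawLayer layer;
    layer.adopt(proxy);
    proxy.swapBuffers();
    return layer.holdsDanglingBuffer();
}

// Case 3 with the hardened layer: returns true, the layer can still paint and
// the buffer is only freed once the layer itself lets go of it.
bool safeLayerPaintsAfterInvalidate() {
    Proxy proxy;
    proxy.currentBuffer = std::make_shared<Buffer>(4);
    SafeLayer layer;
    layer.adopt(proxy);
    proxy.invalidate();
    bool ok = layer.canPaint() && !layer.holdsDanglingBuffer();
    layer.detach();                       // last owner releases the buffer here
    return ok && g_liveBuffers.count(4) == 0;
}

// Case 4 with the hardened layer: returns true, the old buffer outlives the swap
// while the proxy already presents the new one.
bool safeLayerPaintsAfterSwap() {
    Proxy proxy;
    proxy.currentBuffer = std::make_shared<Buffer>(5);
    proxy.pendingBuffer = std::make_shared<Buffer>(6);
    SafeLayer layer;
    layer.adopt(proxy);
    proxy.swapBuffers();
    return layer.canPaint() && !layer.holdsDanglingBuffer()
        && proxy.currentBuffer->id == 6;
}
```

Shared ownership is one way to close the gap; the other is to have the proxy clear the layer's cached reference at the moment it invalidates or swaps, so the layer never holds a pointer the proxy has already released. Either way the check to keep is the same: after invalidate() or swapBuffers(), no layer still in the tree may be left pointing at a buffer the proxy has dropped.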
