WebKit Bugzilla
Attachment 342152 Details for Bug 186207: [ASan / StressGC] DumpRenderTree crashed in com.apple.WebCore: WebCore::EventTarget::ref + 16
Patch: bug-186207-20180607143054.patch (text/plain), 5.62 KB, created by Antoine Quint on 2018-06-07 05:30:56 PDT
>Subversion Revision: 232573 >diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog >index c27e6b45d67d7e440f531184f5f62fab7492d17d..8cd7df600f7cd94b526f911ada0a7265121a7435 100644 >--- a/Source/WebCore/ChangeLog >+++ b/Source/WebCore/ChangeLog >@@ -1,3 +1,30 @@ >+2018-06-07 Antoine Quint <graouts@apple.com> >+ >+ [ASan / StressGC] DumpRenderTree crashed in com.apple.WebCore: WebCore::EventTarget::ref + 16 >+ https://bugs.webkit.org/show_bug.cgi?id=186207 >+ <rdar://problem/40568747> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Ensure that we clear the DOM event queue for declarative animations once an animation is cleared for >+ an element since the element can be deleted before events get dispatched asynchronouly for this animation. >+ >+ We also only call AnimationTimeline::removeAnimationsForElement() from RenderTreeUpdater::tearDownRenderers() >+ in the case where we're tearing down the whole document as otherwise this would yield early clearing of the event >+ queue in the case where an element would get a "display: none" style. >+ >+ * animation/AnimationTimeline.cpp: >+ (WebCore::AnimationTimeline::removeAnimationsForElement): >+ * animation/DeclarativeAnimation.cpp: >+ (WebCore::DeclarativeAnimation::~DeclarativeAnimation): >+ (WebCore::DeclarativeAnimation::prepareAnimationForRemoval): >+ * animation/DeclarativeAnimation.h: >+ * animation/WebAnimation.cpp: >+ (WebCore::WebAnimation::prepareAnimationForRemoval): >+ * animation/WebAnimation.h: >+ * rendering/updating/RenderTreeUpdater.cpp: >+ (WebCore::RenderTreeUpdater::tearDownRenderers): >+ > 2018-06-06 Youenn Fablet <youenn@apple.com> > > HTTP Header values validation is too strict >diff --git a/Source/WebCore/animation/AnimationTimeline.cpp b/Source/WebCore/animation/AnimationTimeline.cpp >index 3334ad3270ad78f17c746b5eaad67c8c130dd8d9..f2dc31f1133451d9b0bef24a29cefff2d35b5d23 100644 >--- a/Source/WebCore/animation/AnimationTimeline.cpp >+++ b/Source/WebCore/animation/AnimationTimeline.cpp 
>@@ -153,7 +153,7 @@ Vector<RefPtr<WebAnimation>> AnimationTimeline::animationsForElement(Element& el > void AnimationTimeline::removeAnimationsForElement(Element& element) > { > for (auto& animation : animationsForElement(element)) { >- animation->setEffectInternal(nullptr); >+ animation->prepareAnimationForRemoval(); > removeAnimation(animation.releaseNonNull()); > } > } >diff --git a/Source/WebCore/animation/DeclarativeAnimation.cpp b/Source/WebCore/animation/DeclarativeAnimation.cpp >index 6404aa343e160ddb46480f2f7f94d5b7703a661c..646b0eb50f5eeb95f08a3728cc48a04547340857 100644 >--- a/Source/WebCore/animation/DeclarativeAnimation.cpp >+++ b/Source/WebCore/animation/DeclarativeAnimation.cpp >@@ -47,6 +47,11 @@ DeclarativeAnimation::DeclarativeAnimation(Element& target, const Animation& bac > > DeclarativeAnimation::~DeclarativeAnimation() > { >+} >+ >+void DeclarativeAnimation::prepareAnimationForRemoval() >+{ >+ WebAnimation::prepareAnimationForRemoval(); > m_eventQueue.close(); > } > >diff --git a/Source/WebCore/animation/DeclarativeAnimation.h b/Source/WebCore/animation/DeclarativeAnimation.h >index 80d280a5aa93711c7bda18bee4d0176b7cd2afb5..a9bec97a5c8c38722ac8342e54fb6cee0607e72e 100644 >--- a/Source/WebCore/animation/DeclarativeAnimation.h >+++ b/Source/WebCore/animation/DeclarativeAnimation.h >@@ -45,6 +45,7 @@ public: > const Animation& backingAnimation() const { return m_backingAnimation; } > void setBackingAnimation(const Animation&); > void invalidateDOMEvents(Seconds elapsedTime = 0_s); >+ void prepareAnimationForRemoval() final; > > void setTimeline(RefPtr<AnimationTimeline>&&) final; > void cancel() final; >diff --git a/Source/WebCore/animation/WebAnimation.cpp b/Source/WebCore/animation/WebAnimation.cpp >index 63d74b6903105d7ead950e63b070fee2fe34aa31..9753c0183c094f3340524fb4222739838d1ccdcf 100644 >--- a/Source/WebCore/animation/WebAnimation.cpp >+++ b/Source/WebCore/animation/WebAnimation.cpp 
>@@ -70,6 +70,11 @@ WebAnimation::~WebAnimation() > { > } > >+void WebAnimation::prepareAnimationForRemoval() >+{ >+ setEffectInternal(nullptr); >+} >+ > void WebAnimation::suspendEffectInvalidation() > { > ++m_suspendCount; >diff --git a/Source/WebCore/animation/WebAnimation.h b/Source/WebCore/animation/WebAnimation.h >index 5314b7e84187dc0065ef921d20ec575b10f9c585..baa42f24272b0c535efde3b5ae64cfd5fad5e501 100644 >--- a/Source/WebCore/animation/WebAnimation.h >+++ b/Source/WebCore/animation/WebAnimation.h >@@ -109,6 +109,7 @@ public: > void unsuspendEffectInvalidation(); > void setSuspended(bool); > bool isSuspended() const { return m_isSuspended; } >+ virtual void prepareAnimationForRemoval(); > > String description(); > >diff --git a/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp b/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp >index 9072c7a661d85a70249c95da1055b1c2614f8a6a..fa2a4c680b098a810961564f206793f083341236 100644 >--- a/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp >+++ b/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp >@@ -554,7 +554,7 @@ void RenderTreeUpdater::tearDownRenderers(Element& root, TeardownType teardownTy > > if (teardownType == TeardownType::Full || teardownType == TeardownType::RendererUpdateCancelingAnimations) { > if (RuntimeEnabledFeatures::sharedFeatures().webAnimationsCSSIntegrationEnabled()) { >- if (timeline) >+ if (timeline && document.renderTreeBeingDestroyed()) > timeline->removeAnimationsForElement(element); > } else > animationController.cancelAnimations(element);
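Review bot: In the Source/WebCore/ChangeLog entry, "asynchronouly" should read "asynchronously", and the entry names no test. The patch touches only files under Source/WebCore, so either add a regression test for the crash or state in the ChangeLog which existing test reproduces it under ASan / StressGC.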
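Review bot: In DeclarativeAnimation.cpp, m_eventQueue.close() moves out of ~DeclarativeAnimation() and is now reached only through prepareAnimationForRemoval(), so an animation that is destroyed without that call no longer closes its queue explicitly. If that is intended, add a comment saying why it is safe; and since the destructor body is now empty, consider removing it or declaring it "= default".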
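Review bot: In RenderTreeUpdater::tearDownRenderers(), the new "timeline && document.renderTreeBeingDestroyed()" condition guards only the Web Animations branch, so for TeardownType::Full or TeardownType::RendererUpdateCancelingAnimations on a live document that branch now does nothing, while the else branch still calls animationController.cancelAnimations(element). The ChangeLog explains the "display: none" motivation, but the code does not; please add a comment at the condition and confirm that an element removed from a live document still reaches prepareAnimationForRemoval() through another path, since an element deleted before its events are dispatched is the case this fix targets.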
Flags: dino: review+