Bug 134694

Summary: Crash when starting a filter transition on a reflected layer
Product: WebKit    Reporter: Simon Fraser (smfr) <simon.fraser>
Component: Layout and Rendering    Assignee: Simon Fraser (smfr) <simon.fraser>
Status: RESOLVED FIXED    
Severity: Normal CC: dino, simon.fraser, thorton
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments (Description / Flags):
Testcase (BYO image) / none
Patch / thorton: review+

Description Simon Fraser (smfr) 2014-07-07 14:23:26 PDT
Web process crashes when starting an animation on a reflected layer:

Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: EXC_I386_GPFLT

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x00000001151654c7 WebCore::GraphicsLayerCA::platformCALayerAnimationStarted(double) + 39 (GraphicsLayerCA.cpp:838)
1   com.apple.WebCore             	0x0000000115165516 non-virtual thunk to WebCore::GraphicsLayerCA::platformCALayerAnimationStarted(double) + 38 (GraphicsLayerCA.cpp:839)
2   com.apple.WebKit              	0x0000000110d6b1e8 WebKit::PlatformCALayerRemote::animationStarted(WTF::String const&, double) + 232 (PlatformCALayerRemote.cpp:355)
3   com.apple.WebKit              	0x0000000110ffb58e WebKit::RemoteLayerTreeContext::animationDidStart(unsigned long long, WTF::String const&, double) + 254 (RemoteLayerTreeContext.mm:137)
4   com.apple.WebKit              	0x0000000111002931 WebKit::RemoteLayerTreeDrawingArea::acceleratedAnimationDidStart(unsigned long long, WTF::String const&, double) + 81 (RemoteLayerTreeDrawingArea.mm:194)
5   com.apple.WebKit              	0x0000000110db40f7 void IPC::callMemberFunctionImpl<WebKit::DrawingArea, void (WebKit::DrawingArea::*)(unsigned long long, WTF::String const&, double), std::__1::tuple<unsigned long long, WTF::String, double>, 0ul, 1ul, 2ul>(WebKit::DrawingArea*, void (WebKit::DrawingArea::*)(unsigned long long, WTF::String const&, double), std::__1::tuple<unsigned long long, WTF::String, double>&&, std::index_sequence<0ul, 1ul, 2ul>) + 215 (HandleMessage.h:17)
6   com.apple.WebKit              	0x0000000110db3f48 void IPC::callMemberFunction<WebKit::DrawingArea, void (WebKit::DrawingArea::*)(unsigned long long, WTF::String const&, double), std::__1::tuple<unsigned long long, WTF::String, double>, std::make_index_sequence<3ul> >(std::__1::tuple<unsigned long long, WTF::String, double>&&, WebKit::DrawingArea*, void (WebKit::DrawingArea::*)(unsigned long long, WTF::String const&, double)) + 88 (HandleMessage.h:23)
7   com.apple.WebKit              	0x0000000110db3c64 void IPC::handleMessage<Messages::DrawingArea::AcceleratedAnimationDidStart, WebKit::DrawingArea, void (WebKit::DrawingArea::*)(unsigned long long, WTF::String const&, double)>(IPC::MessageDecoder&, WebKit::DrawingArea*, void (WebKit::DrawingArea::*)(unsigned long long, WTF::String const&, double)) + 308 (HandleMessage.h:120)
8   com.apple.WebKit              	0x0000000110db303c WebKit::DrawingArea::didReceiveDrawingAreaMessage(IPC::Connection*, IPC::MessageDecoder&) + 1420 (DrawingAreaMessageReceiver.cpp:101)
9   com.apple.WebKit              	0x00000001112475bc WebKit::WebPage::didReceiveMessage(IPC::Connection*, IPC::MessageDecoder&) + 220 (WebPage.cpp:3393)
10  com.apple.WebKit              	0x0000000111247747 non-virtual thunk to WebKit::WebPage::didReceiveMessage(IPC::Connection*, IPC::MessageDecoder&) + 55 (WebPage.cpp:3419)
Comment 1 Simon Fraser (smfr) 2014-07-07 14:23:53 PDT
Created attachment 234510 [details]
Testcase (BYO image)
Comment 2 Simon Fraser (smfr) 2014-07-07 14:25:26 PDT
When we clone a layer, we clone the animation properties, and then "move or copy" animations appends another copy of the same animation. In the UI process, we then run two animations, but for the second fail to look it up in a map, and end up sending an empty "key" string back to the web process.
Comment 3 Simon Fraser (smfr) 2014-07-07 15:08:07 PDT
Created attachment 234515 [details]
Patch
Comment 4 Simon Fraser (smfr) 2014-07-07 15:08:28 PDT
*** Bug 134696 has been marked as a duplicate of this bug. ***
Comment 5 Simon Fraser (smfr) 2014-07-07 16:46:01 PDT
https://trac.webkit.org/r170862