With buffers being explicitly reclaimed from backingstore geometries, we have to make sure that the previously active backingstore releases its front buffers for use in the newly active one. Previously, this clearing of backingstore tiles occurred after the dormant backingstore was reactivated; the backingstore active in the meantime would just use the back buffer anyway and leave the dormant one with dangling pointers that would just not be shown. Now that we have a counted list of back buffers, we need to be explicit about this thing up front. The patch below fixes a crash that would occur after switching ownership of the backingstore to a different WebPage.
Created attachment 177410 [details] Patch
Comment on attachment 177410 [details] Patch
Clearing flags on attachment: 177410
Committed r136483: <http://trac.webkit.org/changeset/136483>
All reviewed patches have been landed. Closing bug.
The above patch didn't cover all the cases; in particular, it did not take into account that resetTiles() would sometimes return early without having swapped the tiles and thus reclaimed them. This would cause a crash when switching back from a tab that had already been made invisible. The follow-up patch below removes the early returns, because it's safe to swap in an empty geometry at any time and we should always take the chance when we get it. Also, the code that calls resetTiles() on an owner switch should be put right into setCurrentBackingStoreOwner(), so that it will also release the buffers when the BackingStore is destroyed (the function is then called with 0).
Created attachment 177817 [details] Patch
Comment on attachment 177817 [details] Patch
Good stuff!
Comment on attachment 177817 [details] Patch
Clearing flags on attachment: 177817
Committed r136761: <http://trac.webkit.org/changeset/136761>