Bug 134694 - Crash when starting a filter transition on a reflected layer
Summary: Crash when starting a filter transition on a reflected layer
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Simon Fraser (smfr)
URL:
Keywords:
Duplicates: 134696
Depends on:
Blocks:
 
Reported: 2014-07-07 14:23 PDT by Simon Fraser (smfr)
Modified: 2014-07-07 16:46 PDT (History)

See Also:


Attachments
Testcase (BYO image) (1.88 KB, text/html)
2014-07-07 14:23 PDT, Simon Fraser (smfr)
Patch (6.38 KB, patch)
2014-07-07 15:08 PDT, Simon Fraser (smfr)
thorton: review+

Description Simon Fraser (smfr) 2014-07-07 14:23:26 PDT
Web process crashes when starting an animation on a reflected layer:

Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: EXC_I386_GPFLT

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x00000001151654c7 WebCore::GraphicsLayerCA::platformCALayerAnimationStarted(double) + 39 (GraphicsLayerCA.cpp:838)
1   com.apple.WebCore             	0x0000000115165516 non-virtual thunk to WebCore::GraphicsLayerCA::platformCALayerAnimationStarted(double) + 38 (GraphicsLayerCA.cpp:839)
2   com.apple.WebKit              	0x0000000110d6b1e8 WebKit::PlatformCALayerRemote::animationStarted(WTF::String const&, double) + 232 (PlatformCALayerRemote.cpp:355)
3   com.apple.WebKit              	0x0000000110ffb58e WebKit::RemoteLayerTreeContext::animationDidStart(unsigned long long, WTF::String const&, double) + 254 (RemoteLayerTreeContext.mm:137)
4   com.apple.WebKit              	0x0000000111002931 WebKit::RemoteLayerTreeDrawingArea::acceleratedAnimationDidStart(unsigned long long, WTF::String const&, double) + 81 (RemoteLayerTreeDrawingArea.mm:194)
5   com.apple.WebKit              	0x0000000110db40f7 void IPC::callMemberFunctionImpl<WebKit::DrawingArea, void (WebKit::DrawingArea::*)(unsigned long long, WTF::String const&, double), std::__1::tuple<unsigned long long, WTF::String, double>, 0ul, 1ul, 2ul>(WebKit::DrawingArea*, void (WebKit::DrawingArea::*)(unsigned long long, WTF::String const&, double), std::__1::tuple<unsigned long long, WTF::String, double>&&, std::index_sequence<0ul, 1ul, 2ul>) + 215 (HandleMessage.h:17)
6   com.apple.WebKit              	0x0000000110db3f48 void IPC::callMemberFunction<WebKit::DrawingArea, void (WebKit::DrawingArea::*)(unsigned long long, WTF::String const&, double), std::__1::tuple<unsigned long long, WTF::String, double>, std::make_index_sequence<3ul> >(std::__1::tuple<unsigned long long, WTF::String, double>&&, WebKit::DrawingArea*, void (WebKit::DrawingArea::*)(unsigned long long, WTF::String const&, double)) + 88 (HandleMessage.h:23)
7   com.apple.WebKit              	0x0000000110db3c64 void IPC::handleMessage<Messages::DrawingArea::AcceleratedAnimationDidStart, WebKit::DrawingArea, void (WebKit::DrawingArea::*)(unsigned long long, WTF::String const&, double)>(IPC::MessageDecoder&, WebKit::DrawingArea*, void (WebKit::DrawingArea::*)(unsigned long long, WTF::String const&, double)) + 308 (HandleMessage.h:120)
8   com.apple.WebKit              	0x0000000110db303c WebKit::DrawingArea::didReceiveDrawingAreaMessage(IPC::Connection*, IPC::MessageDecoder&) + 1420 (DrawingAreaMessageReceiver.cpp:101)
9   com.apple.WebKit              	0x00000001112475bc WebKit::WebPage::didReceiveMessage(IPC::Connection*, IPC::MessageDecoder&) + 220 (WebPage.cpp:3393)
10  com.apple.WebKit              	0x0000000111247747 non-virtual thunk to WebKit::WebPage::didReceiveMessage(IPC::Connection*, IPC::MessageDecoder&) + 55 (WebPage.cpp:3419)
Comment 1 Simon Fraser (smfr) 2014-07-07 14:23:53 PDT
Created attachment 234510 [details]
Testcase (BYO image)
Comment 2 Simon Fraser (smfr) 2014-07-07 14:25:26 PDT
When we clone a layer, we clone the animation properties, and then "move or copy" animations appends another copy of the same animation. In the UI process, we then run two animations, but for the second fail to look it up in a map, and end up sending an empty "key" string back to the web process.
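The following is an added C++ model of the mechanism comment 2 describes; it is not WebKit code, and every name in it (Layer, Animation, the "move or copy" helpers, UIProcessModel, the handlers) is a hypothetical stand-in. It assumes, as a simplification, that the UI process tracks running animations in a map keyed by animation key and removes an entry the first time that key starts, so a layer carrying the same animation twice gets one real lookup and one failed lookup that reports an empty key. It also shows the two places a check stops the crash: deduplicating on copy, and rejecting an empty or unknown key on the web-process side before using it.

```cpp
// Added example: a model of the duplicate-animation / empty-key failure in
// comment 2. Not WebKit code; all names and behaviour here are assumptions.
#include <map>
#include <string>
#include <vector>

struct Animation {
    std::string key;     // name the UI process reports back when the animation starts
    double duration;
};

struct Layer {
    std::vector<Animation> animations;
    // Cloning a layer copies its animation properties (as the comment says).
    Layer clone() const { return *this; }
};

// Naive "move or copy": appends every animation, so a clone that already
// carries the animation ends up with it twice.
void moveOrCopyAnimationsNaive(const Layer& from, Layer& to) {
    for (const Animation& a : from.animations)
        to.animations.push_back(a);
}

// Deduplicated variant: skip keys the target layer already has.
void moveOrCopyAnimationsDeduped(const Layer& from, Layer& to) {
    for (const Animation& a : from.animations) {
        bool present = false;
        for (const Animation& existing : to.animations)
            if (existing.key == a.key) { present = true; break; }
        if (!present) to.animations.push_back(a);
    }
}

// Assumed UI-process side: running animations live in a map keyed by animation
// key. Two copies of one key collapse into a single entry, so the second
// "did start" lookup fails and an empty key is what crosses IPC.
struct UIProcessModel {
    std::map<std::string, Animation> running;
    std::vector<std::string> reportedKeys;

    void run(const Layer& layer) {
        for (const Animation& a : layer.animations)
            running.emplace(a.key, a);          // duplicate key: second emplace is a no-op
        for (const Animation& a : layer.animations) {
            auto it = running.find(a.key);
            if (it == running.end()) {
                reportedKeys.push_back("");     // lookup failed: empty key reported
                continue;
            }
            running.erase(it);                  // entry consumed on first start
            reportedKeys.push_back(a.key);
        }
    }
};

// Assumed web-process side.
const Animation* findAnimation(const Layer& layer, const std::string& key) {
    for (const Animation& a : layer.animations)
        if (a.key == key) return &a;
    return nullptr;
}

// Unchecked handler: would dereference whatever the key maps to. With "" that
// is a null pointer; modelled here as "true == would have faulted".
bool wouldCrashUnchecked(const Layer& layer, const std::string& key) {
    return findAnimation(layer, key) == nullptr;
}

// Checked handler: reject an empty or unknown key instead of using it.
bool animationStartedChecked(const Layer& layer, const std::string& key) {
    if (key.empty()) return false;              // empty key from a failed lookup
    if (!findAnimation(layer, key)) return false; // unknown key: ignore the message
    return true;
}

// Drive the model through one copy path; returns how many IPC replies would
// have faulted the unchecked handler.
int crashesForPath(bool dedupe) {
    Layer original;
    original.animations.push_back({"filter-transition", 0.5}); // constructed sample
    Layer reflection = original.clone();        // clone already carries the animation
    if (dedupe) moveOrCopyAnimationsDeduped(original, reflection);
    else        moveOrCopyAnimationsNaive(original, reflection);

    UIProcessModel ui;
    ui.run(reflection);

    int crashes = 0;
    for (const std::string& key : ui.reportedKeys)
        if (wouldCrashUnchecked(reflection, key)) ++crashes;
    return crashes;
}
```

The naive path yields two animations on the reflection, one successful start and one empty-key reply that the unchecked handler would fault on; the deduplicated path yields one animation and no fault. Even with deduplication in place, the checked handler is the defensive layer a practitioner wants, since the key arrives over IPC from another process and should be validated before use.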
Comment 3 Simon Fraser (smfr) 2014-07-07 15:08:07 PDT
Created attachment 234515 [details]
Patch
Comment 4 Simon Fraser (smfr) 2014-07-07 15:08:28 PDT
*** Bug 134696 has been marked as a duplicate of this bug. ***
Comment 5 Simon Fraser (smfr) 2014-07-07 16:46:01 PDT
https://trac.webkit.org/r170862