Context Navigation

← Previous Changeset
Next Changeset →

Changeset 182346 in webkit

Timestamp:

Apr 4, 2015, 3:39:29 PM (11 years ago)

Author:

Simon Fraser

Message:

REGRESSION (r182215): Feedly crashes when closing article
https://bugs.webkit.org/show_bug.cgi?id=143405
rdar://problem/20382734, rdar://problem/20395497

Reviewed by Tim Horton.

Source/WebCore:

Calling computeNonFastScrollableRegion() eagerly when scrollable areas come and go
is bad, because it can cause FrameView::layout() to get called in the middle of
RenderObject destruction, which leaves the render tree in a bad state.

Fix by calling computeNonFastScrollableRegion() lazily, just before scrolling tree commit.

AsyncScrollingCoordinator::frameViewNonFastScrollableRegionChanged() now just sets
a flag to say that the non-fast region needs to be recomputed, and that schedules
a scrolling tree commit. When the commit happens, we recompute the region. If the
region didn't change, and no other changes are pending, there's no need to commit.

Test: platform/mac-wk2/tiled-drawing/scrolling/non-fast-region/compute-region-inside-delete-renderer-crash.html

page/scrolling/AsyncScrollingCoordinator.cpp:

(WebCore::AsyncScrollingCoordinator::setNonFastScrollableRegionDirty):
(WebCore::AsyncScrollingCoordinator::willCommitTree):
(WebCore::AsyncScrollingCoordinator::updateNonFastScrollableRegion):
(WebCore::AsyncScrollingCoordinator::frameViewLayoutUpdated):
(WebCore::AsyncScrollingCoordinator::frameViewNonFastScrollableRegionChanged):
(WebCore::AsyncScrollingCoordinator::scrollingStateTreeAsText): Need to eagerly update
the non-fast scrollable region.

page/scrolling/AsyncScrollingCoordinator.h:

(WebCore::AsyncScrollingCoordinator::nonFastScrollableRegionDirty):

page/scrolling/ScrollingCoordinator.cpp:

(WebCore::ScrollingCoordinator::ScrollingCoordinator):
(WebCore::ScrollingCoordinator::computeNonFastScrollableRegion):

page/scrolling/ScrollingCoordinator.h:

(WebCore::ScrollingCoordinator::willCommitTree):

page/scrolling/mac/ScrollingCoordinatorMac.mm:

(WebCore::ScrollingCoordinatorMac::commitTreeStateIfNeeded):
(WebCore::ScrollingCoordinatorMac::scheduleTreeStateCommit):
(WebCore::ScrollingCoordinatorMac::commitTreeState):

Source/WebKit2:

Fix by calling computeNonFastScrollableRegion() lazily, just before scrolling tree commit.

WebProcess/Scrolling/RemoteScrollingCoordinator.mm:

(WebKit::RemoteScrollingCoordinator::buildTransaction):

WebProcess/WebPage/mac/TiledCoreAnimationDrawingArea.mm:

(WebKit::TiledCoreAnimationDrawingArea::flushLayers): Outdent #ifdefs.

LayoutTests:

Test that triggers a crash without the fix (thanks to Zalan for the test).

platform/mac-wk2/tiled-drawing/scrolling/non-fast-region/compute-region-inside-delete-renderer-crash-expected.txt: Added.
platform/mac-wk2/tiled-drawing/scrolling/non-fast-region/compute-region-inside-delete-renderer-crash.html: Added.

Location:

trunk

Files:

: 2 added
: 10 edited

LayoutTests/ChangeLog (modified) (1 diff)
LayoutTests/platform/mac-wk2/tiled-drawing/scrolling/non-fast-region/compute-region-inside-delete-renderer-crash-expected.txt (added)
LayoutTests/platform/mac-wk2/tiled-drawing/scrolling/non-fast-region/compute-region-inside-delete-renderer-crash.html (added)
Source/WebCore/ChangeLog (modified) (1 diff)
Source/WebCore/page/scrolling/AsyncScrollingCoordinator.cpp (modified) (4 diffs)
Source/WebCore/page/scrolling/AsyncScrollingCoordinator.h (modified) (3 diffs)
Source/WebCore/page/scrolling/ScrollingCoordinator.cpp (modified) (2 diffs)
Source/WebCore/page/scrolling/ScrollingCoordinator.h (modified) (2 diffs)
Source/WebCore/page/scrolling/mac/ScrollingCoordinatorMac.mm (modified) (3 diffs)
Source/WebKit2/ChangeLog (modified) (1 diff)
Source/WebKit2/WebProcess/Scrolling/RemoteScrollingCoordinator.mm (modified) (1 diff)
Source/WebKit2/WebProcess/WebPage/mac/TiledCoreAnimationDrawingArea.mm (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/LayoutTests/ChangeLog

-              r182345
+              r182346
+-04-04  Simon Fraser  <simon.fraser@apple.com>
+        REGRESSION (r182215): Feedly crashes when closing article
+        https://bugs.webkit.org/show_bug.cgi?id=143405
+        rdar://problem/20382734, rdar://problem/20395497
+        Reviewed by Tim Horton.
+        Test that triggers a crash without the fix (thanks to Zalan for the test).
+        * platform/mac-wk2/tiled-drawing/scrolling/non-fast-region/compute-region-inside-delete-renderer-crash-expected.txt: Added.
+        * platform/mac-wk2/tiled-drawing/scrolling/non-fast-region/compute-region-inside-delete-renderer-crash.html: Added.
 -04-04  Simon Fraser  <simon.fraser@apple.com>

trunk/Source/WebCore/ChangeLog

-              r182345
+              r182346
+-04-04  Simon Fraser  <simon.fraser@apple.com>
+        REGRESSION (r182215): Feedly crashes when closing article
+        https://bugs.webkit.org/show_bug.cgi?id=143405
+        rdar://problem/20382734, rdar://problem/20395497
+        Reviewed by Tim Horton.
+        Calling computeNonFastScrollableRegion() eagerly when scrollable areas come and go
+        is bad, because it can cause FrameView::layout() to get called in the middle of
+        RenderObject destruction, which leaves the render tree in a bad state.
+        Fix by calling computeNonFastScrollableRegion() lazily, just before scrolling tree commit.
+        AsyncScrollingCoordinator::frameViewNonFastScrollableRegionChanged() now just sets
+        a flag to say that the non-fast region needs to be recomputed, and that schedules
+        a scrolling tree commit. When the commit happens, we recompute the region. If the
+        region didn't change, and no other changes are pending, there's no need to commit.
+        Test: platform/mac-wk2/tiled-drawing/scrolling/non-fast-region/compute-region-inside-delete-renderer-crash.html
+        * page/scrolling/AsyncScrollingCoordinator.cpp:
+        (WebCore::AsyncScrollingCoordinator::setNonFastScrollableRegionDirty):
+        (WebCore::AsyncScrollingCoordinator::willCommitTree):
+        (WebCore::AsyncScrollingCoordinator::updateNonFastScrollableRegion):
+        (WebCore::AsyncScrollingCoordinator::frameViewLayoutUpdated):
+        (WebCore::AsyncScrollingCoordinator::frameViewNonFastScrollableRegionChanged):
+        (WebCore::AsyncScrollingCoordinator::scrollingStateTreeAsText): Need to eagerly update
+        the non-fast scrollable region.
+        * page/scrolling/AsyncScrollingCoordinator.h:
+        (WebCore::AsyncScrollingCoordinator::nonFastScrollableRegionDirty):
+        * page/scrolling/ScrollingCoordinator.cpp:
+        (WebCore::ScrollingCoordinator::ScrollingCoordinator):
+        (WebCore::ScrollingCoordinator::computeNonFastScrollableRegion):
+        * page/scrolling/ScrollingCoordinator.h:
+        (WebCore::ScrollingCoordinator::willCommitTree):
+        * page/scrolling/mac/ScrollingCoordinatorMac.mm:
+        (WebCore::ScrollingCoordinatorMac::commitTreeStateIfNeeded):
+        (WebCore::ScrollingCoordinatorMac::scheduleTreeStateCommit):
+        (WebCore::ScrollingCoordinatorMac::commitTreeState):
 -04-04  Simon Fraser  <simon.fraser@apple.com>

trunk/Source/WebCore/page/scrolling/AsyncScrollingCoordinator.cpp

-              r182242
+              r182346
+}
+void AsyncScrollingCoordinator::setNonFastScrollableRegionDirty()
+{
+    m_nonFastScrollableRegionDirty = true;
+    // We have to schedule a commit, but the computed non-fast region may not have actually changed.
+    scheduleTreeStateCommit();
+}
+void AsyncScrollingCoordinator::willCommitTree()
+{
+    updateNonFastScrollableRegion();
+}
+void AsyncScrollingCoordinator::updateNonFastScrollableRegion()
+{
+    if (!m_nonFastScrollableRegionDirty)
+        return;
+    m_scrollingStateTree->rootStateNode()->setNonFastScrollableRegion(computeNonFastScrollableRegion(m_page->mainFrame(), IntPoint()));
+    m_nonFastScrollableRegionDirty = false;
+}
 void AsyncScrollingCoordinator::frameViewLayoutUpdated(FrameView& frameView)
+{
 …
     // just the root node. But right now, this concept only applies to the root.
     m_scrollingStateTree->rootStateNode()->setNonFastScrollableRegion(computeNonFastScrollableRegion(m_page->mainFrame(), IntPoint()));
+    m_nonFastScrollableRegionDirty = false;
     if (!coordinatesScrollingForFrameView(frameView))
 …
         return;
+    // FIXME: computeNonFastScrollableRegion lazily.
+    m_scrollingStateTree->rootStateNode()->setNonFastScrollableRegion(computeNonFastScrollableRegion(m_page->mainFrame(), IntPoint()));
+    setNonFastScrollableRegionDirty();
+}
 …
 String AsyncScrollingCoordinator::scrollingStateTreeAsText() const
+{
+    if (m_scrollingStateTree->rootStateNode())
+    if (m_scrollingStateTree->rootStateNode()) {
+        if (m_nonFastScrollableRegionDirty)
+            m_scrollingStateTree->rootStateNode()->setNonFastScrollableRegion(computeNonFastScrollableRegion(m_page->mainFrame(), IntPoint()));
         return m_scrollingStateTree->rootStateNode()->scrollingStateTreeAsText();
+    }
     return String();

trunk/Source/WebCore/page/scrolling/AsyncScrollingCoordinator.h

-              r182242
+              r182346
     WEBCORE_EXPORT virtual String scrollingStateTreeAsText() const override;
+    WEBCORE_EXPORT virtual void willCommitTree() override;
+    bool nonFastScrollableRegionDirty() const { return m_nonFastScrollableRegionDirty; }
 private:
 …
     void updateScrollPositionAfterAsyncScrollTimerFired();
+    void setNonFastScrollableRegionDirty();
+    void updateNonFastScrollableRegion();
     FrameView* frameViewForScrollingNode(ScrollingNodeID) const;
 …
     std::unique_ptr<ScrollingStateTree> m_scrollingStateTree;
     RefPtr<ScrollingTree> m_scrollingTree;
+    bool m_nonFastScrollableRegionDirty { false };
 };

trunk/Source/WebCore/page/scrolling/ScrollingCoordinator.cpp

-              r182345
+              r182346
 ScrollingCoordinator::ScrollingCoordinator(Page* page)
     : m_page(page)
-    , m_forceSynchronousScrollLayerPositionUpdates(false)
+{
+}
 …
     if (!frameView)
         return nonFastScrollableRegion;
+    // FIXME: should ASSERT(!frameView->needsLayout()) here, but need to fix DebugPageOverlays
+    // to not ask for regions at bad times.
     IntPoint offset = frameLocation;

trunk/Source/WebCore/page/scrolling/ScrollingCoordinator.h

-              r182242
+              r182346
     GraphicsLayer* footerLayerForFrameView(FrameView&);
+    virtual void willCommitTree() { }
     Page* m_page; // FIXME: ideally this would be a reference but it gets nulled on async teardown.
 …
     void updateSynchronousScrollingReasons(FrameView&);
     bool m_forceSynchronousScrollLayerPositionUpdates;
+    bool m_forceSynchronousScrollLayerPositionUpdates { false };
 };

trunk/Source/WebCore/page/scrolling/mac/ScrollingCoordinatorMac.mm

-              r182242
+              r182346
 void ScrollingCoordinatorMac::commitTreeStateIfNeeded()
+{
-    if (!scrollingStateTree()->hasChangedProperties())
-        return;
     commitTreeState();
     m_scrollingStateTreeCommitterTimer.stop();
 …
 void ScrollingCoordinatorMac::scheduleTreeStateCommit()
+{
     ASSERT(scrollingStateTree()->hasChangedProperties());
+    ASSERT(scrollingStateTree()->hasChangedProperties() || nonFastScrollableRegionDirty());
     if (m_scrollingStateTreeCommitterTimer.isActive())
 …
 void ScrollingCoordinatorMac::commitTreeState()
+{
+    ASSERT(scrollingStateTree()->hasChangedProperties());
+    willCommitTree();
+    if (!scrollingStateTree()->hasChangedProperties())
+        return;
     RefPtr<ThreadedScrollingTree> threadedScrollingTree = downcast<ThreadedScrollingTree>(scrollingTree());

trunk/Source/WebKit2/ChangeLog

-              r182341
+              r182346
+-04-04  Simon Fraser  <simon.fraser@apple.com>
+        REGRESSION (r182215): Feedly crashes when closing article
+        https://bugs.webkit.org/show_bug.cgi?id=143405
+        rdar://problem/20382734, rdar://problem/20395497
+        Reviewed by Tim Horton.
+        Calling computeNonFastScrollableRegion() eagerly when scrollable areas come and go
+        is bad, because it can cause FrameView::layout() to get called in the middle of
+        RenderObject destruction, which leaves the render tree in a bad state.
+        Fix by calling computeNonFastScrollableRegion() lazily, just before scrolling tree commit.
+        AsyncScrollingCoordinator::frameViewNonFastScrollableRegionChanged() now just sets
+        a flag to say that the non-fast region needs to be recomputed, and that schedules
+        a scrolling tree commit. When the commit happens, we recompute the region. If the
+        region didn't change, and no other changes are pending, there's no need to commit.
+        * WebProcess/Scrolling/RemoteScrollingCoordinator.mm:
+        (WebKit::RemoteScrollingCoordinator::buildTransaction):
+        * WebProcess/WebPage/mac/TiledCoreAnimationDrawingArea.mm:
+        (WebKit::TiledCoreAnimationDrawingArea::flushLayers): Outdent #ifdefs.
 -04-03  Beth Dakin  <bdakin@apple.com>

trunk/Source/WebKit2/WebProcess/Scrolling/RemoteScrollingCoordinator.mm

r182132	r182346
87	87	void RemoteScrollingCoordinator::buildTransaction(RemoteScrollingCoordinatorTransaction& transaction)
88	88	{
	89	willCommitTree();
89	90	transaction.setStateTreeToEncode(scrollingStateTree()->commit(LayerRepresentation::PlatformLayerIDRepresentation));
90	91	}

trunk/Source/WebKit2/WebProcess/WebPage/mac/TiledCoreAnimationDrawingArea.mm

-              r179409
+              r182346
         bool returnValue = m_webPage.mainFrameView()->flushCompositingStateIncludingSubframes();
     #if ENABLE(ASYNC_SCROLLING)
+#if ENABLE(ASYNC_SCROLLING)
         if (ScrollingCoordinator* scrollingCoordinator = m_webPage.corePage()->scrollingCoordinator())
             scrollingCoordinator->commitTreeStateIfNeeded();
     #endif
+#endif
         // If we have an active transient zoom, we want the zoom to win over any changes

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 182346 in webkit

Legend:

Download in other formats: