Changeset 236306 in webkit

Timestamp:

Sep 20, 2018 10:37:01 PM (6 years ago)

Author:

dino@apple.com

Message:

Restrict the total combined size of backdrop filters
​https://bugs.webkit.org/show_bug.cgi?id=189812
<rdar://problem/44532782>

Reviewed by Simon Fraser.

Source/WebCore:

If the total area of all backdrop filters on the page gets
too large, the universe collapses in on itself and we enter
the Quantum Realm (i.e. crash horribly).

Put a hard limit on the total coverage, and ignore any backdrop
filters after the limit. This might break some content, but
such content is likely not doing things in the most optimal manner.
There isn't any reason to have a backdrop larger than the size of
the screen, because you'd be better off applying a foreground
filter to the main content and showing something above it.

Tests: css3/filters/backdrop/resource-use-add-more-layers.html

css3/filters/backdrop/resource-use-excessive.html
css3/filters/backdrop/resource-use-ok.html
css3/filters/backdrop/resource-use-remove-some-layers.html

• platform/graphics/ca/GraphicsLayerCA.cpp: Pick a fairly small maximum size. We

can consider increasing this if necessary, and as devices with less RAM are
upgraded.
(WebCore::GraphicsLayerCA::recursiveCommitChanges): Gather the accumulated size
of backdrop filters into the commit state as we are recursing through the tree.
(WebCore::GraphicsLayerCA::commitLayerChangesBeforeSublayers): Force any layer
with backdrop filters, or any that is removing backdrop filters, into an update.
(WebCore::GraphicsLayerCA::updateBackdropFilters): Update the logic to first
check if this backdrop layer causes us to exceed the total allowed size, and if
it does, forbid it from getting the GraphicsLayer that composits the backdrop.

• platform/graphics/ca/GraphicsLayerCA.h: Remove const from some parameters so

that we can use the CommitState to hold the accumulated size.

LayoutTests:

Tests that have an acceptable number of backdrops, an excessive
number of backdrops, and then some that add and remove backdrops
at various points in the tree to confirm we do recursive checks
correctly.

• css3/filters/backdrop/layer-tree-as-text.js: Added.
• css3/filters/backdrop/resource-use-add-more-layers-expected.txt: Added.
• css3/filters/backdrop/resource-use-add-more-layers.html: Added.
• css3/filters/backdrop/resource-use-excessive-expected.txt: Added.
• css3/filters/backdrop/resource-use-excessive.html: Added.
• css3/filters/backdrop/resource-use-ok-expected.txt: Added.
• css3/filters/backdrop/resource-use-ok.html: Added.
• css3/filters/backdrop/resource-use-remove-some-layers-expected.txt: Added.
• css3/filters/backdrop/resource-use-remove-some-layers.html: Added.
• css3/filters/backdrop/resource-use.css: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/css3/filters/backdrop/layer-tree-as-text.js (added)
• LayoutTests/css3/filters/backdrop/resource-use-add-more-layers-expected.txt (added)
• LayoutTests/css3/filters/backdrop/resource-use-add-more-layers.html (added)
• LayoutTests/css3/filters/backdrop/resource-use-excessive-expected.txt (added)
• LayoutTests/css3/filters/backdrop/resource-use-excessive.html (added)
• LayoutTests/css3/filters/backdrop/resource-use-ok-expected.txt (added)
• LayoutTests/css3/filters/backdrop/resource-use-ok.html (added)
• LayoutTests/css3/filters/backdrop/resource-use-remove-some-layers-expected.txt (added)
• LayoutTests/css3/filters/backdrop/resource-use-remove-some-layers.html (added)
• LayoutTests/css3/filters/backdrop/resource-use.css (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/platform/graphics/ca/GraphicsLayerCA.cpp (modified) (7 diffs)
• Source/WebCore/platform/graphics/ca/GraphicsLayerCA.h (modified) (3 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2018-09-20  Dean Jackson  <dino@apple.com>
+
+        Restrict the total combined size of backdrop filters
+        https://bugs.webkit.org/show_bug.cgi?id=189812
+        <rdar://problem/44532782>
+
+        Reviewed by Simon Fraser.
+
+        Tests that have an acceptable number of backdrops, an excessive
+        number of backdrops, and then some that add and remove backdrops
+        at various points in the tree to confirm we do recursive checks
+        correctly.
+
+        * css3/filters/backdrop/layer-tree-as-text.js: Added.
+        * css3/filters/backdrop/resource-use-add-more-layers-expected.txt: Added.
+        * css3/filters/backdrop/resource-use-add-more-layers.html: Added.
+        * css3/filters/backdrop/resource-use-excessive-expected.txt: Added.
+        * css3/filters/backdrop/resource-use-excessive.html: Added.
+        * css3/filters/backdrop/resource-use-ok-expected.txt: Added.
+        * css3/filters/backdrop/resource-use-ok.html: Added.
+        * css3/filters/backdrop/resource-use-remove-some-layers-expected.txt: Added.
+        * css3/filters/backdrop/resource-use-remove-some-layers.html: Added.
+        * css3/filters/backdrop/resource-use.css: Added.
+
 2018-09-20  Truitt Savell  <tsavell@apple.com>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2018-09-20  Dean Jackson  <dino@apple.com>
+
+        Restrict the total combined size of backdrop filters
+        https://bugs.webkit.org/show_bug.cgi?id=189812
+        <rdar://problem/44532782>
+
+        Reviewed by Simon Fraser.
+
+        If the total area of all backdrop filters on the page gets
+        too large, the universe collapses in on itself and we enter
+        the Quantum Realm (i.e. crash horribly).
+
+        Put a hard limit on the total coverage, and ignore any backdrop
+        filters after the limit. This might break some content, but
+        such content is likely not doing things in the most optimal manner.
+        There isn't any reason to have a backdrop larger than the size of
+        the screen, because you'd be better off applying a foreground
+        filter to the main content and showing something above it.
+
+        Tests: css3/filters/backdrop/resource-use-add-more-layers.html
+               css3/filters/backdrop/resource-use-excessive.html
+               css3/filters/backdrop/resource-use-ok.html
+               css3/filters/backdrop/resource-use-remove-some-layers.html
+
+        * platform/graphics/ca/GraphicsLayerCA.cpp: Pick a fairly small maximum size. We
+        can consider increasing this if necessary, and as devices with less RAM are
+        upgraded.
+        (WebCore::GraphicsLayerCA::recursiveCommitChanges): Gather the accumulated size
+        of backdrop filters into the commit state as we are recursing through the tree.
+        (WebCore::GraphicsLayerCA::commitLayerChangesBeforeSublayers): Force any layer
+        with backdrop filters, or any that is removing backdrop filters, into an update.
+        (WebCore::GraphicsLayerCA::updateBackdropFilters): Update the logic to first
+        check if this backdrop layer causes us to exceed the total allowed size, and if
+        it does, forbid it from getting the GraphicsLayer that composits the backdrop.
+
+        * platform/graphics/ca/GraphicsLayerCA.h: Remove const from some parameters so
+        that we can use the CommitState to hold the accumulated size.
+
 2018-09-20  Benjamin Poulain  <benjamin@webkit.org>
 

trunk/Source/WebCore/platform/graphics/ca/GraphicsLayerCA.cpp

@@ -48 +48 @@
 #include <limits.h>
 #include <pal/spi/cf/CFUtilitiesSPI.h>
+#include <wtf/CheckedArithmetic.h>
 #include <wtf/MathExtras.h>
 #include <wtf/NeverDestroyed.h>
@@ -89 +90 @@
 
 // Derived empirically: <rdar://problem/13401861>
-static const int cMaxLayerTreeDepth = 250;
+static const unsigned cMaxLayerTreeDepth = 250;
+
+// About 10 screens of an iPhone 6 Plus. <rdar://problem/44532782>
+static const unsigned cMaxTotalBackdropFilterArea = 1242 * 2208 * 10;
 
 // If we send a duration of 0 to CA, then it will use the default duration
@@ -1488 +1492 @@
 // rootRelativeTransformForScaling is a transform from the root, but for layers with transform animations, it cherry-picked the state of the
 // animation that contributes maximally to the scale (on every layer with animations down the hierarchy).
-void GraphicsLayerCA::recursiveCommitChanges(const CommitState& commitState, const TransformState& state, float pageScaleFactor, const FloatPoint& positionRelativeToBase, bool affectedByPageScale)
+void GraphicsLayerCA::recursiveCommitChanges(CommitState& commitState, const TransformState& state, float pageScaleFactor, const FloatPoint& positionRelativeToBase, bool affectedByPageScale)
 {
     if (!needsCommit(commitState))
@@ -1585 +1589 @@
     }
 
+    commitState.totalBackdropFilterArea = childCommitState.totalBackdropFilterArea;
+
     if (GraphicsLayerCA* replicaLayer = downcast<GraphicsLayerCA>(m_replicaLayer.get()))
         replicaLayer->recursiveCommitChanges(childCommitState, localState, pageScaleFactor, baseRelativePosition, affectedByPageScale);
@@ -1779 +1785 @@
         updateFilters();
 
-    if (m_uncommittedChanges & BackdropFiltersChanged)
-        updateBackdropFilters();
+    // If there are backdrop filters, we need to always check the resource usage
+    // because something up the tree may have changed its usage.
+    if (m_uncommittedChanges & BackdropFiltersChanged || needsBackdrop())
+        updateBackdropFilters(commitState);
 
     if (m_uncommittedChanges & BackdropFiltersRectChanged)
@@ -2127 +2135 @@
 }
 
-void GraphicsLayerCA::updateBackdropFilters()
-{
-    if (m_backdropFilters.isEmpty()) {
+void GraphicsLayerCA::updateBackdropFilters(CommitState& commitState)
+{
+    bool canHaveBackdropFilters = needsBackdrop();
+
+    if (canHaveBackdropFilters) {
+        Checked<unsigned, RecordOverflow> backdropFilterArea = Checked<unsigned>(static_cast<int>(m_backdropFiltersRect.rect().width())) * Checked<unsigned>(static_cast<int>(m_backdropFiltersRect.rect().height()));
+        if (backdropFilterArea.hasOverflowed())
+            canHaveBackdropFilters = false;
+        else {
+            Checked<unsigned, RecordOverflow> newTotalBackdropFilterArea = Checked<unsigned, RecordOverflow>(commitState.totalBackdropFilterArea) + backdropFilterArea;
+            if (newTotalBackdropFilterArea.hasOverflowed() || newTotalBackdropFilterArea.unsafeGet() > cMaxTotalBackdropFilterArea)
+                canHaveBackdropFilters = false;
+            else
+                commitState.totalBackdropFilterArea = newTotalBackdropFilterArea.unsafeGet();
+        }
+    }
+
+    if (!canHaveBackdropFilters) {
         if (m_backdropLayer) {
             m_backdropLayer->removeFromSuperlayer();
@@ -2137 +2160 @@
         return;
     }
+
+    // If nothing actually changed, no need to touch the layer properties.
+    if (!(m_uncommittedChanges & BackdropFiltersChanged))
+        return;
 
     bool madeLayer = !m_backdropLayer;

trunk/Source/WebCore/platform/graphics/ca/GraphicsLayerCA.h

@@ -155 +155 @@
 
     struct CommitState {
-        int treeDepth { 0 };
+        unsigned treeDepth { 0 };
+        unsigned totalBackdropFilterArea { 0 };
         bool ancestorHadChanges { false };
         bool ancestorHasTransformAnimation { false };
@@ -163 +164 @@
     };
     bool needsCommit(const CommitState&);
-    void recursiveCommitChanges(const CommitState&, const TransformState&, float pageScaleFactor = 1, const FloatPoint& positionRelativeToBase = FloatPoint(), bool affectedByPageScale = false);
+    void recursiveCommitChanges(CommitState&, const TransformState&, float pageScaleFactor = 1, const FloatPoint& positionRelativeToBase = FloatPoint(), bool affectedByPageScale = false);
 
     WEBCORE_EXPORT void flushCompositingState(const FloatRect&) override;
@@ -425 +426 @@
     void updateOpacityOnLayer();
     void updateFilters();
-    void updateBackdropFilters();
+    void updateBackdropFilters(CommitState&);
     void updateBackdropFiltersRect();