Changeset 250717 in webkit

Timestamp:

Oct 4, 2019 6:39:21 AM (5 years ago)

Author:

Carlos Garcia Campos

Message:

[GTK] Crash in WebChromeClient::createDisplayRefreshMonitor
​https://bugs.webkit.org/show_bug.cgi?id=202551

Reviewed by Žan Doberšek.

The crash happens when the drawing area is destroyed due to a page close. The layer tree host is invalidated
causing a layer flush that ends up trying to create a display refresh monitor, which requires the drawing
area. We need to null-check the drawing area in WebChromeClient::createDisplayRefreshMonitor() but we should
also ensure that layer flush is not performed after layer tree host is destroyed.

• WebProcess/WebCoreSupport/WebChromeClient.cpp:

(WebKit::WebChromeClient::createDisplayRefreshMonitor const): Null-check drawing area before using it.

• WebProcess/WebPage/CoordinatedGraphics/CompositingCoordinator.cpp:

(WebKit::CompositingCoordinator::CompositingCoordinator): Receive a WebPage instead of a WebCore::Page and
create the root layer here.
(WebKit::CompositingCoordinator::~CompositingCoordinator): Do not purge backing stores again, invalidate should
always be called right before the object is destroyed.
(WebKit::CompositingCoordinator::flushPendingLayerChanges): Get WebCore::Page from WebPage.
(WebKit::CompositingCoordinator::timestamp const): Ditto.
(WebKit::CompositingCoordinator::syncDisplayState): Ditto.
(WebKit::CompositingCoordinator::notifyFlushRequired): Do not continue if m_rootLayer is nullptr.
(WebKit::CompositingCoordinator::deviceScaleFactor const): Get WebCore::Page from WebPage.
(WebKit::CompositingCoordinator::pageScaleFactor const): Ditto.
(WebKit::CompositingCoordinator::createGraphicsLayer): Call attachLayer() instead of duplicating the code.
(WebKit::CompositingCoordinator::setVisibleContentsRect): Get WebCore::Page from WebPage.

• WebProcess/WebPage/CoordinatedGraphics/CompositingCoordinator.h:
• WebProcess/WebPage/CoordinatedGraphics/DrawingAreaCoordinatedGraphics.cpp:

(WebKit::DrawingAreaCoordinatedGraphics::discardPreviousLayerTreeHost): Do not call LayerTreeHost::invalidate()
that has been removed.

• WebProcess/WebPage/CoordinatedGraphics/LayerTreeHost.cpp:

(WebKit::LayerTreeHost::LayerTreeHost): Construct the coordinator after the sceneIntegration.
(WebKit::LayerTreeHost::~LayerTreeHost): Invalidate everything here now. We don't really need invalidate()
method since LayerTreeHost is not refcounted and we always called invalidate right before deleting the object.
(WebKit::LayerTreeHost::layerFlushTimerFired): This can't happen on invalid state anymore.

• WebProcess/WebPage/CoordinatedGraphics/LayerTreeHost.h:

Location:

trunk/Source/WebKit

Files:

• ChangeLog (modified) (1 diff)
• WebProcess/WebCoreSupport/WebChromeClient.cpp (modified) (1 diff)
• WebProcess/WebPage/CoordinatedGraphics/CompositingCoordinator.cpp (modified) (10 diffs)
• WebProcess/WebPage/CoordinatedGraphics/CompositingCoordinator.h (modified) (7 diffs)
• WebProcess/WebPage/CoordinatedGraphics/DrawingAreaCoordinatedGraphics.cpp (modified) (2 diffs)
• WebProcess/WebPage/CoordinatedGraphics/LayerTreeHost.cpp (modified) (6 diffs)
• WebProcess/WebPage/CoordinatedGraphics/LayerTreeHost.h (modified) (4 diffs)

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2019-10-04  Carlos Garcia Campos  <cgarcia@igalia.com>
+
+        [GTK] Crash in WebChromeClient::createDisplayRefreshMonitor
+        https://bugs.webkit.org/show_bug.cgi?id=202551
+
+        Reviewed by Žan Doberšek.
+
+        The crash happens when the drawing area is destroyed due to a page close. The layer tree host is invalidated
+        causing a layer flush that ends up trying to create a display refresh monitor, which requires the drawing
+        area. We need to null-check the drawing area in WebChromeClient::createDisplayRefreshMonitor() but we should
+        also ensure that layer flush is not performed after layer tree host is destroyed.
+
+        * WebProcess/WebCoreSupport/WebChromeClient.cpp:
+        (WebKit::WebChromeClient::createDisplayRefreshMonitor const): Null-check drawing area before using it.
+        * WebProcess/WebPage/CoordinatedGraphics/CompositingCoordinator.cpp:
+        (WebKit::CompositingCoordinator::CompositingCoordinator): Receive a WebPage instead of a WebCore::Page and
+        create the root layer here.
+        (WebKit::CompositingCoordinator::~CompositingCoordinator): Do not purge backing stores again, invalidate should
+        always be called right before the object is destroyed.
+        (WebKit::CompositingCoordinator::flushPendingLayerChanges): Get WebCore::Page from WebPage.
+        (WebKit::CompositingCoordinator::timestamp const): Ditto.
+        (WebKit::CompositingCoordinator::syncDisplayState): Ditto.
+        (WebKit::CompositingCoordinator::notifyFlushRequired): Do not continue if m_rootLayer is nullptr.
+        (WebKit::CompositingCoordinator::deviceScaleFactor const): Get WebCore::Page from WebPage.
+        (WebKit::CompositingCoordinator::pageScaleFactor const): Ditto.
+        (WebKit::CompositingCoordinator::createGraphicsLayer): Call attachLayer() instead of duplicating the code.
+        (WebKit::CompositingCoordinator::setVisibleContentsRect): Get WebCore::Page from WebPage.
+        * WebProcess/WebPage/CoordinatedGraphics/CompositingCoordinator.h:
+        * WebProcess/WebPage/CoordinatedGraphics/DrawingAreaCoordinatedGraphics.cpp:
+        (WebKit::DrawingAreaCoordinatedGraphics::discardPreviousLayerTreeHost): Do not call LayerTreeHost::invalidate()
+        that has been removed.
+        * WebProcess/WebPage/CoordinatedGraphics/LayerTreeHost.cpp:
+        (WebKit::LayerTreeHost::LayerTreeHost): Construct the coordinator after the sceneIntegration.
+        (WebKit::LayerTreeHost::~LayerTreeHost): Invalidate everything here now. We don't really need invalidate()
+        method since LayerTreeHost is not refcounted and we always called invalidate right before deleting the object.
+        (WebKit::LayerTreeHost::layerFlushTimerFired): This can't happen on invalid state anymore.
+        * WebProcess/WebPage/CoordinatedGraphics/LayerTreeHost.h:
+
 2019-10-04  Carlos Garcia Campos  <cgarcia@igalia.com>
 

trunk/Source/WebKit/WebProcess/WebCoreSupport/WebChromeClient.cpp

@@ -892 +892 @@
 RefPtr<DisplayRefreshMonitor> WebChromeClient::createDisplayRefreshMonitor(PlatformDisplayID displayID) const
 {
-    return m_page.drawingArea()->createDisplayRefreshMonitor(displayID);
+    if (auto* drawingArea = m_page.drawingArea())
+        return drawingArea->createDisplayRefreshMonitor(displayID);
+    return nullptr;
 }
 

trunk/Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/CompositingCoordinator.cpp

@@ -51 +51 @@
 using namespace WebCore;
 
-CompositingCoordinator::CompositingCoordinator(Page* page, CompositingCoordinator::Client& client)
+CompositingCoordinator::CompositingCoordinator(WebPage& page, CompositingCoordinator::Client& client)
     : m_page(page)
     , m_client(client)
@@ -58 +58 @@
     m_nicosia.scene = Nicosia::Scene::create();
     m_state.nicosia.scene = m_nicosia.scene;
+
+    m_rootLayer = GraphicsLayer::create(this, *this);
+#ifndef NDEBUG
+    m_rootLayer->setName("CompositingCoordinator root layer");
+#endif
+    m_rootLayer->setDrawsContent(false);
+    m_rootLayer->setSize(m_page.size());
 }
 
 CompositingCoordinator::~CompositingCoordinator()
 {
-    m_isDestructing = true;
-
-    purgeBackingStores();
+    ASSERT(!m_rootLayer);
 
     for (auto& registeredLayer : m_registeredLayers.values())
@@ -120 +125 @@
         m_overlayCompositingLayer->flushCompositingState(FloatRect(FloatPoint(), m_rootLayer->size()));
 
-    bool didSync = m_page->mainFrame().view()->flushCompositingStateIncludingSubframes();
+    bool didSync = m_page.corePage()->mainFrame().view()->flushCompositingStateIncludingSubframes();
 
     auto& coordinatedLayer = downcast<CoordinatedGraphicsLayer>(*m_rootLayer);
@@ -170 +175 @@
 double CompositingCoordinator::timestamp() const
 {
-    auto* document = m_page->mainFrame().document();
+    auto* document = m_page.corePage()->mainFrame().document();
     if (!document)
         return 0;
@@ -178 +183 @@
 void CompositingCoordinator::syncDisplayState()
 {
-    m_page->mainFrame().view()->updateLayoutAndStyleIfNeededRecursive();
+    m_page.corePage()->mainFrame().view()->updateLayoutAndStyleIfNeededRecursive();
 }
 
@@ -199 +204 @@
 }
 
-void CompositingCoordinator::createRootLayer(const IntSize& size)
-{
-    ASSERT(!m_rootLayer);
-    // Create a root layer.
-    m_rootLayer = GraphicsLayer::create(this, *this);
-#ifndef NDEBUG
-    m_rootLayer->setName("CompositingCoordinator root layer");
-#endif
-    m_rootLayer->setDrawsContent(false);
-    m_rootLayer->setSize(size);
-}
-
 void CompositingCoordinator::syncLayerState()
 {
@@ -218 +211 @@
 void CompositingCoordinator::notifyFlushRequired(const GraphicsLayer*)
 {
-    if (!m_isDestructing && !isFlushingLayerChanges())
+    if (m_rootLayer && !isFlushingLayerChanges())
         m_client.notifyFlushRequired();
 }
@@ -224 +217 @@
 float CompositingCoordinator::deviceScaleFactor() const
 {
-    return m_page->deviceScaleFactor();
+    return m_page.corePage()->deviceScaleFactor();
 }
 
 float CompositingCoordinator::pageScaleFactor() const
 {
-    return m_page->pageScaleFactor();
+    return m_page.corePage()->pageScaleFactor();
 }
 
@@ -235 +228 @@
 {
     auto layer = adoptRef(*new CoordinatedGraphicsLayer(layerType, client));
+    attachLayer(layer.ptr());
+    return layer;
+}
+
+FloatRect CompositingCoordinator::visibleContentsRect() const
+{
+    return m_visibleContentsRect;
+}
+
+void CompositingCoordinator::setVisibleContentsRect(const FloatRect& rect)
+{
+    bool contentsRectDidChange = rect != m_visibleContentsRect;
+    if (contentsRectDidChange) {
+        m_visibleContentsRect = rect;
+
+        for (auto& registeredLayer : m_registeredLayers.values())
+            registeredLayer->setNeedsVisibleRectAdjustment();
+    }
+
+    FrameView* view = m_page.corePage()->mainFrame().view();
+    if (view->useFixedLayout() && contentsRectDidChange) {
+        // Round the rect instead of enclosing it to make sure that its size stays
+        // the same while panning. This can have nasty effects on layout.
+        view->setFixedVisibleContentRect(roundedIntRect(rect));
+    }
+}
+
+void CompositingCoordinator::deviceOrPageScaleFactorChanged()
+{
+    m_rootLayer->deviceOrPageScaleFactorChanged();
+}
+
+void CompositingCoordinator::detachLayer(CoordinatedGraphicsLayer* layer)
+{
+    if (m_isPurging)
+        return;
+
+    {
+        auto& compositionLayer = layer->compositionLayer();
+        m_nicosia.state.layers.remove(compositionLayer);
+        compositionLayer->setSceneIntegration(nullptr);
+    }
+    m_registeredLayers.remove(layer->id());
+    notifyFlushRequired(layer);
+}
+
+void CompositingCoordinator::attachLayer(CoordinatedGraphicsLayer* layer)
+{
     layer->setCoordinator(this);
     {
@@ -241 +282 @@
         compositionLayer->setSceneIntegration(m_client.sceneIntegration());
     }
-    m_registeredLayers.add(layer->id(), layer.ptr());
-    layer->setNeedsVisibleRectAdjustment();
-    notifyFlushRequired(layer.ptr());
-    return layer;
-}
-
-FloatRect CompositingCoordinator::visibleContentsRect() const
-{
-    return m_visibleContentsRect;
-}
-
-void CompositingCoordinator::setVisibleContentsRect(const FloatRect& rect)
-{
-    bool contentsRectDidChange = rect != m_visibleContentsRect;
-    if (contentsRectDidChange) {
-        m_visibleContentsRect = rect;
-
-        for (auto& registeredLayer : m_registeredLayers.values())
-            registeredLayer->setNeedsVisibleRectAdjustment();
-    }
-
-    FrameView* view = m_page->mainFrame().view();
-    if (view->useFixedLayout() && contentsRectDidChange) {
-        // Round the rect instead of enclosing it to make sure that its size stays
-        // the same while panning. This can have nasty effects on layout.
-        view->setFixedVisibleContentRect(roundedIntRect(rect));
-    }
-}
-
-void CompositingCoordinator::deviceOrPageScaleFactorChanged()
-{
-    m_rootLayer->deviceOrPageScaleFactorChanged();
-}
-
-void CompositingCoordinator::detachLayer(CoordinatedGraphicsLayer* layer)
-{
-    if (m_isPurging)
-        return;
-
-    {
-        auto& compositionLayer = layer->compositionLayer();
-        m_nicosia.state.layers.remove(compositionLayer);
-        compositionLayer->setSceneIntegration(nullptr);
-    }
-    m_registeredLayers.remove(layer->id());
-    notifyFlushRequired(layer);
-}
-
-void CompositingCoordinator::attachLayer(CoordinatedGraphicsLayer* layer)
-{
-    layer->setCoordinator(this);
-    {
-        auto& compositionLayer = layer->compositionLayer();
-        m_nicosia.state.layers.add(compositionLayer);
-        compositionLayer->setSceneIntegration(m_client.sceneIntegration());
-    }
     m_registeredLayers.add(layer->id(), layer);
     layer->setNeedsVisibleRectAdjustment();

trunk/Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/CompositingCoordinator.h

@@ -25 +25 @@
  */
 
-#ifndef CompositingCoordinator_h
-#define CompositingCoordinator_h
+#pragma once
 
 #if USE(COORDINATED_GRAPHICS)
 
+#include "WebPage.h"
 #include <WebCore/CoordinatedGraphicsLayer.h>
 #include <WebCore/CoordinatedGraphicsState.h>
@@ -47 +47 @@
 class GraphicsContext;
 class GraphicsLayer;
-class Page;
 }
 
@@ -65 +64 @@
     };
 
-    CompositingCoordinator(WebCore::Page*, CompositingCoordinator::Client&);
+    CompositingCoordinator(WebPage&, CompositingCoordinator::Client&);
     virtual ~CompositingCoordinator();
 
@@ -78 +77 @@
     void renderNextFrame();
 
-    void createRootLayer(const WebCore::IntSize&);
     WebCore::GraphicsLayer* rootLayer() const { return m_rootLayer.get(); }
     WebCore::GraphicsLayer* rootCompositingLayer() const { return m_rootCompositingLayer; }
@@ -114 +112 @@
     double timestamp() const;
 
-    WebCore::Page* m_page;
+    WebPage& m_page;
     CompositingCoordinator::Client& m_client;
 
@@ -132 +130 @@
 
     // We don't send the messages related to releasing resources to renderer during purging, because renderer already had removed all resources.
-    bool m_isDestructing { false };
     bool m_isPurging { false };
     bool m_isFlushingLayerChanges { false };
@@ -146 +143 @@
 
 #endif // namespace WebKit
-
-#endif // CompositingCoordinator_h

trunk/Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/DrawingAreaCoordinatedGraphics.cpp

@@ -80 +80 @@
 }
 
-DrawingAreaCoordinatedGraphics::~DrawingAreaCoordinatedGraphics()
-{
-    discardPreviousLayerTreeHost();
-    if (m_layerTreeHost)
-        m_layerTreeHost->invalidate();
-}
+DrawingAreaCoordinatedGraphics::~DrawingAreaCoordinatedGraphics() = default;
 
 void DrawingAreaCoordinatedGraphics::setNeedsDisplay()
@@ -518 +513 @@
 {
     m_discardPreviousLayerTreeHostTimer.stop();
-    if (!m_previousLayerTreeHost)
-        return;
-
-    m_previousLayerTreeHost->invalidate();
     m_previousLayerTreeHost = nullptr;
 }

trunk/Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/LayerTreeHost.cpp

@@ -49 +49 @@
 LayerTreeHost::LayerTreeHost(WebPage& webPage)
     : m_webPage(webPage)
-    , m_coordinator(webPage.corePage(), *this)
     , m_compositorClient(*this)
     , m_surface(AcceleratedSurface::create(webPage, *this))
@@ -55 +54 @@
     , m_layerFlushTimer(RunLoop::main(), this, &LayerTreeHost::layerFlushTimerFired)
     , m_sceneIntegration(Nicosia::SceneIntegration::create(*this))
+    , m_coordinator(webPage, *this)
 {
 #if USE(GLIB_EVENT_LOOP)
@@ -60 +60 @@
     m_layerFlushTimer.setName("[WebKit] LayerTreeHost");
 #endif
-    m_coordinator.createRootLayer(m_webPage.size());
     scheduleLayerFlush();
 
@@ -85 +84 @@
 LayerTreeHost::~LayerTreeHost()
 {
-    ASSERT(!m_isValid);
+    cancelPendingLayerFlush();
+
+    m_sceneIntegration->invalidate();
+    m_coordinator.invalidate();
+    m_compositor->invalidate();
+    m_surface = nullptr;
 }
 
@@ -138 +142 @@
     m_webPage.flushPendingEditorStateUpdate();
 
-    if (!m_isValid || !m_coordinator.rootCompositingLayer())
+    if (!m_coordinator.rootCompositingLayer())
         return;
 
@@ -163 +167 @@
     m_viewOverlayRootLayer = viewOverlayRootLayer;
     m_coordinator.setViewOverlayRootLayer(viewOverlayRootLayer);
-}
-
-void LayerTreeHost::invalidate()
-{
-    ASSERT(m_isValid);
-    m_isValid = false;
-
-    cancelPendingLayerFlush();
-
-    m_sceneIntegration->invalidate();
-    m_coordinator.invalidate();
-    m_compositor->invalidate();
-    m_surface = nullptr;
 }
 

trunk/Source/WebKit/WebProcess/WebPage/CoordinatedGraphics/LayerTreeHost.h

@@ -75 +75 @@
     void setRootCompositingLayer(WebCore::GraphicsLayer*);
     void setViewOverlayRootLayer(WebCore::GraphicsLayer*);
-    void invalidate();
 
     void scrollNonCompositedContents(const WebCore::IntRect&);
@@ -184 +183 @@
     bool m_notifyAfterScheduledLayerFlush { false };
     bool m_isSuspended { false };
-    bool m_isValid { true };
     bool m_isWaitingForRenderer { false };
     bool m_scheduledWhileWaitingForRenderer { false };
@@ -192 +190 @@
     OptionSet<DiscardableSyncActions> m_discardableSyncActions;
     WebCore::GraphicsLayer* m_viewOverlayRootLayer { nullptr };
-    CompositingCoordinator m_coordinator;
     CompositorClient m_compositorClient;
     std::unique_ptr<AcceleratedSurface> m_surface;
@@ -203 +200 @@
     RunLoop::Timer<LayerTreeHost> m_layerFlushTimer;
     Ref<Nicosia::SceneIntegration> m_sceneIntegration;
+    CompositingCoordinator m_coordinator;
 #endif // USE(COORDINATED_GRAPHICS)
 };