Crash under PlatformCALayerRemote::recursiveBuildTransaction()

https://bugs.webkit.org/show_bug.cgi?id=259607 rdar://32076163 Reviewed by Tim Horton. In some scenarios, we can end up with a PlatformCALayerRemote which remains in a sublayer list after being deleted. The testcase has a <video> which toggles from composited to non-composited and back. This video has a mask, and a reflection. The reflection RendeLayer (the RenderReplica's layer) remains composited. When this happens, the masks layer's clone remains in the sublayer list of the "replica flattening" layer, but it's owning reference, in the LayerClones struct owned by the video layer, went away when the video stopped being composited temporarily. The real issue is that we failed to rebuild the sublayer list of the "replica flattening" layer in this case, so make sure we trigger that. * LayoutTests/compositing/reflections/video-mask-reflection-crash-expected.txt: Added. * LayoutTests/compositing/reflections/video-mask-reflection-crash.html: Added. * Source/WebCore/platform/graphics/ca/GraphicsLayerCA.cpp: (WebCore::GraphicsLayerCA::setReplicatedLayer): Originally-landed-as: 265870.224@safari-7616-branch (73eb68e). rdar://116426044 Canonical link: https://commits.webkit.org/269097@main
WebKit · Oct 9, 2023 · 75cec00 · 75cec00
1 parent 946b13e
commit 75cec00
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 1 deletion.
diff --git a/LayoutTests/compositing/reflections/video-mask-reflection-crash-expected.txt b/LayoutTests/compositing/reflections/video-mask-reflection-crash-expected.txt
@@ -0,0 +1,3 @@
+This test should not crash.
+
+
diff --git a/LayoutTests/compositing/reflections/video-mask-reflection-crash.html b/LayoutTests/compositing/reflections/video-mask-reflection-crash.html
@@ -0,0 +1,19 @@
+<style>
+    video {
+        mask-image: url(data:image/gif;base64,R0lGODlhEAAQAMQAAORHHOVSKudfOulrSOp3WOyDZu6QdvCchPGolfO0o/XBs/fNwfjZ0frl3/zy7////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACH5BAkAABAALAAAAAAQABAAAAVVICSOZGlCQAosJ6mu7fiyZeKqNKToQGDsM8hBADgUXoGAiqhSvp5QAnQKGIgUhwFUYLCVDFCrKUE1lBavAViFIDlTImbKC5Gm2hB0SlBCBMQiB0UjIQA7);
+        -webkit-box-reflect: below 10px;
+    }
+</style>
+<script>
+    if (window.testRunner)
+        testRunner.dumpAsText();
+
+    function runTest()
+    {
+        document.getElementsByTagName('video')[0].src = "x";
+    }
+</script>
+<body onload=runTest()>
+    <p>This test should not crash.</p>
+    <video controls="controls">
+</body>
diff --git a/Source/WebCore/platform/graphics/ca/GraphicsLayerCA.cpp b/Source/WebCore/platform/graphics/ca/GraphicsLayerCA.cpp
@@ -557,7 +557,7 @@ void GraphicsLayerCA::setReplicatedLayer(GraphicsLayer* layer)
         return;
 
     GraphicsLayer::setReplicatedLayer(layer);
-    noteLayerPropertyChanged(ReplicatedLayerChanged);
+    noteLayerPropertyChanged(ReplicatedLayerChanged | ChildrenChanged);
 }
 
 void GraphicsLayerCA::setReplicatedByLayer(RefPtr<GraphicsLayer>&& layer)