Merge r245300 - Do not try to issue repaint while the render tree is …

…being destroyed. https://bugs.webkit.org/show_bug.cgi?id=197461 <rdar://problem/50368992> Reviewed by Simon Fraser. Source/WebCore: Test: http/tests/svg/crash-on-reload-with-filter.html We don't need to compute repaint rects when the render tree is getting torn down. We'll issue a full repaint at some point. Also during full render tree destruction the inline tree state is undefined. We should avoid accessing it. * rendering/svg/RenderSVGResourceContainer.cpp: (WebCore::RenderSVGResourceContainer::markAllClientLayersForInvalidation): LayoutTests: * http/tests/svg/crash-on-reload-with-filter-expected.txt: Added. * http/tests/svg/crash-on-reload-with-filter.html: Added. * http/tests/svg/resources/finishTest.html: Added.
WebKit · May 17, 2019 · ac52a25 · ac52a25
1 parent fe1ef53
commit ac52a25
Show file tree

Hide file tree

Showing 6 changed files with 50 additions and 0 deletions.
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
@@ -1,3 +1,15 @@
+2019-05-14  Zalan Bujtas  <zalan@apple.com>
+
+        Do not try to issue repaint while the render tree is being destroyed.
+        https://bugs.webkit.org/show_bug.cgi?id=197461
+        <rdar://problem/50368992>
+
+        Reviewed by Simon Fraser.
+
+        * http/tests/svg/crash-on-reload-with-filter-expected.txt: Added.
+        * http/tests/svg/crash-on-reload-with-filter.html: Added.
+        * http/tests/svg/resources/finishTest.html: Added.
+
 2019-05-04  Tadeu Zagallo  <tzagallo@apple.com>
 
         TypedArrays should not store properties that are canonical numeric indices

diff --git a/LayoutTests/http/tests/svg/crash-on-reload-with-filter-expected.txt b/LayoutTests/http/tests/svg/crash-on-reload-with-filter-expected.txt
@@ -0,0 +1 @@
+Pass if no crash or assert.
diff --git a/LayoutTests/http/tests/svg/crash-on-reload-with-filter.html b/LayoutTests/http/tests/svg/crash-on-reload-with-filter.html
@@ -0,0 +1,11 @@
+<div style="display: inline-block;"></div>
+<svg><filter id="svgfilter"><feOffset/></filter></svg>
+<span style="-webkit-text-emphasis: '-';"></span>
+<video style="filter: url(#svgfilter);"></video>
+<script>
+document.body.offsetHeight;
+location = "resources/finishTest.html";
+
+if (window.testRunner)
+    testRunner.waitUntilDone();
+</script>
diff --git a/LayoutTests/http/tests/svg/resources/finishTest.html b/LayoutTests/http/tests/svg/resources/finishTest.html
@@ -0,0 +1,6 @@
+Pass if no crash or assert.<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.notifyDone();
+}
+</script>
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
@@ -1,3 +1,19 @@
+2019-05-14  Zalan Bujtas  <zalan@apple.com>
+
+        Do not try to issue repaint while the render tree is being destroyed.
+        https://bugs.webkit.org/show_bug.cgi?id=197461
+        <rdar://problem/50368992>
+
+        Reviewed by Simon Fraser.
+
+        Test: http/tests/svg/crash-on-reload-with-filter.html
+
+        We don't need to compute repaint rects when the render tree is getting torn down. We'll issue a full repaint at some point.
+        Also during full render tree destruction the inline tree state is undefined. We should avoid accessing it.
+
+        * rendering/svg/RenderSVGResourceContainer.cpp:
+        (WebCore::RenderSVGResourceContainer::markAllClientLayersForInvalidation):
+
 2019-05-09  Brent Fulgham  <bfulgham@apple.com>
 
         Correct delayed load event handling

diff --git a/Source/WebCore/rendering/svg/RenderSVGResourceContainer.cpp b/Source/WebCore/rendering/svg/RenderSVGResourceContainer.cpp
@@ -122,6 +122,10 @@ void RenderSVGResourceContainer::markAllClientsForInvalidation(InvalidationMode
 
 void RenderSVGResourceContainer::markAllClientLayersForInvalidation()
 {
+    if (m_clientLayers.isEmpty())
+        return;
+    if ((*m_clientLayers.begin())->renderer().renderTreeBeingDestroyed())
+        return;
     for (auto* clientLayer : m_clientLayers)
         clientLayer->filterNeedsRepaint();
 }