[GTK] Crash in WebCore::TextureMapperLayer::paintSelf

https://bugs.webkit.org/show_bug.cgi?id=240283 Reviewed by Carlos Garcia Campos. There are 4 cases that can happen after there has been a layerFlush and we're adopting the new state in the composition stage: 1. The layer is removed from the tree and the proxy is not assigned to any other layer: the deletion of the layer causes an invalidation of the proxy and both are destroyed afterwards. This works fine. 2. The layer is removed from the tree and the proxy is reassigned to a new layer: the deletion of the first layer causes the invalidation of the proxy, which is then activated on the second layer. As the first layer is destroyed, we don't have to worry about dangling references from it to the proxy's currentBuffer. This works fine. 3. The layer is kept in the tree and the proxy gets disassociated from it and not used by any other layer: we detect that the proxy is not used anymore and call invalidate on it, but the layer keeps a reference to the proxy's currentBuffer, which has been deleted during invalidate, which leads to a crash when trying to render the layer. 4. The layer is kept in the tree and the proxy gets associated to a new layer: as we detect that the proxy is still being used it's not invalidated, but it gets activated on the second layer. The first layer keeps a reference to the proxy's currentBuffer, which will be destroyed a bit later when swapBuffers is called on the proxy. This leads to a crash when trying to render the first layer. This patch addresses cases 3. and 4. described above. * Source/WebCore/platform/graphics/texmap/TextureMapperPlatformLayerProxyGL.cpp: (WebCore::TextureMapperPlatformLayerProxyGL::activateOnCompositingThread): Ensure that the layer no longer keeps a reference to the current buffer if the proxy is already active on a different layer. (WebCore::TextureMapperPlatformLayerProxyGL::invalidate): Ensure that the invalidated layer does not keep a reference to the current buffer. Canonical link: https://commits.webkit.org/251754@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@295749 268f45cc-cd09-0410-ab3c-d52691b4dbfc
WebKit · Jun 22, 2022 · e840e34 · e840e34
1 parent 501d056
commit e840e34
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/Source/WebCore/platform/graphics/texmap/TextureMapperPlatformLayerProxyGL.cpp b/Source/WebCore/platform/graphics/texmap/TextureMapperPlatformLayerProxyGL.cpp
@@ -65,6 +65,9 @@ void TextureMapperPlatformLayerProxyGL::activateOnCompositingThread(Compositor*
     {
         Locker locker { m_lock };
         m_compositor = compositor;
+        // If the proxy is already active on another layer, remove the layer's reference to the current buffer.
+        if (m_targetLayer)
+            m_targetLayer->setContentsLayer(nullptr);
         m_targetLayer = targetLayer;
         if (m_targetLayer && m_currentBuffer)
             m_targetLayer->setContentsLayer(m_currentBuffer.get());
@@ -94,7 +97,10 @@ void TextureMapperPlatformLayerProxyGL::invalidate()
     {
         Locker locker { m_lock };
         m_compositor = nullptr;
-        m_targetLayer = nullptr;
+        if (m_targetLayer) {
+            m_targetLayer->setContentsLayer(nullptr);
+            m_targetLayer = nullptr;
+        }
 
         m_currentBuffer = nullptr;
         m_pendingBuffer = nullptr;