[BlackBerry] Dangling pointer in WebPagePrivate::setCompositor() message

https://bugs.webkit.org/show_bug.cgi?id=87590

Patch by Arvid Nilsson <anilsson@rim.com> on 2012-05-28
Reviewed by Rob Buis.

A crash would be seen in GuardedPointerBase::getWithGuardLocked when
attempting to unpickle and execute a serialized call to setCompositor.

The problem was that the message had been created with a dangling
pointer as the target. The web page failed to inform its compositor
that it was being destroyed due to an early return in
WebPagePrivate::destroyCompositor.

The root cause was that a method called "destroyCompositor" was being
called in two situations, when navigating to a new page as well as when
actually deleting the web page. And in one case, we really only wanted
to free up some memory by clearing textures, while in the other case we
really did want to destroy the compositor.

Fixed by calling a method to release textures when that's what we want
to do, and calling a method to destroy the compositor when that's what
we want to do, and making that latter method unconditional.

Reviewed internally by Jeff Rogers.

PR #156765

* Api/WebPage.cpp:
(BlackBerry::WebKit::WebPagePrivate::setLoadState):
(BlackBerry::WebKit::WebPagePrivate::destroyCompositor):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@118702 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 7c3c1cfd
...@@ -884,8 +884,10 @@ void WebPagePrivate::setLoadState(LoadState state) ...@@ -884,8 +884,10 @@ void WebPagePrivate::setLoadState(LoadState state)
#endif #endif
#if USE(ACCELERATED_COMPOSITING) #if USE(ACCELERATED_COMPOSITING)
if (isAcceleratedCompositingActive() && !compositorDrawsRootLayer()) if (isAcceleratedCompositingActive()) {
syncDestroyCompositorOnCompositingThread(); Platform::userInterfaceThreadMessageClient()->dispatchSyncMessage(
Platform::createMethodCallMessage(&WebPagePrivate::destroyLayerResources, this));
}
#endif #endif
m_previousContentsSize = IntSize(); m_previousContentsSize = IntSize();
m_backingStore->d->resetRenderQueue(); m_backingStore->d->resetRenderQueue();
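Review bot: the old guard `&& !compositorDrawsRootLayer()` is dropped from the condition in setLoadState, so destroyLayerResources now also runs when the compositor draws the root layer; if that is intended, a one-line comment saying why the root-layer case no longer needs to be excluded would save the next reader a trip through the history, and if it is not intended, the guard should stay. The dispatch is synchronous (dispatchSyncMessage), so the `this` handed to createMethodCallMessage cannot go dangling before the call executes, which is the right choice given the bug being fixed.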
...@@ -5895,12 +5897,6 @@ bool WebPagePrivate::createCompositor() ...@@ -5895,12 +5897,6 @@ bool WebPagePrivate::createCompositor()
void WebPagePrivate::destroyCompositor() void WebPagePrivate::destroyCompositor()
{ {
// We shouldn't release the compositor unless we created and own the
// context. If the compositor was created from the WebPageCompositor API,
// keep it around and reuse it later.
if (!m_ownedContext)
return;
// m_compositor is a RefPtr, so it may live on beyond this point. // m_compositor is a RefPtr, so it may live on beyond this point.
// Disconnect the compositor from us // Disconnect the compositor from us
m_compositor->setPage(0); m_compositor->setPage(0);
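Review bot: with the `if (!m_ownedContext) return;` early return removed, `m_compositor->setPage(0)` is reached unconditionally, and nothing in the visible lines checks that m_compositor is non-null; unless every caller guarantees a compositor exists (for example, that createCompositor already ran), an `if (!m_compositor) return;` guard at the top would avoid trading the dangling-pointer crash for a null dereference. The deleted comment also documented that a compositor created through the WebPageCompositor API is meant to be kept and reused; if that still holds for the rest of this function, the comment should be reworded to state what now happens in that case rather than dropped outright.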
......
2012-05-28 Arvid Nilsson <anilsson@rim.com>
[BlackBerry] Dangling pointer in WebPagePrivate::setCompositor() message
https://bugs.webkit.org/show_bug.cgi?id=87590
Reviewed by Rob Buis.
A crash would be seen in GuardedPointerBase::getWithGuardLocked when
attempting to unpickle and execute serialized call to setCompositor.
The problem was that the message had been created with a dangling
pointer as the target. The web page failed to inform its compositor
that it was being destroyed due to an early return in
WebPagePrivate::destroyCompositor.
The root cause was that a method called "destroyCompositor" was being
called in two situations, when navigating to a new page as well as when
actually deleting the web page. And in one case, we really only wanted
to free up some memory by clearing textures, while in the other case we
really did want to destroy the compositor.
Fixed by calling a method to release textures when that's what we want
to do, and calling a method to destroy the compositor when that's what
we want to do, and making that latter method unconditional.
Reviewed internally by Jeff Rogers.
PR #156765
* Api/WebPage.cpp:
(BlackBerry::WebKit::WebPagePrivate::setLoadState):
(BlackBerry::WebKit::WebPagePrivate::destroyCompositor):
2012-05-28 Arvid Nilsson <anilsson@rim.com> 2012-05-28 Arvid Nilsson <anilsson@rim.com>
[BlackBerry] Add a default tap highlight [BlackBerry] Add a default tap highlight
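Review bot: in the ChangeLog entry, "unpickle and execute serialized call to setCompositor" reads better as "execute a serialized call to setCompositor"; the entry also describes the fix as "a method to release textures" and "a method to destroy the compositor" without naming them, and naming destroyLayerResources and destroyCompositor would let a reader match the description to the code in setLoadState.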
......