Do not try to issue repaint while the render tree is being destroyed. https://bugs.webkit.org/show_bug.cgi?id=197461 <rdar://problem/50368992> Reviewed by Simon Fraser. Source/WebCore: Test: http/tests/svg/crash-on-reload-with-filter.html We don't need to compute repaint rects when the render tree is getting torn down. We'll issue a full repaint at some point. Also during full render tree destruction the inline tree state is undefined. We should avoid accessing it. * rendering/svg/RenderSVGResourceContainer.cpp: (WebCore::RenderSVGResourceContainer::markAllClientLayersForInvalidation): LayoutTests: * http/tests/svg/crash-on-reload-with-filter-expected.txt: Added. * http/tests/svg/crash-on-reload-with-filter.html: Added. * http/tests/svg/resources/finishTest.html: Added. git-svn-id: http://svn.webkit.org/repository/webkit/trunk@245300 268f45cc-cd09-0410-ab3c-d52691b4dbfc

commit: 2f7484f3925068c273866e5366abfba76ffdf860 [log] [tgz]
author: zalan@apple.com <zalan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Tue May 14 20:03:46 2019 +0000
committer: zalan@apple.com <zalan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Tue May 14 20:03:46 2019 +0000
tree: 4d436a2582a80bb2ac40e80f580fdb7d8314c2a1
parent: bc8b45293df25604c32ffb764d15ad9a124f2d2b [diff]
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index f8b7e09..04e9c2a 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog

@@ -1,3 +1,15 @@
+2019-05-14  Zalan Bujtas  <zalan@apple.com>
+
+        Do not try to issue repaint while the render tree is being destroyed.
+        https://bugs.webkit.org/show_bug.cgi?id=197461
+        <rdar://problem/50368992>
+
+        Reviewed by Simon Fraser.
+
+        * http/tests/svg/crash-on-reload-with-filter-expected.txt: Added.
+        * http/tests/svg/crash-on-reload-with-filter.html: Added.
+        * http/tests/svg/resources/finishTest.html: Added.
+
 2019-05-14  Youenn Fablet  <youenn@apple.com>
 
         A service worker process should app nap when all its clients app nap

diff --git a/LayoutTests/http/tests/svg/crash-on-reload-with-filter-expected.txt b/LayoutTests/http/tests/svg/crash-on-reload-with-filter-expected.txt
new file mode 100644
index 0000000..166765e
--- /dev/null
+++ b/LayoutTests/http/tests/svg/crash-on-reload-with-filter-expected.txt

@@ -0,0 +1 @@
+Pass if no crash or assert.

diff --git a/LayoutTests/http/tests/svg/crash-on-reload-with-filter.html b/LayoutTests/http/tests/svg/crash-on-reload-with-filter.html
new file mode 100644
index 0000000..83cee37
--- /dev/null
+++ b/LayoutTests/http/tests/svg/crash-on-reload-with-filter.html

@@ -0,0 +1,11 @@
+<div style="display: inline-block;"></div>
+<svg><filter id="svgfilter"><feOffset/></filter></svg>
+<span style="-webkit-text-emphasis: '-';"></span>
+<video style="filter: url(#svgfilter);"></video>
+<script>
+document.body.offsetHeight;
+location = "resources/finishTest.html";
+
+if (window.testRunner)
+    testRunner.waitUntilDone();
+</script>

diff --git a/LayoutTests/http/tests/svg/resources/finishTest.html b/LayoutTests/http/tests/svg/resources/finishTest.html
new file mode 100644
index 0000000..4cbde81
--- /dev/null
+++ b/LayoutTests/http/tests/svg/resources/finishTest.html

@@ -0,0 +1,6 @@
+Pass if no crash or assert.<script>
+if (window.testRunner) {
+    testRunner.dumpAsText();
+    testRunner.notifyDone();
+}
+</script>

diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index 11afe4f..97d94df 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog

@@ -1,3 +1,19 @@
+2019-05-14  Zalan Bujtas  <zalan@apple.com>
+
+        Do not try to issue repaint while the render tree is being destroyed.
+        https://bugs.webkit.org/show_bug.cgi?id=197461
+        <rdar://problem/50368992>
+
+        Reviewed by Simon Fraser.
+
+        Test: http/tests/svg/crash-on-reload-with-filter.html
+
+        We don't need to compute repaint rects when the render tree is getting torn down. We'll issue a full repaint at some point.
+        Also during full render tree destruction the inline tree state is undefined. We should avoid accessing it.
+
+        * rendering/svg/RenderSVGResourceContainer.cpp:
+        (WebCore::RenderSVGResourceContainer::markAllClientLayersForInvalidation):
+
 2019-05-14  Youenn Fablet  <youenn@apple.com>
 
         A service worker process should app nap when all its clients app nap

diff --git a/Source/WebCore/rendering/svg/RenderSVGResourceContainer.cpp b/Source/WebCore/rendering/svg/RenderSVGResourceContainer.cpp
index 9310435..cddc375 100644
--- a/Source/WebCore/rendering/svg/RenderSVGResourceContainer.cpp
+++ b/Source/WebCore/rendering/svg/RenderSVGResourceContainer.cpp

@@ -122,6 +122,10 @@
 
 void RenderSVGResourceContainer::markAllClientLayersForInvalidation()
 {
+    if (m_clientLayers.isEmpty())
+        return;
+    if ((*m_clientLayers.begin())->renderer().renderTreeBeingDestroyed())
+        return;
     for (auto* clientLayer : m_clientLayers)
         clientLayer->filterNeedsRepaint();
 }
commit	2f7484f3925068c273866e5366abfba76ffdf860	[log] [tgz]
author	zalan@apple.com <zalan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>	Tue May 14 20:03:46 2019 +0000
committer	zalan@apple.com <zalan@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>	Tue May 14 20:03:46 2019 +0000
tree	4d436a2582a80bb2ac40e80f580fdb7d8314c2a1
parent	bc8b45293df25604c32ffb764d15ad9a124f2d2b [diff]