From 6814d355afdf75f7fd77ee43849efdf7e5b14ca4 Mon Sep 17 00:00:00 2001
From: sotaro
Date: Tue, 29 Aug 2017 22:41:53 +0900
Subject: [PATCH] Bug 1394337 - Fix uninitialized mPipelineId by WebRenderBridgeParent::CreateDestroyed() r=kats

WebRenderBridgeParent holds uninitialized mPipelineId when it was created by WebRenderBridgeParent::CreateDestroyed(). Then when CrossProcessCompositorBridgeParent::DeallocPWebRenderBridgeParent is called for the WebRenderBridgeParent, it will call EraseLayerState with some garbage uninitialized value, and so it will erase some random layer state entry.
---
 gfx/layers/ipc/CompositorBridgeParent.cpp | 2 +-
 gfx/layers/ipc/CrossProcessCompositorBridgeParent.cpp | 2 +-
 gfx/layers/wr/WebRenderBridgeParent.cpp | 7 ++++---
 gfx/layers/wr/WebRenderBridgeParent.h | 4 ++--
 4 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/gfx/layers/ipc/CompositorBridgeParent.cpp b/gfx/layers/ipc/CompositorBridgeParent.cpp
index 0eb5435aca9a..5af05f4f736c 100644
--- a/gfx/layers/ipc/CompositorBridgeParent.cpp
+++ b/gfx/layers/ipc/CompositorBridgeParent.cpp
@@ -1697,7 +1697,7 @@ CompositorBridgeParent::AllocPWebRenderBridgeParent(const wr::PipelineId& aPipel
 RefPtr widget = mWidget;
 RefPtr api = wr::WebRenderAPI::Create(this, Move(widget), aSize);
 if (!api) {
- mWrBridge = WebRenderBridgeParent::CreateDestroyed();
+ mWrBridge = WebRenderBridgeParent::CreateDestroyed(aPipelineId);
 mWrBridge.get()->AddRef(); // IPDL reference
 *aIdNamespace = mWrBridge->GetIdNamespace();
 *aTextureFactoryIdentifier = TextureFactoryIdentifier(LayersBackend::LAYERS_NONE);
diff --git a/gfx/layers/ipc/CrossProcessCompositorBridgeParent.cpp b/gfx/layers/ipc/CrossProcessCompositorBridgeParent.cpp
index 15125eb7305c..0cc30910c757 100644
--- a/gfx/layers/ipc/CrossProcessCompositorBridgeParent.cpp
+++ b/gfx/layers/ipc/CrossProcessCompositorBridgeParent.cpp
@@ -217,7 +217,7 @@ CrossProcessCompositorBridgeParent::AllocPWebRenderBridgeParent(const wr::Pipeli
 // This could happen when this function is called after CompositorBridgeParent destruction.
 // This was observed during Tab move between different windows.
 NS_WARNING("Created child without a matching parent?");
- parent = WebRenderBridgeParent::CreateDestroyed();
+ parent = WebRenderBridgeParent::CreateDestroyed(aPipelineId);
 parent->AddRef(); // IPDL reference
 *aIdNamespace = parent->GetIdNamespace();
 *aTextureFactoryIdentifier = TextureFactoryIdentifier(LayersBackend::LAYERS_NONE);
diff --git a/gfx/layers/wr/WebRenderBridgeParent.cpp b/gfx/layers/wr/WebRenderBridgeParent.cpp
index e55dbec440c5..0cc062d822bf 100644
--- a/gfx/layers/wr/WebRenderBridgeParent.cpp
+++ b/gfx/layers/wr/WebRenderBridgeParent.cpp
@@ -143,8 +143,9 @@ WebRenderBridgeParent::WebRenderBridgeParent(CompositorBridgeParentBase* aCompos
 }
 }
-WebRenderBridgeParent::WebRenderBridgeParent()
+WebRenderBridgeParent::WebRenderBridgeParent(const wr::PipelineId& aPipelineId)
 : mCompositorBridge(nullptr)
+ , mPipelineId(aPipelineId)
 , mChildLayerObserverEpoch(0)
 , mParentLayerObserverEpoch(0)
 , mWrEpoch(0)
@@ -156,9 +157,9 @@ WebRenderBridgeParent::WebRenderBridgeParent()
 }
 /* static */ WebRenderBridgeParent*
-WebRenderBridgeParent::CreateDestroyed()
+WebRenderBridgeParent::CreateDestroyed(const wr::PipelineId& aPipelineId)
 {
- return new WebRenderBridgeParent();
+ return new WebRenderBridgeParent(aPipelineId);
 }
 WebRenderBridgeParent::~WebRenderBridgeParent()
diff --git a/gfx/layers/wr/WebRenderBridgeParent.h b/gfx/layers/wr/WebRenderBridgeParent.h
index 8401899bba3a..d3a6eac81839 100644
--- a/gfx/layers/wr/WebRenderBridgeParent.h
+++ b/gfx/layers/wr/WebRenderBridgeParent.h
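Review bot: The id now stored on the destroyed bridge in CrossProcessCompositorBridgeParent::AllocPWebRenderBridgeParent is the `aPipelineId` supplied by the child, and per the commit message DeallocPWebRenderBridgeParent later passes it to EraseLayerState, so this fallback branch should only be reachable after the id has been checked as belonging to the calling process. The hunk starts inside the function and does not show whether such a check precedes the `NS_WARNING` branch. If it does, a short comment would record the dependency, e.g. `// aPipelineId was validated above; Dealloc erases layer state by this id.`; if it does not, the erase would act on a caller-chosen entry instead of a random one, which still needs a guard.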
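Review bot: Only `mPipelineId` is added to the initializer list of the `WebRenderBridgeParent(const wr::PipelineId&)` constructor, yet both call sites read `GetIdNamespace()` from the destroyed instance right after creating it, so every member that can be read on a destroyed bridge needs the same guarantee. The initializer list continues past the end of this hunk, so whether the remaining members are covered cannot be confirmed from here. A comment above the constructor would make the invariant explicit: `// Used by CreateDestroyed(); every member read during teardown (e.g. mPipelineId, passed to EraseLayerState) must be initialized here.`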
@@ -55,7 +55,7 @@ public:
 RefPtr&& aImageMgr,
 RefPtr&& aAnimStorage);
- static WebRenderBridgeParent* CreateDestroyed();
+ static WebRenderBridgeParent* CreateDestroyed(const wr::PipelineId& aPipelineId);
 wr::PipelineId PipelineId() { return mPipelineId; }
 wr::WebRenderAPI* GetWebRenderAPI() { return mApi; }
@@ -198,7 +198,7 @@ public:
 CompositorAnimationStorage* aAnimStorage);
 private:
- WebRenderBridgeParent();
+ explicit WebRenderBridgeParent(const wr::PipelineId& aPipelineId);
 virtual ~WebRenderBridgeParent();
 uint64_t GetLayersId() const;
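Review bot: The `CreateDestroyed` declaration has no comment explaining why a bridge that is created already destroyed still needs a pipeline id, and that missing knowledge is what let the original bug in. Suggest adding above it: `// Creates a bridge that starts out destroyed. aPipelineId is still recorded because deallocation erases layer state by pipeline id.` The declaration of `mPipelineId` is outside both hunks of this file; if its type allows it, a default member initializer there would keep any future constructor from leaving it indeterminate.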