
Issue 848056


Issue metadata

Status: Available
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 2
Type: Bug




Should delay filter building after PrePaint

Project Member Reported by wangxianzhu@chromium.org, May 30 2018

Issue description

Currently we build filters during PrePaint. If the filter references some resources that have not been PrePaint clean, we may crash on a document lifecycle violation or reference dirty paint properties.

<svg>
  <filter id="filter">
    <feImage id="feImage"></feImage>
  </filter>
</svg>
<div style="filter: url(#filter)"></div>
<svg id="svg">
  <foreignObject id="foreignObject">FO</foreignObject>
</svg>
<script>
setTimeout(function() {
  feImage.setAttributeNS('http://www.w3.org/1999/xlink', 'xlink:href', '#svg');
}, 200);
</script>

This is the root cause of bug 847019, and might be the root cause of bug 846227.

Bug 847019 also has another situation: circular references of filter and feImage resource:
<svg>
  <filter id="filter">
    <feImage id="feImage"></feImage>
  </filter>
</svg>
<svg id="svg">
  <foreignObject id="foreignObject" filter="#filter">FO</foreignObject>
</svg>
<script>
setTimeout(function() {
  feImage.setAttributeNS('http://www.w3.org/1999/xlink', 'xlink:href', '#svg');
}, 200);
</script>
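The two snippets above differ in one edge of the resource-reference graph: in the second, the foreignObject inside #svg uses #filter, whose feImage primitive in turn references #svg, so the reference chain loops back on itself. The following added example (written for this page, not Blink's own code) models both snippets as explicit referrer-to-resource edges and runs a depth-first cycle search over them, which is the check a renderer needs before following a reference like the xlink:href set by the timeout. The edge lists, the element ids and the helper names are constructed for illustration.

```javascript
// Added example, not Blink code. Edges are [referrer id, referenced id],
// transcribed by hand from the two repro snippets in the issue description.
// "filter -> feImage" and "svg -> foreignObject" model containment: a
// filter is built from its primitives, an <svg> paints its foreignObject.

// First snippet: <div style="filter: url(#filter)">, feImage href -> #svg.
const REFERENCE_SNIPPET = [
  ['div', 'filter'],
  ['filter', 'feImage'],
  ['feImage', 'svg'],          // set by the setTimeout callback
  ['svg', 'foreignObject'],
];

// Second snippet: same, but foreignObject itself uses #filter.
const CIRCULAR_SNIPPET = [
  ['filter', 'feImage'],
  ['feImage', 'svg'],          // set by the setTimeout callback
  ['svg', 'foreignObject'],
  ['foreignObject', 'filter'], // filter="#filter" on the foreignObject
];

// Depth-first search with white/gray/black colouring. Returns the cycle as an
// array of ids (first id repeated at the end) or null if the graph is acyclic.
function findCycle(edges) {
  const adjacency = new Map();
  for (const [from, to] of edges) {
    if (!adjacency.has(from)) adjacency.set(from, []);
    adjacency.get(from).push(to);
  }
  const WHITE = 0, GRAY = 1, BLACK = 2;
  const colour = new Map();
  const path = []; // current DFS stack, used to report the loop

  function visit(node) {
    colour.set(node, GRAY);
    path.push(node);
    for (const next of adjacency.get(node) || []) {
      const state = colour.get(next) || WHITE;
      if (state === GRAY) {
        // Back edge: the loop is everything on the stack from `next` onwards.
        return path.slice(path.indexOf(next)).concat(next);
      }
      if (state === WHITE) {
        const found = visit(next);
        if (found) return found;
      }
    }
    path.pop();
    colour.set(node, BLACK);
    return null;
  }

  for (const node of adjacency.keys()) {
    if ((colour.get(node) || WHITE) === WHITE) {
      const found = visit(node);
      if (found) return found;
    }
  }
  return null;
}

// Check a single new reference before accepting it, which is what a guard
// around the runtime `feImage.setAttributeNS(...)` step would need to do.
function wouldCreateCycle(edges, from, to) {
  return findCycle(edges.concat([[from, to]])) !== null;
}

// Stand-alone run: report both snippets.
console.log('reference snippet cycle:', findCycle(REFERENCE_SNIPPET));
console.log('circular snippet cycle:', findCycle(CIRCULAR_SNIPPET));
```

Running it prints `null` for the first snippet and `[ 'filter', 'feImage', 'svg', 'foreignObject', 'filter' ]` for the second, which is exactly the loop the bug title's "circular references of filter and feImage resource" refers to. The `wouldCreateCycle` check shows where such a guard belongs: the loop only closes when the feImage href is added at runtime, so a static check at parse time is not sufficient.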
Project Member Comment 1 by bugdroid1@chromium.org, May 31 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b92721ffcf7a29479e205c722c6d8e06228c9221

commit b92721ffcf7a29479e205c722c6d8e06228c9221
Author: Xianzhu Wang <wangxianzhu@chromium.org>
Date: Thu May 31 16:20:00 2018

[PE] Avoid crash when updating filter which references a foreign object

For now we update filters during PrePaint. If the filter references
a foreign object, we may enter PaintLayerPainter::PaintContents for
the layer of foreign object without proper paint properties.

Now skip painting in the case. crbug.com/848056 will track the
solution for the root cause.

Bug: 847019,846227,848056
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2
Change-Id: I5862268bc75d51526cafe3cd0fc5114bf0efa415
Reviewed-on: https://chromium-review.googlesource.com/1080147
Reviewed-by: Chris Harrelson <chrishtr@chromium.org>
Commit-Queue: Xianzhu Wang <wangxianzhu@chromium.org>
Cr-Commit-Position: refs/heads/master@{#563267}
[add] https://crrev.com/b92721ffcf7a29479e205c722c6d8e06228c9221/third_party/WebKit/LayoutTests/paint/filters/feimage-circular-reference-foreign-object-crash.html
[add] https://crrev.com/b92721ffcf7a29479e205c722c6d8e06228c9221/third_party/WebKit/LayoutTests/paint/filters/feimage-reference-foreign-object-crash.html
[modify] https://crrev.com/b92721ffcf7a29479e205c722c6d8e06228c9221/third_party/blink/renderer/core/paint/paint_layer_painter.cc

Project Member Comment 2 by bugdroid1@chromium.org, Jun 6 2018

Labels: merge-merged-3440
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/37ea3d17b12d523f53c435d83345c185732763b5

commit 37ea3d17b12d523f53c435d83345c185732763b5
Author: Xianzhu Wang <wangxianzhu@chromium.org>
Date: Wed Jun 06 21:21:40 2018

[PE] Avoid crash when updating filter which references a foreign object

For now we update filters during PrePaint. If the filter references
a foreign object, we may enter PaintLayerPainter::PaintContents for
the layer of foreign object without proper paint properties.

Now skip painting in the case. crbug.com/848056 will track the
solution for the root cause.

TBR=wangxianzhu@chromium.org

(cherry picked from commit b92721ffcf7a29479e205c722c6d8e06228c9221)

Bug: 847019,846227,848056
Cq-Include-Trybots: master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2
Change-Id: I5862268bc75d51526cafe3cd0fc5114bf0efa415
Reviewed-on: https://chromium-review.googlesource.com/1080147
Reviewed-by: Chris Harrelson <chrishtr@chromium.org>
Commit-Queue: Xianzhu Wang <wangxianzhu@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#563267}
Reviewed-on: https://chromium-review.googlesource.com/1089801
Reviewed-by: Xianzhu Wang <wangxianzhu@chromium.org>
Cr-Commit-Position: refs/branch-heads/3440@{#222}
Cr-Branched-From: 010ddcfda246975d194964ccf20038ebbdec6084-refs/heads/master@{#561733}
[add] https://crrev.com/37ea3d17b12d523f53c435d83345c185732763b5/third_party/WebKit/LayoutTests/paint/filters/feimage-circular-reference-foreign-object-crash.html
[add] https://crrev.com/37ea3d17b12d523f53c435d83345c185732763b5/third_party/WebKit/LayoutTests/paint/filters/feimage-reference-foreign-object-crash.html
[modify] https://crrev.com/37ea3d17b12d523f53c435d83345c185732763b5/third_party/blink/renderer/core/paint/paint_layer_painter.cc
