118143 2013-06-27 11:55:03 -0700 RenderLayerCompositor destructor is fragile 2013-06-27 13:10:10 -0700 1 1 1 Unclassified WebKit Layout and Rendering 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 koivisto webkit-unassigned commit-queue esprehn+autocc glenn simon.fraser zalan oldest_to_newest 904309 0 koivisto 2013-06-27 11:55:03 -0700 RenderLayerCompositor destruction is fragile. With iOS tile cache implementation deleting RenderLayerCompositor may end up starting a deleted timer. This corrupts the timer heap and leads to a crash later. This happens because GraphicsLayers destructor calls back to the RenderLayerCompositor that is being deleted. frame #1: 0x0000000106b8b1e8 WebCore`WebCore::TimerBase::start(this=0x0000000121818df8, nextFireInterval=0.5, repeatInterval=0) + 168 at Timer.cpp:231 frame #2: 0x0000000104fa8932 WebCore`WebCore::TimerBase::startOneShot(this=0x0000000121818df8, interval=0.5) + 34 at Timer.h:52 frame #3: 0x00000001065cb9c4 WebCore`WebCore::RenderLayerCompositor::startInitialLayerFlushTimerIfNeeded(this=0x0000000121818c90) + 100 at RenderLayerCompositor.cpp:3545 frame #4: 0x00000001065cb8bf WebCore`WebCore::RenderLayerCompositor::scheduleLayerFlush(this=0x0000000121818c90, canThrottle=true) + 47 at RenderLayerCompositor.cpp:349 frame #5: 0x00000001065cb889 WebCore`WebCore::RenderLayerCompositor::notifyFlushRequired(this=0x0000000121818c90, layer=0x0000000114dcc9a0) + 57 at RenderLayerCompositor.cpp:335 frame #6: 0x0000000105836a63 WebCore`WebCore::GraphicsLayerCA::noteLayerPropertyChanged(this=0x0000000114dcc9a0, flags=4) + 211 at GraphicsLayerCA.cpp:3145 frame #7: 0x00000001058370be WebCore`WebCore::GraphicsLayerCA::noteSublayersChanged(this=0x0000000114dcc9a0) + 30 at GraphicsLayerCA.cpp:3126 frame #8: 0x0000000105837298 WebCore`WebCore::GraphicsLayerCA::removeFromParent(this=0x0000000114dbead0) + 56 at GraphicsLayerCA.cpp:388 frame #9: 0x000000010582ca80 WebCore`WebCore::GraphicsLayer::removeAllChildren(this=0x0000000114dcc9a0) + 160 at GraphicsLayer.cpp:251 frame #10: 0x000000010582c9ce WebCore`WebCore::GraphicsLayer::willBeDestroyed(this=0x0000000114dcc9a0) + 222 at GraphicsLayer.cpp:128 frame #11: 0x0000000105836e4b WebCore`WebCore::GraphicsLayerCA::willBeDestroyed(this=0x0000000114dcc9a0) + 235 at GraphicsLayerCA.cpp:328 frame #12: 0x0000000105836b27 WebCore`WebCore::GraphicsLayerCA::~GraphicsLayerCA(this=0x0000000114dcc9a0) + 55 at GraphicsLayerCA.cpp:307 frame #13: 0x0000000105836ab5 WebCore`WebCore::GraphicsLayerCA::~GraphicsLayerCA(this=0x0000000114dcc9a0) + 21 at GraphicsLayerCA.cpp:305 frame #14: 0x0000000105836a89 WebCore`WebCore::GraphicsLayerCA::~GraphicsLayerCA(this=0x0000000114dcc9a0) + 25 at GraphicsLayerCA.cpp:305 frame #15: 0x00000001065c80ee WebCore`void WTF::deleteOwnedPtr<WebCore::GraphicsLayer>(ptr=0x0000000114dcc9a0) + 46 at OwnPtrCommon.h:63 frame #16: 0x00000001065c8214 WebCore`WTF::OwnPtr<WebCore::GraphicsLayer>::~OwnPtr(this=0x0000000121818dd0) + 20 at OwnPtr.h:63 frame #17: 0x00000001065c74e5 WebCore`WTF::OwnPtr<WebCore::GraphicsLayer>::~OwnPtr(this=0x0000000121818dd0) + 21 at OwnPtr.h:63 frame #18: 0x00000001065c9f2d WebCore`WebCore::RenderLayerCompositor::~RenderLayerCompositor(this=0x0000000121818c90) + 557 at 904310 1 koivisto 2013-06-27 11:58:33 -0700 <rdar://problem/14273910> 904314 2 205624 koivisto 2013-06-27 12:05:04 -0700 Created attachment 205624 patch 904326 3 koivisto 2013-06-27 13:10:10 -0700 http://trac.webkit.org/changeset/152121 205624 2013-06-27 12:05:04 -0700 2013-06-27 12:12:33 -0700 patch timer-corruption-crash.patch text/plain 3408 koivisto SW5kZXg6IFNvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2Vi Q29yZS9DaGFuZ2VMb2cJKHJldmlzaW9uIDE1MjExOSkKKysrIFNvdXJjZS9XZWJDb3JlL0NoYW5n ZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDMwIEBACisyMDEzLTA2LTI3ICBBbnR0aSBL b2l2aXN0byAgPGFudHRpQGFwcGxlLmNvbT4KKworICAgICAgICBSZW5kZXJMYXllckNvbXBvc2l0 b3IgZGVzdHJ1Y3RvciBpcyBmcmFnaWxlCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3Jn L3Nob3dfYnVnLmNnaT9pZD0xMTgxNDMKKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9P UFMhKS4KKworICAgICAgICBXaXRoIGlPUyB0aWxlIGNhY2hlIGltcGxlbWVudGF0aW9uIGRlbGV0 aW5nIFJlbmRlckxheWVyQ29tcG9zaXRvciBtYXkgZW5kIHVwIHN0YXJ0aW5nIGEgZGVsZXRlZCB0 aW1lci4gCisgICAgICAgIFRoaXMgY29ycnVwdHMgdGhlIHRpbWVyIGhlYXAgYW5kIGxlYWRzIHRv IGEgY3Jhc2ggbGF0ZXIuIFRoaXMgaGFwcGVucyBiZWNhdXNlIEdyYXBoaWNzTGF5ZXJzIGRlc3Ry dWN0b3IgCisgICAgICAgIGNhbGxzIGJhY2sgdG8gdGhlIFJlbmRlckxheWVyQ29tcG9zaXRvciB0 aGF0IGlzIGJlaW5nIGRlbGV0ZWQuIFRoaXMgaXMgcHJldHR5IGZyYWdpbGUgaW4gZ2VuZXJhbC4K KyAgICAgICAgCisgICAgICAgIE5vIHRlc3QgYXMgdGhlcmUgaXMgbm8ga25vd24gd2F5IHRvIHJl cHJvIHRoaXMgd2l0aCBwbGFpbiB3ZWJraXQuCisKKyAgICAgICAgKiBwbGF0Zm9ybS9UaW1lci5j cHA6CisgICAgICAgIChXZWJDb3JlOjpUaW1lckJhc2U6OlRpbWVyQmFzZSk6CisgICAgICAgIChX ZWJDb3JlOjpUaW1lckJhc2U6On5UaW1lckJhc2UpOgorICAgICAgICAoV2ViQ29yZTo6VGltZXJC YXNlOjpzZXROZXh0RmlyZVRpbWUpOgorICAgICAgICAqIHBsYXRmb3JtL1RpbWVyLmg6CisgICAg ICAgIAorICAgICAgICAgICAgQXNzZXJ0IHRoYXQgdGhlIHRpbWVyIGlzIGFsaXZlIGJlZm9yZSBz dGFydGluZyBpdC4gVGhpcyB0dXJucyBidWdzIGxpa2UgdGhpcyBpbnRvIGNsZWFyIGNyYXNoIHN0 YWNrcworICAgICAgICAgICAgaW5zdGVhZCBvZiBoYXJkLXRvLWRlYnVnIHRpbWVyIGhlYXAgY29y cnVwdGlvbnMuCisKKyAgICAgICAgKiByZW5kZXJpbmcvUmVuZGVyTGF5ZXJDb21wb3NpdG9yLmNw cDoKKyAgICAgICAgKFdlYkNvcmU6OlJlbmRlckxheWVyQ29tcG9zaXRvcjo6flJlbmRlckxheWVy Q29tcG9zaXRvcik6CisgICAgICAgIAorICAgICAgICAgICAgVGFrZSBjYXJlIHRvIGRlbGV0ZSBv d25lZCBHcmFwaGljc0xheWVycyBiZWZvcmUgcHJvY2VlZGluZyB3aXRoIHRoZSByZXN0IG9mIHRo ZSBkZXN0cnVjdG9yLgorCiAyMDEzLTA2LTI3ICBSdXRoIEZvbmcgIDxydXRoX2ZvbmdAYXBwbGUu Y29tPgogCiAgICAgICAgIFBvbGlzaCBjb250ZXh0IG1lbnVzIGZvciBtZWRpYSBlbGVtZW50cwpJ bmRleDogU291cmNlL1dlYkNvcmUvcGxhdGZvcm0vVGltZXIuY3BwCj09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFNv dXJjZS9XZWJDb3JlL3BsYXRmb3JtL1RpbWVyLmNwcAkocmV2aXNpb24gMTUyMTA1KQorKysgU291 cmNlL1dlYkNvcmUvcGxhdGZvcm0vVGltZXIuY3BwCSh3b3JraW5nIGNvcHkpCkBAIC0xOTUsNiAr MTk1LDcgQEAgVGltZXJCYXNlOjpUaW1lckJhc2UoKQogICAgICwgbV9jYWNoZWRUaHJlYWRHbG9i YWxUaW1lckhlYXAoMCkKICNpZm5kZWYgTkRFQlVHCiAgICAgLCBtX3RocmVhZChjdXJyZW50VGhy ZWFkKCkpCisgICAgLCBtX3dhc0RlbGV0ZWQoZmFsc2UpCiAjZW5kaWYKIHsKIH0KQEAgLTIwMyw2 ICsyMDQsOSBAQCBUaW1lckJhc2U6On5UaW1lckJhc2UoKQogewogICAgIHN0b3AoKTsKICAgICBB U1NFUlQoIWluSGVhcCgpKTsKKyNpZm5kZWYgTkRFQlVHCisgICAgbV93YXNEZWxldGVkID0gdHJ1 ZTsKKyNlbmRpZgogfQogCiB2b2lkIFRpbWVyQmFzZTo6c3RhcnQoZG91YmxlIG5leHRGaXJlSW50 ZXJ2YWwsIGRvdWJsZSByZXBlYXRJbnRlcnZhbCkKQEAgLTM2Nyw2ICszNzEsNyBAQCB2b2lkIFRp bWVyQmFzZTo6dXBkYXRlSGVhcElmTmVlZGVkKGRvdWJsCiB2b2lkIFRpbWVyQmFzZTo6c2V0TmV4 dEZpcmVUaW1lKGRvdWJsZSBuZXdVbmFsaWduZWRUaW1lKQogewogICAgIEFTU0VSVChtX3RocmVh ZCA9PSBjdXJyZW50VGhyZWFkKCkpOworICAgIEFTU0VSVCghbV93YXNEZWxldGVkKTsKIAogICAg IGlmIChtX3VuYWxpZ25lZE5leHRGaXJlVGltZSAhPSBuZXdVbmFsaWduZWRUaW1lKQogICAgICAg ICBtX3VuYWxpZ25lZE5leHRGaXJlVGltZSA9IG5ld1VuYWxpZ25lZFRpbWU7CkluZGV4OiBTb3Vy Y2UvV2ViQ29yZS9wbGF0Zm9ybS9UaW1lci5oCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFNvdXJjZS9XZWJDb3Jl L3BsYXRmb3JtL1RpbWVyLmgJKHJldmlzaW9uIDE1MjEwNSkKKysrIFNvdXJjZS9XZWJDb3JlL3Bs YXRmb3JtL1RpbWVyLmgJKHdvcmtpbmcgY29weSkKQEAgLTk1LDYgKzk1LDcgQEAgcHJpdmF0ZToK IAogI2lmbmRlZiBOREVCVUcKICAgICBUaHJlYWRJZGVudGlmaWVyIG1fdGhyZWFkOworICAgIGJv b2wgbV93YXNEZWxldGVkOwogI2VuZGlmCiAKICAgICBmcmllbmQgY2xhc3MgVGhyZWFkVGltZXJz OwpJbmRleDogU291cmNlL1dlYkNvcmUvcmVuZGVyaW5nL1JlbmRlckxheWVyQ29tcG9zaXRvci5j cHAKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PQotLS0gU291cmNlL1dlYkNvcmUvcmVuZGVyaW5nL1JlbmRlckxheWVyQ29t cG9zaXRvci5jcHAJKHJldmlzaW9uIDE1MjEwNSkKKysrIFNvdXJjZS9XZWJDb3JlL3JlbmRlcmlu Zy9SZW5kZXJMYXllckNvbXBvc2l0b3IuY3BwCSh3b3JraW5nIGNvcHkpCkBAIC0yMjUsNiArMjI1 LDkgQEAgUmVuZGVyTGF5ZXJDb21wb3NpdG9yOjpSZW5kZXJMYXllckNvbXBvcwogCiBSZW5kZXJM YXllckNvbXBvc2l0b3I6On5SZW5kZXJMYXllckNvbXBvc2l0b3IoKQogeworICAgIC8vIFRha2Ug Y2FyZSB0aGF0IHRoZSBvd25lZCBHcmFwaGljc0xheWVycyBhcmUgZGVsZXRlZCBmaXJzdCBhcyB0 aGVpciBkZXN0cnVjdG9ycyBtYXkgY2FsbCBiYWNrIGhlcmUuCisgICAgbV9jbGlwTGF5ZXIgPSBu dWxscHRyOworICAgIG1fc2Nyb2xsTGF5ZXIgPSBudWxscHRyOwogICAgIEFTU0VSVChtX3Jvb3RM YXllckF0dGFjaG1lbnQgPT0gUm9vdExheWVyVW5hdHRhY2hlZCk7CiB9CiAK