125776 2013-12-16 05:36:01 -0800 [CoordinatedGraphics] Segmentation fault at CoordinatedGraphicsScene::clearImageBackingContents 2014-01-20 03:09:52 -0800 1 1 1 Unclassified WebKit WebKit Misc. 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED P2 Normal --- 1 edbalint webkit-unassigned cmarcelo commit-queue edbalint kondapallykalyan luiz noam yoon oldest_to_newest 960036 0 edbalint 2013-12-16 05:36:01 -0800 The bug occurs on flickr.com webpage: scroll down to "Spectaculr" section and then scroll up to the top of the page and click on "Sign in" (or any other link) -> Segmentation fault - the browser crashes. The cause of the problem is that if an image becomes visible and then after a while it becomes invisible a clearContentsTimer starts. The Timer fires after 3 seconds. If the current image becomes visible in these 3 seconds the Timer stops. If the 3 seconds elapse the Timer fires. The CoordinatedImageBacking object which contains the Timer will call CompositingCoordinator::clearImageBackingContents which will append its imageID to m_state.imagesToClear. After this, if you scroll or move the mouse over a link the image will be cleared (because CoordinatedGraphicsScene::syncImageBackings calls CoordinatedGraphicsScene::clearImageBackingContents). Segmentation fault occurs if the time between the image becoming invisible and moving the mouse over the link is less than 3 seconds. In this case the imageID appends to m_state.imagesToClear but it won't be cleared until clicking on the link. But if you click on the link, the imageID will append to m_state.imagesToRemove too. Then CoordinatedGraphicsScene::syncImageBackings calls CoordinatedGraphicsScene::removeImageBacking. This method removes the image from m_imageBackings but then CoordinatedGraphicsScene::clearImageBackingContents is called and it wants to clear the image with the same ID which image was removed before. This causes the segmentation fault. I've found a possible fix: If CoordinatedGraphicsScene::removeImageBacking is called, it removes the current imageID from m_state.imagesToClear. 960038 1 219308 edbalint 2013-12-16 05:38:00 -0800 Created attachment 219308 proposed patch 969784 2 219308 ossy 2014-01-20 02:42:59 -0800 Comment on attachment 219308 proposed patch r=me 969791 3 219308 commit-queue 2014-01-20 03:09:46 -0800 Comment on attachment 219308 proposed patch Clearing flags on attachment: 219308 Committed r162329: <http://trac.webkit.org/changeset/162329> 969792 4 commit-queue 2014-01-20 03:09:52 -0800 All reviewed patches have been landed. Closing bug. 219308 2013-12-16 05:38:00 -0800 2014-01-20 03:09:45 -0800 proposed patch flickr_segmentation_fix3.diff text/plain 1615 edbalint ZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZyBiL1NvdXJjZS9XZWJDb3JlL0No YW5nZUxvZwppbmRleCBkNTY4NTUzLi44OTE2YzAxIDEwMDY0NAotLS0gYS9Tb3VyY2UvV2ViQ29y ZS9DaGFuZ2VMb2cKKysrIGIvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCkBAIC0xLDMgKzEsMTYg QEAKKzIwMTMtMTItMTYgIEVkaXQgQmFsaW50ICA8ZWRiYWxpbnRAaW5mLnUtc3plZ2VkLmh1Pgor CisgICAgICAgIFtDb29yZGluYXRlZEdyYXBoaWNzXSBTZWdtZW50YXRpb24gZmF1bHQgYXQgIENv b3JkaW5hdGVkR3JhcGhpY3NTY2VuZTo6Y2xlYXJJbWFnZUJhY2tpbmdDb250ZW50cworCisgICAg ICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0xMjU3NzYKKworICAg ICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBVbmV4cGVjdGVkIGJl aGF2aW9yIG9jY3VycyBpbiBzb21lIHRlc3QgY2FzZXMgd2hpY2ggbGVhZHMgdG8gc2VnbWVudGF0 aW9uIGZhdWx0LgorCisgICAgICAgICogcGxhdGZvcm0vZ3JhcGhpY3MvdGV4bWFwL2Nvb3JkaW5h dGVkL0NvbXBvc2l0aW5nQ29vcmRpbmF0b3IuY3BwOgorICAgICAgICAoV2ViQ29yZTo6Q29tcG9z aXRpbmdDb29yZGluYXRvcjo6cmVtb3ZlSW1hZ2VCYWNraW5nKToKKwogMjAxMy0xMS0yNyAgU2Vy Z2lvIFZpbGxhciBTZW5pbiAgPHN2aWxsYXJAaWdhbGlhLmNvbT4KIAogICAgICAgICBbQ1NTIEdy aWQgTGF5b3V0XSBGaXggdGhlIHByZWZlcnJlZCBsb2dpY2FsIHdpZHRocyBjb2RlIHRvIHdvcmsg d2l0aCBzcGFubmluZyBncmlkIGl0ZW1zCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9wbGF0 Zm9ybS9ncmFwaGljcy90ZXhtYXAvY29vcmRpbmF0ZWQvQ29tcG9zaXRpbmdDb29yZGluYXRvci5j cHAgYi9Tb3VyY2UvV2ViQ29yZS9wbGF0Zm9ybS9ncmFwaGljcy90ZXhtYXAvY29vcmRpbmF0ZWQv Q29tcG9zaXRpbmdDb29yZGluYXRvci5jcHAKaW5kZXggODBjMmQzOC4uZmQ5YjgxMSAxMDA2NDQK LS0tIGEvU291cmNlL1dlYkNvcmUvcGxhdGZvcm0vZ3JhcGhpY3MvdGV4bWFwL2Nvb3JkaW5hdGVk L0NvbXBvc2l0aW5nQ29vcmRpbmF0b3IuY3BwCisrKyBiL1NvdXJjZS9XZWJDb3JlL3BsYXRmb3Jt L2dyYXBoaWNzL3RleG1hcC9jb29yZGluYXRlZC9Db21wb3NpdGluZ0Nvb3JkaW5hdG9yLmNwcApA QCAtMjM1LDYgKzIzNSwxMCBAQCB2b2lkIENvbXBvc2l0aW5nQ29vcmRpbmF0b3I6OnJlbW92ZUlt YWdlQmFja2luZyhDb29yZGluYXRlZEltYWdlQmFja2luZ0lEIGltYWdlSQogICAgIG1faW1hZ2VC YWNraW5ncy5yZW1vdmUoaW1hZ2VJRCk7CiAKICAgICBtX3N0YXRlLmltYWdlc1RvUmVtb3ZlLmFw cGVuZChpbWFnZUlEKTsKKworICAgIHNpemVfdCBpbWFnZUlEUG9zaXRpb24gPSBtX3N0YXRlLmlt YWdlc1RvQ2xlYXIuZmluZChpbWFnZUlEKTsKKyAgICBpZiAoaW1hZ2VJRFBvc2l0aW9uICE9IG5v dEZvdW5kKQorICAgICAgICBtX3N0YXRlLmltYWdlc1RvQ2xlYXIucmVtb3ZlKGltYWdlSURQb3Np dGlvbik7CiB9CiAKIHZvaWQgQ29tcG9zaXRpbmdDb29yZGluYXRvcjo6Zmx1c2hQZW5kaW5nSW1h Z2VCYWNraW5nQ2hhbmdlcygpCg==