Bug 118143

Summary: RenderLayerCompositor destructor is fragile
Product: WebKit
Reporter: Antti Koivisto <koivisto>
Component: Layout and Rendering
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: commit-queue, esprehn+autocc, glenn, simon.fraser, zalan
Priority: P2
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Attachments: patch (flags: simon.fraser: review+)

Antti Koivisto
Reported 2013-06-27 11:55:03 PDT
RenderLayerCompositor destruction is fragile. With the iOS tile cache implementation, deleting RenderLayerCompositor may end up starting a deleted timer. This corrupts the timer heap and leads to a crash later. This happens because GraphicsLayer's destructor calls back to the RenderLayerCompositor that is being deleted.

frame #1: 0x0000000106b8b1e8 WebCore`WebCore::TimerBase::start(this=0x0000000121818df8, nextFireInterval=0.5, repeatInterval=0) + 168 at Timer.cpp:231
frame #2: 0x0000000104fa8932 WebCore`WebCore::TimerBase::startOneShot(this=0x0000000121818df8, interval=0.5) + 34 at Timer.h:52
frame #3: 0x00000001065cb9c4 WebCore`WebCore::RenderLayerCompositor::startInitialLayerFlushTimerIfNeeded(this=0x0000000121818c90) + 100 at RenderLayerCompositor.cpp:3545
frame #4: 0x00000001065cb8bf WebCore`WebCore::RenderLayerCompositor::scheduleLayerFlush(this=0x0000000121818c90, canThrottle=true) + 47 at RenderLayerCompositor.cpp:349
frame #5: 0x00000001065cb889 WebCore`WebCore::RenderLayerCompositor::notifyFlushRequired(this=0x0000000121818c90, layer=0x0000000114dcc9a0) + 57 at RenderLayerCompositor.cpp:335
frame #6: 0x0000000105836a63 WebCore`WebCore::GraphicsLayerCA::noteLayerPropertyChanged(this=0x0000000114dcc9a0, flags=4) + 211 at GraphicsLayerCA.cpp:3145
frame #7: 0x00000001058370be WebCore`WebCore::GraphicsLayerCA::noteSublayersChanged(this=0x0000000114dcc9a0) + 30 at GraphicsLayerCA.cpp:3126
frame #8: 0x0000000105837298 WebCore`WebCore::GraphicsLayerCA::removeFromParent(this=0x0000000114dbead0) + 56 at GraphicsLayerCA.cpp:388
frame #9: 0x000000010582ca80 WebCore`WebCore::GraphicsLayer::removeAllChildren(this=0x0000000114dcc9a0) + 160 at GraphicsLayer.cpp:251
frame #10: 0x000000010582c9ce WebCore`WebCore::GraphicsLayer::willBeDestroyed(this=0x0000000114dcc9a0) + 222 at GraphicsLayer.cpp:128
frame #11: 0x0000000105836e4b WebCore`WebCore::GraphicsLayerCA::willBeDestroyed(this=0x0000000114dcc9a0) + 235 at GraphicsLayerCA.cpp:328
frame #12: 0x0000000105836b27 WebCore`WebCore::GraphicsLayerCA::~GraphicsLayerCA(this=0x0000000114dcc9a0) + 55 at GraphicsLayerCA.cpp:307
frame #13: 0x0000000105836ab5 WebCore`WebCore::GraphicsLayerCA::~GraphicsLayerCA(this=0x0000000114dcc9a0) + 21 at GraphicsLayerCA.cpp:305
frame #14: 0x0000000105836a89 WebCore`WebCore::GraphicsLayerCA::~GraphicsLayerCA(this=0x0000000114dcc9a0) + 25 at GraphicsLayerCA.cpp:305
frame #15: 0x00000001065c80ee WebCore`void WTF::deleteOwnedPtr<WebCore::GraphicsLayer>(ptr=0x0000000114dcc9a0) + 46 at OwnPtrCommon.h:63
frame #16: 0x00000001065c8214 WebCore`WTF::OwnPtr<WebCore::GraphicsLayer>::~OwnPtr(this=0x0000000121818dd0) + 20 at OwnPtr.h:63
frame #17: 0x00000001065c74e5 WebCore`WTF::OwnPtr<WebCore::GraphicsLayer>::~OwnPtr(this=0x0000000121818dd0) + 21 at OwnPtr.h:63
frame #18: 0x00000001065c9f2d WebCore`WebCore::RenderLayerCompositor::~RenderLayerCompositor(this=0x0000000121818c90) + 557 at
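The destruction-order hazard the report describes, reduced to a stand-alone C++ model. This is an added example, not code from WebKit and not the patch attached to this bug (the page does not show what that patch changes). The names FragileCompositor, SafeCompositor, Layer, Timer, LayerClient, g_liveTimers and g_log are constructed for the example. The fragile compositor declares its flush timer after its root layer, which is what the trace addresses suggest (the timer at 0x...df8 sits above the OwnPtr at 0x...dd0), so the compiler-generated teardown destroys the timer first and then the layer, whose destructor calls back through the client interface into the half-destroyed compositor. The raw m_timerAddress field and the g_liveTimers registry exist only so the model can record the hazard instead of starting a destroyed timer; real code does the latter and corrupts the timer heap. The safe variant is one way to close the window: sever the layer-to-client link and drop the layers explicitly in the destructor body, while every member is still alive.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <set>
#include <string>
#include <vector>

// Process-wide bookkeeping, constructed for this example only: an event log and
// a registry of Timer objects whose destructor has not yet run.
static std::vector<std::string> g_log;
static std::set<const void*> g_liveTimers;

struct Timer {
    Timer() { g_liveTimers.insert(this); }
    ~Timer() { g_liveTimers.erase(this); }
    void startOneShot() { g_log.push_back("timer started"); }
};

// Stand-in for GraphicsLayerClient.
struct LayerClient {
    virtual ~LayerClient() = default;
    virtual void notifyFlushRequired() = 0;
};

// Stand-in for GraphicsLayer: its destructor calls back into its client, as
// GraphicsLayer::willBeDestroyed -> removeAllChildren -> noteSublayersChanged
// -> notifyFlushRequired does in the trace above.
struct Layer {
    explicit Layer(LayerClient* client) : m_client(client) {}
    ~Layer() {
        if (m_client)
            m_client->notifyFlushRequired();
    }
    void setClient(LayerClient* client) { m_client = client; }

private:
    LayerClient* m_client;
};

// Fragile shape: members are torn down in reverse declaration order, so
// m_flushTimer is already destroyed when ~Layer calls back into this object.
struct FragileCompositor : LayerClient {
    FragileCompositor() : m_rootLayer(new Layer(this)) { m_timerAddress = &m_flushTimer; }

    void notifyFlushRequired() override { scheduleLayerFlush(); }

    void scheduleLayerFlush() {
        if (!g_liveTimers.count(m_timerAddress)) {
            // Real code would call m_flushTimer.startOneShot() here and push a
            // dangling entry onto the timer heap; the model only records it.
            g_log.push_back("startOneShot on destroyed timer");
            return;
        }
        m_flushTimer.startOneShot();
    }

private:
    // Instrumentation only: declared first so it is the last member destroyed
    // and is still readable while the later members are being torn down.
    const void* m_timerAddress = nullptr;
    std::unique_ptr<Layer> m_rootLayer;
    Timer m_flushTimer;  // declared after the layer, hence destroyed before it
};

// Hardened shape: sever the layer -> client link and destroy the layers
// explicitly in the destructor body, while every member (the timer included)
// is still alive. Nothing torn down afterwards can call back into this object.
struct SafeCompositor : LayerClient {
    SafeCompositor() : m_rootLayer(new Layer(this)) {}

    ~SafeCompositor() {
        m_rootLayer->setClient(nullptr);
        m_rootLayer.reset();
    }

    void notifyFlushRequired() override { m_flushTimer.startOneShot(); }

private:
    std::unique_ptr<Layer> m_rootLayer;
    Timer m_flushTimer;
};

// Destroy one compositor of each shape and return what was logged during teardown.
std::vector<std::string> teardownFragile() {
    g_log.clear();
    { FragileCompositor compositor; }
    return g_log;
}

std::vector<std::string> teardownSafe() {
    g_log.clear();
    { SafeCompositor compositor; }
    return g_log;
}

std::size_t liveTimerCount() { return g_liveTimers.size(); }

int main() {
    for (const std::string& event : teardownFragile())
        std::printf("fragile: %s\n", event.c_str());
    std::printf("safe: %zu events, %zu live timers\n", teardownSafe().size(), liveTimerCount());
    return 0;
}
```

A guard flag checked in notifyFlushRequired would also work, but detaching the client removes the callback edge entirely rather than relying on every callback path to check the flag.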
Attachments
patch (3.33 KB, patch)
2013-06-27 12:05 PDT, Antti Koivisto
simon.fraser: review+
Antti Koivisto
Comment 1 2013-06-27 11:58:33 PDT
Antti Koivisto
Comment 2 2013-06-27 12:05:04 PDT
Antti Koivisto
Comment 3 2013-06-27 13:10:10 PDT