Bug 135024

Summary:	willMoveToWebPage should be called with a null WebPage on WebPage teardown.
Product:	WebKit	Reporter:	Brady Eidson <beidson>
Component:	WebKit2	Assignee:	Nobody <webkit-unassigned>
Status:	NEW ---
Severity:	Normal	CC:	thorton
Priority:	P2
Version:	528+ (Nightly build)
Hardware:	All
OS:	All

Description Brady Eidson 2014-07-17 14:03:22 PDT

willMoveToWebPage should be called with a null WebPage on WebPage teardown.

Instead the PageOverlayController is just destroyed, which just destroys each overlay, and never notifies the PageOverlay::clients

Here's a backtrace of what happens today to destroy a PageOverlay, and the willMoveToWebPage should've been called before that:

#0	0x0000000114dcf0e0 in WebKit::PageOverlay::~PageOverlay() at /Volumes/Data/git/OpenSource/Source/WebKit2/WebProcess/WebPage/PageOverlay.cpp:64
#1	0x0000000114f552af in -[WKObject dealloc] at /Volumes/Data/git/OpenSource/Source/WebKit2/Shared/Cocoa/WKObject.mm:40
#2	0x00007fff8225768c in objc_object::sidetable_release(bool) ()
#3	0x000000011529ff64 in API::Object::deref() at /Volumes/Data/git/OpenSource/Source/WebKit2/Shared/Cocoa/APIObject.mm:67
#4	0x0000000114b33d0b in void WTF::derefIfNotNull<WebKit::PageOverlay>(WebKit::PageOverlay*) at /Volumes/Data/MyUser/build/Debug/usr/local/include/wtf/PassRefPtr.h:39
#5	0x0000000114b33cc8 in WTF::RefPtr<WebKit::PageOverlay>::~RefPtr() at /Volumes/Data/MyUser/build/Debug/usr/local/include/wtf/RefPtr.h:55
#6	0x0000000114b2f265 in WTF::RefPtr<WebKit::PageOverlay>::~RefPtr() at /Volumes/Data/MyUser/build/Debug/usr/local/include/wtf/RefPtr.h:55
#7	0x000000011503049f in WTF::VectorDestructor<true, WTF::RefPtr<WebKit::PageOverlay> >::destruct(WTF::RefPtr<WebKit::PageOverlay>*, WTF::RefPtr<WebKit::PageOverlay>*) at /Volumes/Data/MyUser/build/Debug/usr/local/include/wtf/Vector.h:56
#8	0x000000011503045d in WTF::VectorTypeOperations<WTF::RefPtr<WebKit::PageOverlay> >::destruct(WTF::RefPtr<WebKit::PageOverlay>*, WTF::RefPtr<WebKit::PageOverlay>*) at /Volumes/Data/MyUser/build/Debug/usr/local/include/wtf/Vector.h:220
#9	0x00000001150303c0 in WTF::Vector<WTF::RefPtr<WebKit::PageOverlay>, 0ul, WTF::CrashOnOverflow>::shrink(unsigned long) at /Volumes/Data/MyUser/build/Debug/usr/local/include/wtf/Vector.h:957
#10	0x0000000115030324 in WTF::Vector<WTF::RefPtr<WebKit::PageOverlay>, 0ul, WTF::CrashOnOverflow>::~Vector() at /Volumes/Data/MyUser/build/Debug/usr/local/include/wtf/Vector.h:596
#11	0x0000000115030165 in WTF::Vector<WTF::RefPtr<WebKit::PageOverlay>, 0ul, WTF::CrashOnOverflow>::~Vector() at /Volumes/Data/MyUser/build/Debug/usr/local/include/wtf/Vector.h:594
#12	0x000000011502ff61 in WebKit::PageOverlayController::~PageOverlayController() at /Volumes/Data/git/OpenSource/Source/WebKit2/WebProcess/WebPage/PageOverlayController.h:45
#13	0x000000011502c625 in WebKit::PageOverlayController::~PageOverlayController() at /Volumes/Data/git/OpenSource/Source/WebKit2/WebProcess/WebPage/PageOverlayController.h:45
#14	0x00000001150dd98b in WebKit::WebPage::~WebPage() at /Volumes/Data/git/OpenSource/Source/WebKit2/WebProcess/WebPage/WebPage.cpp:529
#15	0x00000001150de395 in WebKit::WebPage::~WebPage() at /Volumes/Data/git/OpenSource/Source/WebKit2/WebProcess/WebPage/WebPage.cpp:489

Comment 1 Tim Horton 2014-07-17 14:07:24 PDT

This is pretty bad because there's no guarantee that PageOverlay clients don't outlive the page, and then they'll have dangling PageOverlay pointers.

Comment 2 Brady Eidson 2014-07-17 14:15:11 PDT

(In reply to comment #1)
> This is pretty bad because there's no guarantee that PageOverlay clients don't outlive the page, and then they'll have dangling PageOverlay pointers.

Yup.