Bug 140455

Summary: [Win] Crashes due to invalid RenderLayer::m_enclosingPaginationLayer
Product: WebKit
Reporter: Brent Fulgham <bfulgham>
Component: Layout and Rendering
Assignee: Nobody <webkit-unassigned>
Severity: Normal
CC: bfulgham, hyatt, sabouhallawa, simon.fraser
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
URL: InRadar
See Also: https://bugs.webkit.org/show_bug.cgi?id=135514
Bug Depends on: 135514
Bug Blocks:
Attachments: Some dump analysis. (Flags: none)

Description Brent Fulgham 2015-01-14 10:48:33 PST
I have found that a number of layout tests are crashing on Windows in release builds because the RenderLayer's m_enclosingPaginationLayer is invalid.

Debugging indicates the following:

1. In RenderLayer::updatePagination(), the RenderLayer sets its m_enclosingPaginationLayer to the result of parent()->enclosingPaginationLayer(IncludeCompositedPaginatedLayers). This is a valid RenderLayer.
2. Later, the RenderLayer we assigned in the first step is deleted during a later stage of layout.
3. RenderLayer::m_enclosingPaginationLayer is not set to nullptr, and becomes a dangling pointer.
4. Later, RenderLayer::hasCompositedLayerInEnclosingPaginationChain() is called, which attempts to call 'isComposited' through the garbage m_enclosingPaginationLayer.

The issue seems to be that the destruction of the RenderLayer referenced by m_enclosingPaginationLayer is not communicated back to the RenderLayer holding this pointer, so it doesn't know that the value is invalid.
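The four-step lifecycle above, as an added toy example that is not WebKit's code: the member and function names mirror the ones in the report, but the model (paginated/composited flags, the m_dependents registry) is assumed. It shows the remedy the last paragraph points at, namely that a layer being destroyed must clear every cached m_enclosingPaginationLayer pointer that refers to it, so step 4 reads a null pointer instead of freed memory.

```cpp
#include <algorithm>
#include <memory>
#include <vector>
// Hypothetical toy model of the lifecycle in this bug, not WebKit's RenderLayer code.
// Fix modelled: a layer being destroyed clears every cached pointer that refers to it.
class Layer {
public:
    Layer(bool paginated, bool composited) : m_paginated(paginated), m_composited(composited) {}
    ~Layer() {
        setEnclosingPaginationLayer(nullptr);  // deregister from our own enclosing layer
        for (Layer* dependent : m_dependents)  // step 2: tell every holder we are going away
            dependent->m_enclosingPaginationLayer = nullptr;
    }
    bool isComposited() const { return m_composited; }
    bool hasEnclosingPaginationLayer() const { return m_enclosingPaginationLayer != nullptr; }
    // Nearest paginated layer at or above this one; nullptr when there is none.
    Layer* enclosingPaginationLayer() { return m_paginated ? this : m_enclosingPaginationLayer; }
    // Step 1: cache the result of parent()->enclosingPaginationLayer().
    void updatePagination(Layer* parent) { setEnclosingPaginationLayer(parent ? parent->enclosingPaginationLayer() : nullptr); }
    // Step 4: dereferences the cached pointer, so it must never dangle.
    bool hasCompositedLayerInEnclosingPaginationChain() const {
        for (const Layer* l = m_enclosingPaginationLayer; l; l = l->m_enclosingPaginationLayer)
            if (l->isComposited()) return true;
        return false;
    }
private:
    void setEnclosingPaginationLayer(Layer* layer) {
        if (Layer* old = m_enclosingPaginationLayer) {
            auto& deps = old->m_dependents;
            deps.erase(std::remove(deps.begin(), deps.end(), this), deps.end());
        }
        m_enclosingPaginationLayer = layer;
        if (layer) layer->m_dependents.push_back(this);
    }
    bool m_paginated, m_composited;
    Layer* m_enclosingPaginationLayer { nullptr };  // raw back-pointer, kept valid via m_dependents
    std::vector<Layer*> m_dependents;               // layers whose cached pointer refers to this layer
};

// The scenario from the description: cache the pointer, destroy the enclosing layer, query the chain.
bool staleEnclosingLayerIsCleared() {
    auto paginated = std::make_unique<Layer>(/*paginated*/ true, /*composited*/ true);
    Layer child(false, false);
    child.updatePagination(paginated.get());
    bool validBefore = child.hasCompositedLayerInEnclosingPaginationChain();  // true while it lives
    paginated.reset();  // step 2: the enclosing layer is deleted in a later layout pass
    // Without the destructor notification, the next call would read freed memory (step 4).
    return validBefore && !child.hasEnclosingPaginationLayer() && !child.hasCompositedLayerInEnclosingPaginationChain();
}
```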
Comment 1 Simon Fraser (smfr) 2015-01-14 10:59:17 PST
Smells like rdar://problem/17873488
Comment 2 Brent Fulgham 2015-01-14 11:23:54 PST
I wonder if this is only hit in WK1?
Comment 3 Brent Fulgham 2015-01-14 11:28:53 PST
I am seeing this with the test "fast/dynamic/layer-no-longer-paginated.html"
Comment 4 Brent Fulgham 2015-01-14 11:53:03 PST
Created attachment 244627
Some dump analysis.
Comment 5 Simon Fraser (smfr) 2015-01-14 12:02:30 PST
This is exactly rdar://problem/17873488
Comment 6 Brent Fulgham 2015-01-14 13:30:29 PST

*** This bug has been marked as a duplicate of bug 135514 ***