Bug 140455

Summary: [Win] Crashes due to invalid RenderLayer::m_enclosingPaginationLayer
Product: WebKit Reporter: Brent Fulgham <bfulgham>
Component: Layout and RenderingAssignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE    
Severity: Normal CC: bfulgham, hyatt, sabouhallawa, simon.fraser
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
URL: InRadar
See Also: https://bugs.webkit.org/show_bug.cgi?id=135514
https://bugs.webkit.org/show_bug.cgi?id=87431
Bug Depends on: 135514    
Bug Blocks:    
Attachments:
Description Flags
Some dump analysis. none

Brent Fulgham
Reported 2015-01-14 10:48:33 PST
I have found that a number of layout tests are crashing on Windows in release builds because the RenderLayer's m_enclosingPaginationLayer is invalid. Debugging indicates the following: 1. In RenderLayer::updatePagination(), the RenderLayer sets its m_enclosingPaginationLayer to the result of parent()->enclosingPaginationLayer(IncludeCompositedPaginatedLayers); This is a valid RenderLayer. 2. Later, the RenderLayer we assigned in the first step is deleted during a later stage of layout. 3. RenderLayer::m_enclosingPaginationLayer is not set to nullptr, and becomes a dangling pointer. 4. Later, RenderLayer::hasCompositedLayerInEnclosingPaginationChain() is called, which attempts to call 'isComposited' through the garbage m_enclosingPaginationLayer. The issue seems to be that the destruction of the RenderLayer referenced by m_enclosingPaginationLayer is not communicated back to the RenderLayer holding this pointer, so it doesn't know that the value is invalid.
Attachments
Some dump analysis. (21.02 KB, application/octet-stream)
2015-01-14 11:53 PST, Brent Fulgham 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Simon Fraser (smfr)
Comment 1 2015-01-14 10:59:17 PST
Smells like rdar://problem/17873488
Brent Fulgham
Comment 2 2015-01-14 11:23:54 PST
I wonder if this is only hit in WK1?
Brent Fulgham
Comment 3 2015-01-14 11:28:53 PST
I am seeing this with the test "fast/dynamic/layer-no-longer-paginated.html"
Brent Fulgham
Comment 4 2015-01-14 11:53:03 PST
Created attachment 244627 [details] Some dump analysis.
Simon Fraser (smfr)
Comment 5 2015-01-14 12:02:30 PST
This is exactly rdar://problem/17873488
Brent Fulgham
Comment 6 2015-01-14 13:30:29 PST
*** This bug has been marked as a duplicate of bug 135514 ***
Note You need to log in before you can comment on or make changes to this bug.