Bug 147124

Summary: Fix crash due to RemoteLayerTreeDisplayRefreshMonitor outliving RemoteLayerTreeDrawingArea
Product: WebKit
Reporter: Wenson Hsieh <wenson_hsieh>
Component: WebCore Misc.
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: commit-queue, simon.fraser, thorton, webkit-bug-importer
Priority: P1
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Attachments (Description / Flags):
Patch / none
Patch / none

Description Wenson Hsieh 2015-07-20 14:56:18 PDT
On occasion, a RemoteLayerTreeDrawingArea may be outlived by one or more of its RemoteLayerTreeDisplayRefreshMonitors. Upon destruction of the RemoteLayerTreeDisplayRefreshMonitor, this may cause the monitor to access a method of its drawing area, which has been deallocated. This results in a crash.
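The lifetime problem described in the report, shown as an added example that is not WebKit's code: a drawing area that owns a registry of raw monitor pointers, monitors that hold a back-reference to the drawing area, and the destruction order in which the monitor outlives the area. The `WeakPtr` and `WeakPtrFactory` here are minimal hypothetical stand-ins for the WTF types (a shared control block whose pointer the factory nulls on destruction), and `DrawingArea`, `DisplayRefreshMonitor`, `registerMonitor` and `unregisterMonitor` are invented names. The monitor's destructor tests the weak pointer before calling back into the area, which is the fixed shape; the raw-pointer shape that crashes is described in a comment rather than executed.

```cpp
#include <cstdio>
#include <memory>
#include <set>
#include <utility>

// Hypothetical stand-ins for WTF::WeakPtr / WTF::WeakPtrFactory (not WebKit's code).
// The factory owns one shared control block holding a raw pointer to its owner; the
// factory's destructor nulls that pointer, so every WeakPtr handed out reads nullptr
// once the owner is gone, with no bookkeeping on the owner's side.
template <typename T> class WeakPtrFactory;

template <typename T>
class WeakPtr {
public:
    WeakPtr() = default;
    T* get() const { return m_ref ? m_ref->ptr : nullptr; }
    explicit operator bool() const { return get() != nullptr; }
    T* operator->() const { return get(); }

private:
    friend class WeakPtrFactory<T>;
    struct Ref {
        explicit Ref(T* p) : ptr(p) {}
        T* ptr;
    };
    explicit WeakPtr(std::shared_ptr<Ref> ref) : m_ref(std::move(ref)) {}
    std::shared_ptr<Ref> m_ref;
};

template <typename T>
class WeakPtrFactory {
private:
    using Ref = typename WeakPtr<T>::Ref;

public:
    explicit WeakPtrFactory(T* owner) : m_ref(std::make_shared<Ref>(owner)) {}
    ~WeakPtrFactory() { m_ref->ptr = nullptr; } // invalidates every outstanding WeakPtr
    WeakPtrFactory(const WeakPtrFactory&) = delete;
    WeakPtrFactory& operator=(const WeakPtrFactory&) = delete;
    WeakPtr<T> createWeakPtr() const { return WeakPtr<T>(m_ref); }

private:
    std::shared_ptr<Ref> m_ref;
};

class DisplayRefreshMonitor;

// Stand-in for RemoteLayerTreeDrawingArea: tracks its monitors by raw pointer
// (they unregister themselves on destruction) and hands out WeakPtrs to itself.
class DrawingArea {
public:
    DrawingArea() : m_weakFactory(this) {}
    DrawingArea(const DrawingArea&) = delete;
    DrawingArea& operator=(const DrawingArea&) = delete;
    // No destructor logic: m_weakFactory's destructor invalidates the WeakPtrs.

    WeakPtr<DrawingArea> createWeakPtr() const { return m_weakFactory.createWeakPtr(); }
    void registerMonitor(DisplayRefreshMonitor* monitor) { m_monitors.insert(monitor); }
    void unregisterMonitor(DisplayRefreshMonitor* monitor) { m_monitors.erase(monitor); }
    std::size_t monitorCount() const { return m_monitors.size(); }

private:
    std::set<DisplayRefreshMonitor*> m_monitors;
    WeakPtrFactory<DrawingArea> m_weakFactory;
};

// Stand-in for RemoteLayerTreeDisplayRefreshMonitor.
class DisplayRefreshMonitor {
public:
    explicit DisplayRefreshMonitor(DrawingArea& area) : m_drawingArea(area.createWeakPtr()) {
        area.registerMonitor(this);
    }
    DisplayRefreshMonitor(const DisplayRefreshMonitor&) = delete;
    DisplayRefreshMonitor& operator=(const DisplayRefreshMonitor&) = delete;
    ~DisplayRefreshMonitor() {
        // Crashing shape: `m_drawingArea->unregisterMonitor(this)` through a raw
        // back-pointer dereferences freed memory when the area was destroyed first.
        // Fixed shape: the WeakPtr reads null in that case, so the call is skipped.
        if (m_drawingArea)
            m_drawingArea->unregisterMonitor(this);
    }
    bool drawingAreaAlive() const { return static_cast<bool>(m_drawingArea); }

private:
    WeakPtr<DrawingArea> m_drawingArea;
};

// Normal order: monitors die before the drawing area. Returns the number of
// monitors still registered afterwards (expected 0: each unregistered itself).
std::size_t monitorsDestroyedFirst() {
    DrawingArea area;
    {
        DisplayRefreshMonitor a(area), b(area);
    }
    return area.monitorCount();
}

// The order from the bug report: the drawing area dies while monitors are alive.
// Returns true when both monitors saw the area as alive before and gone after,
// so their destructors (which run at the end of this function) skip the callback.
bool drawingAreaDestroyedFirst() {
    auto area = std::make_unique<DrawingArea>();
    DisplayRefreshMonitor a(*area), b(*area);
    bool aliveBefore = a.drawingAreaAlive() && b.drawingAreaAlive();
    area.reset(); // deallocated; a raw back-pointer would now dangle
    bool goneAfter = !a.drawingAreaAlive() && !b.drawingAreaAlive();
    return aliveBefore && goneAfter;
}

int main() {
    std::printf("monitors left after normal teardown: %zu\n", monitorsDestroyedFirst());
    std::printf("monitors outlived the area safely: %s\n", drawingAreaDestroyedFirst() ? "yes" : "no");
    return 0;
}
```

The point of the second scenario is that nothing in `DrawingArea` has to enumerate its monitors on teardown: the factory invalidates every handle at once, which is why the manual `clearDrawingArea()` loop discussed later in the thread is redundant.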
Comment 1 Wenson Hsieh 2015-07-20 15:26:45 PDT
<rdar://problem/21582858>
Comment 2 Wenson Hsieh 2015-07-20 15:35:04 PDT
Created attachment 257135 [details]
Patch
Comment 3 Simon Fraser (smfr) 2015-07-20 15:44:38 PDT
Comment on attachment 257135 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=257135&action=review

> Source/WebKit2/WebProcess/WebPage/Cocoa/RemoteLayerTreeDisplayRefreshMonitor.mm:78
> +void RemoteLayerTreeDisplayRefreshMonitor::clearDrawingArea()
> +{
> +    m_drawingArea = nullptr;
> +}

You don't need this. The WeakPtr does this for you.

> Source/WebKit2/WebProcess/WebPage/mac/RemoteLayerTreeDrawingArea.mm:95
> +    for (RemoteLayerTreeDisplayRefreshMonitor* monitor : m_displayRefreshMonitors)
> +        monitor->clearDrawingArea();
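Review bot: the loop at RemoteLayerTreeDrawingArea.mm:95 clears the back-pointer only for monitors that are still in m_displayRefreshMonitors when it runs, so any live monitor no longer in that set would keep a stale pointer. Since m_drawingArea is a WeakPtr, it already reads null once the drawing area (and its WeakPtrFactory) is destroyed; drop this loop together with clearDrawingArea() and have the monitor's destructor test the WeakPtr before calling into the drawing area.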

This is not needed.
Comment 4 Wenson Hsieh 2015-07-20 16:00:59 PDT
Comment on attachment 257135 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=257135&action=review

>> Source/WebKit2/WebProcess/WebPage/Cocoa/RemoteLayerTreeDisplayRefreshMonitor.mm:78
>> +}
> 
> You don't need this. The WeakPtr does this for you.

Fixed!

>> Source/WebKit2/WebProcess/WebPage/mac/RemoteLayerTreeDrawingArea.mm:95
>> +        monitor->clearDrawingArea();
> 
> This is not needed.

Got it -- fixed!
Comment 5 Wenson Hsieh 2015-07-20 16:02:14 PDT
Created attachment 257139 [details]
Patch
Comment 6 Wenson Hsieh 2015-07-20 16:35:07 PDT
From the ChangeLog: logically, a RemoteLayerTreeDrawingArea should always outlive its refresh monitors. Refer to https://bugs.webkit.org/show_bug.cgi?id=147128 for more details.
Comment 7 WebKit Commit Bot 2015-07-20 17:24:23 PDT
Comment on attachment 257139 [details]
Patch

Clearing flags on attachment: 257139

Committed r187050: <http://trac.webkit.org/changeset/187050>
Comment 8 WebKit Commit Bot 2015-07-20 17:24:26 PDT
All reviewed patches have been landed. Closing bug.