Bug 148442

Summary: Fix crash due to animationDidEnd called on deallocated RemoteLayerTreeHost
Product: WebKit Reporter: Wenson Hsieh <wenson_hsieh>
Component: WebCore Misc.Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: commit-queue, thorton, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Test case that reproduces the bug
none
Patch
none
Patch none

Wenson Hsieh
Reported 2015-08-25 13:09:20 PDT
WebKit may crash when calling -[PlatformCAAnimationRemote animationDidStop] if the PlatformCAAnimationRemote's layer tree host has been deallocated.
Attachments
Test case that reproduces the bug (872 bytes, application/zip)
2015-08-26 13:35 PDT, Wenson Hsieh 		no flags
Details
Patch (1.78 KB, patch)
2015-08-26 13:41 PDT, Wenson Hsieh 		no flags
DetailsFormatted DiffDiff
Patch (1.80 KB, patch)
2015-08-26 14:05 PDT, Wenson Hsieh 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Wenson Hsieh
Comment 1 2015-08-25 13:10:18 PDT
<rdar://problem/21609257>
Wenson Hsieh
Comment 2 2015-08-26 13:33:50 PDT
Reproducible nearly 100% of the time -- visit http://whsieh.github.io/examples/layerhost-crash.html and click the link. Works best when running an iOS simulator on a debug build where you can see the stack trace upon the crash.
Wenson Hsieh
Comment 3 2015-08-26 13:35:17 PDT
Created attachment 259975 [details] Test case that reproduces the bug Click the link to open a new tab. The new tab will crash while exiting.
Wenson Hsieh
Comment 4 2015-08-26 13:41:53 PDT
Created attachment 259977 [details] Patch
Tim Horton
Comment 5 2015-08-26 13:48:31 PDT
Comment on attachment 259977 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=259977&action=review > Source/WebKit2/UIProcess/mac/RemoteLayerTreeHost.mm:145 > m_layers.remove(layerID); 1) You can do the hash table lookup only once. 2) Should you also cover the case in clearLayers()?
Wenson Hsieh
Comment 6 2015-08-26 13:57:44 PDT
Comment on attachment 259977 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=259977&action=review >> Source/WebKit2/UIProcess/mac/RemoteLayerTreeHost.mm:145 >> m_layers.remove(layerID); > > 1) You can do the hash table lookup only once. > > 2) Should you also cover the case in clearLayers()? 1. Good point. Fixed. 2. clearLayers is only invoked in the destructor of RemoteLayerTreeHost, which ensures that all animation delegates are first invalidated. It might be better to lift the invalidation logic from ~RemoteLayerTreeHost to clearLayers() instead though.
Tim Horton
Comment 7 2015-08-26 14:00:18 PDT
(In reply to comment #6) > Comment on attachment 259977 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=259977&action=review > > >> Source/WebKit2/UIProcess/mac/RemoteLayerTreeHost.mm:145 > >> m_layers.remove(layerID); > > > > 1) You can do the hash table lookup only once. > > > > 2) Should you also cover the case in clearLayers()? > > 1. Good point. Fixed. > > 2. clearLayers is only invoked in the destructor of RemoteLayerTreeHost, > which ensures that all animation delegates are first invalidated. It might > be better to lift the invalidation logic from ~RemoteLayerTreeHost to > clearLayers() instead though. Ah! No, that's probably fine. OK.
Wenson Hsieh
Comment 8 2015-08-26 14:05:58 PDT
Created attachment 259980 [details] Patch
Tim Horton
Comment 9 2015-08-26 14:07:38 PDT
Please consider making your test a layout test (it seems like a pretty easy one).
WebKit Commit Bot
Comment 10 2015-08-26 14:54:57 PDT
Comment on attachment 259980 [details] Patch Clearing flags on attachment: 259980 Committed r188991: <http://trac.webkit.org/changeset/188991>
WebKit Commit Bot
Comment 11 2015-08-26 14:55:01 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.