Bug 148442

Summary: Fix crash due to animationDidEnd called on deallocated RemoteLayerTreeHost
Product: WebKit Reporter: Wenson Hsieh <wenson_hsieh>
Component: WebCore Misc.Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: commit-queue, thorton, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Test case that reproduces the bug
none
Patch
none
Patch none

Description Wenson Hsieh 2015-08-25 13:09:20 PDT 
WebKit may crash when calling -[PlatformCAAnimationRemote animationDidStop] if the PlatformCAAnimationRemote's layer tree host has been deallocated.
Comment 1 Wenson Hsieh 2015-08-25 13:10:18 PDT 
<rdar://problem/21609257>
Comment 2 Wenson Hsieh 2015-08-26 13:33:50 PDT 
Reproducible nearly 100% of the time -- visit http://whsieh.github.io/examples/layerhost-crash.html and click the link. Works best when running an iOS simulator on a debug build where you can see the stack trace upon the crash.
Comment 3 Wenson Hsieh 2015-08-26 13:35:17 PDT 
Created attachment 259975 [details]
Test case that reproduces the bug

Click the link to open a new tab. The new tab will crash while exiting.
Comment 4 Wenson Hsieh 2015-08-26 13:41:53 PDT 
Created attachment 259977 [details]
Patch
Comment 5 Tim Horton 2015-08-26 13:48:31 PDT 
Comment on attachment 259977 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=259977&action=review

> Source/WebKit2/UIProcess/mac/RemoteLayerTreeHost.mm:145
>      m_layers.remove(layerID);

1) You can do the hash table lookup only once.

2) Should you also cover the case in clearLayers()?
Comment 6 Wenson Hsieh 2015-08-26 13:57:44 PDT 
Comment on attachment 259977 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=259977&action=review

>> Source/WebKit2/UIProcess/mac/RemoteLayerTreeHost.mm:145
>>      m_layers.remove(layerID);
> 
> 1) You can do the hash table lookup only once.
> 
> 2) Should you also cover the case in clearLayers()?

1. Good point. Fixed.

2. clearLayers is only invoked in the destructor of RemoteLayerTreeHost, which ensures that all animation delegates are first invalidated. It might be better to lift the invalidation logic from ~RemoteLayerTreeHost to clearLayers() instead though.
Comment 7 Tim Horton 2015-08-26 14:00:18 PDT 
(In reply to comment #6)
> Comment on attachment 259977 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=259977&action=review
> 
> >> Source/WebKit2/UIProcess/mac/RemoteLayerTreeHost.mm:145
> >>      m_layers.remove(layerID);
> > 
> > 1) You can do the hash table lookup only once.
> > 
> > 2) Should you also cover the case in clearLayers()?
> 
> 1. Good point. Fixed.
> 
> 2. clearLayers is only invoked in the destructor of RemoteLayerTreeHost,
> which ensures that all animation delegates are first invalidated. It might
> be better to lift the invalidation logic from ~RemoteLayerTreeHost to
> clearLayers() instead though.

Ah! No, that's probably fine. OK.
Comment 8 Wenson Hsieh 2015-08-26 14:05:58 PDT 
Created attachment 259980 [details]
Patch
Comment 9 Tim Horton 2015-08-26 14:07:38 PDT 
Please consider making your test a layout test (it seems like a pretty easy one).
Comment 10 WebKit Commit Bot 2015-08-26 14:54:57 PDT 
Comment on attachment 259980 [details]
Patch

Clearing flags on attachment: 259980

Committed r188991: <http://trac.webkit.org/changeset/188991>
Comment 11 WebKit Commit Bot 2015-08-26 14:55:01 PDT 
All reviewed patches have been landed.  Closing bug.