Bug 159922

Summary: [Threaded Compositor] Web Process crash when the layer tree host is destroyed
Product: WebKit
Reporter: Carlos Garcia Campos <cgarcia>
Component: WebKit2
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal    
Priority: P2    
Version: WebKit Local Build   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 154066    
Attachments:
Patch (Flags: svillar: review+)

Description Carlos Garcia Campos 2016-07-19 08:30:47 PDT
It happens when the layer tree host is destroyed after the didChangeVisibleRect is scheduled to be run in the main thread, but before it's actually dispatched. In that case the threaded compositor client points to a deleted object and crashes when trying to dereference it.
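The lifetime hazard in the description, modelled as an added C++ example (not WebKit code and not the patch committed for this bug): a callback queued for the main thread re-checks a client pointer that the owner clears when it is destroyed. `MainQueue`, `Client`, `Compositor`, `Host` and `deliveredAfter` are hypothetical names, and the queue is a single-threaded stand-in for the main-thread run loop.

```cpp
#include <functional>
#include <memory>
#include <queue>
#include <utility>

// Single-threaded stand-in for the main-thread run loop: post now, dispatch later.
struct MainQueue {
    std::queue<std::function<void()>> tasks;
    void post(std::function<void()> task) { tasks.push(std::move(task)); }
    void drain() { for (; !tasks.empty(); tasks.pop()) tasks.front()(); }
};

struct Client { // hypothetical callback interface
    virtual void didChangeVisibleRect() = 0;
    virtual ~Client() = default;
};

// Hypothetical compositor: reference-counted, so queued tasks keep it alive.
class Compositor : public std::enable_shared_from_this<Compositor> {
public:
    explicit Compositor(Client* client) : m_client(client) {}
    void invalidate() { m_client = nullptr; } // the owner is going away
    void scheduleVisibleRectChange(MainQueue& queue) {
        queue.post([self = shared_from_this()] { // capture the compositor, not the raw client
            if (self->m_client) self->m_client->didChangeVisibleRect(); // checked at dispatch time
        });
    }
private:
    Client* m_client; // non-owning; cleared by invalidate()
};

struct Host : Client { // stands in for the layer tree host
    int& delivered;
    std::shared_ptr<Compositor> compositor;
    explicit Host(int& counter) : delivered(counter), compositor(std::make_shared<Compositor>(this)) {}
    ~Host() override { compositor->invalidate(); }
    void didChangeVisibleRect() override { ++delivered; }
};

int deliveredAfter(bool destroyHostBeforeDispatch) { // callbacks that reached the host
    MainQueue queue;
    int delivered = 0;
    auto host = std::make_unique<Host>(delivered);
    host->compositor->scheduleVisibleRectChange(queue);
    if (destroyHostBeforeDispatch) host.reset(); // the window described in the report
    queue.drain();
    return delivered;
}

int main() { return deliveredAfter(false) == 1 && deliveredAfter(true) == 0 ? 0 : 1; }
```

Without the `invalidate()` call in `~Host()`, the queued task would dereference a freed `Host`, which is the crash pattern the report describes.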
Comment 1 Carlos Garcia Campos 2016-07-19 08:34:06 PDT
Created attachment 284007
Patch
Comment 2 Sergio Villar Senin 2016-07-20 01:07:09 PDT
Comment on attachment 284007
Patch

Don't we have a test to reproduce the crash?
Comment 3 Carlos Garcia Campos 2016-07-20 01:09:58 PDT
(In reply to comment #2)
> Comment on attachment 284007
> Patch
> 
> Don't we have a test to reproduce the crash?

Yes, several tests crashed because of this. I found this issue running the layout tests indeed, but I don't remember which tests failed. Same for bug #159918.
Comment 4 Carlos Garcia Campos 2016-07-20 05:18:43 PDT
Committed r203449: <http://trac.webkit.org/changeset/203449>