Bug 30403

Summary: REGRESSION(r49385): crashes in SVGImage due to static EmptyPluginHalterClient
Product: WebKit Reporter: Dimitri Glazkov (Google) <dglazkov>
Component: SVGAssignee: Jon Honeycutt <jhoneycutt>
Status: RESOLVED FIXED    
Severity: Normal CC: commit-queue, darin, eric, jhoneycutt, mitz, mrowe
Priority: P1    
Version: 528+ (Nightly build)   
Hardware: PC   
OS: OS X 10.5   
Bug Depends on: 30119    
Bug Blocks:    
Attachments:
Description Flags
SVGImage crash fix, v1.
none
SVGImage crash fix, v2.
none
SVGImage crash fix, v2. none

Dimitri Glazkov (Google)
Reported 2009-10-15 13:08:56 PDT
After http://trac.webkit.org/changeset/49385, the PluginHalter started owning PluginHalterClient, which now makes it necessary for the EmptyPluginHalterClient instance in SVGImage to be non-static (since it can be deleted once PluginHalter is destroyed). This was caught as a crash in build.chromium.org build bot, when this sequence of tests is run: LayoutTests/svg/W3C-SVG-1.1/struct-image-01-t.svg LayoutTests/svg/W3C-SVG-1.1/struct-image-03-t.svg LayoutTests/svg/W3C-SVG-1.1/struct-image-04-t.svg LayoutTests/svg/W3C-SVG-1.1/struct-image-05-b.svg LayoutTests/svg/W3C-SVG-1.1/struct-image-06-t.svg LayoutTests/svg/W3C-SVG-1.1/struct-image-07-t.svg LayoutTests/svg/W3C-SVG-1.1/struct-image-08-t.svg LayoutTests/svg/W3C-SVG-1.1/struct-image-09-t.svg LayoutTests/svg/W3C-SVG-1.1/struct-image-10-t.svg LayoutTests/svg/carto.net/scrollbar.svg LayoutTests/svg/carto.net/selectionlist.svg The crash occurs when the garbage collection attempts to discard CachedImage holding SVGImage. SVGImage destructor clears its fake page, which destroys PluginHalter and then PluginHalterClient. Doing so results in the static instance being destroyed.
Attachments
SVGImage crash fix, v1. (2.57 KB, patch)
2009-10-15 13:13 PDT, Dimitri Glazkov (Google) 		no flags
DetailsFormatted DiffDiff
SVGImage crash fix, v2. (3.03 KB, patch)
2009-10-16 08:57 PDT, Dimitri Glazkov (Google) 		no flags
DetailsFormatted DiffDiff
SVGImage crash fix, v2. (2.55 KB, patch)
2009-10-16 08:59 PDT, Dimitri Glazkov (Google) 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Dimitri Glazkov (Google)
Comment 1 2009-10-15 13:13:20 PDT
Created attachment 41242 [details] SVGImage crash fix, v1.
Dimitri Glazkov (Google)
Comment 2 2009-10-15 13:14:53 PDT
I attempted to write one layout test to trigger the crash, but so far had no luck.
Dimitri Glazkov (Google)
Comment 3 2009-10-15 13:21:26 PDT
Adding mitz since he reviewed the http://trac.webkit.org/changeset/49385.
Eric Seidel (no email)
Comment 4 2009-10-15 20:58:46 PDT
Comment on attachment 41242 [details] SVGImage crash fix, v1. I would put a comment next to the code, explaining the ownership, and why it's non-static. Something like: // Create a new EmptyPluginHalterClient, because FooBar owns the client and will destroy it.
Eric Seidel (no email)
Comment 5 2009-10-15 20:59:02 PDT
mitz or whoever was involved in the original patch should really review this though.
Jon Honeycutt
Comment 6 2009-10-15 21:17:45 PDT
Thanks for investigating this, Dimitri! As Eric said on IRC, we should make PluginHalter / PluginHalterClient behave like the other controllers stored on Page, i.e., the PluginHalter should notify its client when it is being destroyed, and the client may then choose to clean itself up.
Dimitri Glazkov (Google)
Comment 7 2009-10-15 21:25:27 PDT
Sounds good. To stop the crasheage while this is being refactored, perhaps we could check in mine or even a simpler patch that passes 0 as client?
Jon Honeycutt
Comment 8 2009-10-15 22:32:39 PDT
Yes, passing 0 here is a good idea.
Dimitri Glazkov (Google)
Comment 9 2009-10-16 08:57:35 PDT
Created attachment 41286 [details] SVGImage crash fix, v2.
Dimitri Glazkov (Google)
Comment 10 2009-10-16 08:58:21 PDT
Comment on attachment 41286 [details] SVGImage crash fix, v2. ugh.
Dimitri Glazkov (Google)
Comment 11 2009-10-16 08:59:10 PDT
Created attachment 41287 [details] SVGImage crash fix, v2.
Eric Seidel (no email)
Comment 12 2009-10-16 08:59:56 PDT
Yes. If you're used to git-send-bugzilla, bugzilla-tool post-commits' behavior is confusing, I agree. :(
Eric Seidel (no email)
Comment 13 2009-10-16 09:01:10 PDT
Comment on attachment 41287 [details] SVGImage crash fix, v2. This looks OK. We still need a bug to fix the ownership semantics of PluginHalterClient I think. Also, why do we even have EmptyPluginHalterClient defined if we don't use it here anymore?
Dimitri Glazkov (Google)
Comment 14 2009-10-16 09:04:59 PDT
Yup. That's why I changed the bug ownership to Jon. This is just a fix for the crash.
Eric Seidel (no email)
Comment 15 2009-10-16 09:06:54 PDT
Comment on attachment 41287 [details] SVGImage crash fix, v2. OK. It's just a little strange of a state to leave the tree in. :) But alright.
Dimitri Glazkov (Google)
Comment 16 2009-10-16 09:56:25 PDT
Comment on attachment 41287 [details] SVGImage crash fix, v2. git svn rebase is taking foreeeeeveeeer.
WebKit Commit Bot
Comment 17 2009-10-16 10:35:59 PDT
Comment on attachment 41287 [details] SVGImage crash fix, v2. Clearing flags on attachment: 41287 Committed r49685: <http://trac.webkit.org/changeset/49685>
WebKit Commit Bot
Comment 18 2009-10-16 10:36:03 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.