Bug 42860

Summary:

Compositing iframe layout test crashes in WebKit2

Product:

WebKit

Reporter:

Simon Fraser (smfr) <simon.fraser>

Component:

WebKit2

Assignee:

Simon Fraser (smfr) <simon.fraser>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

sam, webkit.review.bot

Priority:

Keywords:

InRadar

Version:

528+ (Nightly build)

Hardware:

OS:

OS X 10.5

Attachments:

Description	Flags
Part one: make DrawingArea ref-counted	none
Patch	andersca: review+

Simon Fraser (smfr)

Reported 2010-07-22 17:16:51 PDT

This test crashes: LayoutTests/compositing/iframes/iframe-size-to-zero.html because LayerBackedDrawingArea::updateLayoutRunLoopObserverFired() can cause the LayerBackedDrawingArea to get destroyed from under it.

Attachments
Part one: make DrawingArea ref-counted (5.18 KB, patch) 2010-08-02 17:57 PDT, Simon Fraser (smfr)	no flags	Details Formatted Diff Diff
Patch (38.59 KB, patch) 2010-08-03 14:33 PDT, Simon Fraser (smfr)	andersca: review+	Details Formatted Diff Diff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.

Simon Fraser (smfr)

Comment 1 2010-08-02 08:50:22 PDT

*** Bug 43309 has been marked as a duplicate of this bug. ***

Simon Fraser (smfr)

Comment 2 2010-08-02 08:56:48 PDT

<rdar://problem/8259777>

Simon Fraser (smfr)

Comment 3 2010-08-02 13:46:15 PDT

Here's the stack where the drawing area is getting blown away: #0 WebKit::LayerBackedDrawingArea::platformClear (this=0x11c19c190) at /Volumes/InternalData/Development/webkit/OpenSource/WebKit2/WebProcess/WebPage/mac/LayerBackedDrawingAreaMac.mm:54 #1 0x000000010073f43e in WebKit::LayerBackedDrawingArea::~LayerBackedDrawingArea (this=0x11c19c190) at /Volumes/InternalData/Development/webkit/OpenSource/WebKit2/WebProcess/WebPage/LayerBackedDrawingArea.cpp:66 #2 0x0000000100782f49 in WTF::deleteOwnedPtr<WebKit::DrawingArea> (ptr=0x11c19c190) at OwnPtrCommon.h:57 #3 0x000000010078413a in WTF::OwnPtr<WebKit::DrawingArea>::operator= (this=0x119d01178, o=@0x7fff5fbfe3a0) at OwnPtr.h:129 #4 0x0000000100781ad9 in WebKit::WebPage::changeAcceleratedCompositingMode (this=0x119d010f0, layer=0x0) at /Volumes/InternalData/Development/webkit/OpenSource/WebKit2/WebProcess/WebPage/WebPage.cpp:189 #5 0x0000000100781b60 in WebKit::WebPage::exitAcceleratedCompositingMode (this=0x119d010f0) at /Volumes/InternalData/Development/webkit/OpenSource/WebKit2/WebProcess/WebPage/WebPage.cpp:205 #6 0x000000010076d473 in WebKit::WebChromeClient::attachRootGraphicsLayer (this=0x119d00c70, layer=0x0) at /Volumes/InternalData/Development/webkit/OpenSource/WebKit2/WebProcess/WebCoreSupport/WebChromeClient.cpp:505 #7 0x0000000101c9af8a in WebCore::RenderLayerCompositor::detachRootPlatformLayer (this=0x11c1d64e0) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/rendering/RenderLayerCompositor.cpp:1409 #8 0x0000000101c9b146 in WebCore::RenderLayerCompositor::destroyRootPlatformLayer (this=0x11c1d64e0) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/rendering/RenderLayerCompositor.cpp:1343 #9 0x0000000101c9c957 in WebCore::RenderLayerCompositor::enableCompositingMode (this=0x11c1d64e0, enable=false) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/rendering/RenderLayerCompositor.cpp:122 #10 0x0000000101c9e5b6 in WebCore::RenderLayerCompositor::computeCompositingRequirements (this=0x11c1d64e0, layer=0x11c19c6b8, overlapMap=0x7fff5fbfe6e0, compositingState=@0x7fff5fbfe6c0, layersChanged=@0x7fff5fbfe6dc) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/rendering/RenderLayerCompositor.cpp:644 #11 0x0000000101c9e841 in WebCore::RenderLayerCompositor::updateCompositingLayers (this=0x11c1d64e0, updateType=WebCore::CompositingUpdateAfterLayoutOrStyleChange, updateRoot=0x11c19c6b8) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/rendering/RenderLayerCompositor.cpp:215 #12 0x00000001016c127f in WebCore::FrameView::updateCompositingLayers (this=0x11c1d4fa0) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/page/FrameView.cpp:497 #13 0x00000001016c1e0f in WebCore::FrameView::layout (this=0x11c1d4fa0, allowSubtree=true) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/page/FrameView.cpp:808 #14 0x00000001016c2545 in WebCore::FrameView::layoutIfNeededRecursive (this=0x11c1d4fa0) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/page/FrameView.cpp:2012 #15 0x0000000100780b28 in WebKit::WebPage::layoutIfNeeded (this=0x119d010f0) at /Volumes/InternalData/Development/webkit/OpenSource/WebKit2/WebProcess/WebPage/WebPage.cpp:286 #16 0x000000010073f9ed in WebKit::LayerBackedDrawingArea::updateLayoutRunLoopObserverFired (this=0x11c19c190) at /Volumes/InternalData/Development/webkit/OpenSource/WebKit2/WebProcess/WebPage/mac/LayerBackedDrawingAreaMac.mm:152 #17 0x000000010073fa29 in WebKit::LayerBackedDrawingArea::updateLayoutRunLoopObserverCallback (info=0x11c19c190) at /Volumes/InternalData/Development/webkit/OpenSource/WebKit2/WebProcess/WebPage/mac/LayerBackedDrawingAreaMac.mm:147 #18 0x00007fff870ae077 in __CFRunLoopDoObservers ()

Simon Fraser (smfr)

Comment 4 2010-08-02 17:57:06 PDT

Created attachment 63284 [details] Part one: make DrawingArea ref-counted

Darin Adler

Comment 5 2010-08-03 12:47:56 PDT

Comment on attachment 63284 [details] Part one: make DrawingArea ref-counted Reference counts. Is there nothing they can't do?

Simon Fraser (smfr)

Comment 6 2010-08-03 14:33:05 PDT

Created attachment 63377 [details] Patch

WebKit Review Bot

Comment 7 2010-08-03 14:36:19 PDT

Attachment 63377 [details] did not pass style-queue: Failed to run "['WebKitTools/Scripts/check-webkit-style']" exit_code: 1 WebKit2/Shared/DrawingAreaBase.h:32: Code inside a namespace should not be indented. [whitespace/indent] [4] WebKit2/Shared/DrawingAreaBase.cpp:26: Found header this file implements before WebCore config.h. Should be: config.h, primary header, blank line, and then alphabetically sorted. [build/include_order] [4] Total errors found: 2 in 21 files If any of these errors are false positives, please file a bug against check-webkit-style.

Anders Carlsson

Comment 8 2010-08-03 15:24:52 PDT

Comment on attachment 63377 [details] Patch > +class DrawingAreaBase { > +public: > + enum Type { > + None, > + ChunkedUpdateDrawingAreaType, > +#if USE(ACCELERATED_COMPOSITING) > + LayerBackedDrawingAreaType, > +#endif > + }; > + > + typedef uint64_t DrawingAreaID; > + > + virtual ~DrawingAreaBase() { } > + > + Type type() const { return m_type; } > + DrawingAreaID id() const { return m_id; } > + > + struct DrawingAreaInfo { > + Type type; > + DrawingAreaID id; > + > + DrawingAreaInfo(Type type = None, DrawingAreaID indentifier = 0) Typo, "indentifier." > +protected: > + DrawingAreaBase(Type type, DrawingAreaID indentifier) > + : m_type(type) > + , m_id(indentifier) Ditto.

Simon Fraser (smfr)

Comment 9 2010-08-03 15:33:28 PDT

http://trac.webkit.org/changeset/64594 http://trac.webkit.org/changeset/64595

Note You need to log in before you can comment on or make changes to this bug.