Downstream bug: http://crbug.com/157097

What steps will reproduce the problem?

0. Run a debug build of Chromium
1. Open a packaged app Shell window, or popout a Google Chat Panel window
2. Right-click -> Inspect Element, Developer tools opens in new window
3. Close the original Shell/Panel Window
4. segfault around:

    void GraphicsLayer::willBeDestroyed()
    {
    #ifndef NDEBUG
        if (m_client)
            m_client->verifyNotPainting();
    #endif

This code was added in bug 81954 (from March).

The problem is that WebKit::PageOverlay is declared like this:

    class PageOverlay {
        /* snip */
        WebViewImpl* m_viewImpl;
        WebPageOverlay* m_overlay;
        OwnPtr<WebCore::GraphicsLayer> m_layer;
        OwnPtr<WebCore::GraphicsLayerClient> m_layerClient;
        int m_zOrder;
    };

So m_layerClient will be destroyed before m_layer at the end of ~PageOverlay(). So, it is not valid for GraphicsLayer::willBeDestroyed (called from the ~GraphicsLayerChromium leaf class) to access its own GraphicsLayerClient data member in this situation to do m_client->verifyNotPainting();.

Some possible solutions:
- Fix the destruction order (reorder members)
- explicitly set PageOverlay::m_layer->m_client to NULL in ~PageOverlay
- something-else-because-i-don't-really-know-webkit-that-well
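The reverse-declaration-order destruction described in the report, reduced to a stand-alone C++ model, as an added illustration that is not part of the bug report or of WebKit's code. The names LayerClient, Layer, BuggyOverlay, ReorderedOverlay and DetachingOverlay are hypothetical stand-ins for GraphicsLayerClient, GraphicsLayer and PageOverlay, and std::unique_ptr stands in for OwnPtr. Instead of dereferencing the stale client pointer (which would be the same undefined behaviour as the real crash), the layer's destructor consults a registry of live clients so the bad order is observable as a log entry; the two fixes sketched in the report (reorder members; null the client in the owner's destructor) are shown side by side.

```cpp
#include <iostream>
#include <memory>
#include <set>
#include <string>
#include <vector>

// Registry of clients that are still alive, plus an event log. Both exist only
// so the demo can *detect* a stale pointer rather than dereference it.
static std::set<const void*> g_liveClients;
static std::vector<std::string> g_log;

// Hypothetical stand-in for WebCore::GraphicsLayerClient.
struct LayerClient {
    LayerClient() { g_liveClients.insert(this); }
    ~LayerClient() { g_liveClients.erase(this); g_log.push_back("~LayerClient"); }
    void verifyNotPainting() const { g_log.push_back("verifyNotPainting"); }
};

// Hypothetical stand-in for WebCore::GraphicsLayer: holds a raw, non-owning
// pointer to its client and consults it in its destructor (like willBeDestroyed()).
struct Layer {
    explicit Layer(LayerClient* c) : m_client(c) {}
    void setClient(LayerClient* c) { m_client = c; }
    ~Layer() {
        if (m_client) {
            if (g_liveClients.count(m_client))
                m_client->verifyNotPainting();
            else
                g_log.push_back("USE-AFTER-FREE: client already destroyed");
        }
        g_log.push_back("~Layer");
    }
    LayerClient* m_client;
};

// Layout from the report: m_layer declared before m_layerClient. Members are
// destroyed in reverse declaration order, so the client dies first and the
// layer's destructor then sees a dangling m_client.
struct BuggyOverlay {
    std::unique_ptr<Layer> m_layer;
    std::unique_ptr<LayerClient> m_layerClient;
    BuggyOverlay() {
        m_layerClient.reset(new LayerClient);
        m_layer.reset(new Layer(m_layerClient.get()));
    }
};

// Fix 1 from the report: reorder members so the layer is destroyed before the
// client it points at.
struct ReorderedOverlay {
    std::unique_ptr<LayerClient> m_layerClient;
    std::unique_ptr<Layer> m_layer;
    ReorderedOverlay() {
        m_layerClient.reset(new LayerClient);
        m_layer.reset(new Layer(m_layerClient.get()));
    }
};

// Fix 2 from the report: keep the layout but explicitly detach the client in
// the owner's destructor, before member destruction begins.
struct DetachingOverlay {
    std::unique_ptr<Layer> m_layer;
    std::unique_ptr<LayerClient> m_layerClient;
    DetachingOverlay() {
        m_layerClient.reset(new LayerClient);
        m_layer.reset(new Layer(m_layerClient.get()));
    }
    ~DetachingOverlay() { m_layer->setClient(nullptr); }
};

// Run one owner's full lifetime and return the destruction trace as "a|b|c".
template <typename Owner>
std::string trace() {
    g_log.clear();
    { Owner owner; }  // destroyed at end of scope
    std::string out;
    for (const auto& e : g_log) out += (out.empty() ? "" : "|") + e;
    return out;
}

std::string buggyTrace()     { return trace<BuggyOverlay>(); }
std::string reorderedTrace() { return trace<ReorderedOverlay>(); }
std::string detachingTrace() { return trace<DetachingOverlay>(); }

int main() {
    std::cout << "buggy:     " << buggyTrace() << "\n";
    std::cout << "reordered: " << reorderedTrace() << "\n";
    std::cout << "detaching: " << detachingTrace() << "\n";
    return 0;
}
```

In the buggy layout the trace shows the client destructor running first and the layer then finding its client gone; reordering lets the debug check run and keeps the destruction order sound, while detaching avoids the dangling access at the cost of skipping the verifyNotPainting() check for this owner.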
Created attachment 171850 [details] Patch
Created attachment 171851 [details] Patch
Comment on attachment 171851 [details] Patch Clearing flags on attachment: 171851 Committed r133188: <http://trac.webkit.org/changeset/133188>
All reviewed patches have been landed. Closing bug.