|« First Last »| « Prev Next »    This bug is not in your last search results.
Bug 100930 - [Chromium] debug builds: Use after free under ~PageOverlay()
: [Chromium] debug builds: Use after free under ~PageOverlay()
Status: RESOLVED FIXED
Product: WebKit
Classification: Unclassified
Component: Web Inspector (Deprecated)
: 528+ (Nightly build)
: Unspecified All
: P2 Normal
Assigned To: Vsevolod Vlasov
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2012-11-01 01:44 PDT by tapted
Modified: 2012-11-01 09:51 PDT (History)
12 users (show)

See Also:

Attachments
Patch (1.24 KB, patch)
2012-11-01 07:35 PDT, Vsevolod Vlasov 		no flags Details | Formatted Diff | Diff
Patch (1.34 KB, patch)
2012-11-01 07:36 PDT, Vsevolod Vlasov 		no flags Details | Formatted Diff | Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description tapted 2012-11-01 01:44:40 PDT 
Downstream bug: http://crbug.com/157097

What steps will reproduce the problem?
0. Run a debug build of Chromium
1. Open a packaged app Shell window, or popout a Google Chat Panel window
2. Right-click -> Inspect Element, Developer tools opens in new window
3. Close the original Shell/Panel Window
4. segfault around:

 void GraphicsLayer::willBeDestroyed()
 {
 #ifndef NDEBUG
     if (m_client)
         m_client->verifyNotPainting();
 #endif


This code added in bug 81954 (from March)


The problem is that WebKit::PageOverlay is declared like this:

class PageOverlay {
/* snip */

    WebViewImpl* m_viewImpl;
    WebPageOverlay* m_overlay;
    OwnPtr<WebCore::GraphicsLayer> m_layer;
    OwnPtr<WebCore::GraphicsLayerClient> m_layerClient;
    int m_zOrder;
};

So m_layerClient will be destroyed before m_layer at the end of ~PageOverlay().

So, it is not valid for GraphicsLayer::willBeDestroyed (called from the ~GraphicsLayerChromium leaf class) to access its own GraphicsLayerClient data member in this situation to do m_client->verifyNotPainting();.

Some possible solutions:
 - Fix the destruction order (reorder members)
 - explicitly set PageOverlay::m_layer->m_client to NULL in ~PageOverlay
 - something-else-because-i-don't-really-know-webkit-that-well
Comment 1 Vsevolod Vlasov 2012-11-01 07:35:35 PDT 
Created attachment 171850 [details]
Patch
Comment 2 Vsevolod Vlasov 2012-11-01 07:36:29 PDT 
Created attachment 171851 [details]
Patch
Comment 3 WebKit Review Bot 2012-11-01 09:51:39 PDT 
Comment on attachment 171851 [details]
Patch

Clearing flags on attachment: 171851

Committed r133188: <http://trac.webkit.org/changeset/133188>
Comment 4 WebKit Review Bot 2012-11-01 09:51:42 PDT 
All reviewed patches have been landed.  Closing bug.
|« First Last »| « Prev Next »    This bug is not in your last search results.