Bug 100930 – [Chromium] debug builds: Use after free under ~PageOverlay()

Bug 100930 - [Chromium] debug builds: Use after free under ~PageOverlay()


Summary:	[Chromium] debug builds: Use after free under ~PageOverlay()

Status:	RESOLVED FIXED

Product:	WebKit
Component:	Web Inspector (Deprecated)
Version:	528+ (Nightly build)
Platform:	Unspecified All

Importance:	P2 Normal
Assigned To:	Vsevolod Vlasov

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2012-11-01 01:44 PST by tapted@chromium.org
Modified:	2012-11-01 09:51 PST (History)

Attachments
Patch (1.24 KB, patch) 2012-11-01 07:35 PST, Vsevolod Vlasov	no flags	Review Patch \| Details \| Formatted Diff \| Diff
Patch (1.34 KB, patch) 2012-11-01 07:36 PST, Vsevolod Vlasov	no flags	Review Patch \| Details \| Formatted Diff \| Diff
Hide Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note

You need to log in before you can comment on or make changes to this bug.

Description From tapted@chromium.org 2012-11-01 01:44:40 PST

Downstream bug: http://crbug.com/157097

What steps will reproduce the problem?
0. Run a debug build of Chromium
1. Open a packaged app Shell window, or popout a Google Chat Panel window
2. Right-click -> Inspect Element, Developer tools opens in new window
3. Close the original Shell/Panel Window
4. segfault around:

 void GraphicsLayer::willBeDestroyed()
 {
 #ifndef NDEBUG
     if (m_client)
         m_client->verifyNotPainting();
 #endif


This code added in bug 81954 (from March)


The problem is that WebKit::PageOverlay is declared like this:

class PageOverlay {
/* snip */

    WebViewImpl* m_viewImpl;
    WebPageOverlay* m_overlay;
    OwnPtr<WebCore::GraphicsLayer> m_layer;
    OwnPtr<WebCore::GraphicsLayerClient> m_layerClient;
    int m_zOrder;
};

So m_layerClient will be destroyed before m_layer at the end of ~PageOverlay().

So, it is not valid for GraphicsLayer::willBeDestroyed (called from the ~GraphicsLayerChromium leaf class) to access its own GraphicsLayerClient data member in this situation to do m_client->verifyNotPainting();.

Some possible solutions:
 - Fix the destruction order (reorder members)
 - explicitly set PageOverlay::m_layer->m_client to NULL in ~PageOverlay
 - something-else-because-i-don't-really-know-webkit-that-well

------- Comment #1 From Vsevolod Vlasov 2012-11-01 07:35:35 PST -------

Created an attachment (id=171850) [details]
Patch

------- Comment #2 From Vsevolod Vlasov 2012-11-01 07:36:29 PST -------

Created an attachment (id=171851) [details]
Patch

------- Comment #3 From WebKit Review Bot 2012-11-01 09:51:39 PST -------

(From update of attachment 171851 [details])
Clearing flags on attachment: 171851

Committed r133188: <http://trac.webkit.org/changeset/133188>

------- Comment #4 From WebKit Review Bot 2012-11-01 09:51:42 PST -------

All reviewed patches have been landed.  Closing bug.