Bug 118143 - RenderLayerCompositor destructor is fragile
Summary: RenderLayerCompositor destructor is fragile
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2013-06-27 11:55 PDT by Antti Koivisto
Modified: 2013-06-27 13:10 PDT (History)
5 users

See Also:


Attachments
patch (3.33 KB, patch)
2013-06-27 12:05 PDT, Antti Koivisto
simon.fraser: review+

Description Antti Koivisto 2013-06-27 11:55:03 PDT
RenderLayerCompositor destruction is fragile. With the iOS tile cache implementation, deleting RenderLayerCompositor may end up starting a deleted timer. This corrupts the timer heap and leads to a crash later. This happens because the GraphicsLayer destructor calls back to the RenderLayerCompositor that is being deleted.

    frame #1: 0x0000000106b8b1e8 WebCore`WebCore::TimerBase::start(this=0x0000000121818df8, nextFireInterval=0.5, repeatInterval=0) + 168 at Timer.cpp:231
    frame #2: 0x0000000104fa8932 WebCore`WebCore::TimerBase::startOneShot(this=0x0000000121818df8, interval=0.5) + 34 at Timer.h:52
    frame #3: 0x00000001065cb9c4 WebCore`WebCore::RenderLayerCompositor::startInitialLayerFlushTimerIfNeeded(this=0x0000000121818c90) + 100 at RenderLayerCompositor.cpp:3545
    frame #4: 0x00000001065cb8bf WebCore`WebCore::RenderLayerCompositor::scheduleLayerFlush(this=0x0000000121818c90, canThrottle=true) + 47 at RenderLayerCompositor.cpp:349
    frame #5: 0x00000001065cb889 WebCore`WebCore::RenderLayerCompositor::notifyFlushRequired(this=0x0000000121818c90, layer=0x0000000114dcc9a0) + 57 at RenderLayerCompositor.cpp:335
    frame #6: 0x0000000105836a63 WebCore`WebCore::GraphicsLayerCA::noteLayerPropertyChanged(this=0x0000000114dcc9a0, flags=4) + 211 at GraphicsLayerCA.cpp:3145
    frame #7: 0x00000001058370be WebCore`WebCore::GraphicsLayerCA::noteSublayersChanged(this=0x0000000114dcc9a0) + 30 at GraphicsLayerCA.cpp:3126
    frame #8: 0x0000000105837298 WebCore`WebCore::GraphicsLayerCA::removeFromParent(this=0x0000000114dbead0) + 56 at GraphicsLayerCA.cpp:388
    frame #9: 0x000000010582ca80 WebCore`WebCore::GraphicsLayer::removeAllChildren(this=0x0000000114dcc9a0) + 160 at GraphicsLayer.cpp:251
    frame #10: 0x000000010582c9ce WebCore`WebCore::GraphicsLayer::willBeDestroyed(this=0x0000000114dcc9a0) + 222 at GraphicsLayer.cpp:128
    frame #11: 0x0000000105836e4b WebCore`WebCore::GraphicsLayerCA::willBeDestroyed(this=0x0000000114dcc9a0) + 235 at GraphicsLayerCA.cpp:328
    frame #12: 0x0000000105836b27 WebCore`WebCore::GraphicsLayerCA::~GraphicsLayerCA(this=0x0000000114dcc9a0) + 55 at GraphicsLayerCA.cpp:307
    frame #13: 0x0000000105836ab5 WebCore`WebCore::GraphicsLayerCA::~GraphicsLayerCA(this=0x0000000114dcc9a0) + 21 at GraphicsLayerCA.cpp:305
    frame #14: 0x0000000105836a89 WebCore`WebCore::GraphicsLayerCA::~GraphicsLayerCA(this=0x0000000114dcc9a0) + 25 at GraphicsLayerCA.cpp:305
    frame #15: 0x00000001065c80ee WebCore`void WTF::deleteOwnedPtr<WebCore::GraphicsLayer>(ptr=0x0000000114dcc9a0) + 46 at OwnPtrCommon.h:63
    frame #16: 0x00000001065c8214 WebCore`WTF::OwnPtr<WebCore::GraphicsLayer>::~OwnPtr(this=0x0000000121818dd0) + 20 at OwnPtr.h:63
    frame #17: 0x00000001065c74e5 WebCore`WTF::OwnPtr<WebCore::GraphicsLayer>::~OwnPtr(this=0x0000000121818dd0) + 21 at OwnPtr.h:63
    frame #18: 0x00000001065c9f2d WebCore`WebCore::RenderLayerCompositor::~RenderLayerCompositor(this=0x0000000121818c90) + 557 at
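The failure mode in the trace above (an owned layer's destructor calling back into its owner after the owner's timer member has already been torn down), as an added illustration in simplified C++ that is not WebKit's code or the attached patch; TimerHeap, Timer, Layer, LayerClient and Compositor are assumed stand-ins for the real classes. The fragile default teardown is shown beside a hardened variant that tears the layer down explicitly before implicit member destruction runs.

```cpp
#include <memory>
#include <set>
#include <vector>

// Simplified stand-ins (assumed, not WebKit's classes) for the timer heap, a
// timer, a compositing layer and the client it notifies. The heap tracks which
// timers are alive so scheduling a destroyed timer is counted, not left dangling.
struct Timer;
struct TimerHeap {
    std::set<Timer*> live;        // timers currently constructed
    std::vector<Timer*> pending;  // timers scheduled to fire
    int deadSchedules = 0;        // start() requests on already-destroyed timers
    void schedule(Timer* t) {
        if (!live.count(t)) ++deadSchedules;  // real heap: dangling pointer, later crash
        pending.push_back(t);
    }
};
static TimerHeap g_heap;
struct Timer {
    Timer() { g_heap.live.insert(this); }
    ~Timer() { g_heap.live.erase(this); }
};

struct LayerClient { virtual ~LayerClient() {} virtual void notifyFlushRequired() = 0; };
struct Layer {
    LayerClient* client = nullptr;
    ~Layer() { if (client) client->notifyFlushRequired(); }  // tear-down notifies the owner
};

struct Compositor : LayerClient {
    std::unique_ptr<Layer> rootLayer{new Layer};
    Timer flushTimer;  // declared after rootLayer, so destroyed BEFORE it
    Compositor() { rootLayer->client = this; }
    void notifyFlushRequired() override { g_heap.schedule(&flushTimer); }
};
// Hardened: tear the layer down in the destructor body, while flushTimer is still
// alive, and detach the client first so the layer cannot call back at all.
struct HardenedCompositor : Compositor {
    ~HardenedCompositor() override {
        rootLayer->client = nullptr;
        rootLayer.reset();
    }
};

// Returns how many start() requests reached a destroyed timer during teardown.
int deadSchedulesAfterTeardown(bool hardened) {
    g_heap = TimerHeap();
    if (hardened) { HardenedCompositor c; } else { Compositor c; }
    return g_heap.deadSchedules;  // fragile: 1, hardened: 0
}
```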
Comment 1 Antti Koivisto 2013-06-27 11:58:33 PDT
<rdar://problem/14273910>
Comment 2 Antti Koivisto 2013-06-27 12:05:04 PDT
Created attachment 205624
patch
Comment 3 Antti Koivisto 2013-06-27 13:10:10 PDT
http://trac.webkit.org/changeset/152121