Bug 119818 (RESOLVED FIXED): [Windows] Test fails in DRT, succeeds in WinLauncher
https://bugs.webkit.org/show_bug.cgi?id=119818
Summary: [Windows] Test fails in DRT, succeeds in WinLauncher
Reported by Brent Fulgham, 2013-08-14 15:00:20 PDT
For some reason, the test "compositing/tiling/empty-to-tiled.html" crashes when run via DumpRenderTree, but works correctly inside WinLauncher. The crash happens because we encounter a CACFLayer in the PlatformCALayer::adoptSublayers call that does not have a PlatformCALayerWinInternal object attached to its UserData node. We dereference this null pointer and crash. The crashing callstack looks like this:
> WebKit.dll!WTF::VectorBufferBase<WebCore::StyleRule *>::buffer() Line 50 + 0xa bytes C++
WebKit.dll!WebCore::PlatformCALayer::platformLayer() Line 180 C++
WebKit.dll!WebCore::PlatformCALayerWinInternal::setSublayers(const WTF::Vector<WTF::RefPtr<WebCore::PlatformCALayer>,0,WTF::CrashOnOverflow> & list) Line 205 + 0x1a bytes C++
WebKit.dll!WebCore::PlatformCALayer::setSublayers(const WTF::Vector<WTF::RefPtr<WebCore::PlatformCALayer>,0,WTF::CrashOnOverflow> & list) Line 264 C++
WebKit.dll!WebCore::PlatformCALayer::adoptSublayers(WebCore::PlatformCALayer * source) Line 316 C++
WebKit.dll!WebCore::GraphicsLayerCA::swapFromOrToTiledLayer(bool useTiledLayer) Line 2706 C++
WebKit.dll!WebCore::GraphicsLayerCA::commitLayerChangesBeforeSublayers(WebCore::GraphicsLayerCA::CommitState & commitState, float pageScaleFactor, const WebCore::FloatPoint & positionRelativeToBase, const WebCore::FloatRect & oldVisibleRect) Line 1145 C++
WebKit.dll!WebCore::GraphicsLayerCA::recursiveCommitChanges(const WebCore::GraphicsLayerCA::CommitState & commitState, const WebCore::TransformState & state, float pageScaleFactor, const WebCore::FloatPoint & positionRelativeToBase, bool affectedByPageScale) Line 1064 C++
WebKit.dll!WebCore::GraphicsLayerCA::recursiveCommitChanges(const WebCore::GraphicsLayerCA::CommitState & commitState, const WebCore::TransformState & state, float pageScaleFactor, const WebCore::FloatPoint & positionRelativeToBase, bool affectedByPageScale) Line 1080 C++
WebKit.dll!WebCore::GraphicsLayerCA::recursiveCommitChanges(const WebCore::GraphicsLayerCA::CommitState & commitState, const WebCore::TransformState & state, float pageScaleFactor, const WebCore::FloatPoint & positionRelativeToBase, bool affectedByPageScale) Line 1080 C++
WebKit.dll!WebCore::GraphicsLayerCA::recursiveCommitChanges(const WebCore::GraphicsLayerCA::CommitState & commitState, const WebCore::TransformState & state, float pageScaleFactor, const WebCore::FloatPoint & positionRelativeToBase, bool affectedByPageScale) Line 1080 C++
WebKit.dll!WebCore::GraphicsLayerCA::recursiveCommitChanges(const WebCore::GraphicsLayerCA::CommitState & commitState, const WebCore::TransformState & state, float pageScaleFactor, const WebCore::FloatPoint & positionRelativeToBase, bool affectedByPageScale) Line 1080 C++
WebKit.dll!WebCore::GraphicsLayerCA::recursiveCommitChanges(const WebCore::GraphicsLayerCA::CommitState & commitState, const WebCore::TransformState & state, float pageScaleFactor, const WebCore::FloatPoint & positionRelativeToBase, bool affectedByPageScale) Line 1080 C++
WebKit.dll!WebCore::GraphicsLayerCA::flushCompositingState(const WebCore::FloatRect & clipRect) Line 893 C++
WebKit.dll!WebCore::RenderLayerCompositor::flushPendingLayerChanges(bool isFlushRoot) Line 399 C++
WebKit.dll!WebCore::FrameView::flushCompositingStateForThisFrame(WebCore::Frame * rootFrameForFlush) Line 938 C++
WebKit.dll!WebCore::FrameView::flushCompositingStateIncludingSubframes() Line 1038 + 0x17 bytes C++
WebKit.dll!WebView::flushPendingGraphicsLayerChanges() Line 6736 C++
WebKit.dll!WebCore::CACFLayerTreeHost::flushPendingLayerChangesNow() Line 296 C++
WebKit.dll!WebView::paint(HDC__ * dc, long options) Line 1066 C++
WebKit.dll!WebView::WebViewWndProc(HWND__ * hWnd, unsigned int message, unsigned int wParam, long lParam) Line 2189 C++
user32.dll!_InternalCallWinProc@20() + 0x23 bytes
user32.dll!_UserCallWinProcCheckWow@36() + 0xbd bytes
user32.dll!_CallWindowProcAorW@24() + 0x5d bytes
user32.dll!_CallWindowProcW@20() + 0x1c bytes
comctl32.dll!_CallOriginalWndProc@24() + 0x1a bytes
comctl32.dll!CallNextSubclassProc() + 0x92 bytes
comctl32.dll!TTSubclassProc() + 0x97 bytes
comctl32.dll!CallNextSubclassProc() + 0x92 bytes
comctl32.dll!MasterSubclassProc() + 0xa4 bytes
user32.dll!_InternalCallWinProc@20() + 0x23 bytes
user32.dll!_UserCallWinProcCheckWow@36() + 0x18d9 bytes
user32.dll!_SendMessageWorker@24() + 0x47b9 bytes
user32.dll!_SendMessageW@16() + 0x52 bytes
DumpRenderTree.dll!dump() Line 749 C++
DumpRenderTree.dll!FrameLoadDelegate::locationChangeDone(IWebError * __formal, IWebFrame * frame) Line 254 C++
DumpRenderTree.dll!FrameLoadDelegate::didFinishLoadForFrame(IWebView * webView, IWebFrame * frame) Line 264 C++
WebKit.dll!WebFrameLoaderClient::dispatchDidFinishLoad() Line 413 C++
WebKit.dll!WebCore::FrameLoader::checkLoadCompleteForThisFrame() Line 2197 C++
WebKit.dll!WebCore::FrameLoader::checkLoadComplete() Line 2363 + 0x24 bytes C++
WebKit.dll!WebCore::DocumentLoader::finishedLoading(double finishTime) Line 411 C++
WebKit.dll!WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource * resource) Line 345 C++
WebKit.dll!WebCore::CachedResource::checkNotify() Line 369 + 0x11 bytes C++
WebKit.dll!WebCore::CachedResource::finishLoading(WebCore::ResourceBuffer * __formal) Line 386 C++
WebKit.dll!WebCore::CachedRawResource::finishLoading(WebCore::ResourceBuffer * data) Line 95 C++
WebKit.dll!WebCore::SubresourceLoader::didFinishLoading(double finishTime) Line 284 C++
WebKit.dll!WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle * __formal, double finishTime) Line 489 C++
WebKit.dll!WebCore::didFinishLoading(_CFURLConnection * conn, const void * clientInfo) Line 263 C++
CFNetwork.dll!URLConnectionClient::_clientDidFinishLoading(URLConnectionClient::ClientConnectionEventQueue * preQ) Line 1739 + 0x13 bytes C++
CFNetwork.dll!URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<enum XClientEvent,XClientEventParams> * e, long count) Line 2256 C++
CFNetwork.dll!XConnectionEventQueue<enum XClientEvent,XClientEventParams>::processAllEvents() Line 231 C++
CFNetwork.dll!URLConnectionClient::processEvents() Line 362 C++
CFNetwork.dll!URLConnectionWndProc(HWND__ * hWnd, unsigned int message, unsigned int wParam, long lParam) Line 109 C++
user32.dll!_InternalCallWinProc@20() + 0x23 bytes
user32.dll!_UserCallWinProcCheckWow@36() + 0xbd bytes
user32.dll!_DispatchMessageWorker@8() + 0xf8 bytes
user32.dll!_DispatchMessageW@4() + 0x10 bytes
DumpRenderTree.dll!runTest(const std::basic_string<char,std::char_traits<char>,std::allocator<char> > & inputLine) Line 1134 C++
DumpRenderTree.dll!dllLauncherEntryPoint(int argc, const char * * argv) Line 1425 + 0x23 bytes C++
DumpRenderTree.exe!main(int argc, const char * * argv) Line 202 + 0xe bytes C++
DumpRenderTree.exe!__tmainCRTStartup() Line 555 + 0x17 bytes C
kernel32.dll!@BaseThreadInitThunk@12() + 0xe bytes
ntdll.dll!___RtlUserThreadStart@8() + 0x27 bytes
ntdll.dll!__RtlUserThreadStart@8() + 0x1b bytes

The same break position (in WinLauncher) is hit from a different starting point. In WinLauncher we are in the midst of a flush operation from the parent layers.

> WebKit.dll!WebCore::GraphicsLayerCA::swapFromOrToTiledLayer(bool useTiledLayer) Line 2696 C++
WebKit.dll!WebCore::GraphicsLayerCA::commitLayerChangesBeforeSublayers(WebCore::GraphicsLayerCA::CommitState & commitState, float pageScaleFactor, const WebCore::FloatPoint & positionRelativeToBase, const WebCore::FloatRect & oldVisibleRect) Line 1145 C++
WebKit.dll!WebCore::GraphicsLayerCA::recursiveCommitChanges(const WebCore::GraphicsLayerCA::CommitState & commitState, const WebCore::TransformState & state, float pageScaleFactor, const WebCore::FloatPoint & positionRelativeToBase, bool affectedByPageScale) Line 1064 C++
WebKit.dll!WebCore::GraphicsLayerCA::recursiveCommitChanges(const WebCore::GraphicsLayerCA::CommitState & commitState, const WebCore::TransformState & state, float pageScaleFactor, const WebCore::FloatPoint & positionRelativeToBase, bool affectedByPageScale) Line 1080 C++
WebKit.dll!WebCore::GraphicsLayerCA::recursiveCommitChanges(const WebCore::GraphicsLayerCA::CommitState & commitState, const WebCore::TransformState & state, float pageScaleFactor, const WebCore::FloatPoint & positionRelativeToBase, bool affectedByPageScale) Line 1080 C++
WebKit.dll!WebCore::GraphicsLayerCA::recursiveCommitChanges(const WebCore::GraphicsLayerCA::CommitState & commitState, const WebCore::TransformState & state, float pageScaleFactor, const WebCore::FloatPoint & positionRelativeToBase, bool affectedByPageScale) Line 1080 C++
WebKit.dll!WebCore::GraphicsLayerCA::recursiveCommitChanges(const WebCore::GraphicsLayerCA::CommitState & commitState, const WebCore::TransformState & state, float pageScaleFactor, const WebCore::FloatPoint & positionRelativeToBase, bool affectedByPageScale) Line 1080 C++
WebKit.dll!WebCore::GraphicsLayerCA::recursiveCommitChanges(const WebCore::GraphicsLayerCA::CommitState & commitState, const WebCore::TransformState & state, float pageScaleFactor, const WebCore::FloatPoint & positionRelativeToBase, bool affectedByPageScale) Line 1080 C++
WebKit.dll!WebCore::GraphicsLayerCA::flushCompositingState(const WebCore::FloatRect & clipRect) Line 893 C++
WebKit.dll!WebCore::RenderLayerCompositor::flushPendingLayerChanges(bool isFlushRoot) Line 399 C++
WebKit.dll!WebCore::FrameView::flushCompositingStateForThisFrame(WebCore::Frame * rootFrameForFlush) Line 938 C++
WebKit.dll!WebCore::FrameView::flushCompositingStateIncludingSubframes() Line 1038 + 0x17 bytes C++
WebKit.dll!WebView::flushPendingGraphicsLayerChanges() Line 6736 C++
WebKit.dll!WebCore::CACFLayerTreeHost::flushPendingLayerChangesNow() Line 296 C++
WebKit.dll!WebCore::LayerChangesFlusher::hookFired(int code, unsigned int wParam, long lParam) Line 93 + 0x1e bytes C++
WebKit.dll!WebCore::LayerChangesFlusher::hookCallback(int code, unsigned int wParam, long lParam) Line 78 + 0x18 bytes C++
user32.dll!_DispatchHookW@16() + 0x36 bytes
user32.dll!_CallHookWithSEH@16() + 0x25 bytes
user32.dll!___fnHkINLPMSG@4() + 0x51 bytes
ntdll.dll!_KiUserCallbackDispatcher@12() + 0x2e bytes
user32.dll!_PeekMessageW@20() + 0x11f bytes
CoreFoundation.dll!__CFRunLoopRun(__CFRunLoop * rl, __CFRunLoopMode * rlm, double seconds, unsigned char stopAfterHandle, __CFRunLoopMode * previousMode) Line 42286 + 0xf bytes C++
CoreFoundation.dll!CFRunLoopRunSpecific(__CFRunLoop * rl, const __CFString * modeName, double seconds, unsigned char returnAfterSourceHandled) Line 42413 + 0x12 bytes C++
CoreFoundation.dll!CFRunLoopRun() Line 42440 + 0x1d bytes C++
WinLauncher.dll!dllLauncherEntryPoint(HINSTANCE__ * __formal, HINSTANCE__ * __formal, HINSTANCE__ * __formal, int nCmdShow) Line 475 C++
WinLauncher.exe!004012ca()
[Frames below may be incorrect and/or missing, no symbols loaded for WinLauncher.exe]
ntdll.dll!_RtlpHeapAddListEntry@24() + 0xc16 bytes
ntdll.dll!@RtlpFreeHeap@16() + 0x20c bytes

I have two initial thoughts:
1. DRT is not properly setting up the run environment. Perhaps not using a CFRunLoop to handle Windows messages means that certain dispatch operations are not occurring, which we rely on to sync/flush our CALayers?
2. Maybe we have a bug in our CACFLayer setup code that is allowing a layer to be created with no "intern" member.
Attachments
Patch (1.47 KB, patch), 2013-08-15 18:11 PDT, Brent Fulgham, no flags
Patch (3.60 KB, patch), 2013-08-15 21:14 PDT, Brent Fulgham, no flags
Reactivate compositing/tiling/empty-to-tiled.html (2.62 KB, patch), 2013-08-15 21:18 PDT, Brent Fulgham, darin: review+
Brent Fulgham
Comment 1
2013-08-15 18:06:01 PDT
This happens when the large blank rectangle in the test is changed to something with a border. This causes us to switch from a plain layer with a color background to a tiled layer. When the switch from flat to tiled layers is made, the old "background color" layer is destroyed. However, a pointer to this destroyed layer is left in the parent containing layer. Later, when we switch to using a tiling layer, we attempt to grab the sublayers of the "flat" layer we are replacing. Unfortunately, the sole sublayer is a dangling pointer to our "destroyed" "background color" layer. When we attempt to dereference this NULL pointer we get a crash. The solution proposed in this bug is to remove the layer from its superlayer during the destruction process. We could also add null-pointer checking in the PlatformCALayerWinInternal::getSublayers method, but removing the sublayer prevents the corrupt entry from being present.
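To illustrate the lifetime problem Comment 1 describes and the fix it proposes (a layer removes itself from its superlayer while it is being destroyed), here is an added, simplified C++ model; it is not WebKit's PlatformCALayer code, and the Layer class, addSublayer and staleSublayerCountAfterChildDestroyed are names constructed for this example.

```cpp
#include <algorithm>
#include <cstddef>
#include <vector>

// Constructed model of a layer tree (not WebKit's PlatformCALayer): a parent keeps
// raw pointers to its sublayers while ownership lives elsewhere.
class Layer {
public:
    explicit Layer(bool removeFromSuperlayerOnDestroy)
        : m_removeOnDestroy(removeFromSuperlayerOnDestroy) {}
    ~Layer()
    {
        // The proposed fix: detach from the superlayer during destruction so the
        // parent's sublayer list never keeps a pointer to a destroyed layer.
        if (m_removeOnDestroy)
            removeFromSuperlayer();
    }
    void addSublayer(Layer* child)
    {
        child->m_superlayer = this;
        m_sublayers.push_back(child);
    }
    void removeFromSuperlayer()
    {
        if (!m_superlayer)
            return;
        std::vector<Layer*>& siblings = m_superlayer->m_sublayers;
        siblings.erase(std::remove(siblings.begin(), siblings.end(), this), siblings.end());
        m_superlayer = nullptr;
    }
    const std::vector<Layer*>& sublayers() const { return m_sublayers; }
private:
    Layer* m_superlayer = nullptr;
    std::vector<Layer*> m_sublayers;
    bool m_removeOnDestroy;
};

// Simulates the flat-to-tiled swap: the "background color" sublayer is destroyed,
// then the parent's sublayer list is read, as adoptSublayers does. Returns how many
// entries remain; without the fix that entry dangles, so it is counted, not dereferenced.
size_t staleSublayerCountAfterChildDestroyed(bool useFix)
{
    Layer parent(useFix);
    {
        Layer backgroundColorLayer(useFix);
        parent.addSublayer(&backgroundColorLayer);
    } // destroyed here, like the old flat layer's sublayer
    return parent.sublayers().size();
}
```

With the fix the parent's list is empty after the child dies; without it the list still holds one stale entry, which is exactly what adoptSublayers then dereferenced.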
Brent Fulgham
Comment 2
2013-08-15 18:11:37 PDT
Created attachment 208874 [details]: Patch
Radar WebKit Bug Importer
Comment 3
2013-08-15 18:12:24 PDT
<rdar://problem/14753069>
Simon Fraser (smfr)
Comment 4
2013-08-15 18:17:47 PDT
Comment on attachment 208874 [details]: Patch
You should re-enable tests at the same time!
Brent Fulgham
Comment 5
2013-08-15 21:14:32 PDT
Created attachment 208879 [details]: Patch
Brent Fulgham
Comment 6
2013-08-15 21:15:06 PDT
Comment on attachment 208879 [details]: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=208879&action=review
> Tools/ChangeLog:16
> +
Sigh.
Brent Fulgham
Comment 7
2013-08-15 21:18:30 PDT
Created attachment 208880 [details]: Reactivate compositing/tiling/empty-to-tiled.html
Brent Fulgham
Comment 8
2013-08-16 08:26:28 PDT
Committed r154180: <http://trac.webkit.org/changeset/154180>