The bug occurs on the flickr.com webpage: scroll down to the "Spectaculr" section, then scroll back up to the top of the page and click on "Sign in" (or any other link) -> Segmentation fault - the browser crashes.

The cause of the problem is that if an image becomes visible and then, after a while, becomes invisible, a clearContentsTimer starts. The Timer fires after 3 seconds. If the image becomes visible again within these 3 seconds, the Timer stops. If the 3 seconds elapse, the Timer fires. The CoordinatedImageBacking object which contains the Timer will call CompositingCoordinator::clearImageBackingContents, which will append its imageID to m_state.imagesToClear. After this, if you scroll or move the mouse over a link, the image will be cleared (because CoordinatedGraphicsScene::syncImageBackings calls CoordinatedGraphicsScene::clearImageBackingContents).

The segmentation fault occurs if the time between the image becoming invisible and moving the mouse over the link is less than 3 seconds. In this case the imageID is appended to m_state.imagesToClear, but it won't be cleared until you click on the link. But if you click on the link, the imageID is appended to m_state.imagesToRemove too. Then CoordinatedGraphicsScene::syncImageBackings calls CoordinatedGraphicsScene::removeImageBacking. This method removes the image from m_imageBackings, but then CoordinatedGraphicsScene::clearImageBackingContents is called and it wants to clear the image with the same ID that was removed before. This causes the segmentation fault.

I've found a possible fix: if CoordinatedGraphicsScene::removeImageBacking is called, it removes the current imageID from m_state.imagesToClear.
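The ordering problem described above, reduced to a stand-alone model (added example, not WebKit's own code): a scene owns image backings keyed by ID, pending state holds the clear and remove lists, and sync processes removals before clears. The class and member names mirror the report but the implementation is a simplification; `simulate()` returns whether every scheduled clear still found its backing, which the unfixed path fails.

```cpp
#include <algorithm>
#include <cstdint>
#include <unordered_map>
#include <vector>

using ImageID = uint32_t;

// Simplified stand-in for the backing object owned by the scene.
struct ImageBacking { bool cleared = false; };

// Pending requests accumulated between syncs (models m_state in the report).
struct State {
    std::vector<ImageID> imagesToClear;
    std::vector<ImageID> imagesToRemove;
};

class Scene {
public:
    ImageID createImageBacking() {
        ImageID id = m_nextID++;
        m_imageBackings[id] = ImageBacking{};
        return id;
    }
    // Returns false where the original would dereference a missing entry.
    bool clearImageBackingContents(ImageID id) {
        auto it = m_imageBackings.find(id);
        if (it == m_imageBackings.end()) return false; // stale ID: the crash site
        it->second.cleared = true;
        return true;
    }
    void removeImageBacking(ImageID id, bool fixed) {
        m_imageBackings.erase(id);
        if (fixed) { // proposed fix: drop the now-stale clear request
            auto& v = m_state.imagesToClear;
            v.erase(std::remove(v.begin(), v.end(), id), v.end());
        }
    }
    // Removals are processed before clears, as in the report.
    bool syncImageBackings(bool fixed) {
        for (ImageID id : m_state.imagesToRemove) removeImageBacking(id, fixed);
        m_state.imagesToRemove.clear();
        bool ok = true;
        for (ImageID id : m_state.imagesToClear) ok = clearImageBackingContents(id) && ok;
        m_state.imagesToClear.clear();
        return ok;
    }
    State m_state;
private:
    std::unordered_map<ImageID, ImageBacking> m_imageBackings;
    ImageID m_nextID = 1;
};

// Timer fired (clear queued), then the link click queued removal before any sync ran.
bool simulate(bool fixed) {
    Scene scene;
    ImageID id = scene.createImageBacking();
    scene.m_state.imagesToClear.push_back(id);
    scene.m_state.imagesToRemove.push_back(id);
    return scene.syncImageBackings(fixed);
}
```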
Created attachment 219308: proposed patch
Comment on attachment 219308 (proposed patch): r=me
Comment on attachment 219308 (proposed patch): Clearing flags on attachment: 219308. Committed r162329: <http://trac.webkit.org/changeset/162329>
All reviewed patches have been landed. Closing bug.