When a frame containing a WebGL context is detached, the WebGL context receives a call to stopActiveDOMObjects, which results in the WebGLRenderingContext::stop() method being called. This causes the underlying OpenGL context to be destroyed. If this destruction takes place as part of the replacement of a node with new HTML, this "in-destruction" node can be asked to adjust its style as part of layout. This causes RenderLayerBacking::updateGraphicsLayerConfiguration() to attempt to use the underlying OpenGL context, causing a crash. The simplest resolution would be the following change: Index: html/canvas/WebGLRenderingContext.cpp =================================================================== --- html/canvas/WebGLRenderingContext.cpp (revision 161907) +++ html/canvas/WebGLRenderingContext.cpp (working copy) @@ -4733,7 +4733,7 @@ #if USE(ACCELERATED_COMPOSITING) PlatformLayer* WebGLRenderingContext::platformLayer() const { - return m_context->platformLayer(); + return (m_context) ? m_context->platformLayer() : 0; } #endif However, this additional null check for every "platformLayer()" access might be too expensive.
Test coverage in webgl/conformance/textures/origin-clean-conformance.html.
<rdar://problem/8622625>
Created attachment 221089 [details] Patch
Committed r161924: <http://trac.webkit.org/changeset/161924>