willMoveToWebPage should be called with a null WebPage on WebPage teardown. Instead the PageOverlayController is just destroyed, which just destroys each overlay, and never notifies the PageOverlay::clients Here's a backtrace of what happens today to destroy a PageOverlay, and the willMoveToWebPage should've been called before that: #0 0x0000000114dcf0e0 in WebKit::PageOverlay::~PageOverlay() at /Volumes/Data/git/OpenSource/Source/WebKit2/WebProcess/WebPage/PageOverlay.cpp:64 #1 0x0000000114f552af in -[WKObject dealloc] at /Volumes/Data/git/OpenSource/Source/WebKit2/Shared/Cocoa/WKObject.mm:40 #2 0x00007fff8225768c in objc_object::sidetable_release(bool) () #3 0x000000011529ff64 in API::Object::deref() at /Volumes/Data/git/OpenSource/Source/WebKit2/Shared/Cocoa/APIObject.mm:67 #4 0x0000000114b33d0b in void WTF::derefIfNotNull<WebKit::PageOverlay>(WebKit::PageOverlay*) at /Volumes/Data/MyUser/build/Debug/usr/local/include/wtf/PassRefPtr.h:39 #5 0x0000000114b33cc8 in WTF::RefPtr<WebKit::PageOverlay>::~RefPtr() at /Volumes/Data/MyUser/build/Debug/usr/local/include/wtf/RefPtr.h:55 #6 0x0000000114b2f265 in WTF::RefPtr<WebKit::PageOverlay>::~RefPtr() at /Volumes/Data/MyUser/build/Debug/usr/local/include/wtf/RefPtr.h:55 #7 0x000000011503049f in WTF::VectorDestructor<true, WTF::RefPtr<WebKit::PageOverlay> >::destruct(WTF::RefPtr<WebKit::PageOverlay>*, WTF::RefPtr<WebKit::PageOverlay>*) at /Volumes/Data/MyUser/build/Debug/usr/local/include/wtf/Vector.h:56 #8 0x000000011503045d in WTF::VectorTypeOperations<WTF::RefPtr<WebKit::PageOverlay> >::destruct(WTF::RefPtr<WebKit::PageOverlay>*, WTF::RefPtr<WebKit::PageOverlay>*) at /Volumes/Data/MyUser/build/Debug/usr/local/include/wtf/Vector.h:220 #9 0x00000001150303c0 in WTF::Vector<WTF::RefPtr<WebKit::PageOverlay>, 0ul, WTF::CrashOnOverflow>::shrink(unsigned long) at /Volumes/Data/MyUser/build/Debug/usr/local/include/wtf/Vector.h:957 #10 0x0000000115030324 in WTF::Vector<WTF::RefPtr<WebKit::PageOverlay>, 0ul, WTF::CrashOnOverflow>::~Vector() at /Volumes/Data/MyUser/build/Debug/usr/local/include/wtf/Vector.h:596 #11 0x0000000115030165 in WTF::Vector<WTF::RefPtr<WebKit::PageOverlay>, 0ul, WTF::CrashOnOverflow>::~Vector() at /Volumes/Data/MyUser/build/Debug/usr/local/include/wtf/Vector.h:594 #12 0x000000011502ff61 in WebKit::PageOverlayController::~PageOverlayController() at /Volumes/Data/git/OpenSource/Source/WebKit2/WebProcess/WebPage/PageOverlayController.h:45 #13 0x000000011502c625 in WebKit::PageOverlayController::~PageOverlayController() at /Volumes/Data/git/OpenSource/Source/WebKit2/WebProcess/WebPage/PageOverlayController.h:45 #14 0x00000001150dd98b in WebKit::WebPage::~WebPage() at /Volumes/Data/git/OpenSource/Source/WebKit2/WebProcess/WebPage/WebPage.cpp:529 #15 0x00000001150de395 in WebKit::WebPage::~WebPage() at /Volumes/Data/git/OpenSource/Source/WebKit2/WebProcess/WebPage/WebPage.cpp:489
This is pretty bad because there's no guarantee that PageOverlay clients don't outlive the page, and then they'll have dangling PageOverlay pointers.
(In reply to comment #1) > This is pretty bad because there's no guarantee that PageOverlay clients don't outlive the page, and then they'll have dangling PageOverlay pointers. Yup.