Bug 140455 - [Win] Crashes due to invalid RenderLayer::m_enclosingPaginationLayer
Summary: [Win] Crashes due to invalid RenderLayer::m_enclosingPaginationLayer
Status: RESOLVED DUPLICATE of bug 135514
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering (show other bugs)
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Importance: P2 Normal
Assignee: Nobody
URL: InRadar
Keywords:
Depends on: 135514
Blocks:
Reported: 2015-01-14 10:48 PST by Brent Fulgham
Modified: 2015-01-15 13:40 PST (History)
CC List: 4 users

See Also:


Attachments
Some dump analysis. (21.02 KB, application/octet-stream)
2015-01-14 11:53 PST, Brent Fulgham

Description Brent Fulgham 2015-01-14 10:48:33 PST
I have found that a number of layout tests are crashing on Windows in release builds because the RenderLayer's m_enclosingPaginationLayer is invalid.

Debugging indicates the following:

1. In RenderLayer::updatePagination(), the RenderLayer sets its m_enclosingPaginationLayer to the result of parent()->enclosingPaginationLayer(IncludeCompositedPaginatedLayers). This is a valid RenderLayer.
2. Later, the RenderLayer we assigned in the first step is deleted during a later stage of layout.
3. RenderLayer::m_enclosingPaginationLayer is not set to nullptr, and becomes a dangling pointer.
4. Later, RenderLayer::hasCompositedLayerInEnclosingPaginationChain() is called, which attempts to call 'isComposited' through the garbage m_enclosingPaginationLayer.

The issue seems to be that the destruction of the RenderLayer referenced by m_enclosingPaginationLayer is not communicated back to the RenderLayer holding this pointer, so it doesn't know that the value is invalid.
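The lifetime problem described above, as an added illustration (not WebKit's code): a minimal stand-in class called Layer with a raw m_enclosingPaginationLayer back-pointer, plus one hardening where the referenced layer tracks who points at it and resets those pointers in its destructor, so step 4 sees nullptr instead of garbage. The class, method and field names are assumptions modelled on the ones named in the report.

```cpp
#include <unordered_set>
// Stand-in for RenderLayer (added illustration, not WebKit's code).
class Layer {
public:
    explicit Layer(bool composited = false) : m_composited(composited) {}
    // Hardening: on destruction, reset every back-pointer that targets this
    // layer, so no m_enclosingPaginationLayer is left dangling (report step 3).
    ~Layer() {
        for (Layer* dependent : m_dependents)
            dependent->m_enclosingPaginationLayer = nullptr;
        if (m_enclosingPaginationLayer)
            m_enclosingPaginationLayer->m_dependents.erase(this);
    }
    // Stand-in for updatePagination(): store the pointer and register with the
    // target so it can notify us when it is destroyed.
    void setEnclosingPaginationLayer(Layer* layer) {
        if (m_enclosingPaginationLayer)
            m_enclosingPaginationLayer->m_dependents.erase(this);
        m_enclosingPaginationLayer = layer;
        if (layer)
            layer->m_dependents.insert(this);
    }
    Layer* enclosingPaginationLayer() const { return m_enclosingPaginationLayer; }
    bool isComposited() const { return m_composited; }
    // Stand-in for hasCompositedLayerInEnclosingPaginationChain(); with the
    // destructor above every pointer in the chain is valid or nullptr.
    bool hasCompositedLayerInEnclosingPaginationChain() const {
        for (const Layer* l = m_enclosingPaginationLayer; l; l = l->m_enclosingPaginationLayer)
            if (l->isComposited())
                return true;
        return false;
    }

private:
    bool m_composited;
    Layer* m_enclosingPaginationLayer = nullptr; // raw back-pointer, as in the report
    std::unordered_set<Layer*> m_dependents;     // layers whose back-pointer targets us
};

// Replays the report's sequence: assign (step 1), delete the target (step 2),
// query the chain (step 4). True if the query ran on a cleared pointer.
bool enclosingLayerClearedOnDestruction() {
    Layer child;
    Layer* pagination = new Layer(/*composited=*/true);
    child.setEnclosingPaginationLayer(pagination);
    bool chainBefore = child.hasCompositedLayerInEnclosingPaginationChain();
    delete pagination;
    return chainBefore && !child.enclosingPaginationLayer()
        && !child.hasCompositedLayerInEnclosingPaginationChain();
}
```

Without the registration and destructor reset, the same sequence leaves child holding a freed pointer, which is exactly what the crash in hasCompositedLayerInEnclosingPaginationChain() dereferences.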
Comment 1 Simon Fraser (smfr) 2015-01-14 10:59:17 PST
Smells like rdar://problem/17873488
Comment 2 Brent Fulgham 2015-01-14 11:23:54 PST
I wonder if this is only hit in WK1?
Comment 3 Brent Fulgham 2015-01-14 11:28:53 PST
I am seeing this with the test "fast/dynamic/layer-no-longer-paginated.html"
Comment 4 Brent Fulgham 2015-01-14 11:53:03 PST
Created attachment 244627
Some dump analysis.
Comment 5 Simon Fraser (smfr) 2015-01-14 12:02:30 PST
This is exactly rdar://problem/17873488
Comment 6 Brent Fulgham 2015-01-14 13:30:29 PST
*** This bug has been marked as a duplicate of bug 135514 ***