Bug 148442 - Fix crash due to animationDidEnd called on deallocated RemoteLayerTreeHost
Summary: Fix crash due to animationDidEnd called on deallocated RemoteLayerTreeHost
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc. (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2015-08-25 13:09 PDT by Wenson Hsieh
Modified: 2015-08-26 14:55 PDT (History)
3 users (show)

See Also:

Attachments
Test case that reproduces the bug (872 bytes, application/zip)
2015-08-26 13:35 PDT, Wenson Hsieh 		no flags Details
Patch (1.78 KB, patch)
2015-08-26 13:41 PDT, Wenson Hsieh 		no flags Details | Formatted Diff | Diff
Patch (1.80 KB, patch)
2015-08-26 14:05 PDT, Wenson Hsieh 		no flags Details | Formatted Diff | Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Wenson Hsieh 2015-08-25 13:09:20 PDT 
WebKit may crash when calling -[PlatformCAAnimationRemote animationDidStop] if the PlatformCAAnimationRemote's layer tree host has been deallocated.
Comment 1 Wenson Hsieh 2015-08-25 13:10:18 PDT 
<rdar://problem/21609257>
Comment 2 Wenson Hsieh 2015-08-26 13:33:50 PDT 
Reproducible nearly 100% of the time -- visit http://whsieh.github.io/examples/layerhost-crash.html and click the link. Works best when running an iOS simulator on a debug build where you can see the stack trace upon the crash.
Comment 3 Wenson Hsieh 2015-08-26 13:35:17 PDT 
Created attachment 259975 [details]
Test case that reproduces the bug

Click the link to open a new tab. The new tab will crash while exiting.
Comment 4 Wenson Hsieh 2015-08-26 13:41:53 PDT 
Created attachment 259977 [details]
Patch
Comment 5 Tim Horton 2015-08-26 13:48:31 PDT 
Comment on attachment 259977 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=259977&action=review

> Source/WebKit2/UIProcess/mac/RemoteLayerTreeHost.mm:145
>      m_layers.remove(layerID);

1) You can do the hash table lookup only once.

2) Should you also cover the case in clearLayers()?
Comment 6 Wenson Hsieh 2015-08-26 13:57:44 PDT 
Comment on attachment 259977 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=259977&action=review

>> Source/WebKit2/UIProcess/mac/RemoteLayerTreeHost.mm:145
>>      m_layers.remove(layerID);
> 
> 1) You can do the hash table lookup only once.
> 
> 2) Should you also cover the case in clearLayers()?

1. Good point. Fixed.

2. clearLayers is only invoked in the destructor of RemoteLayerTreeHost, which ensures that all animation delegates are first invalidated. It might be better to lift the invalidation logic from ~RemoteLayerTreeHost to clearLayers() instead though.
Comment 7 Tim Horton 2015-08-26 14:00:18 PDT 
(In reply to comment #6)
> Comment on attachment 259977 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=259977&action=review
> 
> >> Source/WebKit2/UIProcess/mac/RemoteLayerTreeHost.mm:145
> >>      m_layers.remove(layerID);
> > 
> > 1) You can do the hash table lookup only once.
> > 
> > 2) Should you also cover the case in clearLayers()?
> 
> 1. Good point. Fixed.
> 
> 2. clearLayers is only invoked in the destructor of RemoteLayerTreeHost,
> which ensures that all animation delegates are first invalidated. It might
> be better to lift the invalidation logic from ~RemoteLayerTreeHost to
> clearLayers() instead though.

Ah! No, that's probably fine. OK.
Comment 8 Wenson Hsieh 2015-08-26 14:05:58 PDT 
Created attachment 259980 [details]
Patch
Comment 9 Tim Horton 2015-08-26 14:07:38 PDT 
Please consider making your test a layout test (it seems like a pretty easy one).
Comment 10 WebKit Commit Bot 2015-08-26 14:54:57 PDT 
Comment on attachment 259980 [details]
Patch

Clearing flags on attachment: 259980

Committed r188991: <http://trac.webkit.org/changeset/188991>
Comment 11 WebKit Commit Bot 2015-08-26 14:55:01 PDT 
All reviewed patches have been landed.  Closing bug.