159922 – [Threaded Compositor] Web Process crash when the layer tree host is destroyed

Bug 159922 - [Threaded Compositor] Web Process crash when the layer tree host is destroyed

Summary: [Threaded Compositor] Web Process crash when the layer tree host is destroyed

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	WebKit2 (show other bugs)
Version:	WebKit Local Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:

Depends on:
Blocks:	154066
	Show dependency tree / graph

Reported:	2016-07-19 08:30 PDT by Carlos Garcia Campos
Modified:	2016-07-20 05:18 PDT (History)
CC List:	0 users

See Also:

Attachments
Patch (5.09 KB, patch) 2016-07-19 08:34 PDT, Carlos Garcia Campos	svillar: review+	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Carlos Garcia Campos 2016-07-19 08:30:47 PDT

It happens when the layer tree host is destroyed after the didChangeVisibleRect is scheduled to be run in the main thread, but before it's actually dispatched. In that case the threaded compositor client points to a deleted object and crashes when trying to dereference it.

Comment 1 Carlos Garcia Campos 2016-07-19 08:34:06 PDT

Created attachment 284007 [details]
Patch

Comment 2 Sergio Villar Senin 2016-07-20 01:07:09 PDT

Comment on attachment 284007 [details]
Patch

Don't we have a test to reproduce the crash?

Comment 3 Carlos Garcia Campos 2016-07-20 01:09:58 PDT

(In reply to comment #2)
> Comment on attachment 284007 [details]
> Patch
> 
> Don't we have a test to reproduce the crash?

Yes, several tests crashed because of this, I found this issue running the layout tests indeed, but I don't remember which tests failed. Same for bug #159918

Comment 4 Carlos Garcia Campos 2016-07-20 05:18:43 PDT

Committed r203449: <http://trac.webkit.org/changeset/203449>