RESOLVED INVALID 75000
[Qt][WK2] Crash in ~WebGraphicsLayer when running fast/multicol/pagination-* tests
https://bugs.webkit.org/show_bug.cgi?id=75000
Balazs Kelemen
Reported 2011-12-21 01:50:03 PST
WebKitTestRunner LayoutTests/fast/multicol/pagination-*.html

It's not clear which test will crash. Running them separately does not reproduce it. We also have an assertion with these tests but it seems like a different bug: https://bugs.webkit.org/show_bug.cgi?id=74999
I did a debug build with ASSERT_DISABLED to avoid hitting the assert.

Backtrace:
#0  0x00007ffff5a32db5 in WebCore::WebGraphicsLayer::~WebGraphicsLayer (this=0x6ad6c0, __in_chrg=<optimized out>) at /home/balazs/WebKitGit/Source/WebKit2/WebProcess/WebCoreSupport/WebGraphicsLayer.cpp:100
#1  0x00007ffff5a32f12 in WebCore::WebGraphicsLayer::~WebGraphicsLayer (this=0x6ad6c0, __in_chrg=<optimized out>) at /home/balazs/WebKitGit/Source/WebKit2/WebProcess/WebCoreSupport/WebGraphicsLayer.cpp:101
#2  0x00007ffff58847b2 in WTF::deleteOwnedPtr<WebCore::GraphicsLayer> (ptr=0x6ad6c0) at /home/balazs/WebKitGit/Source/JavaScriptCore/wtf/OwnPtrCommon.h:53
#3  0x00007ffff5a65140 in WTF::OwnPtr<WebCore::GraphicsLayer>::clear (this=0x7268d8) at /home/balazs/WebKitGit/Source/JavaScriptCore/wtf/OwnPtr.h:100
#4  0x00007ffff5a64b76 in WTF::OwnPtr<WebCore::GraphicsLayer>::operator= (this=0x7268d8) at /home/balazs/WebKitGit/Source/JavaScriptCore/wtf/OwnPtr.h:73
#5  0x00007ffff6317625 in WebCore::RenderLayerBacking::destroyGraphicsLayers (this=0x7268c0) at /home/balazs/WebKitGit/Source/WebCore/rendering/RenderLayerBacking.cpp:162
#6  0x00007ffff631719c in WebCore::RenderLayerBacking::~RenderLayerBacking (this=0x7268c0, __in_chrg=<optimized out>) at /home/balazs/WebKitGit/Source/WebCore/rendering/RenderLayerBacking.cpp:117
#7  0x00007ffff631732a in WebCore::RenderLayerBacking::~RenderLayerBacking (this=0x7268c0, __in_chrg=<optimized out>) at /home/balazs/WebKitGit/Source/WebCore/rendering/RenderLayerBacking.cpp:118
#8  0x00007ffff63130ce in WTF::deleteOwnedPtr<WebCore::RenderLayerBacking> (ptr=0x7268c0) at /home/balazs/WebKitGit/Source/JavaScriptCore/wtf/OwnPtrCommon.h:53
#9  0x00007ffff6312d5a in WTF::OwnPtr<WebCore::RenderLayerBacking>::clear (this=0x755188) at /home/balazs/WebKitGit/Source/JavaScriptCore/wtf/OwnPtr.h:100
#10 0x00007ffff630f718 in WebCore::RenderLayer::clearBacking (this=0x755068) at /home/balazs/WebKitGit/Source/WebCore/rendering/RenderLayer.cpp:3936
#11 0x00007ffff62fea2e in WebCore::RenderLayer::~RenderLayer (this=0x755068, __in_chrg=<optimized out>) at /home/balazs/WebKitGit/Source/WebCore/rendering/RenderLayer.cpp:224
#12 0x00007ffff62feba8 in WebCore::RenderLayer::~RenderLayer (this=0x755068, __in_chrg=<optimized out>) at /home/balazs/WebKitGit/Source/WebCore/rendering/RenderLayer.cpp:234
#13 0x00007ffff6301a9e in WebCore::RenderLayer::destroy (this=0x755068, renderArena=0x75c5a0) at /home/balazs/WebKitGit/Source/WebCore/rendering/RenderLayer.cpp:1088
#14 0x00007ffff62b4f66 in WebCore::RenderBoxModelObject::destroyLayer (this=0x6e2888) at /home/balazs/WebKitGit/Source/WebCore/rendering/RenderBoxModelObject.cpp:273
#15 0x00007ffff6340c6d in WebCore::RenderObject::willBeDestroyed (this=0x6e2888) at /home/balazs/WebKitGit/Source/WebCore/rendering/RenderObject.cpp:2237
#16 0x00007ffff62b4fa9 in WebCore::RenderBoxModelObject::willBeDestroyed (this=0x6e2888) at /home/balazs/WebKitGit/Source/WebCore/rendering/RenderBoxModelObject.cpp:287
#17 0x00007ffff62a2252 in WebCore::RenderBox::willBeDestroyed (this=0x6e2888) at /home/balazs/WebKitGit/Source/WebCore/rendering/RenderBox.cpp:267
#18 0x00007ffff6255e5d in WebCore::RenderBlock::willBeDestroyed (this=0x6e2888) at /home/balazs/WebKitGit/Source/WebCore/rendering/RenderBlock.cpp:204
#19 0x00007ffff6340c99 in WebCore::RenderObject::destroy (this=0x6e2888) at /home/balazs/WebKitGit/Source/WebCore/rendering/RenderObject.cpp:2243
#20 0x00007ffff5d32a75 in WebCore::Document::detach (this=0x76c530) at /home/balazs/WebKitGit/Source/WebCore/dom/Document.cpp:1870

Well, it's a bit confusing (for example ~RenderLayerBacking seems to call itself, which cannot happen in reality). But at least it is sure that something is not ok with the WebGraphicsLayer object's m_layerTreeTileClient member:

(gdb) p *m_layerTreeTileClient
$12 = {
  _vptr.WebLayerTreeTileClient = 0x4545454545454545
}

Does this pattern say something to you?
Attachments
Patch (3.91 KB, patch)
2011-12-21 09:43 PST, Balazs Kelemen
no flags
Patch (2.36 KB, patch)
2011-12-21 10:04 PST, Balazs Kelemen
no flags
Balazs Kelemen
Comment 1 2011-12-21 01:52:07 PST
*** Bug 74511 has been marked as a duplicate of this bug. ***
Balazs Kelemen
Comment 2 2011-12-21 09:43:34 PST
Balazs Kelemen
Comment 3 2011-12-21 09:48:23 PST
It's a freed object dereferencing bug.
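As an added illustration of the bug class named in comment 3 (an object deleted while another object still holds a raw pointer to it), not code from WebKit and not the patch attached to this bug: a toy layer/client pair written in the fragile shape, beside one where the client detaches from every layer that references it before it dies. All names here (TileClient, Layer, attach/detach, clearClient) are hypothetical. A repeating byte pattern such as the 0x45 fill in the report's gdb output is characteristic of a debug allocator that scribbles freed memory so that stale reads become visible; which component wrote it in this case is not stated in the report.

```cpp
// Illustration of a dangling back-pointer (use of a freed object), added here as an
// example; not WebKit code. All type and function names are hypothetical.
#include <cassert>
#include <cstdio>
#include <memory>
#include <set>

namespace dangling {
// Fragile shape: the layer keeps a raw pointer to its client and has no way
// to learn that the client has already been destroyed.
struct TileClient {
    int tilesRequested = 0;
    void requestTile() { ++tilesRequested; }
};

struct Layer {
    TileClient* m_client = nullptr;
    ~Layer() {
        // If the client died first, this reads freed memory (the vtable in a
        // polymorphic client would show an allocator fill pattern, as in the report).
        if (m_client)
            m_client->requestTile();
    }
};
} // namespace dangling

namespace hardened {
class Layer;

// The client records which layers reference it and clears their back-pointers
// in its destructor, so no layer can outlive the client while still pointing at it.
class TileClient {
public:
    ~TileClient();
    void attach(Layer* layer) { m_layers.insert(layer); }
    void detach(Layer* layer) { m_layers.erase(layer); }
    void requestTile() { ++tilesRequested; }
    int tilesRequested = 0;
private:
    std::set<Layer*> m_layers;
};

class Layer {
public:
    explicit Layer(TileClient* client) : m_client(client) {
        if (m_client)
            m_client->attach(this);
    }
    ~Layer() {
        if (m_client) {
            m_client->requestTile();
            m_client->detach(this); // normal ordering: layer dies first, unregister
        }
    }
    void clearClient() { m_client = nullptr; }
    bool hasClient() const { return m_client != nullptr; }
private:
    TileClient* m_client;
};

TileClient::~TileClient() {
    for (Layer* layer : m_layers)
        layer->clearClient(); // reverse ordering: tell every layer we are gone
}
} // namespace hardened

// Client destroyed before the layer that references it (the ordering in the report).
// With the hardened shape the layer is told, so its destructor skips the client.
bool hardenedLayerSurvivesClientDestruction() {
    auto client = std::make_unique<hardened::TileClient>();
    hardened::Layer layer(client.get());
    client.reset();
    return !layer.hasClient();
}

// Normal ordering: the layer is destroyed first and its final tile request is counted.
int hardenedNormalOrderTileRequests() {
    hardened::TileClient client;
    { hardened::Layer layer(&client); }
    return client.tilesRequested; // 1
}

// Fragile shape: after the client is destroyed the layer still holds a non-null
// pointer. The pointer is disarmed before ~Layer runs so this demo itself never
// dereferences freed memory.
bool danglingLayerKeepsStalePointer() {
    dangling::Layer layer;
    {
        dangling::TileClient client;
        layer.m_client = &client;
    } // client destroyed here; layer.m_client now dangles
    bool stale = layer.m_client != nullptr;
    layer.m_client = nullptr;
    return stale;
}

int main() {
    std::printf("hardened, client dies first, layer detached: %d\n", hardenedLayerSurvivesClientDestruction());
    std::printf("hardened, normal order, tile requests: %d\n", hardenedNormalOrderTileRequests());
    std::printf("dangling, stale pointer left behind: %d\n", danglingLayerKeepsStalePointer());
    return 0;
}
```

The point of the hardened shape is that ownership and referencing are made symmetric: whichever side is destroyed first informs the other. Running a debug build under an allocator that poisons freed memory, or under AddressSanitizer, turns the silent stale read in the fragile shape into an immediate, attributable report.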
Balazs Kelemen
Comment 4 2011-12-21 10:04:30 PST
Created attachment 120187: Patch

Ergh, I forgot that these tests are still asserting in debug (but this is another issue, see bug 42408).
Balazs Kelemen
Comment 5 2011-12-21 10:05:37 PST
> Ergh, I forgot that these tests are still asserting in debug (but this is another issue, see bug 42408).

D'oh, it is bug 74999.
Noam Rosenthal
Comment 6 2012-02-09 06:42:34 PST
I think this should be fixed in r107236.
Balazs Kelemen
Comment 7 2012-02-09 06:59:57 PST
(In reply to comment #6)
> I think this should be fixed in r107236.

Sorry, I forgot to mention that I landed this.
Balazs Kelemen
Comment 8 2012-02-09 07:03:56 PST
(In reply to comment #7)
> (In reply to comment #6)
> > I think this should be fixed in r107236.
>
> Sorry, I forgot to mention that I landed this.

Which caused a memory leak fixed in http://trac.webkit.org/changeset/104370.