Created attachment 138546 [details] Patch

Looks good, nice catch. One small comment: is there a named constant you could use instead of -1?

Thanks for the review. > One small comment: is there a named constant you could use instead of -1? I wondered about the same and found out that -1 seems to be generally used as the "null" layer id in the Chromium compositor code. I guess it would be worth replacing those with a named constant, but I did not want to go there with this particular crash fix.

Comment on attachment 138546 [details] Patch If this wasn't a crash fix, I'd say you should fix the -1 in this patch, but I'd like to get this fixed sooner rather than later. Can you file a bug for changing -1 to a constant and assign it to yourself?

Comment on attachment 138546 [details] Patch Argh, bit by the releaseRootLayer feature AGAIN!

(In reply to comment #4) > (From update of attachment 138546 [details]) > If this wasn't a crash fix, I'd say you should fix the -1 in this patch, but I'd like to get this fixed sooner rather than later. Can you file a bug for changing -1 to a constant and assign it to yourself? Sure, done: https://bugs.webkit.org/show_bug.cgi?id=84737

(In reply to comment #5) > Argh, bit by the releaseRootLayer feature AGAIN! It's a treacherous thing :( I think this particular bug would have been caught by running webkit_unit_tests with Valgrind -- any reason why we're not doing that?

Comment on attachment 138546 [details] Patch Clearing flags on attachment: 138546 Committed r115080: <http://trac.webkit.org/changeset/115080>

All reviewed patches have been landed. Closing bug.