88815 – [chromium] Don't crash when m_private->layerTreeHost()->context() is NULL

RESOLVED FIXED 88815

[chromium] Don't crash when m_private->layerTreeHost()->context() is NULL

https://bugs.webkit.org/show_bug.cgi?id=88815

Summary [chromium] Don't crash when m_private->layerTreeHost()->context() is NULL

Ami Fischman

Reported 2012-06-11 15:39:22 PDT

I think r119313 introduced a crasher; see backtrace below. Fix seems simple enough: return 0 if !m_private->layerTreeHost()->context(). I'll upload a patch. (gdb) bt #0 0x00007f2cb89daa32 in WTF::RefPtr<WebCore::GraphicsContext3D>::get (this=0x20) at ../../third_party/WebKit/Source/WTF/wtf/RefPtr.h:58 #1 0x00007f2cb89da8ea in WebCore::CCGraphicsContext::context3D (this=0x0) at ../../third_party/WebKit/Source/WebCore/platform/graphics/chromium/cc/CCGraphicsContext.h:47 #2 0x00007f2cb89da874 in WebKit::WebLayerTreeView::context (this=0x7f2cb496faf8) at ../../third_party/WebKit/Source/WebKit/chromium/src/WebLayerTreeView.cpp:170 #3 0x00007f2cb8a17096 in WebKit::WebViewImpl::graphicsContext3D (this=0x7f2cb496f880) at ../../third_party/WebKit/Source/WebKit/chromium/src/WebViewImpl.cpp:3659 #4 0x00007f2cc083065a in RenderViewImpl::createMediaPlayer (this=0x7f2cae18d000, frame=0x7f2cad4d6e00, client=0x7f2cac8a43d0) at ../../content/renderer/render_view_impl.cc:2369 #5 0x00007f2cb89db5bb in WebKit::createWebMediaPlayer (client=0x7f2cac8a43d0, frame=0x7f2caccb6000) at ../../third_party/WebKit/Source/WebKit/chromium/src/WebMediaPlayerClientImpl.cpp:56 #6 0x00007f2cb89dc77f in WebKit::WebMediaPlayerClientImpl::loadInternal (this=0x7f2cac8a43c0) at ../../third_party/WebKit/Source/WebKit/chromium/src/WebMediaPlayerClientImpl.cpp:314 #7 0x00007f2cb89dc6ad in WebKit::WebMediaPlayerClientImpl::load (this=0x7f2cac8a43c0, url=...) at ../../third_party/WebKit/Source/WebKit/chromium/src/WebMediaPlayerClientImpl.cpp:303 #8 0x00007f2cb975d18f in WebCore::MediaPlayer::loadWithNextMediaEngine(WebCore::MediaPlayerFactory*) () from /home/fischman/chrome_root/src/out_lumpy/Debug/lib/libwebkit.so #9 0x00007f2cb975cea0 in WebCore::MediaPlayer::load(WebCore::KURL const&, WebCore::ContentType const&, WTF::String const&) () from /home/fischman/chrome_root/src/out_lumpy/Debug/lib/libwebkit.so #10 0x00007f2cba03db3e in WebCore::HTMLMediaElement::loadResource(WebCore::KURL const&, WebCore::ContentType&, WTF::String const&) () from /home/fischman/chrome_root/src/out_lumpy/Debug/lib/libwebkit.so #11 0x00007f2cba03d45d in WebCore::HTMLMediaElement::selectMediaResource() () from /home/fischman/chrome_root/src/out_lumpy/Debug/lib/libwebkit.so #12 0x00007f2cba03d135 in WebCore::HTMLMediaElement::loadInternal() () from /home/fischman/chrome_root/src/out_lumpy/Debug/lib/libwebkit.so #13 0x00007f2cba03cc15 in WebCore::HTMLMediaElement::load(int&) () from /home/fischman/chrome_root/src/out_lumpy/Debug/lib/libwebkit.so #14 0x00007f2cba308522 in WebCore::HTMLMediaElementV8Internal::loadCallback(v8::Arguments const&) () from /home/fischman/chrome_root/src/out_lumpy/Debug/lib/libwebkit.so #15 0x00007f2cbef531b3 in v8::internal::HandleApiCallHelper<false> (args=..., isolate=0x7f2cb48b9000) at ../../v8/src/builtins.cc:1145 #16 0x00007f2cbef4d54c in v8::internal::Builtin_Impl_HandleApiCall (args=..., isolate=0x7f2cb48b9000) at ../../v8/src/builtins.cc:1162 #17 0x00007f2cbef4d51d in v8::internal::Builtin_HandleApiCall (args=..., isolate=0x7f2cb48b9000) at ../../v8/src/builtins.cc:1161

Attachments
Patch (1.54 KB, patch) 2012-06-11 15:40 PDT, Ami Fischman	no flags	Details Formatted Diff Diff
Patch (1.56 KB, patch) 2012-06-11 15:47 PDT, Ami Fischman	no flags	Details Formatted Diff Diff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.

Ami Fischman

Comment 1 2012-06-11 15:40:11 PDT

Created attachment 146934 [details] Patch

James Robinson

Comment 2 2012-06-11 15:41:31 PDT

Comment on attachment 146934 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=146934&action=review Test? In what situation is ->context() NULL? > Source/WebKit/chromium/src/WebLayerTreeView.cpp:171 > + WebCore::CCGraphicsContext* c = m_private->layerTreeHost()->context(); > + if (!c) we don't use one-letter variable names in WebKit (probably because we don't have an 80 column limit), please give this a better name. Perhaps "context" ?

Ami Fischman

Comment 3 2012-06-11 15:47:40 PDT

Created attachment 146939 [details] Patch

Ami Fischman

Comment 4 2012-06-11 15:47:59 PDT

(In reply to comment #2) > (From update of attachment 146934 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=146934&action=review > > Test? In what situation is ->context() NULL? I don't know. I was hoping the backtrace in the bug report would be enough for you to divine what's gone wrong. > > Source/WebKit/chromium/src/WebLayerTreeView.cpp:171 > > + WebCore::CCGraphicsContext* c = m_private->layerTreeHost()->context(); > > + if (!c) > > we don't use one-letter variable names in WebKit (probably because we don't have an 80 column limit), please give this a better name. Perhaps "context" ? I dispute that "context" is any clearer in this context, but done ;)

James Robinson

Comment 5 2012-06-11 17:16:01 PDT

Comment on attachment 146939 [details] Patch Looking more closely it seems quite reasonable that we would get here and extractWeb...() handles a null parameter fine, but we need a test to avoid regressing this (if we had one then we wouldn't have broken this in r119313)

Ami Fischman

Comment 6 2012-06-11 19:31:41 PDT

(In reply to comment #5) > (From update of attachment 146939 [details]) > Looking more closely it seems quite reasonable that we would get here and extractWeb...() handles a null parameter fine, but we need a test to avoid regressing this (if we had one then we wouldn't have broken this in r119313) Since you understand this stuff 10000x better than me can you suggest a useful test scenario that'd hit this case? (obvs I could construct a mock something to tickle the codepath, but that doesn't seem very useful)

Ami Fischman

Comment 7 2012-06-14 22:50:50 PDT

James/Alexandre: ping? Can you make a concrete suggestion for testing (comment #6), or r+ this without test? (I think we all agree this is a uniformly-positive change to the codebase, what with the not crashing and all).

James Robinson

Comment 8 2012-06-15 14:21:52 PDT

With the fix for http://code.google.com/p/chromium/issues/detail?id=129103 is this still relevant?

Ami Fischman

Comment 9 2012-06-15 14:46:05 PDT

(In reply to comment #8) > With the fix for http://code.google.com/p/chromium/issues/detail?id=129103 is this still relevant? Reverting the proposed patch locally, I no longer see the crashes (which were intermittent before). Are you comfortable asserting m_private->layerTreeHost()->context() is never NULL?

James Robinson

Comment 10 2012-06-15 14:50:52 PDT

When that patch lands I'm more comfortable deleting the getter that lets you hit this codepath :)

Ami Fischman

Comment 11 2012-06-15 14:52:14 PDT

(In reply to comment #10) > When that patch lands I'm more comfortable deleting the getter that lets you hit this codepath :) SGTM!

James Robinson

Comment 12 2012-06-15 16:08:43 PDT

I've got patches on the way to remove WebView::graphicsContext3D() which I think will make this crash impossible.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version 528+ (Nightly build)

Hardware Unspecified

OS Unspecified

Product WebKit

Component New Bugs

Assignee

Ami Fischman

Reported

2012-06-11 15:39 PDT

Modified

2012-06-15 16:08 PDT History

CC List

3 users Show

URL

Keywords

Depends on

Blocks