[Webkit-unassigned] [Bug 75000] New: [Qt][WK2] Crash in ~WebGraphicsLayer when running fast/multicol/pagination-* tests

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Dec 21 01:50:03 PST 2011


https://bugs.webkit.org/show_bug.cgi?id=75000

           Summary: [Qt][WK2] Crash in ~WebGraphicsLayer when running
                    fast/multicol/pagination-* tests
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit2
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: kbalazs at webkit.org
                CC: kenneth at webkit.org, ostapenko.viatcheslav at nokia.com,
                    noam.rosenthal at nokia.com


WebKitTestRunner LayoutTests/fast/multicol/pagination-*.html
It's not clear which test will crash. Running them separately does not reproduce it.
We also have an assertion with these tests but it seems like a different bug: https://bugs.webkit.org/show_bug.cgi?id=74999
I did a debug build with ASSERT_DISABLED to avoid hitting the assert.
Backtrace:

#0  0x00007ffff5a32db5 in WebCore::WebGraphicsLayer::~WebGraphicsLayer (this=0x6ad6c0, __in_chrg=<optimized out>)
    at /home/balazs/WebKitGit/Source/WebKit2/WebProcess/WebCoreSupport/WebGraphicsLayer.cpp:100
#1  0x00007ffff5a32f12 in WebCore::WebGraphicsLayer::~WebGraphicsLayer (this=0x6ad6c0, __in_chrg=<optimized out>)
    at /home/balazs/WebKitGit/Source/WebKit2/WebProcess/WebCoreSupport/WebGraphicsLayer.cpp:101
#2  0x00007ffff58847b2 in WTF::deleteOwnedPtr<WebCore::GraphicsLayer> (ptr=0x6ad6c0)
    at /home/balazs/WebKitGit/Source/JavaScriptCore/wtf/OwnPtrCommon.h:53
#3  0x00007ffff5a65140 in WTF::OwnPtr<WebCore::GraphicsLayer>::clear (this=0x7268d8)
    at /home/balazs/WebKitGit/Source/JavaScriptCore/wtf/OwnPtr.h:100
#4  0x00007ffff5a64b76 in WTF::OwnPtr<WebCore::GraphicsLayer>::operator= (this=0x7268d8)
    at /home/balazs/WebKitGit/Source/JavaScriptCore/wtf/OwnPtr.h:73
#5  0x00007ffff6317625 in WebCore::RenderLayerBacking::destroyGraphicsLayers (this=0x7268c0)
    at /home/balazs/WebKitGit/Source/WebCore/rendering/RenderLayerBacking.cpp:162
#6  0x00007ffff631719c in WebCore::RenderLayerBacking::~RenderLayerBacking (this=0x7268c0, __in_chrg=<optimized out>)
    at /home/balazs/WebKitGit/Source/WebCore/rendering/RenderLayerBacking.cpp:117
#7  0x00007ffff631732a in WebCore::RenderLayerBacking::~RenderLayerBacking (this=0x7268c0, __in_chrg=<optimized out>)
    at /home/balazs/WebKitGit/Source/WebCore/rendering/RenderLayerBacking.cpp:118
#8  0x00007ffff63130ce in WTF::deleteOwnedPtr<WebCore::RenderLayerBacking> (ptr=0x7268c0)
    at /home/balazs/WebKitGit/Source/JavaScriptCore/wtf/OwnPtrCommon.h:53
#9  0x00007ffff6312d5a in WTF::OwnPtr<WebCore::RenderLayerBacking>::clear (this=0x755188)
    at /home/balazs/WebKitGit/Source/JavaScriptCore/wtf/OwnPtr.h:100
#10 0x00007ffff630f718 in WebCore::RenderLayer::clearBacking (this=0x755068)
    at /home/balazs/WebKitGit/Source/WebCore/rendering/RenderLayer.cpp:3936
#11 0x00007ffff62fea2e in WebCore::RenderLayer::~RenderLayer (this=0x755068, __in_chrg=<optimized out>)
    at /home/balazs/WebKitGit/Source/WebCore/rendering/RenderLayer.cpp:224
#12 0x00007ffff62feba8 in WebCore::RenderLayer::~RenderLayer (this=0x755068, __in_chrg=<optimized out>)
    at /home/balazs/WebKitGit/Source/WebCore/rendering/RenderLayer.cpp:234
#13 0x00007ffff6301a9e in WebCore::RenderLayer::destroy (this=0x755068, renderArena=0x75c5a0)
    at /home/balazs/WebKitGit/Source/WebCore/rendering/RenderLayer.cpp:1088
#14 0x00007ffff62b4f66 in WebCore::RenderBoxModelObject::destroyLayer (this=0x6e2888)
    at /home/balazs/WebKitGit/Source/WebCore/rendering/RenderBoxModelObject.cpp:273
#15 0x00007ffff6340c6d in WebCore::RenderObject::willBeDestroyed (this=0x6e2888)
    at /home/balazs/WebKitGit/Source/WebCore/rendering/RenderObject.cpp:2237
#16 0x00007ffff62b4fa9 in WebCore::RenderBoxModelObject::willBeDestroyed (this=0x6e2888)
    at /home/balazs/WebKitGit/Source/WebCore/rendering/RenderBoxModelObject.cpp:287
#17 0x00007ffff62a2252 in WebCore::RenderBox::willBeDestroyed (this=0x6e2888)
    at /home/balazs/WebKitGit/Source/WebCore/rendering/RenderBox.cpp:267
#18 0x00007ffff6255e5d in WebCore::RenderBlock::willBeDestroyed (this=0x6e2888)
    at /home/balazs/WebKitGit/Source/WebCore/rendering/RenderBlock.cpp:204
#19 0x00007ffff6340c99 in WebCore::RenderObject::destroy (this=0x6e2888)
    at /home/balazs/WebKitGit/Source/WebCore/rendering/RenderObject.cpp:2243
#20 0x00007ffff5d32a75 in WebCore::Document::detach (this=0x76c530) at /home/balazs/WebKitGit/Source/WebCore/dom/Document.cpp:1870

Well, it's a bit confusing (for example ~RenderLayerBacking seems to call itself, which cannot happen in reality). But at least it is sure that something is not ok with the WebGraphicsLayer object's m_layerTreeTileClient member:
(gdb) p *m_layerTreeTileClient
$12 = {
  _vptr.WebLayerTreeTileClient = 0x4545454545454545
}

Does this pattern say something to you?
