[Webkit-unassigned] [Bug 100930] New: [Chromium] debug builds: Use after free under ~PageOverlay()

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Nov 1 01:43:20 PDT 2012 

https://bugs.webkit.org/show_bug.cgi?id=100930

           Summary: [Chromium] debug builds: Use after free under
                    ~PageOverlay()
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: All
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: Web Inspector
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: tapted at chromium.org
                CC: keishi at webkit.org, pmuellr at yahoo.com,
                    pfeldman at chromium.org, yurys at chromium.org,
                    apavlov at chromium.org, jamesr at chromium.org,
                    loislo at chromium.org, fsamuel at chromium.org,
                    vsevik at chromium.org, danakj at chromium.org,
                    web-inspector-bugs at googlegroups.com


Downstream bug: http://crbug.com/157097

What steps will reproduce the problem?
0. Run a debug build of Chromium
1. Open a packaged app Shell window, or popout a Google Chat Panel window
2. Right-click -> Inspect Element, Developer tools opens in new window
3. Close the original Shell/Panel Window
4. segfault around:

 void GraphicsLayer::willBeDestroyed()
 {
 #ifndef NDEBUG
     if (m_client)
         m_client->verifyNotPainting();
 #endif


This code added in bug 81954 (from March)


The problem is that WebKit::PageOverlay is declared like this:

class PageOverlay {
/* snip */

    WebViewImpl* m_viewImpl;
    WebPageOverlay* m_overlay;
    OwnPtr<WebCore::GraphicsLayer> m_layer;
    OwnPtr<WebCore::GraphicsLayerClient> m_layerClient;
    int m_zOrder;
};

So m_layerClient will be destroyed before m_layer at the end of ~PageOverlay().

So, it is not valid for GraphicsLayer::willBeDestroyed (called from the ~GraphicsLayerChromium leaf class) to access its own GraphicsLayerClient data member in this situation to do m_client->verifyNotPainting();.

Some possible solutions:
 - Fix the destruction order (reorder members)
 - explicitly set PageOverlay::m_layer->m_client to NULL in ~PageOverlay
 - something-else-because-i-don't-really-know-webkit-that-well

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list