[Webkit-unassigned] [Bug 125776] New: [CoordinatedGraphics] Segmentation fault at CoordinatedGraphicsScene::clearImageBackingContents
bugzilla-daemon at webkit.org
Mon Dec 16 05:37:54 PST 2013
https://bugs.webkit.org/show_bug.cgi?id=125776
Summary: [CoordinatedGraphics] Segmentation fault at CoordinatedGraphicsScene::clearImageBackingContents
Product: WebKit
Version: 528+ (Nightly build)
Platform: Unspecified
OS/Version: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: WebKit Misc.
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: edbalint at inf.u-szeged.hu
The bug occurs on the flickr.com webpage: scroll down to the "Spectaculr" section, then scroll back up to the top of the page and click "Sign in" (or any other link) -> segmentation fault; the browser crashes.
The cause of the problem is that if an image becomes visible and then, after a while, becomes invisible, a clearContentsTimer starts. The Timer fires after 3 seconds. If the image becomes visible again within those 3 seconds, the Timer stops; if the 3 seconds elapse, the Timer fires. The CoordinatedImageBacking object which contains the Timer then calls CompositingCoordinator::clearImageBackingContents, which appends its imageID to m_state.imagesToClear. After this, if you scroll or move the mouse over a link, the image is cleared (because CoordinatedGraphicsScene::syncImageBackings calls CoordinatedGraphicsScene::clearImageBackingContents). The segmentation fault occurs if the time between the image becoming invisible and moving the mouse over the link is less than 3 seconds. In this case the imageID is appended to m_state.imagesToClear but is not cleared until the link is clicked. When you click the link, the imageID is appended to m_state.imagesToRemove as well. CoordinatedGraphicsScene::syncImageBackings then calls CoordinatedGraphicsScene::removeImageBacking, which removes the image from m_imageBackings; after that, CoordinatedGraphicsScene::clearImageBackingContents is called and tries to clear the image with the same ID, which was removed just before. This causes the segmentation fault.
I've found a possible fix: If CoordinatedGraphicsScene::removeImageBacking is called, it removes the current imageID from m_state.imagesToClear.
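The following is an added model of the ordering problem described in the report, not WebKit's own code: a toy scene with a map of image backings and two pending-ID lists, where syncImageBackings processes removals before clears, exactly the sequence the report walks through. Instead of dereferencing a missing backing (the crash in the real code), the model reports the stale clear as a failure, and the `withFix` flag applies the proposed fix of dropping the removed ID from imagesToClear. Class and function names mirror the report but are hypothetical simplifications, and the image ID is a constructed value.

```cpp
// Added example, not WebKit code: a minimal model of the remove-then-clear
// ordering bug from the report. The names below echo the report but the
// classes and functions are hypothetical simplifications.
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <map>
#include <memory>
#include <vector>

using ImageID = uint32_t;

struct ImageBacking {
    bool hasContents = true;
    void clearContents() { hasContents = false; }
};

// Pending work handed from the coordinator to the scene on each sync.
struct SceneState {
    std::vector<ImageID> imagesToClear;   // queued by the clearContentsTimer
    std::vector<ImageID> imagesToRemove;  // queued when the image goes away
};

class Scene {
public:
    void createImageBacking(ImageID id) {
        m_imageBackings[id] = std::make_unique<ImageBacking>();
    }

    void removeImageBacking(ImageID id) { m_imageBackings.erase(id); }

    // Returns false when asked to clear a backing that no longer exists.
    // The real code would dereference a missing entry here, which is the
    // segmentation fault the report describes.
    bool clearImageBackingContents(ImageID id) {
        auto it = m_imageBackings.find(id);
        if (it == m_imageBackings.end())
            return false;
        it->second->clearContents();
        return true;
    }

    // Removals are processed before clears, as in the report. With the fix,
    // removing a backing also drops any pending clear for the same ID.
    bool syncImageBackings(SceneState& state, bool withFix) {
        for (ImageID id : state.imagesToRemove) {
            removeImageBacking(id);
            if (withFix) {
                auto& clear = state.imagesToClear;
                clear.erase(std::remove(clear.begin(), clear.end(), id), clear.end());
            }
        }
        state.imagesToRemove.clear();

        bool ok = true;
        for (ImageID id : state.imagesToClear)
            ok = clearImageBackingContents(id) && ok;
        state.imagesToClear.clear();
        return ok;
    }

    bool hasBacking(ImageID id) const { return m_imageBackings.count(id) != 0; }

private:
    std::map<ImageID, std::unique_ptr<ImageBacking>> m_imageBackings;
};

// Reproduce the report's sequence: the timer queues a clear, then the link
// click queues a removal before the clear has been processed. Returns true
// when the sync completes without touching a removed backing.
bool reproduce(bool withFix) {
    Scene scene;
    const ImageID id = 7;  // constructed sample ID
    scene.createImageBacking(id);

    SceneState state;
    state.imagesToClear.push_back(id);   // clearContentsTimer fired
    state.imagesToRemove.push_back(id);  // navigation removed the image
    return scene.syncImageBackings(state, withFix);
}

int main() {
    std::printf("without fix: %s\n", reproduce(false) ? "ok" : "stale clear (crash in real code)");
    std::printf("with fix:    %s\n", reproduce(true) ? "ok" : "stale clear");
    return 0;
}
```

The general lesson is that any deferred-work queue keyed by an object ID must be reconciled when the object is destroyed; otherwise the consumer of the queue acts on a dangling reference, which in native code is a memory-safety fault rather than a clean error.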