[Webkit-unassigned] [Bug 125776] New: [CoordinatedGraphics] Segmentation fault at CoordinatedGraphicsScene::clearImageBackingContents

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Dec 16 05:37:54 PST 2013 

https://bugs.webkit.org/show_bug.cgi?id=125776

           Summary: [CoordinatedGraphics] Segmentation fault at
                    CoordinatedGraphicsScene::clearImageBackingContents
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit Misc.
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: edbalint at inf.u-szeged.hu


The bug occurs on flickr.com webpage: scroll down to "Spectaculr" section and then scroll up to the top of the page and click on "Sign in" (or any other link) -> Segmentation fault - the browser crashes.
The cause of the problem is that if an image becomes visible and then after a while it becomes invisible a clearContentsTimer starts. The Timer fires after 3 seconds. If the current image becomes visible in these 3 seconds the Timer stops. If the 3 seconds elapse the Timer fires. The CoordinatedImageBacking object which contains the Timer will call CompositingCoordinator::clearImageBackingContents which will append its imageID to m_state.imagesToClear. After this, if you scroll or move the mouse over a link the image will be cleared (because CoordinatedGraphicsScene::syncImageBackings calls CoordinatedGraphicsScene::clearImageBackingContents). Segmentation fault occurs if the time between the image becoming invisible and moving the mouse over the link is less than 3 seconds. In this case the imageID appends to m_state.imagesToClear but it won't be cleared until clicking on the link. But if you click on the link, the imageID will append to m_state.imagesToRemove too. Then CoordinatedGraphicsScene::syncImageBackings calls CoordinatedGraphicsScene::removeImageBacking. This method removes the image from m_imageBackings but then CoordinatedGraphicsScene::clearImageBackingContents is called and it wants to clear the image with the same ID which image was removed before. This causes the segmentation fault.
I've found a possible fix: If CoordinatedGraphicsScene::removeImageBacking is called, it removes the current imageID from m_state.imagesToClear.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list