[Webkit-unassigned] [Bug 118143] New: Deleting RenderLayerCompositor may cause timer corruption

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jun 27 11:53:07 PDT 2013 

https://bugs.webkit.org/show_bug.cgi?id=118143

           Summary: Deleting RenderLayerCompositor may cause timer
                    corruption
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Layout and Rendering
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: koivisto at iki.fi


RenderLayerCompositor destruction is fragile. With iOS tile cache implementation deleting RenderLayerCompositor may end up starting a deleted timer. This corrupts the timer heap and leads to a crash later. This happens because GraphicsLayers destructor calls back to the RenderLayerCompositor that is being deleted.

    frame #1: 0x0000000106b8b1e8 WebCore`WebCore::TimerBase::start(this=0x0000000121818df8, nextFireInterval=0.5, repeatInterval=0) + 168 at Timer.cpp:231
    frame #2: 0x0000000104fa8932 WebCore`WebCore::TimerBase::startOneShot(this=0x0000000121818df8, interval=0.5) + 34 at Timer.h:52
    frame #3: 0x00000001065cb9c4 WebCore`WebCore::RenderLayerCompositor::startInitialLayerFlushTimerIfNeeded(this=0x0000000121818c90) + 100 at RenderLayerCompositor.cpp:3545
    frame #4: 0x00000001065cb8bf WebCore`WebCore::RenderLayerCompositor::scheduleLayerFlush(this=0x0000000121818c90, canThrottle=true) + 47 at RenderLayerCompositor.cpp:349
    frame #5: 0x00000001065cb889 WebCore`WebCore::RenderLayerCompositor::notifyFlushRequired(this=0x0000000121818c90, layer=0x0000000114dcc9a0) + 57 at RenderLayerCompositor.cpp:335
    frame #6: 0x0000000105836a63 WebCore`WebCore::GraphicsLayerCA::noteLayerPropertyChanged(this=0x0000000114dcc9a0, flags=4) + 211 at GraphicsLayerCA.cpp:3145
    frame #7: 0x00000001058370be WebCore`WebCore::GraphicsLayerCA::noteSublayersChanged(this=0x0000000114dcc9a0) + 30 at GraphicsLayerCA.cpp:3126
    frame #8: 0x0000000105837298 WebCore`WebCore::GraphicsLayerCA::removeFromParent(this=0x0000000114dbead0) + 56 at GraphicsLayerCA.cpp:388
    frame #9: 0x000000010582ca80 WebCore`WebCore::GraphicsLayer::removeAllChildren(this=0x0000000114dcc9a0) + 160 at GraphicsLayer.cpp:251
    frame #10: 0x000000010582c9ce WebCore`WebCore::GraphicsLayer::willBeDestroyed(this=0x0000000114dcc9a0) + 222 at GraphicsLayer.cpp:128
    frame #11: 0x0000000105836e4b WebCore`WebCore::GraphicsLayerCA::willBeDestroyed(this=0x0000000114dcc9a0) + 235 at GraphicsLayerCA.cpp:328
    frame #12: 0x0000000105836b27 WebCore`WebCore::GraphicsLayerCA::~GraphicsLayerCA(this=0x0000000114dcc9a0) + 55 at GraphicsLayerCA.cpp:307
    frame #13: 0x0000000105836ab5 WebCore`WebCore::GraphicsLayerCA::~GraphicsLayerCA(this=0x0000000114dcc9a0) + 21 at GraphicsLayerCA.cpp:305
    frame #14: 0x0000000105836a89 WebCore`WebCore::GraphicsLayerCA::~GraphicsLayerCA(this=0x0000000114dcc9a0) + 25 at GraphicsLayerCA.cpp:305
    frame #15: 0x00000001065c80ee WebCore`void WTF::deleteOwnedPtr<WebCore::GraphicsLayer>(ptr=0x0000000114dcc9a0) + 46 at OwnPtrCommon.h:63
    frame #16: 0x00000001065c8214 WebCore`WTF::OwnPtr<WebCore::GraphicsLayer>::~OwnPtr(this=0x0000000121818dd0) + 20 at OwnPtr.h:63
    frame #17: 0x00000001065c74e5 WebCore`WTF::OwnPtr<WebCore::GraphicsLayer>::~OwnPtr(this=0x0000000121818dd0) + 21 at OwnPtr.h:63
    frame #18: 0x00000001065c9f2d WebCore`WebCore::RenderLayerCompositor::~RenderLayerCompositor(this=0x0000000121818c90) + 557 at

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list