[Webkit-unassigned] [Bug 111953] New: Possible incorrect cleanup in RenderLayerBacking destructor

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sun Mar 10 21:07:14 PDT 2013 

https://bugs.webkit.org/show_bug.cgi?id=111953

           Summary: Possible incorrect cleanup in RenderLayerBacking
                    destructor
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Layout and Rendering
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: shawnsingh at chromium.org
                CC: simon.fraser at apple.com, enne at google.com,
                    shawnsingh at chromium.org, vollick at chromium.org,
                    hartmanng at chromium.org


The code in RenderLayerBacking::destroyGraphicsLayers()  (which is private and only called from destructor) does the following:
  1. detaches m_graphicsLayer from its possible parent
  2. releases the refs of all possible graphicsLayers that may exist.

It looks like step 1 has existed since this code was added way back in 2009.  Was there a reason do implement step 1 this way?

It seems to me that the purpose of step 1 is to remove this Backing's GraphicsLayers from the composited layer tree, right?  If so, then I think it should actually be accessing childForSuperLayers(), and detaching that layer from it's parent.

Or optionally, if we want to remove the assumption that the layer is in a "good state" when its being destroyed, we could just removeFromParent for all possible values of childForSuperLayers(), or even for all GraphicsLayers, knowing it will be a no-op (though it may cause more churn)

Simon, what do you think?

I don't have any examples of this causing crashes or leaks, but it's conceivable to me that it can cause crashes.  In practice I suspect that problems don't occur because RenderLayerBackings are typically de-allocated just before a new RenderLayerBacking tree is rebuilt, at which point such dangling subtrees would disappear shortly after, anyway.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list