Title: [152121] trunk/Source/WebCore
- Revision
- 152121
- Author
- an...@apple.com
- Date
- 2013-06-27 13:02:12 -0700 (Thu, 27 Jun 2013)
Log Message
RenderLayerCompositor destructor is fragile
https://bugs.webkit.org/show_bug.cgi?id=118143
Reviewed by Simon Fraser.
With iOS tile cache implementation deleting RenderLayerCompositor may end up starting a deleted timer.
This corrupts the timer heap and leads to a crash later. This happens because GraphicsLayers destructor
calls back to the RenderLayerCompositor that is being deleted. This is pretty fragile in general.
No test as there is no known way to repro this with plain webkit.
* platform/Timer.cpp:
(WebCore::TimerBase::TimerBase):
(WebCore::TimerBase::~TimerBase):
(WebCore::TimerBase::setNextFireTime):
* platform/Timer.h:
Assert that the timer is alive before starting it. This turns bugs like this into clear crash stacks
instead of hard-to-debug timer heap corruptions.
* rendering/RenderLayerCompositor.cpp:
(WebCore::RenderLayerCompositor::~RenderLayerCompositor):
Take care to delete owned GraphicsLayers before proceeding with the rest of the destructor.
Modified Paths
Diff
Modified: trunk/Source/WebCore/ChangeLog (152120 => 152121)
--- trunk/Source/WebCore/ChangeLog 2013-06-27 19:36:25 UTC (rev 152120)
+++ trunk/Source/WebCore/ChangeLog 2013-06-27 20:02:12 UTC (rev 152121)
@@ -1,3 +1,30 @@
+2013-06-27 Antti Koivisto <an...@apple.com>
+
+ RenderLayerCompositor destructor is fragile
+ https://bugs.webkit.org/show_bug.cgi?id=118143
+
+ Reviewed by Simon Fraser.
+
+ With iOS tile cache implementation deleting RenderLayerCompositor may end up starting a deleted timer.
+ This corrupts the timer heap and leads to a crash later. This happens because GraphicsLayers destructor
+ calls back to the RenderLayerCompositor that is being deleted. This is pretty fragile in general.
+
+ No test as there is no known way to repro this with plain webkit.
+
+ * platform/Timer.cpp:
+ (WebCore::TimerBase::TimerBase):
+ (WebCore::TimerBase::~TimerBase):
+ (WebCore::TimerBase::setNextFireTime):
+ * platform/Timer.h:
+
+ Assert that the timer is alive before starting it. This turns bugs like this into clear crash stacks
+ instead of hard-to-debug timer heap corruptions.
+
+ * rendering/RenderLayerCompositor.cpp:
+ (WebCore::RenderLayerCompositor::~RenderLayerCompositor):
+
+ Take care to delete owned GraphicsLayers before proceeding with the rest of the destructor.
+
2013-06-27 Christophe Dumez <ch.du...@sisa.samsung.com>
Update SVG interfaces to stop inheriting from SVGURIReference and SVGTests
Modified: trunk/Source/WebCore/platform/Timer.cpp (152120 => 152121)
--- trunk/Source/WebCore/platform/Timer.cpp 2013-06-27 19:36:25 UTC (rev 152120)
+++ trunk/Source/WebCore/platform/Timer.cpp 2013-06-27 20:02:12 UTC (rev 152121)
@@ -195,6 +195,7 @@
, m_cachedThreadGlobalTimerHeap(0)
#ifndef NDEBUG
, m_thread(currentThread())
+ , m_wasDeleted(false)
#endif
{
}
@@ -203,6 +204,9 @@
{
stop();
ASSERT(!inHeap());
+#ifndef NDEBUG
+ m_wasDeleted = true;
+#endif
}
void TimerBase::start(double nextFireInterval, double repeatInterval)
@@ -367,6 +371,7 @@
void TimerBase::setNextFireTime(double newUnalignedTime)
{
ASSERT(m_thread == currentThread());
+ ASSERT(!m_wasDeleted);
if (m_unalignedNextFireTime != newUnalignedTime)
m_unalignedNextFireTime = newUnalignedTime;
Modified: trunk/Source/WebCore/platform/Timer.h (152120 => 152121)
--- trunk/Source/WebCore/platform/Timer.h 2013-06-27 19:36:25 UTC (rev 152120)
+++ trunk/Source/WebCore/platform/Timer.h 2013-06-27 20:02:12 UTC (rev 152121)
@@ -95,6 +95,7 @@
#ifndef NDEBUG
ThreadIdentifier m_thread;
+ bool m_wasDeleted;
#endif
friend class ThreadTimers;
Modified: trunk/Source/WebCore/rendering/RenderLayerCompositor.cpp (152120 => 152121)
--- trunk/Source/WebCore/rendering/RenderLayerCompositor.cpp 2013-06-27 19:36:25 UTC (rev 152120)
+++ trunk/Source/WebCore/rendering/RenderLayerCompositor.cpp 2013-06-27 20:02:12 UTC (rev 152121)
@@ -225,6 +225,9 @@
RenderLayerCompositor::~RenderLayerCompositor()
{
+ // Take care that the owned GraphicsLayers are deleted first as their destructors may call back here.
+ m_clipLayer = nullptr;
+ m_scrollLayer = nullptr;
ASSERT(m_rootLayerAttachment == RootLayerUnattached);
}
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
