Closed Bug 1319508 Opened 3 years ago Closed 3 years ago

Guard against dangling mParent pointer in EraseLayerState

Categories

(Core :: Graphics, defect, P3)

53 Branch
defect

Tracking


RESOLVED FIXED
mozilla53
Tracking Status
firefox53 --- fixed

People

(Reporter: kats, Assigned: kats)

References

Details

(Whiteboard: [gfx-noted])

Attachments

(1 file)

In the QuantumRender build while trying to get reftests going we are running into a consistent crash. This seems to happen because of a race condition during shutdown. Specifically, the call at [1] triggers a call to EraseLayerState on the compositor thread [2]. By the time this call runs, the corresponding CompositorBridgeParent has already been destroyed, leaving the mParent at [3] as a dangling pointer. Dereferencing that pointer then results in a crash.

It seems that the shutdown sequence here is not particularly well-defined, so the safest thing to do seems to be to make the LayerTreeState::mParent pointer a RefPtr rather than a raw pointer.

[1] http://searchfox.org/mozilla-central/rev/59bb309e38b10aba63dea8505fb800e99fe821d6/layout/ipc/RenderFrameParent.cpp#228
[2] http://searchfox.org/mozilla-central/rev/59bb309e38b10aba63dea8505fb800e99fe821d6/gfx/layers/ipc/CompositorBridgeParent.cpp#1568
[3] http://searchfox.org/mozilla-central/rev/59bb309e38b10aba63dea8505fb800e99fe821d6/gfx/layers/ipc/CompositorBridgeParent.cpp#1548
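The shutdown race described in the report, reduced to a stand-alone illustration. This is added example code, not Mozilla's: `RefCounted`, `StrongRef` (a stand-in for mozilla::RefPtr, assumed to follow the same AddRef/Release discipline) and `FakeCompositorParent` are assumptions invented for the demonstration. It shows the two states side by side: a raw `mParent` that dangles once the owning reference is dropped before EraseLayerState runs, and a strong `mParent` that keeps the object alive until the state itself releases it.

```cpp
// Added illustration (not Mozilla code): why a raw back-pointer dangles when
// the owner goes away first, and how a strong (ref-counted) pointer removes
// the hazard.
#include <cstdio>

// Minimal intrusive ref-counted base (assumption: stands in for Mozilla's
// refcounting; a real implementation would be thread-safe).
class RefCounted {
public:
    void AddRef() { ++mRefCnt; }
    void Release() { if (--mRefCnt == 0) delete this; }
protected:
    virtual ~RefCounted() {}
private:
    unsigned mRefCnt = 0;
};

// Minimal strong pointer, standing in for mozilla::RefPtr.
template <class T>
class StrongRef {
public:
    StrongRef() : mPtr(nullptr) {}
    StrongRef(T* p) : mPtr(p) { if (mPtr) mPtr->AddRef(); }
    StrongRef(const StrongRef& o) : mPtr(o.mPtr) { if (mPtr) mPtr->AddRef(); }
    ~StrongRef() { if (mPtr) mPtr->Release(); }
    // AddRef the new target before releasing the old one so self-assignment is safe.
    StrongRef& operator=(T* p) {
        if (p) p->AddRef();
        if (mPtr) mPtr->Release();
        mPtr = p;
        return *this;
    }
    StrongRef& operator=(const StrongRef& o) { return *this = o.mPtr; }
    T* get() const { return mPtr; }
private:
    T* mPtr;
};

// Stand-in for CompositorBridgeParent. It counts destructions so the lifetime
// can be observed without ever touching freed memory.
class FakeCompositorParent : public RefCounted {
public:
    static int sDestroyed;
    bool IsAlive() const { return true; }
protected:
    ~FakeCompositorParent() override { ++sDestroyed; }
};
int FakeCompositorParent::sDestroyed = 0;

// "Before": the layer tree state keeps a raw back-pointer.
struct LayerTreeStateRaw { FakeCompositorParent* mParent = nullptr; };
// "After": the layer tree state keeps a strong reference.
struct LayerTreeStateStrong { StrongRef<FakeCompositorParent> mParent; };

// Simulates the shutdown race: the owning reference is dropped before the
// state is erased. Returns true when the state still holds a non-null
// pointer to an object that has already been destroyed, i.e. it dangles.
bool RawPointerDangles() {
    FakeCompositorParent::sDestroyed = 0;
    LayerTreeStateRaw state;
    {
        StrongRef<FakeCompositorParent> owner(new FakeCompositorParent());
        state.mParent = owner.get();
    } // owner released: object destroyed, state.mParent is now dangling
    return state.mParent != nullptr && FakeCompositorParent::sDestroyed == 1;
}

// Same sequence with a strong reference: the object survives the owner and
// is destroyed only when the state clears its own reference (what
// EraseLayerState would do).
bool StrongRefKeepsAlive() {
    FakeCompositorParent::sDestroyed = 0;
    LayerTreeStateStrong state;
    {
        StrongRef<FakeCompositorParent> owner(new FakeCompositorParent());
        state.mParent = owner.get();
    } // owner released, but the state still holds a reference
    bool aliveAfterOwnerGone =
        FakeCompositorParent::sDestroyed == 0 && state.mParent.get()->IsAlive();
    state.mParent = nullptr;  // erase the state: last reference dropped here
    return aliveAfterOwnerGone && FakeCompositorParent::sDestroyed == 1;
}

int main() {
    std::printf("raw pointer dangles:     %s\n", RawPointerDangles() ? "yes" : "no");
    std::printf("strong ref keeps alive:  %s\n", StrongRefKeepsAlive() ? "yes" : "no");
    return 0;
}
```

The raw-pointer case never dereferences the dangling pointer; it only records that the pointer is still set after the object is gone, which is exactly the window the crash in EraseLayerState falls into. Switching the member to a strong reference moves the object's destruction to the point where the state releases it, so the ordering of the two shutdown steps no longer matters.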
Comment on attachment 8813356 [details]
Bug 1319508 - Ensure that we don't leave dangling pointers to CompositorBridgeParent in LayerTreeState instances.

https://reviewboard.mozilla.org/r/94778/#review95014
Attachment #8813356 - Flags: review?(dvander) → review+
Pushed by kgupta@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/25c7f7eb112c
Ensure that we don't leave dangling pointers to CompositorBridgeParent in LayerTreeState instances. r=dvander
https://hg.mozilla.org/mozilla-central/rev/25c7f7eb112c
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla53