Guard against dangling mParent pointer in EraseLayerState

RESOLVED FIXED in Firefox 53

Status


P3
normal
RESOLVED FIXED
2 years ago
2 years ago

People

(Reporter: kats, Assigned: kats)

Tracking

53 Branch
mozilla53
Points:
---

Firefox Tracking Flags

(firefox53 fixed)

Details

(Whiteboard: [gfx-noted])

Attachments

(1 attachment)

In the QuantumRender build while trying to get reftests going we are running into a consistent crash. This seems to happen because of a race condition during shutdown. Specifically, the call at [1] triggers a call to EraseLayerState on the compositor thread [2]. By the time this call runs, the corresponding CompositorBridgeParent has already been destroyed, leaving the mParent at [3] as a dangling pointer. Dereferencing that pointer then results in a crash.

It seems that the shutdown sequence here is not particularly well-defined, so the safest thing to do seems to be to make the LayerTreeState::mParent pointer a RefPtr rather than a raw pointer.

[1] http://searchfox.org/mozilla-central/rev/59bb309e38b10aba63dea8505fb800e99fe821d6/layout/ipc/RenderFrameParent.cpp#228
[2] http://searchfox.org/mozilla-central/rev/59bb309e38b10aba63dea8505fb800e99fe821d6/gfx/layers/ipc/CompositorBridgeParent.cpp#1568
[3] http://searchfox.org/mozilla-central/rev/59bb309e38b10aba63dea8505fb800e99fe821d6/gfx/layers/ipc/CompositorBridgeParent.cpp#1548
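
The shutdown ordering described in this report, replayed as an added example that is not part of the bug or its patch. std::shared_ptr stands in for Mozilla's RefPtr, and BridgeParent, OnLayerStateErased, the task queue and RunShutdownRace are hypothetical names used only for illustration.

```cpp
#include <cstdint>
#include <functional>
#include <map>
#include <memory>
#include <queue>
#include <utility>

// Hypothetical stand-in for CompositorBridgeParent; sLive counts live instances.
struct BridgeParent {
  static int sLive;
  int mNotified = 0;
  BridgeParent() { ++sLive; }
  ~BridgeParent() { --sLive; }
  void OnLayerStateErased() { ++mNotified; }  // hypothetical callback
};
int BridgeParent::sLive = 0;

// mParent is an owning reference, so the map entry keeps the parent alive.
struct LayerTreeState {
  std::shared_ptr<BridgeParent> mParent;
};

std::map<uint64_t, LayerTreeState> sIndirectLayerTrees;
std::queue<std::function<void()>> sCompositorTasks;  // models the compositor thread

void EraseLayerState(uint64_t aId) {
  auto it = sIndirectLayerTrees.find(aId);
  if (it == sIndirectLayerTrees.end()) return;
  if (auto parent = it->second.mParent) {  // valid: the entry holds a strong ref
    parent->OnLayerStateErased();
  }
  sIndirectLayerTrees.erase(it);  // the last reference is dropped here
}

// The owner releases the parent first, then the queued EraseLayerState runs.
// Returns the live-parent count before and after the queued task.
std::pair<int, int> RunShutdownRace() {
  auto owner = std::make_shared<BridgeParent>();
  sIndirectLayerTrees[7].mParent = owner;
  sCompositorTasks.push([] { EraseLayerState(7); });
  owner.reset();  // with a raw mParent the object would be destroyed here
  int before = BridgeParent::sLive;
  for (; !sCompositorTasks.empty(); sCompositorTasks.pop()) sCompositorTasks.front()();
  return {before, BridgeParent::sLive};
}
```

The parent is still alive when the queued task dereferences it and is destroyed only when the map entry is erased, which is the lifetime guarantee the raw pointer could not give.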
Comment on attachment 8813356 [details]
Bug 1319508 - Ensure that we don't leave dangling pointers to CompositorBridgeParent in LayerTreeState instances.

https://reviewboard.mozilla.org/r/94778/#review95014
Attachment #8813356 - Flags: review?(dvander) → review+

Comment 4

2 years ago
Pushed by kgupta@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/25c7f7eb112c
Ensure that we don't leave dangling pointers to CompositorBridgeParent in LayerTreeState instances. r=dvander

Comment 5

2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/25c7f7eb112c
Status: NEW → RESOLVED
Last Resolved: 2 years ago
status-firefox53: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla53