New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 591106 link

Starred by 1 user

Issue metadata

Status: Duplicate
Merged: issue 582755
Owner:
Closed: Mar 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: Bug



Sign in to add a comment

Dangling pointers between ScrollAnimatorMac and PaintLayer

Project Member Reported by jbroman@chromium.org, Mar 1 2016

Issue description

thakis pointed me at this ASAN failure on unit tests, that was blamed on my CL: https://build.chromium.org/p/chromium.memory/builders/Mac%20ASan%2064%20Tests%20%281%29/builds/12543/steps/webkit_unit_tests%20on%20Mac-10.9/logs/All_ParameterizedVisualViewportTest.ScrollIntoViewFractionalOffset_1

The underlying problem here is a dangling-pointer issue in Oilpan, as follows:

The objects at play here are:
PaintLayer (non-GC)
PaintLayerScrollableArea (GC)
ScrollAnimatorMac (GC)
BlinkScrollbarPainterControllerDelegate (Obj-C)

PaintLayer is owned by the LayoutView.
PaintLayer has Member<PaintLayerScrollableArea>, and PaintLayerScrollableArea has a PaintLayer& back.
PaintLayerScrollableArea owns ScrollAnimatorMac, which in turn owns BlinkScrollbarPainterControllerDelegate.
AppKit holds a raw pointer to BlinkScrollbarPainterControllerDelegate (unset when ScrollAnimatorMac is destroyed), 

When we navigate, LayoutView::willBeDestroyed is called, which destroys the PaintLayer. However, it does not destroy the PaintLayerScrollableArea (since the heap hasn't been collected yet). Thus the rest of the objects remain alive.

Then at some point, AppKit calls back by sending |-scrollerImpPair:updateScrollerStyleForNewRecommendedScrollerStyle:| to the delegate, and we make a series of calls walking back toward PaintLayer. Unfortunately, the PaintLayer& held by PaintLayerScrollableArea is dangling, leading to the ASAN failure (and possibly worse behaviour in non-sanitizer builds).

I'd appreciate advice from Oilpan people about how to handle this. PaintLayerScrollableArea could hold a weak pointer and be able to handle its layer pointer being null, but that seems like quite a large change. Or perhaps PaintLayer should call a dispose method on PaintLayerScrollableArea that causes it to put the ScrollAnimator in a "waiting to be collected" state (also seems non-trivial).
 
~PaintLayer() will call PaintLayerScrollableArea::dispose(), which in turn calls ScrollableArea::clearScrollAnimators(). Which in turns calls dispose() on the ScrollableAnimatorMac::dispose(), clearing the duff pointer here.

With that in place, I don't understand the weakness described above.

(There's three bugs on this one already, duplicate this to 582755 ? )
Mergedinto: 582755
Status: Duplicate (was: Assigned)
Hmm, if that was working, though, I don't see how the ASAN report is possible. Something is definitely calling into the delegate, and ASAN is clearly reporting that someone is accessing a freed PaintLayer.

But yeah, it looks like someone else is investigating (I assumed this was new based on how it was reported to me, as blamed on my recent CL). Duping as suggested.

Comment 3 by tkent@chromium.org, Mar 23 2016

Components: -Blink>Oilpan Blink>MemoryAllocator>GarbageCollection

Sign in to add a comment