<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[184576] trunk/Source/WebCore</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/184576">184576</a></dd>
<dt>Author</dt> <dd>bdakin@apple.com</dd>
<dt>Date</dt> <dd>2015-05-19 10:26:23 -0700 (Tue, 19 May 2015)</dd>
</dl>
<h3>Log Message</h3>
<pre>Crash in WebCore::RenderLayer::updateScrollbarsAfterLayout
https://bugs.webkit.org/show_bug.cgi?id=145142
Reviewed by Simon Fraser.
I have not been able to reproduce this crash, but according to symbolication
m_vBar is null. It seems like this crash was probably caused by
http://trac.webkit.org/changeset/173668 which made it so that overflow:scroll
behaves like overflow:auto when the scrollbars are overlay. I can see how you
could encounter this crash with that change if the layout caused
styleRequiresScrollbar() to return true when it used to return false. Then this
code, by failing to null-check the scrollbars, assumes that
styleRequiresScrollbar() could not have changed based on a layout. But it could
change if the css changed the scrollbars to be custom or if the user managed
switch to legacy style scrollbars at just the wrong time. Or I suppose it could
also happen if the user has legacy scrollbars and the style switched from auto to
scroll during the layout.
Anyway, we should null-check the scrollbars. This is a speculative fix.
* rendering/RenderLayer.cpp:
(WebCore::RenderLayer::updateScrollbarsAfterLayout):</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceWebCoreChangeLog">trunk/Source/WebCore/ChangeLog</a></li>
<li><a href="#trunkSourceWebCorerenderingRenderLayercpp">trunk/Source/WebCore/rendering/RenderLayer.cpp</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/ChangeLog (184575 => 184576)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/ChangeLog 2015-05-19 17:06:23 UTC (rev 184575)
+++ trunk/Source/WebCore/ChangeLog 2015-05-19 17:26:23 UTC (rev 184576)
</span><span class="lines">@@ -1,3 +1,27 @@
</span><ins>+2015-05-19 Beth Dakin <bdakin@apple.com>
+
+ Crash in WebCore::RenderLayer::updateScrollbarsAfterLayout
+ https://bugs.webkit.org/show_bug.cgi?id=145142
+
+ Reviewed by Simon Fraser.
+
+ I have not been able to reproduce this crash, but according to symbolication
+ m_vBar is null. It seems like this crash was probably caused by
+ http://trac.webkit.org/changeset/173668 which made it so that overflow:scroll
+ behaves like overflow:auto when the scrollbars are overlay. I can see how you
+ could encounter this crash with that change if the layout caused
+ styleRequiresScrollbar() to return true when it used to return false. Then this
+ code, by failing to null-check the scrollbars, assumes that
+ styleRequiresScrollbar() could not have changed based on a layout. But it could
+ change if the css changed the scrollbars to be custom or if the user managed
+ switch to legacy style scrollbars at just the wrong time. Or I suppose it could
+ also happen if the user has legacy scrollbars and the style switched from auto to
+ scroll during the layout.
+
+ Anyway, we should null-check the scrollbars. This is a speculative fix.
+ * rendering/RenderLayer.cpp:
+ (WebCore::RenderLayer::updateScrollbarsAfterLayout):
+
</ins><span class="cx"> 2015-05-19 Hunseop Jeong <hs85.jeong@samsung.com>
</span><span class="cx">
</span><span class="cx"> Use modern for-loops in WebCore/xml.
</span></span></pre></div>
<a id="trunkSourceWebCorerenderingRenderLayercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/WebCore/rendering/RenderLayer.cpp (184575 => 184576)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/WebCore/rendering/RenderLayer.cpp 2015-05-19 17:06:23 UTC (rev 184575)
+++ trunk/Source/WebCore/rendering/RenderLayer.cpp 2015-05-19 17:26:23 UTC (rev 184576)
</span><span class="lines">@@ -3392,9 +3392,9 @@
</span><span class="cx"> bool hasVerticalOverflow = this->hasVerticalOverflow();
</span><span class="cx">
</span><span class="cx"> // If overflow requires a scrollbar, then we just need to enable or disable.
</span><del>- if (styleRequiresScrollbar(renderer().style(), HorizontalScrollbar))
</del><ins>+ if (m_hBar && styleRequiresScrollbar(renderer().style(), HorizontalScrollbar))
</ins><span class="cx"> m_hBar->setEnabled(hasHorizontalOverflow);
</span><del>- if (styleRequiresScrollbar(renderer().style(), VerticalScrollbar))
</del><ins>+ if (m_vBar && styleRequiresScrollbar(renderer().style(), VerticalScrollbar))
</ins><span class="cx"> m_vBar->setEnabled(hasVerticalOverflow);
</span><span class="cx">
</span><span class="cx"> // Scrollbars with auto behavior may need to lay out again if scrollbars got added or removed.
</span></span></pre>
</div>
</div>
</body>
</html>