[Webkit-unassigned] [Bug 13563] REGRESSION: Crash loading message in Yahoo! Mail
bugzilla-daemon at webkit.org
Thu May 17 00:49:38 PDT 2007
http://bugs.webkit.org/show_bug.cgi?id=13563
------- Comment #21 from ddkilzer at webkit.org 2007-05-17 00:49 PDT -------
(In reply to comment #20)
> Created an attachment (id=14588)
> --> (http://bugs.webkit.org/attachment.cgi?id=14588&action=view)
> Debug patch
>
> This is the patch I used to determine what's happening when this bug is
> triggered.
>
> Basically, the bug occurs when:
>
> 1. The rmvScroll(msg) JavaScript method fires.
>
> 2. Before rmvScroll(msg) calls deleteRule(), its code triggers a partial
> relayout. If I had to guess, it would be one of these two lines:
>
> msg.style.overflow = "visible";
> msg.style.visibility = "visible";
WRONG. The relayouts occur with the following JavaScript (although I don't
know why this happens sometimes when loading the page and not others):
msg.clientHeight
msg.scrollHeight
msg.offsetWidth
msg.clientWidth
msg.scrollWidth
> 3. The deleteRule() and insertRule() methods are called, replacing the rules.
>
> 4. The relayout continues after the stylesheet change, except that some data
> structures still have references to deleted objects causing the crash.
The layouts that occur after the rule has been deleted and added are triggered
by KJS::ScheduledAction::execute() in WebCore/bindings/js/kjs_window.cpp:1940
with this big, smelly comment:
    // Update our document's rendering following the execution of the timeout callback.
    // FIXME: Why not use updateDocumentsRendering to update rendering of all documents?
    // FIXME: Is this really the right point to do the update? We need a place that works
    // for all possible entry points that might possibly execute script, but this seems
    // to be a bit too low-level.
    if (Document* doc = frame->document())
        doc->updateRendering();
> *NOTE: I am assuming a "relayout" occurs each time
> CSSStyleSelector::matchRulesForList() is being called, although I haven't
> looked at a backtrace for those functions when they're being called.
This appears to be a valid assumption based on backtraces taken when the bug
occurred.
Backtrace from accessing "msg.clientHeight":
Breakpoint 4, WebCore::CSSStyleSelector::matchRulesForList (this=0x187f1e40,
rules=0x19559bb0, firstRuleIndex=@0xbfffd2dc, lastRuleIndex=@0xbfffd2e0) at
/Volumes/Data/WebKit/WebCore/css/cssstyleselector.cpp:435
435 fprintf(stderr, ">>> CSSStyleRule = '%s' ",
rule->selectorText().ascii().data());
#0 WebCore::CSSStyleSelector::matchRulesForList (this=0x187f1e40,
rules=0x19559bb0, firstRuleIndex=@0xbfffd2dc, lastRuleIndex=@0xbfffd2e0) at
/Volumes/Data/WebKit/WebCore/css/cssstyleselector.cpp:435
#1 0x0114fc9c in WebCore::CSSStyleSelector::matchRules (this=0x187f1e40,
rules=0x18f28610, firstRuleIndex=@0xbfffd2dc, lastRuleIndex=@0xbfffd2e0) at
/Volumes/Data/WebKit/WebCore/css/cssstyleselector.cpp:395
#2 0x0115ef54 in WebCore::CSSStyleSelector::styleForElement (this=0x187f1e40,
e=0x189854e0, defaultParent=0x0, allowSharing=true,
resolveForRootDefault=false) at
/Volumes/Data/WebKit/WebCore/css/cssstyleselector.cpp:877
#3 0x012b9844 in WebCore::Element::recalcStyle (this=0x189854e0,
change=WebCore::Node::Force) at
/Volumes/Data/WebKit/WebCore/dom/Element.cpp:676
#4 0x012b9bc4 in WebCore::Element::recalcStyle (this=0x1878e5d0,
change=WebCore::Node::Force) at
/Volumes/Data/WebKit/WebCore/dom/Element.cpp:716
#5 0x012b9bc4 in WebCore::Element::recalcStyle (this=0x1893c670,
change=WebCore::Node::Force) at
/Volumes/Data/WebKit/WebCore/dom/Element.cpp:716
#6 0x012b9bc4 in WebCore::Element::recalcStyle (this=0x1893c730,
change=WebCore::Node::Force) at
/Volumes/Data/WebKit/WebCore/dom/Element.cpp:716
#7 0x012b9bc4 in WebCore::Element::recalcStyle (this=0x195bd150,
change=WebCore::Node::Force) at
/Volumes/Data/WebKit/WebCore/dom/Element.cpp:716
#8 0x012b9bc4 in WebCore::Element::recalcStyle (this=0x1976b6a0,
change=WebCore::Node::Force) at
/Volumes/Data/WebKit/WebCore/dom/Element.cpp:716
#9 0x012b9bc4 in WebCore::Element::recalcStyle (this=0x1873c400,
change=WebCore::Node::Force) at
/Volumes/Data/WebKit/WebCore/dom/Element.cpp:716
#10 0x01100184 in WebCore::Document::recalcStyle (this=0x2bcb600,
change=WebCore::Node::Force) at
/Volumes/Data/WebKit/WebCore/dom/Document.cpp:1006
#11 0x01105f8c in WebCore::Document::updateStyleSelector (this=0x2bcb600) at
/Volumes/Data/WebKit/WebCore/dom/Document.cpp:1931
#12 0x0110661c in WebCore::Document::updateLayoutIgnorePendingStylesheets
(this=0x2bcb600) at /Volumes/Data/WebKit/WebCore/dom/Document.cpp:1076
#13 0x012b8b78 in WebCore::Element::clientHeight (this=0x189854e0) at
/Volumes/Data/WebKit/WebCore/dom/Element.cpp:334
#14 0x012a68cc in WebCore::JSElement::getValueProperty (this=0x1881fc00,
exec=0xbfffde2c, token=10) at
/symroots/Debug/DerivedSources/WebCore/JSElement.cpp:217
#15 0x016e4eac in KJS::staticValueGetter<WebCore::JSElement> (exec=0xbfffde2c,
slot=@0xbfffda08) at lookup.h:149
#16 0x005e9820 in KJS::PropertySlot::getValue (this=0xbfffda08,
exec=0xbfffde2c, originalObject=0x1881fc00, propertyName=@0x17033a4c) at
property_slot.h:47
#17 0x0056e018 in KJS::JSObject::get (this=0x1881fc00, exec=0xbfffde2c,
propertyName=@0x17033a4c) at object.cpp:166
#18 0x005c1730 in KJS::DotAccessorNode::evaluate (this=0x17033a40,
exec=0xbfffde2c) at nodes.cpp:563
#19 0x005be790 in KJS::AddNode::evaluate (this=0x189b6ed0, exec=0xbfffde2c) at
nodes.cpp:1209
#20 0x0057c8d4 in KJS::AssignExprNode::evaluate (this=0x17033ab0,
exec=0xbfffde2c) at nodes.cpp:1578
#21 0x005bd44c in KJS::VarDeclNode::evaluate (this=0x195c2550, exec=0xbfffde2c)
at nodes.cpp:1596
#22 0x005bd2f4 in KJS::VarDeclListNode::evaluate (this=0x16e8d370,
exec=0xbfffde2c) at nodes.cpp:1643
#23 0x005bd088 in KJS::VarStatementNode::execute (this=0x195c2570,
exec=0xbfffde2c) at nodes.cpp:1667
#24 0x005b97fc in KJS::SourceElementsNode::execute (this=0x195c2330,
exec=0xbfffde2c) at nodes.cpp:2528
#25 0x005894d4 in KJS::BlockNode::execute (this=0x170d6c50, exec=0xbfffde2c) at
nodes.cpp:1699
#26 0x00589624 in KJS::DeclaredFunctionImp::execute (this=0x1881fcc0,
exec=0xbfffde2c) at function.cpp:317
#27 0x00598ac8 in KJS::FunctionImp::callAsFunction (this=0x1881fcc0,
exec=0xbfffe18c, thisObj=0x16f9fdc0, args=@0xbfffdf70) at function.cpp:104
#28 0x0059b4f8 in KJS::JSObject::call (this=0x1881fcc0, exec=0xbfffe18c,
thisObj=0x16f9fdc0, args=@0xbfffdf70) at object.cpp:98
#29 0x005c1088 in KJS::FunctionCallResolveNode::evaluate (this=0x16e91130,
exec=0xbfffe18c) at nodes.cpp:694
#30 0x005bceb8 in KJS::ExprStatementNode::execute (this=0x195c23c0,
exec=0xbfffe18c) at nodes.cpp:1723
#31 0x005b96a8 in KJS::SourceElementsNode::execute (this=0x195c23e0,
exec=0xbfffe18c) at nodes.cpp:2522
#32 0x005894d4 in KJS::BlockNode::execute (this=0x195c2400, exec=0xbfffe18c) at
nodes.cpp:1699
#33 0x00589624 in KJS::DeclaredFunctionImp::execute (this=0x1881d320,
exec=0xbfffe18c) at function.cpp:317
#34 0x00598ac8 in KJS::FunctionImp::callAsFunction (this=0x1881d320,
exec=0x187262cc, thisObj=0x16f9fdc0, args=@0x189f1f24) at function.cpp:104
#35 0x0059b4f8 in KJS::JSObject::call (this=0x1881d320, exec=0x187262cc,
thisObj=0x16f9fdc0, args=@0x189f1f24) at object.cpp:98
#36 0x012ec3cc in KJS::ScheduledAction::execute (this=0x189f1f20,
window=0x16f9fdc0) at
/Volumes/Data/WebKit/WebCore/bindings/js/kjs_window.cpp:1918
#37 0x012ef734 in KJS::Window::timerFired (this=0x16f9fdc0, timer=0x1894ae10)
at /Volumes/Data/WebKit/WebCore/bindings/js/kjs_window.cpp:2054
#38 0x012ef7d0 in KJS::DOMWindowTimer::fired (this=0x1894ae10) at
/Volumes/Data/WebKit/WebCore/bindings/js/kjs_window.cpp:2641
#39 0x0126b6dc in WebCore::TimerBase::fireTimers (fireTime=1179386457.14042,
firingTimers=@0xbfffe480) at
/Volumes/Data/WebKit/WebCore/platform/Timer.cpp:336
#40 0x0126b7a8 in WebCore::TimerBase::sharedTimerFired () at
/Volumes/Data/WebKit/WebCore/platform/Timer.cpp:353
#41 0x0126ab98 in timerFired () at
/Volumes/Data/WebKit/WebCore/platform/mac/SharedTimerMac.cpp:46
#42 0x907f2578 in __CFRunLoopDoTimer ()
#43 0x907deef8 in __CFRunLoopRun ()
#44 0x907de4ac in CFRunLoopRunSpecific ()
#45 0x93298b20 in RunCurrentEventLoopInMode ()
#46 0x932981b4 in ReceiveNextEventCommon ()
#47 0x93298020 in BlockUntilNextEventMatchingListInMode ()
#48 0x9379eae4 in _DPSNextEvent ()
#49 0x9379e7a8 in -[NSApplication
nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#50 0x00006740 in ?? ()
#51 0x9379acec in -[NSApplication run] ()
#52 0x9388b87c in NSApplicationMain ()
#53 0x0005c77c in ?? ()
#54 0x0005c624 in ?? ()
And a backtrace after rmvScroll(msg) has run showing where the final relayout
occurs:
Breakpoint 4, WebCore::CSSStyleSelector::matchRulesForList (this=0x187f1e40,
rules=0x1700a910, firstRuleIndex=@0xbfffddbc, lastRuleIndex=@0xbfffddc0) at
/Volumes/Data/WebKit/WebCore/css/cssstyleselector.cpp:435
435 fprintf(stderr, ">>> CSSStyleRule = '%s' ",
rule->selectorText().ascii().data());
#0 WebCore::CSSStyleSelector::matchRulesForList (this=0x187f1e40,
rules=0x1700a910, firstRuleIndex=@0xbfffddbc, lastRuleIndex=@0xbfffddc0) at
/Volumes/Data/WebKit/WebCore/css/cssstyleselector.cpp:435
#1 0x0114fc9c in WebCore::CSSStyleSelector::matchRules (this=0x187f1e40,
rules=0x18f28610, firstRuleIndex=@0xbfffddbc, lastRuleIndex=@0xbfffddc0) at
/Volumes/Data/WebKit/WebCore/css/cssstyleselector.cpp:395
#2 0x0115ef54 in WebCore::CSSStyleSelector::styleForElement (this=0x187f1e40,
e=0x189854e0, defaultParent=0x0, allowSharing=true,
resolveForRootDefault=false) at
/Volumes/Data/WebKit/WebCore/css/cssstyleselector.cpp:877
#3 0x012b9844 in WebCore::Element::recalcStyle (this=0x189854e0,
change=WebCore::Node::NoChange) at
/Volumes/Data/WebKit/WebCore/dom/Element.cpp:676
#4 0x012b9bc4 in WebCore::Element::recalcStyle (this=0x1878e5d0,
change=WebCore::Node::NoChange) at
/Volumes/Data/WebKit/WebCore/dom/Element.cpp:716
#5 0x012b9bc4 in WebCore::Element::recalcStyle (this=0x1893c670,
change=WebCore::Node::NoChange) at
/Volumes/Data/WebKit/WebCore/dom/Element.cpp:716
#6 0x012b9bc4 in WebCore::Element::recalcStyle (this=0x1893c730,
change=WebCore::Node::NoChange) at
/Volumes/Data/WebKit/WebCore/dom/Element.cpp:716
#7 0x012b9bc4 in WebCore::Element::recalcStyle (this=0x195bd150,
change=WebCore::Node::NoChange) at
/Volumes/Data/WebKit/WebCore/dom/Element.cpp:716
#8 0x012b9bc4 in WebCore::Element::recalcStyle (this=0x1976b6a0,
change=WebCore::Node::NoChange) at
/Volumes/Data/WebKit/WebCore/dom/Element.cpp:716
#9 0x012b9bc4 in WebCore::Element::recalcStyle (this=0x1873c400,
change=WebCore::Node::NoChange) at
/Volumes/Data/WebKit/WebCore/dom/Element.cpp:716
#10 0x01100184 in WebCore::Document::recalcStyle (this=0x2bcb600,
change=WebCore::Node::NoChange) at
/Volumes/Data/WebKit/WebCore/dom/Document.cpp:1006
#11 0x010f6960 in WebCore::Document::updateRendering (this=0x2bcb600) at
/Volumes/Data/WebKit/WebCore/dom/Document.cpp:1028
#12 0x012ec624 in KJS::ScheduledAction::execute (this=0x189f1f20,
window=0x16f9fdc0) at
/Volumes/Data/WebKit/WebCore/bindings/js/kjs_window.cpp:1940
#13 0x012ef734 in KJS::Window::timerFired (this=0x16f9fdc0, timer=0x1894ae10)
at /Volumes/Data/WebKit/WebCore/bindings/js/kjs_window.cpp:2054
#14 0x012ef7d0 in KJS::DOMWindowTimer::fired (this=0x1894ae10) at
/Volumes/Data/WebKit/WebCore/bindings/js/kjs_window.cpp:2641
#15 0x0126b6dc in WebCore::TimerBase::fireTimers (fireTime=1179386457.14042,
firingTimers=@0xbfffe480) at
/Volumes/Data/WebKit/WebCore/platform/Timer.cpp:336
#16 0x0126b7a8 in WebCore::TimerBase::sharedTimerFired () at
/Volumes/Data/WebKit/WebCore/platform/Timer.cpp:353
#17 0x0126ab98 in timerFired () at
/Volumes/Data/WebKit/WebCore/platform/mac/SharedTimerMac.cpp:46
#18 0x907f2578 in __CFRunLoopDoTimer ()
#19 0x907deef8 in __CFRunLoopRun ()
#20 0x907de4ac in CFRunLoopRunSpecific ()
#21 0x93298b20 in RunCurrentEventLoopInMode ()
#22 0x932981b4 in ReceiveNextEventCommon ()
#23 0x93298020 in BlockUntilNextEventMatchingListInMode ()
#24 0x9379eae4 in _DPSNextEvent ()
#25 0x9379e7a8 in -[NSApplication
nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#26 0x00006740 in ?? ()
#27 0x9379acec in -[NSApplication run] ()
#28 0x9388b87c in NSApplicationMain ()
#29 0x0005c77c in ?? ()
#30 0x0005c624 in ?? ()
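The trigger sequence reconstructed in this comment (timer callback, dimension getters forcing layout, deleteRule()/insertRule(), post-callback updateRendering()), written as a constructed WebKit-style layout test that is added here and is not a test from the WebKit tree; rmvScroll() below is a stand-in for Yahoo! Mail's function, whose real body is not on this page. It assumes the layoutTestController hooks DumpRenderTree exposed at the time; in an ordinary browser it just shows the PASS/FAIL text, and a crash at step 4 is the regression it is meant to catch.

```html
<html>
<head>
<!-- Constructed regression test for the sequence in this comment; not from the
     WebKit tree. rmvScroll() is a stand-in for the Yahoo! Mail function. -->
<style>
  #msg { overflow: hidden; height: 40px; width: 200px; }
</style>
<script>
// DumpRenderTree hooks of the time (today's testRunner has the same names).
if (window.layoutTestController) {
    layoutTestController.dumpAsText();
    layoutTestController.waitUntilDone();
}
// Stand-in for rmvScroll(msg): force layout, then replace the governing rule.
function rmvScroll(msg) {
    // Step 2: each getter calls updateLayoutIgnorePendingStylesheets(), which
    // runs a style recalc while the timeout callback is still executing.
    var dims = msg.clientHeight + msg.scrollHeight + msg.offsetWidth +
               msg.clientWidth + msg.scrollWidth;
    // Step 3: deleteRule()/insertRule() replace the #msg rule, the swap that
    // comment #20 ties to the stale references.
    var sheet = document.styleSheets[0];
    sheet.deleteRule(0);
    sheet.insertRule("#msg { overflow: visible; height: auto; }", 0);
    msg.style.overflow = "visible";
    msg.style.visibility = "visible";
    return dims;
}
function report(text) {
    document.getElementById("result").textContent = text;
    if (window.layoutTestController)
        layoutTestController.notifyDone();
}
// Step 1: run from a timer so that, when the callback returns,
// ScheduledAction::execute() does its post-callback updateRendering() (step 4).
window.onload = function () {
    setTimeout(function () {
        rmvScroll(document.getElementById("msg"));
        // Report from a later timer turn, after that rendering update has run.
        setTimeout(function () { report("PASS: no crash after rule swap"); }, 0);
    }, 0);
};
</script>
</head>
<body>
<div id="msg"><p>message body</p><p>second paragraph</p></div>
<div id="result">FAIL: script did not complete</div>
</body>
</html>
```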