[Webkit-unassigned] [Bug 42561] Crash when computing pseudo-style of a vanished scrollbar

bugzilla-daemon at webkit.org
Wed Jul 28 15:49:10 PDT 2010


https://bugs.webkit.org/show_bug.cgi?id=42561





--- Comment #4 from Simon Fraser (smfr) <simon.fraser at apple.com>  2010-07-28 15:49:11 PST ---
Part of the issue is that the inspector runs a runloop, which causes us to re-enter the dispatchEvent machinery. Here's the stack for the destruction of the RenderLayer's scrollbar:

(gdb) bt
#0  WebCore::RenderLayer::destroyScrollbar (this=0x122b792d8, orientation=WebCore::HorizontalScrollbar) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/rendering/RenderLayer.cpp:1794
#1  0x0000000103be078a in WebCore::RenderLayer::~RenderLayer (this=0x122b792d8) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/rendering/RenderLayer.cpp:197
#2  0x0000000103bd8133 in WebCore::RenderLayer::destroy (this=0x122b792d8, renderArena=0x10965e7e0) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/rendering/RenderLayer.cpp:968
#3  0x0000000103baa7e7 in WebCore::RenderBoxModelObject::destroyLayer (this=0x11f27a0c8) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/rendering/RenderBoxModelObject.cpp:209
#4  0x0000000103c0b27b in WebCore::RenderObject::destroy (this=0x11f27a0c8) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/rendering/RenderObject.cpp:2167
#5  0x0000000103baa743 in WebCore::RenderBoxModelObject::destroy (this=0x11f27a0c8) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/rendering/RenderBoxModelObject.cpp:220
#6  0x0000000103ba203a in WebCore::RenderBox::destroy (this=0x11f27a0c8) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/rendering/RenderBox.cpp:96
#7  0x0000000103b6fe6f in WebCore::RenderBlock::destroy (this=0x11f27a0c8) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/rendering/RenderBlock.cpp:199
#8  0x0000000103aebbe7 in WebCore::Node::detach (this=0x11f2fbe10) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/dom/Node.cpp:1270
#9  0x000000010334ca4c in WebCore::ContainerNode::detach (this=0x11f2fbe10) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/dom/ContainerNode.cpp:647
#10 0x0000000103596103 in WebCore::Element::detach (this=0x11f2fbe10) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/dom/Element.cpp:837
#11 0x000000010334ca26 in WebCore::ContainerNode::detach (this=0x1262816c0) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/dom/ContainerNode.cpp:645
#12 0x0000000103596103 in WebCore::Element::detach (this=0x1262816c0) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/dom/Element.cpp:837
#13 0x000000010334dea7 in WebCore::ContainerNode::removeChild (this=0x12301a0e0, oldChild=0x1262816c0, ec=@0x7fff5fbfc2e8) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/dom/ContainerNode.cpp:374
#14 0x0000000103924408 in WebCore::JSNode::removeChild (this=0x1222a8c40, exec=0x11e0102c0) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/bindings/js/JSNodeCustom.cpp:97
#15 0x0000000103922b9e in WebCore::jsNodePrototypeFunctionRemoveChild (exec=0x11e0102c0) at /Volumes/InternalData/Development/webkit/OpenSource/WebKitBuild/Debug/DerivedSources/WebCore/JSNode.cpp:453
#16 0x000040b4118001aa in ?? ()
#17 0x0000000101dab28c in JSC::JITCode::execute (this=0x126e36ff8, registerFile=0x10935af68, callFrame=0x11e010150, globalData=0x10a04c000, exception=0x10a04d920) at JITCode.h:77
#18 0x0000000101da6caa in JSC::Interpreter::executeCall (this=0x10935af50, callFrame=0x109673a08, function=0x122ac4d40, callType=JSC::CallTypeJS, callData=@0x7fff5fbfc7a0, thisValue={m_ptr = 0x122ac2a40}, args=@0x7fff5fbfc760, exception=0x10a04d920) at /Volumes/InternalData/Development/webkit/OpenSource/JavaScriptCore/interpreter/Interpreter.cpp:780
#19 0x0000000101d62a83 in JSC::call (exec=0x109673a08, functionObject={m_ptr = 0x122ac4d40}, callType=JSC::CallTypeJS, callData=@0x7fff5fbfc7a0, thisValue={m_ptr = 0x122ac2a40}, args=@0x7fff5fbfc760) at /Volumes/InternalData/Development/webkit/OpenSource/JavaScriptCore/runtime/CallData.cpp:38
#20 0x00000001037f53b7 in WebCore::JSMainThreadExecState::call (exec=0x109673a08, functionObject={m_ptr = 0x122ac4d40}, callType=JSC::CallTypeJS, callData=@0x7fff5fbfc7a0, thisValue={m_ptr = 0x122ac2a40}, args=@0x7fff5fbfc760) at JSMainThreadExecState.h:48
#21 0x000000010388c1fa in WebCore::JSEventListener::handleEvent (this=0x10c8805f0, scriptExecutionContext=0x10c040468, event=0x107d482e0) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/bindings/js/JSEventListener.cpp:124
#22 0x00000001035b10de in WebCore::EventTarget::fireEventListeners (this=0x10c862750, event=0x107d482e0, d=0x10c862300, entry=@0x10c880260) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/dom/EventTarget.cpp:329
#23 0x00000001035b16ff in WebCore::EventTarget::fireEventListeners (this=0x10c862750, event=0x107d482e0) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/dom/EventTarget.cpp:290
#24 0x0000000103ae62db in WebCore::Node::handleLocalEvents (this=0x10c862750, event=0x107d482e0) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/dom/Node.cpp:2582
#25 0x0000000103ae695e in WebCore::Node::dispatchGenericEvent (this=0x126eb8310, prpEvent=@0x7fff5fbfcba0) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/dom/Node.cpp:2717
#26 0x0000000103ae6ec7 in WebCore::Node::dispatchEvent (this=0x126eb8310, prpEvent=@0x7fff5fbfcd30) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/dom/Node.cpp:2645
#27 0x0000000103ae512f in WebCore::Node::dispatchMouseEvent (this=0x126eb8310, eventType=@0x109384e18, button=0, detail=1, pageX=237, pageY=222, screenX=2191, screenY=316, ctrlKey=false, altKey=false, shiftKey=false, metaKey=false, isSimulated=false, relatedTargetArg=0x0, underlyingEvent=@0x7fff5fbfceb0) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/dom/Node.cpp:2937
#28 0x0000000103ae5613 in WebCore::Node::dispatchMouseEvent (this=0x126eb8310, event=@0x7fff5fbfd250, eventType=@0x109384e18, detail=1, relatedTarget=0x0) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/dom/Node.cpp:2846
#29 0x00000001035a04d2 in WebCore::EventHandler::dispatchMouseEvent (this=0x10c024f48, eventType=@0x109384e18, targetNode=0x126eb8310, clickCount=1, mouseEvent=@0x7fff5fbfd250, setUnder=true) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/page/EventHandler.cpp:1845
#30 0x00000001035a63d1 in WebCore::EventHandler::handleMousePressEvent (this=0x10c024f48, mouseEvent=@0x7fff5fbfd250) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/page/EventHandler.cpp:1305
#31 0x00000001035ac108 in WebCore::EventHandler::mouseDown (this=0x10c024f48, event=0x107d49c60) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/page/mac/EventHandlerMac.mm:494
#32 0x00000001025190fd in -[WebHTMLView mouseDown:] (self=0x109622b20, _cmd=0x7fff875b1de8, event=0x107d49c60) at /Volumes/InternalData/Development/webkit/OpenSource/WebKit/mac/WebView/WebHTMLView.mm:3538
#33 0x00007fff86fac763 in -[NSWindow sendEvent:] ()
#34 0x00007fff86ee1ee2 in -[NSApplication sendEvent:] ()
#35 0x0000000100080f7f in -[BrowserApplication sendEvent:] (self=0x109010880, _cmd=0x7fff875a7b60, event=0x107d49c60) at /Volumes/InternalData/Development/webkit/Internal/Safari/mac/BrowserApplication.mm:400
#36 0x00000001035ad6ee in WebCore::EventLoop::cycle (this=0x7fff5fbfd98e) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/platform/mac/EventLoopMac.mm:39
#37 0x0000000103ccbe91 in WebCore::ScriptDebugServer::pauseIfNeeded (this=0x109374080, page=0x10c8047b0) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/bindings/js/ScriptDebugServer.cpp:456
#38 0x0000000103ccc4d9 in WebCore::ScriptDebugServer::atStatement (this=0x109374080, debuggerCallFrame=@0x7fff5fbfda30, sourceID=4817558224, lineNumber=8) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/bindings/js/ScriptDebugServer.cpp:485
#39 0x0000000101da5401 in JSC::Interpreter::debug (this=0x10935af50, callFrame=0x11e0100a0, debugHookID=JSC::WillExecuteStatement, firstLine=8, lastLine=8) at /Volumes/InternalData/Development/webkit/OpenSource/JavaScriptCore/interpreter/Interpreter.cpp:1125
#40 0x0000000101dcc774 in cti_op_debug (args=0x7fff5fbfdae0) at /Volumes/InternalData/Development/webkit/OpenSource/JavaScriptCore/jit/JITStubs.cpp:3452
Could not find the frame base for "WTF::doubleHash(unsigned int)".
#41 0x0000000101dcb1df in WTF::doubleHash (key=) at HashTable.h:447
#42 0x0000000101dab28c in JSC::JITCode::execute (this=0x11f384028, registerFile=0x10935af68, callFrame=0x11e010040, globalData=0x10a04c000, exception=0x10a04d920) at JITCode.h:77
#43 0x0000000101da6caa in JSC::Interpreter::executeCall (this=0x10935af50, callFrame=0x11f28e4c8, function=0x122ae76c0, callType=JSC::CallTypeJS, callData=@0x7fff5fbfdf20, thisValue={m_ptr = 0x122ae7800}, args=@0x7fff5fbfdee0, exception=0x10a04d920) at /Volumes/InternalData/Development/webkit/OpenSource/JavaScriptCore/interpreter/Interpreter.cpp:780
#44 0x0000000101d62a83 in JSC::call (exec=0x11f28e4c8, functionObject={m_ptr = 0x122ae76c0}, callType=JSC::CallTypeJS, callData=@0x7fff5fbfdf20, thisValue={m_ptr = 0x122ae7800}, args=@0x7fff5fbfdee0) at /Volumes/InternalData/Development/webkit/OpenSource/JavaScriptCore/runtime/CallData.cpp:38
#45 0x00000001037f53b7 in WebCore::JSMainThreadExecState::call (exec=0x11f28e4c8, functionObject={m_ptr = 0x122ae76c0}, callType=JSC::CallTypeJS, callData=@0x7fff5fbfdf20, thisValue={m_ptr = 0x122ae7800}, args=@0x7fff5fbfdee0) at JSMainThreadExecState.h:48
#46 0x000000010388c1fa in WebCore::JSEventListener::handleEvent (this=0x11f262d50, scriptExecutionContext=0x10886ec68, event=0x11f384ae0) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/bindings/js/JSEventListener.cpp:124
#47 0x00000001035b10de in WebCore::EventTarget::fireEventListeners (this=0x11f262c30, event=0x11f384ae0, d=0x11f2617c0, entry=@0x11f261860) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/dom/EventTarget.cpp:329
#48 0x00000001035b16ff in WebCore::EventTarget::fireEventListeners (this=0x11f262c30, event=0x11f384ae0) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/dom/EventTarget.cpp:290
#49 0x0000000103ae62db in WebCore::Node::handleLocalEvents (this=0x11f262c30, event=0x11f384ae0) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/dom/Node.cpp:2582
#50 0x0000000103ae69e7 in WebCore::Node::dispatchGenericEvent (this=0x11f262c30, prpEvent=@0x7fff5fbfe320) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/dom/Node.cpp:2725
#51 0x0000000103ae6ec7 in WebCore::Node::dispatchEvent (this=0x11f262c30, prpEvent=@0x7fff5fbfe4b0) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/dom/Node.cpp:2645
#52 0x0000000103ae512f in WebCore::Node::dispatchMouseEvent (this=0x11f262c30, eventType=@0x109384d10, button=0, detail=1, pageX=47, pageY=14, screenX=123, screenY=115, ctrlKey=false, altKey=false, shiftKey=false, metaKey=false, isSimulated=false, relatedTargetArg=0x0, underlyingEvent=@0x7fff5fbfe630) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/dom/Node.cpp:2937
#53 0x0000000103ae5613 in WebCore::Node::dispatchMouseEvent (this=0x11f262c30, event=@0x7fff5fbfe8a0, eventType=@0x109384d10, detail=1, relatedTarget=0x0) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/dom/Node.cpp:2846
#54 0x00000001035a04d2 in WebCore::EventHandler::dispatchMouseEvent (this=0x109808948, eventType=@0x109384d10, targetNode=0x11f262c30, clickCount=1, mouseEvent=@0x7fff5fbfe8a0, setUnder=true) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/page/EventHandler.cpp:1845
#55 0x00000001035a3c15 in WebCore::EventHandler::handleMouseReleaseEvent (this=0x109808948, mouseEvent=@0x7fff5fbfe8a0) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/page/EventHandler.cpp:1573
#56 0x00000001035abea5 in WebCore::EventHandler::mouseUp (this=0x109808948, event=0x11f384670) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/page/mac/EventHandlerMac.mm:534
#57 0x00000001025181bd in -[WebHTMLView mouseUp:] (self=0x10c805c60, _cmd=0x7fff875b27c4, event=0x11f384670) at /Volumes/InternalData/Development/webkit/OpenSource/WebKit/mac/WebView/WebHTMLView.mm:3697
#58 0x00007fff86fac7ed in -[NSWindow sendEvent:] ()
#59 0x0000000100380ccc in -[Window sendEvent:] (self=0x10961ebe0, _cmd=0x7fff875a7b60, event=0x11f384670) at /Volumes/InternalData/Development/webkit/Internal/Safari/mac/Window.m:100
#60 0x00000001000c5b35 in -[BrowserWindow sendEvent:] (self=0x10961ebe0, _cmd=0x7fff875a7b60, event=0x11f384670) at /Volumes/InternalData/Development/webkit/Internal/Safari/mac/BrowserWindow.mm:417
#61 0x00007fff86ee1ee2 in -[NSApplication sendEvent:] ()
#62 0x0000000100080f7f in -[BrowserApplication sendEvent:] (self=0x109010880, _cmd=0x7fff875a7b60, event=0x11f384670) at /Volumes/InternalData/Development/webkit/Internal/Safari/mac/BrowserApplication.mm:400
#63 0x00007fff86e78922 in -[NSApplication run] ()
#64 0x00007fff86e715f8 in NSApplicationMain ()
#65 0x00000001002300e9 in main (argc=5, argv=0x7fff5fbff150) at /Volumes/InternalData/Development/webkit/Internal/Safari/mac/main.mm:157
Current language:  auto; currently objective-c++
Warning: the current language does not match this frame.
(gdb)

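A triage aid for the re-entrancy described in the comment above, added here as an example and not code from the bug report or from WebKit: it parses gdb `bt` output and lists the functions that are live on the stack both outside and inside a nested run-loop frame, plus the teardown frames that ran inside it. The sample trace is a constructed, abridged version of the backtrace above (addresses and arguments are placeholders); treating `EventLoop::cycle` as the run-loop marker and names containing `destroy` or `::~` as teardown are assumptions of this example.

```python
import re

# gdb `bt` frame line: "#N  [0xADDR in ]FUNCTION (args) [at file:line]"
FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-fA-F]+ in )?(.+?) \(")

# Constructed sample: abridged from the backtrace above, placeholder addresses/args.
SAMPLE_BT = """\
#0  WebCore::RenderLayer::destroyScrollbar (this=0x1) at RenderLayer.cpp:1794
#1  0x01 in WebCore::RenderLayer::~RenderLayer (this=0x1) at RenderLayer.cpp:197
#2  0x02 in WebCore::ContainerNode::removeChild (this=0x2) at ContainerNode.cpp:374
#3  0x03 in WebCore::JSEventListener::handleEvent (this=0x3) at JSEventListener.cpp:124
#4  0x04 in WebCore::Node::dispatchEvent (this=0x4) at Node.cpp:2645
#5  0x05 in WebCore::EventHandler::handleMousePressEvent (this=0x5) at EventHandler.cpp:1305
#6  0x06 in -[NSApplication sendEvent:] ()
#7  0x07 in WebCore::EventLoop::cycle (this=0x6) at EventLoopMac.mm:39
#8  0x08 in WebCore::ScriptDebugServer::pauseIfNeeded (this=0x7) at ScriptDebugServer.cpp:456
Could not find the frame base for "WTF::doubleHash(unsigned int)".
#9  0x09 in WebCore::JSEventListener::handleEvent (this=0x8) at JSEventListener.cpp:124
#10 0x0a in WebCore::Node::dispatchEvent (this=0x9) at Node.cpp:2645
#11 0x0b in WebCore::EventHandler::handleMouseReleaseEvent (this=0xa) at EventHandler.cpp:1573
#12 0x0c in -[NSApplication sendEvent:] ()
"""

def parse_frames(bt_text):
    """Return [(frame_no, function)], innermost frame first; non-frame lines are skipped."""
    matches = (FRAME_RE.match(line.strip()) for line in bt_text.splitlines())
    return [(int(m.group(1)), m.group(2)) for m in matches if m]

def nested_loop_reentry(frames, pump_markers=("EventLoop::cycle",)):
    """For each frame that pumps a nested event loop (pump_markers is a heuristic),
    report functions live on both sides of it and teardown frames inside it."""
    findings = []
    for pump_no, pump_func in frames:
        if not any(mark in pump_func for mark in pump_markers):
            continue
        inner, outer = {}, {}
        for no, func in frames:  # setdefault keeps the lowest frame number per side
            if no != pump_no:
                (inner if no < pump_no else outer).setdefault(func, no)
        reentered = sorted((f, inner[f], outer[f]) for f in inner if f in outer)
        teardown = [(no, f) for no, f in frames
                    if no < pump_no and ("::~" in f or "destroy" in f.lower())]
        findings.append({"pump": (pump_no, pump_func),
                         "reentered": reentered, "teardown": teardown})
    return findings

if __name__ == "__main__":
    for finding in nested_loop_reentry(parse_frames(SAMPLE_BT)):
        print(finding)
```
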