[Webkit-unassigned] [Bug 65492] New: Crash in MainFrameScrollbarGtk::detachAdjustment (v. 1.4.2)

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Aug 1 15:10:56 PDT 2011 

https://bugs.webkit.org/show_bug.cgi?id=65492

           Summary: Crash in MainFrameScrollbarGtk::detachAdjustment (v.
                    1.4.2)
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
               URL: https://bugzilla.gnome.org/show_bug.cgi?id=638740
        OS/Version: Unspecified
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: WebKit Gtk
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: ed at catmur.co.uk


See downstream for full stack trace.

#0  0x005457a3 in g_type_check_instance_cast (type_instance=0xfffffffe, iface_type=80) at gtype.c:3969
#1  0x42489475 in WebCore::MainFrameScrollbarGtk::detachAdjustment (this=0xad9131b0) at WebCore/platform/gtk/MainFrameScrollbarGtk.cpp:79
#2  0x4249543b in WebCore::ScrollView::setHorizontalAdjustment (this=0xa8bc7a00, hadj=0x0, resetValues=true) at WebCore/platform/gtk/ScrollViewGtk.cpp:92
#3  0x42495705 in WebCore::ScrollView::setGtkAdjustments (this=0xa8bc7a00, hadj=0x0, vadj=0x0, resetValues=true) at WebCore/platform/gtk/ScrollViewGtk.cpp:161
#4  0x424c7ecd in WebKit::FrameLoaderClient::savePlatformDataToCachedFrame (this=0xa8ba50d0, cachedFrame=0xadd4ed20) at WebKit/gtk/WebCoreSupport/FrameLoaderClientGtk.cpp:1270
#5  0x41f1012e in WebCore::CachedFrame::CachedFrame (this=0xadd4ed20, frame=0xa8ba0c00) at WebCore/history/CachedFrame.cpp:144
#6  0x41f1017c in create (this=0xadd4e780, frame=0xaa23c200) at WebCore/history/CachedFrame.h:73
#7  WebCore::CachedFrame::CachedFrame (this=0xadd4e780, frame=0xaa23c200) at WebCore/history/CachedFrame.cpp:148
#8  0x41f10502 in create (this=0xb6fa9260, page=0xad19df20) at WebCore/history/CachedFrame.h:73

On branch releases/WebKitGTK/webkit-1.4, if a ScrollView that previously did not have a parent acquires a parent, ScrollView::setHorizontalAdjustment()/ScrollView::setVerticalAdjustment() expect m_horizontalScrollbar/m_verticalScrollbar to be a MainFrameScrollbarGtk when it is actually a Scrollbar.  Result is heap UMR or similar.

Proposed fix is to remove the scrollbars when a ScrollView that previously did not have a parent acquires a parent; patch to follow.

Trunk does not have this issue as the dangerous casts are absent.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list