[Webkit-unassigned] [Bug 97841] New: Crash re-entering Document layout with frame flattening enabled

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Sep 27 19:11:27 PDT 2012 

https://bugs.webkit.org/show_bug.cgi?id=97841

           Summary: Crash re-entering Document layout with frame
                    flattening enabled
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Frames
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: simon.fraser at apple.com
                CC: beidson at apple.com, kenneth at webkit.org


Navigation with framesets and plugins and the page cache can cause layout to be re-entered, causing crashes. I have a layout test that reproduces this.

In debug, DRT will assert about layout being called on a FrameView whose frame's view is not it:


Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore                 0x000000010ca49076 WebCore::RenderView::layout() + 886 (RenderView.cpp:158)
1   com.apple.WebCore                 0x000000010bce8192 WebCore::FrameView::layout(bool) + 3426 (FrameView.cpp:1190)
2   com.apple.WebCore                 0x000000010bce8a3c WebCore::FrameView::doLayoutWithFrameFlattening(bool) + 380 (FrameView.cpp:3128)
3   com.apple.WebCore                 0x000000010bce761d WebCore::FrameView::layout(bool) + 493 (FrameView.cpp:1011)
4   com.apple.WebCore                 0x000000010bcf1765 WebCore::FrameView::forceLayout(bool) + 37 (FrameView.cpp:3412)
5   com.apple.WebKit                  0x000000010af85565 -[WebHTMLView layoutToMinimumPageWidth:height:originalPageWidth:originalPageHeight:maximumShrinkRatio:adjustingViewSize:] + 469 (WebHTMLView.mm:3065)
6   com.apple.WebKit                  0x000000010af855cc -[WebHTMLView layout] + 76 (WebHTMLView.mm:3079)
7   com.apple.WebKit                  0x000000010af226f8 -[WebDynamicScrollBarsView(WebInternal) updateScrollers] + 264 (WebDynamicScrollBarsView.mm:266)
8   com.apple.WebKit                  0x000000010af23364 -[WebDynamicScrollBarsView(WebInternal) reflectScrolledClipView:] + 228 (WebDynamicScrollBarsView.mm:408)
9   com.apple.AppKit                  0x00007fff8d94b59a -[NSClipView _selfBoundsChanged] + 689
10  com.apple.AppKit                  0x00007fff8d94ad70 -[NSClipView setFrameSize:] + 410
11  com.apple.AppKit                  0x00007fff8d8f503e -[NSView setFrame:] + 299
12  com.apple.AppKit                  0x00007fff8d9b8abf -[NSScrollView _setContentViewFrame:] + 596
13  com.apple.AppKit                  0x00007fff8d9b84f7 -[NSScrollView _applyContentAreaLayout:] + 129
14  com.apple.AppKit                  0x00007fff8d9b75ae -[NSScrollView tile] + 2091
15  com.apple.WebKit                  0x000000010af222a9 -[WebDynamicScrollBarsView(WebInternal) tile] + 57 (WebDynamicScrollBarsView.mm:212)
16  com.apple.AppKit                  0x00007fff8d9b6ce6 -[NSScrollView _tileWithoutRecursing] + 49
17  com.apple.AppKit                  0x00007fff8d9b6c6a -[NSScrollView _update] + 30
18  com.apple.AppKit                  0x00007fff8d8f57f8 -[NSView setFrameSize:] + 1101
19  com.apple.AppKit                  0x00007fff8d9bbf0c -[NSScrollView setFrameSize:] + 1131
20  com.apple.AppKit                  0x00007fff8d8f503e -[NSView setFrame:] + 299
21  com.apple.AppKit                  0x00007fff8d94a2a2 -[NSView resizeWithOldSuperviewSize:] + 1502
22  com.apple.AppKit                  0x00007fff8d9493e7 -[NSView resizeSubviewsWithOldSize:] + 318
23  com.apple.AppKit                  0x00007fff8d8f57f8 -[NSView setFrameSize:] + 1101
24  com.apple.WebKit                  0x000000010af51deb -[WebFrameView setFrameSize:] + 267 (WebFrameView.mm:514)
25  com.apple.AppKit                  0x00007fff8d8f503e -[NSView setFrame:] + 299
26  com.apple.WebCore                 0x000000010cf07b1f WebCore::Widget::setFrameRect(WebCore::IntRect const&) + 607 (WidgetMac.mm:178)
27  com.apple.WebCore                 0x000000010cb14df7 WebCore::ScrollView::setFrameRect(WebCore::IntRect const&) + 103 (ScrollView.cpp:872)
28  com.apple.WebCore                 0x000000010bce53cf WebCore::FrameView::setFrameRect(WebCore::IntRect const&) + 95 (FrameView.cpp:442)
29  com.apple.WebCore                 0x000000010ca57425 WebCore::RenderWidget::setWidgetGeometry(WebCore::FractionalLayoutRect const&) + 437 (RenderWidget.cpp:159)
30  com.apple.WebCore                 0x000000010ca576e7 WebCore::RenderWidget::updateWidgetGeometry() + 423 (RenderWidget.cpp:175)
31  com.apple.WebCore                 0x000000010ca587d3 WebCore::RenderWidget::updateWidgetPosition() + 83 (RenderWidget.cpp:331)
32  com.apple.WebCore                 0x000000010c896846 WebCore::RenderFrameBase::layoutWithFlattening(bool, bool) + 374 (RenderFrameBase.cpp:70)
33  com.apple.WebCore                 0x000000010c899ead WebCore::RenderFrameSet::positionFramesWithFlattening() + 893 (RenderFrameSet.cpp:592)
34  com.apple.WebCore                 0x000000010c899951 WebCore::RenderFrameSet::layout() + 961 (RenderFrameSet.cpp:487)
35  com.apple.WebCore                 0x000000010c7bdd6c WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&) + 1324 (RenderBlock.cpp:2487)
36  com.apple.WebCore                 0x000000010c7b48d4 WebCore::RenderBlock::layoutBlockChildren(bool, WebCore::FractionalLayoutUnit&) + 1316 (RenderBlock.cpp:2421)
37  com.apple.WebCore                 0x000000010c7b1dc6 WebCore::RenderBlock::layoutBlock(bool, WebCore::FractionalLayoutUnit) + 1590 (RenderBlock.cpp:1556)
38  com.apple.WebCore                 0x000000010c7b0da5 WebCore::RenderBlock::layout() + 117 (RenderBlock.cpp:1378)
39  com.apple.WebCore                 0x000000010c7bdd6c WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&) + 1324 (RenderBlock.cpp:2487)
40  com.apple.WebCore                 0x000000010c7b48d4 WebCore::RenderBlock::layoutBlockChildren(bool, WebCore::FractionalLayoutUnit&) + 1316 (RenderBlock.cpp:2421)
41  com.apple.WebCore                 0x000000010c7b1dc6 WebCore::RenderBlock::layoutBlock(bool, WebCore::FractionalLayoutUnit) + 1590 (RenderBlock.cpp:1556)
42  com.apple.WebCore                 0x000000010c7b0da5 WebCore::RenderBlock::layout() + 117 (RenderBlock.cpp:1378)
43  com.apple.WebCore                 0x000000010ca4912e WebCore::RenderView::layout() + 1070 (RenderView.cpp:170)
44  com.apple.WebCore                 0x000000010bce8192 WebCore::FrameView::layout(bool) + 3426 (FrameView.cpp:1190)
45  com.apple.WebCore                 0x000000010bce8a3c WebCore::FrameView::doLayoutWithFrameFlattening(bool) + 380 (FrameView.cpp:3128)
46  com.apple.WebCore                 0x000000010bce761d WebCore::FrameView::layout(bool) + 493 (FrameView.cpp:1011)
47  com.apple.WebCore                 0x000000010bce3ee8 WebCore::FrameView::layoutTimerFired(WebCore::Timer<WebCore::FrameView>*) + 72 (FrameView.cpp:2125)
48  com.apple.WebCore                 0x000000010bcff713 WebCore::Timer<WebCore::FrameView>::fired() + 115 (Timer.h:100)
49  com.apple.WebCore                 0x000000010ce34bfd WebCore::ThreadTimers::sharedTimerFiredInternal() + 285 (ThreadTimers.cpp:118)
50  com.apple.WebCore                 0x000000010ce34999 WebCore::ThreadTimers::sharedTimerFired() + 25 (ThreadTimers.cpp:94)
51  com.apple.WebCore                 0x000000010cb599a3 WebCore::timerFired(__CFRunLoopTimer*, void*) + 67 (SharedTimerMac.mm:167)

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list