[Webkit-unassigned] [Bug 136589] New: FrameView::adjustTiledBackingCoverage can use the RenderView before the new document is swapped in

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Sep 5 16:21:56 PDT 2014


https://bugs.webkit.org/show_bug.cgi?id=136589

           Summary: FrameView::adjustTiledBackingCoverage can use the
                    RenderView before the new document is swapped in
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Layout and Rendering
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: thorton at apple.com
                CC: sam at webkit.org, simon.fraser at apple.com


Steps to Reproduce:

1. Adjust FrameView::renderView to be this:

RenderView* FrameView::renderView() const
{
    RenderView* renderView = frame().contentRenderer();
    // Fire if the RenderView we were handed belongs to a different FrameView
    // (i.e. to another Document), not to this one.
    ASSERT(!renderView || &renderView->frameView() == this);
    return renderView;
}

2. Run the layout tests. For me, loader/go-back-to-different-window-size.html and fast/history/timed-refresh-in-cached-frame.html both failed with:

0   com.apple.JavaScriptCore          0x00000001133596ca WTFCrash + 42
1   com.apple.WebCore                 0x0000000114fecded WebCore::FrameView::renderView() const + 109 (FrameView.cpp:4549)
2   com.apple.WebCore                 0x0000000114ff5e53 WebCore::FrameView::adjustTiledBackingCoverage() + 51 (FrameView.cpp:2359)
3   com.apple.WebCore                 0x0000000114feb474 WebCore::FrameView::speculativeTilingEnableTimerFired(WebCore::Timer<WebCore::FrameView>&) + 68 (FrameView.cpp:2395)
4   com.apple.WebCore                 0x00000001150100b7 std::__1::__function::__func<std::__1::__bind<void (WebCore::FrameView::*&)(WebCore::Timer<WebCore::FrameView>&), WebCore::FrameView*&, std::__1::reference_wrapper<WebCore::Timer<WebCore::FrameView> > >, std::__1::allocator<std::__1::__bind<void (WebCore::FrameView::*&)(WebCore::Timer<WebCore::FrameView>&), WebCore::FrameView*&, std::__1::reference_wrapper<WebCore::Timer<WebCore::FrameView> > > >, void ()>::operator()() + 359 (functional:1370)
5   com.apple.WebCore                 0x000000011473b8aa std::__1::function<void ()>::operator()() const + 26 (functional:1755)
6   com.apple.WebCore                 0x000000011500cbdc WebCore::Timer<WebCore::FrameView>::fired() + 28 (Timer.h:134)

This means that FrameView::adjustTiledBackingCoverage is using the RenderView from a different Document (most likely, we haven't swapped the new document in yet).
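As an added illustration (a constructed model, not WebKit's code or the reporter's patch): the ownership condition from step 1 expressed as a query the timer callback can act on, so a tick that fires before the new document is swapped in is skipped instead of operating on the old document's RenderView. Frame, FrameView, RenderView and contentRenderer are stand-ins named after the WebCore classes and carry only what this scenario needs.

```cpp
// Constructed stand-ins for WebCore's Frame/FrameView/RenderView; not WebKit code.
struct FrameView;

struct RenderView {
    explicit RenderView(FrameView& v) : m_frameView(v) {}
    FrameView& frameView() const { return m_frameView; }
private:
    FrameView& m_frameView;  // back-pointer to the owning FrameView
};

struct Frame {
    // Until the new document is swapped in, this still points at the old renderer.
    RenderView* contentRenderer() const { return m_renderer; }
    void setContentRenderer(RenderView* r) { m_renderer = r; }
private:
    RenderView* m_renderer = nullptr;
};

struct FrameView {
    explicit FrameView(Frame& f) : m_frame(f) {}
    RenderView* renderView() const { return m_frame.contentRenderer(); }
    // The condition asserted in the report's step 1, as a query callers can act on.
    bool ownsCurrentRenderView() const {
        RenderView* rv = renderView();
        return !rv || &rv->frameView() == this;
    }
    // Timer callback: skip the tick rather than touch another view's renderer.
    bool adjustTiledBackingCoverage() {
        if (!ownsCurrentRenderView() || !renderView()) return false;
        ++m_adjustments;
        return true;
    }
    int adjustments() const { return m_adjustments; }
private:
    Frame& m_frame;
    int m_adjustments = 0;
};

// One tick before the swap (must be skipped) and one after (must run);
// returns -1 if the stale tick was not skipped, else the number of ticks that ran.
int adjustmentsAcrossDocumentSwap() {
    Frame frame;
    FrameView oldView(frame);
    RenderView oldRenderer(oldView);
    frame.setContentRenderer(&oldRenderer);
    FrameView newView(frame);               // new document's view, not yet swapped in
    bool early = newView.adjustTiledBackingCoverage();  // oldRenderer belongs to oldView
    RenderView newRenderer(newView);
    frame.setContentRenderer(&newRenderer); // document swapped in
    newView.adjustTiledBackingCoverage();
    return early ? -1 : newView.adjustments();
}
```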
