[Webkit-unassigned] [Bug 193937] New: compositing/iframes/remove-reinsert-webview-with-iframe.html crashes under ScrollingTree::updateTreeFromStateNode()

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jan 28 16:34:45 PST 2019


https://bugs.webkit.org/show_bug.cgi?id=193937

            Bug ID: 193937
           Summary: compositing/iframes/remove-reinsert-webview-with-iframe.html crashes under ScrollingTree::updateTreeFromStateNode()
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: simon.fraser at apple.com

3   0x56001dae2 WTF::RefCountedBase::ref() const
4   0x562f4d7f5 void WTF::refIfNotNull<WebCore::ScrollingTreeNode>(WebCore::ScrollingTreeNode*)
5   0x562f4d7b4 WTF::RefPtr<WebCore::ScrollingTreeNode, WTF::DumbPtrTraits<WebCore::ScrollingTreeNode> >::RefPtr(WebCore::ScrollingTreeNode*)
6   0x562f4d74d WTF::RefPtr<WebCore::ScrollingTreeNode, WTF::DumbPtrTraits<WebCore::ScrollingTreeNode> >::RefPtr(WebCore::ScrollingTreeNode*)
7   0x562f40ef3 WTF::RefPtr<WebCore::ScrollingTreeNode, WTF::DumbPtrTraits<WebCore::ScrollingTreeNode> >::operator=(WebCore::ScrollingTreeNode*)
8   0x562f407a8 WebCore::ScrollingTree::updateTreeFromStateNode(WebCore::ScrollingStateNode const*, WTF::HashMap<unsigned long long, WTF::RefPtr<WebCore::ScrollingTreeNode, WTF::DumbPtrTraits<WebCore::ScrollingTreeNode> >, WTF::IntHash<unsigned long long>, WTF::HashTraits<unsigned long long>, WTF::HashTraits<WTF::RefPtr<WebCore::ScrollingTreeNode, WTF::DumbPtrTraits<WebCore::ScrollingTreeNode> > > >&)
9   0x562f40c83 WebCore::ScrollingTree::updateTreeFromStateNode(WebCore::ScrollingStateNode const*, WTF::HashMap<unsigned long long, WTF::RefPtr<WebCore::ScrollingTreeNode, WTF::DumbPtrTraits<WebCore::ScrollingTreeNode> >, WTF::IntHash<unsigned long long>, WTF::HashTraits<unsigned long long>, WTF::HashTraits<WTF::RefPtr<WebCore::ScrollingTreeNode, WTF::DumbPtrTraits<WebCore::ScrollingTreeNode> > > >&)
10  0x562f40c83 WebCore::ScrollingTree::updateTreeFromStateNode(WebCore::ScrollingStateNode const*, WTF::HashMap<unsigned long long, WTF::RefPtr<WebCore::ScrollingTreeNode, WTF::DumbPtrTraits<WebCore::ScrollingTreeNode> >, WTF::IntHash<unsigned long long>, WTF::HashTraits<unsigned long long>, WTF::HashTraits<WTF::RefPtr<WebCore::ScrollingTreeNode, WTF::DumbPtrTraits<WebCore::ScrollingTreeNode> > > >&)
11  0x562f40471 WebCore::ScrollingTree::commitTreeState(std::__1::unique_ptr<WebCore::ScrollingStateTree, std::__1::default_delete<WebCore::ScrollingStateTree> >)
12  0x562f529da WebCore::ThreadedScrollingTree::commitTreeState(std::__1::unique_ptr<WebCore::ScrollingStateTree, std::__1::default_delete<WebCore::ScrollingStateTree> >)
13  0x5605cfd7b WebCore::ScrollingCoordinatorMac::commitTreeState()::$_2::operator()() const
14  0x5605cfc59 WTF::Function<void ()>::CallableWrapper<WebCore::ScrollingCoordinatorMac::commitTreeState()::$_2>::call()
15  0x56000f6ca WTF::Function<void ()>::operator()() const
16  0x562f3f70b WebCore::ScrollingThread::dispatchFunctionsFromScrollingThread()
17  0x5605c4876 WebCore::ScrollingThread::threadRunLoopSourceCallback()
18  0x5605c46b5 WebCore::ScrollingThread::threadRunLoopSourceCallback(void*)

This is about unparented subtrees. We've unparented a subframe node, so its scrolling tree node gets deleted (but not removed from the node map). We then re-parent it, try to look up the node in m_nodeMap and get a deleted pointer.
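As an added illustration of the stale node-map entry described above (a constructed model, not WebKit's ScrollingTree code; the Node and Tree types and the nodeMap table are assumptions standing in for the real classes), the buggy and the fixed unparent paths side by side:

```cpp
#include <algorithm>
#include <cstdint>
#include <memory>
#include <unordered_map>
#include <vector>

// Constructed model, not WebKit code: the tree owns its nodes, and a side
// table (nodeMap) maps node IDs to non-owning pointers so a commit can find an
// existing node by ID. The two unparent paths differ only in nodeMap upkeep.
struct Node {
    uint64_t id;
    std::vector<std::unique_ptr<Node>> children;  // owning edges
    explicit Node(uint64_t i) : id(i) {}
};
struct Tree {
    Node root{0};
    std::unordered_map<uint64_t, Node*> nodeMap;  // non-owning; must track deletions
    Node* insert(Node& parent, uint64_t id) {
        parent.children.push_back(std::make_unique<Node>(id));
        return nodeMap[id] = parent.children.back().get();
    }
    // Take the child with the given ID out of parent, returning ownership.
    std::unique_ptr<Node> detach(Node& parent, uint64_t id) {
        auto it = std::find_if(parent.children.begin(), parent.children.end(),
                               [id](const std::unique_ptr<Node>& c) { return c->id == id; });
        if (it == parent.children.end()) return nullptr;
        std::unique_ptr<Node> sub = std::move(*it);
        parent.children.erase(it);
        return sub;
    }
    // Buggy: the subtree is freed when the returned unique_ptr is discarded, but
    // its IDs stay in nodeMap, so a later lookup by ID hands back freed memory.
    void unparentBuggy(Node& parent, uint64_t id) { detach(parent, id); }
    // Fixed: purge every ID of the subtree from nodeMap before it is freed.
    void unparentFixed(Node& parent, uint64_t id) { if (auto sub = detach(parent, id)) eraseIds(*sub); }
    void eraseIds(Node& n) {
        nodeMap.erase(n.id);
        for (auto& c : n.children) eraseIds(*c);
    }
};
// Unparent a subframe (ID 2, containing node 3) and report whether nodeMap
// still lists nodes that no longer exist; only the buggy path returns true.
bool staleEntryAfterUnparent(bool useFixed) {
    Tree tree;
    Node* subframe = tree.insert(tree.root, 2);
    tree.insert(*subframe, 3);
    if (useFixed) tree.unparentFixed(tree.root, 2);
    else tree.unparentBuggy(tree.root, 2);
    return tree.nodeMap.count(2) || tree.nodeMap.count(3);
}
```

The check only inspects the map keys and never dereferences the stale pointer, which is why it is safe to run; in the real tree, the re-parent step does the dereference and that is the crash.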
