<html>
    <head>
      <base href="https://bugs.webkit.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link bz_status_NEW" title="NEW - Possible crash in WebCore::RenderLayer::updateScrollbarsAfterLayout" href="https://bugs.webkit.org/show_bug.cgi?id=145142">145142</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>Possible crash in WebCore::RenderLayer::updateScrollbarsAfterLayout
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>Unclassified
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>WebKit
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>528+ (Nightly build)
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Unspecified
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Unspecified
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>Normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P2
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>Layout and Rendering
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>webkit-unassigned&#64;lists.webkit.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>bdakin&#64;apple.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>I have not been able to reproduce this crash, but according to symbolication m_vBar is null. It seems like this crash was probably caused by <a href="http://trac.webkit.org/changeset/173668">http://trac.webkit.org/changeset/173668</a>, which made it so that overflow:scroll behaves like overflow:auto when the scrollbars are overlay. I can see how you could encounter this crash with that change if the layout caused styleRequiresScrollbar() to return true when it used to return false. Then this code, by failing to nil-check the scrollbars, assumes that there is already a scrollbar, because it assumes that styleRequiresScrollbar() could not have changed based on a layout. But it could change if the CSS changed the scrollbars to be custom or if the user managed to switch to legacy style scrollbars at just the wrong time. Or I suppose it could also happen if the user has legacy scrollbars and the style switched from auto to scroll during the layout.

Anyway, we should null check the scrollbars.


<span class="quote">&gt;  1 com.apple.WebCore              0x7fff93692574 WebCore::RenderLayer::updateScrollbarsAfterLayout() + 0x204</span>
   2 com.apple.WebCore              0x7fff93691d34 WebCore::RenderLayer::updateScrollInfoAfterLayout() + 0x154
   3 com.apple.WebCore              0x7fff9410a6bd WebCore::RenderBlock::endAndCommitUpdateScrollInfoAfterLayoutTransaction() + 0x23d
   4 com.apple.WebCore              0x7fff93725c7f WebCore::RenderFlexibleBox::layoutBlock(bool, WebCore::LayoutUnit) + 0x38f
   5 com.apple.WebCore              0x7fff935dbaf3 WebCore::RenderBlock::layout() + 0x83
…</pre>
        </div>
      </p>
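      <p>The failure mode the report describes, as an added illustration (not WebKit code): a scrollbar object is created before layout only if the style requires one, the style then changes during layout so that styleRequiresScrollbar() flips to true, and the post-layout update assumes the object must exist. The class and member names below are hypothetical stand-ins for WebCore's RenderLayer, Scrollbar and m_vBar.</p>

```cpp
// Added illustration, not WebKit code: reduced model of the stale-precondition
// bug described in the report. Names are hypothetical stand-ins for WebCore's.
#include <memory>

enum class Overflow { Auto, Scroll };

struct Style {
    Overflow overflow = Overflow::Auto;
    bool overlayScrollbars = true;  // scrollbars drawn over content (no layout space)
    bool customScrollbars = false;  // CSS-styled (custom) scrollbars in effect
};

struct Scrollbar { bool enabled = false; };

class Layer {
public:
    explicit Layer(Style s) : m_style(s) {}

    // Mirrors the behaviour the report attributes to r173668: overflow:scroll
    // acts like overflow:auto when scrollbars are overlay, unless custom-styled.
    bool styleRequiresScrollbar() const {
        return m_style.overflow == Overflow::Scroll
            && (!m_style.overlayScrollbars || m_style.customScrollbars);
    }

    // Style can change between scrollbar creation and the post-layout update.
    void setStyle(Style s) { m_style = s; }

    // Creates the vertical scrollbar only if the style requires one right now.
    void updateScrollbarsBeforeLayout() {
        if (styleRequiresScrollbar() && !m_vBar)
            m_vBar = std::make_unique<Scrollbar>();
    }

    // Buggy pattern: treats styleRequiresScrollbar() as fixed since creation, so
    // m_vBar "must" exist. Here the null case is reported instead of dereferenced.
    bool updateAfterLayoutUnchecked() {
        if (!styleRequiresScrollbar()) return true;
        if (!m_vBar) return false;  // the real code would dereference null here
        m_vBar->enabled = true;
        return true;
    }

    // Hardened pattern: null-check, and create the scrollbar on demand.
    bool updateAfterLayoutChecked() {
        if (styleRequiresScrollbar() && !m_vBar) m_vBar = std::make_unique<Scrollbar>();
        if (m_vBar) m_vBar->enabled = styleRequiresScrollbar();
        return true;
    }

    bool hasVBar() const { return m_vBar != nullptr; }
private:
    Style m_style;
    std::unique_ptr<Scrollbar> m_vBar;
};
```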
      <hr>
    </body>
</html>