Bug 36894 - Crash with frame flattening on after r56854
Summary: Crash with frame flattening on after r56854
Status: CLOSED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Frames
Version: 528+ (Nightly build)
Hardware: PC OS X 10.5
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Duplicates: 36913 36914 36915 36920 36922 36927 36928 36969
Depends on:
Blocks: 35784
Reported: 2010-03-31 11:49 PDT by Greg Bolsinga
Modified: 2010-04-06 11:43 PDT (History)
CC: 11 users

See Also:


Attachments

Description Greg Bolsinga 2010-03-31 11:49:31 PDT
Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x00000001011cd4c0 WebCore::Frame::ownerElement() const + 12 (Frame.cpp:1107)
1   com.apple.WebCore             	0x00000001011f6d6c WebCore::FrameView::avoidScrollbarCreation() + 36 (FrameView.cpp:334)
2   com.apple.WebCore             	0x00000001018101c4 WebCore::ScrollView::setHasHorizontalScrollbar(bool) + 38 (ScrollView.cpp:84)
3   com.apple.WebCore             	0x00000001011f9faf WebCore::FrameView::~FrameView() + 359 (FrameView.cpp:165)

m_frame is being destroyed here and is being accessed.

To reproduce, apply the following patch, build WebKit debug and run Safari:

diff --git a/WebKit/mac/WebView/WebPreferences.mm b/WebKit/mac/WebView/WebPreferences.mm
index 84a6e9e..28f8f17 100644
--- a/WebKit/mac/WebView/WebPreferences.mm
+++ b/WebKit/mac/WebView/WebPreferences.mm
@@ -357,7 +357,7 @@ static WebCacheModel cacheModelForMainBundle(void)
         [NSNumber numberWithBool:NO],   WebKitWebGLEnabledPreferenceKey,
         [NSNumber numberWithBool:NO],   WebKitUsesProxiedOpenPanelPreferenceKey,
         [NSNumber numberWithUnsignedInt:4], WebKitPluginAllowedRunTimePreferenceKey,
-        [NSNumber numberWithBool:NO],   WebKitFrameFlatteningEnabledPreferenceKey,
+        [NSNumber numberWithBool:YES],   WebKitFrameFlatteningEnabledPreferenceKey,
         nil];
 
     // This value shouldn't ever change, which is assumed in the initialization of WebKitPDFDisplay
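Review bot: this hunk is a reproduction aid and should not land as-is: changing the compiled-in default of WebKitFrameFlatteningEnabledPreferenceKey from NO to YES would switch frame flattening on for every embedder rather than only for the test, so the toggle is better left to a preference set at runtime by whoever is reproducing. Minor: the `+` line keeps three spaces after `[NSNumber numberWithBool:YES],`, which is one column wider than the `NO` entries above it and breaks the alignment of the key column.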
Comment 1 Greg Bolsinga 2010-03-31 11:52:46 PDT
See Bug 36798
Comment 2 Kenneth Rohde Christiansen 2010-03-31 12:04:55 PDT
Could you try changing

void ScrollView::setHasVerticalScrollbar(bool hasBar)
{
    if (avoidScrollbarCreation())
        return;

to

    if (hasBar && avoidScrollbarCreation())
        return;
Comment 3 Greg Bolsinga 2010-03-31 12:08:46 PDT
I did that for both tests, and that prevents the crash.
Comment 4 Kenneth Rohde Christiansen 2010-03-31 12:17:53 PDT
Fix landed in r56856
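The lifetime problem behind this crash, and why the `hasBar &&` guard suggested in comment 2 (landed as r56856) is enough to avoid it, can be modelled outside WebKit. The following is an added example, not WebKit code: `Frame`, `ScrollView` and `FrameView` here are minimal hypothetical stand-ins that only reproduce the teardown order from the trace (~FrameView -> setHasHorizontalScrollbar(false) -> avoidScrollbarCreation() -> Frame::ownerElement()). The `m_frame == nullptr` check inside the hook is part of the model, not of the fix: real WebCore has no such check and would dereference the dead Frame, so the example counts that call instead of crashing on it.

```cpp
#include <cstdio>

// Hypothetical stand-in for WebCore::Frame (example code, not WebKit's).
struct Frame {
    // WebCore returns the owning <frame>/<iframe> element; a bool suffices here.
    bool ownerElement() const { return true; }
};

// Hypothetical stand-in for WebCore::ScrollView.
struct ScrollView {
    virtual ~ScrollView() {}

    // Virtual hook overridden by FrameView; this is the call that crashed.
    virtual bool avoidScrollbarCreation() const { return false; }

    // Shape of the setter before the fix: the hook is consulted even when a
    // scrollbar is being removed, which is exactly what the destructor does.
    void setHasHorizontalScrollbarUnguarded(bool hasBar)
    {
        if (avoidScrollbarCreation())
            return;
        m_hasHorizontalBar = hasBar;
    }

    // Shape after the fix (r56856): the hook only matters when a bar is being
    // created, so teardown (hasBar == false) never reaches it.
    void setHasHorizontalScrollbar(bool hasBar)
    {
        if (hasBar && avoidScrollbarCreation())
            return;
        m_hasHorizontalBar = hasBar;
    }

    bool m_hasHorizontalBar = true;
};

// Hypothetical stand-in for WebCore::FrameView.
struct FrameView : ScrollView {
    FrameView(Frame* frame, bool guarded, int* deadFrameHookCalls)
        : m_frame(frame), m_guarded(guarded), m_deadFrameHookCalls(deadFrameHookCalls) {}

    ~FrameView() override
    {
        // ~FrameView removes its scrollbars; in the trace this is
        // FrameView.cpp:165 -> ScrollView.cpp:84 -> Frame.cpp:1107.
        if (m_guarded)
            setHasHorizontalScrollbar(false);
        else
            setHasHorizontalScrollbarUnguarded(false);
    }

    bool avoidScrollbarCreation() const override
    {
        if (!m_frame) {
            // Model-only check: real WebCore would dereference the dead Frame
            // here. Record the would-be crash instead of reproducing it.
            ++*m_deadFrameHookCalls;
            return false;
        }
        return m_frame->ownerElement(); // simplified: flattening depends on the owner
    }

    Frame* m_frame;            // raw pointer that dangles once the Frame is gone
    bool m_guarded;
    int* m_deadFrameHookCalls;
};

// Simulates the lifetime from the report: the Frame is already torn down when
// the FrameView is destroyed. Returns how often the hook ran with no Frame
// behind it (1 = the crash path was taken, 0 = it was avoided).
int deadFrameHookCallsDuringTeardown(bool guarded)
{
    int calls = 0;
    Frame frame;
    FrameView* view = new FrameView(&frame, guarded, &calls);
    view->m_frame = nullptr;  // frame goes away first, as in the crash
    delete view;              // ~FrameView -> setHasHorizontalScrollbar(false)
    return calls;
}

int main()
{
    std::printf("unguarded setter: %d dead-frame hook call(s)\n", deadFrameHookCallsDuringTeardown(false));
    std::printf("guarded setter:   %d dead-frame hook call(s)\n", deadFrameHookCallsDuringTeardown(true));
    return 0;
}
```

The design point the fix relies on is that "do not create a scrollbar" is only a meaningful question when a scrollbar is about to be created; evaluating the hook on the removal path pulls a dependency on `m_frame` into the destructor, where that member can no longer be trusted. Short-circuiting on `hasBar` removes the dependency without adding a null check that would paper over other misuse.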
Comment 5 Simon Hausmann 2010-04-06 02:53:41 PDT
Revision r56856 cherry-picked into qtwebkit-2.0 with commit 59daec93fc7ad1f4c5dbeb88b67aca17d6f4cc3b
Comment 6 Alexey Proskuryakov 2010-04-06 11:41:42 PDT
*** Bug 36928 has been marked as a duplicate of this bug. ***
Comment 7 Alexey Proskuryakov 2010-04-06 11:42:49 PDT
*** Bug 36915 has been marked as a duplicate of this bug. ***
Comment 8 Alexey Proskuryakov 2010-04-06 11:42:52 PDT
*** Bug 36914 has been marked as a duplicate of this bug. ***
Comment 9 Alexey Proskuryakov 2010-04-06 11:42:56 PDT
*** Bug 36913 has been marked as a duplicate of this bug. ***
Comment 10 Alexey Proskuryakov 2010-04-06 11:42:59 PDT
*** Bug 36969 has been marked as a duplicate of this bug. ***
Comment 11 Alexey Proskuryakov 2010-04-06 11:43:08 PDT
*** Bug 36927 has been marked as a duplicate of this bug. ***
Comment 12 Alexey Proskuryakov 2010-04-06 11:43:18 PDT
*** Bug 36922 has been marked as a duplicate of this bug. ***
Comment 13 Alexey Proskuryakov 2010-04-06 11:43:30 PDT
*** Bug 36920 has been marked as a duplicate of this bug. ***