RESOLVED FIXED Bug 8360
Repro crash when onscroll handler deletes the scrolled object 
https://bugs.webkit.org/show_bug.cgi?id=8360
Summary Repro crash when onscroll handler deletes the scrolled object
mitz
Reported 2006-04-13 01:09:11 PDT
Follow-up to bug 7048, to track the remaining cases where an object is accessed after calling its onscroll handler, which may have deleted it.
Attachments
Test case (crashes) (698 bytes, text/html)
2006-04-13 01:11 PDT, mitz 		no flags
Details
Delay dispatching scroll events until after layout (33.95 KB, patch)
2007-01-20 03:55 PST, mitz 		sam: review-
DetailsFormatted DiffDiff
Delay dispatching scroll events until after layout (8.78 KB, patch)
2007-01-27 05:19 PST, mitz 		no flags
DetailsFormatted DiffDiff
Delay dispatching scroll events until after layout (r3) (7.59 KB, patch)
2007-01-27 07:39 PST, David Kilzer (:ddkilzer) 		darin: review+
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
mitz
Comment 1 2006-04-13 01:11:29 PDT
Created attachment 7673 [details] Test case (crashes) The second one doesn't crash, but I think it's only pure chance that it doesn't. There is one more crashing opportunity, in Marquee::start, which this test case doesn't cover.
Darin Adler
Comment 2 2006-05-09 09:23:25 PDT
This is the kind of thing that's quite difficult to fix without reference counting, and easy to fix with reference counting. We should consider adding reference counts to RenderLayer objects to fix this.
Alice Liu
Comment 3 2006-05-22 00:20:21 PDT
<rdar://problem/4556764>
Darin Adler
Comment 4 2006-06-04 12:02:34 PDT
I think the way to fix this is to go from the RenderLayer to the RenderObject and then from the RenderObject to that RenderObject's Element from the DOM. We can hold a referenced pointer to that element. Then we can get back to the layer from the element after the fact. If we can't get back, then we know the layer was destroyed. The only problem with that would be if there can be a layer for an object which does not correspond to an element (generated content). If there can, then this approach won't work. Otherwise, it's very easy to code. I'm tempted to code it up and then ask Hyatt if it's OK or not.
mitz
Comment 5 2006-06-04 12:22:06 PDT
(In reply to comment #4) > The only problem with that would be if there can be a layer for an object which > does not correspond to an element (generated content). Something like this? <style> div:before { content:'bar'; position: absolute; } </style> <div>foo</div>
mitz
Comment 6 2007-01-20 03:55:45 PST
Created attachment 12569 [details] Delay dispatching scroll events until after layout Comes with a layout test and a change log
Darin Adler
Comment 7 2007-01-20 08:08:42 PST
Comment on attachment 12569 [details] Delay dispatching scroll events until after layout The dispatchScrollEvent function should be private, not public. Can we test this? r=me
mitz
Comment 8 2007-01-20 08:14:09 PST
(In reply to comment #7) > The dispatchScrollEvent function should be private, not public. It is: @@ -377,6 +377,8 @@ private: > Can we test this? The patch includes a test.
Sam Weinig
Comment 9 2007-01-20 16:53:49 PST
Landed in r19005.
mitz
Comment 10 2007-01-21 15:14:12 PST
I think the patch had a negative effect on the Safari RSS sidebar and probably many sites that use JavaScript to keep elements in a fixed position.
Darin Adler
Comment 11 2007-01-21 15:21:32 PST
(In reply to comment #10) > I think the patch had a negative effect on the Safari RSS sidebar and probably > many sites that use JavaScript to keep elements in a fixed position. Lets roll it out and reopen the bug. Sam, would you do that?
mitz
Comment 12 2007-01-21 15:23:43 PST
(In reply to comment #11) > Lets roll it out and reopen the bug. Sam, would you do that? > Filed bug 12354
Sam Weinig
Comment 13 2007-01-21 16:01:14 PST
Patch rolled out in r19016.
Sam Weinig
Comment 14 2007-01-21 16:03:23 PST
Reopening bug!
Sam Weinig
Comment 15 2007-01-21 16:14:26 PST
Comment on attachment 12569 [details] Delay dispatching scroll events until after layout Marking r- as it caused regressions.
mitz
Comment 16 2007-01-27 05:19:58 PST
Created attachment 12704 [details] Delay dispatching scroll events until after layout Turns out FrameView already has a mechanism for delaying events.
David Kilzer (:ddkilzer)
Comment 17 2007-01-27 07:39:45 PST
Created attachment 12708 [details] Delay dispatching scroll events until after layout (r3) I'm pretty sure Mitz wanted this test to dump as text, so I changed the layout test from Attachment 12704 [details] to do just that.
Darin Adler
Comment 18 2007-01-28 18:17:49 PST
Comment on attachment 12708 [details] Delay dispatching scroll events until after layout (r3) Looks fine, r=me.
David Kilzer (:ddkilzer)
Comment 19 2007-01-28 18:55:20 PST
Committed revision 19204.
David Kilzer (:ddkilzer)
Comment 20 2007-01-28 18:58:01 PST
Committed revision 19205. (Fixed ChangeLog entry to remove files that weren't committed.)
Note You need to log in before you can comment on or make changes to this bug.