145142 2015-05-18 14:26:51 -0700 Crash in WebCore::RenderLayer::updateScrollbarsAfterLayout 2015-05-19 10:27:30 -0700 1 1 1 Unclassified WebKit Layout and Rendering 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED P2 Normal --- 1 bdakin webkit-unassigned bdakin commit-queue esprehn+autocc glenn kondapallykalyan simon.fraser thorton oldest_to_newest 1095680 0 bdakin 2015-05-18 14:26:51 -0700 I have not been able to reproduce this crash, but according to symbolication m_vBar is null. It seems like this crash was probably caused by http://trac.webkit.org/changeset/173668 which made it so that overflow:scroll behaves like overflow:auto when the scrollbars are overlay. I can see how you could encounter this crash with that change if the layout caused styleRequiresScrollbar() to return true when it used to return false. Then this code, by failing to nil-check the scrollbars assumes that there is already a scrollbar, because it assumes that styleRequiresScrollbar() could not have changed based on a layout. But it could change if the css changed the scrollbars to be custom or if the user managed switch to legacy style scrollbars at just the wrong time. Or I suppose it could also happen if the user has legacy scrollbars and the style switched from auto to scroll during the layout. Anyway, we should null check the scrollbars. > 1 com.apple.WebCore 0x7fff93692574 WebCore::RenderLayer::updateScrollbarsAfterLayout() + 0x204 2 com.apple.WebCore 0x7fff93691d34 WebCore::RenderLayer::updateScrollInfoAfterLayout() + 0x154 3 com.apple.WebCore 0x7fff9410a6bd WebCore::RenderBlock::endAndCommitUpdateScrollInfoAfterLayoutTransaction() + 0x23d 4 com.apple.WebCore 0x7fff93725c7f WebCore::RenderFlexibleBox::layoutBlock(bool, WebCore::LayoutUnit) + 0x38f 5 com.apple.WebCore 0x7fff935dbaf3 WebCore::RenderBlock::layout() + 0x83 … 1095684 1 253343 bdakin 2015-05-18 14:32:43 -0700 Created attachment 253343 Speculative fix 1095980 2 bdakin 2015-05-19 10:27:30 -0700 Thanks Simon! http://trac.webkit.org/changeset/184576 253343 2015-05-18 14:32:43 -0700 2015-05-18 19:16:25 -0700 Speculative fix for-review.txt text/plain 2678 bdakin SW5kZXg6IFNvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2Vi Q29yZS9DaGFuZ2VMb2cJKHJldmlzaW9uIDE4NDUxMSkKKysrIFNvdXJjZS9XZWJDb3JlL0NoYW5n ZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDI3IEBACisyMDE1LTA1LTE4ICBCZXRoIERh a2luICA8YmRha2luQGFwcGxlLmNvbT4KKworICAgICAgICBDcmFzaCBpbiBXZWJDb3JlOjpSZW5k ZXJMYXllcjo6dXBkYXRlU2Nyb2xsYmFyc0FmdGVyTGF5b3V0CisgICAgICAgIGh0dHBzOi8vYnVn cy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0xNDUxNDIKKworICAgICAgICBSZXZpZXdlZCBi eSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBJIGhhdmUgbm90IGJlZW4gYWJsZSB0byByZXBy b2R1Y2UgdGhpcyBjcmFzaCwgYnV0IGFjY29yZGluZyB0byBzeW1ib2xpY2F0aW9uIAorICAgICAg ICBtX3ZCYXIgaXMgbnVsbC4gSXQgc2VlbXMgbGlrZSB0aGlzIGNyYXNoIHdhcyBwcm9iYWJseSBj YXVzZWQgYnkgCisgICAgICAgIGh0dHA6Ly90cmFjLndlYmtpdC5vcmcvY2hhbmdlc2V0LzE3MzY2 OCB3aGljaCBtYWRlIGl0IHNvIHRoYXQgb3ZlcmZsb3c6c2Nyb2xsIAorICAgICAgICBiZWhhdmVz IGxpa2Ugb3ZlcmZsb3c6YXV0byB3aGVuIHRoZSBzY3JvbGxiYXJzIGFyZSBvdmVybGF5LiBJIGNh biBzZWUgaG93IHlvdSAKKyAgICAgICAgY291bGQgZW5jb3VudGVyIHRoaXMgY3Jhc2ggd2l0aCB0 aGF0IGNoYW5nZSBpZiB0aGUgbGF5b3V0IGNhdXNlZCAKKyAgICAgICAgc3R5bGVSZXF1aXJlc1Nj cm9sbGJhcigpIHRvIHJldHVybiB0cnVlIHdoZW4gaXQgdXNlZCB0byByZXR1cm4gZmFsc2UuIFRo ZW4gdGhpcyAKKyAgICAgICAgY29kZSwgYnkgZmFpbGluZyB0byBudWxsLWNoZWNrIHRoZSBzY3Jv bGxiYXJzLCBhc3N1bWVzIHRoYXQgCisgICAgICAgIHN0eWxlUmVxdWlyZXNTY3JvbGxiYXIoKSBj b3VsZCBub3QgaGF2ZSBjaGFuZ2VkIGJhc2VkIG9uIGEgbGF5b3V0LiBCdXQgaXQgY291bGQgCisg ICAgICAgIGNoYW5nZSBpZiB0aGUgY3NzIGNoYW5nZWQgdGhlIHNjcm9sbGJhcnMgdG8gYmUgY3Vz dG9tIG9yIGlmIHRoZSB1c2VyIG1hbmFnZWQgCisgICAgICAgIHN3aXRjaCB0byBsZWdhY3kgc3R5 bGUgc2Nyb2xsYmFycyBhdCBqdXN0IHRoZSB3cm9uZyB0aW1lLiBPciBJIHN1cHBvc2UgaXQgY291 bGQgCisgICAgICAgIGFsc28gaGFwcGVuIGlmIHRoZSB1c2VyIGhhcyBsZWdhY3kgc2Nyb2xsYmFy cyBhbmQgdGhlIHN0eWxlIHN3aXRjaGVkIGZyb20gYXV0byB0byAKKyAgICAgICAgc2Nyb2xsIGR1 cmluZyB0aGUgbGF5b3V0LgorCisgICAgICAgIEFueXdheSwgd2Ugc2hvdWxkIG51bGwtY2hlY2sg IHRoZSBzY3JvbGxiYXJzLiBUaGlzIGlzIGEgc3BlY3VsYXRpdmUgZml4LgorICAgICAgICAqIHJl bmRlcmluZy9SZW5kZXJMYXllci5jcHA6CisgICAgICAgIChXZWJDb3JlOjpSZW5kZXJMYXllcjo6 dXBkYXRlU2Nyb2xsYmFyc0FmdGVyTGF5b3V0KToKKwogMjAxNS0wNS0xNyAgTWFudWVsIFJlZ28g Q2FzYXNub3ZhcyAgPHJlZ29AaWdhbGlhLmNvbT4KIAogICAgICAgICBbQ1NTIEdyaWQgTGF5b3V0 XSBBZGQgc2Nyb2xsYmFyIHdpZHRoIGluIGludHJpbnNpYyBsb2dpY2FsIHdpZHRocyBjb21wdXRh dGlvbgpJbmRleDogU291cmNlL1dlYkNvcmUvcmVuZGVyaW5nL1JlbmRlckxheWVyLmNwcAo9PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09Ci0tLSBTb3VyY2UvV2ViQ29yZS9yZW5kZXJpbmcvUmVuZGVyTGF5ZXIuY3BwCShyZXZp c2lvbiAxODQ1MDUpCisrKyBTb3VyY2UvV2ViQ29yZS9yZW5kZXJpbmcvUmVuZGVyTGF5ZXIuY3Bw CSh3b3JraW5nIGNvcHkpCkBAIC0zMzkyLDkgKzMzOTIsOSBAQCB2b2lkIFJlbmRlckxheWVyOjp1 cGRhdGVTY3JvbGxiYXJzQWZ0ZXJMCiAgICAgYm9vbCBoYXNWZXJ0aWNhbE92ZXJmbG93ID0gdGhp cy0+aGFzVmVydGljYWxPdmVyZmxvdygpOwogCiAgICAgLy8gSWYgb3ZlcmZsb3cgcmVxdWlyZXMg YSBzY3JvbGxiYXIsIHRoZW4gd2UganVzdCBuZWVkIHRvIGVuYWJsZSBvciBkaXNhYmxlLgotICAg IGlmIChzdHlsZVJlcXVpcmVzU2Nyb2xsYmFyKHJlbmRlcmVyKCkuc3R5bGUoKSwgSG9yaXpvbnRh bFNjcm9sbGJhcikpCisgICAgaWYgKG1faEJhciAmJiBzdHlsZVJlcXVpcmVzU2Nyb2xsYmFyKHJl bmRlcmVyKCkuc3R5bGUoKSwgSG9yaXpvbnRhbFNjcm9sbGJhcikpCiAgICAgICAgIG1faEJhci0+ c2V0RW5hYmxlZChoYXNIb3Jpem9udGFsT3ZlcmZsb3cpOwotICAgIGlmIChzdHlsZVJlcXVpcmVz U2Nyb2xsYmFyKHJlbmRlcmVyKCkuc3R5bGUoKSwgVmVydGljYWxTY3JvbGxiYXIpKQorICAgIGlm IChtX3ZCYXIgJiYgc3R5bGVSZXF1aXJlc1Njcm9sbGJhcihyZW5kZXJlcigpLnN0eWxlKCksIFZl cnRpY2FsU2Nyb2xsYmFyKSkKICAgICAgICAgbV92QmFyLT5zZXRFbmFibGVkKGhhc1ZlcnRpY2Fs T3ZlcmZsb3cpOwogCiAgICAgLy8gU2Nyb2xsYmFycyB3aXRoIGF1dG8gYmVoYXZpb3IgbWF5IG5l ZWQgdG8gbGF5IG91dCBhZ2FpbiBpZiBzY3JvbGxiYXJzIGdvdCBhZGRlZCBvciByZW1vdmVkLgo=