174106 2017-07-03 15:40:47 -0700 Null RenderLayer* deref in FrameView::adjustTiledBackingCoverage() 2017-07-03 16:44:43 -0700 1 1 1 Unclassified WebKit Layout and Rendering WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 kling kling bfulgham commit-queue kling koivisto simon.fraser thorton zalan oldest_to_newest 1325294 0 kling 2017-07-03 15:40:47 -0700 <rdar://problem/33085838> Here's a crash: 0 WebCore 0x000000018d5c9ac0 WebCore::FrameView::adjustTiledBackingCoverage() + 56 (/BuildRoot/Applications/Xcode.app/Contents/Developer/Toolchains/iOS11.0.xctoolchain/usr/include/c++/v1/memory:2582) 1 WebCore 0x000000018d5c9ab8 WebCore::FrameView::adjustTiledBackingCoverage() + 48 (/BuildRoot/Library/Caches/com.apple.xbs/Sources/WebCore/WebCore-7604.1.28.1/page/FrameView.cpp:5248) 2 WebCore 0x000000018e23f6fc WebCore::Page::setIsVisibleInternal(bool) + 132 (/BuildRoot/Library/Caches/com.apple.xbs/Sources/WebCore/WebCore-7604.1.28.1/page/Page.cpp:1683) 3 WebCore 0x000000018e23e5e0 WebCore::Page::setActivityState(unsigned int) + 72 (/BuildRoot/Library/Caches/com.apple.xbs/Sources/WebCore/WebCore-7604.1.28.1/page/Page.cpp:1610) 4 CoreFoundation 0x00000001851e4130 __CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__ + 20 Pretty weird that we're called from the event loop with a layer-less RenderView. I am unable to reproduce this locally, but it looks like we just need to null check the RenderView::layer(). 1325295 1 314528 kling 2017-07-03 15:42:02 -0700 Created attachment 314528 Patch 1325314 2 314528 zalan 2017-07-03 16:21:02 -0700 Comment on attachment 314528 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=314528&action=review > Source/WebCore/ChangeLog:12 > + I haven't been able to reproduce this crash locally, but I have seen > + video of someone who can, so here's a null check for the RenderView::layer() > + which could be null if we're called between RenderView construction > + and the first callback to RenderLayerModelObject::styleDidChange(). or if we somehow managed to call destroyLayer() on the RenderView (and now we are bringing the FrameView to foreground) 1325328 3 commit-queue 2017-07-03 16:44:14 -0700 The commit-queue encountered the following flaky tests while processing attachment 314528: editing/spelling/spellcheck-async.html bug 160571 (authors: g.czajkowski@samsung.com and mark.lam@apple.com) The commit-queue is continuing to process your patch. 1325329 4 314528 commit-queue 2017-07-03 16:44:42 -0700 Comment on attachment 314528 Patch Clearing flags on attachment: 314528 Committed r219108: <http://trac.webkit.org/changeset/219108> 1325330 5 commit-queue 2017-07-03 16:44:43 -0700 All reviewed patches have been landed. Closing bug. 314528 2017-07-03 15:42:02 -0700 2017-07-03 16:44:42 -0700 Patch bug-174106.diff text/plain 1664 kling ZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZyBiL1NvdXJjZS9XZWJDb3JlL0No YW5nZUxvZwppbmRleCA2YWI0NzY3NDQ0Ni4uZGJhM2M0NDM1YjYgMTAwNjQ0Ci0tLSBhL1NvdXJj ZS9XZWJDb3JlL0NoYW5nZUxvZworKysgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKQEAgLTEs MyArMSwxOSBAQAorMjAxNy0wNy0wMyAgQW5kcmVhcyBLbGluZyAgPGFrbGluZ0BhcHBsZS5jb20+ CisKKyAgICAgICAgTnVsbCBSZW5kZXJMYXllciogZGVyZWYgaW4gRnJhbWVWaWV3OjphZGp1c3RU aWxlZEJhY2tpbmdDb3ZlcmFnZSgpCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3No b3dfYnVnLmNnaT9pZD0xNzQxMDYKKyAgICAgICAgPHJkYXI6Ly9wcm9ibGVtLzMzMDg1ODM4Pgor CisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIEkgaGF2ZW4n dCBiZWVuIGFibGUgdG8gcmVwcm9kdWNlIHRoaXMgY3Jhc2ggbG9jYWxseSwgYnV0IEkgaGF2ZSBz ZWVuCisgICAgICAgIHZpZGVvIG9mIHNvbWVvbmUgd2hvIGNhbiwgc28gaGVyZSdzIGEgbnVsbCBj aGVjayBmb3IgdGhlIFJlbmRlclZpZXc6OmxheWVyKCkKKyAgICAgICAgd2hpY2ggY291bGQgYmUg bnVsbCBpZiB3ZSdyZSBjYWxsZWQgYmV0d2VlbiBSZW5kZXJWaWV3IGNvbnN0cnVjdGlvbgorICAg ICAgICBhbmQgdGhlIGZpcnN0IGNhbGxiYWNrIHRvIFJlbmRlckxheWVyTW9kZWxPYmplY3Q6OnN0 eWxlRGlkQ2hhbmdlKCkuCisKKyAgICAgICAgKiBwYWdlL0ZyYW1lVmlldy5jcHA6CisgICAgICAg IChXZWJDb3JlOjpGcmFtZVZpZXc6OmFkanVzdFRpbGVkQmFja2luZ0NvdmVyYWdlKToKKwogMjAx Ny0wNy0wMyAgQWxleCBDaHJpc3RlbnNlbiAgPGFjaHJpc3RlbnNlbkB3ZWJraXQub3JnPgogCiAg ICAgICAgIFJFR1JFU1NJT04ocjIxNTA5NikgUXVlcmllcyBvZiBVUkxzIHdpdGggbm9uLXNwZWNp YWwgc2NoZW1lcyBzaG91bGQgbm90IHBlcmNlbnQtZW5jb2RlIHNpbmdsZSBxdW90ZXMKZGlmZiAt LWdpdCBhL1NvdXJjZS9XZWJDb3JlL3BhZ2UvRnJhbWVWaWV3LmNwcCBiL1NvdXJjZS9XZWJDb3Jl L3BhZ2UvRnJhbWVWaWV3LmNwcAppbmRleCBhNjkyZDA0OWVjZS4uYTMzNGNjYTUzNGIgMTAwNjQ0 Ci0tLSBhL1NvdXJjZS9XZWJDb3JlL3BhZ2UvRnJhbWVWaWV3LmNwcAorKysgYi9Tb3VyY2UvV2Vi Q29yZS9wYWdlL0ZyYW1lVmlldy5jcHAKQEAgLTI5MzcsNyArMjkzNyw3IEBAIHZvaWQgRnJhbWVW aWV3OjphZGp1c3RUaWxlZEJhY2tpbmdDb3ZlcmFnZSgpCiAgICAgICAgIGVuYWJsZVNwZWN1bGF0 aXZlVGlsaW5nSWZOZWVkZWQoKTsKIAogICAgIFJlbmRlclZpZXcqIHJlbmRlclZpZXcgPSB0aGlz LT5yZW5kZXJWaWV3KCk7Ci0gICAgaWYgKHJlbmRlclZpZXcgJiYgcmVuZGVyVmlldy0+bGF5ZXIo KS0+YmFja2luZygpKQorICAgIGlmIChyZW5kZXJWaWV3ICYmIHJlbmRlclZpZXctPmxheWVyKCkg JiYgcmVuZGVyVmlldy0+bGF5ZXIoKS0+YmFja2luZygpKQogICAgICAgICByZW5kZXJWaWV3LT5s YXllcigpLT5iYWNraW5nKCktPmFkanVzdFRpbGVkQmFja2luZ0NvdmVyYWdlKCk7CiAjaWYgUExB VEZPUk0oSU9TKQogICAgIGlmIChMZWdhY3lUaWxlQ2FjaGUqIHRpbGVDYWNoZSA9IGxlZ2FjeVRp bGVDYWNoZSgpKQo=