23973 2009-02-16 08:54:43 -0800 Chromium crashes at times when the view is being closed. 2009-02-26 11:33:32 -0800 1 1 1 Unclassified WebKit Layout and Rendering 528+ (Nightly build) PC Windows XP RESOLVED FIXED P2 Normal --- 1 ananta ananta fishd hyatt jon oldest_to_newest 109853 0 ananta 2009-02-16 08:54:43 -0800 We don't have a definite reproducible case for this crash. While the crash occurs in Chromium, the callstack suggests that this could in other webkit browsers as well. The callstack is as below:- This occurs when the view is being closed and the scrollcontents method in the ScrollView object is called. It attempts to call the repaint method on the HostWindow object returned via FrameView::hostWindow. This method can return NULL in scenarios where the frame is NULL, or if the underlying page is destroyed. I think that a NULL check for the return value of the FrameView::hostWindow call is warranted. I will submit a patch for this in a bit. Thread 1 *CRASHED* (EXCEPTION_ACCESS_VIOLATION @0x00000000) 0x62d3789e [chrome.dll - scrollview.cpp:438] WebCore::ScrollView::scrollContents(WebCore::IntSize const &) 0x62d37831 [chrome.dll - scrollview.cpp:420] WebCore::ScrollView::updateScrollbars(WebCore::IntSize const &) 0x62d37009 [chrome.dll - scrollview.cpp:116] WebCore::ScrollView::setScrollbarModes(WebCore::ScrollbarMode,WebCore::ScrollbarMode) 0x62d5d8e4 [chrome.dll - frameview.cpp:231] WebCore::FrameView::resetScrollbars() 0x62d5d7f8 [chrome.dll - frameview.cpp:197] WebCore::FrameView::~FrameView() 0x62d5d6d6 [chrome.dll + 0x003ed6d6] WebCore::FrameView::`vector deleting destructor'(unsigned int) 0x62e309d8 [chrome.dll - renderpart.cpp:56] WebCore::RenderPart::~RenderPart() 0x62e30998 [chrome.dll + 0x004c0998] WebCore::RenderPart::`vector deleting destructor'(unsigned int) 0x62d6885f [chrome.dll - renderobject.cpp:2670] WebCore::RenderObject::arenaDelete(WebCore::RenderArena *,void *) 0x62dadd8b [chrome.dll - renderwidget.cpp:213] WebCore::RenderWidget::deref(WebCore::RenderArena *) 0x62dadabc [chrome.dll - renderwidget.cpp:103] WebCore::RenderWidget::destroy() 0x62d18d19 [chrome.dll - node.cpp:1060] WebCore::Node::detach() 0x62d55b4c [chrome.dll - containernode.cpp:593] WebCore::ContainerNode::detach() 0x62d55b4c [chrome.dll - containernode.cpp:593] WebCore::ContainerNode::detach() 0x62d55b4c [chrome.dll - containernode.cpp:593] WebCore::ContainerNode::detach() 0x62d55b4c [chrome.dll - containernode.cpp:593] WebCore::ContainerNode::detach() 0x62cfd86b [chrome.dll - document.cpp:1412] WebCore::Document::detach() 0x62ce59d4 [chrome.dll - frame.cpp:217] WebCore::Frame::setView(WebCore::FrameView *) 0x62cf23a2 [chrome.dll - frameloader.cpp:3474] WebCore::FrameLoader::detachFromParent() 0x62cf22d8 [chrome.dll - frameloader.cpp:3452] WebCore::FrameLoader::frameDetached() 0x62cb57a4 [chrome.dll - webview_impl.cc:776] WebViewImpl::Close() 0x62984cb2 [chrome.dll - render_widget.cc:639] RenderWidget::Close() 0x62984236 [chrome.dll - render_widget.cc:225] RenderWidget::OnClose() 0x629803d7 [chrome.dll - ipc_message.h:125] IPC::Message::Dispatch<RenderWidget>(IPC::Message const *,RenderWidget *,void ( RenderWidget::*)(void)) 0x62984007 [chrome.dll - render_widget.cc:157] RenderWidget::OnMessageReceived(IPC::Message const &) 0x62979fc3 [chrome.dll - render_view.cc:400] RenderView::OnMessageReceived(IPC::Message const &) 0x62997262 [chrome.dll - message_router.cc:39] MessageRouter::RouteMessage(IPC::Message const &) 0x6299723c [chrome.dll - message_router.cc:30] MessageRouter::OnMessageReceived(IPC::Message const &) 0x62976ba4 [chrome.dll - render_thread.cc:174] RenderThread::OnMessageReceived(IPC::Message const &) 0x62ae6dab [chrome.dll - task.h:312] RunnableMethod<SafeBrowsingService,void ( SafeBrowsingService::*)(SafeBrowsingService::BlockingPageParam const &),Tuple1<SafeBrowsingService::BlockingPageParam> >::Run() 0x62b56ebc [chrome.dll - message_loop.cc:308] MessageLoop::RunTask(Task *) 0x62b56ef3 [chrome.dll - message_loop.cc:316] MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const &) 0x62b57081 [chrome.dll - message_loop.cc:408] MessageLoop::DoWork() 0x62b6dccf [chrome.dll - message_pump_default.cc:50] base::MessagePumpDefault::Run(base::MessagePump::Delegate *) 0x62b56d8d [chrome.dll - message_loop.cc:197] MessageLoop::RunInternal() 0x62b56d5a [chrome.dll - message_loop.cc:180] MessageLoop::RunHandler() 0x62b56cfd [chrome.dll - message_loop.cc:154] MessageLoop::Run() 0x62b5cfdf [chrome.dll - thread.cc:153] base::Thread::ThreadMain() 0x62b5a8a9 [chrome.dll - platform_thread_win.cc:26] `anonymous namespace'::ThreadFunc(void *) 0x76fb4910 [kernel32.dll + 0x00044910] BaseThreadInitThunk 0x7711e4b5 [ntdll.dll + 0x0003e4b5] __RtlUserThreadStart 0x7711e488 [ntdll.dll + 0x0003e488] _RtlUserThreadStart 109857 1 27699 ananta 2009-02-16 10:04:13 -0800 Created attachment 27699 Initial attempt at a patch for this issue 111058 2 jon 2009-02-25 15:47:50 -0800 I need to get this reviewed so we can (hopefully) close the bug. Also reported in http://code.google.com/p/chromium/issues/detail?id=6319 111231 3 27699 fishd 2009-02-26 11:00:27 -0800 Comment on attachment 27699 Initial attempt at a patch for this issue >Index: WebCore/platform/ScrollView.cpp ... > void ScrollView::scrollContents(const IntSize& scrollDelta) > { >+ if (!hostWindow()) >+ return; >+ nit: the return statement should be indented by 4 spaces. R- because of this. ScrollView appears to be designed with the assumption that the hostWindow will never be null, but I can see from the callstack that assumption seems to be invalid. So, I think your solution is probably the best we can do. Are any of the other ScrollView methods reachable from ~FrameView? 111239 4 28024 ananta 2009-02-26 11:22:54 -0800 Created attachment 28024 Updated patch with the indentation fixed. The functions in ScrollView.cpp reachable from ~FrameView are as below:- 1. ScrollView::setScrollbarModes which calls into updateScrollbars and ends up in scrollcontents where hostwindow is dereferenced. 2. ScrollView::setHasHorizontalScrollbar and ScrollView::setHasVerticalScrollbar. These functions internally call ScrollView::removeChild. They don't reference hostWindow(). 111241 5 28024 fishd 2009-02-26 11:25:09 -0800 Comment on attachment 28024 Updated patch with the indentation fixed. LGTM 111246 6 fishd 2009-02-26 11:33:32 -0800 Landed as http://trac.webkit.org/changeset/41260 27699 2009-02-16 10:04:13 -0800 2009-02-26 11:22:54 -0800 Initial attempt at a patch for this issue ScrollViewCrash.txt text/plain 1438 ananta SW5kZXg6IFdlYkNvcmUvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvQ2hhbmdlTG9n CShyZXZpc2lvbiA0MTAxOSkKKysrIFdlYkNvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBA IC0xLDMgKzEsMTcgQEAKKzIwMDktMDItMTYgIGl5ZW5nYXIgIDxhbmFudGFAY2hyb21pdW0ub3Jn PgorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIGh0dHBz Oi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0yMzk3MworICAgICAgICBTY3JvbGxW aWV3OjpzY3JvbGxDb250ZW50cyBjYW4gYmUgaW52b2tlZCBkdXJpbmcgdmlldyBzaHV0ZG93bi4K KyAgICAgICAgSW4gdGhpcyBzY2VuYXJpbyB0aGUgRnJhbWVWaWV3Ojpob3N0V2luZG93IG1ldGhv ZCBjYW4gcmV0dXJuIE5VTEwsCisgICAgICAgIHdoaWNoIGluZGljYXRlcyB0aGF0IHRoZSBmcmFt ZS9wYWdlIGlzIGJlaW5nIGRlc3Ryb3llZC4gVGhpcyBjYXVzZXMKKyAgICAgICAgYSBjcmFzaCB3 aGVuIHdlIHRyeSB0byBkZXJlZmVyZW5jZSBhIE5VTEwgaG9zdFdpbmRvdyBwb2ludGVyLgorICAg ICAgICBGaXggaXMgdG8gYWRkIGEgTlVMTCBjaGVjayBmb3IgdGhpcy4gIAorCisgICAgICAgICog cGxhdGZvcm0vU2Nyb2xsVmlldy5jcHA6CisgICAgICAgIChXZWJDb3JlOjpTY3JvbGxWaWV3Ojpz Y3JvbGxDb250ZW50cyk6CisKIDIwMDktMDItMTUgIERhdmlkIEtpbHplciAgPGRka2lsemVyQGFw cGxlLmNvbT4KIAogICAgICAgICBNb3ZlIGR1cGxpY2F0ZSBjYXJldFdpZHRoIGNvbnN0YW50cyB0 byBSZW5kZXJPYmplY3QuaApJbmRleDogV2ViQ29yZS9wbGF0Zm9ybS9TY3JvbGxWaWV3LmNwcAo9 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09Ci0tLSBXZWJDb3JlL3BsYXRmb3JtL1Njcm9sbFZpZXcuY3BwCShyZXZpc2lvbiA0 MTAxOSkKKysrIFdlYkNvcmUvcGxhdGZvcm0vU2Nyb2xsVmlldy5jcHAJKHdvcmtpbmcgY29weSkK QEAgLTQzNiw2ICs0MzYsOSBAQCBjb25zdCBpbnQgcGFuSWNvblNpemVMZW5ndGggPSAyMDsKIAog dm9pZCBTY3JvbGxWaWV3OjpzY3JvbGxDb250ZW50cyhjb25zdCBJbnRTaXplJiBzY3JvbGxEZWx0 YSkKIHsKKyAgICBpZiAoIWhvc3RXaW5kb3coKSkKKyAgICAgIHJldHVybjsKKwogICAgIC8vIFNp bmNlIHNjcm9sbGluZyBpcyBkb3VibGUgYnVmZmVyZWQsIHdlIHdpbGwgYmUgYmxpdHRpbmcgdGhl IHNjcm9sbCB2aWV3J3MgaW50ZXJzZWN0aW9uCiAgICAgLy8gd2l0aCB0aGUgY2xpcCByZWN0IGV2 ZXJ5IHRpbWUgdG8ga2VlcCBpdCBzbW9vdGguCiAgICAgSW50UmVjdCBjbGlwUmVjdCA9IHdpbmRv d0NsaXBSZWN0KCk7Cg== 28024 2009-02-26 11:22:54 -0800 2009-02-26 11:25:09 -0800 Updated patch with the indentation fixed. ScrollViewCrash.txt text/plain 1492 ananta SW5kZXg6IFdlYkNvcmUvQ2hhbmdlTG9nDQo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09DQotLS0gV2ViQ29yZS9DaGFuZ2VM b2cJKHJldmlzaW9uIDQxMDE5KQ0KKysrIFdlYkNvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkp DQpAQCAtMSwzICsxLDE3IEBADQorMjAwOS0wMi0xNiAgQW5hbnRhbmFyYXlhbmFuIEl5ZW5nYXIg IDxhbmFudGFAY2hyb21pdW0ub3JnPg0KKw0KKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChP T1BTISkuDQorDQorICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/ aWQ9MjM5NzMNCisgICAgICAgIFNjcm9sbFZpZXc6OnNjcm9sbENvbnRlbnRzIGNhbiBiZSBpbnZv a2VkIGR1cmluZyB2aWV3IHNodXRkb3duLg0KKyAgICAgICAgSW4gdGhpcyBzY2VuYXJpbyB0aGUg RnJhbWVWaWV3Ojpob3N0V2luZG93IG1ldGhvZCBjYW4gcmV0dXJuIE5VTEwsDQorICAgICAgICB3 aGljaCBpbmRpY2F0ZXMgdGhhdCB0aGUgZnJhbWUvcGFnZSBpcyBiZWluZyBkZXN0cm95ZWQuIFRo aXMgY2F1c2VzDQorICAgICAgICBhIGNyYXNoIHdoZW4gd2UgdHJ5IHRvIGRlcmVmZXJlbmNlIGEg TlVMTCBob3N0V2luZG93IHBvaW50ZXIuDQorICAgICAgICBGaXggaXMgdG8gYWRkIGEgTlVMTCBj aGVjayBmb3IgdGhpcy4gIA0KKw0KKyAgICAgICAgKiBwbGF0Zm9ybS9TY3JvbGxWaWV3LmNwcDoN CisgICAgICAgIChXZWJDb3JlOjpTY3JvbGxWaWV3OjpzY3JvbGxDb250ZW50cyk6DQorDQogMjAw OS0wMi0xNSAgRGF2aWQgS2lsemVyICA8ZGRraWx6ZXJAYXBwbGUuY29tPg0KIA0KICAgICAgICAg TW92ZSBkdXBsaWNhdGUgY2FyZXRXaWR0aCBjb25zdGFudHMgdG8gUmVuZGVyT2JqZWN0LmgNCklu ZGV4OiBXZWJDb3JlL3BsYXRmb3JtL1Njcm9sbFZpZXcuY3BwDQo9PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09DQotLS0gV2Vi Q29yZS9wbGF0Zm9ybS9TY3JvbGxWaWV3LmNwcAkocmV2aXNpb24gNDEwMTkpDQorKysgV2ViQ29y ZS9wbGF0Zm9ybS9TY3JvbGxWaWV3LmNwcAkod29ya2luZyBjb3B5KQ0KQEAgLTQzNiw2ICs0MzYs OSBAQCBjb25zdCBpbnQgcGFuSWNvblNpemVMZW5ndGggPSAyMDsNCiANCiB2b2lkIFNjcm9sbFZp ZXc6OnNjcm9sbENvbnRlbnRzKGNvbnN0IEludFNpemUmIHNjcm9sbERlbHRhKQ0KIHsNCisgICAg aWYgKCFob3N0V2luZG93KCkpDQorICAgICAgICByZXR1cm47DQorDQogICAgIC8vIFNpbmNlIHNj cm9sbGluZyBpcyBkb3VibGUgYnVmZmVyZWQsIHdlIHdpbGwgYmUgYmxpdHRpbmcgdGhlIHNjcm9s bCB2aWV3J3MgaW50ZXJzZWN0aW9uDQogICAgIC8vIHdpdGggdGhlIGNsaXAgcmVjdCBldmVyeSB0 aW1lIHRvIGtlZXAgaXQgc21vb3RoLg0KICAgICBJbnRSZWN0IGNsaXBSZWN0ID0gd2luZG93Q2xp cFJlY3QoKTsNCg==