61159 2011-05-19 17:56:06 -0700 Crashes in RenderLayerBacking::paintingGoesToWindow 2011-06-13 11:39:35 -0700 1 1 1 Unclassified WebKit New Bugs 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 jamesr simon.fraser cmarrin enne simon.fraser vangelis willchan oldest_to_newest 406784 0 jamesr 2011-05-19 17:56:06 -0700 We're seeing a number of crashes in RenderLayerBacking::paintingGoesToWindow(), mostly on maps.google.com but also on some other pages. The top of the callstack looks like: Source/WebCore/rendering/RenderLayer.h:164] WebCore::RenderLayerBacking::paintingGoesToWindow Source/WebCore/rendering/RenderLayer.cpp:3907] WebCore::RenderLayer::setBackingNeedsRepaintInRect Source/WebCore/rendering/RenderObject.cpp:1168] WebCore::RenderObject::repaintUsingContainer Source/WebCore/rendering/RenderObject.cpp:1238] WebCore::RenderObject::repaintAfterLayoutIfNeeded Source/WebCore/rendering/RenderObject.h:812] WebCore::RenderBlock::layoutBlock Source/WebCore/rendering/RenderBlock.cpp:1135] WebCore::RenderBlock::layout (from http://code.google.com/p/chromium-os/issues/detail?id=15377). We have had no success trying to reproduce locally and suspect it has something to do with the loading order or something else difficult to reproduce. The crash is a null pointer deref on the repaintContainer's m_backing. So it seems that when we enter RenderObject::repaintUsingContainer our RenderView has a non-null m_compositor and that the compositor's m_compositing flag is true, but the layer doesn't have a backing yet. I suspect that we've entered compositing mode but somehow haven't yet update the layers, but am not sure. 406785 1 jamesr 2011-05-19 17:56:42 -0700 I'm planning to add a check for layer()->isCompositing() on this line: http://trac.webkit.org/browser/trunk/Source/WebCore/rendering/RenderObject.cpp?rev=86705#L1187 in a chromium release branch to see if that has any impact on the crash rate. 407100 2 simon.fraser 2011-05-20 08:10:46 -0700 <rdar://problem/9125141> 415586 3 willchan 2011-06-04 23:35:53 -0700 Hey James, I ran into this crash a few minutes ago. It was reproducible for me on Google Maps by looking up directions. I was able to crash it twice. After looking up this bug report, I stopped being able to reproduce it =/ 415890 4 jamesr 2011-06-06 10:43:17 -0700 (In reply to comment #3) > Hey James, I ran into this crash a few minutes ago. It was reproducible for me on Google Maps by looking up directions. I was able to crash it twice. After looking up this bug report, I stopped being able to reproduce it =/ Were you in debug or release? It'd be useful to know if the ASSERT()s we have in place already are tripping or not. 417199 5 willchan 2011-06-08 06:07:12 -0700 Google Chrome Mac dev channel (Release build) 418151 6 96613 simon.fraser 2011-06-09 11:48:01 -0700 Created attachment 96613 Patch 418208 7 simon.fraser 2011-06-09 13:07:46 -0700 https://trac.webkit.org/changeset/88475 419722 8 jamesr 2011-06-13 11:35:10 -0700 Early indications from our crash reports indicate that this may have fixed the crash. Any idea on how we get to this function when isComposited() is false? This only seems possible if repaintUsingContainer() is called when compositing is active with a repaintContainer that is not a RenderView. 419729 9 simon.fraser 2011-06-13 11:39:35 -0700 (In reply to comment #8) > Early indications from our crash reports indicate that this may have fixed the crash. Any idea on how we get to this function when isComposited() is false? This only seems possible if repaintUsingContainer() is called when compositing is active with a repaintContainer that is not a RenderView. It's probably one of those cases where painting plugins runs script or something. 96613 2011-06-09 11:48:01 -0700 2011-06-09 11:54:47 -0700 Patch bug-61159-20110609114800.patch text/plain 1925 simon.fraser U3VidmVyc2lvbiBSZXZpc2lvbjogODgzMTgKZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJDb3JlL0No YW5nZUxvZyBiL1NvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZwppbmRleCAzOWFhOWNkMjI5YjNiYzAy MzYxNGJiMWYyOTVjOGUxODhiYTYxMzgxLi5lOGNkNzA3MGExZjdhNWI3MTA4NTk4NGZhMWUyNmNi M2FkMzg3NzI4IDEwMDY0NAotLS0gYS9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKKysrIGIvU291 cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCkBAIC0xLDMgKzEsMTkgQEAKKzIwMTEtMDYtMDkgIFNpbW9u IEZyYXNlciAgPHNpbW9uLmZyYXNlckBhcHBsZS5jb20+CisKKyAgICAgICAgUmV2aWV3ZWQgYnkg Tk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgQ3Jhc2hlcyBpbiBSZW5kZXJMYXllckJhY2tpbmc6 OnBhaW50aW5nR29lc1RvV2luZG93CisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3No b3dfYnVnLmNnaT9pZD02MTE1OQorCisgICAgICAgIFNwZWN1bGF0aXZlIGZpeCBmb3IgdW5yZXBy b2R1Y2libGUgY3Jhc2ggdGhhdCBjYW4gb2NjdXIgd2hlbiBSZW5kZXJPYmplY3Q6OnJlcGFpbnRV c2luZ0NvbnRhaW5lcigpCisgICAgICAgIGZpbmRzIGEgcmVwYWludENvbnRhaW5lciB0aGF0IGlz IG5vdCB0aGUgUmVuZGVyVmlldywgYnV0IHRoYXQgaXMgYWxzbyBub3QKKyAgICAgICAgY29tcG9z aXRlZCAoZm9yIHVua25vd24gcmVhc29ucyksIGJ5IGNoZWNraW5nIHRvIHNlZSBpZiB0aGUgbGF5 ZXIgaXMKKyAgICAgICAgY29tcG9zaXRpbmcgYmVmb3JlIHVzaW5nIGJhY2tpbmcoKS4gQW4gYXNz ZXJ0aW9uIHJlbWFpbnMgdG8gdHJ5IHRvIGNhdGNoCisgICAgICAgIHRoaXMgaW4gZGVidWcgYnVp bGRzLgorCisgICAgICAgICogcmVuZGVyaW5nL1JlbmRlckxheWVyLmNwcDoKKyAgICAgICAgKFdl YkNvcmU6OlJlbmRlckxheWVyOjpzZXRCYWNraW5nTmVlZHNSZXBhaW50SW5SZWN0KToKKwogMjAx MS0wNi0wNyAgWWkgU2hlbiAgPHlpLjQuc2hlbkBub2tpYS5jb20+CiAKICAgICAgICAgUmV2aWV3 ZWQgYnkgU2ltb24gSGF1c21hbm4uCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9yZW5kZXJp bmcvUmVuZGVyTGF5ZXIuY3BwIGIvU291cmNlL1dlYkNvcmUvcmVuZGVyaW5nL1JlbmRlckxheWVy LmNwcAppbmRleCAxNGU4MTZhNzQ5MDEwNGYxYTEwNzllNDA5YmY4Yjg4MmRiZTAyZGZjLi41NjE5 ZWQ1ZmJjZTBmOTRlZTE4MzNiMWVjNTc3YmZiYjg4NzA2MDk1IDEwMDY0NAotLS0gYS9Tb3VyY2Uv V2ViQ29yZS9yZW5kZXJpbmcvUmVuZGVyTGF5ZXIuY3BwCisrKyBiL1NvdXJjZS9XZWJDb3JlL3Jl bmRlcmluZy9SZW5kZXJMYXllci5jcHAKQEAgLTM5MjIsOCArMzkyMiwxMCBAQCB2b2lkIFJlbmRl ckxheWVyOjpzZXRCYWNraW5nTmVlZHNSZXBhaW50KCkKIAogdm9pZCBSZW5kZXJMYXllcjo6c2V0 QmFja2luZ05lZWRzUmVwYWludEluUmVjdChjb25zdCBJbnRSZWN0JiByKQogeworICAgIC8vIGh0 dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD02MTE1OSBkZXNjcmliZXMgYW4g dW5yZXByb2R1Y2libGUgY3Jhc2ggaGVyZSwKKyAgICAvLyBzbyBhc3NlcnQgYnV0IGNoZWNrIHRo YXQgdGhlIGxheWVyIGlzIGNvbXBvc2l0ZWQuCiAgICAgQVNTRVJUKGlzQ29tcG9zaXRlZCgpKTsK LSAgICBpZiAoYmFja2luZygpLT5wYWludGluZ0dvZXNUb1dpbmRvdygpKSB7CisgICAgaWYgKCFp c0NvbXBvc2l0ZWQoKSB8fCBiYWNraW5nKCktPnBhaW50aW5nR29lc1RvV2luZG93KCkpIHsKICAg ICAgICAgLy8gSWYgd2UncmUgdHJ5aW5nIHRvIHJlcGFpbnQgdGhlIHBsYWNlaG9sZGVyIGRvY3Vt ZW50IGxheWVyLCBwcm9wYWdhdGUgdGhlCiAgICAgICAgIC8vIHJlcGFpbnQgdG8gdGhlIG5hdGl2 ZSB2aWV3IHN5c3RlbS4KICAgICAgICAgSW50UmVjdCBhYnNSZWN0KHIpOwo=