Bug 107639

Summary: Coordinated Graphics: crash in TiledBackingStore::adjustForContentsRect
Product: WebKit
Reporter: Jae Hyun Park <jaepark>
Component: Layout and Rendering
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: dev, kenneth, noam, webkit-ews, webkit.review.bot, zeno
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 79668    
Attachments:
Description          Flags
Patch                none
Patch                none
Patch                none
Patch for landing    none
Patch for landing    none

Description Jae Hyun Park 2013-01-22 23:56:58 PST
When running the following test case, Minibrowser crashes in Qt and EFL.

http://black.company100.com/test/TC/3DCube/

This crash is caused by division by zero in TiledBackingStore::adjustForContentsRect.
This crash was first observed at r135212. However, IMHO, reverting r135212 is not the right way to proceed.
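As an added illustration, not code from this bug's patch or from WebKit, the following is a stand-alone model of the cover/keep-rect adjustment the description points at. The IntRect type and the rule it applies (clamp the candidate rect to the contents bounds, then regrow it along the other axis so it keeps roughly the candidate's pixel area) are assumptions made for this example; the real TiledBackingStore code is not reproduced on this page. It shows how a cover rect that does not intersect the contents rect, the case sketched in comment 10, hands a zero width and height to the area division, and how an early return on an empty rect removes the trap.

```cpp
// Added example, not WebKit's TiledBackingStore code: a simplified model of
// adjusting a candidate cover/keep rect to a contents rect. The IntRect type
// and the "keep the candidate's pixel area inside the contents bounds" rule
// are assumptions made for this illustration.
#include <algorithm>
#include <cstdio>
#include <stdexcept>

struct IntRect {
    int x = 0, y = 0, width = 0, height = 0;

    bool isEmpty() const { return width <= 0 || height <= 0; }

    // Shrink to the overlap with |other|; disjoint rects leave this one empty.
    void intersect(const IntRect& other)
    {
        const int left = std::max(x, other.x);
        const int top = std::max(y, other.y);
        const int right = std::min(x + width, other.x + other.width);
        const int bottom = std::min(y + height, other.y + other.height);
        if (right <= left || bottom <= top) {
            x = y = width = height = 0;
            return;
        }
        x = left;
        y = top;
        width = right - left;
        height = bottom - top;
    }

    void inflateX(int d) { x -= d; width += 2 * d; }
    void inflateY(int d) { y -= d; height += 2 * d; }
};

enum class Guard { None, SkipEmpty };

// Clamp |rect| to |contents|; if that shrank it, regrow it along the other
// axis so roughly the same number of pixels stays covered. The regrowth
// divides the candidate's area by the clamped width/height. With Guard::None
// a rect that does not intersect the contents reaches those divisions with
// width == height == 0; Guard::SkipEmpty returns the empty rect untouched.
static IntRect adjustForContentsRect(IntRect rect, const IntRect& contents, Guard guard)
{
    const int candidateWidth = rect.width;
    const int candidateHeight = rect.height;

    rect.intersect(contents);
    if (rect.width == candidateWidth && rect.height == candidateHeight)
        return rect; // already inside the contents: nothing to adjust

    if (guard == Guard::SkipEmpty && rect.isEmpty())
        return rect; // no overlap, so there is nothing to inflate

    // Unguarded path: the hardware trap is modelled as an exception so the
    // failure is observable in a test instead of terminating the process.
    if (rect.width == 0 || rect.height == 0)
        throw std::domain_error("division by zero in adjustForContentsRect");

    const int pixelsCovered = candidateWidth * candidateHeight;
    if (rect.width < candidateWidth)
        rect.inflateY(((pixelsCovered / rect.width) - rect.height) / 2);
    if (rect.height < candidateHeight)
        rect.inflateX(((pixelsCovered / rect.height) - rect.width) / 2);

    rect.intersect(contents); // never extend past the contents
    return rect;
}

// True when the unguarded computation would divide by zero for these inputs.
static bool unguardedDividesByZero(const IntRect& rect, const IntRect& contents)
{
    try {
        adjustForContentsRect(rect, contents, Guard::None);
        return false;
    } catch (const std::domain_error&) {
        return true;
    }
}

int main()
{
    // Constructed inputs: a small contents rect and a cover rect lying
    // entirely outside it, the situation sketched in the review comment.
    const IntRect contents{0, 0, 100, 50};
    const IntRect cover{200, 200, 300, 300};
    std::printf("unguarded divides by zero: %s\n", unguardedDividesByZero(cover, contents) ? "yes" : "no");
    const IntRect adjusted = adjustForContentsRect(cover, contents, Guard::SkipEmpty);
    std::printf("guarded result empty: %s\n", adjusted.isEmpty() ? "yes" : "no");
    return 0;
}
```

The unguarded path checks for the zero dimension explicitly and throws only so the failure can be asserted on; in a real integer division the same inputs would raise SIGFPE and kill the web process, which is what the stack trace in comment 1 records. The partially overlapping case (candidate half inside the contents) goes through the regrowth on both paths and shows that the guard changes nothing when there is something to cover.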
Comment 1 Jae Hyun Park 2013-01-22 23:57:25 PST
Stack Trace:

#0  0x00007ffff3baea61 in WebCore::TiledBackingStore::adjustForContentsRect (this=0x86cdb0, rect=...) at /home/jaepark/workspace/WebKitQt/Source/WebCore/platform/graphics/TiledBackingStore.cpp:384
#1  0x00007ffff3baed7f in WebCore::TiledBackingStore::computeCoverAndKeepRect (this=0x86cdb0, visibleRect=..., coverRect=..., keepRect=...)
    at /home/jaepark/workspace/WebKitQt/Source/WebCore/platform/graphics/TiledBackingStore.cpp:432
#2  0x00007ffff3bae456 in WebCore::TiledBackingStore::createTiles (this=0x86cdb0) at /home/jaepark/workspace/WebKitQt/Source/WebCore/platform/graphics/TiledBackingStore.cpp:288
#3  0x00007ffff3bad38c in WebCore::TiledBackingStore::coverWithTilesIfNeeded (this=0x86cdb0, trajectoryVector=...) at /home/jaepark/workspace/WebKitQt/Source/WebCore/platform/graphics/TiledBackingStore.cpp:87
#4  0x00007ffff3badd72 in WebCore::TiledBackingStore::commitScaleChange (this=0x86cdb0) at /home/jaepark/workspace/WebKitQt/Source/WebCore/platform/graphics/TiledBackingStore.cpp:202
#5  0x00007ffff3badd0e in WebCore::TiledBackingStore::setContentsScale (this=0x86cdb0, scale=1) at /home/jaepark/workspace/WebKitQt/Source/WebCore/platform/graphics/TiledBackingStore.cpp:194
#6  0x00007ffff7a0894f in WebCore::CoordinatedGraphicsLayer::createBackingStore (this=0x779b40)
    at /home/jaepark/workspace/WebKitQt/Source/WebKit2/WebProcess/WebPage/CoordinatedGraphics/CoordinatedGraphicsLayer.cpp:674
#7  0x00007ffff7a0911e in WebCore::CoordinatedGraphicsLayer::updateContentBuffers (this=0x779b40)
    at /home/jaepark/workspace/WebKitQt/Source/WebKit2/WebProcess/WebPage/CoordinatedGraphics/CoordinatedGraphicsLayer.cpp:783
#8  0x00007ffff7a08470 in WebCore::CoordinatedGraphicsLayer::flushCompositingStateForThisLayerOnly (this=0x779b40)
    at /home/jaepark/workspace/WebKitQt/Source/WebKit2/WebProcess/WebPage/CoordinatedGraphics/CoordinatedGraphicsLayer.cpp:602
#9  0x00007ffff7a07a4e in WebCore::CoordinatedGraphicsLayer::flushCompositingState (this=0x779b40, rect=...)
    at /home/jaepark/workspace/WebKitQt/Source/WebKit2/WebProcess/WebPage/CoordinatedGraphics/CoordinatedGraphicsLayer.cpp:458
#10 0x00007ffff7a07a8f in WebCore::CoordinatedGraphicsLayer::flushCompositingState (this=0x777b40, rect=...)
    at /home/jaepark/workspace/WebKitQt/Source/WebKit2/WebProcess/WebPage/CoordinatedGraphics/CoordinatedGraphicsLayer.cpp:461
#11 0x00007ffff7a07a8f in WebCore::CoordinatedGraphicsLayer::flushCompositingState (this=0x762cf0, rect=...)
    at /home/jaepark/workspace/WebKitQt/Source/WebKit2/WebProcess/WebPage/CoordinatedGraphics/CoordinatedGraphicsLayer.cpp:461
#12 0x00007ffff7a07a8f in WebCore::CoordinatedGraphicsLayer::flushCompositingState (this=0x692ac0, rect=...)
    at /home/jaepark/workspace/WebKitQt/Source/WebKit2/WebProcess/WebPage/CoordinatedGraphics/CoordinatedGraphicsLayer.cpp:461
#13 0x00007ffff7a07a8f in WebCore::CoordinatedGraphicsLayer::flushCompositingState (this=0x50f700, rect=...)
    at /home/jaepark/workspace/WebKitQt/Source/WebKit2/WebProcess/WebPage/CoordinatedGraphics/CoordinatedGraphicsLayer.cpp:461
#14 0x00007ffff7a07a8f in WebCore::CoordinatedGraphicsLayer::flushCompositingState (this=0x482190, rect=...)
    at /home/jaepark/workspace/WebKitQt/Source/WebKit2/WebProcess/WebPage/CoordinatedGraphics/CoordinatedGraphicsLayer.cpp:461
#15 0x00007ffff3db80d8 in WebCore::RenderLayerCompositor::flushPendingLayerChanges (this=0x4af7f0, isFlushRoot=true) at /home/jaepark/workspace/WebKitQt/Source/WebCore/rendering/RenderLayerCompositor.cpp:323
#16 0x00007ffff3ae8f1b in WebCore::FrameView::flushCompositingStateForThisFrame (this=0x481e10, rootFrameForFlush=0x4723f0) at /home/jaepark/workspace/WebKitQt/Source/WebCore/page/FrameView.cpp:839
#17 0x00007ffff3ae9255 in WebCore::FrameView::flushCompositingStateIncludingSubframes (this=0x481e10) at /home/jaepark/workspace/WebKitQt/Source/WebCore/page/FrameView.cpp:921
#18 0x00007ffff7a110f0 in WebKit::LayerTreeCoordinator::flushPendingLayerChanges (this=0x468740)
    at /home/jaepark/workspace/WebKitQt/Source/WebKit2/WebProcess/WebPage/CoordinatedGraphics/LayerTreeCoordinator.cpp:275
#19 0x00007ffff7a11e68 in WebKit::LayerTreeCoordinator::performScheduledLayerFlush (this=0x468740)
    at /home/jaepark/workspace/WebKitQt/Source/WebKit2/WebProcess/WebPage/CoordinatedGraphics/LayerTreeCoordinator.cpp:504
#20 0x00007ffff7a11f60 in WebKit::LayerTreeCoordinator::layerFlushTimerFired (this=0x468740) at /home/jaepark/workspace/WebKitQt/Source/WebKit2/WebProcess/WebPage/CoordinatedGraphics/LayerTreeCoordinator.cpp:528
#21 0x00007ffff7a1dc1a in WebCore::Timer<WebKit::LayerTreeCoordinator>::fired (this=0x468878) at /home/jaepark/workspace/WebKitQt/Source/WebCore/platform/Timer.h:106
#22 0x00007ffff3c38756 in WebCore::ThreadTimers::sharedTimerFiredInternal (this=0x46dae0) at /home/jaepark/workspace/WebKitQt/Source/WebCore/platform/ThreadTimers.cpp:116
#23 0x00007ffff3c38677 in WebCore::ThreadTimers::sharedTimerFired () at /home/jaepark/workspace/WebKitQt/Source/WebCore/platform/ThreadTimers.cpp:93
#24 0x00007ffff3f4e018 in WebCore::SharedTimerQt::timerEvent (this=0x46db10, ev=0x7fffffffd8a0) at /home/jaepark/workspace/WebKitQt/Source/WebCore/platform/qt/SharedTimerQt.cpp:113
#25 0x00007ffff68af0d9 in QObject::event(QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r39/lib/libQtCore.so.5
#26 0x00007ffff6bcf3f4 in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r39/lib/libQtWidgets.so.5
#27 0x00007ffff6bd2471 in QApplication::notify(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r39/lib/libQtWidgets.so.5
#28 0x00007ffff6888754 in QCoreApplication::notifyInternal(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r39/lib/libQtCore.so.5
#29 0x00007ffff68cf3cc in QTimerInfoList::activateTimers() () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r39/lib/libQtCore.so.5
#30 0x00007ffff68cfc5d in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r39/lib/libQtCore.so.5
#31 0x00007fffedef2d53 in g_main_dispatch (context=0x41de40) at /build/buildd/glib2.0-2.32.3/./glib/gmain.c:2539
#32 g_main_context_dispatch (context=0x41de40) at /build/buildd/glib2.0-2.32.3/./glib/gmain.c:3075
#33 0x00007fffedef30a0 in g_main_context_iterate (dispatch=1, block=<optimized out>, context=0x41de40, self=<optimized out>) at /build/buildd/glib2.0-2.32.3/./glib/gmain.c:3146
#34 g_main_context_iterate (context=0x41de40, block=<optimized out>, dispatch=1, self=<optimized out>) at /build/buildd/glib2.0-2.32.3/./glib/gmain.c:3083
#35 0x00007fffedef3164 in g_main_context_iteration (context=0x41de40, may_block=1) at /build/buildd/glib2.0-2.32.3/./glib/gmain.c:3207
#36 0x00007ffff68d0344 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r39/lib/libQtCore.so.5
#37 0x00007ffff68876fb in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r39/lib/libQtCore.so.5
#38 0x00007ffff688abce in QCoreApplication::exec() () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r39/lib/libQtCore.so.5
#39 0x00007ffff3f34606 in WebCore::RunLoop::run () at /home/jaepark/workspace/WebKitQt/Source/WebCore/platform/qt/RunLoopQt.cpp:69
#40 0x00007ffff7a5ecef in WebKit::WebProcessMainQt (app=0x412e90) at /home/jaepark/workspace/WebKitQt/Source/WebKit2/WebProcess/qt/WebProcessMainQt.cpp:195
#41 0x00000000004016a8 in main (argc=2, argv=0x7fffffffdee8) at /home/jaepark/workspace/WebKitQt/Source/WebKit2/qt/MainQt.cpp:95
Comment 2 Seulgi Kim 2013-02-03 16:38:44 PST
Created attachment 186276 [details]
Patch
Comment 3 EFL EWS Bot 2013-02-03 16:44:13 PST
Comment on attachment 186276 [details]
Patch

Attachment 186276 [details] did not pass efl-ews (efl):
Output: http://queues.webkit.org/results/16354841
Comment 4 Early Warning System Bot 2013-02-03 16:46:25 PST
Comment on attachment 186276 [details]
Patch

Attachment 186276 [details] did not pass qt-ews (qt):
Output: http://queues.webkit.org/results/16353802
Comment 5 Early Warning System Bot 2013-02-03 16:47:00 PST
Comment on attachment 186276 [details]
Patch

Attachment 186276 [details] did not pass qt-wk2-ews (qt):
Output: http://queues.webkit.org/results/16354850
Comment 6 Seulgi Kim 2013-02-03 16:51:18 PST
Created attachment 186278 [details]
Patch
Comment 7 Seulgi Kim 2013-02-03 16:53:03 PST
Created attachment 186279 [details]
Patch
Comment 8 Build Bot 2013-02-03 18:02:21 PST
Comment on attachment 186279 [details]
Patch

Attachment 186279 [details] did not pass win-ews (win):
Output: http://queues.webkit.org/results/16357795
Comment 9 Build Bot 2013-02-03 19:07:28 PST
Comment on attachment 186279 [details]
Patch

Attachment 186279 [details] did not pass win-ews (win):
Output: http://queues.webkit.org/results/16350876
Comment 10 Kenneth Rohde Christiansen 2013-02-04 00:39:57 PST
Comment on attachment 186279 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=186279&action=review

> Source/WebCore/platform/graphics/TiledBackingStore.cpp:367
> +     * If then cover/keep rect is not need to be inflated.

Thus the latter should not be inflated*
Comment 11 Seulgi Kim 2013-02-04 15:30:06 PST
Created attachment 186479 [details]
Patch for landing
Comment 12 Seulgi Kim 2013-02-04 15:34:29 PST
Created attachment 186480 [details]
Patch for landing
Comment 13 Seulgi Kim 2013-02-04 15:38:15 PST
(In reply to comment #10)
> (From update of attachment 186279 [details])
> View in context: https://bugs.webkit.org/attachment.cgi?id=186279&action=review
> 
> > Source/WebCore/platform/graphics/TiledBackingStore.cpp:367
> > +     * If then cover/keep rect is not need to be inflated.
> 
> Thus the latter should not be inflated*

Thanks for your comment.
Comment 14 WebKit Review Bot 2013-02-04 16:56:10 PST
Comment on attachment 186480 [details]
Patch for landing

Clearing flags on attachment: 186480

Committed r141833: <http://trac.webkit.org/changeset/141833>
Comment 15 WebKit Review Bot 2013-02-04 16:56:14 PST
All reviewed patches have been landed.  Closing bug.