Bug 109826

Summary: REGRESSION (r142505?): Crashes in WebCore::ScrollingStateNode::appendChild when using back/forward buttons
Product: WebKit
Reporter: Dieter Komendera <dieter>
Component: WebCore Misc.
Assignee: Simon Fraser (smfr) <simon.fraser>
Status: RESOLVED FIXED
Severity: Normal
CC: andersca, bdakin, cmarcelo, jamesr, luiz, simon.fraser, thorton, tonikitoo, webkit-bug-importer, webkit.review.bot
Priority: P1
Keywords: InRadar, Regression
Version: 528+ (Nightly build)
Hardware: Mac (Intel)
OS: OS X 10.8
Attachments (description, flags):
full crash report: none
Patch: none

Dieter Komendera
Reported 2013-02-14 06:50:35 PST
Created attachment 188340 [details] full crash report

Since yesterday's nightly builds I see crashes like this when using the back/forward buttons. Haven't noticed a pattern when the crash happens, will post an update if I find something. Tested with Safari 6.0.2 (8536.26.17, 537+) and nightly r142854.

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.WebCore 0x0000000109143c68 WebCore::ScrollingStateNode::appendChild(WTF::PassOwnPtr<WebCore::ScrollingStateNode>) + 24
1 com.apple.WebCore 0x0000000109145a65 WebCore::ScrollingStateTree::attachNode(WebCore::ScrollingNodeType, unsigned long long, unsigned long long) + 501
2 com.apple.WebCore 0x0000000109029eb2 WebCore::RenderLayerBacking::attachToScrollingCoordinatorWithParent(WebCore::RenderLayerBacking*) + 162
3 com.apple.WebCore 0x000000010902d818 WebCore::RenderLayerCompositor::registerOrUpdateViewportConstrainedLayer(WebCore::RenderLayer*) + 248
4 com.apple.WebCore 0x00000001090326f3 WebCore::RenderLayerCompositor::updateViewportConstraintStatus(WebCore::RenderLayer*) + 163
5 com.apple.WebCore 0x0000000109029798 WebCore::RenderLayerBacking::registerScrollingLayers() + 88
6 com.apple.WebCore 0x000000010902869e WebCore::RenderLayerBacking::updateGraphicsLayerGeometry() + 5374
7 com.apple.WebCore 0x0000000109030c8d WebCore::RenderLayerCompositor::updateCompositingDescendantGeometry(WebCore::RenderLayer*, WebCore::RenderLayer*, bool) + 93
8 com.apple.WebCore 0x0000000109030e07 WebCore::RenderLayerCompositor::updateCompositingDescendantGeometry(WebCore::RenderLayer*, WebCore::RenderLayer*, bool) + 471
9 com.apple.WebCore 0x0000000109030e07 WebCore::RenderLayerCompositor::updateCompositingDescendantGeometry(WebCore::RenderLayer*, WebCore::RenderLayer*, bool) + 471
10 com.apple.WebCore 0x0000000109027130 WebCore::RenderLayerBacking::updateAfterLayout(unsigned int) + 64
11 com.apple.WebCore 0x000000010900e1c0 WebCore::RenderLayer::updateLayerPositions(WebCore::RenderGeometryMap*, unsigned int) + 1440
12 com.apple.WebCore 0x000000010900dc04 WebCore::RenderLayer::updateLayerPositionsAfterLayout(WebCore::RenderLayer const*, unsigned int) + 84
13 com.apple.WebCore 0x00000001089886d5 WebCore::FrameView::layout(bool) + 2197
14 com.apple.WebCore 0x000000010897248d WebCore::FrameLoader::commitProvisionalLoad() + 893
15 com.apple.WebCore 0x0000000108970f96 WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool) + 502
16 com.apple.WebCore 0x0000000108971080 WebCore::FrameLoader::callContinueLoadAfterNavigationPolicy(void*, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool) + 32
17 com.apple.WebCore 0x0000000108f68299 WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest const&, WebCore::DocumentLoader*, WTF::PassRefPtr<WebCore::FormState>, void (*)(void*, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool), void*) + 489
18 com.apple.WebCore 0x0000000108970c47 WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>) + 1287
19 com.apple.WebCore 0x000000010896d815 WebCore::FrameLoader::loadDifferentDocumentItem(WebCore::HistoryItem*, WebCore::FrameLoadType, WebCore::FrameLoader::FormSubmissionCacheLoadPolicy) + 101
20 com.apple.WebCore 0x00000001089d3b3c WebCore::HistoryController::recursiveGoToItem(WebCore::HistoryItem*, WebCore::HistoryItem*, WebCore::FrameLoadType) + 460
21 com.apple.WebCore 0x00000001089d3748 WebCore::HistoryController::goToItem(WebCore::HistoryItem*, WebCore::FrameLoadType) + 216
22 com.apple.WebCore 0x0000000108f400a5 WebCore::Page::goToItem(WebCore::HistoryItem*, WebCore::FrameLoadType) + 85
23 com.apple.WebKit2 0x0000000107e52087 WebKit::WebPage::goBack(unsigned long long) + 39
Attachments
full crash report (63.38 KB, application/octet-stream), 2013-02-14 06:50 PST, Dieter Komendera, no flags
Patch (6.93 KB, patch), 2013-02-15 15:22 PST, Simon Fraser (smfr), no flags
Dieter Komendera
Comment 1 2013-02-14 06:55:49 PST
Simon Fraser (smfr)
Comment 2 2013-02-14 12:51:27 PST
Dieter Komendera
Comment 3 2013-02-15 02:06:58 PST
I'm able to reproduce the crash with one of our sites reliably now and cooked up a testcase. I stripped out as much HTML as I could. To reproduce:
* navigate to http://static.abloom.at/kommen/webkit/bug-109826.html
* click Safari's previous page button
* click Safari's next page button
Hope that helps.
Simon Fraser (smfr)
Comment 4 2013-02-15 15:22:13 PST
WebKit Review Bot
Comment 5 2013-02-15 17:22:18 PST
Comment on attachment 188651 [details] Patch
Clearing flags on attachment: 188651
Committed r143074: <http://trac.webkit.org/changeset/143074>
WebKit Review Bot
Comment 6 2013-02-15 17:22:22 PST
All reviewed patches have been landed. Closing bug.