Bug 136589
| Summary: | FrameView::adjustTiledBackingCoverage can use the RenderView before the new document is swapped in | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Tim Horton <thorton> |
| Component: | Layout and Rendering | Assignee: | Nobody <webkit-unassigned> |
| Status: | NEW | | |
| Severity: | Normal | CC: | kling, koivisto, sam, simon.fraser |
| Priority: | P2 | | |
| Version: | 528+ (Nightly build) | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
Tim Horton
Steps to Reproduce:
1. Adjust FrameView::renderView to be this:

```cpp
RenderView* FrameView::renderView() const
{
    RenderView* renderView = frame().contentRenderer();
    ASSERT(!renderView || &renderView->frameView() == this);
    return renderView;
}
```
2. Run the layout tests. For me, loader/go-back-to-different-window-size.html and fast/history/timed-refresh-in-cached-frame.html both failed with:
```
0 com.apple.JavaScriptCore 0x00000001133596ca WTFCrash + 42
1 com.apple.WebCore 0x0000000114fecded WebCore::FrameView::renderView() const + 109 (FrameView.cpp:4549)
2 com.apple.WebCore 0x0000000114ff5e53 WebCore::FrameView::adjustTiledBackingCoverage() + 51 (FrameView.cpp:2359)
3 com.apple.WebCore 0x0000000114feb474 WebCore::FrameView::speculativeTilingEnableTimerFired(WebCore::Timer<WebCore::FrameView>&) + 68 (FrameView.cpp:2395)
4 com.apple.WebCore 0x00000001150100b7 std::__1::__function::__func<std::__1::__bind<void (WebCore::FrameView::*&)(WebCore::Timer<WebCore::FrameView>&), WebCore::FrameView*&, std::__1::reference_wrapper<WebCore::Timer<WebCore::FrameView> > >, std::__1::allocator<std::__1::__bind<void (WebCore::FrameView::*&)(WebCore::Timer<WebCore::FrameView>&), WebCore::FrameView*&, std::__1::reference_wrapper<WebCore::Timer<WebCore::FrameView> > > >, void ()>::operator()() + 359 (functional:1370)
5 com.apple.WebCore 0x000000011473b8aa std::__1::function<void ()>::operator()() const + 26 (functional:1755)
6 com.apple.WebCore 0x000000011500cbdc WebCore::Timer<WebCore::FrameView>::fired() + 28 (Timer.h:134)
```
This means that FrameView::adjustTiledBackingCoverage is using the RenderView from a different Document (most likely, we haven't swapped the new document in yet).
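The failure mode described in this report, modelled as an added, self-contained example (this is not WebKit code; the class names mirror WebKit's for readability, but Frame, FrameView and RenderView here are constructed stand-ins). A deferred timer callback on an old FrameView looks up its RenderView through the Frame, but the Frame has already been swapped to the next document's RenderView, which belongs to a different FrameView. The `checkedRenderView` helper applies the same back-pointer invariant as the report's ASSERT, except that it returns nullptr instead of crashing; that defensive variant is an assumption made for this example, not the project's fix.

```cpp
// Added example: minimal model of the FrameView / RenderView ownership
// invariant from the report. Not WebKit code; all classes are constructed
// stand-ins for illustration.
#include <functional>
#include <vector>

class FrameView;

// A RenderView belongs to exactly one FrameView and keeps a back-pointer to it.
class RenderView {
public:
    explicit RenderView(FrameView& view) : m_frameView(view) {}
    FrameView& frameView() const { return m_frameView; }
private:
    FrameView& m_frameView;
};

// A Frame hands out whichever RenderView belongs to its *current* document.
// During navigation this pointer changes underneath any FrameView that is
// still alive (for example one held in the page cache).
class Frame {
public:
    RenderView* contentRenderer() const { return m_renderer; }
    void setContentRenderer(RenderView* renderer) { m_renderer = renderer; }
private:
    RenderView* m_renderer = nullptr;
};

class FrameView {
public:
    explicit FrameView(Frame& frame) : m_frame(frame) {}
    Frame& frame() const { return m_frame; }

    // Unchecked lookup: the pattern the report's assertion catches, since
    // frame() may already point at the next document's RenderView.
    RenderView* unguardedRenderView() const { return m_frame.contentRenderer(); }

    // Checked lookup (constructed for this example): refuses to hand back a
    // RenderView whose back-pointer names a different FrameView.
    RenderView* checkedRenderView() const {
        RenderView* renderView = m_frame.contentRenderer();
        if (renderView && &renderView->frameView() != this)
            return nullptr;
        return renderView;
    }

    // Stand-in for the speculative tiling timer callback. Returns true when it
    // worked on a RenderView it owns, false when it bailed out.
    bool adjustTiledBackingCoverage() {
        RenderView* renderView = checkedRenderView();
        if (!renderView)
            return false;
        ++m_coverageAdjustments;
        return true;
    }
    int coverageAdjustments() const { return m_coverageAdjustments; }

private:
    Frame& m_frame;
    int m_coverageAdjustments = 0;
};

struct SwapResult {
    bool oldViewSawForeignRenderer; // unguarded lookup returned the new view's renderer
    bool oldViewAdjusted;           // checked callback did work on the old view
    bool newViewAdjusted;           // checked callback did work on the new view
};

// Simulates the sequence from the report: the old view schedules a deferred
// callback, the frame swaps to a new document's RenderView (owned by a new
// FrameView), then the queued callbacks fire.
SwapResult simulateNavigationSwap() {
    Frame frame;
    FrameView oldView(frame);
    RenderView oldRenderer(oldView);
    frame.setContentRenderer(&oldRenderer);

    // Constructed stand-in for a timer queue.
    std::vector<std::function<void()>> timerQueue;
    timerQueue.push_back([&] { oldView.adjustTiledBackingCoverage(); });

    // Navigation: the frame now serves the new document's RenderView.
    FrameView newView(frame);
    RenderView newRenderer(newView);
    frame.setContentRenderer(&newRenderer);
    timerQueue.push_back([&] { newView.adjustTiledBackingCoverage(); });

    for (auto& fire : timerQueue)
        fire();

    SwapResult r;
    r.oldViewSawForeignRenderer = oldView.unguardedRenderView() == &newRenderer;
    r.oldViewAdjusted = oldView.coverageAdjustments() == 1;
    r.newViewAdjusted = newView.coverageAdjustments() == 1;
    return r;
}
```

Running `simulateNavigationSwap()` shows the old view's unchecked lookup returning the new view's RenderView, while the checked callback on the old view does nothing and only the new view adjusts its coverage.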