Bug 141551

Summary: Crashes under RenderLayer::hitTestLayer under determinePrimarySnapshottedPlugIn()
Product: WebKit
Reporter: Simon Fraser (smfr) <simon.fraser>
Component: New Bugs
Assignee: Simon Fraser (smfr) <simon.fraser>
Status: RESOLVED FIXED
Severity: Normal
CC: commit-queue, esprehn+autocc, glenn, hyatt, kondapallykalyan, simon.fraser, thorton, zalan
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Attachments:
Patch (flags: zalan: review+)

Description Simon Fraser (smfr) 2015-02-12 21:06:23 PST
Crashes under RenderLayer::hitTestLayer under determinePrimarySnapshottedPlugIn()
Comment 1 Simon Fraser (smfr) 2015-02-12 21:16:46 PST
Created attachment 246504 [details]
Patch
Comment 2 zalan 2015-02-12 21:30:27 PST
Comment on attachment 246504 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=246504&action=review

> Source/WebCore/page/FrameView.cpp:2577
> +    for (auto& widget : children()) {

const auto&?

> Source/WebCore/page/FrameView.cpp:4008
> +    // A child frame may have dirtied us during its layout.

This is what frame flattening does and, judging by the assertion above, it manages to resolve it without the extra layout. How is it different from that setup?

> Source/WebCore/page/FrameView.h:125
> +    bool needsStyleRecalcOrLayout(bool includeSubframes = true) const;

We never call this function with includeSubframes = false. Could we drop this parameter?
Comment 3 Simon Fraser (smfr) 2015-02-13 11:05:19 PST
https://trac.webkit.org/r180063