Bug 141931

Summary: EventHandler references deleted Scrollbar
Product: WebKit Reporter: Brent Fulgham <bfulgham>
Component: Layout and RenderingAssignee: Brent Fulgham <bfulgham>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, buildbot, commit-queue, mmaxfield, rniwa, simon.fraser, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on: 141923    
Bug Blocks:    
Attachments:
Description Flags
Patch
none
Archive of layout-test-results from ews101 for mac-mavericks
none
Archive of layout-test-results from ews104 for mac-mavericks-wk2
none
Patch v2 (Fix for EWS failures) thorton: review+

Description Brent Fulgham 2015-02-23 15:48:19 PST 
The EventHandler class holds a RefPtr of the last Scrollbar used during an event. If the Scrollbar is destroyed (as well as its underlying RenderLayer), the EventHandler keeps the Scrollbar from being deleted. However, the underlying ScrollableArea has already been destroyed at this point, leaving this "m_lastScrollbarUnderMouse" Scrollbar holding a reference to deleted memory. This can happen during EventHandling related to scrollbars, and should be prevented.

Prior to r180474, this was avoided by using a "disconnectFromScrollableArea" method to set the internal ScrollableArea to null, and relying on internal nullptr checks to avoid dereferencing the null value.

But this behavior is not correct either; we should not artificially prolong the life of a Scrollbar simply because of an implementation detail of the EventHandler class.

Instead, EventHandler should be notified when the Scrollbar has been destroyed, and stop trying to use it when this happens.
Comment 1 Brent Fulgham 2015-02-23 15:48:36 PST 
<rdar://problem/19915210>
Comment 2 Brent Fulgham 2015-02-23 15:56:26 PST 
Test that discovered this problem: ASAN or Guard Malloc run of "scrollbars/overflow-custom-scrollbar-crash.html"
Comment 3 Brent Fulgham 2015-02-23 16:00:13 PST 
Created attachment 247156 [details]
Patch
Comment 4 WebKit Commit Bot 2015-02-23 16:03:14 PST 
Attachment 247156 [details] did not pass style-queue:


ERROR: Source/WebCore/platform/Scrollbar.cpp:84:  Wrong number of spaces before statement. (expected: 25)  [whitespace/indent] [4]
Total errors found: 1 in 5 files


If any of these errors are false positives, please file a bug against check-webkit-style.
Comment 5 Myles C. Maxfield 2015-02-23 16:07:05 PST 
Comment on attachment 247156 [details]
Patch

Are there any other places in EventHandler that use m_lastScrollbarUnderMouse that need to be audited to make sure they work with a null pointer? Other than that, the use of WeakPtr looks good. I'll leave it to smfr to review the semantics of this change regarding the lifetimes of EventHandler and Scrollbar
Comment 6 Brent Fulgham 2015-02-23 16:28:24 PST 
(In reply to comment #5)
> Comment on attachment 247156 [details]
> Patch
> 
> Are there any other places in EventHandler that use
> m_lastScrollbarUnderMouse that need to be audited to make sure they work
> with a null pointer? Other than that, the use of WeakPtr looks good. I'll
> leave it to smfr to review the semantics of this change regarding the
> lifetimes of EventHandler and Scrollbar

I don't think so. It was a RefPtr before, so the same possibility of null-ness existed in the earlier code. I'll double check, though.
Comment 7 Brent Fulgham 2015-02-23 16:28:57 PST 
(In reply to comment #4)
> Attachment 247156 [details] did not pass style-queue:
> 
> ERROR: Source/WebCore/platform/Scrollbar.cpp:84:  Wrong number of spaces
> before statement. (expected: 25)  [whitespace/indent] [4]
> Total errors found: 1 in 5 files

This is a strange error message -- this line has the correct number of spaces on it.
Comment 8 Build Bot 2015-02-23 16:53:53 PST 
Comment on attachment 247156 [details]
Patch

Attachment 247156 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.appspot.com/results/5830458965229568

New failing tests:
fast/forms/select/listbox-click-on-scrollbar.html
scrollbars/scrollbar-miss-mousemove-disabled.html
scrollbars/scrollbar-drag-thumb-with-large-content.html
fast/scrolling/scrollbar-mousedown-move-mouseup.html
Comment 9 Build Bot 2015-02-23 16:53:57 PST 
Created attachment 247167 [details]
Archive of layout-test-results from ews101 for mac-mavericks

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews101  Port: mac-mavericks  Platform: Mac OS X 10.9.5
Comment 10 Brent Fulgham 2015-02-23 16:58:49 PST 
(In reply to comment #6)
> (In reply to comment #5)
> > Comment on attachment 247156 [details]
> > Patch
> > 
> > Are there any other places in EventHandler that use
> > m_lastScrollbarUnderMouse that need to be audited to make sure they work
> > with a null pointer? Other than that, the use of WeakPtr looks good. I'll
> > leave it to smfr to review the semantics of this change regarding the
> > lifetimes of EventHandler and Scrollbar
> 
> I don't think so. It was a RefPtr before, so the same possibility of
> null-ness existed in the earlier code. I'll double check, though.

Well, EWS just told me that I am full of crap, and it definitely was *not* expecting the pointer to be null in a few cases. I'll revise the patch! :-)
Comment 11 Build Bot 2015-02-23 17:02:10 PST 
Comment on attachment 247156 [details]
Patch

Attachment 247156 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.appspot.com/results/5496935326679040

New failing tests:
fast/forms/select/listbox-click-on-scrollbar.html
fast/events/scroll-div-with-prevent-default-in-subframe.html
scrollbars/scrollbar-miss-mousemove-disabled.html
Comment 12 Build Bot 2015-02-23 17:02:14 PST 
Created attachment 247169 [details]
Archive of layout-test-results from ews104 for mac-mavericks-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews104  Port: mac-mavericks-wk2  Platform: Mac OS X 10.9.5
Comment 13 Brent Fulgham 2015-02-23 17:41:18 PST 
Created attachment 247177 [details]
Patch v2 (Fix for EWS failures)
Comment 14 Brent Fulgham 2015-02-23 17:44:13 PST 
Comment on attachment 247177 [details]
Patch v2 (Fix for EWS failures)

I had originally written my patch as:

        m_lastScrollbarUnderMouse = setLast ? scrollbar->createWeakPtr() : nullptr;

But this is wrong, because the scrollbar might be null. Previously this wasn't a problem because we were assigning a RefPtr from the original pointer. But we must call 'createWeakPtr' now, which is obviously bad if the pointer we were handed is a nullptr.

We should probably try to make WeakPtr understand this case so others don't make this mistake.
Comment 15 WebKit Commit Bot 2015-02-23 17:44:49 PST 
Attachment 247177 [details] did not pass style-queue:


ERROR: Source/WebCore/platform/Scrollbar.cpp:84:  Wrong number of spaces before statement. (expected: 8)  [whitespace/indent] [4]
Total errors found: 1 in 5 files


If any of these errors are false positives, please file a bug against check-webkit-style.
Comment 16 Brent Fulgham 2015-02-23 20:09:34 PST 
Committed r180548: <http://trac.webkit.org/changeset/180548>