Bug 147848

Summary: Invalid FrameView::m_viewportRenderer after layout is finished.
Product: WebKit Reporter: alan <zalan>
Component: Layout and RenderingAssignee: alan <zalan>
Status: RESOLVED FIXED    
Severity: Normal CC: commit-queue, davidkclark, ddkilzer, simon.fraser
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch
none
Patch none

alan
Reported 2015-08-10 15:37:16 PDT
0 WebCore 0x000000019680c128 WebCore::FrameView::contentsSizeRespectingOverflow() const + 128 (RenderStyle.h:306) 1 WebCore 0x000000019680c120 WebCore::FrameView::contentsSizeRespectingOverflow() const + 120 (FrameView.cpp:629) 2 WebKit 0x000000018acb73e0 WebKit::WebPage::mainFrameDidLayout() + 128 (WebPage.cpp:3522) 3 WebCore 0x00000001963bf3f0 WebCore::FrameView::performPostLayoutTasks() + 164 (FrameView.cpp:3045) 4 WebCore 0x00000001963ba964 WebCore::FrameView::layout(bool) + 496 (TemporaryChange.h:55) 5 WebCore 0x00000001966c32c8 WebCore::Document::updateLayoutIfDimensionsOutOfDate(WebCore::Element&, WebCore::DimensionsCheck) + 1312 (Document.cpp:2036) 6 WebCore 0x0000000196475a50 WebCore::Element::clientWidth() + 40 (Node.h:395) 7 WebCore 0x0000000196a7d39c WebCore::jsElementClientWidth(JSC::ExecState*, JSC::JSObject*, long long, JSC::PropertyName) + 48 (JSCJSValueInlines.h:141) 8 JavaScriptCore 0x000000018608d590 JSC::LLInt::getByVal(JSC::ExecState*, JSC::JSValue, JSC::JSValue) + 3284 (PropertySlot.h:257) 9 JavaScriptCore 0x000000018606c110 llint_slow_path_get_by_val + 180 (LLIntSlowPaths.cpp:749) 10 JavaScriptCore 0x00000001864b331c llint_entry + 12620 11 JavaScriptCore 0x00000001864b5e34 llint_entry + 23652 12 JavaScriptCore 0x00000001864b5e34 llint_entry + 23652 13 JavaScriptCore 0x00000001864b5e34 llint_entry + 23652 14 JavaScriptCore 0x00000001864b5e34 llint_entry + 23652 15 ??? 0x000000014b09cbc0 0 + 5553900480 16 JavaScriptCore 0x00000001864b5dd0 llint_entry + 23552 17 JavaScriptCore 0x00000001864b6004 llint_entry + 24116 18 JavaScriptCore 0x00000001864b5dd0 llint_entry + 23552 19 JavaScriptCore 0x00000001864b5e34 llint_entry + 23652 20 JavaScriptCore 0x00000001864b6004 llint_entry + 24116 21 JavaScriptCore 0x00000001864b5e34 llint_entry + 23652 22 JavaScriptCore 0x00000001864b6004 llint_entry + 24116 23 JavaScriptCore 0x00000001864b5e34 llint_entry + 23652 24 JavaScriptCore 0x00000001864b5e34 llint_entry + 23652 25 JavaScriptCore 0x00000001864b5e34 llint_entry + 23652 26 JavaScriptCore 0x00000001864b5e34 llint_entry + 23652 27 JavaScriptCore 0x00000001864b5e34 llint_entry + 23652 28 JavaScriptCore 0x00000001864affb8 vmEntryToJavaScript + 312 29 JavaScriptCore 0x00000001863dcd04 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 180 (VM.h:384) 30 JavaScriptCore 0x000000018605e39c JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) + 8204 (Interpreter.cpp:901) 31 JavaScriptCore 0x00000001861b65e8 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) + 440 (Completion.cpp:82) 32 WebCore 0x0000000196f1ad28 WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&) + 292 (JSMainThreadExecState.h:62) 33 WebCore 0x000000019636aa54 WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) + 340 (ScriptElement.cpp:309) 34 WebCore 0x00000001964a89bc WebCore::ScriptElement::execute(WebCore::CachedScript*) + 188 (StdLibExtras.h:374) 35 WebCore 0x0000000196f2134c WebCore::ScriptRunner::timerFired() + 468 (ScriptRunner.cpp:122) 36 WebCore 0x0000000196342ca8 WebCore::ThreadTimers::sharedTimerFiredInternal() + 148 (ThreadTimers.cpp:135) 37 WebCore 0x0000000196342be8 WebCore::timerFired(__CFRunLoopTimer*, void*) + 36 (SharedTimerCF.cpp:82) 38 CoreFoundation 0x00000001849c97d4 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 28 (CFRunLoop.c:1630) 39 CoreFoundation 0x00000001849c9478 __CFRunLoopDoTimer + 884 (CFRunLoop.c:2168) 40 CoreFoundation 0x00000001849c6b8c __CFRunLoopRun + 1520 (CFRunLoop.c:2306) 41 CoreFoundation 0x00000001848f58a0 CFRunLoopRunSpecific + 384 (CFRunLoop.c:2814) 42 Foundation 0x000000018586894c -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 308 (NSRunLoop.m:367) 43 Foundation 0x00000001858bdf74 -[NSRunLoop(NSRunLoop) run] + 88 (NSRunLoop.m:388) 44 libxpc.dylib 0x0000000199eccd4c _xpc_objc_main + 660 (main.m:177) 45 libxpc.dylib 0x0000000199ecea80 xpc_main + 200 (init.c:1395) 46 com.apple.WebKit.WebContent 0x00000001000ab924 main + 56 (XPCServiceMain.mm:89) 47 libdyld.dylib 0x0000000199caa8b8 start + 4 (start_glue.s:80)
Attachments
Patch (10.60 KB, patch)
2015-08-10 15:40 PDT, alan 		no flags
DetailsFormatted DiffDiff
Patch (10.62 KB, patch)
2015-08-11 10:53 PDT, alan 		no flags
DetailsFormatted DiffDiff
Patch (10.62 KB, patch)
2015-08-11 12:54 PDT, alan 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
alan
Comment 1 2015-08-10 15:37:33 PDT
rdar://problem/22205197
alan
Comment 2 2015-08-10 15:40:45 PDT
Created attachment 258659 [details] Patch
alan
Comment 3 2015-08-10 15:41:06 PDT
Need to construct a test case.
alan
Comment 4 2015-08-11 10:53:43 PDT
Created attachment 258726 [details] Patch
Darin Adler
Comment 5 2015-08-11 11:34:32 PDT
Comment on attachment 258726 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=258726&action=review > Source/WebCore/page/FrameView.cpp:624 > + if (!renderView || !viewportRenderer || !is<RenderBox>(viewportRenderer) || !frame().isMainFrame()) This: !viewportRenderer || !is<RenderBox>(viewportRenderer) Is the same as this: !is<RenderBox>(viewportRenderer) So I think we should remove the extra null check.
alan
Comment 6 2015-08-11 11:35:47 PDT
(In reply to comment #5) > Comment on attachment 258726 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=258726&action=review > > > Source/WebCore/page/FrameView.cpp:624 > > + if (!renderView || !viewportRenderer || !is<RenderBox>(viewportRenderer) || !frame().isMainFrame()) > > This: > > !viewportRenderer || !is<RenderBox>(viewportRenderer) > > Is the same as this: > > !is<RenderBox>(viewportRenderer) > > So I think we should remove the extra null check. Good point!
alan
Comment 7 2015-08-11 12:54:23 PDT
Created attachment 258740 [details] Patch
WebKit Commit Bot
Comment 8 2015-08-11 14:50:53 PDT
Comment on attachment 258740 [details] Patch Clearing flags on attachment: 258740 Committed r188298: <http://trac.webkit.org/changeset/188298>
WebKit Commit Bot
Comment 9 2015-08-11 14:50:56 PDT
All reviewed patches have been landed. Closing bug.
David Kilzer (:ddkilzer)
Comment 10 2015-08-11 19:59:18 PDT
Comment on attachment 258740 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=258740&action=review > Source/WebCore/page/FrameView.cpp:758 > + auto documentElement = document->documentElement(); Shouldn't this be of type "auto*" as it is later in the patch? auto* documentElement = document->documentElement();
alan
Comment 11 2015-08-11 20:03:17 PDT
Comment on attachment 258740 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=258740&action=review >> Source/WebCore/page/FrameView.cpp:758 >> + auto documentElement = document->documentElement(); > > Shouldn't this be of type "auto*" as it is later in the patch? > > auto* documentElement = document->documentElement(); It should! I'll fix it in one of my upcoming patches. (note: it does not change functionality)
David Kilzer (:ddkilzer)
Comment 12 2016-06-13 18:10:26 PDT
*** Bug 149495 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.