Bug 148182

Summary: PDFPlugin's scrollableArea container is not properly unregistered when page is going into the PageCache
Product: WebKit Reporter: Brent Fulgham <bfulgham>
Component: Layout and RenderingAssignee: Simon Fraser (smfr) <simon.fraser>
Status: RESOLVED FIXED    
Severity: Normal CC: beidson, cdumez, cgarcia, commit-queue, esprehn+autocc, gyuyoung.kim, simon.fraser
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
dino: review+
Patch bfulgham: review+

Brent Fulgham
Reported 2015-08-19 12:39:04 PDT
WebKit is crashing when a some pages (those containing PluginViews, but perhaps others) are restored from the PageCache. This is happening because the FrameView holds onto a set of pointers to ScrollableAreas, but those render elements no longer exist when the page is revived from the cache. To correct this, we must clear out these ScrollableArea pointers when the page goes into the PageCache. When the page is reconstituted from the cache, the layout pass will rebuild the set of ScrollableAreas that were in this container originally.
Attachments
Patch (2.61 KB, patch)
2015-08-19 13:37 PDT, Brent Fulgham 		dino: review+
DetailsFormatted DiffDiff
Patch (9.88 KB, patch)
2016-02-17 12:14 PST, Simon Fraser (smfr) 		bfulgham: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Brent Fulgham
Comment 1 2015-08-19 12:41:26 PDT
<rdar://problem/21969170>
Brent Fulgham
Comment 2 2015-08-19 13:37:22 PDT
Created attachment 259396 [details] Patch
Brent Fulgham
Comment 3 2015-08-19 16:06:08 PDT
Committed r188659: <http://trac.webkit.org/changeset/188659>
Chris Dumez
Comment 4 2015-08-20 09:03:16 PDT
Comment on attachment 259396 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=259396&action=review > Source/WebCore/ChangeLog:9 > + Must be tested manually going back and forth in history several times. We have plenty of layout tests for PageCache. Why cannot we write one for this?
Simon Fraser (smfr)
Comment 5 2016-02-16 10:48:25 PST
Reopening. I'm rolling out because this caused bug 153404.
Simon Fraser (smfr)
Comment 6 2016-02-16 10:49:08 PST
Rolled out in https://trac.webkit.org/r196641.
Simon Fraser (smfr)
Comment 7 2016-02-16 16:14:20 PST
PDFPlugin::destroy() already has a call to frameView->removeScrollableArea(), so why doesn't this always work?
Simon Fraser (smfr)
Comment 8 2016-02-16 16:35:13 PST
Oh this is the usual page cache mess where we remove it from the wrong FrameView.
Simon Fraser (smfr)
Comment 9 2016-02-16 17:51:26 PST
So the real issue is that PDFPlugin invalidates the assumption that a page in the page cache is "frozen" and won't try to access the Frame etc. This is because it gets torn down under this stack, after going into the page cache: * thread #1: tid = 0xd65515, 0x000000010e95a0cf WebKit`WebKit::PDFPlugin::destroy(this=0x0000000125d391d8) + 63 at DeprecatedPDFPlugin.mm:1104, queue = 'com.apple.main-thread', stop reason = breakpoint 14.1 * frame #0: 0x000000010e95a0cf WebKit`WebKit::PDFPlugin::destroy(this=0x0000000125d391d8) + 63 at DeprecatedPDFPlugin.mm:1104 frame #1: 0x000000010ebcbb6a WebKit`WebKit::Plugin::destroyPlugin(this=0x0000000125d391d8) + 26 at Plugin.cpp:101 frame #2: 0x000000010ec4af59 WebKit`WebKit::PluginView::destroyPluginAndReset(this=0x0000000126033a40) + 265 at PluginView.cpp:357 frame #3: 0x000000010ec4ace2 WebKit`WebKit::PluginView::~PluginView(this=0x0000000126033a40) + 322 at PluginView.cpp:342 frame #4: 0x000000010ec4b015 WebKit`WebKit::PluginView::~PluginView(this=0x0000000126033a40) + 21 at PluginView.cpp:331 frame #5: 0x000000010ec4b0f9 WebKit`WebKit::PluginView::~PluginView(this=0x0000000126033a40) + 25 at PluginView.cpp:331 frame #6: 0x0000000114e564b3 WebCore`WTF::RefCounted<WebCore::Widget>::deref(this=0x0000000126033a48) + 83 at RefCounted.h:146 frame #7: 0x00000001156be3ea WebCore`void WTF::derefIfNotNull<WebCore::Widget>(ptr=0x0000000126033a40) + 58 at PassRefPtr.h:42 frame #8: 0x00000001156be3a9 WebCore`WTF::RefPtr<WebCore::Widget>::~RefPtr(this=0x0000000125183d70) + 41 at RefPtr.h:59 frame #9: 0x00000001156bbb75 WebCore`WTF::RefPtr<WebCore::Widget>::~RefPtr(this=0x0000000125183d70) + 21 at RefPtr.h:59 frame #10: 0x0000000116cae775 WebCore`WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*>::~KeyValuePair(this=0x0000000125183d70) + 21 at HashTraits.h:168 frame #11: 0x0000000116cae745 WebCore`WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*>::~KeyValuePair(this=0x0000000125183d70) + 21 at HashTraits.h:168 frame #12: 0x0000000116cae6d4 WebCore`WTF::HashTable<WTF::RefPtr<WebCore::Widget>, WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*>, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*> >, WTF::PtrHash<WTF::RefPtr<WebCore::Widget> >, WTF::HashMap<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*, WTF::PtrHash<WTF::RefPtr<WebCore::Widget> >, WTF::HashTraits<WTF::RefPtr<WebCore::Widget> >, WTF::HashTraits<WebCore::FrameView*> >::KeyValuePairTraits, WTF::HashTraits<WTF::RefPtr<WebCore::Widget> > >::deallocateTable(table=0x0000000125183d00, size=8) + 84 at HashTable.h:1139 frame #13: 0x0000000116cae4ae WebCore`WTF::HashTable<WTF::RefPtr<WebCore::Widget>, WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*>, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*> >, WTF::PtrHash<WTF::RefPtr<WebCore::Widget> >, WTF::HashMap<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*, WTF::PtrHash<WTF::RefPtr<WebCore::Widget> >, WTF::HashTraits<WTF::RefPtr<WebCore::Widget> >, WTF::HashTraits<WebCore::FrameView*> >::KeyValuePairTraits, WTF::HashTraits<WTF::RefPtr<WebCore::Widget> > >::~HashTable(this=0x00007fff5141c098) + 62 at HashTable.h:359 frame #14: 0x0000000116cae465 WebCore`WTF::HashTable<WTF::RefPtr<WebCore::Widget>, WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*>, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*> >, WTF::PtrHash<WTF::RefPtr<WebCore::Widget> >, WTF::HashMap<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*, WTF::PtrHash<WTF::RefPtr<WebCore::Widget> >, WTF::HashTraits<WTF::RefPtr<WebCore::Widget> >, WTF::HashTraits<WebCore::FrameView*> >::KeyValuePairTraits, WTF::HashTraits<WTF::RefPtr<WebCore::Widget> > >::~HashTable(this=0x00007fff5141c098) + 21 at HashTable.h:356 frame #15: 0x0000000116cae445 WebCore`WTF::HashMap<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*, WTF::PtrHash<WTF::RefPtr<WebCore::Widget> >, WTF::HashTraits<WTF::RefPtr<WebCore::Widget> >, WTF::HashTraits<WebCore::FrameView*> >::~HashMap(this=0x00007fff5141c098) + 21 at HashMap.h:36 frame #16: 0x0000000116cadb95 WebCore`WTF::HashMap<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*, WTF::PtrHash<WTF::RefPtr<WebCore::Widget> >, WTF::HashTraits<WTF::RefPtr<WebCore::Widget> >, WTF::HashTraits<WebCore::FrameView*> >::~HashMap(this=0x00007fff5141c098) + 21 at HashMap.h:36 frame #17: 0x0000000116cab8d3 WebCore`WebCore::WidgetHierarchyUpdatesSuspensionScope::moveWidgets(this=0x00007fff5141c190) + 403 at RenderWidget.cpp:69 frame #18: 0x0000000115179a5c WebCore`WebCore::WidgetHierarchyUpdatesSuspensionScope::~WidgetHierarchyUpdatesSuspensionScope(this=0x00007fff5141c190) + 108 at RenderWidget.h:43 frame #19: 0x00000001151782d5 WebCore`WebCore::WidgetHierarchyUpdatesSuspensionScope::~WidgetHierarchyUpdatesSuspensionScope(this=0x00007fff5141c190) + 21 at RenderWidget.h:40 frame #20: 0x0000000117029ebb WebCore`WebCore::Style::detachRenderTree(current=0x0000000125f5f280, detachType=NormalDetach) + 315 at StyleTreeResolver.cpp:615 frame #21: 0x000000011702afc7 WebCore`WebCore::Style::detachRenderTree(element=0x0000000125f5f280) + 23 at StyleTreeResolver.cpp:939 frame #22: 0x0000000115ab05d7 WebCore`WebCore::HTMLPlugInImageElement::prepareForDocumentSuspension(this=0x0000000125f5f280) + 55 at HTMLPlugInImageElement.cpp:318 frame #23: 0x00000001154aa6ee WebCore`WebCore::Document::suspend(this=0x0000000125ec2bc0, reason=PageCache) + 222 at Document.cpp:4625 frame #24: 0x00000001150475c4 WebCore`WebCore::CachedFrame::CachedFrame(this=0x00000001259e6f78, frame=0x000000012516e000) + 964 at CachedFrame.cpp:163 Note that we now put pages with plug-ins into the page cache (which probably triggered this bug).
Simon Fraser (smfr)
Comment 10 2016-02-16 18:06:38 PST
rdar://problem/24679436
Simon Fraser (smfr)
Comment 11 2016-02-16 18:16:22 PST
Actually this is bad teardown stack: * thread #1: tid = 0xd6f547, 0x0000000109056155 WebKit`WebKit::PDFPlugin::destroy(this=0x000000012054eb10) + 197 at DeprecatedPDFPlugin.mm:1113, queue = 'com.apple.main-thread', stop reason = breakpoint 18.1 * frame #0: 0x0000000109056155 WebKit`WebKit::PDFPlugin::destroy(this=0x000000012054eb10) + 197 at DeprecatedPDFPlugin.mm:1113 frame #1: 0x00000001092c7b6a WebKit`WebKit::Plugin::destroyPlugin(this=0x000000012054eb10) + 26 at Plugin.cpp:101 frame #2: 0x0000000109346f59 WebKit`WebKit::PluginView::destroyPluginAndReset(this=0x000000011fe90740) + 265 at PluginView.cpp:357 frame #3: 0x0000000109346ce2 WebKit`WebKit::PluginView::~PluginView(this=0x000000011fe90740) + 322 at PluginView.cpp:342 frame #4: 0x0000000109347015 WebKit`WebKit::PluginView::~PluginView(this=0x000000011fe90740) + 21 at PluginView.cpp:331 frame #5: 0x00000001093470f9 WebKit`WebKit::PluginView::~PluginView(this=0x000000011fe90740) + 25 at PluginView.cpp:331 frame #6: 0x000000010f5594b3 WebCore`WTF::RefCounted<WebCore::Widget>::deref(this=0x000000011fe90748) + 83 at RefCounted.h:146 frame #7: 0x000000010fdc13ea WebCore`void WTF::derefIfNotNull<WebCore::Widget>(ptr=0x000000011fe90740) + 58 at PassRefPtr.h:42 frame #8: 0x000000010fdc13a9 WebCore`WTF::RefPtr<WebCore::Widget>::~RefPtr(this=0x00007fff56d2bee0) + 41 at RefPtr.h:59 frame #9: 0x000000010fdbeb75 WebCore`WTF::RefPtr<WebCore::Widget>::~RefPtr(this=0x00007fff56d2bee0) + 21 at RefPtr.h:59 frame #10: 0x00000001101ae9ac WebCore`WebCore::HTMLPlugInElement::defaultEventHandler(this=0x000000012075c280, event=0x00000001201a17f8) + 412 at HTMLPlugInElement.cpp:235 frame #11: 0x00000001101b61a8 WebCore`WebCore::HTMLPlugInImageElement::defaultEventHandler(this=0x000000012075c280, event=0x00000001201a17f8) + 296 at HTMLPlugInImageElement.cpp:756 frame #12: 0x000000010fd9ed96 WebCore`WebCore::callDefaultEventHandlersInTheBubblingOrder(event=0x00000001201a17f8, path=0x00007fff56d2c020) + 102 at EventDispatcher.cpp:134 frame #13: 0x000000010fd9e4e1 WebCore`WebCore::EventDispatcher::dispatchEvent(origin=0x000000012075c280, event=0x00000001201a17f8) + 881 at EventDispatcher.cpp:239 frame #14: 0x0000000110f1003d WebCore`WebCore::Node::dispatchEvent(this=0x000000012075c280, event=0x00000001201a17f8) + 29 at Node.cpp:2108 frame #15: 0x000000010fdb090f WebCore`WebCore::EventHandler::keyEvent(this=0x000000011f76c000, initialKeyEvent=0x00007fff56d2c4a8) + 1519 at EventHandler.cpp:3054 frame #16: 0x0000000111a37682 WebCore`WebCore::UserInputBridge::handleKeyEvent(this=0x00007fda18e106a0, keyEvent=0x00007fff56d2c4a8, inputSource=User) + 466 at UserInputBridge.cpp:170 and this happens when we navigate inside handling a key event: * thread #1: tid = 0xd7189e, 0x000000011602ac4f WebCore`WebCore::FrameLoader::commitProvisionalLoad(this=0x000000012596e0a0) + 47 at FrameLoader.cpp:1726, queue = 'com.apple.main-thread', stop reason = breakpoint 17.1 * frame #0: 0x000000011602ac4f WebCore`WebCore::FrameLoader::commitProvisionalLoad(this=0x000000012596e0a0) + 47 at FrameLoader.cpp:1726 frame #1: 0x000000011602fbf2 WebCore`WebCore::FrameLoader::loadProvisionalItemFromCachedPage(this=0x000000012596e0a0) + 290 at FrameLoader.cpp:3211 frame #2: 0x0000000116029828 WebCore`WebCore::FrameLoader::continueLoadAfterNavigationPolicy(this=0x000000012596e0a0, request=0x00007fff50c47b70, formState=PassRefPtr<WebCore::FormState> @ 0x00007fff50c47690, shouldContinue=true, allowNavigationToInvalidURL=Yes) + 1080 at FrameLoader.cpp:3058 frame #3: 0x0000000116037e9e WebCore`WebCore::FrameLoader::loadWithDocumentLoader(this=0x00007fff50c47dc8, request=0x00007fff50c47b70, formState=<unavailable>, shouldContinue=true)::$_4::operator()(WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool) const + 94 at FrameLoader.cpp:1446 frame #4: 0x0000000116037e20 WebCore`void std::__1::__invoke_void_return_wrapper<void>::__call<WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>, WebCore::AllowNavigationToInvalidURL)::$_4&, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool>(WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>, WebCore::AllowNavigationToInvalidURL)::$_4&&&, WebCore::ResourceRequest const&&&, WTF::PassRefPtr<WebCore::FormState>&&, bool&&) [inlined] decltype(__f=0x00007fff50c47dc8, __args=0x00007fff50c47b70, __args=0x00007fff50c47850, __args=0x00007fff50c477e7)::$_4&>(fp)(std::__1::forward<WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool>(fp0))) std::__1::__invoke<WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>, WebCore::AllowNavigationToInvalidURL)::$_4&, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool>(WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>, WebCore::AllowNavigationToInvalidURL)::$_4&&&, WebCore::ResourceRequest const&&&, WTF::PassRefPtr<WebCore::FormState>&&, bool&&) + 107 at __functional_base:415 frame #5: 0x0000000116037db5 WebCore`void std::__1::__invoke_void_return_wrapper<void>::__call<WebCore::FrameLoader::loadWithDocumentLoader(__args=0x00007fff50c47dc8, __args=0x00007fff50c47b70, __args=0x00007fff50c47850, __args=0x00007fff50c477e7)::$_4&, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool>(WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>, WebCore::AllowNavigationToInvalidURL)::$_4&&&, WebCore::ResourceRequest const&&&, WTF::PassRefPtr<WebCore::FormState>&&, bool&&) + 101 at __functional_base:440 frame #6: 0x0000000116037d1c WebCore`std::__1::__function::__func<WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>, WebCore::AllowNavigationToInvalidURL)::$_4, std::__1::allocator<WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>, WebCore::AllowNavigationToInvalidURL)::$_4>, void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>::operator(this=0x00007fff50c47dc0, __arg=0x00007fff50c47b70, __arg=0x00007fff50c47850, __arg=0x00007fff50c477e7)(WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>&&, bool&&) + 92 at functional:1407 frame #7: 0x00000001170be187 WebCore`std::__1::function<void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>::operator(this=0x00007fff50c47dc0, __arg=0x00007fff50c47b70, __arg=<unavailable>, __arg=true)(WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool) const + 87 at functional:1793 frame #8: 0x00000001170bd779 WebCore`WebCore::PolicyCallback::call(this=0x00007fff50c47b70, shouldContinue=true) + 137 at PolicyCallback.cpp:95 frame #9: 0x00000001170bede5 WebCore`WebCore::PolicyChecker::continueAfterNavigationPolicy(this=0x000000012596d000, policy=PolicyUse) + 677 at PolicyChecker.cpp:204 frame #10: 0x00000001170c23de WebCore`WebCore::PolicyChecker::checkNavigationPolicy(this=0x00007fff50c47f98, action=PolicyUse)>)::$_1::operator()(WebCore::PolicyAction) const + 30 at PolicyChecker.cpp:121 frame #11: 0x00000001170c23af WebCore`void std::__1::__invoke_void_return_wrapper<void>::__call<WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest const&, WebCore::DocumentLoader*, WTF::PassRefPtr<WebCore::FormState>, std::__1::function<void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>)::$_1&, WebCore::PolicyAction>(WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest const&, WebCore::DocumentLoader*, WTF::PassRefPtr<WebCore::FormState>, std::__1::function<void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>)::$_1&&&, WebCore::PolicyAction&&) [inlined] decltype(__f=0x00007fff50c47f98, __args=0x00007fff50c47f2c)>)::$_1&>(fp)(std::__1::forward<WebCore::PolicyAction>(fp0))) std::__1::__invoke<WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest const&, WebCore::DocumentLoader*, WTF::PassRefPtr<WebCore::FormState>, std::__1::function<void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>)::$_1&, WebCore::PolicyAction>(WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest const&, WebCore::DocumentLoader*, WTF::PassRefPtr<WebCore::FormState>, std::__1::function<void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>)::$_1&&&, WebCore::PolicyAction&&) + 79 at __functional_base:415 frame #12: 0x00000001170c2390 WebCore`void std::__1::__invoke_void_return_wrapper<void>::__call<WebCore::PolicyChecker::checkNavigationPolicy(__args=0x00007fff50c47f98, __args=0x00007fff50c47f2c)>)::$_1&, WebCore::PolicyAction>(WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest const&, WebCore::DocumentLoader*, WTF::PassRefPtr<WebCore::FormState>, std::__1::function<void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>)::$_1&&&, WebCore::PolicyAction&&) + 48 at __functional_base:440 frame #13: 0x00000001170c232c WebCore`std::__1::__function::__func<WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest const&, WebCore::DocumentLoader*, WTF::PassRefPtr<WebCore::FormState>, std::__1::function<void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>)::$_1, std::__1::allocator<WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest const&, WebCore::DocumentLoader*, WTF::PassRefPtr<WebCore::FormState>, std::__1::function<void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>)::$_1>, void (WebCore::PolicyAction)>::operator(this=0x00007fff50c47f90, __arg=0x00007fff50c47f2c)(WebCore::PolicyAction&&) + 60 at functional:1407 frame #14: 0x000000010f6bfc8c WebKit`std::__1::function<void (WebCore::PolicyAction)>::operator(this=0x00007fff50c47f90, __arg=PolicyUse)(WebCore::PolicyAction) const + 44 at functional:1793 frame #15: 0x000000010f6bb35c WebKit`WebKit::WebFrame::didReceivePolicyDecision(this=0x00007f969b7035d0, listenerID=10, action=PolicyUse, navigationID=6, downloadID=(m_downloadID = 0)) + 332 at WebFrame.cpp:246 frame #16: 0x000000010f6c6b14 WebKit`WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction(this=0x00007f969d103f80, navigationAction=0x00007fff50c48540, request=0x000000012623a750, prpFormState=PassRefPtr<WebCore::FormState> @ 0x00007fff50c483d8, function=WebCore::FramePolicyFunction @ 0x00007fff50c48680)>) + 2196 at WebFrameLoaderClient.cpp:829 frame #17: 0x00000001170bea8b WebCore`WebCore::PolicyChecker::checkNavigationPolicy(this=0x000000012596d000, request=0x000000012623a750, loader=0x000000012623a280, formState=PassRefPtr<WebCore::FormState> @ 0x00007fff50c48850, function=WebCore::NavigationPolicyDecisionFunction @ 0x00007fff50c48c30)>) + 1531 at PolicyChecker.cpp:120 frame #18: 0x0000000116028f07 WebCore`WebCore::FrameLoader::loadWithDocumentLoader(this=0x000000012596e0a0, loader=0x000000012623a280, type=Back, prpFormState=PassRefPtr<WebCore::FormState> @ 0x00007fff50c49508, allowNavigationToInvalidURL=Yes) + 1735 at FrameLoader.cpp:1445 frame #19: 0x0000000116025445 WebCore`WebCore::FrameLoader::loadDifferentDocumentItem(this=0x000000012596e0a0, item=0x00000001259bf0c8, loadType=Back, cacheLoadPolicy=MayAttemptCacheOnlyLoadForFormSubmissionItem) + 373 at FrameLoader.cpp:3279 frame #20: 0x0000000116030945 WebCore`WebCore::FrameLoader::loadItem(this=0x000000012596e0a0, item=0x00000001259bf0c8, loadType=Back) + 165 at FrameLoader.cpp:3368 frame #21: 0x000000011614f030 WebCore`WebCore::HistoryController::recursiveGoToItem(this=0x00000001259f23f0, item=0x00000001259bf0c8, fromItem=0x00000001297c33e8, type=Back) + 96 at HistoryController.cpp:747 frame #22: 0x000000011614edf1 WebCore`WebCore::HistoryController::goToItem(this=0x00000001259f23f0, targetItem=0x00000001259bf0c8, type=Back) + 401 at HistoryController.cpp:320 frame #23: 0x000000011701fa76 WebCore`WebCore::Page::goToItem(this=0x0000000125801c00, item=0x00000001259bf0c8, type=Back) + 198 at Page.cpp:436 frame #24: 0x00000001157b93c9 WebCore`WebCore::BackForwardController::goBack(this=0x00000001259f7050) + 73 at BackForwardController.cpp:86 frame #25: 0x000000010f806b07 WebKit`WebKit::WebPage::performNonEditingBehaviorForSelector(this=0x00007f969e007e10, selector=0x0000000126182540, event=0x00000001259a02a8) + 1287 at WebPageMac.mm:554 frame #26: 0x000000010f806100 WebKit`WebKit::WebPage::executeKeypressCommandsInternal(this=0x00007f969e007e10, commands=0x00000001259a0320, event=0x00000001259a02a8) + 912 at WebPageMac.mm:250 frame #27: 0x000000010f806fed WebKit`WebKit::WebPage::handleEditingKeyboardEvent(this=0x00007f969e007e10, event=0x00000001259a02a8) + 797 at WebPageMac.mm:293 frame #28: 0x000000010f6b3191 WebKit`WebKit::WebEditorClient::handleKeyboardEvent(this=0x00007f969d102ba0, event=0x00000001259a02a8) + 33 at WebEditorClientMac.mm:66 frame #29: 0x0000000115e12e72 WebCore`WebCore::Editor::handleKeyboardEvent(this=0x0000000125975c00, event=0x00000001259a02a8) + 66 at Editor.cpp:189 frame #30: 0x0000000115e803a1 WebCore`WebCore::EventHandler::defaultKeyboardEventHandler(this=0x000000012596c000, event=0x00000001259a02a8) + 97 at EventHandler.cpp:3221 frame #31: 0x0000000116fdf541 WebCore`WebCore::Node::defaultEventHandler(this=0x000000012595a780, event=0x00000001259a02a8) + 241 at Node.cpp:2175 frame #32: 0x000000011627d99c WebCore`WebCore::HTMLPlugInElement::defaultEventHandler(this=0x000000012595a780, event=0x00000001259a02a8) + 396 at HTMLPlugInElement.cpp:234 frame #33: 0x00000001162851a8 WebCore`WebCore::HTMLPlugInImageElement::defaultEventHandler(this=0x000000012595a780, event=0x00000001259a02a8) + 296 at HTMLPlugInImageElement.cpp:756 frame #34: 0x0000000115e6dd96 WebCore`WebCore::callDefaultEventHandlersInTheBubblingOrder(event=0x00000001259a02a8, path=0x00007fff50c4a020) + 102 at EventDispatcher.cpp:134 frame #35: 0x0000000115e6d4e1 WebCore`WebCore::EventDispatcher::dispatchEvent(origin=0x000000012595a780, event=0x00000001259a02a8) + 881 at EventDispatcher.cpp:239 frame #36: 0x0000000116fdf03d WebCore`WebCore::Node::dispatchEvent(this=0x000000012595a780, event=0x00000001259a02a8) + 29 at Node.cpp:2108 frame #37: 0x0000000115e7f90f WebCore`WebCore::EventHandler::keyEvent(this=0x000000012596c000, initialKeyEvent=0x00007fff50c4a4a8) + 1519 at EventHandler.cpp:3054 frame #38: 0x0000000117b06682 WebCore`WebCore::UserInputBridge::handleKeyEvent(this=0x00007f969d1017f0, keyEvent=0x00007fff50c4a4a8, inputSource=User) + 466 at UserInputBridge.cpp:170 frame #39: 0x000000010f7b648d WebKit`WebKit::handleKeyEvent(keyboardEvent=0x00007fff50c4a708, page=0x0000000125801c00) + 221 at WebPage.cpp:2138 frame #40: 0x000000010f7b6342 WebKit`WebKit::WebPage::keyEvent(this=0x00007f969e007e10, keyboardEvent=0x00007fff50c4a708) + 162 at WebPage.cpp:2150
Simon Fraser (smfr)
Comment 12 2016-02-16 18:29:05 PST
Fragile fix: diff --git a/Source/WebCore/html/HTMLPlugInElement.cpp b/Source/WebCore/html/HTMLPlugInElement.cpp index 57a532e98da402bc737b54e8f6494fc791e23133..f22d93b4464406f83b9425278b21256c662d8be4 100644 --- a/Source/WebCore/html/HTMLPlugInElement.cpp +++ b/Source/WebCore/html/HTMLPlugInElement.cpp @@ -225,12 +225,14 @@ void HTMLPlugInElement::defaultEventHandler(Event* event) return; } - RefPtr<Widget> widget = downcast<RenderWidget>(*renderer).widget(); - if (!widget) - return; - widget->handleEvent(event); - if (event->defaultHandled()) - return; + { + RefPtr<Widget> widget = downcast<RenderWidget>(*renderer).widget(); + if (!widget) + return; + widget->handleEvent(event); + if (event->defaultHandled()) + return; + } HTMLFrameOwnerElement::defaultEventHandler(event); }
Simon Fraser (smfr)
Comment 13 2016-02-17 12:14:39 PST
Created attachment 271575 [details] Patch
Simon Fraser (smfr)
Comment 14 2016-02-17 12:15:28 PST
To reproduce this bug: 1. Load a page with a link to a long (scrollable) pdf 2. Click the link 3. Use Command-Left Arrow to go back. Crashes under GuardMalloc.
Brent Fulgham
Comment 15 2016-02-17 12:23:51 PST
Comment on attachment 271575 [details] Patch r=me. Thank you for figuring out the *true* fix to this problem!
Simon Fraser (smfr)
Comment 16 2016-02-17 13:27:23 PST
https://trac.webkit.org/r196717
Note You need to log in before you can comment on or make changes to this bug.