Bug 148182

Summary:

PDFPlugin's scrollableArea container is not properly unregistered when page is going into the PageCache

Product:

WebKit

Reporter:

Brent Fulgham <bfulgham>

Component:

Layout and Rendering

Assignee:

Simon Fraser (smfr) <simon.fraser>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

beidson, cdumez, cgarcia, commit-queue, esprehn+autocc, gyuyoung.kim, simon.fraser

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
Patch	dino: review+
Patch	bfulgham: review+

Description Brent Fulgham 2015-08-19 12:39:04 PDT

WebKit is crashing when a some pages (those containing PluginViews, but perhaps others) are restored from the PageCache. This is happening because the FrameView holds onto a set of pointers to ScrollableAreas, but those render elements no longer exist when the page is revived from the cache.

To correct this, we must clear out these ScrollableArea pointers when the page goes into the PageCache. When the page is reconstituted from the cache, the layout pass will rebuild the set of ScrollableAreas that were in this container originally.

Comment 1 Brent Fulgham 2015-08-19 12:41:26 PDT

<rdar://problem/21969170>

Comment 2 Brent Fulgham 2015-08-19 13:37:22 PDT

Created attachment 259396 [details]
Patch

Comment 3 Brent Fulgham 2015-08-19 16:06:08 PDT

Committed r188659: <http://trac.webkit.org/changeset/188659>

Comment 4 Chris Dumez 2015-08-20 09:03:16 PDT

Comment on attachment 259396 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=259396&action=review

> Source/WebCore/ChangeLog:9
> +        Must be tested manually going back and forth in history several times.

We have plenty of layout tests for PageCache. Why cannot we write one for this?

Comment 5 Simon Fraser (smfr) 2016-02-16 10:48:25 PST

Reopening. I'm rolling out because this caused bug 153404.

Comment 6 Simon Fraser (smfr) 2016-02-16 10:49:08 PST

Rolled out in https://trac.webkit.org/r196641.

Comment 7 Simon Fraser (smfr) 2016-02-16 16:14:20 PST

PDFPlugin::destroy() already has a call to frameView->removeScrollableArea(), so why doesn't this always work?

Comment 8 Simon Fraser (smfr) 2016-02-16 16:35:13 PST

Oh this is the usual page cache mess where we remove it from the wrong FrameView.

Comment 9 Simon Fraser (smfr) 2016-02-16 17:51:26 PST

So the real issue is that PDFPlugin invalidates the assumption that a page in the page cache is "frozen" and won't try to access the Frame etc. This is because it gets torn down under this stack, after going into the page cache:

* thread #1: tid = 0xd65515, 0x000000010e95a0cf WebKit`WebKit::PDFPlugin::destroy(this=0x0000000125d391d8) + 63 at DeprecatedPDFPlugin.mm:1104, queue = 'com.apple.main-thread', stop reason = breakpoint 14.1
  * frame #0: 0x000000010e95a0cf WebKit`WebKit::PDFPlugin::destroy(this=0x0000000125d391d8) + 63 at DeprecatedPDFPlugin.mm:1104
    frame #1: 0x000000010ebcbb6a WebKit`WebKit::Plugin::destroyPlugin(this=0x0000000125d391d8) + 26 at Plugin.cpp:101
    frame #2: 0x000000010ec4af59 WebKit`WebKit::PluginView::destroyPluginAndReset(this=0x0000000126033a40) + 265 at PluginView.cpp:357
    frame #3: 0x000000010ec4ace2 WebKit`WebKit::PluginView::~PluginView(this=0x0000000126033a40) + 322 at PluginView.cpp:342
    frame #4: 0x000000010ec4b015 WebKit`WebKit::PluginView::~PluginView(this=0x0000000126033a40) + 21 at PluginView.cpp:331
    frame #5: 0x000000010ec4b0f9 WebKit`WebKit::PluginView::~PluginView(this=0x0000000126033a40) + 25 at PluginView.cpp:331
    frame #6: 0x0000000114e564b3 WebCore`WTF::RefCounted<WebCore::Widget>::deref(this=0x0000000126033a48) + 83 at RefCounted.h:146
    frame #7: 0x00000001156be3ea WebCore`void WTF::derefIfNotNull<WebCore::Widget>(ptr=0x0000000126033a40) + 58 at PassRefPtr.h:42
    frame #8: 0x00000001156be3a9 WebCore`WTF::RefPtr<WebCore::Widget>::~RefPtr(this=0x0000000125183d70) + 41 at RefPtr.h:59
    frame #9: 0x00000001156bbb75 WebCore`WTF::RefPtr<WebCore::Widget>::~RefPtr(this=0x0000000125183d70) + 21 at RefPtr.h:59
    frame #10: 0x0000000116cae775 WebCore`WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*>::~KeyValuePair(this=0x0000000125183d70) + 21 at HashTraits.h:168
    frame #11: 0x0000000116cae745 WebCore`WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*>::~KeyValuePair(this=0x0000000125183d70) + 21 at HashTraits.h:168
    frame #12: 0x0000000116cae6d4 WebCore`WTF::HashTable<WTF::RefPtr<WebCore::Widget>, WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*>, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*> >, WTF::PtrHash<WTF::RefPtr<WebCore::Widget> >, WTF::HashMap<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*, WTF::PtrHash<WTF::RefPtr<WebCore::Widget> >, WTF::HashTraits<WTF::RefPtr<WebCore::Widget> >, WTF::HashTraits<WebCore::FrameView*> >::KeyValuePairTraits, WTF::HashTraits<WTF::RefPtr<WebCore::Widget> > >::deallocateTable(table=0x0000000125183d00, size=8) + 84 at HashTable.h:1139
    frame #13: 0x0000000116cae4ae WebCore`WTF::HashTable<WTF::RefPtr<WebCore::Widget>, WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*>, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*> >, WTF::PtrHash<WTF::RefPtr<WebCore::Widget> >, WTF::HashMap<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*, WTF::PtrHash<WTF::RefPtr<WebCore::Widget> >, WTF::HashTraits<WTF::RefPtr<WebCore::Widget> >, WTF::HashTraits<WebCore::FrameView*> >::KeyValuePairTraits, WTF::HashTraits<WTF::RefPtr<WebCore::Widget> > >::~HashTable(this=0x00007fff5141c098) + 62 at HashTable.h:359
    frame #14: 0x0000000116cae465 WebCore`WTF::HashTable<WTF::RefPtr<WebCore::Widget>, WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*>, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*> >, WTF::PtrHash<WTF::RefPtr<WebCore::Widget> >, WTF::HashMap<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*, WTF::PtrHash<WTF::RefPtr<WebCore::Widget> >, WTF::HashTraits<WTF::RefPtr<WebCore::Widget> >, WTF::HashTraits<WebCore::FrameView*> >::KeyValuePairTraits, WTF::HashTraits<WTF::RefPtr<WebCore::Widget> > >::~HashTable(this=0x00007fff5141c098) + 21 at HashTable.h:356
    frame #15: 0x0000000116cae445 WebCore`WTF::HashMap<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*, WTF::PtrHash<WTF::RefPtr<WebCore::Widget> >, WTF::HashTraits<WTF::RefPtr<WebCore::Widget> >, WTF::HashTraits<WebCore::FrameView*> >::~HashMap(this=0x00007fff5141c098) + 21 at HashMap.h:36
    frame #16: 0x0000000116cadb95 WebCore`WTF::HashMap<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*, WTF::PtrHash<WTF::RefPtr<WebCore::Widget> >, WTF::HashTraits<WTF::RefPtr<WebCore::Widget> >, WTF::HashTraits<WebCore::FrameView*> >::~HashMap(this=0x00007fff5141c098) + 21 at HashMap.h:36
    frame #17: 0x0000000116cab8d3 WebCore`WebCore::WidgetHierarchyUpdatesSuspensionScope::moveWidgets(this=0x00007fff5141c190) + 403 at RenderWidget.cpp:69
    frame #18: 0x0000000115179a5c WebCore`WebCore::WidgetHierarchyUpdatesSuspensionScope::~WidgetHierarchyUpdatesSuspensionScope(this=0x00007fff5141c190) + 108 at RenderWidget.h:43
    frame #19: 0x00000001151782d5 WebCore`WebCore::WidgetHierarchyUpdatesSuspensionScope::~WidgetHierarchyUpdatesSuspensionScope(this=0x00007fff5141c190) + 21 at RenderWidget.h:40
    frame #20: 0x0000000117029ebb WebCore`WebCore::Style::detachRenderTree(current=0x0000000125f5f280, detachType=NormalDetach) + 315 at StyleTreeResolver.cpp:615
    frame #21: 0x000000011702afc7 WebCore`WebCore::Style::detachRenderTree(element=0x0000000125f5f280) + 23 at StyleTreeResolver.cpp:939
    frame #22: 0x0000000115ab05d7 WebCore`WebCore::HTMLPlugInImageElement::prepareForDocumentSuspension(this=0x0000000125f5f280) + 55 at HTMLPlugInImageElement.cpp:318
    frame #23: 0x00000001154aa6ee WebCore`WebCore::Document::suspend(this=0x0000000125ec2bc0, reason=PageCache) + 222 at Document.cpp:4625
    frame #24: 0x00000001150475c4 WebCore`WebCore::CachedFrame::CachedFrame(this=0x00000001259e6f78, frame=0x000000012516e000) + 964 at CachedFrame.cpp:163

Note that we now put pages with plug-ins into the page cache (which probably triggered this bug).

Comment 10 Simon Fraser (smfr) 2016-02-16 18:06:38 PST

rdar://problem/24679436

Comment 11 Simon Fraser (smfr) 2016-02-16 18:16:22 PST

Actually this is bad teardown stack:

* thread #1: tid = 0xd6f547, 0x0000000109056155 WebKit`WebKit::PDFPlugin::destroy(this=0x000000012054eb10) + 197 at DeprecatedPDFPlugin.mm:1113, queue = 'com.apple.main-thread', stop reason = breakpoint 18.1
  * frame #0: 0x0000000109056155 WebKit`WebKit::PDFPlugin::destroy(this=0x000000012054eb10) + 197 at DeprecatedPDFPlugin.mm:1113
    frame #1: 0x00000001092c7b6a WebKit`WebKit::Plugin::destroyPlugin(this=0x000000012054eb10) + 26 at Plugin.cpp:101
    frame #2: 0x0000000109346f59 WebKit`WebKit::PluginView::destroyPluginAndReset(this=0x000000011fe90740) + 265 at PluginView.cpp:357
    frame #3: 0x0000000109346ce2 WebKit`WebKit::PluginView::~PluginView(this=0x000000011fe90740) + 322 at PluginView.cpp:342
    frame #4: 0x0000000109347015 WebKit`WebKit::PluginView::~PluginView(this=0x000000011fe90740) + 21 at PluginView.cpp:331
    frame #5: 0x00000001093470f9 WebKit`WebKit::PluginView::~PluginView(this=0x000000011fe90740) + 25 at PluginView.cpp:331
    frame #6: 0x000000010f5594b3 WebCore`WTF::RefCounted<WebCore::Widget>::deref(this=0x000000011fe90748) + 83 at RefCounted.h:146
    frame #7: 0x000000010fdc13ea WebCore`void WTF::derefIfNotNull<WebCore::Widget>(ptr=0x000000011fe90740) + 58 at PassRefPtr.h:42
    frame #8: 0x000000010fdc13a9 WebCore`WTF::RefPtr<WebCore::Widget>::~RefPtr(this=0x00007fff56d2bee0) + 41 at RefPtr.h:59
    frame #9: 0x000000010fdbeb75 WebCore`WTF::RefPtr<WebCore::Widget>::~RefPtr(this=0x00007fff56d2bee0) + 21 at RefPtr.h:59
    frame #10: 0x00000001101ae9ac WebCore`WebCore::HTMLPlugInElement::defaultEventHandler(this=0x000000012075c280, event=0x00000001201a17f8) + 412 at HTMLPlugInElement.cpp:235
    frame #11: 0x00000001101b61a8 WebCore`WebCore::HTMLPlugInImageElement::defaultEventHandler(this=0x000000012075c280, event=0x00000001201a17f8) + 296 at HTMLPlugInImageElement.cpp:756
    frame #12: 0x000000010fd9ed96 WebCore`WebCore::callDefaultEventHandlersInTheBubblingOrder(event=0x00000001201a17f8, path=0x00007fff56d2c020) + 102 at EventDispatcher.cpp:134
    frame #13: 0x000000010fd9e4e1 WebCore`WebCore::EventDispatcher::dispatchEvent(origin=0x000000012075c280, event=0x00000001201a17f8) + 881 at EventDispatcher.cpp:239
    frame #14: 0x0000000110f1003d WebCore`WebCore::Node::dispatchEvent(this=0x000000012075c280, event=0x00000001201a17f8) + 29 at Node.cpp:2108
    frame #15: 0x000000010fdb090f WebCore`WebCore::EventHandler::keyEvent(this=0x000000011f76c000, initialKeyEvent=0x00007fff56d2c4a8) + 1519 at EventHandler.cpp:3054
    frame #16: 0x0000000111a37682 WebCore`WebCore::UserInputBridge::handleKeyEvent(this=0x00007fda18e106a0, keyEvent=0x00007fff56d2c4a8, inputSource=User) + 466 at UserInputBridge.cpp:170

and this happens when we navigate inside handling a key event:

* thread #1: tid = 0xd7189e, 0x000000011602ac4f WebCore`WebCore::FrameLoader::commitProvisionalLoad(this=0x000000012596e0a0) + 47 at FrameLoader.cpp:1726, queue = 'com.apple.main-thread', stop reason = breakpoint 17.1
  * frame #0: 0x000000011602ac4f WebCore`WebCore::FrameLoader::commitProvisionalLoad(this=0x000000012596e0a0) + 47 at FrameLoader.cpp:1726
    frame #1: 0x000000011602fbf2 WebCore`WebCore::FrameLoader::loadProvisionalItemFromCachedPage(this=0x000000012596e0a0) + 290 at FrameLoader.cpp:3211
    frame #2: 0x0000000116029828 WebCore`WebCore::FrameLoader::continueLoadAfterNavigationPolicy(this=0x000000012596e0a0, request=0x00007fff50c47b70, formState=PassRefPtr<WebCore::FormState> @ 0x00007fff50c47690, shouldContinue=true, allowNavigationToInvalidURL=Yes) + 1080 at FrameLoader.cpp:3058
    frame #3: 0x0000000116037e9e WebCore`WebCore::FrameLoader::loadWithDocumentLoader(this=0x00007fff50c47dc8, request=0x00007fff50c47b70, formState=<unavailable>, shouldContinue=true)::$_4::operator()(WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool) const + 94 at FrameLoader.cpp:1446
    frame #4: 0x0000000116037e20 WebCore`void std::__1::__invoke_void_return_wrapper<void>::__call<WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>, WebCore::AllowNavigationToInvalidURL)::$_4&, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool>(WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>, WebCore::AllowNavigationToInvalidURL)::$_4&&&, WebCore::ResourceRequest const&&&, WTF::PassRefPtr<WebCore::FormState>&&, bool&&) [inlined] decltype(__f=0x00007fff50c47dc8, __args=0x00007fff50c47b70, __args=0x00007fff50c47850, __args=0x00007fff50c477e7)::$_4&>(fp)(std::__1::forward<WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool>(fp0))) std::__1::__invoke<WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>, WebCore::AllowNavigationToInvalidURL)::$_4&, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool>(WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>, WebCore::AllowNavigationToInvalidURL)::$_4&&&, WebCore::ResourceRequest const&&&, WTF::PassRefPtr<WebCore::FormState>&&, bool&&) + 107 at __functional_base:415
    frame #5: 0x0000000116037db5 WebCore`void std::__1::__invoke_void_return_wrapper<void>::__call<WebCore::FrameLoader::loadWithDocumentLoader(__args=0x00007fff50c47dc8, __args=0x00007fff50c47b70, __args=0x00007fff50c47850, __args=0x00007fff50c477e7)::$_4&, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool>(WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>, WebCore::AllowNavigationToInvalidURL)::$_4&&&, WebCore::ResourceRequest const&&&, WTF::PassRefPtr<WebCore::FormState>&&, bool&&) + 101 at __functional_base:440
    frame #6: 0x0000000116037d1c WebCore`std::__1::__function::__func<WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>, WebCore::AllowNavigationToInvalidURL)::$_4, std::__1::allocator<WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>, WebCore::AllowNavigationToInvalidURL)::$_4>, void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>::operator(this=0x00007fff50c47dc0, __arg=0x00007fff50c47b70, __arg=0x00007fff50c47850, __arg=0x00007fff50c477e7)(WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>&&, bool&&) + 92 at functional:1407
    frame #7: 0x00000001170be187 WebCore`std::__1::function<void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>::operator(this=0x00007fff50c47dc0, __arg=0x00007fff50c47b70, __arg=<unavailable>, __arg=true)(WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool) const + 87 at functional:1793
    frame #8: 0x00000001170bd779 WebCore`WebCore::PolicyCallback::call(this=0x00007fff50c47b70, shouldContinue=true) + 137 at PolicyCallback.cpp:95
    frame #9: 0x00000001170bede5 WebCore`WebCore::PolicyChecker::continueAfterNavigationPolicy(this=0x000000012596d000, policy=PolicyUse) + 677 at PolicyChecker.cpp:204
    frame #10: 0x00000001170c23de WebCore`WebCore::PolicyChecker::checkNavigationPolicy(this=0x00007fff50c47f98, action=PolicyUse)>)::$_1::operator()(WebCore::PolicyAction) const + 30 at PolicyChecker.cpp:121
    frame #11: 0x00000001170c23af WebCore`void std::__1::__invoke_void_return_wrapper<void>::__call<WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest const&, WebCore::DocumentLoader*, WTF::PassRefPtr<WebCore::FormState>, std::__1::function<void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>)::$_1&, WebCore::PolicyAction>(WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest const&, WebCore::DocumentLoader*, WTF::PassRefPtr<WebCore::FormState>, std::__1::function<void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>)::$_1&&&, WebCore::PolicyAction&&) [inlined] decltype(__f=0x00007fff50c47f98, __args=0x00007fff50c47f2c)>)::$_1&>(fp)(std::__1::forward<WebCore::PolicyAction>(fp0))) std::__1::__invoke<WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest const&, WebCore::DocumentLoader*, WTF::PassRefPtr<WebCore::FormState>, std::__1::function<void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>)::$_1&, WebCore::PolicyAction>(WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest const&, WebCore::DocumentLoader*, WTF::PassRefPtr<WebCore::FormState>, std::__1::function<void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>)::$_1&&&, WebCore::PolicyAction&&) + 79 at __functional_base:415
    frame #12: 0x00000001170c2390 WebCore`void std::__1::__invoke_void_return_wrapper<void>::__call<WebCore::PolicyChecker::checkNavigationPolicy(__args=0x00007fff50c47f98, __args=0x00007fff50c47f2c)>)::$_1&, WebCore::PolicyAction>(WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest const&, WebCore::DocumentLoader*, WTF::PassRefPtr<WebCore::FormState>, std::__1::function<void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>)::$_1&&&, WebCore::PolicyAction&&) + 48 at __functional_base:440
    frame #13: 0x00000001170c232c WebCore`std::__1::__function::__func<WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest const&, WebCore::DocumentLoader*, WTF::PassRefPtr<WebCore::FormState>, std::__1::function<void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>)::$_1, std::__1::allocator<WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest const&, WebCore::DocumentLoader*, WTF::PassRefPtr<WebCore::FormState>, std::__1::function<void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>)::$_1>, void (WebCore::PolicyAction)>::operator(this=0x00007fff50c47f90, __arg=0x00007fff50c47f2c)(WebCore::PolicyAction&&) + 60 at functional:1407
    frame #14: 0x000000010f6bfc8c WebKit`std::__1::function<void (WebCore::PolicyAction)>::operator(this=0x00007fff50c47f90, __arg=PolicyUse)(WebCore::PolicyAction) const + 44 at functional:1793
    frame #15: 0x000000010f6bb35c WebKit`WebKit::WebFrame::didReceivePolicyDecision(this=0x00007f969b7035d0, listenerID=10, action=PolicyUse, navigationID=6, downloadID=(m_downloadID = 0)) + 332 at WebFrame.cpp:246
    frame #16: 0x000000010f6c6b14 WebKit`WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction(this=0x00007f969d103f80, navigationAction=0x00007fff50c48540, request=0x000000012623a750, prpFormState=PassRefPtr<WebCore::FormState> @ 0x00007fff50c483d8, function=WebCore::FramePolicyFunction @ 0x00007fff50c48680)>) + 2196 at WebFrameLoaderClient.cpp:829
    frame #17: 0x00000001170bea8b WebCore`WebCore::PolicyChecker::checkNavigationPolicy(this=0x000000012596d000, request=0x000000012623a750, loader=0x000000012623a280, formState=PassRefPtr<WebCore::FormState> @ 0x00007fff50c48850, function=WebCore::NavigationPolicyDecisionFunction @ 0x00007fff50c48c30)>) + 1531 at PolicyChecker.cpp:120
    frame #18: 0x0000000116028f07 WebCore`WebCore::FrameLoader::loadWithDocumentLoader(this=0x000000012596e0a0, loader=0x000000012623a280, type=Back, prpFormState=PassRefPtr<WebCore::FormState> @ 0x00007fff50c49508, allowNavigationToInvalidURL=Yes) + 1735 at FrameLoader.cpp:1445
    frame #19: 0x0000000116025445 WebCore`WebCore::FrameLoader::loadDifferentDocumentItem(this=0x000000012596e0a0, item=0x00000001259bf0c8, loadType=Back, cacheLoadPolicy=MayAttemptCacheOnlyLoadForFormSubmissionItem) + 373 at FrameLoader.cpp:3279
    frame #20: 0x0000000116030945 WebCore`WebCore::FrameLoader::loadItem(this=0x000000012596e0a0, item=0x00000001259bf0c8, loadType=Back) + 165 at FrameLoader.cpp:3368
    frame #21: 0x000000011614f030 WebCore`WebCore::HistoryController::recursiveGoToItem(this=0x00000001259f23f0, item=0x00000001259bf0c8, fromItem=0x00000001297c33e8, type=Back) + 96 at HistoryController.cpp:747
    frame #22: 0x000000011614edf1 WebCore`WebCore::HistoryController::goToItem(this=0x00000001259f23f0, targetItem=0x00000001259bf0c8, type=Back) + 401 at HistoryController.cpp:320
    frame #23: 0x000000011701fa76 WebCore`WebCore::Page::goToItem(this=0x0000000125801c00, item=0x00000001259bf0c8, type=Back) + 198 at Page.cpp:436
    frame #24: 0x00000001157b93c9 WebCore`WebCore::BackForwardController::goBack(this=0x00000001259f7050) + 73 at BackForwardController.cpp:86
    frame #25: 0x000000010f806b07 WebKit`WebKit::WebPage::performNonEditingBehaviorForSelector(this=0x00007f969e007e10, selector=0x0000000126182540, event=0x00000001259a02a8) + 1287 at WebPageMac.mm:554
    frame #26: 0x000000010f806100 WebKit`WebKit::WebPage::executeKeypressCommandsInternal(this=0x00007f969e007e10, commands=0x00000001259a0320, event=0x00000001259a02a8) + 912 at WebPageMac.mm:250
    frame #27: 0x000000010f806fed WebKit`WebKit::WebPage::handleEditingKeyboardEvent(this=0x00007f969e007e10, event=0x00000001259a02a8) + 797 at WebPageMac.mm:293
    frame #28: 0x000000010f6b3191 WebKit`WebKit::WebEditorClient::handleKeyboardEvent(this=0x00007f969d102ba0, event=0x00000001259a02a8) + 33 at WebEditorClientMac.mm:66
    frame #29: 0x0000000115e12e72 WebCore`WebCore::Editor::handleKeyboardEvent(this=0x0000000125975c00, event=0x00000001259a02a8) + 66 at Editor.cpp:189
    frame #30: 0x0000000115e803a1 WebCore`WebCore::EventHandler::defaultKeyboardEventHandler(this=0x000000012596c000, event=0x00000001259a02a8) + 97 at EventHandler.cpp:3221
    frame #31: 0x0000000116fdf541 WebCore`WebCore::Node::defaultEventHandler(this=0x000000012595a780, event=0x00000001259a02a8) + 241 at Node.cpp:2175
    frame #32: 0x000000011627d99c WebCore`WebCore::HTMLPlugInElement::defaultEventHandler(this=0x000000012595a780, event=0x00000001259a02a8) + 396 at HTMLPlugInElement.cpp:234
    frame #33: 0x00000001162851a8 WebCore`WebCore::HTMLPlugInImageElement::defaultEventHandler(this=0x000000012595a780, event=0x00000001259a02a8) + 296 at HTMLPlugInImageElement.cpp:756
    frame #34: 0x0000000115e6dd96 WebCore`WebCore::callDefaultEventHandlersInTheBubblingOrder(event=0x00000001259a02a8, path=0x00007fff50c4a020) + 102 at EventDispatcher.cpp:134
    frame #35: 0x0000000115e6d4e1 WebCore`WebCore::EventDispatcher::dispatchEvent(origin=0x000000012595a780, event=0x00000001259a02a8) + 881 at EventDispatcher.cpp:239
    frame #36: 0x0000000116fdf03d WebCore`WebCore::Node::dispatchEvent(this=0x000000012595a780, event=0x00000001259a02a8) + 29 at Node.cpp:2108
    frame #37: 0x0000000115e7f90f WebCore`WebCore::EventHandler::keyEvent(this=0x000000012596c000, initialKeyEvent=0x00007fff50c4a4a8) + 1519 at EventHandler.cpp:3054
    frame #38: 0x0000000117b06682 WebCore`WebCore::UserInputBridge::handleKeyEvent(this=0x00007f969d1017f0, keyEvent=0x00007fff50c4a4a8, inputSource=User) + 466 at UserInputBridge.cpp:170
    frame #39: 0x000000010f7b648d WebKit`WebKit::handleKeyEvent(keyboardEvent=0x00007fff50c4a708, page=0x0000000125801c00) + 221 at WebPage.cpp:2138
    frame #40: 0x000000010f7b6342 WebKit`WebKit::WebPage::keyEvent(this=0x00007f969e007e10, keyboardEvent=0x00007fff50c4a708) + 162 at WebPage.cpp:2150

Comment 12 Simon Fraser (smfr) 2016-02-16 18:29:05 PST

Fragile fix:
diff --git a/Source/WebCore/html/HTMLPlugInElement.cpp b/Source/WebCore/html/HTMLPlugInElement.cpp
index 57a532e98da402bc737b54e8f6494fc791e23133..f22d93b4464406f83b9425278b21256c662d8be4 100644
--- a/Source/WebCore/html/HTMLPlugInElement.cpp
+++ b/Source/WebCore/html/HTMLPlugInElement.cpp
@@ -225,12 +225,14 @@ void HTMLPlugInElement::defaultEventHandler(Event* event)
             return;
     }
 
-    RefPtr<Widget> widget = downcast<RenderWidget>(*renderer).widget();
-    if (!widget)
-        return;
-    widget->handleEvent(event);
-    if (event->defaultHandled())
-        return;
+    {
+        RefPtr<Widget> widget = downcast<RenderWidget>(*renderer).widget();
+        if (!widget)
+            return;
+        widget->handleEvent(event);
+        if (event->defaultHandled())
+            return;
+    }
     HTMLFrameOwnerElement::defaultEventHandler(event);
 }

Comment 13 Simon Fraser (smfr) 2016-02-17 12:14:39 PST

Created attachment 271575 [details]
Patch

Comment 14 Simon Fraser (smfr) 2016-02-17 12:15:28 PST

To reproduce this bug:
1. Load a page with a link to a long (scrollable) pdf
2. Click the link
3. Use Command-Left Arrow to go back.

Crashes under GuardMalloc.

Comment 15 Brent Fulgham 2016-02-17 12:23:51 PST

Comment on attachment 271575 [details]
Patch

r=me. Thank you for figuring out the *true* fix to this problem!

Comment 16 Simon Fraser (smfr) 2016-02-17 13:27:23 PST

https://trac.webkit.org/r196717