Bug 15596

Summary: REGRESSION: Intermittent crashes in WebCore::RenderLayer::calculateClipRects()
Product: WebKit
Reporter: mitz
Component: Layout and Rendering
Assignee: Dave Hyatt <hyatt>
Status: RESOLVED FIXED
Severity: Major
CC: hyatt
Priority: P1
Keywords: NeedsReduction, Regression
Version: 523.x (Safari 3)
Hardware: Mac
OS: OS X 10.4
URL: http://www.haaretz.co.il
Attachments:
Restore the null checks that were used before, since these methods get called on orphaned layers. (Flags: eric: review+)

mitz
Reported 2007-10-21 12:24:30 PDT
I have had two crashes in RenderLayer on haaretz.co.il. I guess this regressed in the -webkit-transform patch.

Backtrace:
Thread 0 Crashed:
0 com.apple.WebCore 0x01d6f13d WebCore::RenderLayer::calculateClipRects(WebCore::RenderLayer const*) + 21 (RenderLayer.cpp:1741)
1 com.apple.WebCore 0x01d6f848 WebCore::RenderLayer::calculateRects(WebCore::RenderLayer const*, WebCore::IntRect const&, WebCore::IntRect&, WebCore::IntRect&, WebCore::IntRect&, WebCore::IntRect&) const + 58 (RenderLayer.cpp:1819)
2 com.apple.WebCore 0x01d706b4 WebCore::RenderLayer::childrenClipRect() const + 200 (RenderLayer.cpp:1868)
3 com.apple.WebCore 0x01ccda69 WebCore::FrameView::windowClipRectForLayer(WebCore::RenderLayer const*, bool) const + 121 (FrameView.cpp:924)
4 com.apple.WebCore 0x01ccddff WebCore::FrameView::windowClipRect(bool) const + 669 (FrameView.cpp:911)
5 com.apple.WebCore 0x01ccde64 WebCore::FrameView::windowClipRect() const + 36 (FrameView.cpp:886)
6 com.apple.WebCore 0x01ccdb00 WebCore::FrameView::windowClipRectForLayer(WebCore::RenderLayer const*, bool) const + 272 (FrameView.cpp:928)
7 com.apple.WebCore 0x01ccddff WebCore::FrameView::windowClipRect(bool) const + 669 (FrameView.cpp:911)
8 com.apple.WebCore 0x01ccde64 WebCore::FrameView::windowClipRect() const + 36 (FrameView.cpp:886)
9 com.apple.WebCore 0x01ccdb00 WebCore::FrameView::windowClipRectForLayer(WebCore::RenderLayer const*, bool) const + 272 (FrameView.cpp:928)
10 com.apple.WebCore 0x01d0e8fd -[DOMElement(WebPrivate) _windowClipRect] + 231 (DOM.mm:553)
11 com.apple.WebKit 0x002e12e9 -[WebBaseNetscapePluginView visibleRect] + 137 (WebBaseNetscapePluginView.mm:342)
12 com.apple.WebKit 0x002ea08d -[WebBaseNetscapePluginView saveAndSetNewPortStateForUpdate:] + 507 (WebBaseNetscapePluginView.mm:361)
13 com.apple.WebKit 0x002e13f4 -[WebBaseNetscapePluginView saveAndSetNewPortState] + 44 (WebBaseNetscapePluginView.mm:655)
14 com.apple.WebKit 0x002e2d6d -[WebBaseNetscapePluginView updateAndSetWindow] + 111 (WebBaseNetscapePluginView.mm:1206)
15 com.apple.WebKit 0x002e7567 -[WebBaseNetscapePluginView(Internal) _viewHasMoved] + 145 (WebBaseNetscapePluginView.mm:2686)
16 com.apple.WebKit 0x002e4cc5 -[WebBaseNetscapePluginView renewGState] + 77 (WebBaseNetscapePluginView.mm:1752)
17 com.apple.AppKit 0x95fb8a80 -[NSView _invalidateGStatesForTree] + 49
18 com.apple.CoreFoundation 0x90195516 CFArrayApplyFunction + 198
19 com.apple.AppKit 0x95fb8bf3 -[NSView _invalidateGStatesForTree] + 420
20 com.apple.CoreFoundation 0x90195516 CFArrayApplyFunction + 198
21 com.apple.AppKit 0x95fb8bf3 -[NSView _invalidateGStatesForTree] + 420
22 com.apple.CoreFoundation 0x90195516 CFArrayApplyFunction + 198
23 com.apple.AppKit 0x95fb8bf3 -[NSView _invalidateGStatesForTree] + 420
24 com.apple.CoreFoundation 0x90195516 CFArrayApplyFunction + 198
25 com.apple.AppKit 0x95fb8bf3 -[NSView _invalidateGStatesForTree] + 420
26 com.apple.CoreFoundation 0x90195516 CFArrayApplyFunction + 198
27 com.apple.AppKit 0x95fb8bf3 -[NSView _invalidateGStatesForTree] + 420
28 com.apple.CoreFoundation 0x90195516 CFArrayApplyFunction + 198
29 com.apple.AppKit 0x95fb8bf3 -[NSView _invalidateGStatesForTree] + 420
30 com.apple.CoreFoundation 0x90195516 CFArrayApplyFunction + 198
31 com.apple.AppKit 0x95fb8bf3 -[NSView _invalidateGStatesForTree] + 420
32 com.apple.CoreFoundation 0x90195516 CFArrayApplyFunction + 198
33 com.apple.AppKit 0x95fb8bf3 -[NSView _invalidateGStatesForTree] + 420
34 com.apple.AppKit 0x95fb8a05 -[NSView _invalidateFocus] + 35
35 com.apple.AppKit 0x95fbfd95 -[NSView _removeSubview:] + 79
36 com.apple.AppKit 0x95fb5ae9 -[NSView _setSuperview:] + 667
37 com.apple.AppKit 0x95fbf6a9 -[NSView removeFromSuperview] + 338
38 com.apple.WebCore 0x01e2454b WebCore::safeRemoveFromSuperview(NSView*) + 295 (WidgetMac.mm:73)
39 com.apple.WebCore 0x01e2596b WebCore::Widget::removeFromSuperview() + 225 (WidgetMac.mm:273)
40 com.apple.WebCore 0x01e386dd WebCore::ScrollView::removeChild(WebCore::Widget*) + 17 (ScrollViewMac.mm:318)
41 com.apple.WebCore 0x01ede1c4 WebCore::RenderWidget::destroy() + 134 (RenderWidget.cpp:85)
42 com.apple.WebCore 0x01e6e261 WebCore::Node::detach() + 63 (Node.cpp:843)
43 com.apple.WebCore 0x01cf11a6 WebCore::ContainerNode::detach() + 68 (ContainerNode.cpp:625)
44 com.apple.WebCore 0x01e77cbc WebCore::Element::detach() + 66 (Element.cpp:679)
45 com.apple.WebCore 0x01e77a1c WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 450 (Element.cpp:703)
46 com.apple.WebCore 0x01e77c3e WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 996 (Element.cpp:735)
47 com.apple.WebCore 0x01e77c3e WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 996 (Element.cpp:735)
48 com.apple.WebCore 0x01e77c3e WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 996 (Element.cpp:735)
49 com.apple.WebCore 0x01e77c3e WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 996 (Element.cpp:735)
50 com.apple.WebCore 0x01e77c3e WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 996 (Element.cpp:735)
51 com.apple.WebCore 0x01e77c3e WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 996 (Element.cpp:735)
52 com.apple.WebCore 0x01e77c3e WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 996 (Element.cpp:735)
53 com.apple.WebCore 0x01e77c3e WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 996 (Element.cpp:735)
54 com.apple.WebCore 0x01e77c3e WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 996 (Element.cpp:735)
55 com.apple.WebCore 0x01e77c3e WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 996 (Element.cpp:735)
56 com.apple.WebCore 0x01e77c3e WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 996 (Element.cpp:735)
57 com.apple.WebCore 0x01e77c3e WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 996 (Element.cpp:735)
58 com.apple.WebCore 0x01e77c3e WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 996 (Element.cpp:735)
59 com.apple.WebCore 0x01cdd6f1 WebCore::Document::recalcStyle(WebCore::Node::StyleChange) + 1257 (Document.cpp:1071)
60 com.apple.WebCore 0x01cd373f WebCore::Document::updateRendering() + 49 (Document.cpp:1096)
61 com.apple.WebCore 0x01cd57db WebCore::Document::updateDocumentsRendering() + 57 (Document.cpp:1103)
62 com.apple.WebCore 0x01e8ce2b WebCore::JSAbstractEventListener::handleEvent(WebCore::Event*, bool) + 1405 (kjs_events.cpp:144)
63 com.apple.WebCore 0x01cd5d49 WebCore::Document::handleWindowEvent(WebCore::Event*, bool) + 281 (Document.cpp:2427)
64 com.apple.WebCore 0x01e46f32 WebCore::EventTargetNode::dispatchWindowEvent(WebCore::AtomicString const&, bool, bool) + 332 (EventTargetNode.cpp:339)
65 com.apple.WebCore 0x01cdb49a WebCore::Document::implicitClose() + 622 (Document.cpp:1456)
66 com.apple.WebCore 0x02090752 WebCore::FrameLoader::checkCallImplicitClose() + 400 (FrameLoader.cpp:1307)
67 com.apple.WebCore 0x0209a0ac WebCore::FrameLoader::checkCompleted() + 268 (FrameLoader.cpp:1253)
68 com.apple.WebCore 0x02099f88 WebCore::FrameLoader::completed() + 148 (FrameLoader.cpp:1877)
69 com.apple.WebCore 0x0209a101 WebCore::FrameLoader::checkCompleted() + 353 (FrameLoader.cpp:1257)
70 com.apple.WebCore 0x0209b1e2 WebCore::FrameLoader::finishedParsing() + 90 (FrameLoader.cpp:1201)
71 com.apple.WebCore 0x01cd822c WebCore::Document::finishedParsing() + 204 (Document.cpp:3500)
72 com.apple.WebCore 0x01ba377f WebCore::HTMLParser::finished() + 217 (HTMLParser.cpp:1436)
73 com.apple.WebCore 0x01ba8a9e WebCore::HTMLTokenizer::end() + 286 (HTMLTokenizer.cpp:1555)
74 com.apple.WebCore 0x01ba8e73 WebCore::HTMLTokenizer::finish() + 941 (HTMLTokenizer.cpp:1596)
75 com.apple.WebCore 0x01cd3a54 WebCore::Document::finishParsing() + 40 (Document.cpp:1604)
76 com.apple.WebCore 0x0209ccba WebCore::FrameLoader::endIfNotLoadingMainResource() + 122 (FrameLoader.cpp:1028)
77 com.apple.WebCore 0x0209cd3f WebCore::FrameLoader::end() + 27 (FrameLoader.cpp:1013)
78 com.apple.WebCore 0x020a40e4 WebCore::DocumentLoader::finishedLoading() + 76 (DocumentLoader.cpp:321)
79 com.apple.WebCore 0x02094db0 WebCore::FrameLoader::finishedLoading() + 72 (FrameLoader.cpp:2764)
80 com.apple.WebCore 0x020a5a5b WebCore::MainResourceLoader::didFinishLoading() + 215 (MainResourceLoader.cpp:305)
81 com.apple.WebCore 0x020a7a3a WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle*) + 24 (ResourceLoader.cpp:362)
82 com.apple.WebCore 0x020774e8 -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] + 116 (ResourceHandleMac.mm:456)
83 com.apple.Foundation 0x93c43357 -[NSURLConnection(NSURLConnectionReallyInternal) sendDidFinishLoading] + 87
84 com.apple.Foundation 0x93c432e4 _NSURLConnectionDidFinishLoading + 68
85 com.apple.CFNetwork 0x93a4cadb sendDidFinishLoadingCallback + 148
86 com.apple.CFNetwork 0x93a499ce _CFURLConnectionSendCallbacks + 1908
87 com.apple.CFNetwork 0x93a491df muxerSourcePerform + 283
88 com.apple.CoreFoundation 0x9020564e CFRunLoopRunSpecific + 3166
89 com.apple.CoreFoundation 0x90205d38 CFRunLoopRunInMode + 88
90 com.apple.HIToolbox 0x9118a8a4 RunCurrentEventLoopInMode + 283
91 com.apple.HIToolbox 0x9118a6bd ReceiveNextEventCommon + 374
92 com.apple.HIToolbox 0x9118a531 BlockUntilNextEventMatchingListInMode + 106
93 com.apple.AppKit 0x95fd5d5b _DPSNextEvent + 657
94 com.apple.AppKit 0x95fd56a0 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
95 com.apple.Safari 0x00023de0 -[BrowserApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 171 (BrowserApplication.m:161)
96 com.apple.AppKit 0x95fce6d1 -[NSApplication run] + 795
97 com.apple.AppKit 0x95f9b9ba NSApplicationMain + 574
98 com.apple.Safari 0x000ab4ad main + 90 (main.m:21)
99 com.apple.Safari 0x00003042 start + 54
Attachments
Restore the null checks that were used before, since these methods get called on orphaned layers. (1.11 KB, patch)
2007-10-22 00:32 PDT, Dave Hyatt
eric: review+
John Moe
Comment 1 2007-10-21 23:35:15 PDT
This happens to me fairly often (three times in the last few hours, I think). http://cnn.com/ seems to do it sometimes. The immediate cause is that parent() is returning NULL in RenderLayer::calculateRects. Is it OK to have a NULL parent?
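As an added illustration (not WebKit's code and not the patch attached to this bug), a constructed C++ model of the parent walk that computes a layer's clip rect, showing why an `if (!parent())` guard at the top of the recursion makes querying an orphaned layer well-defined instead of dereferencing null. `IntRect`, `clipFromAncestors`, `grandchildClip` and the scenario geometry are assumptions of the model.

```cpp
#include <algorithm>
#include <vector>

// Constructed, simplified model of a render-layer tree; not WebKit's code.
struct IntRect {
    int x, y, w, h;
    IntRect intersect(const IntRect& o) const {
        int l = std::max(x, o.x), t = std::max(y, o.y);
        int r = std::min(x + w, o.x + o.w), b = std::min(y + h, o.y + o.h);
        return (r <= l || b <= t) ? IntRect{0, 0, 0, 0} : IntRect{l, t, r - l, b - t};
    }
    bool operator==(const IntRect& o) const { return x == o.x && y == o.y && w == o.w && h == o.h; }
};

struct RenderLayer {
    IntRect bounds;                  // this layer's box, in root coordinates
    bool clipsChildren;              // e.g. overflow:hidden
    RenderLayer* m_parent = nullptr;
    std::vector<RenderLayer*> m_children;

    RenderLayer(IntRect b, bool clips) : bounds(b), clipsChildren(clips) {}
    RenderLayer* parent() const { return m_parent; }
    void addChild(RenderLayer* c) { c->m_parent = this; m_children.push_back(c); }

    // Detaching leaves the child "orphaned": parent() is null but the object is
    // still alive and can still be queried, as the plug-in view does in the
    // backtrace while the render tree is being torn down.
    void removeChild(RenderLayer* c) {
        m_children.erase(std::find(m_children.begin(), m_children.end(), c));
        c->m_parent = nullptr;
    }

    // Clip imposed on this layer by its ancestors. Without the parent() check,
    // the parent()-> calls below dereference null for an orphaned layer; with
    // it, root and orphan both take the same well-defined path.
    IntRect clipFromAncestors() const {
        if (!parent())
            return bounds;           // a root (or an orphan) is clipped only by itself
        IntRect clip = parent()->clipFromAncestors();
        return parent()->clipsChildren ? clip.intersect(parent()->bounds) : clip;
    }
    // Clip that applies to this layer's children.
    IntRect childrenClipRect() const {
        IntRect clip = clipFromAncestors();
        return clipsChildren ? clip.intersect(bounds) : clip;
    }
};

// Scenario: root (200x200, clips) > child (overflow:hidden) > grandchild. Returns
// the grandchild's children clip while attached, or after child is orphaned.
IntRect grandchildClip(bool orphanChild) {
    RenderLayer root({0, 0, 200, 200}, true), child({100, 100, 300, 300}, true),
                grandchild({150, 150, 400, 400}, false);
    root.addChild(&child);
    child.addChild(&grandchild);
    if (orphanChild)
        root.removeChild(&child);    // child and its subtree are now orphaned
    return grandchild.childrenClipRect();
}
```

While attached the clip is the root's 200x200 box intersected with the child, (100,100,100,100); once the child is orphaned only its own bounds apply, (100,100,300,300), and the query completes rather than crashing.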
Dave Hyatt
Comment 2 2007-10-22 00:32:05 PDT
Created attachment 16785 [details] Restore the null checks that were used before, since these methods get called on orphaned layers.
Eric Seidel (no email)
Comment 3 2007-10-22 00:35:09 PDT
Comment on attachment 16785 [details] Restore the null checks that were used before, since these methods get called on orphaned layers.
Looks good. Needs a ChangeLog, and a test if possible.
Mark Rowe (bdash)
Comment 4 2007-10-22 06:15:07 PDT
This was landed in r26865.