Bug 174106

Summary: Null RenderLayer* deref in FrameView::adjustTiledBackingCoverage()
Product: WebKit
Reporter: Andreas Kling <kling>
Component: Layout and Rendering
Assignee: Andreas Kling <kling>
Status: RESOLVED FIXED
Severity: Normal
CC: bfulgham, commit-queue, kling, koivisto, simon.fraser, thorton, zalan
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments: Patch (flags: none)

Andreas Kling
Reported 2017-07-03 15:40:47 PDT
<rdar://problem/33085838>

Here's a crash:

0 WebCore 0x000000018d5c9ac0 WebCore::FrameView::adjustTiledBackingCoverage() + 56 (/BuildRoot/Applications/Xcode.app/Contents/Developer/Toolchains/iOS11.0.xctoolchain/usr/include/c++/v1/memory:2582)
1 WebCore 0x000000018d5c9ab8 WebCore::FrameView::adjustTiledBackingCoverage() + 48 (/BuildRoot/Library/Caches/com.apple.xbs/Sources/WebCore/WebCore-7604.1.28.1/page/FrameView.cpp:5248)
2 WebCore 0x000000018e23f6fc WebCore::Page::setIsVisibleInternal(bool) + 132 (/BuildRoot/Library/Caches/com.apple.xbs/Sources/WebCore/WebCore-7604.1.28.1/page/Page.cpp:1683)
3 WebCore 0x000000018e23e5e0 WebCore::Page::setActivityState(unsigned int) + 72 (/BuildRoot/Library/Caches/com.apple.xbs/Sources/WebCore/WebCore-7604.1.28.1/page/Page.cpp:1610)
4 CoreFoundation 0x00000001851e4130 __CFNOTIFICATIONCENTER_IS_CALLING_OUT_TO_AN_OBSERVER__ + 20

Pretty weird that we're called from the event loop with a layer-less RenderView. I am unable to reproduce this locally, but it looks like we just need to null check the RenderView::layer().
Attachments
Patch (1.62 KB, patch), 2017-07-03 15:42 PDT, Andreas Kling, no flags
Andreas Kling
Comment 1 2017-07-03 15:42:02 PDT
zalan
Comment 2 2017-07-03 16:21:02 PDT
Comment on attachment 314528 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=314528&action=review

> Source/WebCore/ChangeLog:12
> +    I haven't been able to reproduce this crash locally, but I have seen
> +    video of someone who can, so here's a null check for the RenderView::layer()
> +    which could be null if we're called between RenderView construction
> +    and the first callback to RenderLayerModelObject::styleDidChange().

or if we somehow managed to call destroyLayer() on the RenderView (and now we are bringing the FrameView to foreground)
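As an added example (not code from the bug report, the patch, or WebKit itself), the following stand-alone C++ model sketches the two windows named above: between RenderView construction and the first styleDidChange() callback, and after destroyLayer() when the FrameView is brought back to the foreground. RenderView, RenderLayer, RenderLayerBacking and FrameView here are hypothetical stand-ins that reuse WebKit's names but contain only enough to show where the null check belongs; the unguarded function mirrors the crashing frame and the guarded one the shape of the fix.

```cpp
// Added example (not WebKit code): minimal model of the layer-less RenderView
// window. All types below are hypothetical stand-ins, not WebKit's classes.
#include <cstdio>
#include <memory>

namespace model {

// Stand-in for the compositing backing that owns the tiled layer.
struct RenderLayerBacking {
    int coverageAdjustments = 0;
    void adjustTiledBackingCoverage() { ++coverageAdjustments; }
};

// Stand-in for RenderLayer. A layer is composited (has a backing) or not.
struct RenderLayer {
    std::unique_ptr<RenderLayerBacking> backing;
    explicit RenderLayer(bool composited) {
        if (composited)
            backing = std::make_unique<RenderLayerBacking>();
    }
};

// Stand-in for RenderView. The layer is created by styleDidChange() and torn
// down by destroyLayer(), so layer() is null before the first style callback
// and again after the layer has been destroyed.
class RenderView {
public:
    RenderLayer* layer() const { return m_layer.get(); }
    void styleDidChange(bool composited = true) {
        if (!m_layer)
            m_layer = std::make_unique<RenderLayer>(composited);
    }
    void destroyLayer() { m_layer.reset(); }
private:
    std::unique_ptr<RenderLayer> m_layer;
};

// Stand-in for FrameView.
class FrameView {
public:
    explicit FrameView(RenderView* renderView) : m_renderView(renderView) {}

    // Unguarded form, shaped like the crashing frame in the report: layer() is
    // dereferenced before anything checks it. Only safe while a layer exists.
    bool adjustTiledBackingCoverageUnguarded() {
        RenderLayerBacking* backing = m_renderView->layer()->backing.get(); // null deref if no layer
        if (!backing)
            return false;
        backing->adjustTiledBackingCoverage();
        return true;
    }

    // Guarded form: every pointer on the path is checked, so a call from the
    // event loop with a layer-less RenderView becomes a no-op, not a crash.
    // Returns true only when coverage was actually adjusted.
    bool adjustTiledBackingCoverage() {
        RenderLayer* layer = m_renderView ? m_renderView->layer() : nullptr;
        if (!layer || !layer->backing)
            return false;
        layer->backing->adjustTiledBackingCoverage();
        return true;
    }

private:
    RenderView* m_renderView;
};

// Outcome of one simulated visibility-change sequence.
struct Trace {
    bool skippedBeforeFirstStyle; // window 1: constructed, no styleDidChange() yet
    bool adjustedWhileLive;       // steady state: layer and backing exist
    bool unguardedAgreesWhileLive; // the unguarded path is fine in steady state
    bool skippedAfterDestroy;     // window 2: after destroyLayer()
};

// Drive the guarded function through both windows and the live state between.
Trace simulateVisibilityChanges() {
    RenderView view;
    FrameView frameView(&view);
    Trace trace{};
    trace.skippedBeforeFirstStyle = !frameView.adjustTiledBackingCoverage();
    view.styleDidChange();
    trace.adjustedWhileLive = frameView.adjustTiledBackingCoverage();
    trace.unguardedAgreesWhileLive = frameView.adjustTiledBackingCoverageUnguarded();
    view.destroyLayer();
    trace.skippedAfterDestroy = !frameView.adjustTiledBackingCoverage();
    return trace;
}

// A layer that exists but is not composited must also be skipped safely.
bool adjustsWithNonCompositedLayer() {
    RenderView view;
    FrameView frameView(&view);
    view.styleDidChange(/* composited */ false);
    return frameView.adjustTiledBackingCoverage();
}

} // namespace model

int main() {
    model::Trace t = model::simulateVisibilityChanges();
    std::printf("before first style: %s\nlive: %s\nafter destroyLayer: %s\n",
                t.skippedBeforeFirstStyle ? "skipped" : "adjusted",
                t.adjustedWhileLive ? "adjusted" : "skipped",
                t.skippedAfterDestroy ? "skipped" : "adjusted");
    return 0;
}
```

The point of checking both layer() and its backing, rather than only the pointer that crashed here, is that the same call path reaches several lazily created objects; a guard on one of them leaves the next dereference exposed if construction order ever changes again.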
WebKit Commit Bot
Comment 3 2017-07-03 16:44:14 PDT
The commit-queue encountered the following flaky tests while processing attachment 314528 [details]:

editing/spelling/spellcheck-async.html bug 160571 (authors: g.czajkowski@samsung.com and mark.lam@apple.com)

The commit-queue is continuing to process your patch.
WebKit Commit Bot
Comment 4 2017-07-03 16:44:42 PDT
Comment on attachment 314528 [details]
Patch

Clearing flags on attachment: 314528

Committed r219108: <http://trac.webkit.org/changeset/219108>
WebKit Commit Bot
Comment 5 2017-07-03 16:44:43 PDT
All reviewed patches have been landed. Closing bug.