Bug 193937
| Summary: | compositing/iframes/remove-reinsert-webview-with-iframe.html crashes under ScrollingTree::updateTreeFromStateNode() | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Simon Fraser (smfr) <simon.fraser> |
| Component: | WebCore Misc. | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED DUPLICATE | ||
| Severity: | Normal | CC: | fred.wang, koivisto, simon.fraser, webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
Simon Fraser (smfr)
3 0x56001dae2 WTF::RefCountedBase::ref() const
4 0x562f4d7f5 void WTF::refIfNotNull<WebCore::ScrollingTreeNode>(WebCore::ScrollingTreeNode*)
5 0x562f4d7b4 WTF::RefPtr<WebCore::ScrollingTreeNode, WTF::DumbPtrTraits<WebCore::ScrollingTreeNode> >::RefPtr(WebCore::ScrollingTreeNode*)
6 0x562f4d74d WTF::RefPtr<WebCore::ScrollingTreeNode, WTF::DumbPtrTraits<WebCore::ScrollingTreeNode> >::RefPtr(WebCore::ScrollingTreeNode*)
7 0x562f40ef3 WTF::RefPtr<WebCore::ScrollingTreeNode, WTF::DumbPtrTraits<WebCore::ScrollingTreeNode> >::operator=(WebCore::ScrollingTreeNode*)
8 0x562f407a8 WebCore::ScrollingTree::updateTreeFromStateNode(WebCore::ScrollingStateNode const*, WTF::HashMap<unsigned long long, WTF::RefPtr<WebCore::ScrollingTreeNode, WTF::DumbPtrTraits<WebCore::ScrollingTreeNode> >, WTF::IntHash<unsigned long long>, WTF::HashTraits<unsigned long long>, WTF::HashTraits<WTF::RefPtr<WebCore::ScrollingTreeNode, WTF::DumbPtrTraits<WebCore::ScrollingTreeNode> > > >&)
9 0x562f40c83 WebCore::ScrollingTree::updateTreeFromStateNode(WebCore::ScrollingStateNode const*, WTF::HashMap<unsigned long long, WTF::RefPtr<WebCore::ScrollingTreeNode, WTF::DumbPtrTraits<WebCore::ScrollingTreeNode> >, WTF::IntHash<unsigned long long>, WTF::HashTraits<unsigned long long>, WTF::HashTraits<WTF::RefPtr<WebCore::ScrollingTreeNode, WTF::DumbPtrTraits<WebCore::ScrollingTreeNode> > > >&)
10 0x562f40c83 WebCore::ScrollingTree::updateTreeFromStateNode(WebCore::ScrollingStateNode const*, WTF::HashMap<unsigned long long, WTF::RefPtr<WebCore::ScrollingTreeNode, WTF::DumbPtrTraits<WebCore::ScrollingTreeNode> >, WTF::IntHash<unsigned long long>, WTF::HashTraits<unsigned long long>, WTF::HashTraits<WTF::RefPtr<WebCore::ScrollingTreeNode, WTF::DumbPtrTraits<WebCore::ScrollingTreeNode> > > >&)
11 0x562f40471 WebCore::ScrollingTree::commitTreeState(std::__1::unique_ptr<WebCore::ScrollingStateTree, std::__1::default_delete<WebCore::ScrollingStateTree> >)
12 0x562f529da WebCore::ThreadedScrollingTree::commitTreeState(std::__1::unique_ptr<WebCore::ScrollingStateTree, std::__1::default_delete<WebCore::ScrollingStateTree> >)
13 0x5605cfd7b WebCore::ScrollingCoordinatorMac::commitTreeState()::$_2::operator()() const
14 0x5605cfc59 WTF::Function<void ()>::CallableWrapper<WebCore::ScrollingCoordinatorMac::commitTreeState()::$_2>::call()
15 0x56000f6ca WTF::Function<void ()>::operator()() const
16 0x562f3f70b WebCore::ScrollingThread::dispatchFunctionsFromScrollingThread()
17 0x5605c4876 WebCore::ScrollingThread::threadRunLoopSourceCallback()
18 0x5605c46b5 WebCore::ScrollingThread::threadRunLoopSourceCallback(void*)
This is about unparented subtrees. We've unparented a subframe node, so its scrolling tree node gets deleted (but not removed from the node map). We then re-parent it, try to look up the node in m_nodeMap and get a deleted pointer.
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Radar WebKit Bug Importer
<rdar://problem/47616226>
Simon Fraser (smfr)
We also need to make sure that if we unparent a subtree, then add it back, that subsequent commits get a full set of changes for the re-added nodes, so that all the state for those nodes is sent to the UI process and set in the scrolling tree.
Simon Fraser (smfr)
*** This bug has been marked as a duplicate of bug 193907 ***