Bug 36894

Summary: Crash with frame flattening on after r56854
Product: WebKit
Reporter: Greg Bolsinga <bolsinga>
Component: Frames
Assignee: Nobody <webkit-unassigned>
Status: CLOSED FIXED
Severity: Normal
CC: ain, beanoboy7, ddkilzer, drcarstens, hausmann, hyatt, kenneth, koivisto, mcroft, stamatgeorge, svetloslav
Priority: P2
Version: 528+ (Nightly build)
Hardware: PC
OS: OS X 10.5
Bug Depends on:
Bug Blocks: 35784

Description Greg Bolsinga 2010-03-31 11:49:31 PDT
Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x00000001011cd4c0 WebCore::Frame::ownerElement() const + 12 (Frame.cpp:1107)
1   com.apple.WebCore             	0x00000001011f6d6c WebCore::FrameView::avoidScrollbarCreation() + 36 (FrameView.cpp:334)
2   com.apple.WebCore             	0x00000001018101c4 WebCore::ScrollView::setHasHorizontalScrollbar(bool) + 38 (ScrollView.cpp:84)
3   com.apple.WebCore             	0x00000001011f9faf WebCore::FrameView::~FrameView() + 359 (FrameView.cpp:165)

m_frame is being destroyed here and is being accessed.

To reproduce apply the following patch, build WebKit debug and run Safari:

diff --git a/WebKit/mac/WebView/WebPreferences.mm b/WebKit/mac/WebView/WebPreferences.mm
index 84a6e9e..28f8f17 100644
--- a/WebKit/mac/WebView/WebPreferences.mm
+++ b/WebKit/mac/WebView/WebPreferences.mm
@@ -357,7 +357,7 @@ static WebCacheModel cacheModelForMainBundle(void)
         [NSNumber numberWithBool:NO],   WebKitWebGLEnabledPreferenceKey,
         [NSNumber numberWithBool:NO],   WebKitUsesProxiedOpenPanelPreferenceKey,
         [NSNumber numberWithUnsignedInt:4], WebKitPluginAllowedRunTimePreferenceKey,
-        [NSNumber numberWithBool:NO],   WebKitFrameFlatteningEnabledPreferenceKey,
+        [NSNumber numberWithBool:YES],   WebKitFrameFlatteningEnabledPreferenceKey,
         nil];
 
     // This value shouldn't ever change, which is assumed in the initialization of WebKitPDFDisplay
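Review bot: this hunk changes the registered default for every embedder of this WebPreferences dictionary, not just the reproducer, so it should stay a local change and not be committed along with the fix; since the value is a registered default, overriding the same key through user defaults would give the same repro without a rebuild. Minor style point if it were to land: `numberWithBool:YES],   WebKitFrameFlatteningEnabledPreferenceKey` is now one column off from the `NO` entries above it, so drop one space to keep the key column aligned.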
Comment 1 Greg Bolsinga 2010-03-31 11:52:46 PDT
See Bug 36798
Comment 2 Kenneth Rohde Christiansen 2010-03-31 12:04:55 PDT
Could you try changing

void ScrollView::setHasVerticalScrollbar(bool hasBar)
{
    if (avoidScrollbarCreation())
        return;

to

    if (hasBar && avoidScrollbarCreation())
        return;
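The suggestion above only makes sense against the destructor ordering in the stack trace: ~FrameView tears down its scrollbars with setHasHorizontalScrollbar(false), that calls avoidScrollbarCreation(), and that dereferences m_frame, which is already gone. The following is an added example, not WebKit code: a stand-in FrameView (the names Frame, FrameView, avoidScrollbarCreation, m_frame and the helper functions are assumptions modelled on the trace) that records a dead-frame access instead of crashing, so the unguarded and guarded variants of the check can be compared.

```cpp
#include <cassert>
#include <cstdio>

// Constructed model of the ownership involved in the crash (example code,
// not WebKit's). Names mirror the stack trace but the classes are stand-ins.
struct Frame {
    bool isSubframe;   // stands in for ownerElement() != null
};

class FrameView {
public:
    explicit FrameView(Frame* frame) : m_frame(frame) {}

    // Models FrameView::avoidScrollbarCreation(): a flattened subframe must
    // not create scrollbars, so it consults m_frame. Instead of crashing on a
    // dead frame, the model counts the access so a test can assert on it.
    bool avoidScrollbarCreation() {
        if (!m_frame) {
            ++m_deadFrameAccesses;
            return false;
        }
        return m_frame->isSubframe;
    }

    // Pre-fix shape of ScrollView::setHasVerticalScrollbar: the guard runs
    // even when a bar is being removed, which is exactly what ~FrameView does.
    void setHasScrollbarBuggy(bool hasBar) {
        if (avoidScrollbarCreation())
            return;
        m_hasBar = hasBar;
    }

    // Fixed shape (the change suggested in the comment above): only consult
    // the frame when a bar would actually be created.
    void setHasScrollbarFixed(bool hasBar) {
        if (hasBar && avoidScrollbarCreation())
            return;
        m_hasBar = hasBar;
    }

    // Mirrors the destructor sequence in the trace: by the time the scrollbar
    // is removed, m_frame is no longer usable. Returns dead-frame accesses.
    int teardown(bool useFix) {
        m_frame = nullptr;
        if (useFix)
            setHasScrollbarFixed(false);
        else
            setHasScrollbarBuggy(false);
        return m_deadFrameAccesses;
    }

    bool hasBar() const { return m_hasBar; }

private:
    Frame* m_frame;
    bool m_hasBar = false;
    int m_deadFrameAccesses = 0;
};

// Number of dead-frame dereferences during teardown of a flattened subframe.
int deadAccessesDuringTeardown(bool useFix) {
    Frame sub{true};            // constructed input: a subframe being flattened
    FrameView view(&sub);
    return view.teardown(useFix);
}

// The fix must still block scrollbar creation for a flattened subframe...
bool fixStillBlocksCreation() {
    Frame sub{true};
    FrameView view(&sub);
    view.setHasScrollbarFixed(true);
    return !view.hasBar();
}

// ...and must still allow it for a frame that is not a flattened subframe.
bool fixAllowsCreationForMainFrame() {
    Frame main{false};
    FrameView view(&main);
    view.setHasScrollbarFixed(true);
    return view.hasBar();
}

int main() {
    std::printf("unguarded teardown: %d dead-frame access(es)\n", deadAccessesDuringTeardown(false));
    std::printf("guarded teardown:   %d dead-frame access(es)\n", deadAccessesDuringTeardown(true));
    std::printf("fix blocks subframe bars: %s\n", fixStillBlocksCreation() ? "yes" : "no");
    std::printf("fix allows main-frame bars: %s\n", fixAllowsCreationForMainFrame() ? "yes" : "no");
    return 0;
}
```

The point of the `hasBar &&` guard is ordering, not logic: removal of a scrollbar needs no information from the frame, so it must not touch m_frame at all, and that is what lets the destructor run after the frame is gone.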
Comment 3 Greg Bolsinga 2010-03-31 12:08:46 PDT
I did that for both tests, and that prevents the crash.
Comment 4 Kenneth Rohde Christiansen 2010-03-31 12:17:53 PDT
Fix landed in r56856
Comment 5 Simon Hausmann 2010-04-06 02:53:41 PDT
Revision r56856 cherry-picked into qtwebkit-2.0 with commit 59daec93fc7ad1f4c5dbeb88b67aca17d6f4cc3b
Comment 6 Alexey Proskuryakov 2010-04-06 11:41:42 PDT
*** Bug 36928 has been marked as a duplicate of this bug. ***
Comment 7 Alexey Proskuryakov 2010-04-06 11:42:49 PDT
*** Bug 36915 has been marked as a duplicate of this bug. ***
Comment 8 Alexey Proskuryakov 2010-04-06 11:42:52 PDT
*** Bug 36914 has been marked as a duplicate of this bug. ***
Comment 9 Alexey Proskuryakov 2010-04-06 11:42:56 PDT
*** Bug 36913 has been marked as a duplicate of this bug. ***
Comment 10 Alexey Proskuryakov 2010-04-06 11:42:59 PDT
*** Bug 36969 has been marked as a duplicate of this bug. ***
Comment 11 Alexey Proskuryakov 2010-04-06 11:43:08 PDT
*** Bug 36927 has been marked as a duplicate of this bug. ***
Comment 12 Alexey Proskuryakov 2010-04-06 11:43:18 PDT
*** Bug 36922 has been marked as a duplicate of this bug. ***
Comment 13 Alexey Proskuryakov 2010-04-06 11:43:30 PDT
*** Bug 36920 has been marked as a duplicate of this bug. ***