Bug 55469

Summary: REGRESSION (r79863): Lots of dom/html/level2/html/HTMLFrameElement*.html tests crashing in FrameView::paintOverhangAreas in WebKit2
Product: WebKit Reporter: Adam Roben (:aroben) <aroben>
Component: Tools / TestsAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: bdakin, sam
Priority: P2 Keywords: InRadar, LayoutTestFailure, PlatformOnly, Regression
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
URL: http://build.webkit.org/results/Windows%207%20Release%20(WebKit2%20Tests)/r79994%20(3567)/CrashLog_0b08_2011-03-01_06-13-18-438.txt
Attachments:
Description Flags
Wait for force a paint in WebKitTestRunner until we're actually ready to dump the output bdakin: review+

Adam Roben (:aroben)
Reported 2011-03-01 07:46:45 PST
Lots of dom/html/level2/html/HTMLFrameElement*.html tests are crashing in FrameView::paintOverhangAreas in WebKit2 on Windows. See the URL for a crash log. You can find more crash logs here: http://build.webkit.org/results/Windows%207%20Release%20(WebKit2%20Tests)/r79994%20(3567)/ (Note that these crashes are being reported as hangs due to bug 44121.) I'm not sure when the crashes started. Buildbot says around r79865, but that doesn't really make sense to me.
Attachments
Wait for force a paint in WebKitTestRunner until we're actually ready to dump the output (2.27 KB, patch)
2011-03-02 15:10 PST, Adam Roben (:aroben) 		bdakin: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Adam Roben (:aroben)
Comment 1 2011-03-01 07:47:14 PST
<rdar://problem/9068539>
Adam Roben (:aroben)
Comment 2 2011-03-01 09:16:35 PST
Looks like Mac is crashing, too: http://build.webkit.org/results/SnowLeopard%20Intel%20Release%20(WebKit2%20Tests)/r80001%20(9140)/results.html
Adam Roben (:aroben)
Comment 3 2011-03-01 15:38:59 PST
Alexey says this started happening over the weekend.
Sam Weinig
Comment 4 2011-03-02 12:01:00 PST
It seems like r79863, is the likely cause of this, specifically the change in InjectedBundlePage.cpp (http://trac.webkit.org/changeset/79863/trunk/Tools/WebKitTestRunner/InjectedBundle/InjectedBundlePage.cpp). It seems that we are calling out to WebKit in an inconsistent state, so that when we go to paint a FrameView, it is no longer in the tree. We could add a null check for the page, but I think that would just be papering over the issue.
Adam Roben (:aroben)
Comment 5 2011-03-02 12:04:33 PST
I wonder why WebKit1 doesn't have this problem? I placed the WKBundlePageForceRepaint call in the same place we call -[WebView displayIfNeeded] in DRT on Mac. (DRT on Windows does the equivalent of this in its dump() function; we could try moving the call to the equivalent place in WTR.)
Adam Roben (:aroben)
Comment 6 2011-03-02 12:07:18 PST
My bad for not noticing I caused this!
Adam Roben (:aroben)
Comment 7 2011-03-02 12:10:29 PST
(In reply to comment #5) > I wonder why WebKit1 doesn't have this problem? I placed the WKBundlePageForceRepaint call in the same place we call -[WebView displayIfNeeded] in DRT on Mac. I guess it's possible -displayIfNeeded was bailing because no display is needed. But *something* is causing the tests always to paint in DRT.
Adam Roben (:aroben)
Comment 8 2011-03-02 13:00:32 PST
Here's a backtrace: WebKit.dll!WTF::RefPtr<WebCore::Frame>::get() Line 60 + 0x11 bytes C++ WebKit.dll!WebCore::Page::mainFrame() Line 135 + 0x19 bytes C++ WebKit.dll!WebCore::FrameView::paintOverhangAreas(WebCore::GraphicsContext * context=0x0249bb68, const WebCore::IntRect & horizontalOverhangArea={...}, const WebCore::IntRect & verticalOverhangArea={...}, const WebCore::IntRect & dirtyRect={...}) Line 2361 + 0x12 bytes C++ WebKit.dll!WebCore::ScrollView::paint(WebCore::GraphicsContext * context=0x0249bb68, const WebCore::IntRect & rect={...}) Line 943 + 0x22 bytes C++ WebKit.dll!WebCore::RenderWidget::paint(WebCore::PaintInfo & paintInfo={...}, int tx=0, int ty=0) Line 299 + 0x30 bytes C++ WebKit.dll!WebCore::RenderFrameSet::paint(WebCore::PaintInfo & paintInfo={...}, int tx=0, int ty=0) Line 142 + 0x1e bytes C++ WebKit.dll!WebCore::RenderFrameSet::paint(WebCore::PaintInfo & paintInfo={...}, int tx=0, int ty=0) Line 142 + 0x1e bytes C++ WebKit.dll!WebCore::RenderBlock::paintChildren(WebCore::PaintInfo & paintInfo={...}, int tx=0, int ty=0) Line 2367 + 0x28 bytes C++ WebKit.dll!WebCore::RenderBlock::paintContents(WebCore::PaintInfo & paintInfo={...}, int tx=0, int ty=0) Line 2327 C++ WebKit.dll!WebCore::RenderBlock::paintObject(WebCore::PaintInfo & paintInfo={...}, int tx=0, int ty=0) Line 2439 C++ WebKit.dll!WebCore::RenderBlock::paint(WebCore::PaintInfo & paintInfo={...}, int tx=0, int ty=0) Line 2214 + 0x1e bytes C++ WebKit.dll!WebCore::RenderLayer::paintLayer(WebCore::RenderLayer * rootLayer=0x0247dabc, WebCore::GraphicsContext * p=0x0249bb68, const WebCore::IntRect & paintDirtyRect={...}, unsigned int paintBehavior=0, WebCore::RenderObject * paintingRoot=0x00000000, WTF::HashMap<WebCore::OverlapTestRequestClient *,WebCore::IntRect,WTF::PtrHash<WebCore::OverlapTestRequestClient *>,WTF::HashTraits<WebCore::OverlapTestRequestClient *>,WTF::HashTraits<WebCore::IntRect> > * overlapTestRequests=0x0012e658, unsigned int paintFlags=0) Line 2509 + 0x3b bytes C++ WebKit.dll!WebCore::RenderLayer::paintList(WTF::Vector<WebCore::RenderLayer *,0> * list=[1](0x025309dc {m_renderer=0x024e604c m_parent=0x0247dabc m_previous=0x00000000 ...}), WebCore::RenderLayer * rootLayer=0x0247dabc, WebCore::GraphicsContext * p=0x0249bb68, const WebCore::IntRect & paintDirtyRect={...}, unsigned int paintBehavior=0, WebCore::RenderObject * paintingRoot=0x00000000, WTF::HashMap<WebCore::OverlapTestRequestClient *,WebCore::IntRect,WTF::PtrHash<WebCore::OverlapTestRequestClient *>,WTF::HashTraits<WebCore::OverlapTestRequestClient *>,WTF::HashTraits<WebCore::IntRect> > * overlapTestRequests=0x0012e658, unsigned int paintFlags=0) Line 2563 C++ WebKit.dll!WebCore::RenderLayer::paintLayer(WebCore::RenderLayer * rootLayer=0x0247dabc, WebCore::GraphicsContext * p=0x0249bb68, const WebCore::IntRect & paintDirtyRect={...}, unsigned int paintBehavior=0, WebCore::RenderObject * paintingRoot=0x00000000, WTF::HashMap<WebCore::OverlapTestRequestClient *,WebCore::IntRect,WTF::PtrHash<WebCore::OverlapTestRequestClient *>,WTF::HashTraits<WebCore::OverlapTestRequestClient *>,WTF::HashTraits<WebCore::IntRect> > * overlapTestRequests=0x0012e658, unsigned int paintFlags=0) Line 2532 C++ WebKit.dll!WebCore::RenderLayer::paint(WebCore::GraphicsContext * p=0x0249bb68, const WebCore::IntRect & damageRect={...}, unsigned int paintBehavior=0, WebCore::RenderObject * paintingRoot=0x00000000) Line 2315 C++ WebKit.dll!WebCore::FrameView::paintContents(WebCore::GraphicsContext * p=0x0249bb68, const WebCore::IntRect & rect={...}) Line 2312 C++ WebKit.dll!WebCore::ScrollView::paint(WebCore::GraphicsContext * context=0x0249bb68, const WebCore::IntRect & rect={...}) Line 934 + 0x1a bytes C++ WebKit.dll!WebKit::WebPage::drawRect(WebCore::GraphicsContext & graphicsContext={...}, const WebCore::IntRect & rect={...}) Line 588 + 0x33 bytes C++ WebKit.dll!WebKit::DrawingAreaImpl::display(WebKit::UpdateInfo & updateInfo={...}) Line 480 C++ WebKit.dll!WebKit::DrawingAreaImpl::display() Line 403 C++ WebKit.dll!WebKit::DrawingAreaImpl::forceRepaint() Line 159 C++ WebKit.dll!WebKit::WebPage::forceRepaintWithoutCallback() Line 1286 + 0x1d bytes C++ WebKit.dll!WKBundlePageForceRepaint(const OpaqueWKBundlePage * page=0x024806e8) Line 219 C++ InjectedBundle.dll!WTR::InjectedBundlePage::didFinishLoadForFrame(const OpaqueWKBundleFrame * frame=0x02483f38) Line 537 + 0xe bytes C++ InjectedBundle.dll!WTR::InjectedBundlePage::didFinishLoadForFrame(const OpaqueWKBundlePage * page=0x024806e8, const OpaqueWKBundleFrame * frame=0x02483f38, const void * * __formal=0x0012e99c, const void * clientInfo=0x024c8b90) Line 288 C++ WebKit.dll!WebKit::InjectedBundlePageLoaderClient::didFinishLoadForFrame(WebKit::WebPage * page=0x024806e8, WebKit::WebFrame * frame=0x02483f38, WTF::RefPtr<WebKit::APIObject> & userData=0x00000000) Line 95 + 0x2f bytes C++ WebKit.dll!WebKit::WebFrameLoaderClient::dispatchDidFinishLoad() Line 518 C++ WebKit.dll!WebCore::FrameLoader::checkLoadCompleteForThisFrame() Line 2427 + 0x18 bytes C++ WebKit.dll!WebCore::FrameLoader::recursiveCheckLoadComplete() Line 2539 C++ WebKit.dll!WebCore::FrameLoader::checkLoadComplete() Line 2552 C++ WebKit.dll!WebCore::FrameLoader::mainReceivedCompleteError(WebCore::DocumentLoader * loader=0x025542f0, const WebCore::ResourceError & __formal={...}) Line 3302 C++ WebKit.dll!WebCore::DocumentLoader::mainReceivedError(const WebCore::ResourceError & error={...}, bool isComplete=true) Line 206 C++ WebKit.dll!WebCore::FrameLoader::receivedMainResourceError(const WebCore::ResourceError & error={...}, bool isComplete=true) Line 2837 C++ WebKit.dll!WebCore::MainResourceLoader::didCancel(const WebCore::ResourceError & error={...}) Line 111 C++ WebKit.dll!WebCore::ResourceLoader::cancel(const WebCore::ResourceError & error={...}) Line 381 + 0x1f bytes C++ WebKit.dll!WebCore::ResourceLoader::cancel() Line 371 + 0x18 bytes C++ WebKit.dll!WebCore::DocumentLoader::stopLoading() Line 248 + 0x12 bytes C++ WebKit.dll!WebCore::FrameLoader::stopAllLoaders(WebCore::ClearProvisionalItemPolicy clearProvisionalItemPolicy=ShouldClearProvisionalItem) Line 1715 C++ WebKit.dll!WebCore::FrameLoader::frameDetached() Line 2587 C++ > WebKit.dll!WebCore::HTMLFrameOwnerElement::willRemove() Line 59 C++ WebKit.dll!WebCore::HTMLFrameElementBase::willRemove() Line 284 C++ WebKit.dll!WebCore::ContainerNode::willRemove() Line 363 + 0x24 bytes C++ WebKit.dll!WebCore::ContainerNode::willRemove() Line 363 + 0x24 bytes C++ WebKit.dll!WebCore::willRemoveChildren(WebCore::ContainerNode * container=0x0251a008) Line 391 + 0x12 bytes C++ WebKit.dll!WebCore::ContainerNode::removeChildren() Line 510 + 0xe bytes C++ WebKit.dll!WebCore::Document::implicitOpen() Line 1963 C++ WebKit.dll!WebCore::Document::open(WebCore::Document * ownerDocument=0x0251a008) Line 1926 C++ WebKit.dll!WebCore::JSHTMLDocument::open(JSC::ExecState * exec=0x03a00170) Line 129 C++ WebKit.dll!WebCore::jsHTMLDocumentPrototypeFunctionOpen(JSC::ExecState * exec=0x03a00170) Line 402 + 0x10 bytes C++ 040a006a() JavaScriptCore.dll!cti_vm_lazyLinkCall() Line 2022 + 0x1c bytes C++ JavaScriptCore.dll!JSC::Interpreter::executeCall(JSC::ExecState * callFrame=0x0252c3f8, JSC::JSObject * function=0x04031d98, JSC::CallType callType=CallTypeJS, const JSC::CallData & callData={...}, JSC::JSValue thisValue={...}, const JSC::ArgList & args={...}) Line 844 + 0x2a bytes C++ JavaScriptCore.dll!JSC::call(JSC::ExecState * exec=0x0252c3f8, JSC::JSValue functionObject={...}, JSC::CallType callType=CallTypeJS, const JSC::CallData & callData={...}, JSC::JSValue thisValue={...}, const JSC::ArgList & args={...}) Line 38 + 0x3c bytes C++ WebKit.dll!WebCore::JSMainThreadExecState::call(JSC::ExecState * exec=0x0252c3f8, JSC::JSValue functionObject={...}, JSC::CallType callType=CallTypeJS, const JSC::CallData & callData={...}, JSC::JSValue thisValue={...}, const JSC::ArgList & args={...}) Line 48 + 0x29 bytes C++ WebKit.dll!WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext * scriptExecutionContext=, WebCore::Event * event=) Line 123 + 0x6a bytes C++ WebKit.dll!WebCore::EventTarget::fireEventListeners(WebCore::Event * event=0x0251f5b8, WebCore::EventTargetData * d=0x024ce5e8, WTF::Vector<WebCore::RegisteredEventListener,1> & entry=[1549312]({listener={...} useCapture=??? },{listener={...} useCapture=??? },{listener={...} useCapture=??? },{listener={...} useCapture=??? },{listener={...} useCapture=??? },{listener={...} useCapture=??? },{listener={...} useCapture=??? },{listener={...} useCapture=??? },{listener={...} useCapture=??? },{listener={...} useCapture=??? },{listener={...} useCapture=??? },{listener={...} useCapture=,...)) Line 354 + 0x35 bytes C++ WebKit.dll!WebCore::EventTarget::fireEventListeners(WebCore::Event * event=0x0251f5b8) Line 325 C++ WebKit.dll!WebCore::DOMWindow::dispatchEvent(WTF::PassRefPtr<WebCore::Event> prpEvent={...}, WTF::PassRefPtr<WebCore::EventTarget> prpTarget={...}) Line 1585 + 0x11 bytes C++ WebKit.dll!WebCore::DOMWindow::dispatchTimedEvent(WTF::PassRefPtr<WebCore::Event> event={...}, WebCore::Document * target=0x0251a008, double * startTime=0x02492578, double * endTime=0x02492580) Line 1598 C++ WebKit.dll!WebCore::DOMWindow::dispatchLoadEvent() Line 1558 C++ WebKit.dll!WebCore::Document::dispatchWindowLoadEvent() Line 3505 C++ WebKit.dll!WebCore::Document::implicitClose() Line 2091 C++ WebKit.dll!WebCore::FrameLoader::checkCallImplicitClose() Line 892 C++ WebKit.dll!WebCore::FrameLoader::checkCompleted() Line 841 C++ WebKit.dll!WebCore::FrameLoader::completed() Line 1204 C++ WebKit.dll!WebCore::FrameLoader::checkCompleted() Line 844 C++ WebKit.dll!WebCore::FrameLoader::finishedParsing() Line 775 C++ WebKit.dll!WebCore::Document::finishedParsing() Line 4272 C++ WebKit.dll!WebCore::ImageDocumentParser::finish() Line 171 + 0x1d bytes C++ WebKit.dll!WebCore::Document::finishParsing() Line 2257 + 0x20 bytes C++ WebKit.dll!WebCore::DocumentWriter::endIfNotLoadingMainResource() Line 223 C++ WebKit.dll!WebCore::DocumentWriter::end() Line 208 C++ WebKit.dll!WebCore::DocumentLoader::finishedLoading() Line 286 C++ WebKit.dll!WebCore::FrameLoader::finishedLoading() Line 2189 C++ WebKit.dll!WebCore::MainResourceLoader::didFinishLoading(double finishTime=0.00000000000000000) Line 466 C++ WebKit.dll!WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle * __formal=0x025288c8, double finishTime=0.00000000000000000) Line 436 + 0x18 bytes C++ WebKit.dll!WebCore::didFinishLoading(_CFURLConnection * conn=0x02556650, const void * clientInfo=0x025288c8) Line 241 + 0x26 bytes C++
Adam Roben (:aroben)
Comment 9 2011-03-02 13:01:17 PST
We're crashing on this line: if (page->mainFrame() == m_frame) { page is 0. m_frame is not the same frame that is being detached.
Adam Roben (:aroben)
Comment 10 2011-03-02 13:46:27 PST
It looks like FrameView::paintContents, which is also called at this time, does not require the Page to be non-null (at least not directly).
Adam Roben (:aroben)
Comment 11 2011-03-02 14:40:06 PST
I can reproduce the crash in WebKit1 on Windows by adding code to force a display at the equivalent point in DRT. (As stated above, DRT on Windows normally waits until dump() is called to force a display.) I'd bet we can get the crash to go away in WebKit2 by waiting to force the repaint until dump() is called. We'd still want to fix the underlying issue here, though.
Adam Roben (:aroben)
Comment 12 2011-03-02 14:50:20 PST
(In reply to comment #11) > I'd bet we can get the crash to go away in WebKit2 by waiting to force the repaint until dump() is called. That does indeed fix the crash.
Adam Roben (:aroben)
Comment 13 2011-03-02 15:03:25 PST
I discovered a few more things while looking at what happens in WebKit1 on Mac: In some tests, e.g., css1/basic/class_as_selector.html, the -displayIfNeeded call in -webView:didFinishLoadForFrame: does indeed cause a display. In others, e.g., dom/html/level2/html/HTMLFrameElement01.html, the -displayIfNeeded call *does not* cause a display, and in fact we never display at all in that test in WebKit1. So it looks like DRT on Mac and DRT on Windows have an important difference: Windows always displays, while Mac only sometimes displays. The change I made to WTR made it always display, like DRT on Windows, but put the call in the place where Mac DRT has it. I think the best thing to do is to move it to dump() to match DRT on Windows.
Adam Roben (:aroben)
Comment 14 2011-03-02 15:10:31 PST
Created attachment 84475 [details] Wait for force a paint in WebKitTestRunner until we're actually ready to dump the output
Adam Roben (:aroben)
Comment 15 2011-03-02 15:11:03 PST
We're going to track the underlying issue separately. Beth volunteered to file that bug.
Beth Dakin
Comment 16 2011-03-02 15:17:26 PST
(In reply to comment #15) > We're going to track the underlying issue separately. Beth volunteered to file that bug. I filed: https://bugs.webkit.org/show_bug.cgi?id=55624
Adam Roben (:aroben)
Comment 17 2011-03-02 15:19:51 PST
Committed r80175: <http://trac.webkit.org/changeset/80175>
Note You need to log in before you can comment on or make changes to this bug.