Bug 65492

Summary: Crash in MainFrameScrollbarGtk::detachAdjustment (v. 1.4.2)
Product: WebKit
Reporter: Ed Catmur <ed>
Component: WebKitGTK
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: gustavo, mrobinson
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
URL: https://bugzilla.gnome.org/show_bug.cgi?id=638740
Attachments: MainFrameScrollbarGtk.patch (flags: none)

Ed Catmur
Reported 2011-08-01 15:10:56 PDT
See downstream for full stack trace.

#0 0x005457a3 in g_type_check_instance_cast (type_instance=0xfffffffe, iface_type=80) at gtype.c:3969
#1 0x42489475 in WebCore::MainFrameScrollbarGtk::detachAdjustment (this=0xad9131b0) at WebCore/platform/gtk/MainFrameScrollbarGtk.cpp:79
#2 0x4249543b in WebCore::ScrollView::setHorizontalAdjustment (this=0xa8bc7a00, hadj=0x0, resetValues=true) at WebCore/platform/gtk/ScrollViewGtk.cpp:92
#3 0x42495705 in WebCore::ScrollView::setGtkAdjustments (this=0xa8bc7a00, hadj=0x0, vadj=0x0, resetValues=true) at WebCore/platform/gtk/ScrollViewGtk.cpp:161
#4 0x424c7ecd in WebKit::FrameLoaderClient::savePlatformDataToCachedFrame (this=0xa8ba50d0, cachedFrame=0xadd4ed20) at WebKit/gtk/WebCoreSupport/FrameLoaderClientGtk.cpp:1270
#5 0x41f1012e in WebCore::CachedFrame::CachedFrame (this=0xadd4ed20, frame=0xa8ba0c00) at WebCore/history/CachedFrame.cpp:144
#6 0x41f1017c in create (this=0xadd4e780, frame=0xaa23c200) at WebCore/history/CachedFrame.h:73
#7 WebCore::CachedFrame::CachedFrame (this=0xadd4e780, frame=0xaa23c200) at WebCore/history/CachedFrame.cpp:148
#8 0x41f10502 in create (this=0xb6fa9260, page=0xad19df20) at WebCore/history/CachedFrame.h:73

On branch releases/WebKitGTK/webkit-1.4, if a ScrollView that previously did not have a parent acquires a parent, ScrollView::setHorizontalAdjustment()/ScrollView::setVerticalAdjustment() expect m_horizontalScrollbar/m_verticalScrollbar to be a MainFrameScrollbarGtk when it is actually a Scrollbar. Result is heap UMR or similar. Proposed fix is to remove the scrollbars when a ScrollView that previously did not have a parent acquires a parent; patch to follow. Trunk does not have this issue as the dangerous casts are absent.
Attachments
MainFrameScrollbarGtk.patch (764 bytes, patch), 2011-08-01 15:12 PDT, Ed Catmur, no flags
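As an added illustration (not WebKit's code and not the reporter's patch), a small C++ model of the mismatch described in the report: a parentless ScrollView owns a plain Scrollbar, while the 1.4 branch's adjustment code treated m_horizontalScrollbar as a MainFrameScrollbarGtk. It shows the reporter's proposed fix (recreate the scrollbar when a parent is acquired) next to a checked cast that refuses the downcast instead of reading a bogus pointer. Adjustment (standing in for GtkAdjustment), isMainFrameScrollbar, createScrollbar and setParent are hypothetical names.

```cpp
// Added model of the report's type confusion, not WebKit code. Names from the
// report: Scrollbar, MainFrameScrollbarGtk, ScrollView, m_horizontalScrollbar,
// setHorizontalAdjustment, detachAdjustment. Hypothetical: Adjustment (stand-in
// for GtkAdjustment), isMainFrameScrollbar, createScrollbar, setParent.
#include <memory>

struct Adjustment { int refs = 1; };

struct Scrollbar {
    virtual ~Scrollbar() = default;
    virtual bool isMainFrameScrollbar() const { return false; }  // ask, don't assume
};

struct MainFrameScrollbarGtk : Scrollbar {
    Adjustment* m_adjustment = nullptr;
    bool isMainFrameScrollbar() const override { return true; }
    // Frame #1 of the trace: a plain Scrollbar has no m_adjustment, so the real
    // code read a bogus pointer here and crashed inside GLib's type check.
    void detachAdjustment() { if (m_adjustment) { --m_adjustment->refs; m_adjustment = nullptr; } }
};

struct ScrollView {
    bool m_hasParent;
    std::unique_ptr<Scrollbar> m_horizontalScrollbar;
    explicit ScrollView(bool hasParent) : m_hasParent(hasParent) { createScrollbar(); }

    // Parentless views get a plain Scrollbar; parented views get the GTK kind.
    void createScrollbar() {
        if (m_hasParent) m_horizontalScrollbar.reset(new MainFrameScrollbarGtk);
        else m_horizontalScrollbar.reset(new Scrollbar);
    }

    // Reporter's proposed fix: on acquiring a parent, drop the old scrollbar so
    // it is recreated as the type the adjustment code expects.
    void setParent(bool hasParent) {
        bool acquired = hasParent && !m_hasParent;
        m_hasParent = hasParent;
        if (acquired) createScrollbar();
    }

    // Hardened form of the 1.4-branch cast: check the kind instead of doing an
    // unconditional static_cast. Returns false when the cast was refused.
    bool setHorizontalAdjustment(Adjustment* hadj) {
        Scrollbar* bar = m_horizontalScrollbar.get();
        if (!bar || !bar->isMainFrameScrollbar()) return false;
        auto* gtkBar = static_cast<MainFrameScrollbarGtk*>(bar);
        gtkBar->detachAdjustment();
        gtkBar->m_adjustment = hadj;
        if (hadj) ++hadj->refs;
        return true;
    }
};
```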
Ed Catmur
Comment 1 2011-08-01 15:12:12 PDT
Created attachment 102568: MainFrameScrollbarGtk.patch
Martin Robinson
Comment 2 2011-08-03 05:43:11 PDT
Perhaps the right thing to do here is to merge the real scrollbar fix into stable. This was the one which moved adjustment handling out of WebCore entirely.
Gustavo Noronha (kov)
Comment 3 2011-08-05 04:29:06 PDT
I'm in favor of what you propose, Martin. It's a big change, but also one we know improves stability by making the whole thing less complex.
Martin Robinson
Comment 4 2011-08-29 14:21:43 PDT
Should be fixed as of http://trac.webkit.org/changeset/94012. This fix will be in WebKitGTK+ 1.4.3.