Bug 71044

Summary: RenderLayer::hasVisibleContent() can be called when m_visibleContentStatusDirty is true
Product: WebKit
Reporter: Simon Fraser (smfr) <simon.fraser>
Component: Layout and Rendering
Assignee: Nobody <webkit-unassigned>
Status: NEW
Severity: Normal
CC: jchaffraix, koivisto, robin.webkit, simon.fraser
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=228983

Description Simon Fraser (smfr) 2011-10-27 11:50:21 PDT
RenderBox::clippedOverflowRectForRepaint() calls enclosingLayer()->hasVisibleContent() in cases where hasVisibleContent() may return incorrect data. Here's one stack trace where this happens:

1   0x1048e712c WebCore::RenderLayer::hasVisibleContent() const
2   0x104a09aca WebCore::RenderReplaced::clippedOverflowRectForRepaint(WebCore::RenderBoxModelObject*) const
3   0x1049f3ff8 WebCore::RenderObject::repaint(bool)
4   0x1049f6fde WebCore::RenderObject::setStyle(WTF::PassRefPtr<WebCore::RenderStyle>)
5   0x1049f664b WebCore::RenderObject::setAnimatableStyle(WTF::PassRefPtr<WebCore::RenderStyle>)
6   0x1047ff7d3 WebCore::Node::setRenderStyle(WTF::PassRefPtr<WebCore::RenderStyle>)
7   0x103e57c09 WebCore::Element::recalcStyle(WebCore::Node::StyleChange)
8   0x103e5809f WebCore::Element::recalcStyle(WebCore::Node::StyleChange)
9   0x103e5809f WebCore::Element::recalcStyle(WebCore::Node::StyleChange)
10  0x103e5809f WebCore::Element::recalcStyle(WebCore::Node::StyleChange)
11  0x103c88c91 WebCore::Document::recalcStyle(WebCore::Node::StyleChange)
12  0x103c89d09 WebCore::Document::updateStyleIfNeeded()
13  0x103c89ece WebCore::Document::updateLayout()
14  0x103c8a074 WebCore::Document::updateLayoutIgnorePendingStylesheets()
15  0x103e54e19 WebCore::Element::getBoundingClientRect()
16  0x1043820bf WebCore::jsElementPrototypeFunctionGetBoundingClientRect(JSC::ExecState*)
17  0x5127366014f8
18  0x101b8ef49 JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*)
19  0x101b8b866 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
20  0x101ae2bd1 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
21  0x1042799e3 WebCore::JSMainThreadExecState::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
22  0x104b36263 WebCore::ScheduledAction::executeFunctionInContext(JSC::JSGlobalObject*, JSC::JSValue, WebCore::ScriptExecutionContext*)
23  0x104b35d49 WebCore::ScheduledAction::execute(WebCore::Document*)
24  0x104b35b74 WebCore::ScheduledAction::execute(WebCore::ScriptExecutionContext*)
25  0x103def266 WebCore::DOMTimer::fired()
26  0x104d8de67 WebCore::ThreadTimers::sharedTimerFiredInternal()
27  0x104d8dc39 WebCore::ThreadTimers::sharedTimerFired()
28  0x104bb7873 _ZN7WebCoreL10timerFiredEP16__CFRunLoopTimerPv

but I also see it during style updates before event handling.

Detected with:

-    bool hasVisibleContent() const { return m_hasVisibleContent; }
-    bool hasVisibleDescendant() const { return m_hasVisibleDescendant; }
+    bool hasVisibleContent() const { ASSERT(!m_visibleContentStatusDirty); return m_hasVisibleContent; }
+    bool hasVisibleDescendant() const { ASSERT(!m_visibleDescendantStatusDirty); return m_hasVisibleDescendant; }
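Review bot: the ASSERT added to hasVisibleContent() and hasVisibleDescendant() only detects the stale read in debug builds; in release builds it compiles out and each getter still hands back the cached m_hasVisibleContent / m_hasVisibleDescendant bit while the matching dirty flag is set, which is exactly the incorrect data the description reports from RenderBox::clippedOverflowRectForRepaint(). If this is meant as more than instrumentation, either make the callers bring the visibility status up to date before querying it, or have the getter refresh the cached bit when the dirty flag is set, so the invariant holds regardless of build configuration.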
Comment 1 Simon Fraser (smfr) 2011-10-27 13:12:16 PDT
Here's another example:

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x000000010396a0d0 WebCore::RenderLayer::hasVisibleContent() const + 96 (RenderLayer.h:388)
1   com.apple.WebCore             	0x0000000103a7a433 WebCore::RenderObject::styleWillChange(WebCore::StyleDifference, WebCore::RenderStyle const*) + 483 (RenderObject.cpp:1781)
2   com.apple.WebCore             	0x00000001039c3c0a WebCore::RenderBoxModelObject::styleWillChange(WebCore::StyleDifference, WebCore::RenderStyle const*) + 1418 (RenderBoxModelObject.cpp:343)
3   com.apple.WebCore             	0x00000001039ac4a0 WebCore::RenderBox::styleWillChange(WebCore::StyleDifference, WebCore::RenderStyle const*) + 864 (RenderBox.cpp:341)
4   com.apple.WebCore             	0x000000010394585e WebCore::RenderBlock::styleWillChange(WebCore::StyleDifference, WebCore::RenderStyle const*) + 798 (RenderBlock.cpp:238)
5   com.apple.WebCore             	0x0000000103a79a35 WebCore::RenderObject::setStyle(WTF::PassRefPtr<WebCore::RenderStyle>) + 389 (RenderObject.cpp:1713)
6   com.apple.WebCore             	0x0000000103b36900 WebCore::RenderTextControl::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) + 320 (RenderTextControl.cpp:93)
7   com.apple.WebCore             	0x0000000103a79ec3 WebCore::RenderObject::setStyle(WTF::PassRefPtr<WebCore::RenderStyle>) + 1555 (RenderObject.cpp:1729)
8   com.apple.WebCore             	0x0000000103a7961b WebCore::RenderObject::setAnimatableStyle(WTF::PassRefPtr<WebCore::RenderStyle>) + 139 (RenderObject.cpp:1640)
9   com.apple.WebCore             	0x0000000103882773 WebCore::Node::setRenderStyle(WTF::PassRefPtr<WebCore::RenderStyle>) + 83 (Node.cpp:1506)
10  com.apple.WebCore             	0x0000000102edaba9 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 1433 (Element.cpp:1141)
11  com.apple.WebCore             	0x0000000102edb03f WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 2607 (Element.cpp:1184)
12  com.apple.WebCore             	0x0000000102edb03f WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 2607 (Element.cpp:1184)
13  com.apple.WebCore             	0x0000000102edb03f WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 2607 (Element.cpp:1184)
14  com.apple.WebCore             	0x0000000102d0bc31 WebCore::Document::recalcStyle(WebCore::Node::StyleChange) + 945 (Document.cpp:1507)
15  com.apple.WebCore             	0x0000000102d0cca9 WebCore::Document::updateStyleIfNeeded() + 361 (Document.cpp:1569)
16  com.apple.WebCore             	0x0000000102d0ce6e WebCore::Document::updateLayout() + 158 (Document.cpp:1596)
17  com.apple.WebCore             	0x0000000102d0d014 WebCore::Document::updateLayoutIgnorePendingStylesheets() + 196 (Document.cpp:1631)
18  com.apple.WebCore             	0x0000000102edcace WebCore::Element::focus(bool) + 126 (Element.cpp:1605)
19  com.apple.WebCore             	0x000000010340370f WebCore::jsElementPrototypeFunctionFocus(JSC::ExecState*) + 351 (JSElement.cpp:1903)
20  ???                           	0x00004c9c8b2011f8 0 + 84235232743928
21  com.apple.JavaScriptCore      	0x0000000101a08f49 JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*) + 121 (JITCode.h:103)
22  com.apple.JavaScriptCore      	0x0000000101a04eaa JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::ScopeChainNode*, JSC::JSObject*) + 4890 (Interpreter.cpp:897)
23  com.apple.JavaScriptCore      	0x0000000101979e9a JSC::evaluate(JSC::ExecState*, JSC::ScopeChainNode*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*) + 458 (Completion.cpp:70)
24  com.apple.WebCore             	0x0000000103519a31 WebCore::JSMainThreadExecState::evaluate(JSC::ExecState*, JSC::ScopeChainNode*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*) + 81 (JSMainThreadExecState.h:58)
25  com.apple.WebCore             	0x0000000103bc5b5f WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld*) + 495 (ScriptController.cpp:145)
26  com.apple.WebCore             	0x0000000103bc5cc4 WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&) + 68 (ScriptController.cpp:163)
27  com.apple.WebCore             	0x0000000103bdb159 WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) + 473 (ScriptElement.cpp:297)
28  com.apple.WebCore             	0x0000000103bd9e6d WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport) + 1853 (ScriptElement.cpp:247)
29  com.apple.WebCore             	0x000000010311254c WebCore::HTMLScriptRunner::runScript(WebCore::Element*, WTF::TextPosition const&) + 460 (HTMLScriptRunner.cpp:298)
30  com.apple.WebCore             	0x00000001031122df WebCore::HTMLScriptRunner::execute(WTF::PassRefPtr<WebCore::Element>, WTF::TextPosition const&) + 159 (HTMLScriptRunner.cpp:172)
31  com.apple.WebCore             	0x0000000103098b4c WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() + 332 (HTMLDocumentParser.cpp:207)
32  com.apple.WebCore             	0x0000000103098c3b WebCore::HTMLDocumentParser::canTakeNextToken(WebCore::HTMLDocumentParser::SynchronousMode, WebCore::PumpSession&) + 171 (HTMLDocumentParser.cpp:225)
33  com.apple.WebCore             	0x00000001030984b6 WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) + 470 (HTMLDocumentParser.cpp:263)
34  com.apple.WebCore             	0x00000001030980c8 WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode) + 200 (HTMLDocumentParser.cpp:178)
35  com.apple.WebCore             	0x000000010309912f WebCore::HTMLDocumentParser::append(WebCore::SegmentedString const&) + 335 (HTMLDocumentParser.cpp:372)
36  com.apple.WebCore             	0x0000000102cdce7d WebCore::DecodedDataDocumentParser::appendBytes(WebCore::DocumentWriter*, char const*, unsigned long) + 237 (DecodedDataDocumentParser.cpp:50)
37  com.apple.WebCore             	0x0000000102d6969d WebCore::DocumentWriter::addData(char const*, unsigned long) + 93 (DocumentWriter.cpp:207)
38  com.apple.WebCore             	0x0000000102d4909e WebCore::DocumentLoader::commitData(char const*, unsigned long) + 286 (DocumentLoader.cpp:318)
39  com.apple.WebKit              	0x00000001023574d6 -[WebFrame(WebInternal) _commitData:] + 214 (WebFrame.mm:858)
40  com.apple.WebKit              	0x000000010238eb50 -[WebHTMLRepresentation receivedData:withDataSource:] + 128 (WebHTMLRepresentation.mm:185)
41  com.apple.WebKit              	0x0000000102336baa -[WebDataSource(WebInternal) _receivedData:] + 90 (WebDataSource.mm:233)
42  com.apple.WebKit              	0x0000000102364bb1 WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, char const*, int) + 129 (WebFrameLoaderClient.mm:890)
43  com.apple.WebCore             	0x0000000102d48f48 WebCore::DocumentLoader::commitLoad(char const*, int) + 216 (DocumentLoader.cpp:304)
44  com.apple.WebCore             	0x0000000102d4916a WebCore::DocumentLoader::receivedData(char const*, int) + 90 (DocumentLoader.cpp:330)
45  com.apple.WebCore             	0x000000010380a9f7 WebCore::MainResourceLoader::addData(char const*, int, bool) + 87 (MainResourceLoader.cpp:169)
46  com.apple.WebCore             	0x0000000103b88239 WebCore::ResourceLoader::didReceiveData(char const*, int, long long, bool) + 265 (ResourceLoader.cpp:291)
47  com.apple.WebCore             	0x000000010380c38f WebCore::MainResourceLoader::didReceiveData(char const*, int, long long, bool) + 863 (MainResourceLoader.cpp:468)
48  com.apple.WebCore             	0x0000000103b88bbd WebCore::ResourceLoader::didReceiveData(WebCore::ResourceHandle*, char const*, int, int) + 157 (ResourceLoader.cpp:442)
49  com.apple.WebCore             	0x0000000103b851b2 -[WebCoreResourceHandleAsDelegate connection:didReceiveData:lengthReceived:] + 306 (ResourceHandleMac.mm:833)
50  com.apple.Foundation          	0x00007fff8ab86459 ___NSURLConnectionDidReceiveData_block_invoke_1 + 144
51  com.apple.Foundation          	0x00007fff8ab863c3 _NSURLConnectionDidReceiveData + 86
52  com.apple.CFNetwork           	0x00007fff925795ec URLConnectionClient::_clientDidReceiveData(__CFArray const*, URLConnectionClient::ClientConnectionEventQueue*) + 348
53  com.apple.CFNetwork           	0x00007fff9262aceb URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<XClientEvent, XClientEventParams>*, long) + 827
54  com.apple.CFNetwork           	0x00007fff92555dfd URLConnectionClient::processEvents() + 185

from one of these tests (not sure which)

  fast/forms/cursor-at-editable-content-boundary.html -> unexpected DumpRenderTree crash
  fast/dynamic/positioned-movement-with-positioned-children.html -> unexpected DumpRenderTree crash
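The ordering the description calls out, as an added example that is not part of this bug report or of WebKit: a minimal Layer with a cached visibility bit and a dirty flag (names modelled on m_hasVisibleContent / m_visibleContentStatusDirty; Node, Layer and the helper functions are assumptions of this example), queried after a style change has dirtied the cache but before the deferred recomputation has run. It shows what the pre-patch unchecked getter, the asserting getter from the patch, and a refresh-on-demand getter each report for that same query.

```cpp
// Added illustration, not WebKit code. "Layer" is a simplified stand-in for
// RenderLayer with the two fields named in the bug: a cached visibility bit and
// the dirty flag that says whether that bit can be trusted. Node, Layer and the
// helper names below are assumptions for this example.
#include <cassert>
#include <cstdio>
#include <vector>

struct Node {
    bool visible = true;
    std::vector<Node*> children;
};

class Layer {
public:
    explicit Layer(Node* root) : m_root(root) {}

    // A style change that may affect visibility only marks the cache dirty;
    // the recomputation is deferred.
    void dirtyVisibleContentStatus() { m_visibleContentStatusDirty = true; }

    // The deferred recomputation: walk the subtree and refresh the cached bit.
    void updateVisibilityStatus() {
        m_hasVisibleContent = subtreeHasVisibleContent(m_root);
        m_visibleContentStatusDirty = false;
    }

    bool visibleContentStatusDirty() const { return m_visibleContentStatusDirty; }

    // 1. Pre-patch behaviour: hand back the cached bit with no check at all.
    //    A caller that runs between "dirty" and "update" gets stale data.
    bool hasVisibleContentUnchecked() const { return m_hasVisibleContent; }

    // 2. The patch from the description: same getter, but debug builds trip an
    //    assert if the cache is stale. Release builds compile the assert out and
    //    behave exactly like (1).
    bool hasVisibleContentAsserting() const {
        assert(!m_visibleContentStatusDirty);
        return m_hasVisibleContent;
    }

    // 3. Hardened variant: refresh on demand, so the answer is correct in every
    //    build configuration regardless of caller discipline.
    bool hasVisibleContent() {
        if (m_visibleContentStatusDirty)
            updateVisibilityStatus();
        return m_hasVisibleContent;
    }

private:
    static bool subtreeHasVisibleContent(const Node* node) {
        if (node->visible)
            return true;
        for (const Node* child : node->children) {
            if (subtreeHasVisibleContent(child))
                return true;
        }
        return false;
    }

    Node* m_root;
    bool m_hasVisibleContent = false;
    bool m_visibleContentStatusDirty = true;
};

// What the getters report when a repaint-style query lands between the style
// change (which dirties the cache) and the deferred update.
struct StaleReadResult {
    bool dirtyAtQuery;   // was the dirty flag set when the query ran?
    bool uncheckedValue; // what getter (1) returned at that moment
    bool lazyValue;      // what getter (3) returned at that moment
    bool truth;          // what getter (2) returns once the cache is clean
};

StaleReadResult demonstrateStaleRead() {
    Node child;
    Node root;
    root.children.push_back(&child);
    Layer layer(&root);
    layer.updateVisibilityStatus();          // cache: visible, clean

    // Style change hides the whole subtree and dirties the cache, but the
    // recomputation has not run yet when the query arrives.
    root.visible = false;
    child.visible = false;
    layer.dirtyVisibleContentStatus();

    StaleReadResult r;
    r.dirtyAtQuery = layer.visibleContentStatusDirty();
    r.uncheckedValue = layer.hasVisibleContentUnchecked(); // stale: still true
    r.lazyValue = layer.hasVisibleContent();               // correct: false
    r.truth = layer.hasVisibleContentAsserting();          // clean now, no trip
    return r;
}

int main() {
    StaleReadResult r = demonstrateStaleRead();
    std::printf("dirty at query: %d, unchecked: %d, lazy: %d, truth: %d\n",
                r.dirtyAtQuery, r.uncheckedValue, r.lazyValue, r.truth);
    return 0;
}
```

Calling hasVisibleContentAsserting() at the point where the unchecked getter is read would abort a debug build, which is what the patch in the description is designed to surface; the refresh-on-demand getter is the variant that also protects release builds.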