NEW 108524
Crash under FrameView::isRubberBandInProgress() during FrameView creation
https://bugs.webkit.org/show_bug.cgi?id=108524
Summary Crash under FrameView::isRubberBandInProgress() during FrameView creation
James Robinson
Reported 2013-01-31 14:15:30 PST
Copied from https://code.google.com/p/chromium/issues/detail?id=173009:

Thread 0 *CRASHED* ( EXCEPTION_ACCESS_VIOLATION_READ @ 0xfffffffffaa6fc6a )

0x68abf5e3 [chrome.dll] - scrollingcoordinator.cpp:436 WebCore::ScrollingCoordinator::hasVisibleSlowRepaintViewportConstrainedObjects(WebCore::FrameView *)
0x68abf6a3 [chrome.dll] - scrollingcoordinator.cpp:463 WebCore::ScrollingCoordinator::mainThreadScrollingReasons()
0x682a27dd [chrome.dll] - frameview.cpp:1919 WebCore::FrameView::isRubberBandInProgress()
0x68285408 [chrome.dll] - scrollview.cpp:618 WebCore::ScrollView::updateScrollbars(WebCore::IntSize const &)
0x689315ff [chrome.dll] - scrollview.cpp:188 WebCore::ScrollView::setCanHaveScrollbars(bool)
0x68a7e82c [chrome.dll] - frameview.cpp:507 WebCore::FrameView::setCanHaveScrollbars(bool)
0x6820a110 [chrome.dll] - frameview.cpp:352 WebCore::FrameView::init()
0x68209f6f [chrome.dll] - frameview.cpp:202 WebCore::FrameView::FrameView(WebCore::Frame *)
0x68209798 [chrome.dll] - frame.cpp:796 WebCore::Frame::createView(WebCore::IntSize const &,WebCore::Color const &,bool,WebCore::IntSize const &,WebCore::IntRect const &,bool,WebCore::ScrollbarMode,bool,WebCore::ScrollbarMode,bool)
0x6820953d [chrome.dll] - webframeimpl.cpp:2280 WebKit::WebFrameImpl::createFrameView()
0x68208edd [chrome.dll] - frameloader.cpp:1864 WebCore::FrameLoader::transitionToCommitted(WTF::PassRefPtr<WebCore::CachedPage>)
0x682084ed [chrome.dll] - frameloader.cpp:1701 WebCore::FrameLoader::commitProvisionalLoad()
0x682082d3 [chrome.dll] - documentloader.cpp:283 WebCore::DocumentLoader::finishedLoading()
0x68207ada [chrome.dll] - documentloader.cpp:880 WebCore::DocumentLoader::maybeLoadEmpty()
0x682075a5 [chrome.dll] - documentloader.cpp:890 WebCore::DocumentLoader::startLoadingMainResource()
0x68204e97 [chrome.dll] - frameloader.cpp:261 WebCore::FrameLoader::init()
0x6944d834 [chrome.dll] - webframeimpl.cpp:2242 WebKit::WebFrameImpl::createChildFrame(WebCore::FrameLoadRequest const &,WebCore::HTMLFrameOwnerElement *)
0x6945f4cc [chrome.dll] - frameloaderclientimpl.cpp:1477 WebKit::FrameLoaderClientImpl::createFrame(WebCore::KURL const &,WTF::String const &,WebCore::HTMLFrameOwnerElement *,WTF::String const &,bool,int,int)
0x68af7b3b [chrome.dll] - subframeloader.cpp:367 WebCore::SubframeLoader::loadSubframe(WebCore::HTMLFrameOwnerElement *,WebCore::KURL const &,WTF::String const &,WTF::String const &)
0x68af79cf [chrome.dll] - subframeloader.cpp:341 WebCore::SubframeLoader::loadOrRedirectSubframe(WebCore::HTMLFrameOwnerElement *,WebCore::KURL const &,WTF::AtomicString const &,bool,bool)
0x68af6bc2 [chrome.dll] - subframeloader.cpp:87 WebCore::SubframeLoader::requestFrame(WebCore::HTMLFrameOwnerElement *,WTF::String const &,WTF::AtomicString const &,bool,bool)
0x68e74c66 [chrome.dll] - htmlframeelementbase.cpp:88 WebCore::HTMLFrameElementBase::openURL(bool,bool)
0x68e7503e [chrome.dll] - htmlframeelementbase.cpp:141 WebCore::HTMLFrameElementBase::setNameAndOpenURL()
0x68e7508e [chrome.dll] - htmlframeelementbase.cpp:172 WebCore::HTMLFrameElementBase::didNotifySubtreeInsertions(WebCore::ContainerNode *)
0x6822de07 [chrome.dll] - containernodealgorithms.h:230 WebCore::ChildNodeInsertionNotifier::notify(WebCore::Node *)
0x684a262c [chrome.dll] - containernode.cpp:1105 WebCore::updateTreeAfterInsertion
0x684a222f [chrome.dll] - containernode.cpp:686 WebCore::ContainerNode::appendChild(WTF::PassRefPtr<WebCore::Node>,int &,bool)
0x684f80c5 [chrome.dll] - node.cpp:570 WebCore::Node::appendChild(WTF::PassRefPtr<WebCore::Node>,int &,bool)
0x684f7fff [chrome.dll] - api.cc:4842 v8::FunctionTemplate::HasInstance(v8::Handle<v8::Value>)
0x68392cee [chrome.dll] - builtins.cc:1350 v8::internal::HandleApiCallHelper<0>
0x68392ac5 [chrome.dll] - builtins.cc:1368 v8::internal::Builtin_HandleApiCall
0x0022e033
0x2dee2478

We're constructing a new FrameView for the main Frame, but haven't set it as the mainFrame's view yet.
James Robinson
Comment 1 2013-01-31 14:38:05 PST
From the stacktrace it looks like we're actually navigating a subframe and aren't removing objects from the viewport constrained set properly.
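An added illustration, not WebKit code, of the failure class Comment 1 points at: a coordinator keeps raw pointers to objects owned by frame views, so when a subframe navigates those objects must leave the set together with their view, or the next query walks freed memory. All names here (Coordinator, ConstrainedObject, View, navigateSubframe) are hypothetical stand-ins; the block shows registration tied to the object's lifetime, which is what keeps the set free of dangling entries.

```cpp
#include <cassert>
#include <memory>
#include <unordered_set>
#include <vector>

struct ConstrainedObject;  // hypothetical stand-in for a fixed-position renderer

// Hypothetical stand-in for the viewport-constrained set kept by ScrollingCoordinator.
class Coordinator {
public:
    void add(ConstrainedObject* o) { m_objects.insert(o); }
    void remove(ConstrainedObject* o) { m_objects.erase(o); }
    std::size_t count() const { return m_objects.size(); }
    bool hasVisibleObjects() const;  // analogue of hasVisibleSlowRepaintViewportConstrainedObjects()
private:
    std::unordered_set<ConstrainedObject*> m_objects;
};

// RAII: the object registers itself on construction and unregisters on destruction,
// so tearing down the owning view cannot leave a dangling pointer in the set.
struct ConstrainedObject {
    ConstrainedObject(Coordinator& c, bool v) : coordinator(c), visible(v) { coordinator.add(this); }
    ~ConstrainedObject() { coordinator.remove(this); }
    Coordinator& coordinator;
    bool visible;
};

// Walks the set, so every pointer in it must still refer to a live object.
bool Coordinator::hasVisibleObjects() const {
    for (const ConstrainedObject* o : m_objects)
        if (o->visible) return true;
    return false;
}
// Hypothetical frame view that owns its constrained objects.
struct View {
    std::vector<std::unique_ptr<ConstrainedObject>> objects;
};

// Models "navigate a subframe": the old view and its objects are destroyed, after
// which the coordinator is queried again. Returns the number of entries still
// registered after teardown; anything but 0 would be a dangling pointer.
std::size_t navigateSubframe(Coordinator& c) {
    auto oldView = std::make_unique<View>();
    oldView->objects.push_back(std::make_unique<ConstrainedObject>(c, true));
    oldView->objects.push_back(std::make_unique<ConstrainedObject>(c, false));
    assert(c.count() == 2 && c.hasVisibleObjects());
    oldView.reset();  // destructors unregister each object; the query that crashed is now safe
    return c.count();
}
```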