Bug 108524 - Crash under FrameView::isRubberBandInProgress() during FrameView creation
Summary: Crash under FrameView::isRubberBandInProgress() during FrameView creation
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-01-31 14:15 PST by James Robinson
Modified: 2013-02-21 17:46 PST
CC: 3 users

See Also:

Description James Robinson 2013-01-31 14:15:30 PST
Copied from https://code.google.com/p/chromium/issues/detail?id=173009:

Thread 0 *CRASHED* ( EXCEPTION_ACCESS_VIOLATION_READ @ 0xfffffffffaa6fc6a )

0x68abf5e3  [chrome.dll]  scrollingcoordinator.cpp:436  WebCore::ScrollingCoordinator::hasVisibleSlowRepaintViewportConstrainedObjects(WebCore::FrameView *)
0x68abf6a3  [chrome.dll]  scrollingcoordinator.cpp:463  WebCore::ScrollingCoordinator::mainThreadScrollingReasons()
0x682a27dd  [chrome.dll]  frameview.cpp:1919  WebCore::FrameView::isRubberBandInProgress()
0x68285408  [chrome.dll]  scrollview.cpp:618  WebCore::ScrollView::updateScrollbars(WebCore::IntSize const &)
0x689315ff  [chrome.dll]  scrollview.cpp:188  WebCore::ScrollView::setCanHaveScrollbars(bool)
0x68a7e82c  [chrome.dll]  frameview.cpp:507  WebCore::FrameView::setCanHaveScrollbars(bool)
0x6820a110  [chrome.dll]  frameview.cpp:352  WebCore::FrameView::init()
0x68209f6f  [chrome.dll]  frameview.cpp:202  WebCore::FrameView::FrameView(WebCore::Frame *)
0x68209798  [chrome.dll]  frame.cpp:796  WebCore::Frame::createView(WebCore::IntSize const &,WebCore::Color const &,bool,WebCore::IntSize const &,WebCore::IntRect const &,bool,WebCore::ScrollbarMode,bool,WebCore::ScrollbarMode,bool)
0x6820953d  [chrome.dll]  webframeimpl.cpp:2280  WebKit::WebFrameImpl::createFrameView()
0x68208edd  [chrome.dll]  frameloader.cpp:1864  WebCore::FrameLoader::transitionToCommitted(WTF::PassRefPtr<WebCore::CachedPage>)
0x682084ed  [chrome.dll]  frameloader.cpp:1701  WebCore::FrameLoader::commitProvisionalLoad()
0x682082d3  [chrome.dll]  documentloader.cpp:283  WebCore::DocumentLoader::finishedLoading()
0x68207ada  [chrome.dll]  documentloader.cpp:880  WebCore::DocumentLoader::maybeLoadEmpty()
0x682075a5  [chrome.dll]  documentloader.cpp:890  WebCore::DocumentLoader::startLoadingMainResource()
0x68204e97  [chrome.dll]  frameloader.cpp:261  WebCore::FrameLoader::init()
0x6944d834  [chrome.dll]  webframeimpl.cpp:2242  WebKit::WebFrameImpl::createChildFrame(WebCore::FrameLoadRequest const &,WebCore::HTMLFrameOwnerElement *)
0x6945f4cc  [chrome.dll]  frameloaderclientimpl.cpp:1477  WebKit::FrameLoaderClientImpl::createFrame(WebCore::KURL const &,WTF::String const &,WebCore::HTMLFrameOwnerElement *,WTF::String const &,bool,int,int)
0x68af7b3b  [chrome.dll]  subframeloader.cpp:367  WebCore::SubframeLoader::loadSubframe(WebCore::HTMLFrameOwnerElement *,WebCore::KURL const &,WTF::String const &,WTF::String const &)
0x68af79cf  [chrome.dll]  subframeloader.cpp:341  WebCore::SubframeLoader::loadOrRedirectSubframe(WebCore::HTMLFrameOwnerElement *,WebCore::KURL const &,WTF::AtomicString const &,bool,bool)
0x68af6bc2  [chrome.dll]  subframeloader.cpp:87  WebCore::SubframeLoader::requestFrame(WebCore::HTMLFrameOwnerElement *,WTF::String const &,WTF::AtomicString const &,bool,bool)
0x68e74c66  [chrome.dll]  htmlframeelementbase.cpp:88  WebCore::HTMLFrameElementBase::openURL(bool,bool)
0x68e7503e  [chrome.dll]  htmlframeelementbase.cpp:141  WebCore::HTMLFrameElementBase::setNameAndOpenURL()
0x68e7508e  [chrome.dll]  htmlframeelementbase.cpp:172  WebCore::HTMLFrameElementBase::didNotifySubtreeInsertions(WebCore::ContainerNode *)
0x6822de07  [chrome.dll]  containernodealgorithms.h:230  WebCore::ChildNodeInsertionNotifier::notify(WebCore::Node *)
0x684a262c  [chrome.dll]  containernode.cpp:1105  WebCore::updateTreeAfterInsertion
0x684a222f  [chrome.dll]  containernode.cpp:686  WebCore::ContainerNode::appendChild(WTF::PassRefPtr<WebCore::Node>,int &,bool)
0x684f80c5  [chrome.dll]  node.cpp:570  WebCore::Node::appendChild(WTF::PassRefPtr<WebCore::Node>,int &,bool)
0x684f7fff  [chrome.dll]  api.cc:4842  v8::FunctionTemplate::HasInstance(v8::Handle<v8::Value>)
0x68392cee  [chrome.dll]  builtins.cc:1350  v8::internal::HandleApiCallHelper<0>
0x68392ac5  [chrome.dll]  builtins.cc:1368  v8::internal::Builtin_HandleApiCall
0x0022e033
0x2dee2478

We're constructing a new FrameView for the main Frame, but haven't set it as the mainFrame's view yet.
Comment 1 James Robinson 2013-01-31 14:38:05 PST
From the stacktrace it looks like we're actually navigating a subframe and aren't removing objects from the viewport constrained set properly.
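As an added illustration of the failure mode James describes in comment 1, and not code from WebKit or from the bug report: a small C++ model in which renderers register themselves in a per-view set of raw pointers, and the teardown path either does or does not remove them before the renderer is freed. The names View, Renderer, staleEntries and simulateNavigation are assumed for the model; WebKit's real FrameView, RenderObject and ScrollingCoordinator are not reproduced. The walk over the set stands in for hasVisibleSlowRepaintViewportConstrainedObjects(), but counts dangling entries instead of dereferencing them, so the model stays well-defined while showing the same stale-pointer condition.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <set>
#include <vector>

// Illustrative model only (not WebKit code) of the hypothesis in comment 1:
// a view holds raw pointers to renderers that force main-thread scrolling,
// and a coordinator walks that set while a new view is being constructed.
// Names here (View, Renderer, staleEntries, simulateNavigation) are assumed.

class Renderer;

struct View {
    // Non-owning: the document owns the renderers, so every entry must be
    // erased before its renderer is destroyed or the entry dangles.
    std::set<Renderer*> viewportConstrained;
};

class Renderer {
public:
    Renderer(View& view, bool constrained, bool unregisterOnDestroy)
        : m_view(view), m_unregisterOnDestroy(unregisterOnDestroy) {
        if (constrained)
            m_view.viewportConstrained.insert(this);
        s_live.insert(this);
    }
    ~Renderer() {
        s_live.erase(this);
        // Correct teardown: drop our entry from the view's set. The buggy
        // path (unregisterOnDestroy == false) skips this, which is the
        // "not removing objects from the viewport constrained set properly"
        // situation comment 1 suspects.
        if (m_unregisterOnDestroy)
            m_view.viewportConstrained.erase(this);
    }
    // Liveness registry standing in for what a sanitizer would report. It is
    // only trustworthy while no new Renderer can reuse a freed address, which
    // holds in simulateNavigation() because nothing is allocated after teardown.
    static bool isLive(const Renderer* r) { return s_live.count(r) != 0; }

private:
    View& m_view;
    bool m_unregisterOnDestroy;
    static std::set<const Renderer*> s_live;
};
std::set<const Renderer*> Renderer::s_live;

// Stand-in for the coordinator's walk: instead of dereferencing each entry
// (which the real function does, and which is the invalid read in the crash
// above), count the entries whose renderer no longer exists. Any nonzero
// result means the real walk would touch freed memory.
std::size_t staleEntries(const View& view) {
    std::size_t stale = 0;
    for (Renderer* r : view.viewportConstrained)
        if (!Renderer::isLive(r))
            ++stale;
    return stale;
}

// Build a document with two viewport-constrained renderers and one ordinary
// one, tear the document down (the subframe navigates away), then query the
// set the way the coordinator does during the new FrameView's construction.
std::size_t simulateNavigation(bool unregisterOnDestroy) {
    View view;
    {
        std::vector<std::unique_ptr<Renderer>> document;
        document.push_back(std::make_unique<Renderer>(view, true, unregisterOnDestroy));
        document.push_back(std::make_unique<Renderer>(view, false, unregisterOnDestroy));
        document.push_back(std::make_unique<Renderer>(view, true, unregisterOnDestroy));
    } // old document destroyed here
    return staleEntries(view);
}

int main() {
    std::printf("buggy teardown leaves %zu dangling entries\n", simulateNavigation(false));
    std::printf("correct teardown leaves %zu dangling entries\n", simulateNavigation(true));
    return 0;
}
```

With the buggy teardown the set keeps two entries that point at freed renderers; with unregistration in the destructor it is empty. In a real engine the cheap structural fix is the one the model shows (unregister in the destructor or in the willBeDestroyed path), and the confirming check is to run the reproducer under AddressSanitizer, which reports the read in the coordinator's walk as a use-after-free rather than the bogus-address access violation in the trace above.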