WebContent often crashes in RenderBlock::paint at <https://www.flickr.com/photos/goopymart/14052958504/>. We think this may have been caused by r167879.

Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000100000520

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.WebCore 0x000000010870cd82 WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) + 274
1 com.apple.WebCore 0x0000000107e0d1b8 WebCore::RenderFlexibleBox::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool) + 88
2 com.apple.WebCore 0x0000000107cbce26 WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 214
3 com.apple.WebCore 0x0000000107cbc0db WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 459
4 com.apple.WebCore 0x0000000107cbe36b WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) + 283
5 com.apple.WebCore 0x0000000107cbccc7 WebCore::RenderLayer::paintForegroundForFragmentsWithPhase(WebCore::PaintPhase, WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow> const&, WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int, WebCore::RenderObject*) + 391
6 com.apple.WebCore 0x0000000107cbc911 WebCore::RenderLayer::paintForegroundForFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow> const&, WebCore::GraphicsContext*, WebCore::GraphicsContext*, WebCore::LayoutRect const&, bool, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int, WebCore::RenderObject*, bool, bool) + 337
7 com.apple.WebCore 0x0000000107cba9f1 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext*, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int) + 1953
8 com.apple.WebCore 0x0000000107ce4334 WebCore::RenderLayerBacking::paintIntoLayer(WebCore::GraphicsLayer const*, WebCore::GraphicsContext*, WebCore::IntRect const&, unsigned int, unsigned int) + 404
9 com.apple.WebCore 0x000000010876cbdf WebCore::RenderLayerBacking::paintContents(WebCore::GraphicsLayer const*, WebCore::GraphicsContext&, unsigned int, WebCore::FloatRect const&) + 687
10 com.apple.WebCore 0x000000010819c9ff WebCore::GraphicsLayer::paintGraphicsLayerContents(WebCore::GraphicsContext&, WebCore::FloatRect const&) + 143
11 com.apple.WebCore 0x0000000108998b59 WebCore::drawLayerContents(CGContext*, WebCore::PlatformCALayer*, WTF::Vector<WebCore::FloatRect, 5ul, WTF::CrashOnOverflow>&) + 361
12 com.apple.WebCore 0x0000000107d0a96d -[WebLayer drawInContext:] + 61
<rdar://problem/16752448>
Manuel, could you take a look?
(In reply to comment #2)
> Manuel, could you take a look?

Yes, it seems it was introduced by my changes in OrderIterator. I'm uploading a new patch porting https://codereview.chromium.org/19558006 that seems to be fixing the issue here. It would be great if you could verify it.
Created attachment 230382 [details] Patch
Comment on attachment 230382 [details] Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=230382&action=review

> Source/WebCore/ChangeLog:15
> + The solution is simple: just clear the memory when we remove a child.

"clear the memory" doesn't really match removing all items from the m_children vector.
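The bug class behind this crash, as an added illustration (hypothetical code, not WebKit's OrderIterator or RenderBlock): a container keeps a lazily built, order-sorted cache of raw child pointers, and if a child is destroyed without the cache being cleared, the next paint walks a dangling pointer. The `FlexContainer`, `Box`, and `cacheIsConsistent` names are assumptions made here; the constructor flag selects the fixed behaviour (clear the cache on removal) or the stale-cache behaviour.

```cpp
#include <algorithm>
#include <memory>
#include <vector>

// Hypothetical flex item carrying a CSS 'order' value (not WebKit's RenderBox).
struct Box { int id; int order; };

// Hypothetical container modelled on the bug: an order-sorted cache of raw
// child pointers outlives the children it points at unless it is cleared.
class FlexContainer {
public:
    explicit FlexContainer(bool clearCacheOnRemove) : m_clearCacheOnRemove(clearCacheOnRemove) {}

    void addChild(int id, int order) {
        m_children.push_back(std::unique_ptr<Box>(new Box{id, order}));
        m_orderedCache.clear(); // ordering is stale once the child set changes
    }

    void removeChild(int id) {
        auto it = std::find_if(m_children.begin(), m_children.end(),
            [id](const std::unique_ptr<Box>& b) { return b->id == id; });
        if (it == m_children.end())
            return;
        m_children.erase(it); // the Box is freed here
        if (m_clearCacheOnRemove)
            m_orderedCache.clear(); // the fix: drop every cached pointer to it
    }

    // Rebuilds the sorted cache only when it is empty, as a lazy cache would.
    const std::vector<Box*>& orderedChildren() {
        if (m_orderedCache.empty()) {
            for (const auto& child : m_children)
                m_orderedCache.push_back(child.get());
            std::stable_sort(m_orderedCache.begin(), m_orderedCache.end(),
                [](const Box* a, const Box* b) { return a->order < b->order; });
        }
        return m_orderedCache;
    }

    // Defensive check: every cached pointer must still name a live child.
    // Only pointer identity is compared; nothing cached is dereferenced.
    bool cacheIsConsistent() const {
        return std::all_of(m_orderedCache.begin(), m_orderedCache.end(), [this](const Box* cached) {
            return std::any_of(m_children.begin(), m_children.end(),
                [cached](const std::unique_ptr<Box>& b) { return b.get() == cached; });
        });
    }

private:
    bool m_clearCacheOnRemove;
    std::vector<std::unique_ptr<Box>> m_children;
    std::vector<Box*> m_orderedCache;
};
```

With the flag set to false, `cacheIsConsistent()` reports the stale entry after a removal, which is the state the painting code above was iterating when it crashed.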
Comment on attachment 230382 [details] Patch
Clearing flags on attachment: 230382
Committed r167942: <http://trac.webkit.org/changeset/167942>
All reviewed patches have been landed. Closing bug.