Bug 136589 - FrameView::adjustTiledBackingCoverage can use the RenderView before the new document is swapped in
Summary: FrameView::adjustTiledBackingCoverage can use the RenderView before the new d...
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering (show other bugs)
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-09-05 16:22 PDT by Tim Horton
Modified: 2014-09-05 16:33 PDT (History)
4 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Tim Horton 2014-09-05 16:22:00 PDT 
Steps to Reproduce:

1. Adjust FrameView::renderView to be this:

RenderView* FrameView::renderView() const
{
    RenderView* renderView = frame().contentRenderer();
    ASSERT(!renderView || &renderView->frameView() == this);
    return renderView;
}

2. Run the layout tests. For me, loader/go-back-to-different-window-size.html and fast/history/timed-refresh-in-cached-frame.html both failed with:

0   com.apple.JavaScriptCore      	0x00000001133596ca WTFCrash + 42
1   com.apple.WebCore             	0x0000000114fecded WebCore::FrameView::renderView() const + 109 (FrameView.cpp:4549)
2   com.apple.WebCore             	0x0000000114ff5e53 WebCore::FrameView::adjustTiledBackingCoverage() + 51 (FrameView.cpp:2359)
3   com.apple.WebCore             	0x0000000114feb474 WebCore::FrameView::speculativeTilingEnableTimerFired(WebCore::Timer<WebCore::FrameView>&) + 68 (FrameView.cpp:2395)
4   com.apple.WebCore             	0x00000001150100b7 std::__1::__function::__func<std::__1::__bind<void (WebCore::FrameView::*&)(WebCore::Timer<WebCore::FrameView>&), WebCore::FrameView*&, std::__1::reference_wrapper<WebCore::Timer<WebCore::FrameView> > >, std::__1::allocator<std::__1::__bind<void (WebCore::FrameView::*&)(WebCore::Timer<WebCore::FrameView>&), WebCore::FrameView*&, std::__1::reference_wrapper<WebCore::Timer<WebCore::FrameView> > > >, void ()>::operator()() + 359 (functional:1370)
5   com.apple.WebCore             	0x000000011473b8aa std::__1::function<void ()>::operator()() const + 26 (functional:1755)
6   com.apple.WebCore             	0x000000011500cbdc WebCore::Timer<WebCore::FrameView>::fired() + 28 (Timer.h:134)

This means that FrameView::adjustTiledBackingCoverage is using the RenderView from a different Document (most likely, we haven't swapped the new document in yet).