Bug 145042 - Crash in RenderFlowThread::popFlowThreadLayoutState() due to mismatched push/pop count
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Jer Noble
Reported: 2015-05-14 23:55 PDT by Jer Noble
Modified: 2015-05-15 10:20 PDT

Attachments
Patch (2.95 KB, patch)
2015-05-15 00:22 PDT, Jer Noble

Description Jer Noble 2015-05-14 23:55:41 PDT
Crash in RenderFlowThread::popFlowThreadLayoutState() due to mismatched push/pop count
Comment 1 Jer Noble 2015-05-15 00:22:10 PDT
Created attachment 253180
Patch
Comment 2 Andrei Bucur 2015-05-15 08:31:56 PDT
I wonder why this never crashed before. Do you have a test that reproduces this situation? It sounds a bit strange to call layout twice for a renderer in the same stack.
Comment 3 Jon Lee 2015-05-15 08:46:24 PDT
Andrei, see bug 144973.
Comment 4 Jer Noble 2015-05-15 09:02:59 PDT
(In reply to comment #2)
> It sounds a bit strange to call layout twice for a renderer in the same stack.

That's true, but it's not necessarily a 1:1 mapping of layout()-to-push(). For example, in the case I mention in the ChangeLog, the FrameView is pushing its `root` on the stack, the `root` is pushing itself on the stack, and root->layout() is only called once.
Comment 5 Dave Hyatt 2015-05-15 09:23:32 PDT
Comment on attachment 253180
Patch

r=me
Comment 6 Jon Lee 2015-05-15 09:27:29 PDT
Is it possible to add a test?
Comment 7 Jer Noble 2015-05-15 09:30:00 PDT
(In reply to comment #6)
> Is it possible to add a test?

Well, sort of. By adding the proposed changes in the bug you mentioned, we'll be testing this change implicitly in those failing tests (the ones that triggered the roll-out).
Comment 8 Andrei Bucur 2015-05-15 09:32:15 PDT
Ok, that sounds great, thanks for the clarifications!
Comment 9 WebKit Commit Bot 2015-05-15 10:16:46 PDT
Comment on attachment 253180
Patch

Clearing flags on attachment: 253180

Committed r184394: <http://trac.webkit.org/changeset/184394>
Comment 10 WebKit Commit Bot 2015-05-15 10:16:57 PDT
All reviewed patches have been landed.  Closing bug.
Comment 11 Simon Fraser (smfr) 2015-05-15 10:20:16 PDT
Was this not testable?