Bug 147848 - Invalid FrameView::m_viewportRenderer after layout is finished.
Summary: Invalid FrameView::m_viewportRenderer after layout is finished.
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering
Version: 528+ (Nightly build)
Hardware: Unspecified / OS: Unspecified
Importance: P2 Normal
Assignee: zalan
URL:
Keywords: InRadar
Duplicates: 149495
Reported: 2015-08-10 15:37 PDT by zalan
Modified: 2016-06-13 18:10 PDT
Attachments
Patch (10.60 KB, patch)
2015-08-10 15:40 PDT, zalan
Patch (10.62 KB, patch)
2015-08-11 10:53 PDT, zalan
Patch (10.62 KB, patch)
2015-08-11 12:54 PDT, zalan

Description zalan 2015-08-10 15:37:16 PDT
0   WebCore                       	0x000000019680c128 WebCore::FrameView::contentsSizeRespectingOverflow() const + 128 (RenderStyle.h:306)
1   WebCore                       	0x000000019680c120 WebCore::FrameView::contentsSizeRespectingOverflow() const + 120 (FrameView.cpp:629)
2   WebKit                        	0x000000018acb73e0 WebKit::WebPage::mainFrameDidLayout() + 128 (WebPage.cpp:3522)
3   WebCore                       	0x00000001963bf3f0 WebCore::FrameView::performPostLayoutTasks() + 164 (FrameView.cpp:3045)
4   WebCore                       	0x00000001963ba964 WebCore::FrameView::layout(bool) + 496 (TemporaryChange.h:55)
5   WebCore                       	0x00000001966c32c8 WebCore::Document::updateLayoutIfDimensionsOutOfDate(WebCore::Element&, WebCore::DimensionsCheck) + 1312 (Document.cpp:2036)
6   WebCore                       	0x0000000196475a50 WebCore::Element::clientWidth() + 40 (Node.h:395)
7   WebCore                       	0x0000000196a7d39c WebCore::jsElementClientWidth(JSC::ExecState*, JSC::JSObject*, long long, JSC::PropertyName) + 48 (JSCJSValueInlines.h:141)
8   JavaScriptCore                	0x000000018608d590 JSC::LLInt::getByVal(JSC::ExecState*, JSC::JSValue, JSC::JSValue) + 3284 (PropertySlot.h:257)
9   JavaScriptCore                	0x000000018606c110 llint_slow_path_get_by_val + 180 (LLIntSlowPaths.cpp:749)
10  JavaScriptCore                	0x00000001864b331c llint_entry + 12620
11  JavaScriptCore                	0x00000001864b5e34 llint_entry + 23652
12  JavaScriptCore                	0x00000001864b5e34 llint_entry + 23652
13  JavaScriptCore                	0x00000001864b5e34 llint_entry + 23652
14  JavaScriptCore                	0x00000001864b5e34 llint_entry + 23652
15  ???                           	0x000000014b09cbc0 0 + 5553900480
16  JavaScriptCore                	0x00000001864b5dd0 llint_entry + 23552
17  JavaScriptCore                	0x00000001864b6004 llint_entry + 24116
18  JavaScriptCore                	0x00000001864b5dd0 llint_entry + 23552
19  JavaScriptCore                	0x00000001864b5e34 llint_entry + 23652
20  JavaScriptCore                	0x00000001864b6004 llint_entry + 24116
21  JavaScriptCore                	0x00000001864b5e34 llint_entry + 23652
22  JavaScriptCore                	0x00000001864b6004 llint_entry + 24116
23  JavaScriptCore                	0x00000001864b5e34 llint_entry + 23652
24  JavaScriptCore                	0x00000001864b5e34 llint_entry + 23652
25  JavaScriptCore                	0x00000001864b5e34 llint_entry + 23652
26  JavaScriptCore                	0x00000001864b5e34 llint_entry + 23652
27  JavaScriptCore                	0x00000001864b5e34 llint_entry + 23652
28  JavaScriptCore                	0x00000001864affb8 vmEntryToJavaScript + 312
29  JavaScriptCore                	0x00000001863dcd04 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 180 (VM.h:384)
30  JavaScriptCore                	0x000000018605e39c JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) + 8204 (Interpreter.cpp:901)
31  JavaScriptCore                	0x00000001861b65e8 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) + 440 (Completion.cpp:82)
32  WebCore                       	0x0000000196f1ad28 WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&) + 292 (JSMainThreadExecState.h:62)
33  WebCore                       	0x000000019636aa54 WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) + 340 (ScriptElement.cpp:309)
34  WebCore                       	0x00000001964a89bc WebCore::ScriptElement::execute(WebCore::CachedScript*) + 188 (StdLibExtras.h:374)
35  WebCore                       	0x0000000196f2134c WebCore::ScriptRunner::timerFired() + 468 (ScriptRunner.cpp:122)
36  WebCore                       	0x0000000196342ca8 WebCore::ThreadTimers::sharedTimerFiredInternal() + 148 (ThreadTimers.cpp:135)
37  WebCore                       	0x0000000196342be8 WebCore::timerFired(__CFRunLoopTimer*, void*) + 36 (SharedTimerCF.cpp:82)
38  CoreFoundation                	0x00000001849c97d4 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 28 (CFRunLoop.c:1630)
39  CoreFoundation                	0x00000001849c9478 __CFRunLoopDoTimer + 884 (CFRunLoop.c:2168)
40  CoreFoundation                	0x00000001849c6b8c __CFRunLoopRun + 1520 (CFRunLoop.c:2306)
41  CoreFoundation                	0x00000001848f58a0 CFRunLoopRunSpecific + 384 (CFRunLoop.c:2814)
42  Foundation                    	0x000000018586894c -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 308 (NSRunLoop.m:367)
43  Foundation                    	0x00000001858bdf74 -[NSRunLoop(NSRunLoop) run] + 88 (NSRunLoop.m:388)
44  libxpc.dylib                  	0x0000000199eccd4c _xpc_objc_main + 660 (main.m:177)
45  libxpc.dylib                  	0x0000000199ecea80 xpc_main + 200 (init.c:1395)
46  com.apple.WebKit.WebContent   	0x00000001000ab924 main + 56 (XPCServiceMain.mm:89)
47  libdyld.dylib                 	0x0000000199caa8b8 start + 4 (start_glue.s:80)
Comment 1 zalan 2015-08-10 15:37:33 PDT
rdar://problem/22205197
Comment 2 zalan 2015-08-10 15:40:45 PDT
Created attachment 258659 [details]
Patch
Comment 3 zalan 2015-08-10 15:41:06 PDT
Need to construct a test case.
Comment 4 zalan 2015-08-11 10:53:43 PDT
Created attachment 258726 [details]
Patch
Comment 5 Darin Adler 2015-08-11 11:34:32 PDT
Comment on attachment 258726 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=258726&action=review

> Source/WebCore/page/FrameView.cpp:624
> +    if (!renderView || !viewportRenderer || !is<RenderBox>(viewportRenderer) || !frame().isMainFrame())
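Review bot: the guard at FrameView.cpp:624 only rejects a null or non-RenderBox `viewportRenderer`; it cannot by itself catch the condition in the bug title, a `m_viewportRenderer` that still points at a renderer torn down after layout, because a dangling pointer is neither null nor type-mismatched. The quoted line should be read together with the part of the patch that clears or recomputes `m_viewportRenderer` when the renderer goes away, and a one-line comment here (or a ChangeLog sentence) saying whether this check is the fix or a consistency guard would make that relationship clear to the next reader.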

This:

    !viewportRenderer || !is<RenderBox>(viewportRenderer)

Is the same as this:

    !is<RenderBox>(viewportRenderer)

So I think we should remove the extra null check.
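As an added illustration of the point above (not code from the patch or from WebCore): a minimal model of a WebKit-style `is<T>()` with a pointer overload, showing that it already returns false for a null pointer, so the two guards are equivalent for a null, a box and a non-box renderer. `RenderObject`, `RenderBox`, `RenderInline`, `TypeCastTraits` and the `guard*` functions are constructed for this example and only borrow WebKit's naming.

```cpp
// Added example (not WebCore code): a minimal model of the WebKit-style is<T>()
// type check, showing why "!p || !is<T>(p)" reduces to "!is<T>(p)".
// RenderObject, RenderBox and is<> follow WebKit naming only for readability.
#include <cassert>

struct RenderObject {
    virtual ~RenderObject() = default;
    virtual bool isBox() const { return false; }
};

struct RenderBox : RenderObject {
    bool isBox() const override { return true; }
};

// A renderer that is not a box, to exercise the type-mismatch branch.
struct RenderInline : RenderObject { };

// Per-target trait, mirroring the TypeCasts.h pattern: each castable type
// says how to test for it on a base reference. Targets without a
// specialization fail to compile rather than silently returning false.
template<typename Target> struct TypeCastTraits;
template<> struct TypeCastTraits<RenderBox> {
    static bool isOfType(const RenderObject& object) { return object.isBox(); }
};

// Reference form: the caller guarantees the object exists.
template<typename Target>
bool is(const RenderObject& object) { return TypeCastTraits<Target>::isOfType(object); }

// Pointer form: null-safe by construction. A null pointer yields false, so a
// separate "!p" test in front of "!is<T>(p)" adds nothing.
template<typename Target>
bool is(const RenderObject* object) { return object && is<Target>(*object); }

// The condition as first written in the patch under review.
bool guardWithNullCheck(const RenderObject* viewportRenderer) {
    return !viewportRenderer || !is<RenderBox>(viewportRenderer);
}

// The simplified condition suggested in the review.
bool guardSimplified(const RenderObject* viewportRenderer) {
    return !is<RenderBox>(viewportRenderer);
}

// Compares both forms over the three cases that matter: null, a box, a non-box.
bool guardsAgree() {
    RenderBox box;
    RenderInline inlineRenderer;
    const RenderObject* cases[] = { nullptr, &box, &inlineRenderer };
    for (const RenderObject* renderer : cases) {
        if (guardWithNullCheck(renderer) != guardSimplified(renderer))
            return false;
    }
    return true;
}

int main() {
    assert(guardsAgree());
    return guardsAgree() ? 0 : 1;
}
```

The equivalence holds because null handling lives inside the pointer overload, not at each call site; that is what makes the shorter form safe to prefer. It says nothing about a pointer to an already-destroyed object, which is a lifetime question the type check cannot answer.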
Comment 6 zalan 2015-08-11 11:35:47 PDT
(In reply to comment #5)
> Comment on attachment 258726 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=258726&action=review
> 
> > Source/WebCore/page/FrameView.cpp:624
> > +    if (!renderView || !viewportRenderer || !is<RenderBox>(viewportRenderer) || !frame().isMainFrame())
> 
> This:
> 
>     !viewportRenderer || !is<RenderBox>(viewportRenderer)
> 
> Is the same as this:
> 
>     !is<RenderBox>(viewportRenderer)
> 
> So I think we should remove the extra null check.
Good point!
Comment 7 zalan 2015-08-11 12:54:23 PDT
Created attachment 258740 [details]
Patch
Comment 8 WebKit Commit Bot 2015-08-11 14:50:53 PDT
Comment on attachment 258740 [details]
Patch

Clearing flags on attachment: 258740

Committed r188298: <http://trac.webkit.org/changeset/188298>
Comment 9 WebKit Commit Bot 2015-08-11 14:50:56 PDT
All reviewed patches have been landed.  Closing bug.
Comment 10 David Kilzer (:ddkilzer) 2015-08-11 19:59:18 PDT
Comment on attachment 258740 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=258740&action=review

> Source/WebCore/page/FrameView.cpp:758
> +    auto documentElement = document->documentElement();
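Review bot: `document->documentElement()` returns a pointer that is null for a document with no root element yet, and the quoted line at FrameView.cpp:758 does not show how `documentElement` is checked before it is used; please confirm the lines that follow test it (or return early) so the post-layout path does not dereference null.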

Shouldn't this be of type "auto*" as it is later in the patch?

    auto* documentElement = document->documentElement();
Comment 11 zalan 2015-08-11 20:03:17 PDT
Comment on attachment 258740 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=258740&action=review

>> Source/WebCore/page/FrameView.cpp:758
>> +    auto documentElement = document->documentElement();
> 
> Shouldn't this be of type "auto*" as it is later in the patch?
> 
>     auto* documentElement = document->documentElement();

It should! I'll fix it in one of my upcoming patches. (note: it does not change functionality)
Comment 12 David Kilzer (:ddkilzer) 2016-06-13 18:10:26 PDT
*** Bug 149495 has been marked as a duplicate of this bug. ***