Bug 148182 - PDFPlugin's scrollableArea container is not properly unregistered when page is going into the PageCache
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering
Version: WebKit Nightly Build
Hardware: Unspecified
Importance: P2 Normal
Assignee: Simon Fraser (smfr)
Keywords: InRadar

Reported: 2015-08-19 12:39 PDT by Brent Fulgham
Modified: 2016-02-17 13:27 PST

Attachments
Patch (2.61 KB, patch)
2015-08-19 13:37 PDT, Brent Fulgham
dino: review+
Patch (9.88 KB, patch)
2016-02-17 12:14 PST, Simon Fraser (smfr)
bfulgham: review+

Description Brent Fulgham 2015-08-19 12:39:04 PDT
WebKit is crashing when some pages (those containing PluginViews, but perhaps others) are restored from the PageCache. This is happening because the FrameView holds onto a set of pointers to ScrollableAreas, but those render elements no longer exist when the page is revived from the cache.

To correct this, we must clear out these ScrollableArea pointers when the page goes into the PageCache. When the page is reconstituted from the cache, the layout pass will rebuild the set of ScrollableAreas that were in this container originally.
Comment 1 Brent Fulgham 2015-08-19 12:41:26 PDT
<rdar://problem/21969170>
Comment 2 Brent Fulgham 2015-08-19 13:37:22 PDT
Created attachment 259396 [details]
Patch
Comment 3 Brent Fulgham 2015-08-19 16:06:08 PDT
Committed r188659: <http://trac.webkit.org/changeset/188659>
Comment 4 Chris Dumez 2015-08-20 09:03:16 PDT
Comment on attachment 259396 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=259396&action=review

> Source/WebCore/ChangeLog:9
> +        Must be tested manually going back and forth in history several times.

We have plenty of layout tests for PageCache. Why can't we write one for this?
Comment 5 Simon Fraser (smfr) 2016-02-16 10:48:25 PST
Reopening. I'm rolling out because this caused bug 153404.
Comment 6 Simon Fraser (smfr) 2016-02-16 10:49:08 PST
Rolled out in https://trac.webkit.org/r196641.
Comment 7 Simon Fraser (smfr) 2016-02-16 16:14:20 PST
PDFPlugin::destroy() already has a call to frameView->removeScrollableArea(), so why doesn't this always work?
Comment 8 Simon Fraser (smfr) 2016-02-16 16:35:13 PST
Oh this is the usual page cache mess where we remove it from the wrong FrameView.
Comment 9 Simon Fraser (smfr) 2016-02-16 17:51:26 PST
So the real issue is that PDFPlugin invalidates the assumption that a page in the page cache is "frozen" and won't try to access the Frame etc. This is because it gets torn down under this stack, after going into the page cache:

* thread #1: tid = 0xd65515, 0x000000010e95a0cf WebKit`WebKit::PDFPlugin::destroy(this=0x0000000125d391d8) + 63 at DeprecatedPDFPlugin.mm:1104, queue = 'com.apple.main-thread', stop reason = breakpoint 14.1
  * frame #0: 0x000000010e95a0cf WebKit`WebKit::PDFPlugin::destroy(this=0x0000000125d391d8) + 63 at DeprecatedPDFPlugin.mm:1104
    frame #1: 0x000000010ebcbb6a WebKit`WebKit::Plugin::destroyPlugin(this=0x0000000125d391d8) + 26 at Plugin.cpp:101
    frame #2: 0x000000010ec4af59 WebKit`WebKit::PluginView::destroyPluginAndReset(this=0x0000000126033a40) + 265 at PluginView.cpp:357
    frame #3: 0x000000010ec4ace2 WebKit`WebKit::PluginView::~PluginView(this=0x0000000126033a40) + 322 at PluginView.cpp:342
    frame #4: 0x000000010ec4b015 WebKit`WebKit::PluginView::~PluginView(this=0x0000000126033a40) + 21 at PluginView.cpp:331
    frame #5: 0x000000010ec4b0f9 WebKit`WebKit::PluginView::~PluginView(this=0x0000000126033a40) + 25 at PluginView.cpp:331
    frame #6: 0x0000000114e564b3 WebCore`WTF::RefCounted<WebCore::Widget>::deref(this=0x0000000126033a48) + 83 at RefCounted.h:146
    frame #7: 0x00000001156be3ea WebCore`void WTF::derefIfNotNull<WebCore::Widget>(ptr=0x0000000126033a40) + 58 at PassRefPtr.h:42
    frame #8: 0x00000001156be3a9 WebCore`WTF::RefPtr<WebCore::Widget>::~RefPtr(this=0x0000000125183d70) + 41 at RefPtr.h:59
    frame #9: 0x00000001156bbb75 WebCore`WTF::RefPtr<WebCore::Widget>::~RefPtr(this=0x0000000125183d70) + 21 at RefPtr.h:59
    frame #10: 0x0000000116cae775 WebCore`WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*>::~KeyValuePair(this=0x0000000125183d70) + 21 at HashTraits.h:168
    frame #11: 0x0000000116cae745 WebCore`WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*>::~KeyValuePair(this=0x0000000125183d70) + 21 at HashTraits.h:168
    frame #12: 0x0000000116cae6d4 WebCore`WTF::HashTable<WTF::RefPtr<WebCore::Widget>, WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*>, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*> >, WTF::PtrHash<WTF::RefPtr<WebCore::Widget> >, WTF::HashMap<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*, WTF::PtrHash<WTF::RefPtr<WebCore::Widget> >, WTF::HashTraits<WTF::RefPtr<WebCore::Widget> >, WTF::HashTraits<WebCore::FrameView*> >::KeyValuePairTraits, WTF::HashTraits<WTF::RefPtr<WebCore::Widget> > >::deallocateTable(table=0x0000000125183d00, size=8) + 84 at HashTable.h:1139
    frame #13: 0x0000000116cae4ae WebCore`WTF::HashTable<WTF::RefPtr<WebCore::Widget>, WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*>, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*> >, WTF::PtrHash<WTF::RefPtr<WebCore::Widget> >, WTF::HashMap<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*, WTF::PtrHash<WTF::RefPtr<WebCore::Widget> >, WTF::HashTraits<WTF::RefPtr<WebCore::Widget> >, WTF::HashTraits<WebCore::FrameView*> >::KeyValuePairTraits, WTF::HashTraits<WTF::RefPtr<WebCore::Widget> > >::~HashTable(this=0x00007fff5141c098) + 62 at HashTable.h:359
    frame #14: 0x0000000116cae465 WebCore`WTF::HashTable<WTF::RefPtr<WebCore::Widget>, WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*>, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*> >, WTF::PtrHash<WTF::RefPtr<WebCore::Widget> >, WTF::HashMap<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*, WTF::PtrHash<WTF::RefPtr<WebCore::Widget> >, WTF::HashTraits<WTF::RefPtr<WebCore::Widget> >, WTF::HashTraits<WebCore::FrameView*> >::KeyValuePairTraits, WTF::HashTraits<WTF::RefPtr<WebCore::Widget> > >::~HashTable(this=0x00007fff5141c098) + 21 at HashTable.h:356
    frame #15: 0x0000000116cae445 WebCore`WTF::HashMap<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*, WTF::PtrHash<WTF::RefPtr<WebCore::Widget> >, WTF::HashTraits<WTF::RefPtr<WebCore::Widget> >, WTF::HashTraits<WebCore::FrameView*> >::~HashMap(this=0x00007fff5141c098) + 21 at HashMap.h:36
    frame #16: 0x0000000116cadb95 WebCore`WTF::HashMap<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*, WTF::PtrHash<WTF::RefPtr<WebCore::Widget> >, WTF::HashTraits<WTF::RefPtr<WebCore::Widget> >, WTF::HashTraits<WebCore::FrameView*> >::~HashMap(this=0x00007fff5141c098) + 21 at HashMap.h:36
    frame #17: 0x0000000116cab8d3 WebCore`WebCore::WidgetHierarchyUpdatesSuspensionScope::moveWidgets(this=0x00007fff5141c190) + 403 at RenderWidget.cpp:69
    frame #18: 0x0000000115179a5c WebCore`WebCore::WidgetHierarchyUpdatesSuspensionScope::~WidgetHierarchyUpdatesSuspensionScope(this=0x00007fff5141c190) + 108 at RenderWidget.h:43
    frame #19: 0x00000001151782d5 WebCore`WebCore::WidgetHierarchyUpdatesSuspensionScope::~WidgetHierarchyUpdatesSuspensionScope(this=0x00007fff5141c190) + 21 at RenderWidget.h:40
    frame #20: 0x0000000117029ebb WebCore`WebCore::Style::detachRenderTree(current=0x0000000125f5f280, detachType=NormalDetach) + 315 at StyleTreeResolver.cpp:615
    frame #21: 0x000000011702afc7 WebCore`WebCore::Style::detachRenderTree(element=0x0000000125f5f280) + 23 at StyleTreeResolver.cpp:939
    frame #22: 0x0000000115ab05d7 WebCore`WebCore::HTMLPlugInImageElement::prepareForDocumentSuspension(this=0x0000000125f5f280) + 55 at HTMLPlugInImageElement.cpp:318
    frame #23: 0x00000001154aa6ee WebCore`WebCore::Document::suspend(this=0x0000000125ec2bc0, reason=PageCache) + 222 at Document.cpp:4625
    frame #24: 0x00000001150475c4 WebCore`WebCore::CachedFrame::CachedFrame(this=0x00000001259e6f78, frame=0x000000012516e000) + 964 at CachedFrame.cpp:163

Note that we now put pages with plug-ins into the page cache (which probably triggered this bug).
Comment 10 Simon Fraser (smfr) 2016-02-16 18:06:38 PST
rdar://problem/24679436
Comment 11 Simon Fraser (smfr) 2016-02-16 18:16:22 PST
Actually this is the bad teardown stack:

* thread #1: tid = 0xd6f547, 0x0000000109056155 WebKit`WebKit::PDFPlugin::destroy(this=0x000000012054eb10) + 197 at DeprecatedPDFPlugin.mm:1113, queue = 'com.apple.main-thread', stop reason = breakpoint 18.1
  * frame #0: 0x0000000109056155 WebKit`WebKit::PDFPlugin::destroy(this=0x000000012054eb10) + 197 at DeprecatedPDFPlugin.mm:1113
    frame #1: 0x00000001092c7b6a WebKit`WebKit::Plugin::destroyPlugin(this=0x000000012054eb10) + 26 at Plugin.cpp:101
    frame #2: 0x0000000109346f59 WebKit`WebKit::PluginView::destroyPluginAndReset(this=0x000000011fe90740) + 265 at PluginView.cpp:357
    frame #3: 0x0000000109346ce2 WebKit`WebKit::PluginView::~PluginView(this=0x000000011fe90740) + 322 at PluginView.cpp:342
    frame #4: 0x0000000109347015 WebKit`WebKit::PluginView::~PluginView(this=0x000000011fe90740) + 21 at PluginView.cpp:331
    frame #5: 0x00000001093470f9 WebKit`WebKit::PluginView::~PluginView(this=0x000000011fe90740) + 25 at PluginView.cpp:331
    frame #6: 0x000000010f5594b3 WebCore`WTF::RefCounted<WebCore::Widget>::deref(this=0x000000011fe90748) + 83 at RefCounted.h:146
    frame #7: 0x000000010fdc13ea WebCore`void WTF::derefIfNotNull<WebCore::Widget>(ptr=0x000000011fe90740) + 58 at PassRefPtr.h:42
    frame #8: 0x000000010fdc13a9 WebCore`WTF::RefPtr<WebCore::Widget>::~RefPtr(this=0x00007fff56d2bee0) + 41 at RefPtr.h:59
    frame #9: 0x000000010fdbeb75 WebCore`WTF::RefPtr<WebCore::Widget>::~RefPtr(this=0x00007fff56d2bee0) + 21 at RefPtr.h:59
    frame #10: 0x00000001101ae9ac WebCore`WebCore::HTMLPlugInElement::defaultEventHandler(this=0x000000012075c280, event=0x00000001201a17f8) + 412 at HTMLPlugInElement.cpp:235
    frame #11: 0x00000001101b61a8 WebCore`WebCore::HTMLPlugInImageElement::defaultEventHandler(this=0x000000012075c280, event=0x00000001201a17f8) + 296 at HTMLPlugInImageElement.cpp:756
    frame #12: 0x000000010fd9ed96 WebCore`WebCore::callDefaultEventHandlersInTheBubblingOrder(event=0x00000001201a17f8, path=0x00007fff56d2c020) + 102 at EventDispatcher.cpp:134
    frame #13: 0x000000010fd9e4e1 WebCore`WebCore::EventDispatcher::dispatchEvent(origin=0x000000012075c280, event=0x00000001201a17f8) + 881 at EventDispatcher.cpp:239
    frame #14: 0x0000000110f1003d WebCore`WebCore::Node::dispatchEvent(this=0x000000012075c280, event=0x00000001201a17f8) + 29 at Node.cpp:2108
    frame #15: 0x000000010fdb090f WebCore`WebCore::EventHandler::keyEvent(this=0x000000011f76c000, initialKeyEvent=0x00007fff56d2c4a8) + 1519 at EventHandler.cpp:3054
    frame #16: 0x0000000111a37682 WebCore`WebCore::UserInputBridge::handleKeyEvent(this=0x00007fda18e106a0, keyEvent=0x00007fff56d2c4a8, inputSource=User) + 466 at UserInputBridge.cpp:170

and this happens when we navigate while handling a key event:

* thread #1: tid = 0xd7189e, 0x000000011602ac4f WebCore`WebCore::FrameLoader::commitProvisionalLoad(this=0x000000012596e0a0) + 47 at FrameLoader.cpp:1726, queue = 'com.apple.main-thread', stop reason = breakpoint 17.1
  * frame #0: 0x000000011602ac4f WebCore`WebCore::FrameLoader::commitProvisionalLoad(this=0x000000012596e0a0) + 47 at FrameLoader.cpp:1726
    frame #1: 0x000000011602fbf2 WebCore`WebCore::FrameLoader::loadProvisionalItemFromCachedPage(this=0x000000012596e0a0) + 290 at FrameLoader.cpp:3211
    frame #2: 0x0000000116029828 WebCore`WebCore::FrameLoader::continueLoadAfterNavigationPolicy(this=0x000000012596e0a0, request=0x00007fff50c47b70, formState=PassRefPtr<WebCore::FormState> @ 0x00007fff50c47690, shouldContinue=true, allowNavigationToInvalidURL=Yes) + 1080 at FrameLoader.cpp:3058
    frame #3: 0x0000000116037e9e WebCore`WebCore::FrameLoader::loadWithDocumentLoader(this=0x00007fff50c47dc8, request=0x00007fff50c47b70, formState=<unavailable>, shouldContinue=true)::$_4::operator()(WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool) const + 94 at FrameLoader.cpp:1446
    frame #4: 0x0000000116037e20 WebCore`void std::__1::__invoke_void_return_wrapper<void>::__call<WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>, WebCore::AllowNavigationToInvalidURL)::$_4&, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool>(WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>, WebCore::AllowNavigationToInvalidURL)::$_4&&&, WebCore::ResourceRequest const&&&, WTF::PassRefPtr<WebCore::FormState>&&, bool&&) [inlined] decltype(__f=0x00007fff50c47dc8, __args=0x00007fff50c47b70, __args=0x00007fff50c47850, __args=0x00007fff50c477e7)::$_4&>(fp)(std::__1::forward<WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool>(fp0))) std::__1::__invoke<WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>, WebCore::AllowNavigationToInvalidURL)::$_4&, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool>(WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>, WebCore::AllowNavigationToInvalidURL)::$_4&&&, WebCore::ResourceRequest const&&&, WTF::PassRefPtr<WebCore::FormState>&&, bool&&) + 107 at __functional_base:415
    frame #5: 0x0000000116037db5 WebCore`void std::__1::__invoke_void_return_wrapper<void>::__call<WebCore::FrameLoader::loadWithDocumentLoader(__args=0x00007fff50c47dc8, __args=0x00007fff50c47b70, __args=0x00007fff50c47850, __args=0x00007fff50c477e7)::$_4&, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool>(WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>, WebCore::AllowNavigationToInvalidURL)::$_4&&&, WebCore::ResourceRequest const&&&, WTF::PassRefPtr<WebCore::FormState>&&, bool&&) + 101 at __functional_base:440
    frame #6: 0x0000000116037d1c WebCore`std::__1::__function::__func<WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>, WebCore::AllowNavigationToInvalidURL)::$_4, std::__1::allocator<WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>, WebCore::AllowNavigationToInvalidURL)::$_4>, void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>::operator(this=0x00007fff50c47dc0, __arg=0x00007fff50c47b70, __arg=0x00007fff50c47850, __arg=0x00007fff50c477e7)(WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>&&, bool&&) + 92 at functional:1407
    frame #7: 0x00000001170be187 WebCore`std::__1::function<void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>::operator(this=0x00007fff50c47dc0, __arg=0x00007fff50c47b70, __arg=<unavailable>, __arg=true)(WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool) const + 87 at functional:1793
    frame #8: 0x00000001170bd779 WebCore`WebCore::PolicyCallback::call(this=0x00007fff50c47b70, shouldContinue=true) + 137 at PolicyCallback.cpp:95
    frame #9: 0x00000001170bede5 WebCore`WebCore::PolicyChecker::continueAfterNavigationPolicy(this=0x000000012596d000, policy=PolicyUse) + 677 at PolicyChecker.cpp:204
    frame #10: 0x00000001170c23de WebCore`WebCore::PolicyChecker::checkNavigationPolicy(this=0x00007fff50c47f98, action=PolicyUse)>)::$_1::operator()(WebCore::PolicyAction) const + 30 at PolicyChecker.cpp:121
    frame #11: 0x00000001170c23af WebCore`void std::__1::__invoke_void_return_wrapper<void>::__call<WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest const&, WebCore::DocumentLoader*, WTF::PassRefPtr<WebCore::FormState>, std::__1::function<void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>)::$_1&, WebCore::PolicyAction>(WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest const&, WebCore::DocumentLoader*, WTF::PassRefPtr<WebCore::FormState>, std::__1::function<void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>)::$_1&&&, WebCore::PolicyAction&&) [inlined] decltype(__f=0x00007fff50c47f98, __args=0x00007fff50c47f2c)>)::$_1&>(fp)(std::__1::forward<WebCore::PolicyAction>(fp0))) std::__1::__invoke<WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest const&, WebCore::DocumentLoader*, WTF::PassRefPtr<WebCore::FormState>, std::__1::function<void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>)::$_1&, WebCore::PolicyAction>(WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest const&, WebCore::DocumentLoader*, WTF::PassRefPtr<WebCore::FormState>, std::__1::function<void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>)::$_1&&&, WebCore::PolicyAction&&) + 79 at __functional_base:415
    frame #12: 0x00000001170c2390 WebCore`void std::__1::__invoke_void_return_wrapper<void>::__call<WebCore::PolicyChecker::checkNavigationPolicy(__args=0x00007fff50c47f98, __args=0x00007fff50c47f2c)>)::$_1&, WebCore::PolicyAction>(WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest const&, WebCore::DocumentLoader*, WTF::PassRefPtr<WebCore::FormState>, std::__1::function<void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>)::$_1&&&, WebCore::PolicyAction&&) + 48 at __functional_base:440
    frame #13: 0x00000001170c232c WebCore`std::__1::__function::__func<WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest const&, WebCore::DocumentLoader*, WTF::PassRefPtr<WebCore::FormState>, std::__1::function<void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>)::$_1, std::__1::allocator<WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest const&, WebCore::DocumentLoader*, WTF::PassRefPtr<WebCore::FormState>, std::__1::function<void (WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>)::$_1>, void (WebCore::PolicyAction)>::operator(this=0x00007fff50c47f90, __arg=0x00007fff50c47f2c)(WebCore::PolicyAction&&) + 60 at functional:1407
    frame #14: 0x000000010f6bfc8c WebKit`std::__1::function<void (WebCore::PolicyAction)>::operator(this=0x00007fff50c47f90, __arg=PolicyUse)(WebCore::PolicyAction) const + 44 at functional:1793
    frame #15: 0x000000010f6bb35c WebKit`WebKit::WebFrame::didReceivePolicyDecision(this=0x00007f969b7035d0, listenerID=10, action=PolicyUse, navigationID=6, downloadID=(m_downloadID = 0)) + 332 at WebFrame.cpp:246
    frame #16: 0x000000010f6c6b14 WebKit`WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction(this=0x00007f969d103f80, navigationAction=0x00007fff50c48540, request=0x000000012623a750, prpFormState=PassRefPtr<WebCore::FormState> @ 0x00007fff50c483d8, function=WebCore::FramePolicyFunction @ 0x00007fff50c48680)>) + 2196 at WebFrameLoaderClient.cpp:829
    frame #17: 0x00000001170bea8b WebCore`WebCore::PolicyChecker::checkNavigationPolicy(this=0x000000012596d000, request=0x000000012623a750, loader=0x000000012623a280, formState=PassRefPtr<WebCore::FormState> @ 0x00007fff50c48850, function=WebCore::NavigationPolicyDecisionFunction @ 0x00007fff50c48c30)>) + 1531 at PolicyChecker.cpp:120
    frame #18: 0x0000000116028f07 WebCore`WebCore::FrameLoader::loadWithDocumentLoader(this=0x000000012596e0a0, loader=0x000000012623a280, type=Back, prpFormState=PassRefPtr<WebCore::FormState> @ 0x00007fff50c49508, allowNavigationToInvalidURL=Yes) + 1735 at FrameLoader.cpp:1445
    frame #19: 0x0000000116025445 WebCore`WebCore::FrameLoader::loadDifferentDocumentItem(this=0x000000012596e0a0, item=0x00000001259bf0c8, loadType=Back, cacheLoadPolicy=MayAttemptCacheOnlyLoadForFormSubmissionItem) + 373 at FrameLoader.cpp:3279
    frame #20: 0x0000000116030945 WebCore`WebCore::FrameLoader::loadItem(this=0x000000012596e0a0, item=0x00000001259bf0c8, loadType=Back) + 165 at FrameLoader.cpp:3368
    frame #21: 0x000000011614f030 WebCore`WebCore::HistoryController::recursiveGoToItem(this=0x00000001259f23f0, item=0x00000001259bf0c8, fromItem=0x00000001297c33e8, type=Back) + 96 at HistoryController.cpp:747
    frame #22: 0x000000011614edf1 WebCore`WebCore::HistoryController::goToItem(this=0x00000001259f23f0, targetItem=0x00000001259bf0c8, type=Back) + 401 at HistoryController.cpp:320
    frame #23: 0x000000011701fa76 WebCore`WebCore::Page::goToItem(this=0x0000000125801c00, item=0x00000001259bf0c8, type=Back) + 198 at Page.cpp:436
    frame #24: 0x00000001157b93c9 WebCore`WebCore::BackForwardController::goBack(this=0x00000001259f7050) + 73 at BackForwardController.cpp:86
    frame #25: 0x000000010f806b07 WebKit`WebKit::WebPage::performNonEditingBehaviorForSelector(this=0x00007f969e007e10, selector=0x0000000126182540, event=0x00000001259a02a8) + 1287 at WebPageMac.mm:554
    frame #26: 0x000000010f806100 WebKit`WebKit::WebPage::executeKeypressCommandsInternal(this=0x00007f969e007e10, commands=0x00000001259a0320, event=0x00000001259a02a8) + 912 at WebPageMac.mm:250
    frame #27: 0x000000010f806fed WebKit`WebKit::WebPage::handleEditingKeyboardEvent(this=0x00007f969e007e10, event=0x00000001259a02a8) + 797 at WebPageMac.mm:293
    frame #28: 0x000000010f6b3191 WebKit`WebKit::WebEditorClient::handleKeyboardEvent(this=0x00007f969d102ba0, event=0x00000001259a02a8) + 33 at WebEditorClientMac.mm:66
    frame #29: 0x0000000115e12e72 WebCore`WebCore::Editor::handleKeyboardEvent(this=0x0000000125975c00, event=0x00000001259a02a8) + 66 at Editor.cpp:189
    frame #30: 0x0000000115e803a1 WebCore`WebCore::EventHandler::defaultKeyboardEventHandler(this=0x000000012596c000, event=0x00000001259a02a8) + 97 at EventHandler.cpp:3221
    frame #31: 0x0000000116fdf541 WebCore`WebCore::Node::defaultEventHandler(this=0x000000012595a780, event=0x00000001259a02a8) + 241 at Node.cpp:2175
    frame #32: 0x000000011627d99c WebCore`WebCore::HTMLPlugInElement::defaultEventHandler(this=0x000000012595a780, event=0x00000001259a02a8) + 396 at HTMLPlugInElement.cpp:234
    frame #33: 0x00000001162851a8 WebCore`WebCore::HTMLPlugInImageElement::defaultEventHandler(this=0x000000012595a780, event=0x00000001259a02a8) + 296 at HTMLPlugInImageElement.cpp:756
    frame #34: 0x0000000115e6dd96 WebCore`WebCore::callDefaultEventHandlersInTheBubblingOrder(event=0x00000001259a02a8, path=0x00007fff50c4a020) + 102 at EventDispatcher.cpp:134
    frame #35: 0x0000000115e6d4e1 WebCore`WebCore::EventDispatcher::dispatchEvent(origin=0x000000012595a780, event=0x00000001259a02a8) + 881 at EventDispatcher.cpp:239
    frame #36: 0x0000000116fdf03d WebCore`WebCore::Node::dispatchEvent(this=0x000000012595a780, event=0x00000001259a02a8) + 29 at Node.cpp:2108
    frame #37: 0x0000000115e7f90f WebCore`WebCore::EventHandler::keyEvent(this=0x000000012596c000, initialKeyEvent=0x00007fff50c4a4a8) + 1519 at EventHandler.cpp:3054
    frame #38: 0x0000000117b06682 WebCore`WebCore::UserInputBridge::handleKeyEvent(this=0x00007f969d1017f0, keyEvent=0x00007fff50c4a4a8, inputSource=User) + 466 at UserInputBridge.cpp:170
    frame #39: 0x000000010f7b648d WebKit`WebKit::handleKeyEvent(keyboardEvent=0x00007fff50c4a708, page=0x0000000125801c00) + 221 at WebPage.cpp:2138
    frame #40: 0x000000010f7b6342 WebKit`WebKit::WebPage::keyEvent(this=0x00007f969e007e10, keyboardEvent=0x00007fff50c4a708) + 162 at WebPage.cpp:2150
Comment 12 Simon Fraser (smfr) 2016-02-16 18:29:05 PST
Fragile fix:
diff --git a/Source/WebCore/html/HTMLPlugInElement.cpp b/Source/WebCore/html/HTMLPlugInElement.cpp
index 57a532e98da402bc737b54e8f6494fc791e23133..f22d93b4464406f83b9425278b21256c662d8be4 100644
--- a/Source/WebCore/html/HTMLPlugInElement.cpp
+++ b/Source/WebCore/html/HTMLPlugInElement.cpp
@@ -225,12 +225,14 @@ void HTMLPlugInElement::defaultEventHandler(Event* event)
             return;
     }
 
-    RefPtr<Widget> widget = downcast<RenderWidget>(*renderer).widget();
-    if (!widget)
-        return;
-    widget->handleEvent(event);
-    if (event->defaultHandled())
-        return;
+    {
+        RefPtr<Widget> widget = downcast<RenderWidget>(*renderer).widget();
+        if (!widget)
+            return;
+        widget->handleEvent(event);
+        if (event->defaultHandled())
+            return;
+    }
     HTMLFrameOwnerElement::defaultEventHandler(event);
 }
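Review bot: the braces are the whole fix, but nothing in the hunk says why they are there: the block scope releases the local RefPtr<Widget> before HTMLFrameOwnerElement::defaultEventHandler(event) runs, so the widget is no longer kept alive across a back navigation that puts the page into the page cache (the comment 11 stack shows ~RefPtr<Widget> at HTMLPlugInElement.cpp:235 tearing down the PluginView after the navigation at line 234). Add a comment above the opening brace stating that the scope is deliberate, otherwise a later cleanup will flatten the block and silently reintroduce the crash; the "Fragile fix" label in the comment is exactly the concern.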
Comment 13 Simon Fraser (smfr) 2016-02-17 12:14:39 PST
Created attachment 271575 [details]
Patch
Comment 14 Simon Fraser (smfr) 2016-02-17 12:15:28 PST
To reproduce this bug:
1. Load a page with a link to a long (scrollable) PDF.
2. Click the link.
3. Use Command-Left Arrow to go back.

Crashes under GuardMalloc.
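A constructed C++ model of the lifetime hazard described in the bug description and comments 9 to 12, added here and not part of WebKit or of either patch: a FrameView keeps raw pointers to scrollable areas, a widget unregisters from whichever view is current when it dies, and a local reference that survives the back navigation leaves a dangling entry in the cached view. The WebKit type names are reused for readability only; std::shared_ptr stands in for RefPtr and navigateBack() stands in for the navigation reached through HTMLFrameOwnerElement::defaultEventHandler.

```cpp
// Constructed model of the lifetime hazard discussed in this bug, not WebKit
// source: a local reference to the plug-in widget outlives a navigation that
// is triggered further down the call chain. std::shared_ptr stands in for RefPtr.
#include <cassert>
#include <cstddef>
#include <memory>
#include <set>

struct ScrollableArea { virtual ~ScrollableArea() = default; };

// Holds raw pointers to scrollable areas, as WebCore::FrameView does.
struct FrameView {
    std::set<ScrollableArea*> scrollableAreas;
    void addScrollableArea(ScrollableArea* a) { scrollableAreas.insert(a); }
    void removeScrollableArea(ScrollableArea* a) { scrollableAreas.erase(a); }
};

// The page owns the live view and, after navigating, keeps the old one the
// way the page cache keeps a CachedFrame.
struct Page {
    std::shared_ptr<FrameView> view = std::make_shared<FrameView>();
    std::shared_ptr<FrameView> cachedView;
};

// A plug-in widget registers with the current view when created and
// unregisters from the current view when destroyed (PDFPlugin::destroy()
// calls frameView->removeScrollableArea() in the same spirit).
struct Widget : ScrollableArea {
    Page& page;
    explicit Widget(Page& p) : page(p) { page.view->addScrollableArea(this); }
    ~Widget() override { page.view->removeScrollableArea(this); }
    void handleEvent() {}
};

// The renderer owns the widget; navigating detaches the render tree (dropping
// that reference), caches the old view and installs a fresh one.
struct Renderer { std::shared_ptr<Widget> widget; };

void navigateBack(Page& page, Renderer& renderer) {
    renderer.widget.reset();                    // detachRenderTree
    page.cachedView = page.view;                // old view goes into the PageCache
    page.view = std::make_shared<FrameView>();  // new document's view
}

// Pre-patch shape of HTMLPlugInElement::defaultEventHandler: the local
// reference is still alive when the base-class handler navigates.
void defaultEventHandlerBuggy(Page& page, Renderer& renderer) {
    std::shared_ptr<Widget> widget = renderer.widget;
    if (!widget) return;
    widget->handleEvent();
    navigateBack(page, renderer);  // stands in for HTMLFrameOwnerElement::defaultEventHandler
}   // widget dies here, after the view swap: it unregisters from the wrong FrameView

// Scoped shape from comment 12: the reference is released before anything
// further down the call chain can navigate.
void defaultEventHandlerFixed(Page& page, Renderer& renderer) {
    {
        std::shared_ptr<Widget> widget = renderer.widget;
        if (!widget) return;
        widget->handleEvent();
    }
    navigateBack(page, renderer);
}

// Runs one key-event-then-back sequence and returns how many ScrollableArea
// pointers are left in the cached view. Every widget is gone by then, so any
// entry is dangling and would be dereferenced by layout after a restore.
std::size_t danglingEntries(void (*handler)(Page&, Renderer&)) {
    Page page;
    Renderer renderer{std::make_shared<Widget>(page)};
    handler(page, renderer);
    return page.cachedView->scrollableAreas.size();
}

int main() {
    assert(danglingEntries(defaultEventHandlerBuggy) == 1);
    assert(danglingEntries(defaultEventHandlerFixed) == 0);
}
```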
Comment 15 Brent Fulgham 2016-02-17 12:23:51 PST
Comment on attachment 271575 [details]
Patch

r=me. Thank you for figuring out the *true* fix to this problem!
Comment 16 Simon Fraser (smfr) 2016-02-17 13:27:23 PST
https://trac.webkit.org/r196717