RESOLVED FIXED 148237
HistoryItems with null CachedPages should never be left in the list of items; causes crash 
https://bugs.webkit.org/show_bug.cgi?id=148237
Summary HistoryItems with null CachedPages should never be left in the list of items;...
Beth Dakin
Reported 2015-08-20 12:34:27 PDT
WK1 can re-enter layout during FrameView destruction and crash Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.WebCore 0x00007fff91ab948a WebCore::PageCache::markPagesForContentsSizeChanged(WebCore::Page&) + 42 1 com.apple.WebCore 0x00007fff90fda0bd WebCore::FrameView::setContentsSize(WebCore::IntSize const&) + 221 2 com.apple.WebCore 0x00007fff9100de56 WebCore::FrameView::adjustViewSize() + 150 3 com.apple.WebCore 0x00007fff91003e90 WebCore::FrameView::layout(bool) + 3312 4 com.apple.WebKitLegacy 0x00007fff9e2508fc -[WebHTMLView layoutToMinimumPageWidth:height:originalPageWidth:originalPageHeight:maximumShrinkRatio:adjustingViewSize:] + 316 5 com.apple.WebKitLegacy 0x00007fff9e249f3e -[WebDynamicScrollBarsView(WebInternal) updateScrollers] + 158 6 com.apple.WebCore 0x00007fff91c6fb4d WebCore::ScrollView::platformSetScrollbarModes() + 45 7 com.apple.WebCore 0x00007fff90fcdf21 WebCore::ScrollView::setScrollbarModes(WebCore::ScrollbarMode, WebCore::ScrollbarMode, bool, bool) + 241 8 com.apple.WebCore 0x00007fff91003906 WebCore::FrameView::layout(bool) + 1894 9 com.apple.WebKitLegacy 0x00007fff9e2508fc -[WebHTMLView layoutToMinimumPageWidth:height:originalPageWidth:originalPageHeight:maximumShrinkRatio:adjustingViewSize:] + 316 10 com.apple.WebKitLegacy 0x00007fff9e24a4f9 -[WebDynamicScrollBarsView(WebInternal) updateScrollers] + 1625 11 com.apple.WebCore 0x00007fff91c6fb4d WebCore::ScrollView::platformSetScrollbarModes() + 45 12 com.apple.WebCore 0x00007fff90fcdf21 WebCore::ScrollView::setScrollbarModes(WebCore::ScrollbarMode, WebCore::ScrollbarMode, bool, bool) + 241 13 com.apple.WebCore 0x00007fff91034f50 WebCore::FrameView::~FrameView() + 224 14 com.apple.WebCore 0x00007fff91034e5e WebCore::FrameView::~FrameView() + 14 rdar://problem/22356782
Attachments
Patch (2.21 KB, patch)
2015-08-20 12:38 PDT, Beth Dakin 		zalan: review+
DetailsFormatted DiffDiff
Patch (2.07 KB, patch)
2015-08-20 15:19 PDT, Beth Dakin 		zalan: review+
DetailsFormatted DiffDiff
Patch (2.27 KB, patch)
2015-08-20 23:15 PDT, Beth Dakin 		beidson: review+
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Beth Dakin
Comment 1 2015-08-20 12:38:23 PDT
Created attachment 259486 [details] Patch
Beth Dakin
Comment 2 2015-08-20 15:19:44 PDT
Created attachment 259505 [details] Patch It turns out that fix did not work, so here is a new patch that does work.
zalan
Comment 3 2015-08-20 15:24:08 PDT
Comment on attachment 259505 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=259505&action=review > Source/WebCore/page/FrameView.cpp:277 > I hope that none of the setHas*Scrollbar() calls (few lines below) trigger similar layout.
Beth Dakin
Comment 4 2015-08-20 15:36:08 PDT
(In reply to comment #3) > Comment on attachment 259505 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=259505&action=review > > > Source/WebCore/page/FrameView.cpp:277 > > > > I hope that none of the setHas*Scrollbar() calls (few lines below) trigger > similar layout. From what I can tell, they do not, but this is a great example of why this fix is hack-ish.
Beth Dakin
Comment 5 2015-08-20 15:37:50 PDT
http://trac.webkit.org/changeset/188712 Thanks Zalan!
WebKit Commit Bot
Comment 6 2015-08-20 17:51:53 PDT
Re-opened since this is blocked by bug 148274
Tim Horton
Comment 7 2015-08-20 18:03:59 PDT
Rolled out in http://trac.webkit.org/changeset/188723
Beth Dakin
Comment 8 2015-08-20 22:27:18 PDT
Re-naming the bug to reflect my new approach for a crash fix,
Beth Dakin
Comment 9 2015-08-20 23:15:29 PDT
Created attachment 259586 [details] Patch Here's another go.
Simon Fraser (smfr)
Comment 10 2015-08-20 23:24:07 PDT
Comment on attachment 259586 [details] Patch This seems pretty risky.
Simon Fraser (smfr)
Comment 11 2015-08-20 23:25:58 PDT
I wonder if the earlier patch broke everything because frame().view() is null normally, meaning frame().view() == this is never true?
Beth Dakin
Comment 12 2015-08-21 10:36:38 PDT
(In reply to comment #10) > Comment on attachment 259586 [details] > Patch > > This seems pretty risky. Can you elaborate? I think it seems extremely safe. Safer than limiting calls to resetScrollbars() from the FrameView destructor now that I have a better understanding of those implications.
Brady Eidson
Comment 13 2015-08-21 10:46:31 PDT
Comment on attachment 259586 [details] Patch I think this is fine, as long as all the layout tests actually run and don't crash :)
Beth Dakin
Comment 14 2015-08-21 12:24:02 PDT
Thanks Brady! I ran WK1 and WK2 tests locally, and everything seems good. http://trac.webkit.org/changeset/188765
Simon Fraser (smfr)
Comment 15 2015-08-21 17:45:32 PDT
I think it would be good to land a layout test for this, if we can make one.
Note You need to log in before you can comment on or make changes to this bug.