WebKit Bugzilla
RESOLVED FIXED
149302
Null dereference loading Blink layout test fast/css/zoom-on-nested-scroll-crash.html
https://bugs.webkit.org/show_bug.cgi?id=149302
Jon Honeycutt
Reported
2015-09-17 15:08:54 PDT
Created attachment 261436 [details]
crashing test

Null dereference loading Blink layout test fast/css/zoom-on-nested-scroll-crash.html.

Stack trace:

Crashed Thread:        0  Dispatch queue: com.apple.main-thread
Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000028
Exception Note:        EXC_CORPSE_NOTIFY

VM Regions Near 0x28:
--> __TEXT 000000010bcc8000-000000010bcca000 [ 8K] r-x/rwx SM=COW /Users/USER/*/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.Development.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development

Application Specific Information:
CRASHING TEST: temp-tests/fast/css/zoom-on-nested-scroll-crash.html

Global Trace Buffer (reverse chronological seconds):
57.772360 CFNetwork 0x00007fff88d43b97 Explicitly setting CF cookie storage singleton
57.772701 CFNetwork 0x00007fff88d8f211 Explicitly setting cookie storage singleton

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore                       0x000000011450e98b WebCore::RenderBox::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) + 491 (IntPoint.h:69)
1   com.apple.WebCore                       0x00000001144de4a1 WebCore::RenderBlock::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) + 145 (RenderObject.h:970)
2   com.apple.WebCore                       0x00000001145f2348 WebCore::RenderScrollbarPart::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) + 24 (RenderObject.h:969)
3   com.apple.WebCore                       0x0000000114540692 WebCore::RenderElement::setStyle(WTF::Ref<WebCore::RenderStyle>&&, WebCore::StyleDifference) + 594 (RenderElement.h:66)
4   com.apple.WebCore                       0x00000001145f0191 WebCore::RenderScrollbar::updateScrollbarPart(WebCore::ScrollbarPart) + 353 (Ref.h:55)
5   com.apple.WebCore                       0x00000001145f061e WebCore::RenderScrollbar::updateScrollbarParts() + 30 (RenderScrollbar.cpp:159)
6   com.apple.WebCore                       0x0000000114599c09 WebCore::RenderLayer::styleChanged(WebCore::StyleDifference, WebCore::RenderStyle const*) + 985 (RefPtr.h:75)
7   com.apple.WebCore                       0x00000001145b3f8e WebCore::RenderLayerModelObject::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) + 542 (RenderLayerModelObject.cpp:160)
8   com.apple.WebCore                       0x000000011450e7c2 WebCore::RenderBox::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) + 34 (Ref.h:120)
9   com.apple.WebCore                       0x00000001144de4a1 WebCore::RenderBlock::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) + 145 (RenderObject.h:970)
10  com.apple.WebCore                       0x00000001144fb49c WebCore::RenderBlockFlow::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) + 28 (RenderObject.h:958)
11  com.apple.WebCore                       0x0000000114540692 WebCore::RenderElement::setStyle(WTF::Ref<WebCore::RenderStyle>&&, WebCore::StyleDifference) + 594 (RenderElement.h:66)
12  com.apple.WebCore                       0x00000001147f95cf WebCore::Style::resolveTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::RenderTreePosition&, WebCore::Style::Change) + 1711 (Ref.h:55)
13  com.apple.WebCore                       0x00000001147f99c2 WebCore::Style::resolveTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::RenderTreePosition&, WebCore::Style::Change) + 2722 (StyleResolveTree.cpp:827)
14  com.apple.WebCore                       0x00000001147f99c2 WebCore::Style::resolveTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::RenderTreePosition&, WebCore::Style::Change) + 2722 (StyleResolveTree.cpp:827)
15  com.apple.WebCore                       0x00000001147f8f10 WebCore::Style::resolveTree(WebCore::Document&, WebCore::Style::Change) + 336 (StyleResolveTree.cpp:867)
16  com.apple.WebCore                       0x0000000113c39f7d WebCore::Document::recalcStyle(WebCore::Style::Change) + 285 (Document.cpp:1864)
17  com.apple.WebCore                       0x0000000113c45275 WebCore::Document::finishedParsing() + 405 (Frame.h:327)
18  com.apple.WebCore                       0x0000000113e71e05 WebCore::HTMLDocumentParser::prepareToStopParsing() + 165 (RefCounted.h:99)
19  com.apple.WebCore                       0x0000000113c7569a WebCore::DocumentWriter::end() + 58 (StdLibExtras.h:366)
20  com.apple.WebCore                       0x0000000113c5d9ec WebCore::DocumentLoader::finishedLoading(double) + 268 (ResourceErrorBase.h:42)
21  com.apple.WebCore                       0x0000000113a8e179 WebCore::CachedResource::checkNotify() + 153 (CachedResourceClientWalker.h:51)
22  com.apple.WebCore                       0x0000000113a8a433 WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) + 227 (CachedRawResource.cpp:104)
23  com.apple.WebCore                       0x0000000114805501 WebCore::SubresourceLoader::didFinishLoading(double) + 1153 (ResourceLoader.h:154)
24  com.apple.WebKit                        0x000000011234b98d WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::MessageDecoder&) + 561 (HandleMessage.h:16)
25  com.apple.WebKit                        0x00000001121251f1 IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >) + 127 (memory:2636)
26  com.apple.WebKit                        0x0000000112127b4a IPC::Connection::dispatchOneMessage() + 126 (memory:2656)
27  com.apple.JavaScriptCore                0x0000000113569985 WTF::RunLoop::performWork() + 437 (functional:1742)
28  com.apple.JavaScriptCore                0x0000000113569d32 WTF::RunLoop::performWork(void*) + 34 (RunLoopCF.cpp:39)
29  com.apple.CoreFoundation                0x00007fff949e2c01 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
30  com.apple.CoreFoundation                0x00007fff949d4b1c __CFRunLoopDoSources0 + 556
31  com.apple.CoreFoundation                0x00007fff949d403f __CFRunLoopRun + 927
32  com.apple.CoreFoundation                0x00007fff949d3a38 CFRunLoopRunSpecific + 296
33  com.apple.HIToolbox                     0x00007fff88e673bd RunCurrentEventLoopInMode + 235
34  com.apple.HIToolbox                     0x00007fff88e67153 ReceiveNextEventCommon + 432
35  com.apple.HIToolbox                     0x00007fff88e66f93 _BlockUntilNextEventMatchingListInModeWithFilter + 71
36  com.apple.AppKit                        0x00007fff870b81e7 _DPSNextEvent + 1076
37  com.apple.AppKit                        0x00007fff8748490d -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 454
38  com.apple.AppKit                        0x00007fff870ae0b8 -[NSApplication run] + 682
39  com.apple.AppKit                        0x00007fff87030396 NSApplicationMain + 1176
40  libxpc.dylib                            0x00007fff8c70ff70 _xpc_objc_main + 793
41  libxpc.dylib                            0x00007fff8c7116bf xpc_main + 494
42  com.apple.WebKit.WebContent.Development 0x000000010bcc9424 main + 409 (XPCServiceMain.Development.mm:187)
43  libdyld.dylib                           0x00007fff93aa15ad start + 1
Attachments
crashing test (459 bytes, text/html), 2015-09-17 15:08 PDT, Jon Honeycutt, no flags
Patch (3.66 KB, patch), 2015-10-07 17:43 PDT, Jiewen Tan, no flags
Radar WebKit Bug Importer
Comment 1
2015-09-17 15:09:43 PDT
<rdar://problem/22747292>
Jiewen Tan
Comment 2
2015-10-07 17:43:40 PDT
Created attachment 262663 [details]
Patch
WebKit Commit Bot
Comment 3
2015-10-08 10:40:41 PDT
Comment on attachment 262663 [details]
Patch

Clearing flags on attachment: 262663

Committed r190732: <http://trac.webkit.org/changeset/190732>
WebKit Commit Bot
Comment 4
2015-10-08 10:40:44 PDT
All reviewed patches have been landed. Closing bug.
zalan
Comment 5
2015-10-16 20:56:08 PDT
By looking at the stacktrace, I think the problem here is that RenderScrollbarPart does not create a render layer (requiresLayer() returns false) while we assume that a box with overflow clip always has a layer. This unexpected behavior will surely show up at other places too. I'd rather check explicitly for scrollbarpart here and assert on layer(), so that we can catch other offenders.
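The failure mode described in the comment above, as an added illustration that is not WebKit code: a subclass opts out of creating a layer (requiresLayer() returns false) while a base-class code path assumes that hasOverflowClip() implies layer() != nullptr, so a field read through the null layer pointer faults at a small offset from address zero (the crash log above shows 0x28). The class names mirror those in the stack trace, but the members, the "scroll offset" read and the driver functions are hypothetical and simplified; the hardened variant follows the comment's suggestion of excluding the known exception explicitly and asserting on everything else.

```cpp
#include <cassert>
#include <cstdio>
#include <memory>

// Hypothetical, simplified model of the renderers named in the stack trace.
// Written for this page as an illustration; it is not WebCore's implementation.

struct RenderLayer {
    int scrollX = 0;
    int scrollY = 0;
};

class RenderBox {
public:
    explicit RenderBox(bool hasOverflowClip) : m_hasOverflowClip(hasOverflowClip) { }
    virtual ~RenderBox() = default;

    bool hasOverflowClip() const { return m_hasOverflowClip; }
    RenderLayer* layer() const { return m_layer.get(); }

    // In the base class an overflow-clipping box needs a layer; subclasses may override.
    virtual bool requiresLayer() const { return m_hasOverflowClip; }
    virtual bool isRenderScrollbarPart() const { return false; }

    // "Create the layer if this renderer requires one". Done after construction
    // because requiresLayer() is virtual and must dispatch to the subclass.
    void createLayerIfNeeded() {
        if (requiresLayer() && !m_layer)
            m_layer = std::make_unique<RenderLayer>();
    }

private:
    bool m_hasOverflowClip;
    std::unique_ptr<RenderLayer> m_layer;
};

class RenderBlock : public RenderBox {
public:
    using RenderBox::RenderBox;
};

// The offender: it never creates a layer, even when styled with overflow clipping.
class RenderScrollbarPart : public RenderBox {
public:
    using RenderBox::RenderBox;
    bool requiresLayer() const override { return false; }
    bool isRenderScrollbarPart() const override { return true; }
};

template <typename T>
std::unique_ptr<T> makeRenderer(bool hasOverflowClip) {
    auto renderer = std::make_unique<T>(hasOverflowClip);
    renderer->createLayerIfNeeded();
    return renderer;
}

// The invariant the crashing code path relied on.
bool overflowClipImpliesLayer(const RenderBox& box) {
    return !box.hasOverflowClip() || box.layer() != nullptr;
}

// Buggy shape: trusts the invariant and dereferences layer() unconditionally.
// For a RenderScrollbarPart with overflow clip, layer() is null and reading a
// field through it is a null-plus-small-offset access like the 0x28 in the log.
int unsafeStyleDidChange(const RenderBox& box) {
    if (!box.hasOverflowClip())
        return 0;
    return box.layer()->scrollX + box.layer()->scrollY;
}

// Hardened shape: exclude the known exception explicitly and assert on the rest,
// so any other renderer that breaks the invariant is caught in debug builds.
int safeStyleDidChange(const RenderBox& box) {
    if (!box.hasOverflowClip() || box.isRenderScrollbarPart())
        return 0;
    assert(box.layer() && "a box with overflow clip must have a layer");
    return box.layer()->scrollX + box.layer()->scrollY;
}

// Drivers so the behaviour can be checked without crashing the process.
int blockStyleChangeResult() {
    auto block = makeRenderer<RenderBlock>(true);   // has a layer, both paths agree
    block->layer()->scrollX = 3;
    block->layer()->scrollY = 4;
    return unsafeStyleDidChange(*block) + safeStyleDidChange(*block);   // 14
}

bool scrollbarPartBreaksInvariant() {
    auto part = makeRenderer<RenderScrollbarPart>(true);   // overflow clip, no layer
    return !overflowClipImpliesLayer(*part);
}

int scrollbarPartSafeResult() {
    auto part = makeRenderer<RenderScrollbarPart>(true);
    return safeStyleDidChange(*part);   // 0: the layer is never touched
}

int main() {
    std::printf("block: %d, scrollbar part breaks invariant: %d, safe path: %d\n",
                blockStyleChangeResult(), scrollbarPartBreaksInvariant(), scrollbarPartSafeResult());
    return 0;
}
```

Calling unsafeStyleDidChange() on the scrollbar part is deliberately left out of the drivers: it would reproduce the crash rather than demonstrate the check.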