27137 – REGRESSION (r44311): Reproducible crash due to infinite recursion into FrameLoader::gotoAnchor() -> FrameView::layout()

RESOLVED FIXED27137

REGRESSION (r44311): Reproducible crash due to infinite recursion into FrameLoader::gotoAnchor() -> FrameView::layout()

https://bugs.webkit.org/show_bug.cgi?id=27137

Summary REGRESSION (r44311): Reproducible crash due to infinite recursion into FrameL...

mitz

Reported 2009-07-09 16:43:49 PDT

<rdar://problem/7043124> VIsiting the URL makes Safari crash with a stack showing many repititions of com.apple.WebCore 0x9547f226 WebCore::FrameLoader::gotoAnchor() + 0x56 com.apple.WebCore 0x9549a348 WebCore::FrameView::layout(bool) + 0x828 com.apple.WebCore 0x956124ad WebCore::FrameLoader::gotoAnchor(WebCore::String const&) + 0x26d We may need to make the going-to-anchor a post-layoiut task. I suspect that this was introduced by a recent patch to improve locking-to-anchor during loading, but I haven’t verified this yet.

Attachments
Make lock-scroll-to-anchor a function of FrameView, and perform it as a post-layout task (11.27 KB, patch) 2009-07-09 23:04 PDT, mitz	simon.fraser: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

mitz

Comment 1 2009-07-09 16:47:48 PDT

<http://trac.webkit.org/changeset/44311/> is the change I had in mind.

mitz

Comment 2 2009-07-09 16:56:53 PDT

Confirmed that reverting r44311 fixes the crash.

mitz

Comment 3 2009-07-09 17:20:19 PDT

Having looked at the code, I don’t think moving to post-layout is the right solution here. If the frame needs layout at that point, there’s no use scrolling it until that layout occurs. But also, it seems somewhat inefficient to go through gotoAnchor() every time. Perhaps instead of the lockedToAnchor boolean, a RefPtr<Node> could be used and the frame could track that node without calling back into the loader.

Adam Barth

Comment 4 2009-07-09 19:08:27 PDT

Concensus on IRC was not to back the patch out tonight. Nate will look into this tomorrow. If we can't find a fix shortly, we will revert the offending change.

mitz

Comment 5 2009-07-09 23:04:03 PDT

Created attachment 32551 [details] Make lock-scroll-to-anchor a function of FrameView, and perform it as a post-layout task

Simon Fraser (smfr)

Comment 6 2009-07-10 08:13:16 PDT

Comment on attachment 32551 [details] Make lock-scroll-to-anchor a function of FrameView, and perform it as a post-layout task > +void FrameView::keepScrolledToAnchorNode(Node* anchorNode) I'm not a big fan of this method name; maybe something like maintainScrollPositionToAnchorNode? > + if (anchorNode != m_frame->document()) > + rect = anchorNode->getRect(); getRect(true) will make this transform-friendly! r=me

mitz

Comment 7 2009-07-10 09:57:17 PDT

Fixed in <http://trac.webkit.org/projects/webkit/changeset/45710> and <http://trac.webkit.org/projects/webkit/changeset/45711>.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P1

Severity Normal

Classification Unclassified

Version 528+ (Nightly build)

Hardware Mac

OS OS X 10.5

Product WebKit

Component Layout and Rendering

Assignee

Nobody

Reported

2009-07-09 16:43 PDT

Modified

2009-07-10 09:57 PDT History

CC List

2 users Show

URL

http://hsivonen.iki.fi/doctype/#handling

Keywords InRadar, NeedsReduction, Regression

Depends on

Blocks