Bug 42561 - Crash when computing pseudo-style of a vanished scrollbar in inspector
Summary: Crash when computing pseudo-style of a vanished scrollbar in inspector
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: CSS
Version: 528+ (Nightly build)
Hardware: PC Windows 7
Importance: P2 Normal
Assignee: Simon Fraser (smfr)
Reported: 2010-07-19 06:50 PDT by Alexander Pavlov (apavlov)
Modified: 2010-07-29 09:57 PDT
CC: 3 users

Attachments
Reduced test case (396 bytes, text/html) - 2010-07-22 08:57 PDT, Alexander Pavlov (apavlov), no flags
Patch (8.42 KB, patch) - 2010-07-28 17:02 PDT, Simon Fraser (smfr), pfeldman: review+

Description Alexander Pavlov (apavlov) 2010-07-19 06:50:36 PDT
1. Open the attached page
2. Open Web Inspector and set a breakpoint on line 8 (return document.getElementById(id);)
3. Click the button.
4. In the Web Inspector, position the mouse pointer over the "zzz" variable. A popup with the variable value appears shortly.
5. Quickly move the pointer over the horizontal scrollbar in the popup and press LMB.
6. If the popup does not disappear shortly, move the pointer outside of the popup with the LMB still pressed.
7. Release LMB after the popup disappears.

The following crash happens:

>	WebKit.dll!WTF::OwnPtr<WebCore::CSSStyleSelector>::operator!()  Line 68 + 0x13 bytes	C++
 	WebKit.dll!WebCore::Document::styleSelector()  Line 392 + 0xe bytes	C++
 	WebKit.dll!WebCore::RenderObject::getUncachedPseudoStyle(WebCore::PseudoId pseudo=SCROLLBAR_THUMB, WebCore::RenderStyle * parentStyle=0x0a59d4ac, WebCore::RenderStyle * ownStyle=0x00000000)  Line 2381 + 0x21 bytes	C++
 	WebKit.dll!WebCore::RenderScrollbar::getScrollbarPseudoStyle(WebCore::ScrollbarPart partType=ThumbPart, WebCore::PseudoId pseudoId=SCROLLBAR_THUMB)  Line 135 + 0x27 bytes	C++
 	WebKit.dll!WebCore::RenderScrollbar::updateScrollbarPart(WebCore::ScrollbarPart partType=ThumbPart, bool destroy=false)  Line 202 + 0x25 bytes	C++
 	WebKit.dll!WebCore::RenderScrollbar::setPressedPart(WebCore::ScrollbarPart part=NoPart)  Line 112	C++
 	WebKit.dll!WebCore::Scrollbar::mouseUp()  Line 385 + 0x11 bytes	C++
 	WebKit.dll!WebCore::EventHandler::handleMouseReleaseEvent(const WebCore::PlatformMouseEvent & mouseEvent={...})  Line 1548 + 0x15 bytes	C++
 	WebKit.dll!WebView::handleMouseEvent(unsigned int message=514, unsigned int wParam=0, long lParam=13762658)  Line 1397	C++
 	WebKit.dll!WebView::WebViewWndProc(HWND__ * hWnd=0x00020dfe, unsigned int message=514, unsigned int wParam=0, long lParam=13762658)  Line 2047 + 0x14 bytes	C++



If this helps debugging, the following crash occurs in Chromium:

>	chrome.dll!WTF::RefCountedBase::ref()  Line 36 + 0x24 bytes	C++
 	chrome.dll!WTF::refIfNotNull<WebCore::RenderStyle>(WebCore::RenderStyle * ptr=0x04c0d480)  Line 53	C++
 	chrome.dll!WTF::RefPtr<WebCore::RenderStyle>::operator=(WebCore::RenderStyle * optr=0x04c0d480)  Line 129 + 0x9 bytes	C++
 	chrome.dll!WebCore::CSSStyleSelector::pseudoStyleForElement(WebCore::PseudoId pseudo=SCROLLBAR_THUMB, WebCore::Element * e=0x050201e0, WebCore::RenderStyle * parentStyle=0x04c0d480, bool matchVisitedPseudoClass=false)  Line 1503	C++
 	chrome.dll!WebCore::RenderObject::getUncachedPseudoStyle(WebCore::PseudoId pseudo=SCROLLBAR_THUMB, WebCore::RenderStyle * parentStyle=0x04c0d480, WebCore::RenderStyle * ownStyle=0x00000000)  Line 2381 + 0x28 bytes	C++
 	chrome.dll!WebCore::RenderScrollbar::getScrollbarPseudoStyle(WebCore::ScrollbarPart partType=ThumbPart, WebCore::PseudoId pseudoId=SCROLLBAR_THUMB)  Line 135 + 0x27 bytes	C++
 	chrome.dll!WebCore::RenderScrollbar::updateScrollbarPart(WebCore::ScrollbarPart partType=ThumbPart, bool destroy=false)  Line 202 + 0x25 bytes	C++
 	chrome.dll!WebCore::RenderScrollbar::setPressedPart(WebCore::ScrollbarPart part=NoPart)  Line 112	C++
 	chrome.dll!WebCore::Scrollbar::mouseUp()  Line 385 + 0x11 bytes	C++
 	chrome.dll!WebCore::EventHandler::handleMouseReleaseEvent(const WebCore::PlatformMouseEvent & mouseEvent={...})  Line 1548 + 0x15 bytes	C++
 	chrome.dll!WebKit::WebViewImpl::mouseUp(const WebKit::WebMouseEvent & event={...})  Line 487	C++
 	chrome.dll!WebKit::WebViewImpl::handleInputEvent(const WebKit::WebInputEvent & inputEvent={...})  Line 1030	C++
 	chrome.dll!RenderWidget::OnHandleInputEvent(const IPC::Message & message={...})  Line 316 + 0x19 bytes	C++
Comment 1 Alexander Pavlov (apavlov) 2010-07-22 08:57:13 PDT
Created attachment 62305
Reduced test case
Comment 2 Pavel Feldman 2010-07-28 13:06:49 PDT
In CSSStyleSelector::SelectorChecker::checkScrollbarPseudoClass's

    case CSSSelector::PseudoCornerPresent:
        return scrollbar->client()->scrollbarCornerPresent();

scrollbar has no client. We probably need to add a check in between Scrollbar::mouseUp() and this call, but I am not sure where it should be done. Dave, do you have a suggestion?
Comment 3 Pavel Feldman 2010-07-28 13:26:51 PDT
Reproduces on latest nightly. Adding the client check late does not help, it crashes in other event handlers.

 	chrome.dll!WTF::RefCountedBase::ref()  Line 36 + 0x24 bytes	C++
 	chrome.dll!WTF::refIfNotNull<WebCore::RenderStyle>(WebCore::RenderStyle * ptr=0x0a20a060)  Line 53	C++
 	chrome.dll!WTF::RefPtr<WebCore::RenderStyle>::operator=(WebCore::RenderStyle * optr=0x0a20a060)  Line 129 + 0x9 bytes	C++
 	chrome.dll!WebCore::CSSStyleSelector::pseudoStyleForElement(WebCore::PseudoId pseudo=SCROLLBAR_THUMB, WebCore::Element * e=0x0a1fb820, WebCore::RenderStyle * parentStyle=0x0a20a060, bool matchVisitedPseudoClass=false)  Line 1503	C++
 	chrome.dll!WebCore::RenderObject::getUncachedPseudoStyle(WebCore::PseudoId pseudo=SCROLLBAR_THUMB, WebCore::RenderStyle * parentStyle=0x0a20a060, WebCore::RenderStyle * ownStyle=0x00000000)  Line 2381 + 0x28 bytes	C++
 	chrome.dll!WebCore::RenderScrollbar::getScrollbarPseudoStyle(WebCore::ScrollbarPart partType=ThumbPart, WebCore::PseudoId pseudoId=SCROLLBAR_THUMB)  Line 135 + 0x27 bytes	C++
 	chrome.dll!WebCore::RenderScrollbar::updateScrollbarPart(WebCore::ScrollbarPart partType=ThumbPart, bool destroy=false)  Line 202 + 0x25 bytes	C++
 	chrome.dll!WebCore::RenderScrollbar::setHoveredPart(WebCore::ScrollbarPart part=NoPart)  Line 100	C++
 	chrome.dll!WebCore::Scrollbar::mouseExited()  Line 379 + 0x11 bytes	C++
>	chrome.dll!WebCore::EventHandler::updateLastScrollbarUnderMouse(WebCore::Scrollbar * scrollbar=0x00000000, bool setLast=true)  Line 2805	C++
 	chrome.dll!WebCore::EventHandler::handleMouseMoveEvent(const WebCore::PlatformMouseEvent &
Comment 4 Simon Fraser (smfr) 2010-07-28 15:49:11 PDT
Part of the issue is that the inspector runs a runloop, which causes us to re-enter the dispatchEvent machinery. Here's the stack for the destruction of the RenderLayer's scrollbar:

(gdb) bt
#0  WebCore::RenderLayer::destroyScrollbar (this=0x122b792d8, orientation=WebCore::HorizontalScrollbar) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/rendering/RenderLayer.cpp:1794
#1  0x0000000103be078a in WebCore::RenderLayer::~RenderLayer (this=0x122b792d8) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/rendering/RenderLayer.cpp:197
#2  0x0000000103bd8133 in WebCore::RenderLayer::destroy (this=0x122b792d8, renderArena=0x10965e7e0) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/rendering/RenderLayer.cpp:968
#3  0x0000000103baa7e7 in WebCore::RenderBoxModelObject::destroyLayer (this=0x11f27a0c8) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/rendering/RenderBoxModelObject.cpp:209
#4  0x0000000103c0b27b in WebCore::RenderObject::destroy (this=0x11f27a0c8) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/rendering/RenderObject.cpp:2167
#5  0x0000000103baa743 in WebCore::RenderBoxModelObject::destroy (this=0x11f27a0c8) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/rendering/RenderBoxModelObject.cpp:220
#6  0x0000000103ba203a in WebCore::RenderBox::destroy (this=0x11f27a0c8) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/rendering/RenderBox.cpp:96
#7  0x0000000103b6fe6f in WebCore::RenderBlock::destroy (this=0x11f27a0c8) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/rendering/RenderBlock.cpp:199
#8  0x0000000103aebbe7 in WebCore::Node::detach (this=0x11f2fbe10) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/dom/Node.cpp:1270
#9  0x000000010334ca4c in WebCore::ContainerNode::detach (this=0x11f2fbe10) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/dom/ContainerNode.cpp:647
#10 0x0000000103596103 in WebCore::Element::detach (this=0x11f2fbe10) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/dom/Element.cpp:837
#11 0x000000010334ca26 in WebCore::ContainerNode::detach (this=0x1262816c0) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/dom/ContainerNode.cpp:645
#12 0x0000000103596103 in WebCore::Element::detach (this=0x1262816c0) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/dom/Element.cpp:837
#13 0x000000010334dea7 in WebCore::ContainerNode::removeChild (this=0x12301a0e0, oldChild=0x1262816c0, ec=@0x7fff5fbfc2e8) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/dom/ContainerNode.cpp:374
#14 0x0000000103924408 in WebCore::JSNode::removeChild (this=0x1222a8c40, exec=0x11e0102c0) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/bindings/js/JSNodeCustom.cpp:97
#15 0x0000000103922b9e in WebCore::jsNodePrototypeFunctionRemoveChild (exec=0x11e0102c0) at /Volumes/InternalData/Development/webkit/OpenSource/WebKitBuild/Debug/DerivedSources/WebCore/JSNode.cpp:453
#16 0x000040b4118001aa in ?? ()
#17 0x0000000101dab28c in JSC::JITCode::execute (this=0x126e36ff8, registerFile=0x10935af68, callFrame=0x11e010150, globalData=0x10a04c000, exception=0x10a04d920) at JITCode.h:77
#18 0x0000000101da6caa in JSC::Interpreter::executeCall (this=0x10935af50, callFrame=0x109673a08, function=0x122ac4d40, callType=JSC::CallTypeJS, callData=@0x7fff5fbfc7a0, thisValue={m_ptr = 0x122ac2a40}, args=@0x7fff5fbfc760, exception=0x10a04d920) at /Volumes/InternalData/Development/webkit/OpenSource/JavaScriptCore/interpreter/Interpreter.cpp:780
#19 0x0000000101d62a83 in JSC::call (exec=0x109673a08, functionObject={m_ptr = 0x122ac4d40}, callType=JSC::CallTypeJS, callData=@0x7fff5fbfc7a0, thisValue={m_ptr = 0x122ac2a40}, args=@0x7fff5fbfc760) at /Volumes/InternalData/Development/webkit/OpenSource/JavaScriptCore/runtime/CallData.cpp:38
#20 0x00000001037f53b7 in WebCore::JSMainThreadExecState::call (exec=0x109673a08, functionObject={m_ptr = 0x122ac4d40}, callType=JSC::CallTypeJS, callData=@0x7fff5fbfc7a0, thisValue={m_ptr = 0x122ac2a40}, args=@0x7fff5fbfc760) at JSMainThreadExecState.h:48
#21 0x000000010388c1fa in WebCore::JSEventListener::handleEvent (this=0x10c8805f0, scriptExecutionContext=0x10c040468, event=0x107d482e0) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/bindings/js/JSEventListener.cpp:124
#22 0x00000001035b10de in WebCore::EventTarget::fireEventListeners (this=0x10c862750, event=0x107d482e0, d=0x10c862300, entry=@0x10c880260) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/dom/EventTarget.cpp:329
#23 0x00000001035b16ff in WebCore::EventTarget::fireEventListeners (this=0x10c862750, event=0x107d482e0) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/dom/EventTarget.cpp:290
#24 0x0000000103ae62db in WebCore::Node::handleLocalEvents (this=0x10c862750, event=0x107d482e0) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/dom/Node.cpp:2582
#25 0x0000000103ae695e in WebCore::Node::dispatchGenericEvent (this=0x126eb8310, prpEvent=@0x7fff5fbfcba0) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/dom/Node.cpp:2717
#26 0x0000000103ae6ec7 in WebCore::Node::dispatchEvent (this=0x126eb8310, prpEvent=@0x7fff5fbfcd30) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/dom/Node.cpp:2645
#27 0x0000000103ae512f in WebCore::Node::dispatchMouseEvent (this=0x126eb8310, eventType=@0x109384e18, button=0, detail=1, pageX=237, pageY=222, screenX=2191, screenY=316, ctrlKey=false, altKey=false, shiftKey=false, metaKey=false, isSimulated=false, relatedTargetArg=0x0, underlyingEvent=@0x7fff5fbfceb0) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/dom/Node.cpp:2937
#28 0x0000000103ae5613 in WebCore::Node::dispatchMouseEvent (this=0x126eb8310, event=@0x7fff5fbfd250, eventType=@0x109384e18, detail=1, relatedTarget=0x0) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/dom/Node.cpp:2846
#29 0x00000001035a04d2 in WebCore::EventHandler::dispatchMouseEvent (this=0x10c024f48, eventType=@0x109384e18, targetNode=0x126eb8310, clickCount=1, mouseEvent=@0x7fff5fbfd250, setUnder=true) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/page/EventHandler.cpp:1845
#30 0x00000001035a63d1 in WebCore::EventHandler::handleMousePressEvent (this=0x10c024f48, mouseEvent=@0x7fff5fbfd250) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/page/EventHandler.cpp:1305
#31 0x00000001035ac108 in WebCore::EventHandler::mouseDown (this=0x10c024f48, event=0x107d49c60) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/page/mac/EventHandlerMac.mm:494
#32 0x00000001025190fd in -[WebHTMLView mouseDown:] (self=0x109622b20, _cmd=0x7fff875b1de8, event=0x107d49c60) at /Volumes/InternalData/Development/webkit/OpenSource/WebKit/mac/WebView/WebHTMLView.mm:3538
#33 0x00007fff86fac763 in -[NSWindow sendEvent:] ()
#34 0x00007fff86ee1ee2 in -[NSApplication sendEvent:] ()
#35 0x0000000100080f7f in -[BrowserApplication sendEvent:] (self=0x109010880, _cmd=0x7fff875a7b60, event=0x107d49c60) at /Volumes/InternalData/Development/webkit/Internal/Safari/mac/BrowserApplication.mm:400
#36 0x00000001035ad6ee in WebCore::EventLoop::cycle (this=0x7fff5fbfd98e) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/platform/mac/EventLoopMac.mm:39
#37 0x0000000103ccbe91 in WebCore::ScriptDebugServer::pauseIfNeeded (this=0x109374080, page=0x10c8047b0) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/bindings/js/ScriptDebugServer.cpp:456
#38 0x0000000103ccc4d9 in WebCore::ScriptDebugServer::atStatement (this=0x109374080, debuggerCallFrame=@0x7fff5fbfda30, sourceID=4817558224, lineNumber=8) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/bindings/js/ScriptDebugServer.cpp:485
#39 0x0000000101da5401 in JSC::Interpreter::debug (this=0x10935af50, callFrame=0x11e0100a0, debugHookID=JSC::WillExecuteStatement, firstLine=8, lastLine=8) at /Volumes/InternalData/Development/webkit/OpenSource/JavaScriptCore/interpreter/Interpreter.cpp:1125
#40 0x0000000101dcc774 in cti_op_debug (args=0x7fff5fbfdae0) at /Volumes/InternalData/Development/webkit/OpenSource/JavaScriptCore/jit/JITStubs.cpp:3452
Could not find the frame base for "WTF::doubleHash(unsigned int)".
#41 0x0000000101dcb1df in WTF::doubleHash (key=) at HashTable.h:447
#42 0x0000000101dab28c in JSC::JITCode::execute (this=0x11f384028, registerFile=0x10935af68, callFrame=0x11e010040, globalData=0x10a04c000, exception=0x10a04d920) at JITCode.h:77
#43 0x0000000101da6caa in JSC::Interpreter::executeCall (this=0x10935af50, callFrame=0x11f28e4c8, function=0x122ae76c0, callType=JSC::CallTypeJS, callData=@0x7fff5fbfdf20, thisValue={m_ptr = 0x122ae7800}, args=@0x7fff5fbfdee0, exception=0x10a04d920) at /Volumes/InternalData/Development/webkit/OpenSource/JavaScriptCore/interpreter/Interpreter.cpp:780
#44 0x0000000101d62a83 in JSC::call (exec=0x11f28e4c8, functionObject={m_ptr = 0x122ae76c0}, callType=JSC::CallTypeJS, callData=@0x7fff5fbfdf20, thisValue={m_ptr = 0x122ae7800}, args=@0x7fff5fbfdee0) at /Volumes/InternalData/Development/webkit/OpenSource/JavaScriptCore/runtime/CallData.cpp:38
#45 0x00000001037f53b7 in WebCore::JSMainThreadExecState::call (exec=0x11f28e4c8, functionObject={m_ptr = 0x122ae76c0}, callType=JSC::CallTypeJS, callData=@0x7fff5fbfdf20, thisValue={m_ptr = 0x122ae7800}, args=@0x7fff5fbfdee0) at JSMainThreadExecState.h:48
#46 0x000000010388c1fa in WebCore::JSEventListener::handleEvent (this=0x11f262d50, scriptExecutionContext=0x10886ec68, event=0x11f384ae0) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/bindings/js/JSEventListener.cpp:124
#47 0x00000001035b10de in WebCore::EventTarget::fireEventListeners (this=0x11f262c30, event=0x11f384ae0, d=0x11f2617c0, entry=@0x11f261860) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/dom/EventTarget.cpp:329
#48 0x00000001035b16ff in WebCore::EventTarget::fireEventListeners (this=0x11f262c30, event=0x11f384ae0) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/dom/EventTarget.cpp:290
#49 0x0000000103ae62db in WebCore::Node::handleLocalEvents (this=0x11f262c30, event=0x11f384ae0) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/dom/Node.cpp:2582
#50 0x0000000103ae69e7 in WebCore::Node::dispatchGenericEvent (this=0x11f262c30, prpEvent=@0x7fff5fbfe320) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/dom/Node.cpp:2725
#51 0x0000000103ae6ec7 in WebCore::Node::dispatchEvent (this=0x11f262c30, prpEvent=@0x7fff5fbfe4b0) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/dom/Node.cpp:2645
#52 0x0000000103ae512f in WebCore::Node::dispatchMouseEvent (this=0x11f262c30, eventType=@0x109384d10, button=0, detail=1, pageX=47, pageY=14, screenX=123, screenY=115, ctrlKey=false, altKey=false, shiftKey=false, metaKey=false, isSimulated=false, relatedTargetArg=0x0, underlyingEvent=@0x7fff5fbfe630) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/dom/Node.cpp:2937
#53 0x0000000103ae5613 in WebCore::Node::dispatchMouseEvent (this=0x11f262c30, event=@0x7fff5fbfe8a0, eventType=@0x109384d10, detail=1, relatedTarget=0x0) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/dom/Node.cpp:2846
#54 0x00000001035a04d2 in WebCore::EventHandler::dispatchMouseEvent (this=0x109808948, eventType=@0x109384d10, targetNode=0x11f262c30, clickCount=1, mouseEvent=@0x7fff5fbfe8a0, setUnder=true) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/page/EventHandler.cpp:1845
#55 0x00000001035a3c15 in WebCore::EventHandler::handleMouseReleaseEvent (this=0x109808948, mouseEvent=@0x7fff5fbfe8a0) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/page/EventHandler.cpp:1573
#56 0x00000001035abea5 in WebCore::EventHandler::mouseUp (this=0x109808948, event=0x11f384670) at /Volumes/InternalData/Development/webkit/OpenSource/WebCore/page/mac/EventHandlerMac.mm:534
#57 0x00000001025181bd in -[WebHTMLView mouseUp:] (self=0x10c805c60, _cmd=0x7fff875b27c4, event=0x11f384670) at /Volumes/InternalData/Development/webkit/OpenSource/WebKit/mac/WebView/WebHTMLView.mm:3697
#58 0x00007fff86fac7ed in -[NSWindow sendEvent:] ()
#59 0x0000000100380ccc in -[Window sendEvent:] (self=0x10961ebe0, _cmd=0x7fff875a7b60, event=0x11f384670) at /Volumes/InternalData/Development/webkit/Internal/Safari/mac/Window.m:100
#60 0x00000001000c5b35 in -[BrowserWindow sendEvent:] (self=0x10961ebe0, _cmd=0x7fff875a7b60, event=0x11f384670) at /Volumes/InternalData/Development/webkit/Internal/Safari/mac/BrowserWindow.mm:417
#61 0x00007fff86ee1ee2 in -[NSApplication sendEvent:] ()
#62 0x0000000100080f7f in -[BrowserApplication sendEvent:] (self=0x109010880, _cmd=0x7fff875a7b60, event=0x11f384670) at /Volumes/InternalData/Development/webkit/Internal/Safari/mac/BrowserApplication.mm:400
#63 0x00007fff86e78922 in -[NSApplication run] ()
#64 0x00007fff86e715f8 in NSApplicationMain ()
#65 0x00000001002300e9 in main (argc=5, argv=0x7fff5fbff150) at /Volumes/InternalData/Development/webkit/Internal/Safari/mac/main.mm:157
Comment 5 Simon Fraser (smfr) 2010-07-28 17:02:36 PDT
Created attachment 62893
Patch
Comment 6 Pavel Feldman 2010-07-28 22:00:00 PDT
Comment on attachment 62893
Patch

Thanks for fixing this. I should have mentioned that we were running our own loop while on a breakpoint.

WebCore/rendering/RenderScrollbar.h:52
 +      void setOwningRenderer(RenderBox* owner) { m_owner = owner; }
Nit: you seem to only use this with 0, maybe you should keep the API less rich and introduce clearOwningRenderer() instead.
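Review bot: a setter that lets m_owner become null only removes the crash if every path that dereferences m_owner checks it first, and the excerpt shows only the header line, so that is the part of the full diff to verify. The stacks in this bug reach RenderScrollbar::updateScrollbarPart -> getScrollbarPseudoStyle -> RenderObject::getUncachedPseudoStyle through two different callers, setPressedPart (Scrollbar::mouseUp, Comment 0) and setHoveredPart (Scrollbar::mouseExited, Comment 3), so the null check belongs in getScrollbarPseudoStyle or updateScrollbarPart rather than in any one caller, and the teardown that Comment 4 traced (RenderLayer::destroyScrollbar, reached from ~RenderLayer) has to clear the back-pointer before it drops its reference, since EventHandler still holds a RefPtr to the scrollbar when the outer mouse event resumes.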
Comment 7 Simon Fraser (smfr) 2010-07-29 09:57:16 PDT
http://trac.webkit.org/changeset/64289
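The sequence Comment 4 traced (an outer mouse event whose DOM listener hits an inspector breakpoint, the breakpoint spins a nested event loop, script in that loop removes the node, the RenderLayer and its scrollbar owner go away, and the outer handler then finishes the release on a scrollbar it still holds) reduces to a dangling non-owning back-pointer. The following is an added example written for this page, not WebKit's code and not the attached patch: it models that lifetime in a few dozen lines, with the buggy teardown beside the one that clears the owner pointer as Comment 6 discusses. Class and method names mirror the frames in the stacks above; the Document's live-renderer registry, the StyleResult enum and the std::function standing in for the nested event loop are assumptions that keep the model self-contained and keep the "bad" path observable instead of dereferencing freed memory.

```cpp
#include <cassert>
#include <functional>
#include <memory>
#include <set>
#include <string>

// Added example (not WebKit code): reduced model of the dangling RenderScrollbar::m_owner
// pointer behind bug 42561. Names mirror the frames in the crash stacks; Document's
// registry, StyleResult and the dispatch callback are assumptions for the example.

enum class StyleResult { Computed, OwnerCleared, DanglingOwner };

struct RenderBox;

// Stand-in for the Document: tracks which renderers are alive, so a lookup through a
// dangling owner is reported (DanglingOwner) instead of reading freed memory.
struct Document {
    std::set<const RenderBox*> liveRenderers;
};

// Ref-counted scrollbar (WebCore's Scrollbar is RefCounted) with a raw back-pointer to the
// RenderBox that created it. EventHandler keeps a RefPtr across the event, so the
// scrollbar can outlive its owner; the back-pointer does not keep the owner alive.
struct RenderScrollbar {
    Document* m_document;
    RenderBox* m_owner;                 // raw, non-owning: this is what dangles
    std::string m_pressedPart = "ThumbPart";

    RenderScrollbar(Document* doc, RenderBox* owner) : m_document(doc), m_owner(owner) {}

    void clearOwningRenderer() { m_owner = nullptr; }

    // getScrollbarPseudoStyle -> RenderObject::getUncachedPseudoStyle ->
    // Document::styleSelector(): every step goes through m_owner.
    StyleResult getScrollbarPseudoStyle() const {
        if (!m_owner)
            return StyleResult::OwnerCleared;   // the null check the fix depends on
        if (!m_document->liveRenderers.count(m_owner))
            return StyleResult::DanglingOwner;  // a use-after-free in the real code
        return StyleResult::Computed;
    }

    StyleResult updateScrollbarPart() const { return getScrollbarPseudoStyle(); }

    // Scrollbar::mouseUp -> RenderScrollbar::setPressedPart(NoPart) -> updateScrollbarPart
    StyleResult mouseUp() {
        m_pressedPart = "NoPart";
        return updateScrollbarPart();
    }
};

struct RenderBox {
    Document* m_document;
    std::shared_ptr<RenderScrollbar> m_hBar;  // RenderLayer::m_hBar, a RefPtr<Scrollbar>
    bool m_fixed;                             // whether teardown clears the back-pointer

    RenderBox(Document* doc, bool fixed) : m_document(doc), m_fixed(fixed) {
        m_document->liveRenderers.insert(this);
        m_hBar = std::make_shared<RenderScrollbar>(m_document, this);
    }

    // RenderLayer::destroyScrollbar: drops the layer's reference. The buggy teardown leaves
    // m_owner pointing at the dead renderer; the fixed one clears it first.
    ~RenderBox() {
        if (m_fixed)
            m_hBar->clearOwningRenderer();
        m_hBar.reset();
        m_document->liveRenderers.erase(this);
    }
};

// EventHandler::handleMouseReleaseEvent: dispatches the DOM mouseup (during which the
// inspector breakpoint runs a nested event loop and script may mutate the DOM), then
// finishes the release on the scrollbar remembered from the press.
StyleResult handleMouseReleaseEvent(std::shared_ptr<RenderScrollbar> lastScrollbarUnderMouse,
                                    const std::function<void()>& dispatchMouseEvent) {
    dispatchMouseEvent();                       // re-entrant: may destroy the RenderBox
    return lastScrollbarUnderMouse->mouseUp();
}

// Runs the bug 42561 sequence against a buggy or a fixed renderer and reports what the
// scrollbar's pseudo-style lookup observed after its owner was destroyed mid-event.
StyleResult runScenario(bool fixed) {
    Document document;
    auto box = std::make_unique<RenderBox>(&document, fixed);
    std::shared_ptr<RenderScrollbar> pressed = box->m_hBar;  // m_lastScrollbarUnderMouse

    return handleMouseReleaseEvent(pressed, [&box] {
        box.reset();  // script's removeChild() -> ~RenderLayer -> destroyScrollbar
    });
}

int main() {
    assert(runScenario(false) == StyleResult::DanglingOwner);  // unchanged teardown
    assert(runScenario(true) == StyleResult::OwnerCleared);    // owner cleared, null-checked
    return 0;
}
```

The model makes the two halves of the fix visible: clearing the back-pointer at teardown is necessary, and so is the null check at the point of use, because a RefPtr held by EventHandler (or any other holder) keeps the scrollbar alive past its owner, and any nested event loop is enough to interleave the destruction with an in-flight event.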