Though I couldn't reproduce this issue yet, we've seen several crash reports for deviantart.com. http://code.google.com/p/chromium/issues/detail?id=58960 It seems this website uses media queries like "@media (max-width:768px) { ... }". Deepak kindly created a video where this issue is happening http://bit.ly/ecwpR6 . This video and the following stack trace would suggest this is a timing issue. The media query evaluation is happening while frame->view is unset. We may need a NULL check just like other places.

../platform/graphics/IntSize.h:73] WebCore::ScrollView::layoutWidth
MediaQueryEvaluator.cpp:350] WebCore::widthMediaFeatureEval
MediaQueryEvaluator.cpp:424] WebCore::max_widthMediaFeatureEval
MediaQueryEvaluator.cpp:535] WebCore::MediaQueryEvaluator::eval
CSSStyleSelector.cpp:6542] WebCore::CSSStyleSelector::affectedByViewportChange
FrameView.cpp:644] WebCore::FrameView::layout
RenderWidget.cpp:353] WebCore::RenderWidget::updateWidgetPosition
RenderView.cpp:584] WebCore::RenderView::updateWidgetPositions
FrameView.cpp:1634] WebCore::FrameView::performPostLayoutTasks
FrameView.cpp:819] WebCore::FrameView::layout
Document.cpp:1566] WebCore::Document::updateLayout
Document.cpp:1559] WebCore::Document::updateLayoutIgnorePendingStylesheets
Element.cpp:320] WebCore::Element::offsetLeft
V8Element.cpp:72] WebCore::ElementInternal::offsetLeftAttrGetter
objects.cc:175] v8::internal::Object::GetPropertyWithCallback
ic.cc:888] v8::internal::LoadIC::Load
ic.cc:1609] v8::internal::LoadIC_Miss

I'm not sure if this issue happens on other ports, but it seems Android has a similar issue http://code.google.com/p/android/issues/detail?id=10967
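To make the proposed fix concrete, here is an added illustration of the null-view guard the report asks for. It is not the WebKit patch and not code from this thread: it is a hypothetical, simplified model in which a Frame may have no FrameView (as for an iframe that has been detached), and a "(max-width: Npx)" / "(min-width: Npx)" feature is evaluated against the view's layout width only after the view has been checked for NULL. The types, function names and the tiny feature parser are all assumptions made for the example.

```cpp
#include <cstdlib>
#include <iostream>
#include <string>

// Hypothetical, simplified model (not WebKit code) of the objects in the
// reported crash. A FrameView knows the viewport width; a Frame may have no
// view at all while it is detached or not yet attached.
struct FrameView {
    int layoutWidth;
};

struct Frame {
    FrameView* view;  // nullptr while the frame has no view
};

// Outcome of evaluating one media feature against a frame.
enum class MediaEval { NoView, Matched, NotMatched, Unsupported };

// Parses a single feature of the form "(max-width:768px)" or
// "(min-width:768px)"; whitespace inside the parentheses is tolerated.
// Returns false for anything else, so unknown features are never matched.
static bool parseWidthFeature(const std::string& feature, bool& isMax, int& px)
{
    std::string s;
    for (char c : feature)
        if (c != ' ' && c != '\t')
            s += c;
    if (s.size() < 2 || s.front() != '(' || s.back() != ')')
        return false;
    s = s.substr(1, s.size() - 2);
    const std::string maxKey = "max-width:", minKey = "min-width:";
    std::string value;
    if (s.compare(0, maxKey.size(), maxKey) == 0) {
        isMax = true;
        value = s.substr(maxKey.size());
    } else if (s.compare(0, minKey.size(), minKey) == 0) {
        isMax = false;
        value = s.substr(minKey.size());
    } else {
        return false;
    }
    if (value.size() <= 2 || value.compare(value.size() - 2, 2, "px") != 0)
        return false;
    value.resize(value.size() - 2);
    char* end = nullptr;
    long n = std::strtol(value.c_str(), &end, 10);
    if (end == value.c_str() || *end != '\0' || n < 0)
        return false;
    px = static_cast<int>(n);
    return true;
}

// Evaluates one width feature for a frame. The first thing it does is the
// NULL check the thread proposes: with no FrameView there is no viewport
// width to compare against, so the caller gets NoView instead of a crash
// from dereferencing frame->view.
MediaEval evalWidthFeature(const Frame* frame, const std::string& feature)
{
    if (!frame || !frame->view)
        return MediaEval::NoView;
    bool isMax = false;
    int px = 0;
    if (!parseWidthFeature(feature, isMax, px))
        return MediaEval::Unsupported;
    int width = frame->view->layoutWidth;
    bool matched = isMax ? (width <= px) : (width >= px);
    return matched ? MediaEval::Matched : MediaEval::NotMatched;
}

int main()
{
    FrameView view{1024};
    Frame frame{&view};
    std::cout << "attached, (max-width:768px): "
              << (evalWidthFeature(&frame, "(max-width:768px)") == MediaEval::Matched) << "\n";
    frame.view = nullptr;  // simulate the timing window from the report
    std::cout << "detached, (max-width:768px) returns NoView: "
              << (evalWidthFeature(&frame, "(max-width:768px)") == MediaEval::NoView) << "\n";
    return 0;
}
```

The point of returning a distinct NoView result rather than silently "false" is that the caller can decide whether a detached frame should be treated as not matching the query or skipped entirely; either way the dereference that produced the WebCore::ScrollView::layoutWidth frame at the top of the trace never happens.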
Created attachment 75360 [details] Patch v1
Comment on attachment 75360 [details] Patch v1 No test? I bet you can repro pretty easily using an SVG image.
Alternatively, you can try an iframe that's been removed from the DOM but you still have a JavaScript pointer to.
Comment on attachment 75360 [details] Patch v1 r- due to no tests. This looks like an issue that should be reproducible.
Thanks Adam for the suggestion! I've tried to make a repro (by removing iframe) for a while but I couldn't reproduce this issue. Unfortunately, I'm not familiar with either iframe loading and SVG image in WebKit. Could you tell me a change or a test which is related to similar issue? Thanks!
Look for tests with SVG images. You then have a <foreignObject> element in your SVG (try grepping the LayoutTests for an example). In the foreignObject you can put your iframe. I think that should have a null view. Another option is to look at some other null checks of the view and see if they were added together with a similar test for what you need.
Thanks again for your suggestion.

> Look for tests with SVG images. You then have a <foreignObject> element in your SVG (try grepping the LayoutTests for an example). In the foreignObject you can put your iframe. I think that should have a null view.

I tried some HTMLs like

<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" id="svg" width="600" height="400">
  <foreignObject width="100%" height="100%">
    <html xmlns="http://www.w3.org/1999/xhtml">
      <body>
        <!-- foo.html contains @media (max-width:1768px) { ... } in its style -->
        <iframe id="iframe" src="foo.html"></iframe>
      </body>
    </html>
  </foreignObject>
</svg>

but the iframe always had non-NULL views. Maybe I'm misunderstanding your suggestion?

> Another option is to look at some other null checks of the view and see if they were added together with a similar test for what you need.

I checked a bunch of similar NULL checks. Unfortunately, most of them are part of big changes and didn't have a corresponding test. This change was a small one but it doesn't have a test... http://trac.webkit.org/changeset/24800 It seems I need a better understanding of frame lifetimes...
The changes have already been merged in the MediaQueryEvaluator.cpp file, so this issue should be Resolved. Thanks, Deepak Mittal
Based on Comment 08, this can be closed. Thanks!
<rdar://problem/94752029>