To reproduce, with a release build on Leopard, run-webkit-tests fast/images/embed-image.html fast/images/extra-image-in-image-document.html

Here is an example of the crash <http://build.webkit.org/results/Leopard%20Intel%20Debug%20(Tests)/r82794%20(28446)/fast/images/extra-image-in-image-document-crash-log.txt>. Backtrace follows.

I think this may have started happening after http://trac.webkit.org/changeset/82782 since that seems to force the layout that triggers the crash.

Exception Type: EXC_BAD_ACCESS (SIGBUS)
Exception Codes: KERN_PROTECTION_FAILURE at 0x000000000000004c
Crashed Thread: 0

Thread 0 Crashed:
0   DumpRenderTree    0x00037e67 std::_Rb_tree<std::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::_Identity<std::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::less<std::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::basic_string<char, std::char_traits<char>, std::allocator<char> > > >::begin() const + 9 (stl_tree.h:588)
1   DumpRenderTree    0x00037e8f std::set<std::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::less<std::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::basic_string<char, std::char_traits<char>, std::allocator<char> > > >::begin() const + 17 (stl_set.h:239)
2   DumpRenderTree    0x00037a40 -[ResourceLoadDelegate webView:resource:willSendRequest:redirectResponse:fromDataSource:] + 944 (ResourceLoadDelegate.mm:163)
3   com.apple.WebKit  0x00e4d364 CallDelegate + 390 (WebDelegateImplementationCaching.mm:327)
4   com.apple.WebKit  0x00e4d3f2 CallResourceLoadDelegate + 60 (WebDelegateImplementationCaching.mm:540)
5   com.apple.WebKit  0x00e6ebad WebFrameLoaderClient::dispatchWillSendRequest(WebCore::DocumentLoader*, unsigned long, WebCore::ResourceRequest&, WebCore::ResourceResponse const&) + 259 (WebFrameLoaderClient.mm:388)
6   com.apple.WebCore 0x038d4952 WebCore::ResourceLoadNotifier::dispatchWillSendRequest(WebCore::DocumentLoader*, unsigned long, WebCore::ResourceRequest&, WebCore::ResourceResponse const&) + 154
7   com.apple.WebCore 0x038d4ccc WebCore::ResourceLoadNotifier::willSendRequest(WebCore::ResourceLoader*, WebCore::ResourceRequest&, WebCore::ResourceResponse const&) + 96
8   com.apple.WebCore 0x038d3233 WebCore::ResourceLoader::willSendRequest(WebCore::ResourceRequest&, WebCore::ResourceResponse const&) + 305
9   com.apple.WebCore 0x038d39c3 WebCore::ResourceLoader::init(WebCore::ResourceRequest const&) + 539
10  com.apple.WebCore 0x036b2dd9 WebCore::NetscapePlugInStreamLoader::create(WebCore::Frame*, WebCore::NetscapePlugInStreamLoaderClient*, WebCore::ResourceRequest const&) + 193
11  com.apple.WebCore 0x038d5f48 WebCore::ResourceLoadScheduler::schedulePluginStreamLoad(WebCore::Frame*, WebCore::NetscapePlugInStreamLoaderClient*, WebCore::ResourceRequest const&) + 38
12  com.apple.WebKit  0x00eb311d WebNetscapePluginStream::start() + 397 (WebNetscapePluginStream.mm:286)
13  com.apple.WebKit  0x00ebafdb -[WebNetscapePluginDocumentView(WebNPPCallbacks) loadRequest:inTarget:withNotifyData:sendNotification:] + 1255 (WebNetscapePluginView.mm:1772)
14  com.apple.WebKit  0x00ebd647 -[WebNetscapePluginDocumentView loadStream] + 385 (WebNetscapePluginView.mm:1173)
15  com.apple.WebKit  0x00e38633 -[WebBaseNetscapePluginView start] + 859 (WebBaseNetscapePluginView.mm:475)
16  com.apple.WebKit  0x00e35647 -[WebBaseNetscapePluginView viewDidMoveToWindow] + 265 (WebBaseNetscapePluginView.mm:662)
17  com.apple.AppKit  0x938c5ddc -[NSView _setWindow:] + 1413
18  com.apple.AppKit  0x938cebe5 -[NSView addSubview:] + 470
19  com.apple.WebKit  0x00e8d14b -[WebHTMLView addSubview:] + 61 (WebHTMLView.mm:3090)
20  com.apple.WebCore 0x03928d19 WebCore::ScrollView::platformAddChild(WebCore::Widget*) + 461
21  com.apple.WebCore 0x03924349 WebCore::ScrollView::addChild(WTF::PassRefPtr<WebCore::Widget>) + 267
22  com.apple.WebCore 0x038bd83a __ZN7WebCoreL22moveWidgetToParentSoonEPNS_6WidgetEPNS_9FrameViewE + 70
23  com.apple.WebCore 0x038bdbaa WebCore::RenderWidget::setWidget(WTF::PassRefPtr<WebCore::Widget>) + 688
24  com.apple.WebCore 0x0380e1b2 WebCore::RenderPart::setWidget(WTF::PassRefPtr<WebCore::Widget>) + 72
25  com.apple.WebCore 0x039a27e0 WebCore::SubframeLoader::loadPlugin(WebCore::HTMLPlugInImageElement*, WebCore::KURL const&, WTF::String const&, WTF::Vector<WTF::String, 0ul> const&, WTF::Vector<WTF::String, 0ul> const&, bool) + 544
26  com.apple.WebCore 0x039a35d8 WebCore::SubframeLoader::requestPlugin(WebCore::HTMLPlugInImageElement*, WebCore::KURL const&, WTF::String const&, WTF::Vector<WTF::String, 0ul> const&, WTF::Vector<WTF::String, 0ul> const&, bool) + 448
27  com.apple.WebCore 0x039a3779 WebCore::SubframeLoader::requestObject(WebCore::HTMLPlugInImageElement*, WTF::String const&, WTF::AtomicString const&, WTF::String const&, WTF::Vector<WTF::String, 0ul> const&, WTF::Vector<WTF::String, 0ul> const&) + 401
28  com.apple.WebCore 0x031de24e WebCore::HTMLEmbedElement::updateWidget(WebCore::PluginCreationOption) + 642
29  com.apple.WebCore 0x0314fabe WebCore::FrameView::updateWidget(WebCore::RenderEmbeddedObject*) + 388
30  com.apple.WebCore 0x0314fc7d WebCore::FrameView::updateWidgets() + 365
31  com.apple.WebCore 0x0314ffe3 WebCore::FrameView::performPostLayoutTasks() + 287
32  com.apple.WebCore 0x03153f53 WebCore::FrameView::layout(bool) + 3641
33  com.apple.WebCore 0x0312c487 WebCore::Frame::scalePage(float, WebCore::IntPoint const&) + 259
34  com.apple.WebKit  0x00f0cad4 -[WebView(WebPrivate) _scaleWebView:atOrigin:] + 88 (WebView.mm:2696)
35  DumpRenderTree    0x00015349 __ZL42resetWebViewToConsistentStateBeforeTestingv + 213
36  DumpRenderTree    0x00016149 __ZL7runTestRKSs + 747
37  DumpRenderTree    0x00016ab1 __ZL20runTestingServerLoopv + 119
38  DumpRenderTree    0x00016d44 dumpRenderTree(int, char const**) + 340
39  DumpRenderTree    0x00016f70 main + 94 (DumpRenderTree.mm:726)
40  DumpRenderTree    0x00002f4e start + 54
The crash happens because the callback is made after clearing the previous test’s layout test controller and before making a new one for the next test, so gLayoutTestController is null.
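The lifecycle gap described in that comment, as an added example that is not DumpRenderTree or WebKit code: a raw global controller pointer is torn down after one test and not yet recreated for the next, and a synchronous layout forced by the scale reset calls back into a delegate that dereferences it. All names (LayoutTestController, gController, WebView, willSendRequest, simulateResetWindow) and the plugin URL are hypothetical stand-ins. The example contrasts the pre-fix "always lay out" path with the approach attachment 88022 describes (skip the layout when the scale is not changing); the null check inside the delegate is an extra defensive measure added here for illustration, not part of the landed fix.

```cpp
// Added example (not DumpRenderTree or WebKit code): a minimal model of the
// crash window described above. Names and the URL below are hypothetical.
#include <cstdio>
#include <set>
#include <string>

// Stand-in for DumpRenderTree's LayoutTestController: it owns a std::set
// that the resource-load delegate consults on every willSendRequest callback.
struct LayoutTestController {
    std::set<std::string> urlsToIgnore;
};

// Stand-in for gLayoutTestController: a raw global that is deleted when one
// test finishes and only recreated when the next test starts.
static LayoutTestController* gController = nullptr;

struct Stats {
    int layouts = 0;             // synchronous layouts triggered by the reset
    int callbacksWhileNull = 0;  // delegate callbacks seen with gController == nullptr
};

// Model of the delegate method that crashed (frame 2 of the backtrace).
// The early return is a defensive check added in this example only; the
// landed fix stopped triggering the layout in the first place.
static bool willSendRequest(const std::string& url, Stats& stats) {
    if (!gController) {
        ++stats.callbacksWhileNull;  // in the real crash this was a null dereference
        return false;
    }
    return gController->urlsToIgnore.count(url) > 0;
}

// Model of the WebView: a layout runs post-layout tasks, which start a
// plugin, which issues a request, which calls the delegate synchronously.
struct WebView {
    float pageScale = 1.0f;
    Stats* stats = nullptr;

    void layout() {
        ++stats->layouts;
        willSendRequest("http://plugin.example/stream", *stats);  // constructed URL
    }

    // Pre-fix behaviour: every scale request forces a layout.
    void scalePageUnconditionally(float scale) {
        pageScale = scale;
        layout();
    }

    // Post-fix behaviour (what attachment 88022 describes): no layout when
    // the scale is not actually changing.
    void scalePage(float scale) {
        if (pageScale == scale)
            return;
        pageScale = scale;
        layout();
    }
};

// Replays the reset-to-scale-1.0 step inside the window where the previous
// test's controller is gone and the next test's controller does not yet exist.
static Stats simulateResetWindow(bool withFix) {
    Stats stats;
    WebView view;
    view.stats = &stats;
    view.pageScale = 1.0f;  // the previous test left the scale at the default

    delete gController;     // previous test's controller is torn down...
    gController = nullptr;  // ...and the next one has not been created yet

    if (withFix)
        view.scalePage(1.0f);
    else
        view.scalePageUnconditionally(1.0f);

    gController = new LayoutTestController;  // the next test would create it here
    delete gController;                      // clean up so the model can be re-run
    gController = nullptr;
    return stats;
}

int main() {
    Stats before = simulateResetWindow(false);
    Stats after = simulateResetWindow(true);
    std::printf("without fix: layouts=%d callbacks-with-null-controller=%d\n",
                before.layouts, before.callbacksWhileNull);
    std::printf("with fix:    layouts=%d callbacks-with-null-controller=%d\n",
                after.layouts, after.callbacksWhileNull);
    return 0;
}
```

Run stand-alone, the pre-fix path reports one layout and one callback that arrived while the controller was null (the crash condition), and the fixed path reports zero of each, because the unchanged scale no longer forces a layout. The defensive null check is worth keeping in a test harness anyway: it turns any future re-entrant callback in that window into an observable counter rather than a SIGBUS.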
Created attachment 88022 [details] Avoid unnecessary layout when the page scale is not changing
Comment on attachment 88022 [details] Avoid unnecessary layout when the page scale is not changing r=me
Fixed in r82795. <http://trac.webkit.org/changeset/82795>