RESOLVED FIXED 57736
REGRESSION (r81992): Quickly navigating OpenStreetMap crashes WebKit Nightly
https://bugs.webkit.org/show_bug.cgi?id=57736
lars.sonchocky-helldorf
Reported Monday, April 4, 2011 12:25:49 AM UTC
Steps to reproduce:
1. Go to http://www.openstreetmap.org/
2. Start double-clicking (to zoom in) and dragging (to move around) the map in a rapid manner, e.g. before all tiles are loaded.
3. WebKit Nightly will crash occasionally, while the latest release of Safari (Version 5.0.4 (6533.20.27)) won't crash (at least I couldn't crash it).
See attached crash log.
Attachments
- crash log for the bug (38.28 KB, text/plain), 2011-04-03 16:27 PDT, lars.sonchocky-helldorf, no flags
- Mark parent chain of static-positioned objects (1.03 KB, patch), 2011-04-05 10:22 PDT, mitz, no flags
- Patch (34.98 KB, patch), 2011-04-07 14:47 PDT, Dave Hyatt, no flags
- Patch (34.98 KB, patch), 2011-04-07 14:48 PDT, Dave Hyatt, mitz: review+
lars.sonchocky-helldorf
Comment 1 Monday, April 4, 2011 12:27:41 AM UTC
Created attachment 88023 [details] crash log for the bug
Alexey Proskuryakov
Comment 2 Monday, April 4, 2011 6:33:32 AM UTC
mitz
Comment 3 Tuesday, April 5, 2011 5:39:08 PM UTC
ASSERTION FAILED: !node() || documentBeingDestroyed() || !frame()->view() || frame()->view()->layoutRoot() != this
Source/WebCore/rendering/RenderObject.cpp(229) : virtual WebCore::RenderObject::~RenderObject()
#0 0x0000000104c4bd19 in WebCore::RenderObject::~RenderObject() at Source/WebCore/rendering/RenderObject.cpp:229
#1 0x0000000104baab9c in WebCore::RenderBoxModelObject::~RenderBoxModelObject() at Source/WebCore/rendering/RenderBoxModelObject.cpp:257
#2 0x0000000104b927bc in WebCore::RenderBox::~RenderBox() ()
#3 0x0000000104b2a214 in WebCore::RenderBlock::~RenderBlock() ()
#4 0x0000000104b29c85 in WebCore::RenderBlock::~RenderBlock() ()
#5 0x0000000104b29c0d in WebCore::RenderBlock::~RenderBlock() ()
#6 0x0000000104c58e76 in WebCore::RenderObject::arenaDelete(WebCore::RenderArena*, void*) ()
#7 0x0000000104c58c6d in WebCore::RenderObject::destroy() ()
#8 0x0000000104baad92 in WebCore::RenderBoxModelObject::destroy() ()
#9 0x0000000104b92f2b in WebCore::RenderBox::destroy() ()
#10 0x0000000104b2a4f5 in WebCore::RenderBlock::destroy() ()
#11 0x0000000104a538b0 in WebCore::Node::detach() ()
#12 0x0000000103c3e766 in WebCore::ContainerNode::detach() ()
#13 0x0000000104032667 in WebCore::Element::detach() ()
#14 0x0000000104033079 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) ()
#15 0x0000000104033be8 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) ()
#16 0x0000000104033be8 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) ()
#17 0x0000000104033be8 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) ()
#18 0x0000000104033be8 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) ()
#19 0x0000000104033be8 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) ()
#20 0x0000000104033be8 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) ()
#21 0x0000000104033be8 in WebCore::Element::recalcStyle(WebCore::Node::StyleChange) ()
#22 0x0000000103e6443a in WebCore::Document::recalcStyle(WebCore::Node::StyleChange) ()
#23 0x0000000103e659eb in WebCore::Document::updateStyleIfNeeded() ()
#24 0x0000000103e65c24 in WebCore::Document::updateLayout() ()
#25 0x0000000103e65dfd in WebCore::Document::updateLayoutIgnorePendingStylesheets() ()
#26 0x000000010402f101 in WebCore::Element::scrollLeft() const ()
#27 0x000000010460f84c in WebCore::jsElementScrollLeft(JSC::ExecState*, JSC::JSValue, JSC::Identifier const&) ()
#28 0x0000000101ce46fa in cti_op_get_by_id_custom_stub ()
#29 0x0000000101cf54b0 in jscGeneratedNativeCode ()
#30 0x0000000101ca3cac in JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*) ()
#31 0x0000000101c9fe73 in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) ()
#32 0x0000000101c31bef in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) at Source/JavaScriptCore/runtime/CallData.cpp:38
#33 0x0000000104517f0f in WebCore::JSMainThreadExecState::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) ()
#34 0x000000010462f227 in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) ()
#35 0x000000010406e00a in WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul>&) ()
#36 0x000000010406dd0c in WebCore::EventTarget::fireEventListeners(WebCore::Event*) ()
#37 0x0000000104a5abb1 in WebCore::Node::handleLocalEvents(WebCore::Event*) ()
#38 0x0000000104040b7c in WebCore::EventContext::handleLocalEvents(WebCore::Event*) const ()
#39 0x0000000104042003 in WebCore::EventDispatcher::dispatchEvent(WTF::PassRefPtr<WebCore::Event>) ()
#40 0x00000001040438f1 in WebCore::EventDispatcher::dispatchMouseEvent(WebCore::Node*, WebCore::PlatformMouseEvent const&, WTF::AtomicString const&, int, WebCore::Node*) ()
#41 0x0000000104a5b55f in WebCore::Node::dispatchMouseEvent(WebCore::PlatformMouseEvent const&, WTF::AtomicString const&, int, WebCore::Node*) ()
#42 0x000000010404ec15 in WebCore::EventHandler::dispatchMouseEvent(WTF::AtomicString const&, WebCore::Node*, bool, int, WebCore::PlatformMouseEvent const&, bool) ()
#43 0x000000010404f6bd in WebCore::EventHandler::handleMouseDoubleClickEvent(WebCore::PlatformMouseEvent const&) ()
#44 0x000000010405fd09 in WebCore::EventHandler::mouseUp(NSEvent*) ()
#45 0x0000000102622707 in -[WebHTMLView mouseUp:] ()
mitz
Comment 4 Tuesday, April 5, 2011 5:42:07 PM UTC
(Forgot to mention that the assertion fails because the destroyed object is the layout root.) The destroyed object corresponds to:
* DIV 0x113d2d0e0 STYLE=overflow-x: hidden; overflow-y: hidden; position: absolute; z-index: 1; left: 841px; top: 725px; width: 256px; height: 256px; display: none;
mitz
Comment 5 Tuesday, April 5, 2011 5:54:29 PM UTC
mitz
Comment 6 Tuesday, April 5, 2011 6:22:03 PM UTC
Created attachment 88268 [details] Mark parent chain of static-positioned objects This appears to fix the crash (and the assertion). I suspect that making a test case would be the hard part.
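The invariant behind the assertion in comment 3, as an added illustration that is neither WebKit code nor the attached patch: a view holds a non-owning pointer to the subtree root that still needs layout, and if that object is torn down (here, by a style recalc turning a tile into display: none) without the view being told, the pointer dangles and the next layout pass would touch freed memory. The toy `View`, `RenderObject`, `destroyUnsafe` and `destroySafe` below are assumptions made for the example; the "safe" path models the idea of moving the pending layout up to a surviving ancestor rather than WebKit's actual fix.

```cpp
#include <cstdint>
#include <cstdio>
#include <memory>
#include <vector>

// Toy model (not WebKit code): the View remembers which subtree needs
// layout through a NON-OWNING pointer, like FrameView::layoutRoot().
struct RenderObject;

struct View {
    RenderObject* layoutRoot = nullptr;   // non-owning, can go stale
    void scheduleRelayout(RenderObject* r) { layoutRoot = r; }
};

struct RenderObject {
    View* view;
    RenderObject* parent;
    std::vector<std::unique_ptr<RenderObject>> children;   // owning

    RenderObject(View* v, RenderObject* p) : view(v), parent(p) {}

    RenderObject* addChild() {
        children.push_back(std::make_unique<RenderObject>(view, this));
        return children.back().get();
    }

    // True if r is this object or lives somewhere below it.
    bool contains(const RenderObject* r) const {
        for (; r; r = r->parent)
            if (r == this) return true;
        return false;
    }

    // Mirrors the check from RenderObject::~RenderObject() in the trace:
    // the object being torn down must not be the view's pending layout root.
    ~RenderObject() {
        if (view->layoutRoot == this)
            std::fprintf(stderr, "ASSERTION FAILED: layoutRoot() != this\n");
    }
};

// Removing obj from its parent's vector frees it (and its whole subtree).
static void detachFromParent(RenderObject* obj) {
    auto& siblings = obj->parent->children;
    for (auto it = siblings.begin(); it != siblings.end(); ++it)
        if (it->get() == obj) { siblings.erase(it); return; }
}

// Buggy path: free the subtree and leave the view's pointer untouched.
static void destroyUnsafe(RenderObject* obj) { detachFromParent(obj); }

// Fixed path (example policy): if the pending layout root lies inside the
// subtree being removed, re-schedule layout on the surviving parent first.
static void destroySafe(RenderObject* obj) {
    View* v = obj->view;
    if (v->layoutRoot && obj->contains(v->layoutRoot))
        v->scheduleRelayout(obj->parent);
    detachFromParent(obj);
}

struct Outcome {
    bool dangles;                 // layoutRoot still equals the freed address
    bool pointsToSurvivingParent; // layoutRoot was moved to a live ancestor
};

// Builds root -> container -> tile, schedules layout on tile, then removes
// container with the chosen policy. Addresses are captured as integers
// before the free, so no freed memory is ever dereferenced.
static Outcome removeSubtree(bool useSafeDestroy) {
    View view;
    RenderObject root(&view, nullptr);
    RenderObject* container = root.addChild();
    RenderObject* tile = container->addChild();
    view.scheduleRelayout(tile);
    const std::uintptr_t freedAddr = reinterpret_cast<std::uintptr_t>(tile);

    if (useSafeDestroy) destroySafe(container); else destroyUnsafe(container);

    Outcome out;
    out.dangles = reinterpret_cast<std::uintptr_t>(view.layoutRoot) == freedAddr;
    out.pointsToSurvivingParent = (view.layoutRoot == &root);
    view.layoutRoot = nullptr;   // whole tree goes away next (documentBeingDestroyed case)
    return out;
}

int main() {
    std::printf("unsafe destroy leaves a dangling layout root: %s\n",
                removeSubtree(false).dangles ? "yes" : "no");
    std::printf("safe destroy leaves a dangling layout root:   %s\n",
                removeSubtree(true).dangles ? "yes" : "no");
    return 0;
}
```

Running it prints the modelled assertion once, from the unsafe path, and reports that only the safe path leaves the view pointing at an object that is still alive. The defender's lesson is the one the assertion encodes: every non-owning back-pointer needs an owner-side hook that clears or re-targets it on destruction, and a debug assertion at the destructor is the cheapest detector for the cases the hook misses.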
Dave Hyatt
Comment 7 Thursday, April 7, 2011 10:47:26 PM UTC
Dave Hyatt
Comment 8 Thursday, April 7, 2011 10:48:39 PM UTC
WebKit Review Bot
Comment 9 Thursday, April 7, 2011 10:49:48 PM UTC
Attachment 88704 [details] did not pass style-queue:
Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'LayoutTests/ChangeLog', u'LayoutTests/fast..." exit_code: 1
Source/WebCore/page/FrameView.cpp:1692: Should have a space between // and comment [whitespace/comments] [4]
Total errors found: 1 in 9 files
If any of these errors are false positives, please file a bug against check-webkit-style.
mitz
Comment 10 Thursday, April 7, 2011 11:24:57 PM UTC
Comment on attachment 88705 [details] Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=88705&action=review
> LayoutTests/fast/block/positioning/complex-positioned-movement.html:22
> +PASS if you don't crash<br>
> +and green block is shifted.
If you put this text in an HTML comment, we might not need to have half a dozen copies of platform-specific expected results in the tree.
Dave Hyatt
Comment 11 Thursday, April 7, 2011 11:33:55 PM UTC
Fixed in r83221.