Bug 65492 - Crash in MainFrameScrollbarGtk::detachAdjustment (v. 1.4.2)
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKitGTK
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL: https://bugzilla.gnome.org/show_bug.c...
Keywords:
Depends on:
Blocks:
Reported: 2011-08-01 15:10 PDT by Ed Catmur
Modified: 2011-08-29 14:21 PDT

See Also:

Attachments
MainFrameScrollbarGtk.patch (764 bytes, patch)
2011-08-01 15:12 PDT, Ed Catmur

Description Ed Catmur 2011-08-01 15:10:56 PDT
See downstream for full stack trace.

#0  0x005457a3 in g_type_check_instance_cast (type_instance=0xfffffffe, iface_type=80) at gtype.c:3969
#1  0x42489475 in WebCore::MainFrameScrollbarGtk::detachAdjustment (this=0xad9131b0) at WebCore/platform/gtk/MainFrameScrollbarGtk.cpp:79
#2  0x4249543b in WebCore::ScrollView::setHorizontalAdjustment (this=0xa8bc7a00, hadj=0x0, resetValues=true) at WebCore/platform/gtk/ScrollViewGtk.cpp:92
#3  0x42495705 in WebCore::ScrollView::setGtkAdjustments (this=0xa8bc7a00, hadj=0x0, vadj=0x0, resetValues=true) at WebCore/platform/gtk/ScrollViewGtk.cpp:161
#4  0x424c7ecd in WebKit::FrameLoaderClient::savePlatformDataToCachedFrame (this=0xa8ba50d0, cachedFrame=0xadd4ed20) at WebKit/gtk/WebCoreSupport/FrameLoaderClientGtk.cpp:1270
#5  0x41f1012e in WebCore::CachedFrame::CachedFrame (this=0xadd4ed20, frame=0xa8ba0c00) at WebCore/history/CachedFrame.cpp:144
#6  0x41f1017c in create (this=0xadd4e780, frame=0xaa23c200) at WebCore/history/CachedFrame.h:73
#7  WebCore::CachedFrame::CachedFrame (this=0xadd4e780, frame=0xaa23c200) at WebCore/history/CachedFrame.cpp:148
#8  0x41f10502 in create (this=0xb6fa9260, page=0xad19df20) at WebCore/history/CachedFrame.h:73

On branch releases/WebKitGTK/webkit-1.4, if a ScrollView that previously did not have a parent acquires a parent, ScrollView::setHorizontalAdjustment()/ScrollView::setVerticalAdjustment() expect m_horizontalScrollbar/m_verticalScrollbar to be a MainFrameScrollbarGtk when it is actually a Scrollbar. Result is heap UMR or similar.

Proposed fix is to remove the scrollbars when a ScrollView that previously did not have a parent acquires a parent; patch to follow.

Trunk does not have this issue as the dangerous casts are absent.
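As an added illustration, not WebKit code and not from the reporter or the attached patch: a constructed C++ model of the unsafe-downcast pattern the description names, beside a checked version that replaces the mismatched scrollbar in the spirit of the proposed fix. Class and member names echo the stack trace; Adjustment, isMainFrameScrollbar() and AdjResult are assumptions of the model.

```cpp
// Constructed model of the bug class in this report; it is not WebKit code.
// Names echo the stack trace; isMainFrameScrollbar() is a hypothetical type tag.
#include <memory>
struct Adjustment { int value = 0; };   // stand-in for a GtkAdjustment

class Scrollbar {                        // what a parentless ScrollView creates
public:
    virtual ~Scrollbar() = default;
    virtual bool isMainFrameScrollbar() const { return false; }
};
class MainFrameScrollbarGtk : public Scrollbar {   // owns the adjustment binding
public:
    bool isMainFrameScrollbar() const override { return true; }
    void attachAdjustment(Adjustment* adj) { m_adjustment = adj; }
    void detachAdjustment() { m_adjustment = nullptr; }
    Adjustment* adjustment() const { return m_adjustment; }
private:
    Adjustment* m_adjustment = nullptr;
};
enum class AdjResult { Detached = 0, Attached = 1, ReplacedScrollbar = 2 };
class ScrollView {
public:
    std::unique_ptr<Scrollbar> m_horizontalScrollbar = std::make_unique<Scrollbar>();
    // Unsafe pattern from the description: the downcast is unconditional, so on a plain
    // Scrollbar it dereferences a member that is not there (UB; the report's crash path).
    void setHorizontalAdjustmentUnchecked(Adjustment* hadj) {
        auto* bar = static_cast<MainFrameScrollbarGtk*>(m_horizontalScrollbar.get());
        hadj ? bar->attachAdjustment(hadj) : bar->detachAdjustment();
    }
    // Checked version: test the dynamic type first and, following the report's
    // proposal, replace a mismatched scrollbar instead of reinterpreting it.
    AdjResult setHorizontalAdjustment(Adjustment* hadj) {
        AdjResult result = hadj ? AdjResult::Attached : AdjResult::Detached;
        if (!m_horizontalScrollbar->isMainFrameScrollbar()) {   // "acquired a parent" case
            m_horizontalScrollbar = std::make_unique<MainFrameScrollbarGtk>();
            result = AdjResult::ReplacedScrollbar;
        }
        auto* bar = static_cast<MainFrameScrollbarGtk*>(m_horizontalScrollbar.get());
        hadj ? bar->attachAdjustment(hadj) : bar->detachAdjustment();
        return result;
    }
};
// Replays the report's scenario on the checked path; results packed as digits.
int replayReportScenario() {
    ScrollView view; Adjustment adj;
    int a = static_cast<int>(view.setHorizontalAdjustment(&adj));    // 2: replaced
    int b = static_cast<int>(view.setHorizontalAdjustment(nullptr)); // 0: detached
    int c = static_cast<int>(view.setHorizontalAdjustment(&adj));    // 1: attached
    return a * 100 + b * 10 + c;                                      // 201
}
```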
Comment 1 Ed Catmur 2011-08-01 15:12:12 PDT
Created attachment 102568
MainFrameScrollbarGtk.patch
Comment 2 Martin Robinson 2011-08-03 05:43:11 PDT
Perhaps the right thing to do here is to merge the real scrollbar fix into stable. This was the one which moved adjustment handling out of WebCore entirely.
Comment 3 Gustavo Noronha (kov) 2011-08-05 04:29:06 PDT
I'm in favor of what you propose, Martin. It's a big change, but also one we know improves stability by making the whole thing less complex.
Comment 4 Martin Robinson 2011-08-29 14:21:43 PDT
Should be fixed as of http://trac.webkit.org/changeset/94012. This fix will be in WebKitGTK+ 1.4.3.