This is the backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00007f888920a027 in WebCore::RenderPart::setWidget (this=0x1ed17f8, widget=...) at ../../../Source/WebCore/rendering/RenderPart.cpp:59
59	    viewCleared();
(gdb) bt
#0  0x00007f888920a027 in WebCore::RenderPart::setWidget (this=0x1ed17f8, widget=...) at ../../../Source/WebCore/rendering/RenderPart.cpp:59
#1  0x00007f8888f25db5 in WebCore::SubframeLoader::loadPlugin (this=0x1eb2b08, pluginElement=0x1f988f0, url=..., mimeType="application/x-webkit-test-netscape", paramNames=WTF::Vector of length 5, capacity 16 = {...}, paramValues=WTF::Vector of length 5, capacity 16 = {...}, useFallback=false) at ../../../Source/WebCore/loader/SubframeLoader.cpp:370
#2  0x00007f8888f24c12 in WebCore::SubframeLoader::requestPlugin (this=0x1eb2b08, ownerElement=0x1f988f0, url=..., mimeType="application/x-webkit-test-netscape", paramNames=WTF::Vector of length 5, capacity 16 = {...}, paramValues=WTF::Vector of length 5, capacity 16 = {...}, useFallback=false) at ../../../Source/WebCore/loader/SubframeLoader.cpp:122
#3  0x00007f8888f24de6 in WebCore::SubframeLoader::requestObject (this=0x1eb2b08, ownerElement=0x1f988f0, url="(null)", frameName="(null)", mimeType="application/x-webkit-test-netscape", paramNames=WTF::Vector of length 5, capacity 16 = {...}, paramValues=WTF::Vector of length 5, capacity 16 = {...}) at ../../../Source/WebCore/loader/SubframeLoader.cpp:142
#4  0x00007f8888d3a94a in WebCore::HTMLEmbedElement::updateWidget (this=0x1f988f0, pluginCreationOption=WebCore::CreateOnlyNonNetscapePlugins) at ../../../Source/WebCore/html/HTMLEmbedElement.cpp:184
#5  0x00007f8888d7297b in WebCore::HTMLPlugInImageElement::updateWidgetIfNecessary (this=0x1f988f0) at ../../../Source/WebCore/html/HTMLPlugInImageElement.cpp:170
#6  0x00007f8888d72a5d in WebCore::HTMLPlugInImageElement::updateWidgetCallback (n=0x1f988f0) at ../../../Source/WebCore/html/HTMLPlugInImageElement.cpp:193
#7  0x00007f8888b69fcb in WebCore::ContainerNode::dispatchPostAttachCallbacks () at ../../../Source/WebCore/dom/ContainerNode.cpp:746
#8  0x00007f8888b69e26 in WebCore::ContainerNode::resumePostAttachCallbacks (this=0x1f12bb0) at ../../../Source/WebCore/dom/ContainerNode.cpp:713
#9  0x00007f8888b7fdb6 in WebCore::Document::recalcStyle (this=0x1f12bb0, change=WebCore::Node::NoChange) at ../../../Source/WebCore/dom/Document.cpp:1605
#10 0x00007f8888b7ff5a in WebCore::Document::updateStyleIfNeeded (this=0x1f12bb0) at ../../../Source/WebCore/dom/Document.cpp:1627
#11 0x00007f8888f9d636 in WebCore::FrameView::updateLayoutAndStyleIfNeededRecursive (this=0x1f12260) at ../../../Source/WebCore/page/FrameView.cpp:2809
#12 0x00007f88888f0604 in WebKit::WebPage::layoutIfNeeded (this=0x1ea4fd0) at ../../../Source/WebKit2/WebProcess/WebPage/WebPage.cpp:659
#13 0x00007f88888dddea in WebKit::DrawingAreaImpl::display (this=0x1eb5140, updateInfo=...) at ../../../Source/WebKit2/WebProcess/WebPage/DrawingAreaImpl.cpp:619
#14 0x00007f88888dda5d in WebKit::DrawingAreaImpl::display (this=0x1eb5140) at ../../../Source/WebKit2/WebProcess/WebPage/DrawingAreaImpl.cpp:566
#15 0x00007f88888dd8f4 in WebKit::DrawingAreaImpl::displayTimerFired (this=0x1eb5140) at ../../../Source/WebKit2/WebProcess/WebPage/DrawingAreaImpl.cpp:545
#16 0x00007f88888df0b2 in Timer<WebKit::DrawingAreaImpl>::fired (this=0x1eb51d0) at ../../../Source/WebKit2/Platform/RunLoop.h:127
#17 0x00007f8888757339 in RunLoop::TimerBase::timerFiredCallback (timer=0x1eb51d0) at ../../../Source/WebKit2/Platform/gtk/RunLoopGtk.cpp:106
#18 0x00007f8883d4ac09 in g_timeout_dispatch (source=0x1ee59d0, callback=0x7f88887572ee <RunLoop::TimerBase::timerFiredCallback(RunLoop::TimerBase*)>, user_data=0x1eb51d0) at gmain.c:3904
#19 0x00007f8883d4760c in g_main_dispatch (context=0x1e600f0) at gmain.c:2439
#20 0x00007f8883d48b52 in g_main_context_dispatch (context=0x1e600f0) at gmain.c:3008
#21 0x00007f8883d49008 in g_main_context_iterate (context=0x1e600f0, block=1, dispatch=1, self=0x1e238b0) at gmain.c:3086
#22 0x00007f8883d49766 in g_main_loop_run (loop=0x1e603a0) at gmain.c:3294
#23 0x00007f888875710d in RunLoop::run () at ../../../Source/WebKit2/Platform/gtk/RunLoopGtk.cpp:56
#24 0x00007f888885e5b1 in WebKit::WebProcessMainGtk (argc=2, argv=0x7fffe1226e58) at ../../../Source/WebKit2/WebProcess/gtk/WebProcessMainGtk.cpp:64
#25 0x0000000000400984 in main (argc=2, argv=0x7fffe1226e58) at ../../../Source/WebKit2/gtk/MainGtk.cpp:31
Working on this...
Created attachment 112347 [details] Patch
Removing the GTK tag since this bug is platform-independent.
So this is the story of the bug as far as I understood it. This test loads a plugin that auto-removes itself from the document during plugin initialization. The thing is that the RenderWidget was auto-destroying itself during that process, because the plugin was triggering a ::destroy call on the RenderWidget while it was still running the setWidget() code needed to load the plugin. What I did in the patch above was to use RenderWidget's ref counting system to prevent the renderer from being destroyed while executing its own code. (Maybe the other option is to use WebCore::RenderWidget::suspendWidgetHierarchyUpdates, but I'm not sure if we want to do that in this specific case.) I don't have a clear explanation of why this was failing only in WebKit2, but maybe it's because they're just following different execution paths. I was also tempted to remove this test from the Skipped file for other ports, but I'm still not sure how to proceed in this case. Should I first ask somebody else to try it before landing? (Assuming the patch is correct, of course.) PS: adding to the Cc some people who look familiar with this code.
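The re-entrancy described in the comment above, as an added example that is not WebKit's code: a stand-in render object whose setWidget() calls into plugin initialization, a constructed plugin hook that removes itself (and so destroys the renderer) from inside that call, and a guarded variant that holds a self-reference across the call the way the proposed patch uses RenderWidget's own ref counting. The class and function names, the poisoning flag that deref() sets in place of a real delete, and the scenario driver are all assumptions made for the example.

```cpp
#include <functional>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Added example, not WebKit code. setWidget() calls into plugin
// initialization; the plugin removes its element from the document, which
// tears the renderer down (destroy()); control then returns into
// setWidget() on an object that no longer exists. The guarded variant
// keeps the object alive for the duration of the call.

using Log = std::vector<std::string>;

class RenderWidget {
public:
    // pluginInit is a constructed stand-in for the plugin initialization
    // hook; in the real trace that work happens under SubframeLoader::loadPlugin.
    RenderWidget(Log& log, std::function<void(RenderWidget&)> pluginInit)
        : m_log(log), m_pluginInit(std::move(pluginInit)) {}

    void ref() { ++m_refCount; }

    // Real code would `delete this` when the count reaches zero. Here the
    // object is only poisoned so a later touch can be observed safely.
    void deref() {
        if (--m_refCount == 0) {
            m_freed = true;
            m_log.push_back("freed");
        }
    }

    // What happens when the element leaves the document: the render tree
    // gives up the reference it held on the renderer.
    void destroy() {
        m_log.push_back("destroy");
        m_destroyed = true;
        deref();
    }

    // Mirrors the crashing path (RenderPart::setWidget -> viewCleared()):
    // after the plugin has destroyed us, viewCleared() runs on freed memory.
    void setWidgetUnguarded() {
        m_pluginInit(*this);
        viewCleared();
    }

    // The fix pattern: hold a self-reference across the re-entrant call,
    // skip work that needs a live renderer if we were torn down meanwhile,
    // and drop the reference last so deletion happens once we are done.
    void setWidgetGuarded() {
        ref();
        m_pluginInit(*this);
        if (!m_destroyed)
            viewCleared();
        deref();
    }

private:
    void viewCleared() {
        m_log.push_back(m_freed ? "use-after-free" : "viewCleared");
    }

    Log& m_log;
    std::function<void(RenderWidget&)> m_pluginInit;
    int m_refCount = 1;       // the render tree's reference
    bool m_destroyed = false;
    bool m_freed = false;
};

// Drives one scenario and returns the event log. With pluginRemovesItself
// the hook destroys the renderer while setWidget() is still on the stack.
Log runSetWidget(bool guarded, bool pluginRemovesItself) {
    Log log;
    std::function<void(RenderWidget&)> plugin;
    if (pluginRemovesItself)
        plugin = [](RenderWidget& r) { r.destroy(); };
    else
        plugin = [](RenderWidget&) {};
    RenderWidget* renderer = new RenderWidget(log, plugin);
    if (guarded)
        renderer->setWidgetGuarded();
    else
        renderer->setWidgetUnguarded();
    delete renderer;  // the stand-in never deletes itself; clean up here
    return log;
}

int main() {
    for (bool guarded : {false, true}) {
        std::cout << (guarded ? "guarded:   " : "unguarded: ");
        for (const auto& e : runSetWidget(guarded, true))
            std::cout << e << ' ';
        std::cout << '\n';
    }
    return 0;
}
```

The guard adds nothing on the normal path (the plugin does not remove itself, the count returns to one, viewCleared() runs as before); it only changes the order of teardown when the plugin does remove itself, which is the case the test exercises.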
Comment on attachment 112347 [details] Patch
I don't think this is the right fix - if this only happens in WebKit2 then we should try to fix it there.
Is this still the case on any platforms? I just ran the test on Mac locally, and it passed.
Seems to be marked as flaky on Mac, works on GTK+, and skipped on Windows since 2009. I'm just going to close this bug.