WebKit Bugzilla
NEW
71044
RenderLayer::hasVisibleContent() can be called when m_visibleContentStatusDirty is true
https://bugs.webkit.org/show_bug.cgi?id=71044
Simon Fraser (smfr)
Reported
2011-10-27 11:50:21 PDT
RenderBox::clippedOverflowRectForRepaint() calls enclosingLayer()->hasVisibleContent() in cases where hasVisibleContent() may return incorrect data. Here's one stack trace where this happens:

1 0x1048e712c WebCore::RenderLayer::hasVisibleContent() const
2 0x104a09aca WebCore::RenderReplaced::clippedOverflowRectForRepaint(WebCore::RenderBoxModelObject*) const
3 0x1049f3ff8 WebCore::RenderObject::repaint(bool)
4 0x1049f6fde WebCore::RenderObject::setStyle(WTF::PassRefPtr<WebCore::RenderStyle>)
5 0x1049f664b WebCore::RenderObject::setAnimatableStyle(WTF::PassRefPtr<WebCore::RenderStyle>)
6 0x1047ff7d3 WebCore::Node::setRenderStyle(WTF::PassRefPtr<WebCore::RenderStyle>)
7 0x103e57c09 WebCore::Element::recalcStyle(WebCore::Node::StyleChange)
8 0x103e5809f WebCore::Element::recalcStyle(WebCore::Node::StyleChange)
9 0x103e5809f WebCore::Element::recalcStyle(WebCore::Node::StyleChange)
10 0x103e5809f WebCore::Element::recalcStyle(WebCore::Node::StyleChange)
11 0x103c88c91 WebCore::Document::recalcStyle(WebCore::Node::StyleChange)
12 0x103c89d09 WebCore::Document::updateStyleIfNeeded()
13 0x103c89ece WebCore::Document::updateLayout()
14 0x103c8a074 WebCore::Document::updateLayoutIgnorePendingStylesheets()
15 0x103e54e19 WebCore::Element::getBoundingClientRect()
16 0x1043820bf WebCore::jsElementPrototypeFunctionGetBoundingClientRect(JSC::ExecState*)
17 0x5127366014f8
18 0x101b8ef49 JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*)
19 0x101b8b866 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
20 0x101ae2bd1 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
21 0x1042799e3 WebCore::JSMainThreadExecState::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
22 0x104b36263 WebCore::ScheduledAction::executeFunctionInContext(JSC::JSGlobalObject*, JSC::JSValue, WebCore::ScriptExecutionContext*)
23 0x104b35d49 WebCore::ScheduledAction::execute(WebCore::Document*)
24 0x104b35b74 WebCore::ScheduledAction::execute(WebCore::ScriptExecutionContext*)
25 0x103def266 WebCore::DOMTimer::fired()
26 0x104d8de67 WebCore::ThreadTimers::sharedTimerFiredInternal()
27 0x104d8dc39 WebCore::ThreadTimers::sharedTimerFired()
28 0x104bb7873 _ZN7WebCoreL10timerFiredEP16__CFRunLoopTimerPv

But I also see it during style updates before event handling.

Detected with:

- bool hasVisibleContent() const { return m_hasVisibleContent; }
- bool hasVisibleDescendant() const { return m_hasVisibleDescendant; }
+ bool hasVisibleContent() const { ASSERT(!m_visibleContentStatusDirty); return m_hasVisibleContent; }
+ bool hasVisibleDescendant() const { ASSERT(!m_visibleDescendantStatusDirty); return m_hasVisibleDescendant; }
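Review bot: the two added ASSERT(!m_visibleContentStatusDirty) / ASSERT(!m_visibleDescendantStatusDirty) lines detect the stale read but do not change what the accessors return, so in a release build hasVisibleContent() still hands a possibly stale m_hasVisibleContent to callers such as RenderBox::clippedOverflowRectForRepaint() in the trace above. The change that closes the bug has to either bring the cached status up to date before the repaint and style-change paths query it, or stop those callers from depending on the cached bit; the assertions are worth keeping alongside that change as the check that no further caller reads through a dirty flag.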
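The pattern behind this report, as an added illustration that is not part of the bug or of WebKit's code: a cached boolean guarded by a dirty flag, a mutation that only marks it dirty, and an accessor that flags any read made while the flag is still set, which is what the ASSERT above does in a debug build. The class, its members and the two scenario functions are constructed here; the member names echo the report, but `Layer`, `setVisibleStyle`, `updateVisibilityStatus`, `runStaleReadScenario` and `runFixedScenario` are assumptions, and the visibility recomputation is simplified to a single bit.

```cpp
#include <cstddef>
#include <cstdio>

// Hypothetical stand-in for a RenderLayer-like object. The members mirror the
// names in the report (m_hasVisibleContent, m_visibleContentStatusDirty), but
// this class is constructed for the example and is not WebKit code.
class Layer {
public:
    explicit Layer(bool visibleStyle) : m_visibleStyle(visibleStyle) {}

    // A style change does not recompute visibility; it only marks the cached
    // bit dirty, to be recomputed lazily by updateVisibilityStatus().
    void setVisibleStyle(bool visible) {
        m_visibleStyle = visible;
        m_visibleContentStatusDirty = true;
    }

    // Recompute the cached bit and clear the dirty flag. The real code also
    // walks descendants; here visibility is just the layer's own style bit.
    void updateVisibilityStatus() {
        if (!m_visibleContentStatusDirty)
            return;
        m_hasVisibleContent = m_visibleStyle;
        m_visibleContentStatusDirty = false;
    }

    // Accessor in the spirit of the ASSERT in the report. Instead of aborting,
    // this example counts the violation so a test can observe it; WebKit's
    // ASSERT traps in a debug build and compiles to nothing in release.
    bool hasVisibleContent() const {
        if (m_visibleContentStatusDirty)
            ++s_dirtyReads;
        return m_hasVisibleContent;
    }

    bool isStatusDirty() const { return m_visibleContentStatusDirty; }
    static std::size_t dirtyReads() { return s_dirtyReads; }
    static void resetDirtyReads() { s_dirtyReads = 0; }

private:
    bool m_visibleStyle;
    bool m_hasVisibleContent = false;
    bool m_visibleContentStatusDirty = true;
    static std::size_t s_dirtyReads;
};
std::size_t Layer::s_dirtyReads = 0;

struct StaleReadResult {
    bool valueReadWhileDirty;   // what the repaint path would have acted on
    bool valueAfterUpdate;      // the correct, recomputed answer
    std::size_t dirtyReads;     // violations the checked accessor observed
};

// Sequence matching the first stack in the report: setStyle() dirties the
// flag, then repaint() -> clippedOverflowRectForRepaint() queries it before
// anything has brought the status up to date.
StaleReadResult runStaleReadScenario() {
    Layer::resetDirtyReads();
    Layer layer(true);
    layer.updateVisibilityStatus();            // cache: visible, clean
    layer.setVisibleStyle(false);              // style change: cache stale, dirty
    bool stale = layer.hasVisibleContent();    // the bug: read while dirty
    layer.updateVisibilityStatus();
    bool fresh = layer.hasVisibleContent();    // read after update: clean
    return { stale, fresh, Layer::dirtyReads() };
}

// Corrected ordering: update the status before the read, so the accessor
// never observes the dirty flag set.
StaleReadResult runFixedScenario() {
    Layer::resetDirtyReads();
    Layer layer(true);
    layer.updateVisibilityStatus();
    layer.setVisibleStyle(false);
    layer.updateVisibilityStatus();            // bring status up to date first
    bool value = layer.hasVisibleContent();
    return { value, value, Layer::dirtyReads() };
}

int main() {
    StaleReadResult r = runStaleReadScenario();
    std::printf("stale read: %d, after update: %d, dirty reads: %zu\n",
                r.valueReadWhileDirty, r.valueAfterUpdate, r.dirtyReads);
    StaleReadResult f = runFixedScenario();
    std::printf("fixed ordering: %d, dirty reads: %zu\n",
                f.valueAfterUpdate, f.dirtyReads);
    return 0;
}
```

In the stale scenario the repaint-side read returns true for a layer whose style has just become invisible, and the checked accessor records one dirty read; in the fixed ordering the value is correct and the counter stays at zero. Counting instead of trapping is only so the example can show both outcomes in one run; in a WebKit debug build the ASSERT fires at the first such read, which is what produced the traces in this bug.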
Simon Fraser (smfr)
Comment 1
2011-10-27 13:12:16 PDT
Here's another example:

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.WebCore 0x000000010396a0d0 WebCore::RenderLayer::hasVisibleContent() const + 96 (RenderLayer.h:388)
1 com.apple.WebCore 0x0000000103a7a433 WebCore::RenderObject::styleWillChange(WebCore::StyleDifference, WebCore::RenderStyle const*) + 483 (RenderObject.cpp:1781)
2 com.apple.WebCore 0x00000001039c3c0a WebCore::RenderBoxModelObject::styleWillChange(WebCore::StyleDifference, WebCore::RenderStyle const*) + 1418 (RenderBoxModelObject.cpp:343)
3 com.apple.WebCore 0x00000001039ac4a0 WebCore::RenderBox::styleWillChange(WebCore::StyleDifference, WebCore::RenderStyle const*) + 864 (RenderBox.cpp:341)
4 com.apple.WebCore 0x000000010394585e WebCore::RenderBlock::styleWillChange(WebCore::StyleDifference, WebCore::RenderStyle const*) + 798 (RenderBlock.cpp:238)
5 com.apple.WebCore 0x0000000103a79a35 WebCore::RenderObject::setStyle(WTF::PassRefPtr<WebCore::RenderStyle>) + 389 (RenderObject.cpp:1713)
6 com.apple.WebCore 0x0000000103b36900 WebCore::RenderTextControl::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) + 320 (RenderTextControl.cpp:93)
7 com.apple.WebCore 0x0000000103a79ec3 WebCore::RenderObject::setStyle(WTF::PassRefPtr<WebCore::RenderStyle>) + 1555 (RenderObject.cpp:1729)
8 com.apple.WebCore 0x0000000103a7961b WebCore::RenderObject::setAnimatableStyle(WTF::PassRefPtr<WebCore::RenderStyle>) + 139 (RenderObject.cpp:1640)
9 com.apple.WebCore 0x0000000103882773 WebCore::Node::setRenderStyle(WTF::PassRefPtr<WebCore::RenderStyle>) + 83 (Node.cpp:1506)
10 com.apple.WebCore 0x0000000102edaba9 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 1433 (Element.cpp:1141)
11 com.apple.WebCore 0x0000000102edb03f WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 2607 (Element.cpp:1184)
12 com.apple.WebCore 0x0000000102edb03f WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 2607 (Element.cpp:1184)
13 com.apple.WebCore 0x0000000102edb03f WebCore::Element::recalcStyle(WebCore::Node::StyleChange) + 2607 (Element.cpp:1184)
14 com.apple.WebCore 0x0000000102d0bc31 WebCore::Document::recalcStyle(WebCore::Node::StyleChange) + 945 (Document.cpp:1507)
15 com.apple.WebCore 0x0000000102d0cca9 WebCore::Document::updateStyleIfNeeded() + 361 (Document.cpp:1569)
16 com.apple.WebCore 0x0000000102d0ce6e WebCore::Document::updateLayout() + 158 (Document.cpp:1596)
17 com.apple.WebCore 0x0000000102d0d014 WebCore::Document::updateLayoutIgnorePendingStylesheets() + 196 (Document.cpp:1631)
18 com.apple.WebCore 0x0000000102edcace WebCore::Element::focus(bool) + 126 (Element.cpp:1605)
19 com.apple.WebCore 0x000000010340370f WebCore::jsElementPrototypeFunctionFocus(JSC::ExecState*) + 351 (JSElement.cpp:1903)
20 ??? 0x00004c9c8b2011f8 0 + 84235232743928
21 com.apple.JavaScriptCore 0x0000000101a08f49 JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*) + 121 (JITCode.h:103)
22 com.apple.JavaScriptCore 0x0000000101a04eaa JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::ScopeChainNode*, JSC::JSObject*) + 4890 (Interpreter.cpp:897)
23 com.apple.JavaScriptCore 0x0000000101979e9a JSC::evaluate(JSC::ExecState*, JSC::ScopeChainNode*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*) + 458 (Completion.cpp:70)
24 com.apple.WebCore 0x0000000103519a31 WebCore::JSMainThreadExecState::evaluate(JSC::ExecState*, JSC::ScopeChainNode*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*) + 81 (JSMainThreadExecState.h:58)
25 com.apple.WebCore 0x0000000103bc5b5f WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld*) + 495 (ScriptController.cpp:145)
26 com.apple.WebCore 0x0000000103bc5cc4 WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&) + 68 (ScriptController.cpp:163)
27 com.apple.WebCore 0x0000000103bdb159 WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) + 473 (ScriptElement.cpp:297)
28 com.apple.WebCore 0x0000000103bd9e6d WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport) + 1853 (ScriptElement.cpp:247)
29 com.apple.WebCore 0x000000010311254c WebCore::HTMLScriptRunner::runScript(WebCore::Element*, WTF::TextPosition const&) + 460 (HTMLScriptRunner.cpp:298)
30 com.apple.WebCore 0x00000001031122df WebCore::HTMLScriptRunner::execute(WTF::PassRefPtr<WebCore::Element>, WTF::TextPosition const&) + 159 (HTMLScriptRunner.cpp:172)
31 com.apple.WebCore 0x0000000103098b4c WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() + 332 (HTMLDocumentParser.cpp:207)
32 com.apple.WebCore 0x0000000103098c3b WebCore::HTMLDocumentParser::canTakeNextToken(WebCore::HTMLDocumentParser::SynchronousMode, WebCore::PumpSession&) + 171 (HTMLDocumentParser.cpp:225)
33 com.apple.WebCore 0x00000001030984b6 WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) + 470 (HTMLDocumentParser.cpp:263)
34 com.apple.WebCore 0x00000001030980c8 WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode) + 200 (HTMLDocumentParser.cpp:178)
35 com.apple.WebCore 0x000000010309912f WebCore::HTMLDocumentParser::append(WebCore::SegmentedString const&) + 335 (HTMLDocumentParser.cpp:372)
36 com.apple.WebCore 0x0000000102cdce7d WebCore::DecodedDataDocumentParser::appendBytes(WebCore::DocumentWriter*, char const*, unsigned long) + 237 (DecodedDataDocumentParser.cpp:50)
37 com.apple.WebCore 0x0000000102d6969d WebCore::DocumentWriter::addData(char const*, unsigned long) + 93 (DocumentWriter.cpp:207)
38 com.apple.WebCore 0x0000000102d4909e WebCore::DocumentLoader::commitData(char const*, unsigned long) + 286 (DocumentLoader.cpp:318)
39 com.apple.WebKit 0x00000001023574d6 -[WebFrame(WebInternal) _commitData:] + 214 (WebFrame.mm:858)
40 com.apple.WebKit 0x000000010238eb50 -[WebHTMLRepresentation receivedData:withDataSource:] + 128 (WebHTMLRepresentation.mm:185)
41 com.apple.WebKit 0x0000000102336baa -[WebDataSource(WebInternal) _receivedData:] + 90 (WebDataSource.mm:233)
42 com.apple.WebKit 0x0000000102364bb1 WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, char const*, int) + 129 (WebFrameLoaderClient.mm:890)
43 com.apple.WebCore 0x0000000102d48f48 WebCore::DocumentLoader::commitLoad(char const*, int) + 216 (DocumentLoader.cpp:304)
44 com.apple.WebCore 0x0000000102d4916a WebCore::DocumentLoader::receivedData(char const*, int) + 90 (DocumentLoader.cpp:330)
45 com.apple.WebCore 0x000000010380a9f7 WebCore::MainResourceLoader::addData(char const*, int, bool) + 87 (MainResourceLoader.cpp:169)
46 com.apple.WebCore 0x0000000103b88239 WebCore::ResourceLoader::didReceiveData(char const*, int, long long, bool) + 265 (ResourceLoader.cpp:291)
47 com.apple.WebCore 0x000000010380c38f WebCore::MainResourceLoader::didReceiveData(char const*, int, long long, bool) + 863 (MainResourceLoader.cpp:468)
48 com.apple.WebCore 0x0000000103b88bbd WebCore::ResourceLoader::didReceiveData(WebCore::ResourceHandle*, char const*, int, int) + 157 (ResourceLoader.cpp:442)
49 com.apple.WebCore 0x0000000103b851b2 -[WebCoreResourceHandleAsDelegate connection:didReceiveData:lengthReceived:] + 306 (ResourceHandleMac.mm:833)
50 com.apple.Foundation 0x00007fff8ab86459 ___NSURLConnectionDidReceiveData_block_invoke_1 + 144
51 com.apple.Foundation 0x00007fff8ab863c3 _NSURLConnectionDidReceiveData + 86
52 com.apple.CFNetwork 0x00007fff925795ec URLConnectionClient::_clientDidReceiveData(__CFArray const*, URLConnectionClient::ClientConnectionEventQueue*) + 348
53 com.apple.CFNetwork 0x00007fff9262aceb URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<XClientEvent, XClientEventParams>*, long) + 827
54 com.apple.CFNetwork 0x00007fff92555dfd URLConnectionClient::processEvents() + 185

From one of these tests (not sure which):

fast/forms/cursor-at-editable-content-boundary.html -> unexpected DumpRenderTree crash
fast/dynamic/positioned-movement-with-positioned-children.html -> unexpected DumpRenderTree crash