Bug 98984 - REGRESSION: Crash happens after we add non-top-level frame to the ScrollingStateTree
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Priority: P2, Severity: Normal
Assignee: Beth Dakin
Keywords: InRadar, Regression
Duplicates: 98985
Reported: 2012-10-10 20:34 PDT by Beth Dakin
Modified: 2012-10-17 17:54 PDT (History)
Attachments
Patch (1.72 KB, patch)
2012-10-10 20:36 PDT, Beth Dakin
simon.fraser: review+
Description Beth Dakin 2012-10-10 20:34:01 PDT
This regressed with http://trac.webkit.org/changeset/130783 That change accidentally made it possible to add nodes in the ScrollingStateTree for non-top-level frames. This is a problem since the scrolling tree only currently supports the main frame.

Patch forthcoming.

<rdar://problem/12470136>
Comment 1 Beth Dakin 2012-10-10 20:36:57 PDT
Created attachment 168135
Patch
Comment 2 Beth Dakin 2012-10-10 20:41:46 PDT
Thanks Simon!

http://trac.webkit.org/changeset/131007
Comment 3 Beth Dakin 2012-10-11 13:49:01 PDT
*** Bug 98985 has been marked as a duplicate of this bug. ***
Comment 4 Kevin M. Dean 2012-10-12 11:40:42 PDT
I just had the same crash in "WebCore::ScrollingStateScrollingNode::setNonFastScrollableRegion(WebCore::Region const&) + 13" with the current nightly after hitting the browser back button on a web page. I believe it was after loading a variety of phpmyadmin pages. I haven't found a repeatable test case, but it appears this bug was only partially fixed.
Comment 5 Kevin M. Dean 2012-10-12 11:43:19 PDT
Here are more details.

Process:         WebProcess [22794]
Path:            /Applications/WebKit.app/Contents/Frameworks/10.8/WebKit2.framework/WebProcess.app/Contents/MacOS/WebProcess
Identifier:      com.apple.WebProcess
Version:         537+ (537.15+)
Code Type:       X86-64 (Native)
Parent Process:  ??? [1]
User ID:         501

Date/Time:       2012-10-12 14:35:28.414 -0400
OS Version:      Mac OS X 10.8.2 (12C60)
Report Version:  10

Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000050

VM Regions Near 0x50:
--> 
    __TEXT                 0000000109c42000-0000000109c43000 [    4K] r-x/rwx SM=COW  /Applications/WebKit.app/Contents/Frameworks/10.8/WebKit2.framework/WebProcess.app/Contents/MacOS/WebProcess

Application Specific Information:
Bundle controller class:
BrowserBundleController
 

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x000000010b11595d WebCore::ScrollingStateScrollingNode::setNonFastScrollableRegion(WebCore::Region const&) + 13
1   com.apple.WebCore             	0x000000010aebfb1c WebCore::ScrollingCoordinatorMac::frameViewLayoutUpdated(WebCore::FrameView*) + 92
2   com.apple.WebCore             	0x000000010a77ba04 WebCore::FrameView::performPostLayoutTasks() + 436
3   com.apple.WebCore             	0x000000010a77b479 WebCore::FrameView::layout(bool) + 2489
4   com.apple.WebCore             	0x000000010a77e818 WebCore::FrameView::visibleContentsResized() + 104
5   com.apple.WebCore             	0x000000010aec5780 WebCore::ScrollView::updateScrollbars(WebCore::IntSize const&) + 960
6   com.apple.WebCore             	0x000000010aec61cb WebCore::ScrollView::setContentsSize(WebCore::IntSize const&) + 107
7   com.apple.WebCore             	0x000000010a779abc WebCore::FrameView::setContentsSize(WebCore::IntSize const&) + 60
8   com.apple.WebCore             	0x000000010a779bcc WebCore::FrameView::adjustViewSize() + 172
9   com.apple.WebCore             	0x000000010a77b22a WebCore::FrameView::layout(bool) + 1898
10  com.apple.WebCore             	0x000000010a7659a6 WebCore::FrameLoader::commitProvisionalLoad() + 822
11  com.apple.WebCore             	0x000000010a764526 WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool) + 502
12  com.apple.WebCore             	0x000000010a764610 WebCore::FrameLoader::callContinueLoadAfterNavigationPolicy(void*, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool) + 32
13  com.apple.WebCore             	0x000000010ad0e3c4 WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest const&, WebCore::DocumentLoader*, WTF::PassRefPtr<WebCore::FormState>, void (*)(void*, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool), void*) + 484
14  com.apple.WebCore             	0x000000010a7641d7 WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>) + 1287
15  com.apple.WebCore             	0x000000010a760310 WebCore::FrameLoader::loadDifferentDocumentItem(WebCore::HistoryItem*, WebCore::FrameLoadType) + 96
16  com.apple.WebCore             	0x000000010a7bab5c WebCore::HistoryController::recursiveGoToItem(WebCore::HistoryItem*, WebCore::HistoryItem*, WebCore::FrameLoadType) + 460
17  com.apple.WebCore             	0x000000010a7ba768 WebCore::HistoryController::goToItem(WebCore::HistoryItem*, WebCore::FrameLoadType) + 216
18  com.apple.WebCore             	0x000000010ace8b25 WebCore::Page::goToItem(WebCore::HistoryItem*, WebCore::FrameLoadType) + 85
19  com.apple.WebKit2             	0x0000000109d2feed WebKit::WebPage::goBack(unsigned long long) + 39
20  com.apple.WebKit2             	0x0000000109d3e9ee void CoreIPC::handleMessage<Messages::WebPage::GoBack, WebKit::WebPage, void (WebKit::WebPage::*)(unsigned long long)>(CoreIPC::ArgumentDecoder*, WebKit::WebPage*, void (WebKit::WebPage::*)(unsigned long long)) + 59
21  com.apple.WebKit2             	0x0000000109c8ca17 CoreIPC::Connection::dispatchMessage(CoreIPC::Connection::Message<CoreIPC::ArgumentDecoder>&) + 165
22  com.apple.WebKit2             	0x0000000109c8df1b CoreIPC::Connection::dispatchOneMessage() + 139
23  com.apple.WebCore             	0x000000010ae99ecc WebCore::RunLoop::performWork() + 156
24  com.apple.WebCore             	0x000000010ae9a5e5 WebCore::RunLoop::performWork(void*) + 53
25  com.apple.CoreFoundation      	0x00007fff8adcc101 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
26  com.apple.CoreFoundation      	0x00007fff8adcba25 __CFRunLoopDoSources0 + 245
27  com.apple.CoreFoundation      	0x00007fff8adeedc5 __CFRunLoopRun + 789
28  com.apple.CoreFoundation      	0x00007fff8adee6b2 CFRunLoopRunSpecific + 290
29  com.apple.HIToolbox           	0x00007fff8966b0a4 RunCurrentEventLoopInMode + 209
30  com.apple.HIToolbox           	0x00007fff8966ae42 ReceiveNextEventCommon + 356
31  com.apple.HIToolbox           	0x00007fff8966acd3 BlockUntilNextEventMatchingListInMode + 62
32  com.apple.AppKit              	0x00007fff8877a613 _DPSNextEvent + 685
33  com.apple.AppKit              	0x00007fff88779ed2 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
34  com.apple.AppKit              	0x00007fff88771283 -[NSApplication run] + 517
35  com.apple.WebCore             	0x000000010ae9abc3 WebCore::RunLoop::run() + 67
36  com.apple.WebKit2             	0x0000000109d78daa WebKit::WebProcessMain(WebKit::CommandLine const&) + 3772
37  com.apple.WebKit2             	0x0000000109d24462 WebKitMain + 286
38  com.apple.WebProcess          	0x0000000109c42e7b main + 214
39  libdyld.dylib                 	0x00007fff90ec57e1 start + 1
Comment 6 Beth Dakin 2012-10-12 12:06:12 PDT
(In reply to comment #4)
> I just had the same crash in "WebCore::ScrollingStateScrollingNode::setNonFastScrollableRegion(WebCore::Region const&) + 13" with the current nightly after hitting the browser back button on a web page. I believe it was after loading a variety of phpmyadmin pages. I haven't found a repeatable test case, but it appears this bug was only partially fixed.

The crash trace indicates that we are trying to set things on a ScrollingStateNode that does not exist. So reproducible steps are really key to figuring out why we might still be falling into that case…it's probably for different reasons than the original crash and fix. Please let me know if you figure out how to reproduce this!
Comment 7 Kevin M. Dean 2012-10-17 15:45:38 PDT
Here's some reproducible steps for a similar crash.

Go to macupdate.com. Click on a software link to view its details page, but before the page loads or finishes loading, click the back button. If you already have a page history, you can click right away, but if macupdate.com is the first page for the window, then you click the back button as soon as it enables. The difference yields a slightly different crash report.

So, should this bug be re-opened or should I create a new bug with this info? Don't know if it's not still part of the same bug.


Clicking when macupdate has no prior page history for the window:

Process:         WebProcess [21082]
Path:            /Applications/WebKit.app/Contents/Frameworks/10.8/WebKit2.framework/WebProcess.app/Contents/MacOS/WebProcess
Identifier:      com.apple.WebProcess
Version:         537+ (537.16+)
Code Type:       X86-64 (Native)
Parent Process:  SafariForWebKitDevelopment [21080]
User ID:         501

Date/Time:       2012-10-17 18:35:49.121 -0400
OS Version:      Mac OS X 10.8.2 (12C60)
Report Version:  10

Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000058

VM Regions Near 0x58:
--> 
    __TEXT                 0000000108d84000-0000000108d85000 [    4K] r-x/rwx SM=COW  /Applications/WebKit.app/Contents/Frameworks/10.8/WebKit2.framework/WebProcess.app/Contents/MacOS/WebProcess

Application Specific Information:
Bundle controller class:
BrowserBundleController
 

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x000000010a01c38d WebCore::ScrollingStateScrollingNode::setNonFastScrollableRegion(WebCore::Region const&) + 13
1   com.apple.WebCore             	0x000000010a01a01c WebCore::ScrollingCoordinatorMac::frameViewLayoutUpdated(WebCore::FrameView*) + 92
2   com.apple.WebCore             	0x00000001098cd994 WebCore::FrameView::performPostLayoutTasks() + 436
3   com.apple.WebCore             	0x00000001098cd409 WebCore::FrameView::layout(bool) + 2489
4   com.apple.WebCore             	0x00000001098b7936 WebCore::FrameLoader::commitProvisionalLoad() + 822
5   com.apple.WebCore             	0x00000001098b64b6 WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool) + 502
6   com.apple.WebCore             	0x00000001098b65a0 WebCore::FrameLoader::callContinueLoadAfterNavigationPolicy(void*, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool) + 32
7   com.apple.WebCore             	0x0000000109e65fd4 WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest const&, WebCore::DocumentLoader*, WTF::PassRefPtr<WebCore::FormState>, void (*)(void*, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool), void*) + 484
8   com.apple.WebCore             	0x00000001098b6167 WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>) + 1287
9   com.apple.WebCore             	0x00000001098b22a0 WebCore::FrameLoader::loadDifferentDocumentItem(WebCore::HistoryItem*, WebCore::FrameLoadType) + 96
10  com.apple.WebCore             	0x000000010990cfbc WebCore::HistoryController::recursiveGoToItem(WebCore::HistoryItem*, WebCore::HistoryItem*, WebCore::FrameLoadType) + 460
11  com.apple.WebCore             	0x000000010990cbc8 WebCore::HistoryController::goToItem(WebCore::HistoryItem*, WebCore::FrameLoadType) + 216
12  com.apple.WebCore             	0x0000000109e3d755 WebCore::Page::goToItem(WebCore::HistoryItem*, WebCore::FrameLoadType) + 85
13  com.apple.WebKit2             	0x0000000108e71b03 WebKit::WebPage::goBack(unsigned long long) + 39
14  com.apple.WebKit2             	0x0000000108e81e22 void CoreIPC::handleMessage<Messages::WebPage::GoBack, WebKit::WebPage, void (WebKit::WebPage::*)(unsigned long long)>(CoreIPC::ArgumentDecoder*, WebKit::WebPage*, void (WebKit::WebPage::*)(unsigned long long)) + 59
15  com.apple.WebKit2             	0x0000000108dcc1b1 CoreIPC::Connection::dispatchMessage(CoreIPC::Connection::Message<CoreIPC::ArgumentDecoder>&) + 165
16  com.apple.WebKit2             	0x0000000108dcd6b5 CoreIPC::Connection::dispatchOneMessage() + 139
17  com.apple.WebCore             	0x0000000109ff346c WebCore::RunLoop::performWork() + 156
18  com.apple.WebCore             	0x0000000109ff3b85 WebCore::RunLoop::performWork(void*) + 53
19  com.apple.CoreFoundation      	0x00007fff8d998101 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
20  com.apple.CoreFoundation      	0x00007fff8d997a25 __CFRunLoopDoSources0 + 245
21  com.apple.CoreFoundation      	0x00007fff8d9badc5 __CFRunLoopRun + 789
22  com.apple.CoreFoundation      	0x00007fff8d9ba6b2 CFRunLoopRunSpecific + 290
23  com.apple.HIToolbox           	0x00007fff8c2370a4 RunCurrentEventLoopInMode + 209
24  com.apple.HIToolbox           	0x00007fff8c236e42 ReceiveNextEventCommon + 356
25  com.apple.HIToolbox           	0x00007fff8c236cd3 BlockUntilNextEventMatchingListInMode + 62
26  com.apple.AppKit              	0x00007fff8b346613 _DPSNextEvent + 685
27  com.apple.AppKit              	0x00007fff8b345ed2 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
28  com.apple.AppKit              	0x00007fff8b33d283 -[NSApplication run] + 517
29  com.apple.WebCore             	0x0000000109ff4163 WebCore::RunLoop::run() + 67
30  com.apple.WebKit2             	0x0000000108ebb820 WebKit::WebProcessMain(WebKit::CommandLine const&) + 3772
31  com.apple.WebKit2             	0x0000000108e65f6f WebKitMain + 299
32  com.apple.WebProcess          	0x0000000108d84e7b main + 214
33  libdyld.dylib                 	0x00007fff93a917e1 start + 1



Clicking immediately before the page loads when there's already a history prior to macupdate.com:

Process:         WebProcess [21168]
Path:            /Applications/WebKit.app/Contents/Frameworks/10.8/WebKit2.framework/WebProcess.app/Contents/MacOS/WebProcess
Identifier:      com.apple.WebProcess
Version:         537+ (537.16+)
Code Type:       X86-64 (Native)
Parent Process:  SafariForWebKitDevelopment [21166]
User ID:         501

Date/Time:       2012-10-17 18:39:19.983 -0400
OS Version:      Mac OS X 10.8.2 (12C60)
Report Version:  10

Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000058

VM Regions Near 0x58:
--> 
    __TEXT                 0000000109125000-0000000109126000 [    4K] r-x/rwx SM=COW  /Applications/WebKit.app/Contents/Frameworks/10.8/WebKit2.framework/WebProcess.app/Contents/MacOS/WebProcess

Application Specific Information:
Bundle controller class:
BrowserBundleController
 

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x000000010a3c02dd WebCore::ScrollingStateScrollingNode::setNonFastScrollableRegion(WebCore::Region const&) + 13
1   com.apple.WebCore             	0x000000010a3bdf6c WebCore::ScrollingCoordinatorMac::frameViewLayoutUpdated(WebCore::FrameView*) + 92
2   com.apple.WebCore             	0x0000000109c6fe54 WebCore::FrameView::performPostLayoutTasks() + 436
3   com.apple.WebCore             	0x0000000109c6f8c9 WebCore::FrameView::layout(bool) + 2489
4   com.apple.WebCore             	0x0000000109c72c68 WebCore::FrameView::visibleContentsResized() + 104
5   com.apple.WebCore             	0x000000010a3c3a50 WebCore::ScrollView::updateScrollbars(WebCore::IntSize const&) + 960
6   com.apple.WebCore             	0x000000010a3c449b WebCore::ScrollView::setContentsSize(WebCore::IntSize const&) + 107
7   com.apple.WebCore             	0x0000000109c6df0c WebCore::FrameView::setContentsSize(WebCore::IntSize const&) + 60
8   com.apple.WebCore             	0x0000000109c6e01c WebCore::FrameView::adjustViewSize() + 172
9   com.apple.WebCore             	0x0000000109c6f67a WebCore::FrameView::layout(bool) + 1898
10  com.apple.WebCore             	0x0000000109c59df6 WebCore::FrameLoader::commitProvisionalLoad() + 822
11  com.apple.WebCore             	0x0000000109c58976 WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool) + 502
12  com.apple.WebCore             	0x0000000109c58a60 WebCore::FrameLoader::callContinueLoadAfterNavigationPolicy(void*, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool) + 32
13  com.apple.WebCore             	0x000000010a209ad4 WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest const&, WebCore::DocumentLoader*, WTF::PassRefPtr<WebCore::FormState>, void (*)(void*, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool), void*) + 484
14  com.apple.WebCore             	0x0000000109c58627 WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>) + 1287
15  com.apple.WebCore             	0x0000000109c54760 WebCore::FrameLoader::loadDifferentDocumentItem(WebCore::HistoryItem*, WebCore::FrameLoadType) + 96
16  com.apple.WebCore             	0x0000000109caf6ac WebCore::HistoryController::recursiveGoToItem(WebCore::HistoryItem*, WebCore::HistoryItem*, WebCore::FrameLoadType) + 460
17  com.apple.WebCore             	0x0000000109caf2b8 WebCore::HistoryController::goToItem(WebCore::HistoryItem*, WebCore::FrameLoadType) + 216
18  com.apple.WebCore             	0x000000010a1e1135 WebCore::Page::goToItem(WebCore::HistoryItem*, WebCore::FrameLoadType) + 85
19  com.apple.WebKit2             	0x0000000109212193 WebKit::WebPage::goBack(unsigned long long) + 39
20  com.apple.WebKit2             	0x000000010922243a void CoreIPC::handleMessage<Messages::WebPage::GoBack, WebKit::WebPage, void (WebKit::WebPage::*)(unsigned long long)>(CoreIPC::ArgumentDecoder*, WebKit::WebPage*, void (WebKit::WebPage::*)(unsigned long long)) + 59
21  com.apple.WebKit2             	0x000000010916d21b CoreIPC::Connection::dispatchMessage(CoreIPC::Connection::Message<CoreIPC::ArgumentDecoder>&) + 165
22  com.apple.WebKit2             	0x000000010916e71f CoreIPC::Connection::dispatchOneMessage() + 139
23  com.apple.WebCore             	0x000000010a39736c WebCore::RunLoop::performWork() + 156
24  com.apple.WebCore             	0x000000010a397a85 WebCore::RunLoop::performWork(void*) + 53
25  com.apple.CoreFoundation      	0x00007fff8d998101 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
26  com.apple.CoreFoundation      	0x00007fff8d997a25 __CFRunLoopDoSources0 + 245
27  com.apple.CoreFoundation      	0x00007fff8d9badc5 __CFRunLoopRun + 789
28  com.apple.CoreFoundation      	0x00007fff8d9ba6b2 CFRunLoopRunSpecific + 290
29  com.apple.HIToolbox           	0x00007fff8c2370a4 RunCurrentEventLoopInMode + 209
30  com.apple.HIToolbox           	0x00007fff8c236e42 ReceiveNextEventCommon + 356
31  com.apple.HIToolbox           	0x00007fff8c236cd3 BlockUntilNextEventMatchingListInMode + 62
32  com.apple.AppKit              	0x00007fff8b346613 _DPSNextEvent + 685
33  com.apple.AppKit              	0x00007fff8b345ed2 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
34  com.apple.AppKit              	0x00007fff8b33d283 -[NSApplication run] + 517
35  com.apple.WebCore             	0x000000010a398063 WebCore::RunLoop::run() + 67
36  com.apple.WebKit2             	0x000000010925c980 WebKit::WebProcessMain(WebKit::CommandLine const&) + 3772
37  com.apple.WebKit2             	0x00000001092065ff WebKitMain + 299
38  com.apple.WebProcess          	0x0000000109125e7b main + 214
39  libdyld.dylib                 	0x00007fff93a917e1 start + 1
Comment 8 Beth Dakin 2012-10-17 16:50:54 PDT
Hi Kevin,

Thanks for this info! Let's open a new bug. This bug fix is still valid because it does fix one version of the crash, and that's why I think it makes the most sense to start a new bug. One of the problems with this stack trace is that it's kind of generic and essentially translates to "the ScrollingStateTree is in a state we did not expect!" And it is clear that there are a number of ways we can get in that state.

I have a fix in mind that should fix all possible ways we can still hit this bug. Essentially, I will make it so that the ScrollingStateTree never destroys the root node.
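The situation the last few comments describe, as an added illustration that is not WebKit's code: every type and function below is a constructed stand-in named after the symbols in the crash reports (StateTree, StateNode, FrameView, frameViewLayoutUpdated), with invented layouts and a hypothetical `preserveRoot` flag. It models a tree that only carries a node for the main frame, a lookup that therefore hands back a null pointer for any other frame or after the root has been torn down, and a caller that checks that pointer instead of calling a member function through it. The `regionOffset()` helper shows why a null-node dereference shows up as a fault at a small address such as 0x50 or 0x58 in the reports above (the number it returns is for the invented layout, not WebKit's).

```cpp
// Added example, not WebKit code: a constructed model of the null-node state
// behind this bug and of the two defensive measures the thread describes.
#include <cstddef>
#include <cstdint>
#include <memory>

// Constructed stand-in types; names mirror the crash report, layouts are invented.
struct Region { int x = 0, y = 0, width = 0, height = 0; };

struct FrameView {
    bool isMainFrame;
};

class StateNode {
public:
    void setNonFastScrollableRegion(const Region& region) {
        m_nonFastScrollableRegion = region;
        ++m_updateCount;
    }
    int updateCount() const { return m_updateCount; }

    // Offset at which setNonFastScrollableRegion() stores its argument. Called
    // through a null pointer, the store lands at exactly this small address,
    // which is the shape of "KERN_INVALID_ADDRESS at 0x50" in a crash log.
    static std::size_t regionOffset() {
        return offsetof(StateNode, m_nonFastScrollableRegion);
    }

private:
    std::int64_t m_padding[8] = {};  // invented padding so the offset is non-zero (64 bytes)
    Region m_nonFastScrollableRegion;
    int m_updateCount = 0;
};

class StateTree {
public:
    // preserveRoot is a hypothetical switch modelling the plan in comment 8:
    // when set, the root node is never destroyed.
    explicit StateTree(bool preserveRoot)
        : m_preserveRoot(preserveRoot), m_root(std::make_unique<StateNode>()) {}

    StateNode* rootNode() { return m_root.get(); }

    // Only the main frame has a node; anything else yields the "node that does
    // not exist" comment 6 talks about.
    StateNode* nodeFor(const FrameView& view) {
        if (!view.isMainFrame)
            return nullptr;
        return m_root.get();
    }

    // Tear-down hook. Without preserveRoot the root goes away too, so the next
    // main-frame lookup returns nullptr.
    void clear() {
        if (!m_preserveRoot)
            m_root.reset();
    }

private:
    bool m_preserveRoot;
    std::unique_ptr<StateNode> m_root;
};

enum class UpdateResult { Updated, SkippedNonMainFrame, MissingNode };

// Defensive version of the layout-updated hook: refuse non-main frames (the
// fix landed in this bug) and report a missing node instead of dereferencing it.
UpdateResult frameViewLayoutUpdated(StateTree& tree, const FrameView& view, const Region& region) {
    if (!view.isMainFrame)
        return UpdateResult::SkippedNonMainFrame;
    StateNode* node = tree.nodeFor(view);
    if (!node)
        return UpdateResult::MissingNode;  // an unchecked caller would crash here
    node->setNonFastScrollableRegion(region);
    return UpdateResult::Updated;
}

// Scenario modelled on comments 7 and 8: the tree is torn down, then a layout
// for the main frame fires before anything has rebuilt the root.
UpdateResult updateAfterTearDown(bool preserveRoot) {
    StateTree tree(preserveRoot);
    tree.clear();
    FrameView mainFrame{true};
    return frameViewLayoutUpdated(tree, mainFrame, Region{0, 0, 100, 100});
}
```

Run as written, `updateAfterTearDown(false)` reaches the `MissingNode` branch (the crash path, now caught) while `updateAfterTearDown(true)` updates the retained root; a subframe is refused before any lookup happens.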
Comment 9 Kevin M. Dean 2012-10-17 17:53:49 PDT
OK, added Bug 99668 and cc'd you on it Beth.
Comment 10 Beth Dakin 2012-10-17 17:54:56 PDT
(In reply to comment #9)
> OK, added Bug 99668 and cc'd you on it Beth.

Thank you! I'm working on it now.