RESOLVED DUPLICATE of bug 103432 105932
[Mac] http/tests/inspector/resource-har-pages.html asserts in updateLayerPositionsAfterScroll on Debug builds
https://bugs.webkit.org/show_bug.cgi?id=105932
Ryosuke Niwa
Reported 2013-01-02 11:06:10 PST
http://build.webkit.org/results/Apple%20MountainLion%20Debug%20WK1%20(Tests)/r138620%20(4245)/http/tests/inspector/resource-har-pages-crash-log.txt Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x00000000bbadbeef VM Regions Near 0xbbadbeef: --> __TEXT 0000000109c49000-0000000109ce5000 [ 624K] r-x/rwx SM=COW /Volumes/VOLUME/* Application Specific Information: CRASHING TEST: /inspector/resource-har-pages.html Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.WebCore 0x000000010c97f78c WebCore::RenderLayer::updateLayerPositionsAfterScroll(WebCore::RenderGeometryMap*, unsigned int) + 620 (RenderLayer.cpp:726) 1 com.apple.WebCore 0x000000010c97f899 WebCore::RenderLayer::updateLayerPositionsAfterScroll(WebCore::RenderGeometryMap*, unsigned int) + 889 (RenderLayer.cpp:730) 2 com.apple.WebCore 0x000000010c97f899 WebCore::RenderLayer::updateLayerPositionsAfterScroll(WebCore::RenderGeometryMap*, unsigned int) + 889 (RenderLayer.cpp:730) 3 com.apple.WebCore 0x000000010c97f899 WebCore::RenderLayer::updateLayerPositionsAfterScroll(WebCore::RenderGeometryMap*, unsigned int) + 889 (RenderLayer.cpp:730) 4 com.apple.WebCore 0x000000010c97fa05 WebCore::RenderLayer::updateLayerPositionsAfterOverflowScroll() + 165 (RenderLayer.cpp:689) 5 com.apple.WebCore 0x000000010c985289 WebCore::RenderLayer::scrollTo(int, int) + 505 (RenderLayer.cpp:2017) 6 com.apple.WebCore 0x000000010c987cae WebCore::RenderLayer::setScrollOffset(WebCore::IntPoint const&) + 62 (RenderLayer.cpp:2355) 7 com.apple.WebCore 0x000000010cbd4a90 WebCore::ScrollableArea::scrollPositionChanged(WebCore::IntPoint const&) + 96 (ScrollableArea.cpp:156) 8 com.apple.WebCore 0x000000010cbd4d81 WebCore::ScrollableArea::setScrollOffsetFromAnimation(WebCore::IntPoint const&) + 81 (ScrollableArea.cpp:200) 9 com.apple.WebCore 0x000000010cbd72cb WebCore::ScrollAnimator::notifyPositionChanged() + 59 (ScrollAnimator.cpp:145) 10 com.apple.WebCore 0x000000010cbdb639 
WebCore::ScrollAnimatorMac::notifyPositionChanged() + 41 (ScrollAnimatorMac.mm:741) 11 com.apple.WebCore 0x000000010cbdb182 WebCore::ScrollAnimatorMac::immediateScrollTo(WebCore::FloatPoint const&) + 210 (ScrollAnimatorMac.mm:720) 12 com.apple.WebCore 0x000000010cbdb0a3 WebCore::ScrollAnimatorMac::scrollToOffsetWithoutAnimation(WebCore::FloatPoint const&) + 67 (ScrollAnimatorMac.mm:696) 13 com.apple.WebCore 0x000000010cbd48dc WebCore::ScrollableArea::scrollToOffsetWithoutAnimation(WebCore::FloatPoint const&) + 60 (ScrollableArea.cpp:130) 14 com.apple.WebCore 0x000000010c984b35 WebCore::RenderLayer::scrollToOffset(WebCore::IntSize const&, WebCore::RenderLayer::ScrollOffsetClamping) + 197 (RenderLayer.cpp:1979) 15 com.apple.WebCore 0x000000010c8fd4dd WebCore::RenderLayer::scrollToYOffset(int, WebCore::RenderLayer::ScrollOffsetClamping) + 61 (RenderLayer.h:333) 16 com.apple.WebCore 0x000000010c8e329b WebCore::RenderBox::setScrollTop(int) + 75 (RenderBox.cpp:435) 17 com.apple.WebCore 0x000000010bbf08e3 WebCore::Element::setScrollTop(int) + 147 (Element.cpp:556) 18 com.apple.WebCore 0x000000010c237b4d WebCore::setJSElementScrollTop(JSC::ExecState*, JSC::JSObject*, JSC::JSValue) + 93 (JSElement.cpp:1229) 19 com.apple.WebCore 0x000000010c241699 bool JSC::lookupPut<WebCore::JSElement>(JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::HashTable const*, WebCore::JSElement*, bool) + 249 (Lookup.h:373) 20 com.apple.WebCore 0x000000010c2400b8 void JSC::lookupPut<WebCore::JSElement, WebCore::JSNode>(JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::HashTable const*, WebCore::JSElement*, JSC::PutPropertySlot&) + 120 (Lookup.h:389) 21 com.apple.WebCore 0x000000010c234937 WebCore::JSElement::put(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 279 (JSElement.cpp:1212) 22 com.apple.WebCore 0x000000010c2bd89c void JSC::lookupPut<WebCore::JSHTMLElement, WebCore::JSElement>(JSC::ExecState*, JSC::PropertyName, JSC::JSValue, 
JSC::HashTable const*, WebCore::JSHTMLElement*, JSC::PutPropertySlot&) + 172 (Lookup.h:391) 23 com.apple.WebCore 0x000000010c2baab7 WebCore::JSHTMLElement::put(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 279 (JSHTMLElement.cpp:446) 24 com.apple.WebCore 0x000000010c2b418c void JSC::lookupPut<WebCore::JSHTMLDivElement, WebCore::JSHTMLElement>(JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::HashTable const*, WebCore::JSHTMLDivElement*, JSC::PutPropertySlot&) + 172 (Lookup.h:391) 25 com.apple.WebCore 0x000000010c2b3217 WebCore::JSHTMLDivElement::put(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 279 (JSHTMLDivElement.cpp:144) 26 com.apple.JavaScriptCore 0x000000010a04a319 JSC::JSValue::put(JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 185 (JSObject.h:1523) 27 com.apple.JavaScriptCore 0x000000010a2f29f0 llint_slow_path_put_by_id + 416 (LLIntSlowPaths.cpp:981) 28 com.apple.JavaScriptCore 0x000000010a2fb977 llint_op_put_by_id + 155 29 com.apple.JavaScriptCore 0x000000010a0fbb74 JSC::JITCode::execute(JSC::JSStack*, JSC::ExecState*, JSC::JSGlobalData*) + 84 (JITCode.h:134) 30 com.apple.JavaScriptCore 0x000000010a0f8def JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1519 (Interpreter.cpp:1055) 31 com.apple.JavaScriptCore 0x0000000109f74e32 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 306 (CallData.cpp:39) 32 com.apple.JavaScriptCore 0x000000010a150407 JSC::boundFunctionCall(JSC::ExecState*) + 647 (JSBoundFunction.cpp:53) 33 com.apple.JavaScriptCore 0x000000010a0f8e19 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1561 (Interpreter.cpp:1058) 34 com.apple.JavaScriptCore 0x0000000109f74e32 
JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 306 (CallData.cpp:39) 35 com.apple.WebCore 0x000000010c1186e2 WebCore::JSMainThreadExecState::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 146 (JSMainThreadExecState.h:56) 36 com.apple.WebCore 0x000000010cb92baf WebCore::ScheduledAction::executeFunctionInContext(JSC::JSGlobalObject*, JSC::JSValue, WebCore::ScriptExecutionContext*) + 559 (ScheduledAction.cpp:112) 37 com.apple.WebCore 0x000000010cb92773 WebCore::ScheduledAction::execute(WebCore::Document*) + 323 (ScheduledAction.cpp:134) 38 com.apple.WebCore 0x000000010cb925b4 WebCore::ScheduledAction::execute(WebCore::ScriptExecutionContext*) + 116 (ScheduledAction.cpp:80) 39 com.apple.WebCore 0x000000010bb8110a WebCore::DOMTimer::fired() + 538 (DOMTimer.cpp:139) 40 com.apple.WebCore 0x000000010cf248e6 WebCore::ThreadTimers::sharedTimerFiredInternal() + 294 (ThreadTimers.cpp:119) 41 com.apple.WebCore 0x000000010cf24679 WebCore::ThreadTimers::sharedTimerFired() + 25 (ThreadTimers.cpp:94) 42 com.apple.WebCore 0x000000010cc53343 WebCore::timerFired(__CFRunLoopTimer*, void*) + 67 (SharedTimerMac.mm:167) 43 com.apple.CoreFoundation 0x00007fff8a050da4 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20 44 com.apple.CoreFoundation 0x00007fff8a0508bd __CFRunLoopDoTimer + 557 45 com.apple.CoreFoundation 0x00007fff8a036099 __CFRunLoopRun + 1513 46 com.apple.CoreFoundation 0x00007fff8a0356b2 CFRunLoopRunSpecific + 290 47 com.apple.Foundation 0x00007fff8702389e -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 268 48 DumpRenderTree 0x0000000109c60839 runTest(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) + 5017 (DumpRenderTree.mm:1381) 49 DumpRenderTree 0x0000000109c5f42a runTestingServerLoop() + 282 (DumpRenderTree.mm:846) 50 DumpRenderTree 0x0000000109c5ecf7 dumpRenderTree(int, char const**) + 
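391 (DumpRenderTree.mm:893) 51 DumpRenderTree 0x0000000109c61029 main + 105 (DumpRenderTree.mm:931) 52 libdyld.dylib 0x00007fff89ebe7e1 start + 1
Note: the faulting address 0x00000000bbadbeef is the sentinel that WebKit's CRASH() macro deliberately writes to, so this EXC_BAD_ACCESS is consistent with a failed debug assertion (as the title says) and is not by itself evidence of memory corruption.
Also see webkit.org/b/92279 and webkit.org/b/85615.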
Jessie Berlin
Comment 2 2013-01-29 12:04:02 PST
Nope, appears to happen on Lion WK1 as well: http://build.webkit.org/results/Apple%20Lion%20Debug%20WK1%20(Tests)/r141128%20(6314)/http/tests/inspector/resource-har-pages-crash-log.txt Process: DumpRenderTree [15683] Path: /Volumes/VOLUME/*/DumpRenderTree Identifier: DumpRenderTree Version: ??? (???) Code Type: X86-64 (Native) Parent Process: Python [15682] Date/Time: 2013-01-29 10:47:19.314 -0800 OS Version: Mac OS X 10.7.5 (11G56) Report Version: 9 Anonymous UUID: 8D613337-F106-4023-88AB-11A474AF2011 Crashed Thread: 0 Dispatch queue: com.apple.main-thread Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x00000000bbadbeef VM Regions Near 0xbbadbeef: --> __TEXT 0000000102e72000-0000000102f0f000 [ 628K] r-x/rwx SM=COW /Volumes/VOLUME/* Application Specific Information: CRASHING TEST: /inspector/resource-har-pages.html objc[15683]: garbage collection is OFF Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.WebCore 0x0000000105d6e68f WebCore::RenderLayer::updateLayerPositionsAfterScroll(WebCore::RenderGeometryMap*, unsigned int) + 623 (RenderLayer.cpp:765) 1 com.apple.WebCore 0x0000000105d6e79c WebCore::RenderLayer::updateLayerPositionsAfterScroll(WebCore::RenderGeometryMap*, unsigned int) + 892 (RenderLayer.cpp:769) 2 com.apple.WebCore 0x0000000105d6e79c WebCore::RenderLayer::updateLayerPositionsAfterScroll(WebCore::RenderGeometryMap*, unsigned int) + 892 (RenderLayer.cpp:769) 3 com.apple.WebCore 0x0000000105d6e79c WebCore::RenderLayer::updateLayerPositionsAfterScroll(WebCore::RenderGeometryMap*, unsigned int) + 892 (RenderLayer.cpp:769) 4 com.apple.WebCore 0x0000000105d6e905 WebCore::RenderLayer::updateLayerPositionsAfterOverflowScroll() + 165 (RenderLayer.cpp:728) 5 com.apple.WebCore 0x0000000105d74079 WebCore::RenderLayer::scrollTo(int, int) + 505 (RenderLayer.cpp:2087) 6 com.apple.WebCore 0x0000000105d76a9e WebCore::RenderLayer::setScrollOffset(WebCore::IntPoint const&) + 62 (RenderLayer.cpp:2429) 7 
com.apple.WebCore 0x0000000105fcee70 WebCore::ScrollableArea::scrollPositionChanged(WebCore::IntPoint const&) + 96 (ScrollableArea.cpp:156) 8 com.apple.WebCore 0x0000000105fcf161 WebCore::ScrollableArea::setScrollOffsetFromAnimation(WebCore::IntPoint const&) + 81 (ScrollableArea.cpp:200) 9 com.apple.WebCore 0x0000000105fd16ab WebCore::ScrollAnimator::notifyPositionChanged() + 59 (ScrollAnimator.cpp:145) 10 com.apple.WebCore 0x0000000105fd5a19 WebCore::ScrollAnimatorMac::notifyPositionChanged() + 41 (ScrollAnimatorMac.mm:741) 11 com.apple.WebCore 0x0000000105fd5562 WebCore::ScrollAnimatorMac::immediateScrollTo(WebCore::FloatPoint const&) + 210 (ScrollAnimatorMac.mm:720) 12 com.apple.WebCore 0x0000000105fd5483 WebCore::ScrollAnimatorMac::scrollToOffsetWithoutAnimation(WebCore::FloatPoint const&) + 67 (ScrollAnimatorMac.mm:696) 13 com.apple.WebCore 0x0000000105fcecbc WebCore::ScrollableArea::scrollToOffsetWithoutAnimation(WebCore::FloatPoint const&) + 60 (ScrollableArea.cpp:130) 14 com.apple.WebCore 0x0000000105d73922 WebCore::RenderLayer::scrollToOffset(WebCore::IntSize const&, WebCore::RenderLayer::ScrollOffsetClamping) + 178 (RenderLayer.cpp:2049) 15 com.apple.WebCore 0x0000000105ce554d WebCore::RenderLayer::scrollToYOffset(int, WebCore::RenderLayer::ScrollOffsetClamping) + 61 (RenderLayer.h:335) 16 com.apple.WebCore 0x0000000105cca5db WebCore::RenderBox::setScrollTop(int) + 75 (RenderBox.cpp:475) 17 com.apple.WebCore 0x0000000104ef2353 WebCore::Element::setScrollTop(int) + 147 (Element.cpp:596) 18 com.apple.WebCore 0x00000001055f06fd WebCore::setJSElementScrollTop(JSC::ExecState*, JSC::JSObject*, JSC::JSValue) + 93
Jessie Berlin
Comment 3 2013-01-29 12:14:46 PST
Simon Fraser (smfr)
Comment 4 2013-01-29 16:02:43 PST
See also bug 105096.
*** This bug has been marked as a duplicate of bug 103432 ***