
ASSERTION FAILED: frame().view() == this in WebCore::FrameView::layout #34

Open
renatahodovan opened this issue Nov 4, 2013 · 2 comments

Comments

@renatahodovan

The following test fails on the assert above (however it doesn't crash on the trunk EFL build):

<html>
    <big>
        <object>
    </big>
    <iframe height="50%"></iframe>
    <iframe srcdoc="foo" 
            onload="document.designMode='on';
                    document.execCommand('selectall');      
                    document.execCommand('RemoveFormat');"></iframe>
    <iframe srcdoc="dummy"></iframe>
</html>

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffa6be0700 (LWP 31244)]
0x00007ffff4af0ac1 in WTFCrash () at /home/reni/Data/REPOS/webkitnix/Source/WTF/wtf/Assertions.cpp:342
342     *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007ffff4af0ac1 in WTFCrash () at /home/reni/Data/REPOS/webkitnix/Source/WTF/wtf/Assertions.cpp:342
#1  0x00007ffff3732a5b in WebCore::FrameView::layout (this=0x7ef220, allowSubtree=true)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/page/FrameView.cpp:1109
#2  0x00007ffff3a9515d in WebCore::RenderFrameBase::layoutWithFlattening (this=0x84f2a0, hasFixedWidth=false, hasFixedHeight=false)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderFrameBase.cpp:63
#3  0x00007ffff3aa8a59 in WebCore::RenderIFrame::layout (this=0x84f2a0) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderIFrame.cpp:169
#4  0x00007ffff399219d in WebCore::RenderElement::layoutIfNeeded (this=0x84f2a0)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderElement.h:99
#5  0x00007ffff3a0efa5 in WebCore::RenderBlockFlow::layoutLineBoxes (this=0x7fc150, relayoutChildren=false, repaintLogicalTop=..., repaintLogicalBottom=...)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1910
#6  0x00007ffff39f25a4 in WebCore::RenderBlockFlow::layoutInlineChildren (this=0x7fc150, relayoutChildren=false, repaintLogicalTop=..., 
    repaintLogicalBottom=...) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderBlockFlow.cpp:532
#7  0x00007ffff39f18d5 in WebCore::RenderBlockFlow::layoutBlock (this=0x7fc150, relayoutChildren=false, pageLogicalHeight=<incomplete type>)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderBlockFlow.cpp:357
#8  0x00007ffff39c422f in WebCore::RenderBlock::layout (this=0x7fc150) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderBlock.cpp:1292
#9  0x00007ffff39f2986 in WebCore::RenderBlockFlow::layoutBlockChild (this=0x7fc540, child=..., marginInfo=..., previousFloatLogicalBottom=..., 
    maxFloatLogicalBottom=...) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderBlockFlow.cpp:593
#10 0x00007ffff39f24a2 in WebCore::RenderBlockFlow::layoutBlockChildren (this=0x7fc540, relayoutChildren=false, maxFloatLogicalBottom=...)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderBlockFlow.cpp:512
#11 0x00007ffff39f18f9 in WebCore::RenderBlockFlow::layoutBlock (this=0x7fc540, relayoutChildren=false, pageLogicalHeight=<incomplete type>)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderBlockFlow.cpp:359
#12 0x00007ffff39c422f in WebCore::RenderBlock::layout (this=0x7fc540) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderBlock.cpp:1292
#13 0x00007ffff39f2986 in WebCore::RenderBlockFlow::layoutBlockChild (this=0x6ba590, child=..., marginInfo=..., previousFloatLogicalBottom=..., 
    maxFloatLogicalBottom=...) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderBlockFlow.cpp:593
#14 0x00007ffff39f24a2 in WebCore::RenderBlockFlow::layoutBlockChildren (this=0x6ba590, relayoutChildren=false, maxFloatLogicalBottom=...)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderBlockFlow.cpp:512
#15 0x00007ffff39f18f9 in WebCore::RenderBlockFlow::layoutBlock (this=0x6ba590, relayoutChildren=false, pageLogicalHeight=<incomplete type>)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderBlockFlow.cpp:359
#16 0x00007ffff39c422f in WebCore::RenderBlock::layout (this=0x6ba590) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderBlock.cpp:1292
#17 0x00007ffff3b89f27 in WebCore::RenderView::layoutContent (this=0x6ba590, state=...)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderView.cpp:152
#18 0x00007ffff3b8aae2 in WebCore::RenderView::layout (this=0x6ba590) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderView.cpp:338
#19 0x00007ffff37333bd in WebCore::FrameView::layout (this=0x7faaf0, allowSubtree=true)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/page/FrameView.cpp:1255
#20 0x00007ffff320a588 in WebCore::Document::implicitClose (this=0x8a1470) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/dom/Document.cpp:2415
#21 0x00007ffff3632b01 in WebCore::FrameLoader::checkCallImplicitClose (this=0x7a1778)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/loader/FrameLoader.cpp:850
#22 0x00007ffff3632895 in WebCore::FrameLoader::checkCompleted (this=0x7a1778) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/loader/FrameLoader.cpp:793
#23 0x00007ffff3633766 in WebCore::FrameLoader::completed (this=0x83a9e8) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/loader/FrameLoader.cpp:1100
#24 0x00007ffff36328b8 in WebCore::FrameLoader::checkCompleted (this=0x83a9e8) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/loader/FrameLoader.cpp:797
#25 0x00007ffff363a908 in WebCore::FrameLoader::receivedMainResourceError (this=0x83a9e8, error=...)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/loader/FrameLoader.cpp:2638
#26 0x00007ffff3613970 in WebCore::DocumentLoader::mainReceivedError (this=0x775cb0, error=...)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/loader/DocumentLoader.cpp:243
#27 0x00007ffff3618263 in WebCore::DocumentLoader::cancelMainResourceLoad (this=0x775cb0, resourceError=...)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/loader/DocumentLoader.cpp:1436
#28 0x00007ffff3613b51 in WebCore::DocumentLoader::stopLoading (this=0x775cb0)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/loader/DocumentLoader.cpp:298
#29 0x00007ffff3636315 in WebCore::FrameLoader::stopAllLoaders (this=0x83a9e8, clearProvisionalItemPolicy=WebCore::ShouldClearProvisionalItem)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/loader/FrameLoader.cpp:1583
#30 0x00007ffff363972d in WebCore::FrameLoader::frameDetached (this=0x83a9e8) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/loader/FrameLoader.cpp:2386
#31 0x00007ffff3413676 in WebCore::HTMLFrameOwnerElement::disconnectContentFrame (this=0x85de00)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/html/HTMLFrameOwnerElement.cpp:86
#32 0x00007ffff31f35c6 in WebCore::ChildFrameDisconnector::disconnectCollectedFrameOwners (this=0x7fffffffbee0)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/dom/ContainerNodeAlgorithms.h:318
#33 0x00007ffff31f369e in WebCore::ChildFrameDisconnector::disconnect (this=0x7fffffffbee0, policy=WebCore::ChildFrameDisconnector::RootAndDescendants)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/dom/ContainerNodeAlgorithms.h:338
#34 0x00007ffff31ef96e in WebCore::willRemoveChild (child=...) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/dom/ContainerNode.cpp:503
#35 0x00007ffff31efc55 in WebCore::ContainerNode::removeChild (this=0x7fbf70, oldChild=0x7ef7d0, ec=@0x7fffffffc040: 0)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/dom/ContainerNode.cpp:568
#36 0x00007ffff329efa4 in WebCore::Node::remove (this=0x7ef7d0, ec=@0x7fffffffc040: 0) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/dom/Node.cpp:487
#37 0x00007ffff336b330 in WebCore::RemoveNodeCommand::doApply (this=0x87ba20)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/editing/RemoveNodeCommand.cpp:55
#38 0x00007ffff330fb3c in WebCore::CompositeEditCommand::applyCommandToComposite (this=0x87b5b0, prpCommand=<incomplete type>)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/editing/CompositeEditCommand.cpp:262
#39 0x00007ffff3310a55 in WebCore::CompositeEditCommand::removeNode (this=0x87b5b0, node=<incomplete type>, 
    shouldAssumeContentIsAlwaysEditable=WebCore::DoNotAssumeContentIsAlwaysEditable)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/editing/CompositeEditCommand.cpp:400
#40 0x00007ffff336b7b3 in WebCore::RemoveNodePreservingChildrenCommand::doApply (this=0x87b5b0)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/editing/RemoveNodePreservingChildrenCommand.cpp:51
#41 0x00007ffff330fb3c in WebCore::CompositeEditCommand::applyCommandToComposite (this=0x87af60, prpCommand=<incomplete type>)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/editing/CompositeEditCommand.cpp:262
#42 0x00007ffff3310ae0 in WebCore::CompositeEditCommand::removeNodePreservingChildren (this=0x87af60, node=<incomplete type>, 
    shouldAssumeContentIsAlwaysEditable=WebCore::DoNotAssumeContentIsAlwaysEditable)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/editing/CompositeEditCommand.cpp:405
#43 0x00007ffff33044d5 in WebCore::ApplyStyleCommand::removeInlineStyleFromElement (this=0x87af60, style=0x7fc350, element=<incomplete type>, 
    mode=WebCore::ApplyStyleCommand::RemoveIfNeeded, extractedStyle=0x87b590)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/editing/ApplyStyleCommand.cpp:890
#44 0x00007ffff3305175 in WebCore::ApplyStyleCommand::pushDownInlineStyleAroundNode (this=0x87af60, style=0x7fc350, targetNode=0x7ee800)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/editing/ApplyStyleCommand.cpp:1051
#45 0x00007ffff33057c3 in WebCore::ApplyStyleCommand::removeInlineStyle (this=0x87af60, style=0x7fc350, start=..., end=...)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/editing/ApplyStyleCommand.cpp:1104
#46 0x00007ffff3302a12 in WebCore::ApplyStyleCommand::applyInlineStyle (this=0x87af60, style=0x7fc350)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/editing/ApplyStyleCommand.cpp:630
#47 0x00007ffff32ffe57 in WebCore::ApplyStyleCommand::doApply (this=0x87af60)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/editing/ApplyStyleCommand.cpp:220
#48 0x00007ffff330fb3c in WebCore::CompositeEditCommand::applyCommandToComposite (this=0x838700, prpCommand=<incomplete type>)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/editing/CompositeEditCommand.cpp:262
#49 0x00007ffff336afc5 in WebCore::RemoveFormatCommand::doApply (this=0x838700)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/editing/RemoveFormatCommand.cpp:92
#50 0x00007ffff330f8fc in WebCore::CompositeEditCommand::apply (this=0x838700)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/editing/CompositeEditCommand.cpp:211
#51 0x00007ffff330f6fc in WebCore::applyCommand (command=<incomplete type>)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/editing/CompositeEditCommand.cpp:170
#52 0x00007ffff3333335 in WebCore::Editor::removeFormattingAndStyle (this=0x7a1e90) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/editing/Editor.cpp:700
#53 0x00007ffff3347652 in WebCore::executeRemoveFormat (frame=...) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/editing/EditorCommand.cpp:977
#54 0x00007ffff33491af in WebCore::Editor::Command::execute (this=0x7fffffffc9d0, parameter=..., triggeringEvent=0x0)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/editing/EditorCommand.cpp:1713
#55 0x00007ffff32106ac in WebCore::Document::execCommand (this=0x8a1470, commandName=..., userInterface=false, value=...)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/dom/Document.cpp:4110
#56 0x00007ffff3fab309 in WebCore::jsDocumentPrototypeFunctionExecCommand (exec=0x7fffa37fef50)
    at /home/reni/Data/REPOS/webkitnix/WebKitBuild/Debug/DerivedSources/WebCore/JSDocument.cpp:2705
#57 0x00007fffaa282105 in ?? ()
#58 0x00007fffffffcb10 in ?? ()
#59 0x00007ffff4875638 in llint_op_call () from /home/reni/Data/REPOS/webkitnix/WebKitBuild/Debug/lib/libWebKitNix.so.0
#60 0x00007fffaa282940 in ?? ()
#61 0x000000000068a4e8 in ?? ()
#62 0x0000000000611920 in ?? ()
#63 0x00007ffff081b9a0 in thread_context_stack () from /home/reni/Data/REPOS/webkitnix/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0
#64 0x00000000008cc700 in ?? ()
#65 0x00007ffff3615de2 in WebCore::DocumentLoader::commitData (this=0x7fffaa2820c0, bytes=0x7fffa37fef98 "\001", length=140737488341616)
    at /home/reni/Data/REPOS/webkitnix/Source/WebCore/loader/DocumentLoader.cpp:816
#66 0x00007fffffffcb60 in ?? ()
#67 0x00007ffff45f340e in JSC::JITCode::execute (this=0x458b48014dacdfe8, stack=0x14da99de801b0bf, callFrame=0x4b3d8d480000032e, vm=0xbe01b15497158d48)
    at /home/reni/Data/REPOS/webkitnix/Source/JavaScriptCore/jit/JITCode.cpp:46
Backtrace stopped: previous frame inner to this frame (corrupt stack?)

@qrwteyrutiyoup
Member

It doesn't happen on EFL because their Minibrowser doesn't enable frame flattening, as we do with ours. I have reported it upstream at https://bugs.webkit.org/show_bug.cgi?id=123759 and added it to your Fuzzinator meta bug.
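The backtrace above shows FrameView::layout entered a second time on a different view (frame #1, this=0x7ef220, reached via RenderFrameBase::layoutWithFlattening) while an outer layout on another view (frame #19, this=0x7faaf0) is still in progress, which is the frame-flattening path the comment above points at. As an added triage helper, not code from this issue or from WebKit, the script below parses gdb `bt` text of the kind pasted above and reports such nested calls to one method on different `this` objects; its sample input is a constructed excerpt of the issue's backtrace with the repository path prefix dropped.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
# Constructed excerpt of this issue's gdb backtrace (frame numbers and `this`
# pointers as reported there; the /home/reni/Data/REPOS/webkitnix/ prefix dropped).
SAMPLE_BT = """\
#0  0x00007ffff4af0ac1 in WTFCrash () at Source/WTF/wtf/Assertions.cpp:342
#1  0x00007ffff3732a5b in WebCore::FrameView::layout (this=0x7ef220, allowSubtree=true)
    at Source/WebCore/page/FrameView.cpp:1109
#2  0x00007ffff3a9515d in WebCore::RenderFrameBase::layoutWithFlattening (this=0x84f2a0, hasFixedWidth=false, hasFixedHeight=false)
    at Source/WebCore/rendering/RenderFrameBase.cpp:63
#19 0x00007ffff37333bd in WebCore::FrameView::layout (this=0x7faaf0, allowSubtree=true)
    at Source/WebCore/page/FrameView.cpp:1255
#20 0x00007ffff320a588 in WebCore::Document::implicitClose (this=0x8a1470) at Source/WebCore/dom/Document.cpp:2415
---Type <return> to continue, or q <return> to quit---
#56 0x00007ffff3fab309 in WebCore::jsDocumentPrototypeFunctionExecCommand (exec=0x7fffa37fef50)
"""

# One gdb frame: "#N  [0xADDR in ]func (args)[ at file:line]".
FRAME_RE = re.compile(r"^#(?P<num>\d+)\s+(?:0x[0-9a-fA-F]+ in )?(?P<func>[^ (]+) "
                      r"\((?P<args>[^)]*)\)(?:\s+at\s+(?P<loc>\S+))?")

@dataclass
class Frame:
    num: int
    func: str
    this: Optional[str]      # the `this=` argument, if any
    location: Optional[str]  # "file:line" after "at", if any

def parse_backtrace(text: str) -> List[Frame]:
    """Parse `bt` output: indented lines continue the previous frame; lines that
    are not frames (pager prompts, 'Backtrace stopped') are skipped."""
    joined: List[str] = []
    for line in text.splitlines():
        if line[:1].isspace() and joined:
            joined[-1] += " " + line.strip()
        elif line.strip():
            joined.append(line.rstrip())
    frames = []
    for m in filter(None, map(FRAME_RE.match, joined)):
        this = re.search(r"\bthis=(0x[0-9a-fA-F]+)", m.group("args"))
        frames.append(Frame(int(m.group("num")), m.group("func"),
                            this.group(1) if this else None, m.group("loc")))
    return frames

def find_reentrant_calls(frames: List[Frame], func: str) -> List[Tuple[Frame, Frame]]:
    """(inner, outer) pairs where `func` is on the stack twice with different `this`:
    the method was re-entered on another object before the outer call returned."""
    hits = [f for f in frames if f.func == func]
    return [(inner, outer) for i, inner in enumerate(hits) for outer in hits[i + 1:]
            if inner.this and outer.this and inner.this != outer.this]
```

Running `find_reentrant_calls(parse_backtrace(SAMPLE_BT), "WebCore::FrameView::layout")` yields the (#1, #19) pair, i.e. the nested layout that trips the `frame().view() == this` assertion.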

@renatahodovan
Author

Alright, thanks :)
