Bug 19249

Summary:

Assertion failure in FrameView::scheduleRelayout() (m_frame->view() == this) clicking an image from the Phoenix Mars mission

Product:

WebKit

Reporter:

mitz

Component:

Layout and Rendering

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

beidson, dev+webkit

Priority:

Keywords:

HasReduction, InRadar

Version:

528+ (Nightly build)

Hardware:

Mac

OS:

OS X 10.5

URL:

http://fawkes1.lpl.arizona.edu/images.php?gID=0&cID=8

Attachments:

Description	Flags
Reduction (save as a file and open; will ASSERT)	none
Reduction without visited links (will ASSERT)	none

Description mitz 2008-05-25 20:18:54 PDT

Clicking a thumbnail in the URL leads to

ASSERTION FAILED: m_frame->view() == this
(/WebCore/page/FrameView.cpp:778 void WebCore::FrameView::scheduleRelayout())

Comment 1 mitz 2008-05-25 20:29:47 PDT

I think the key is Document::updateDocumentsRendering() in the backtrace. The old document has changed children but it is no longer in the frame, so it should not update. Perhaps the function that puts a document into the page cache should take it out of the changedDocuments set.

The bug doesn't happen when the back/forward cache is disabled.

Comment 2 mitz 2008-05-25 21:55:45 PDT

The URL is already dead and I cannot reproduce with other image galleries on the site :-(

Comment 3 mitz 2008-05-25 21:58:10 PDT

(In reply to comment #2)
> I cannot reproduce with other image galleries on the site :-(

Turns out disabling the back/forward cache is a sticky setting :-)
I can reproduce with other galleries. URL updated.

Comment 4 mitz 2008-05-25 22:28:17 PDT

Created attachment 21345 [details]
Reduction (save as a file and open; will ASSERT)

While the page is in the back/forward cache, the link changes to visited, which changes the document and triggers a style recalc in the cached document.

Comment 5 mitz 2008-05-25 22:30:37 PDT

Comment on attachment 21345 [details]
Reduction (save as a file and open; will ASSERT)

Note: the reduction doesn't work when served over https from Bugzilla, because secure pages never enter the page cache.

Comment 6 mitz 2008-05-26 00:29:30 PDT

The issue appears to be more general: a script can hold a reference to a document in the back/forward cache and modify it, requiring relayout.

Comment 7 mitz 2008-05-26 13:59:08 PDT

Created attachment 21350 [details]
Reduction without visited links (will ASSERT)

An example of the same problem with a script modifying a document in the back/forward cache. A script can conceivably retroactively make the page ineligible for the back/forward cache, too.

Comment 8 mitz 2008-05-26 14:01:05 PDT

<rdar://problem/5963470>

Comment 9 mitz 2008-08-01 00:06:28 PDT

*** Bug 20248 has been marked as a duplicate of this bug. ***

Comment 10 Brady Eidson 2009-04-30 17:12:04 PDT

This no longer reproduces.