* SUMMARY
I hit an assertion failure logging into eHarmony.com last night. It's the same assertion failure as the one from Bug 13155. I was running Safari 3.0 beta with a local debug build of WebKit r22098 on Mac OS X 10.4.9 (8P135).

* STEPS TO REPRODUCE
1. Launch Safari/WebKit.
2. Go to URL: http://www.eharmony.com/
3. Enter username and password, then click Submit.

NOTE: These steps are in theory; I haven't tried yet!

* NOTES
Console output:

ASSERTION FAILED: !needsLayout() (/path/to/WebKit/WebCore/rendering/RenderView.cpp:139 virtual void WebCore::RenderView::paint(WebCore::RenderObject::PaintInfo&, int, int))
Segmentation fault

Stack trace:

Version: 3.0 (522.11)
Build Version: 2
Project Name: WebBrowser
Source Version: 45221100
PID: 731
Thread: 0

Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_INVALID_ADDRESS (0x0001) at 0xbbadbeef

Thread 0 Crashed:
0 com.apple.WebCore 0x011ad64c WebCore::RenderView::paint(WebCore::RenderObject::PaintInfo&, int, int) + 112 (RenderView.cpp:139)
1 com.apple.WebCore 0x011d0438 WebCore::RenderLayer::paintLayer(WebCore::RenderLayer*, WebCore::GraphicsContext*, WebCore::IntRect const&, bool, WebCore::PaintRestriction, WebCore::RenderObject*) + 1092 (RenderLayer.cpp:1474)
2 com.apple.WebCore 0x011d0998 WebCore::RenderLayer::paint(WebCore::GraphicsContext*, WebCore::IntRect const&, WebCore::PaintRestriction, WebCore::RenderObject*) + 72 (RenderLayer.cpp:1394)
3 com.apple.WebCore 0x010f2690 WebCore::Frame::paint(WebCore::GraphicsContext*, WebCore::IntRect const&) + 800 (Frame.cpp:1273)
4 com.apple.WebCore 0x0111f548 -[WebCoreFrameBridge drawRect:] + 372 (WebCoreFrameBridge.mm:409)
5 com.apple.WebKit 0x003513d0 -[WebHTMLView drawSingleRect:] + 760 (WebHTMLView.mm:2638)
6 com.apple.WebKit 0x0035187c -[WebHTMLView drawRect:] + 540 (WebHTMLView.mm:2693)
7 com.apple.AppKit 0x937e7858 -[NSView _drawRect:clip:] + 2128
8 com.apple.AppKit 0x937e6e18 -[NSView _recursiveDisplayAllDirtyWithLockFocus:visRect:] + 404
9 com.apple.WebKit 0x00348398 -[WebHTMLView(WebPrivate) _recursiveDisplayAllDirtyWithLockFocus:visRect:] + 796 (WebHTMLView.mm:900)
10 com.apple.AppKit 0x937e9b60 _recursiveDisplayInRect2 + 84
11 com.apple.CoreFoundation 0x907ee3ec CFArrayApplyFunction + 416
12 com.apple.AppKit 0x937e6f2c -[NSView _recursiveDisplayAllDirtyWithLockFocus:visRect:] + 680
13 com.apple.AppKit 0x937e9b60 _recursiveDisplayInRect2 + 84
14 com.apple.CoreFoundation 0x907ee3ec CFArrayApplyFunction + 416
15 com.apple.AppKit 0x937e6f2c -[NSView _recursiveDisplayAllDirtyWithLockFocus:visRect:] + 680
16 com.apple.AppKit 0x937e9b60 _recursiveDisplayInRect2 + 84
17 com.apple.CoreFoundation 0x907ee3ec CFArrayApplyFunction + 416
18 com.apple.AppKit 0x937e6f2c -[NSView _recursiveDisplayAllDirtyWithLockFocus:visRect:] + 680
19 com.apple.AppKit 0x937e63e0 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 196
20 com.apple.AppKit 0x937e69a8 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 1676
21 com.apple.AppKit 0x937e69a8 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 1676
22 com.apple.AppKit 0x937e69a8 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 1676
23 com.apple.AppKit 0x937e69a8 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 1676
24 com.apple.AppKit 0x937e69a8 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 1676
25 com.apple.AppKit 0x93807044 -[NSThemeFrame _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 192
26 com.apple.AppKit 0x937e0054 -[NSView _displayRectIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:] + 384
27 com.apple.AppKit 0x937d5348 -[NSView displayIfNeeded] + 248
28 com.apple.AppKit 0x937d51b8 -[NSWindow displayIfNeeded] + 180
29 com.apple.Safari 0x000133d4 0x1000 + 74708
30 com.apple.AppKit 0x937d5064 _handleWindowNeedsDisplay + 200
31 com.apple.CoreFoundation 0x907de76c __CFRunLoopDoObservers + 352
32 com.apple.CoreFoundation 0x907dea0c __CFRunLoopRun + 420
33 com.apple.CoreFoundation 0x907de4ac CFRunLoopRunSpecific + 268
34 com.apple.HIToolbox 0x9329bb20 RunCurrentEventLoopInMode + 264
35 com.apple.HIToolbox 0x9329b1b4 ReceiveNextEventCommon + 380
36 com.apple.HIToolbox 0x9329b020 BlockUntilNextEventMatchingListInMode + 96
37 com.apple.AppKit 0x937a1ae4 _DPSNextEvent + 384
38 com.apple.AppKit 0x937a17a8 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 116
39 com.apple.Safari 0x00006770 0x1000 + 22384
40 com.apple.AppKit 0x9379dcec -[NSApplication run] + 472
41 com.apple.AppKit 0x9388e87c NSApplicationMain + 452
42 com.apple.Safari 0x0000244c 0x1000 + 5196
43 com.apple.Safari 0x0004f1b0 0x1000 + 319920
Copying Beth since she fixed Bug 13155.
Hmm...I may have been loading a message on Yahoo! Mail at the time as well. Need to try to reproduce the Yahoo! bug on the Safari 3 beta to see if it's present.
I saw this again, but was loading bugzilla.mozilla.org (along with some other pages, possibly). Still haven't figured out the trigger or how to reproduce it.

Reproduced with Safari 3.0 Beta with a local debug build of WebKit r23502 with Mac OS X 10.4.9 (8P135).

Console output:

ASSERTION FAILED: !needsLayout() (/path/to/WebKit/WebCore/rendering/RenderView.cpp:139 virtual void WebCore::RenderView::paint(WebCore::RenderObject::PaintInfo&, int, int))
Segmentation fault

Stack trace:

Version: 3.0 (522.11)
Build Version: 2
Project Name: WebBrowser
Source Version: 45221100
PID: 643
Thread: 0

Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_INVALID_ADDRESS (0x0001) at 0xbbadbeef

Thread 0 Crashed:
0 com.apple.WebCore 0x011ad42c WebCore::RenderView::paint(WebCore::RenderObject::PaintInfo&, int, int) + 112 (RenderView.cpp:139)
1 com.apple.WebCore 0x011d0218 WebCore::RenderLayer::paintLayer(WebCore::RenderLayer*, WebCore::GraphicsContext*, WebCore::IntRect const&, bool, WebCore::PaintRestriction, WebCore::RenderObject*) + 1092 (RenderLayer.cpp:1474)
2 com.apple.WebCore 0x011d0778 WebCore::RenderLayer::paint(WebCore::GraphicsContext*, WebCore::IntRect const&, WebCore::PaintRestriction, WebCore::RenderObject*) + 72 (RenderLayer.cpp:1394)
3 com.apple.WebCore 0x010f2470 WebCore::Frame::paint(WebCore::GraphicsContext*, WebCore::IntRect const&) + 800 (Frame.cpp:1273)
4 com.apple.WebCore 0x0111f328 -[WebCoreFrameBridge drawRect:] + 372 (WebCoreFrameBridge.mm:409)
5 com.apple.WebKit 0x003513d0 -[WebHTMLView drawSingleRect:] + 760 (WebHTMLView.mm:2638)
6 com.apple.WebKit 0x0035187c -[WebHTMLView drawRect:] + 540 (WebHTMLView.mm:2693)
7 com.apple.AppKit 0x937e7858 -[NSView _drawRect:clip:] + 2128
8 com.apple.AppKit 0x937e6e18 -[NSView _recursiveDisplayAllDirtyWithLockFocus:visRect:] + 404
9 com.apple.WebKit 0x00348398 -[WebHTMLView(WebPrivate) _recursiveDisplayAllDirtyWithLockFocus:visRect:] + 796 (WebHTMLView.mm:900)
10 com.apple.AppKit 0x937e63e0 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 196
11 com.apple.WebKit 0x00347fe8 -[WebHTMLView(WebPrivate) _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 520 (WebHTMLView.mm:854)
12 com.apple.AppKit 0x937e69a8 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 1676
13 com.apple.AppKit 0x937e69a8 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 1676
14 com.apple.AppKit 0x937e69a8 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 1676
15 com.apple.AppKit 0x937e69a8 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 1676
16 com.apple.AppKit 0x937e69a8 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 1676
17 com.apple.AppKit 0x937e69a8 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 1676
18 com.apple.AppKit 0x937e69a8 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 1676
19 com.apple.AppKit 0x937e69a8 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 1676
20 com.apple.AppKit 0x93807044 -[NSThemeFrame _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 192
21 com.apple.AppKit 0x937e0054 -[NSView _displayRectIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:] + 384
22 com.apple.AppKit 0x937d5348 -[NSView displayIfNeeded] + 248
23 com.apple.AppKit 0x937d51b8 -[NSWindow displayIfNeeded] + 180
24 com.apple.Safari 0x000133d4 0x1000 + 74708
25 com.apple.AppKit 0x937d5064 _handleWindowNeedsDisplay + 200
26 com.apple.CoreFoundation 0x907de76c __CFRunLoopDoObservers + 352
27 com.apple.CoreFoundation 0x907dea0c __CFRunLoopRun + 420
28 com.apple.CoreFoundation 0x907de4ac CFRunLoopRunSpecific + 268
29 com.apple.HIToolbox 0x9329bb20 RunCurrentEventLoopInMode + 264
30 com.apple.HIToolbox 0x9329b12c ReceiveNextEventCommon + 244
31 com.apple.HIToolbox 0x9329b020 BlockUntilNextEventMatchingListInMode + 96
32 com.apple.AppKit 0x937a1ae4 _DPSNextEvent + 384
33 com.apple.AppKit 0x937a17a8 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 116
34 com.apple.Safari 0x00006770 0x1000 + 22384
35 com.apple.AppKit 0x9379dcec -[NSApplication run] + 472
36 com.apple.AppKit 0x9388e87c NSApplicationMain + 452
37 com.apple.Safari 0x0000244c 0x1000 + 5196
38 com.apple.Safari 0x0004f1b0 0x1000 + 319920
(In reply to comment #3)
> I saw this again, but was loading bugzilla.mozilla.org (along with some other
> pages, possibly). Still haven't figured out the trigger or how to reproduce
> it.

Saw this logging into usps.com web site when trying to reproduce Bug 4151 with a local debug build of WebKit r23502 with Safari 3.0 (522.11) on Mac OS X 10.4.9 (8P135).
(In reply to comment #4)
> Saw this logging into usps.com web site when trying to reproduce Bug 4151 with
> a local debug build of WebKit r23502 with Safari 3.0 (522.11) on Mac OS X
> 10.4.9 (8P135).

NOTE: This doesn't produce a crash every time--only when I don't want it to crash.

* STEPS TO REPRODUCE
1. Open Safari/WebKit.
2. Go to URL: https://sss-web.usps.com/
3. Click the "Sign In" button.

As I mentioned above, this doesn't happen every time, but I think it usually happens in a tab (that's not the left-most tab) more often than not.
(In reply to comment #5)
> * STEPS TO REPRODUCE
> 1. Open Safari/WebKit.
> 2. Go to URL: https://sss-web.usps.com/
> 3. Click the "Sign In" button.
>
> As I mentioned above, this doesn't happen every time, but I think it usually
> happens in a tab (that's not the left-most tab) more often than not.

If this doesn't crash the first time you hit it, try hitting Reload.
I'm seeing the same thing on the main http://yahoo.com page
At least on Yahoo, the bug seems to be due to the midLayout guards around the call to invalidateSelection() in FrameView::layout(). Those guards prevent layout from happening, and there's no guarantee that it will happen later before returning from FrameView::layout() (there is a call to scheduleRelayout near the end, but that call is: never supposed to be reached anyway, doesn't always guarantee a relayout, and the early return after it messes up the suspend/resume scheduled events mechanism). I think the same applies to the guards around updateWidgetPositions(). If I remember correctly, both of the above were added on a speculative basis. I don't think they're needed.
See bug 13455 comment #3 regarding the scheduleRelayout and early return being not supposed to be reached.
Created attachment 15282 [details] Possible fix
Opening maps.google.com causes this assertion failure for me each time today. I haven't tried applying the patch.
Created attachment 15289 [details]
Test case (will ASSERT)

The beloved updateLayoutIgnorePendingStylesheets() is involved in this case. It is called under invalidateSelection and -- since there are pending stylesheets -- it calls updateStyleSelector() which dirties the root. Normally the root gets a layout after that, but now because of the guard around invalidateSelection it doesn't. I'm going to add this test case to the patch and submit for review.
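A constructed model of the mechanism described in comment 13 and comment 17 (added here; not WebKit code and not from the attached patch). It assumes the guard works by setting the midLayout flag around invalidateSelection() so that the nested layout() reached through updateLayoutIgnorePendingStylesheets() bails out, and that updateStyleSelector() only dirties the root once the pending stylesheets are consumed; with the guard the root is still dirty when paint runs, without it the nested layout cleans it.

```cpp
// Constructed model (not WebKit code) of the midLayout guard discussed above.
struct Model {
    bool rootNeedsLayout = false;    // stands in for RenderView::needsLayout()
    bool midLayout = false;          // FrameView's re-entrancy flag
    bool pendingStylesheets = false; // assumption: what makes updateStyleSelector() run
    bool guardNonLayoutCalls = true; // true = the guards the fix removes

    // Assumption: rebuilding the style selector dirties the root for layout.
    void updateStyleSelector() { rootNeedsLayout = true; }
    void layout();

    // Models updateLayoutIgnorePendingStylesheets(): with stylesheets still
    // pending it rebuilds the selector (dirtying the root), then lays out.
    void updateLayoutIgnorePendingStylesheets() {
        if (pendingStylesheets) {
            pendingStylesheets = false; // simplification: rebuilt only once
            updateStyleSelector();
        }
        if (rootNeedsLayout)
            layout(); // nested call: this is what the guard suppresses
    }
    void invalidateSelection() { updateLayoutIgnorePendingStylesheets(); }

    // Models the ASSERT(!needsLayout()) at the top of RenderView::paint().
    bool paintWouldAssert() const { return rootNeedsLayout; }
};

void Model::layout() {
    if (midLayout) // re-entered while laying out: bail out
        return;
    midLayout = true;
    rootNeedsLayout = false; // root->layout()
    midLayout = false;

    if (guardNonLayoutCalls) midLayout = true;  // the speculative guard
    invalidateSelection();                      // may dirty the root again
    if (guardNonLayoutCalls) midLayout = false;
    // A guarded nested layout() returned early, so the root may still be dirty here.
}

// Returns true when the following paint would hit ASSERTION FAILED: !needsLayout().
bool assertsAtPaint(bool guarded, bool pendingStylesheets) {
    Model m;
    m.guardNonLayoutCalls = guarded;
    m.pendingStylesheets = pendingStylesheets;
    m.rootNeedsLayout = true; // something scheduled a layout before painting
    m.layout();
    return m.paintWouldAssert();
}
```

Only the combination of the guard and pending stylesheets leaves the root dirty; removing the guard lets the nested layout run, which is what attachment 15290 does.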
Created attachment 15290 [details] Remove midLayout guards around non-layout calls
Comment on attachment 15290 [details] Remove midLayout guards around non-layout calls This looks good to me.
Landed in r23866.