137954 2014-10-22 05:30:57 -0700 ASSERTION FAILED: !document.inPageCache() in WebCore::FrameView::layout 2016-08-03 17:41:35 -0700 1 1 1 Unclassified WebKit Frames 528+ (Nightly build) Unspecified Unspecified RESOLVED WORKSFORME P2 Normal --- 116980 1 rhodovan.u-szeged webkit-unassigned ap beidson bfulgham cdumez darin kling koivisto rniwa simon.fraser oldest_to_newest 1043426 0 240268 rhodovan.u-szeged 2014-10-22 05:30:57 -0700 Created attachment 240268 Test case The failing test case: <!DOCTYPE html> <script> function test() { document.execCommand("selectAll", false, null); document.execCommand("unlink" ,true, null); window.open("chrome-extension://foo.bar","_top","toolbar=0,width=10",false); } </script> <body onload='test()'> <object> Backtrace: ASSERTION FAILED: !document.inPageCache() ../../Source/WebCore/page/FrameView.cpp(1160) : void WebCore::FrameView::layout(bool) Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0x7fff98c1f700 (LWP 3602)] 0x00007fffedae91b5 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321 321 *(int *)(uintptr_t)0xbbadbeef = 0; #0 0x00007fffedae91b5 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321 #1 0x00007ffff365f4fb in WebCore::FrameView::layout (this=0x84ff60, allowSubtree=true) at ../../Source/WebCore/page/FrameView.cpp:1160 #2 0x00007ffff302a527 in WebCore::Document::updateLayout (this=0x788a60) at ../../Source/WebCore/dom/Document.cpp:1868 #3 0x00007ffff302a62a in WebCore::Document::updateLayoutIgnorePendingStylesheets (this=0x788a60, runPostLayoutTasks=WebCore::Document::Asynchronously) at ../../Source/WebCore/dom/Document.cpp:1900 #4 0x00007ffff31a8319 in WebCore::updateSelectionByUpdatingLayoutOrStyle (frame=...) at ../../Source/WebCore/editing/FrameSelection.cpp:350 #5 0x00007ffff31aecf5 in WebCore::FrameSelection::absoluteCaretBounds (this=0x899910) at ../../Source/WebCore/editing/FrameSelection.cpp:1361 #6 0x00007ffff29dc0c1 in WebKit::WebPage::editorState (this=0x97a030) at ../../Source/WebKit2/WebProcess/WebPage/WebPage.cpp:781 #7 0x00007ffff29e93e1 in WebKit::WebPage::didChangeSelection (this=0x97a030) at ../../Source/WebKit2/WebProcess/WebPage/WebPage.cpp:4331 #8 0x00007ffff2999693 in WebKit::WebEditorClient::respondToChangedSelection (this=0xb06210, frame=0x898e20) at ../../Source/WebKit2/WebProcess/WebCoreSupport/WebEditorClient.cpp:194 #9 0x00007ffff3197941 in WebCore::Editor::respondToChangedSelection (this=0x899660, options=6) at ../../Source/WebCore/editing/Editor.cpp:3313 #10 0x00007ffff31a80c8 in WebCore::FrameSelection::setSelectionWithoutUpdatingAppearance (this=0x899910, newSelectionPossiblyWithoutDirection=..., options=6, align=WebCore::FrameSelection::AlignCursorOnScrollIfNeeded, granularity=WebCore::CharacterGranularity) at ../../Source/WebCore/editing/FrameSelection.cpp:317 #11 0x00007ffff31ae53d in WebCore::FrameSelection::prepareForDestruction (this=0x899910) at ../../Source/WebCore/editing/FrameSelection.cpp:1284 #12 0x00007ffff3510685 in WebCore::FrameLoader::clear (this=0x898eb8, newDocument=0x8ab330, clearWindowProperties=true, clearScriptObjects=true, clearFrameView=true) at ../../Source/WebCore/loader/FrameLoader.cpp:629 #13 0x00007ffff35029a1 in WebCore::DocumentWriter::begin (this=0xa7bb50, urlReference=..., dispatch=false, ownerDocument=0x0) at ../../Source/WebCore/loader/DocumentWriter.cpp:140 #14 0x00007ffff34f0726 in WebCore::DocumentLoader::commitData (this=0xa7bab0, bytes=0xa7e110 "<html><body>URL cannot be shown</body></html>", length=45) at ../../Source/WebCore/loader/DocumentLoader.cpp:790 #15 0x00007ffff29a20c7 in WebKit::WebFrameLoaderClient::committedLoad (this=0x97a800, loader=0xa7bab0, data=0xa7e110 "<html><body>URL cannot be shown</body></html>", length=45) at ../../Source/WebKit2/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:891 #16 0x00007ffff34f0575 in WebCore::DocumentLoader::commitLoad (this=0xa7bab0, data=0xa7e110 "<html><body>URL cannot be shown</body></html>", length=45) at ../../Source/WebCore/loader/DocumentLoader.cpp:771 #17 0x00007ffff34f0bb9 in WebCore::DocumentLoader::dataReceived (this=0xa7bab0, resource=0x0, data=0xa7e110 "<html><body>URL cannot be shown</body></html>", length=45) at ../../Source/WebCore/loader/DocumentLoader.cpp:888 #18 0x00007ffff34f0400 in WebCore::DocumentLoader::continueAfterContentPolicy (this=0xa7bab0, policy=WebCore::PolicyUse) at ../../Source/WebCore/loader/DocumentLoader.cpp:750 #19 0x00007ffff34efafc in WebCore::DocumentLoader::responseReceived (this=0xa7bab0, resource=0x0, response=...) at ../../Source/WebCore/loader/DocumentLoader.cpp:653 #20 0x00007ffff34eea49 in WebCore::DocumentLoader::handleSubstituteDataLoadNow (this=0xa7bab0) at ../../Source/WebCore/loader/DocumentLoader.cpp:476 #21 0x00007ffff34fdbcc in std::_Mem_fn<void (WebCore::DocumentLoader::*)(WebCore::Timer<WebCore::DocumentLoader>*)>::operator()<WebCore::Timer<WebCore::DocumentLoader>*&, void> (this=0xa3b250, __object=0xa7bab0) at /usr/include/c++/4.8/functional:601 #22 0x00007ffff34fcf8d in std::_Bind<std::_Mem_fn<void (WebCore::DocumentLoader::*)(WebCore::Timer<WebCore::DocumentLoader>*)> (WebCore::DocumentLoader*, WebCore::Timer<WebCore::DocumentLoader>*)>::__call<void, , 0ul, 1ul>(std::tuple<>&&, std::_Index_tuple<0ul, 1ul>) (this=0xa3b250, __args=<unknown type in /home/reni/data/REPOS/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37, CU 0x2988f338, DIE 0x299c22c1>) at /usr/include/c++/4.8/functional:1296 #23 0x00007ffff34fbb20 in std::_Bind<std::_Mem_fn<void (WebCore::DocumentLoader::*)(WebCore::Timer<WebCore::DocumentLoader>*)> (WebCore::DocumentLoader*, WebCore::Timer<WebCore::DocumentLoader>*)>::operator()<, void>() (this=0xa3b250) at /usr/include/c++/4.8/functional:1355 #24 0x00007ffff34fa06f in std::_Function_handler<void (), std::_Bind<std::_Mem_fn<void (WebCore::DocumentLoader::*)(WebCore::Timer<WebCore::DocumentLoader>*)> (WebCore::DocumentLoader*, WebCore::Timer<WebCore::DocumentLoader>*)> >::_M_invoke(std::_Any_data const&) (__functor=...) at /usr/include/c++/4.8/functional:2071 #25 0x00007ffff26dc5a6 in std::function<void ()>::operator()() const (this=0xa7c340) at /usr/include/c++/4.8/functional:2464 #26 0x00007ffff34feb54 in WebCore::Timer<WebCore::DocumentLoader>::fired (this=0xa7c308) at ../../Source/WebCore/platform/Timer.h:133 #27 0x00007ffff373bd1f in WebCore::ThreadTimers::sharedTimerFiredInternal (this=0xb028b0) at ../../Source/WebCore/platform/ThreadTimers.cpp:132 #28 0x00007ffff373bbcd in WebCore::ThreadTimers::sharedTimerFired () at ../../Source/WebCore/platform/ThreadTimers.cpp:107 #29 0x00007ffff3bf37a3 in std::_Function_handler<void (), void (*)()>::_M_invoke(std::_Any_data const&) (__functor=...) at /usr/include/c++/4.8/functional:2071 #30 0x00007ffff26dc5a6 in std::function<void ()>::operator()() const (this=0x7fffffffd4a8) at /usr/include/c++/4.8/functional:2464 #31 0x00007fffedb32896 in WTF::GMainLoopSource::voidCallback (this=0x7ffff7dd7f60 <WebCore::gSharedTimer>) at ../../Source/WTF/wtf/gobject/GMainLoopSource.cpp:364 #32 0x00007fffedb32ff7 in WTF::GMainLoopSource::voidSourceCallback (source=0x7ffff7dd7f60 <WebCore::gSharedTimer>) at ../../Source/WTF/wtf/gobject/GMainLoopSource.cpp:454 #33 0x00007fffedb31a13 in WTF::__lambda0::operator() (__closure=0x0, source=0x8add20, callback=0x7fffedb32fd4 <WTF::GMainLoopSource::voidSourceCallback(WTF::GMainLoopSource*)>, userData=0x7ffff7dd7f60 <WebCore::gSharedTimer>) at ../../Source/WTF/wtf/gobject/GMainLoopSource.cpp:247 #34 0x00007fffedb31a81 in WTF::__lambda0::_FUN (source=0x8add20, callback=0x7fffedb32fd4 <WTF::GMainLoopSource::voidSourceCallback(WTF::GMainLoopSource*)>, userData=0x7ffff7dd7f60 <WebCore::gSharedTimer>) at ../../Source/WTF/wtf/gobject/GMainLoopSource.cpp:251 #35 0x00007fffeaad1a2d in g_main_dispatch (context=0x6777f0) at gmain.c:3064 #36 g_main_context_dispatch (context=context@entry=0x6777f0) at gmain.c:3663 #37 0x00007fffeaad1d98 in g_main_context_iterate (context=0x6777f0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3734 #38 0x00007fffeaad205a in g_main_loop_run (loop=0xb00db0) at gmain.c:3928 #39 0x00007ffff457c386 in WTF::RunLoop::run () at ../../Source/WTF/wtf/gtk/RunLoopGtk.cpp:59 #40 0x00007ffff2ad6a46 in WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain> (argc=2, argv=0x7fffffffd8b8) at ../../Source/WebKit2/Shared/unix/ChildProcessMain.h:61 #41 0x00007ffff2ad68ab in WebKit::WebProcessMainUnix (argc=2, argv=0x7fffffffd8b8) at ../../Source/WebKit2/WebProcess/gtk/WebProcessMainGtk.cpp:73 #42 0x0000000000400871 in main (argc=2, argv=0x7fffffffd8b8) at ../../Source/WebKit2/WebProcess/EntryPoint/unix/WebProcessMain.cpp:44 1043665 1 simon.fraser 2014-10-22 20:19:12 -0700 Issue seems to be in Editor::respondToChangedSelection() 1217285 2 bfulgham 2016-08-03 17:41:35 -0700 This issue no longer happens in r204037 under GuardMalloc or ASAN. If you believe there is still an issue, please reopen this bug with a revised test case. 240268 2014-10-22 05:30:57 -0700 2014-10-22 05:30:57 -0700 Test case crash.html text/html 271 rhodovan.u-szeged PCFET0NUWVBFIGh0bWw+CjxzY3JpcHQ+CmZ1bmN0aW9uIHRlc3QoKSB7CiAgICBkb2N1bWVudC5l eGVjQ29tbWFuZCgic2VsZWN0QWxsIiwgZmFsc2UsIG51bGwpOwogICAgZG9jdW1lbnQuZXhlY0Nv bW1hbmQoInVubGluayIgICAsdHJ1ZSwgICBudWxsKTsKICAgIHdpbmRvdy5vcGVuKCJjaHJvbWUt ZXh0ZW5zaW9uOi8vZm9vLmJhciIsIl90b3AiLCJ0b29sYmFyPTAsd2lkdGg9MTAiLGZhbHNlKTsK fQo8L3NjcmlwdD4KPGJvZHkgb25sb2FkPSd0ZXN0KCknPgo8b2JqZWN0Pg==