174559 2017-07-15 20:50:00 -0700 ASSERTION FAILURE: LayoutDisallowedScope::isLayoutAllowed() in Document::updateLayout() 2017-07-16 19:06:26 -0700 1 1 1 Unclassified WebKit Accessibility WebKit Local Build All All NEW InRadar P2 Normal --- 173912 1 dbates rniwa cfleizach dbates simon.fraser webkit-bug-importer zalan oldest_to_newest 1329299 0 315584 dbates 2017-07-15 20:50:00 -0700 Created attachment 315584 Test case When using WebKit1 MiniBrowser with a debug build of WebKit r219539 I hit ASSERT(LayoutDisallowedScope::isLayoutAllowed()) by performing the following: 1. Enable VoiceOver. (You can do this by pressing Command-F5 or by opening System Preferences > Accessibility, click Voice Over and then click Enable VoiceOver). 2. Open the attached test case. 3. Click anywhere in the HTML body element. Then WebKit will crash because ASSERT(LayoutDisallowedScope::isLayoutAllowed()) fails in Document::updateLayout(). For completeness, this assertion was added in the patch for bug #173912. 1329300 1 webkit-bug-importer 2017-07-15 20:50:30 -0700 <rdar://problem/33337919> 1329301 2 dbates 2017-07-15 20:50:54 -0700 (lldb) bt * thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xbbadbeef) * frame #0: 0x0000000111bb5d54 JavaScriptCore`::WTFCrash() at Assertions.cpp:278 frame #1: 0x0000000104d68315 WebCore`WebCore::Document::updateLayout(this=0x000000011aea3000) at Document.cpp:1914 frame #2: 0x0000000104d6cf7e WebCore`WebCore::Document::updateLayoutIgnorePendingStylesheets(this=0x000000011aea3000, runPostLayoutTasks=Asynchronously) at Document.cpp:1949 frame #3: 0x00000001046336b7 WebCore`WebCore::AccessibilityObject::updateBackingStore(this=0x000000011aeed5a0) at AccessibilityObject.cpp:1771 frame #4: 0x0000000107204f91 WebCore`::-[WebAccessibilityObjectWrapperBase updateObjectBackingStore](self=0x0000618000002240, _cmd="updateObjectBackingStore") at WebAccessibilityObjectWrapperBase.mm:294 frame #5: 0x000000010721c23b WebCore`::-[WebAccessibilityObjectWrapper accessibilityIsIgnored](self=0x0000618000002240, _cmd="accessibilityIsIgnored") at WebAccessibilityObjectWrapperMac.mm:3303 frame #6: 0x00007fffbc337704 AppKit`__NSAccessibilityEntryPointIsAccessibilityElement_block_invoke + 192 frame #7: 0x00007fffbc3375e8 AppKit`NSAccessibilityPerformEntryPointBOOL + 19 frame #8: 0x00007fffbbd6b35c AppKit`NSAccessibilityEntryPointIsAccessibilityElement + 96 frame #9: 0x00007fffbbdd48d9 AppKit`NSAccessibilityPostNotificationForObservedElementWithUserInfo + 215 frame #10: 0x00000001048174f5 WebCore`WebCore::AXPostNotificationWithUserInfo(object=0x0000618000002240, notification="AXValueChanged", userInfo=3 key/value pairs) at AXObjectCacheMac.mm:258 frame #11: 0x0000000104818104 WebCore`WebCore::postUserInfoForChanges(rootWebArea=0x000000011aeed5a0, object=0x00000001208b7000, changes=1 element) at AXObjectCacheMac.mm:460 frame #12: 0x0000000104818283 WebCore`WebCore::AXObjectCache::postTextReplacementPlatformNotificationForTextControl(this=0x000000011aed0700, object=0x00000001208b7000, deletedText={ length = 0, contents = '' }, insertedText={ length = 1, contents = '1' }, textControl=0x000000011aedc380) at AXObjectCacheMac.mm:497 frame #13: 0x00000001047ed623 WebCore`WebCore::AXObjectCache::postTextReplacementNotificationForTextControl(this=0x000000011aed0700, textControl=0x000000011aedc380, deletedText={ length = 0, contents = '' }, insertedText={ length = 1, contents = '1' }) at AXObjectCache.cpp:1308 frame #14: 0x0000000105415803 WebCore`WebCore::HTMLTextFormControlElement::setInnerTextValue(this=0x000000011aedc380, value={ length = 1, contents = '1' }) at HTMLTextFormControlElement.cpp:582 frame #15: 0x00000001070804dc WebCore`WebCore::TextFieldInputType::updateInnerTextValue(this=0x000000011ae52f78) at TextFieldInputType.cpp:576 frame #16: 0x0000000107081e6c WebCore`WebCore::TextFieldInputType::attributeChanged(this=0x000000011ae52f78, attributeName=0x00007fff5fbfda28) at TextFieldInputType.cpp:352 frame #17: 0x000000010535fa92 WebCore`WebCore::HTMLInputElement::parseAttribute(this=0x000000011aedc380, name=0x00007fff5fbfda28, value={ length = 1, contents = '1' }) at HTMLInputElement.cpp:777 frame #18: 0x0000000104f0cbc9 WebCore`WebCore::Element::attributeChanged(this=0x000000011aedc380, name=0x00007fff5fbfda28, oldValue={ length = 0, contents = '' }, newValue={ length = 1, contents = '1' }, (null)=ModifiedDirectly) at Element.cpp:1333 frame #19: 0x0000000106e79ddf WebCore`WebCore::StyledElement::attributeChanged(this=0x000000011aedc380, name=0x00007fff5fbfda28, oldValue={ length = 0, contents = '' }, newValue={ length = 1, contents = '1' }, reason=ModifiedDirectly) at StyledElement.cpp:90 frame #20: 0x0000000104f18e84 WebCore`WebCore::Element::didModifyAttribute(this=0x000000011aedc380, name=0x00007fff5fbfda28, oldValue={ length = 0, contents = '' }, newValue={ length = 1, contents = '1' }) at Element.cpp:3376 frame #21: 0x0000000104f0c789 WebCore`WebCore::Element::setAttributeInternal(this=0x000000011aedc380, index=2, name=0x00007fff5fbfda98, newValue={ length = 1, contents = '1' }, inSynchronizationOfLazyAttribute=NotInSynchronizationOfLazyAttribute) at Element.cpp:1290 frame #22: 0x0000000104f0c461 WebCore`WebCore::Element::setAttribute(this=0x000000011aedc380, localName={ length = 5, contents = 'value' }, value={ length = 1, contents = '1' }) at Element.cpp:1237 frame #23: 0x0000000105a7e2c7 WebCore`WebCore::jsElementPrototypeFunctionSetAttributeBody(state=0x00007fff5fbfdcb0, castedThis=0x000000012066c0e0, throwScope=0x00007fff5fbfdc38) at JSElement.cpp:1893 frame #24: 0x0000000105a7321e WebCore`long long WebCore::IDLOperation<WebCore::JSElement>::call<&(state=0x00007fff5fbfdcb0, operationName="setAttribute")), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*) at JSDOMOperation.h:53 frame #25: 0x0000000105a72fac WebCore`WebCore::jsElementPrototypeFunctionSetAttribute(state=0x00007fff5fbfdcb0) at JSElement.cpp:1899 frame #26: 0x00004dc87ae01028 frame #27: 0x000000011173d183 JavaScriptCore`llint_entry at LowLevelInterpreter.asm:795 frame #28: 0x00000001117357e7 JavaScriptCore`llintPCRangeStart at LowLevelInterpreter64.asm:256 frame #29: 0x00000001115229fe JavaScriptCore`JSC::JITCode::execute(this=0x000000011ae18d20, vm=0x0000000120500000, protoCallFrame=0x00007fff5fbfdf08) at JITCode.cpp:81 frame #30: 0x00000001114d2af5 JavaScriptCore`JSC::Interpreter::executeCall(this=0x000000011aefcc68, callFrame=0x00000001206e00e8, function=0x00000001206794b0, callType=JS, callData=0x00007fff5fbfe520, thisValue=JSValue @ 0x00007fff5fbfe020, args=0x00007fff5fbfe408) at Interpreter.cpp:971 frame #31: 0x0000000110c9f7f8 JavaScriptCore`JSC::call(exec=0x00000001206e00e8, functionObject=JSValue @ 0x00007fff5fbfe0a0, callType=JS, callData=0x00007fff5fbfe520, thisValue=JSValue @ 0x00007fff5fbfe098, args=0x00007fff5fbfe408) at CallData.cpp:40 frame #32: 0x0000000110c9f909 JavaScriptCore`JSC::call(exec=0x00000001206e00e8, functionObject=JSValue @ 0x00007fff5fbfe190, callType=JS, callData=0x00007fff5fbfe520, thisValue=JSValue @ 0x00007fff5fbfe188, args=0x00007fff5fbfe408, returnedException=0x00007fff5fbfe430) at CallData.cpp:47 frame #33: 0x0000000110c9fb8d JavaScriptCore`JSC::profiledCall(exec=0x00000001206e00e8, reason=Other, functionObject=JSValue @ 0x00007fff5fbfe220, callType=JS, callData=0x00007fff5fbfe520, thisValue=JSValue @ 0x00007fff5fbfe218, args=0x00007fff5fbfe408, returnedException=0x00007fff5fbfe430) at CallData.cpp:66 frame #34: 0x00000001057d0b2b WebCore`WebCore::JSMainThreadExecState::profiledCall(exec=0x00000001206e00e8, reason=Other, functionObject=JSValue @ 0x00007fff5fbfe2b0, callType=JS, callData=0x00007fff5fbfe520, thisValue=JSValue @ 0x00007fff5fbfe2a8, args=0x00007fff5fbfe408, returnedException=0x00007fff5fbfe430) at JSMainThreadExecState.h:72 frame #35: 0x0000000105aa6ee9 WebCore`WebCore::JSEventListener::handleEvent(this=0x00000001208dd3f0, scriptExecutionContext=0x000000011aea3000, event=0x000000011ae81ed8) at JSEventListener.cpp:155 frame #36: 0x0000000104f73a96 WebCore`WebCore::EventTarget::fireEventListeners(this=0x000000011ae065b0, event=0x000000011ae81ed8, listeners={ size = 1, capacity = 0 }) at EventTarget.cpp:264 frame #37: 0x0000000104f7365e WebCore`WebCore::EventTarget::fireEventListeners(this=0x000000011ae065b0, event=0x000000011ae81ed8) at EventTarget.cpp:209 frame #38: 0x0000000106620981 WebCore`WebCore::Node::handleLocalEvents(this=0x000000011ae065b0, event=0x000000011ae81ed8) at Node.cpp:2368 frame #39: 0x0000000104f416cb WebCore`WebCore::EventContext::handleLocalEvents(this=0x000000011ae18c58, event=0x000000011ae81ed8) const at EventContext.cpp:54 frame #40: 0x0000000104f4199a WebCore`WebCore::MouseOrFocusEventContext::handleLocalEvents(this=0x000000011ae18c58, event=0x000000011ae81ed8) const at EventContext.cpp:85 frame #41: 0x0000000104f423c8 WebCore`WebCore::dispatchEventInDOM(event=0x000000011ae81ed8, path=0x00007fff5fbfe928) at EventDispatcher.cpp:105 frame #42: 0x0000000104f41e67 WebCore`WebCore::EventDispatcher::dispatchEvent(node=0x000000011ae06618, event=0x000000011ae81ed8) at EventDispatcher.cpp:163 frame #43: 0x00000001066209dd WebCore`WebCore::Node::dispatchEvent(this=0x000000011ae06618, event=0x000000011ae81ed8) at Node.cpp:2382 frame #44: 0x0000000104f0628f WebCore`WebCore::Element::dispatchMouseEvent(this=0x000000011ae06618, platformEvent=0x00007fff5fbfeed0, eventType={ length = 7, contents = 'mouseup' }, detail=1, relatedTarget=0x0000000000000000) at Element.cpp:285 frame #45: 0x0000000104f4b1ec WebCore`WebCore::EventHandler::dispatchMouseEvent(this=0x000000011aef1600, eventType={ length = 7, contents = 'mouseup' }, targetNode=0x000000011aef4af0, (null)=true, clickCount=1, platformMouseEvent=0x00007fff5fbfeed0, setUnder=false) at EventHandler.cpp:2553 frame #46: 0x0000000104f4dbb3 WebCore`WebCore::EventHandler::handleMouseReleaseEvent(this=0x000000011aef1600, platformMouseEvent=0x00007fff5fbfeed0) at EventHandler.cpp:2077 frame #47: 0x0000000104f5cd88 WebCore`WebCore::EventHandler::mouseUp(this=0x000000011aef1600, event=0x0000608000121720, correspondingPressureEvent=0x0000000000000000) at EventHandlerMac.mm:547 frame #48: 0x0000000103c8b507 WebKitLegacy`::-[WebHTMLView mouseUp:](self=0x00006100001612c0, _cmd="mouseUp:", event=0x0000608000121720) at WebHTMLView.mm:4777 frame #49: 0x00007fffbc60fb0a AppKit`-[NSWindow(NSEventRouting) _reallySendEvent:isDelayedEvent:] + 1544 frame #50: 0x00007fffbc60f136 AppKit`-[NSWindow(NSEventRouting) sendEvent:] + 541 frame #51: 0x00007fffbc493835 AppKit`-[NSApplication(NSEvent) sendEvent:] + 1145 frame #52: 0x00007fffbbd0e98b AppKit`-[NSApplication run] + 1002 frame #53: 0x00007fffbbcd9372 AppKit`NSApplicationMain + 1237 frame #54: 0x0000000100008e09 MiniBrowser`main(argc=5, argv=0x00007fff5fbff808) at main.m:32 frame #55: 0x00007fffd4034235 libdyld.dylib`start + 1 frame #56: 0x00007fffd4034235 libdyld.dylib`start + 1 1329466 3 rniwa 2017-07-16 18:37:16 -0700 Why is AccessibilityObject::updateBackingStore updating layout!? 1329470 4 zalan 2017-07-16 18:44:48 -0700 (In reply to Ryosuke Niwa from comment #3) > Why is AccessibilityObject::updateBackingStore updating layout!? Because it's designed to be eager -which I am incrementally changing to be post-layout. 1329471 5 rniwa 2017-07-16 18:49:08 -0700 (In reply to zalan from comment #4) > (In reply to Ryosuke Niwa from comment #3) > > Why is AccessibilityObject::updateBackingStore updating layout!? > > Because it's designed to be eager -which I am incrementally changing to be > post-layout. Okay. We really need to finish this work. Otherwise, we would be triggering sync layout whenever input.value is changed with AX tree turned on. It's a serious performance degradation. 1329473 6 rniwa 2017-07-16 19:06:26 -0700 Does the assertion happen in WK2? 315584 2017-07-15 20:50:00 -0700 2017-07-15 20:50:00 -0700 Test case test.html text/html 352 dbates PCFET0NUWVBFIGh0bWw+CjxodG1sPgo8aGVhZD4KPHN0eWxlPgpib2R5IHsgaGVpZ2h0OiAxMDAw cHggfQo8L3N0eWxlPgo8c2NyaXB0Pgp2YXIgY291bnQgPSAwOwp3aW5kb3cub25sb2FkID0gZnVu Y3Rpb24gKCkKewogICAgZG9jdW1lbnQuYm9keS5vbm1vdXNldXAgPSBmdW5jdGlvbiAoKSB7CiAg ICAgICAgZG9jdW1lbnQuZ2V0RWxlbWVudEJ5SWQoImlucHV0Iikuc2V0QXR0cmlidXRlKCJ2YWx1 ZSIsICsrY291bnQpOwogICAgfQp9Cjwvc2NyaXB0Pgo8L2hlYWQ+Cjxib2R5Pgo8cD5DbGljayBh bnl3aGVyZTwvcD4KPGlucHV0IGlkPSJpbnB1dCIgdHlwZT0idGV4dCIgdmFsdWU9IiI+CjwvYm9k eT4KPC9odG1sPg==