Bug 102957

Summary:

[CSS Regions] Crash when using hover and first-letter inside a flow-thread

Product:

WebKit

Reporter:

Alexandru Chiculita <achicu>

Component:

Layout and Rendering

Assignee:

Alexandru Chiculita <achicu>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

abucur, dbates, donggwan.kim, eric, esprehn, inferno, mihnea, ojan, WebkitBugTracker, webkit.review.bot

Priority:

Keywords:

AdobeTracked

Version:

528+ (Nightly build)

Hardware:

Unspecified

OS:

Unspecified

Bug Depends on:

Bug Blocks:

57312, 103324

Attachments:

Description	Flags
test case	none
Patch	buildbot: commit-queue-
Patch V1	none

Alexandru Chiculita

Reported 2012-11-21 10:06:23 PST

Use the attached test case. Hover the text in the first region. I got the following ASSERT in Debug and a crash in Release mode. ASSERTION FAILED: enclosingRenderFlowThread() /Users/achicu/code/chromium2/src/third_party/WebKit/Source/WebCore/rendering/RenderObject.cpp(2451) : virtual void WebCore::RenderObject::willBeRemovedFromTree() 1 0x103d04932 WebCore::RenderObject::willBeRemovedFromTree() 2 0x103d084d5 WebCore::RenderObjectChildList::removeChildNode(WebCore::RenderObject*, WebCore::RenderObject*, bool) 3 0x103cf5974 WebCore::RenderObject::removeChild(WebCore::RenderObject*) 4 0x103c63336 WebCore::RenderObject::remove() 5 0x103d043ca WebCore::RenderObject::willBeDestroyed() 6 0x103de87cd WebCore::RenderText::willBeDestroyed() 7 0x103df9ea8 WebCore::RenderTextFragment::willBeDestroyed() 8 0x103d04b3d WebCore::RenderObject::destroy() 9 0x103d08339 WebCore::RenderObjectChildList::destroyLeftoverChildren() 10 0x103c6e048 WebCore::RenderInline::willBeDestroyed() 11 0x103d04b3d WebCore::RenderObject::destroy() 12 0x103df9e9c WebCore::RenderTextFragment::willBeDestroyed() 13 0x103d04b3d WebCore::RenderObject::destroy() 14 0x103d08339 WebCore::RenderObjectChildList::destroyLeftoverChildren() 15 0x103b6b7f7 WebCore::RenderBlock::willBeDestroyed() 16 0x103ccd4ba WebCore::RenderListItem::willBeDestroyed() 17 0x103d04b3d WebCore::RenderObject::destroy() 18 0x103d04b0c WebCore::RenderObject::destroyAndCleanupAnonymousWrappers() 19 0x103a87ff5 WebCore::Node::detach() 20 0x102af0f6f WebCore::ContainerNode::detach() 21 0x102f0ebee WebCore::Element::detach() 22 0x102a852a6 WebCore::Node::reattach() 23 0x102f0f38f WebCore::Element::recalcStyle(WebCore::Node::StyleChange) 24 0x102f0f9bf WebCore::Element::recalcStyle(WebCore::Node::StyleChange) 25 0x102f0f9bf WebCore::Element::recalcStyle(WebCore::Node::StyleChange) 26 0x102f0f9bf WebCore::Element::recalcStyle(WebCore::Node::StyleChange) 27 0x102d03874 WebCore::Document::recalcStyle(WebCore::Node::StyleChange) 28 0x102cff95c WebCore::Document::updateStyleIfNeeded() 29 0x102d085f8 WebCore::Document::prepareMouseEvent(WebCore::HitTestRequest const&, WebCore::LayoutPoint const&, WebCore::PlatformMouseEvent const&) 30 0x102f42d51 WebCore::EventHandler::prepareMouseEvent(WebCore::HitTestRequest const&, WebCore::PlatformMouseEvent const&) 31 0x102f432ca WebCore::EventHandler::handleMouseMoveEvent(WebCore::PlatformMouseEvent const&, WebCore::HitTestResult*, bool)

Attachments
test case (395 bytes, text/html) 2012-11-21 10:29 PST, Alexandru Chiculita	no flags	Details
Patch (10.09 KB, patch) 2012-11-27 04:47 PST, Andrei Bucur	buildbot: commit-queue-	Details Formatted Diff Diff
Patch V1 (11.07 KB, patch) 2012-11-28 11:16 PST, Alexandru Chiculita	no flags	Details Formatted Diff Diff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.

Alexandru Chiculita

Comment 1 2012-11-21 10:29:08 PST

Created attachment 175479 [details] test case

Andrei Bucur

Comment 2 2012-11-27 04:47:54 PST

Created attachment 176236 [details] Patch

Build Bot

Comment 3 2012-11-27 13:59:22 PST

Comment on attachment 176236 [details] Patch Attachment 176236 [details] did not pass mac-ews (mac): Output: http://queues.webkit.org/results/15025126

Alexandru Chiculita

Comment 4 2012-11-27 15:14:08 PST

The issue is easier than that. RenderObjectChildList::destroyLeftoverChildren has a case where it only removes the elements, but lets the object be destroyed by its owner. Because of that it will call remove() on the child objects after the parent is going to be removed already. I have a patch locally where I remove the children objects from the flow thread when the first remove() happens, so that by the time they get destroyed they are already removed and there's no need to lookup the flow thread anymore.

Alexandru Chiculita

Comment 5 2012-11-28 11:16:36 PST

Created attachment 176528 [details] Patch V1

Dave Hyatt

Comment 6 2012-11-28 12:02:19 PST

Comment on attachment 176528 [details] Patch V1 r=me

WebKit Review Bot

Comment 7 2012-11-28 12:40:41 PST

Comment on attachment 176528 [details] Patch V1 Clearing flags on attachment: 176528 Committed r136045: <http://trac.webkit.org/changeset/136045>

WebKit Review Bot

Comment 8 2012-11-28 12:40:45 PST

All reviewed patches have been landed. Closing bug.

Note You need to log in before you can comment on or make changes to this bug.