Bug 117025

Summary: ASSERTION FAILED: this in WebCore::Node::document()
Product: WebKit
Reporter: Renata Hodovan <rhodovan.u-szeged>
Component: DOM
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED WORKSFORME
Severity: Normal
CC: ap, eric.carlson, rwlbuis
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Bug Depends on:
Bug Blocks: 116980
Attachments:
Description: Test case
Flags: none

Description Renata Hodovan 2013-05-30 04:40:39 PDT
The following test crashes in debug WebKit:

<html>
<body>
	<applet code="lc3.class">
		<embed type="video/webm">
		<video width="28" controls="1"></video>
	</applet>
</body>
</html>

Hint: don't try to run it with the nouveau driver on the latest kernel (3.8.0.19) because it will kill your X (nvidia can handle it)!!!

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff56abebe in WTFCrash () at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WTF/wtf/Assertions.cpp:339
339	    *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007ffff56abebe in WTFCrash () at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WTF/wtf/Assertions.cpp:339
#1  0x00007ffff3b40005 in WebCore::Node::document (this=0x0)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/dom/Node.h:422
#2  0x00007ffff3d3ebe6 in WebCore::RenderObject::document (this=0x9bb518)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/rendering/RenderObject.h:650
#3  0x00007ffff463f170 in WebCore::RenderObject::renderArena (this=0x9bb518)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/rendering/RenderObject.h:319
#4  0x00007ffff463f4a1 in WebCore::RenderWidget::ref (this=0x9bb518)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/rendering/RenderWidget.h:72
#5  0x00007ffff4648b3c in WebCore::FrameView::updateWidgets (this=0x76b0b0)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/page/FrameView.cpp:2671
#6  0x00007ffff4648fa6 in WebCore::FrameView::performPostLayoutTasks (this=0x76b0b0)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/page/FrameView.cpp:2752
#7  0x00007ffff4644018 in WebCore::FrameView::layout (this=0x76b0b0, allowSubtree=true)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/page/FrameView.cpp:1379
#8  0x00007ffff4186316 in WebCore::Document::updateLayout (this=0x7fcb10)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/dom/Document.cpp:1912
#9  0x00007ffff41863e7 in WebCore::Document::updateLayoutIgnorePendingStylesheets (this=0x7fcb10)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/dom/Document.cpp:1944
#10 0x00007ffff4368070 in WebCore::HTMLEmbedElement::renderWidgetForJSBindings (this=0x84e440)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/html/HTMLEmbedElement.cpp:73
#11 0x00007ffff43930ca in WebCore::HTMLPlugInElement::pluginWidget (this=0x84e440)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/html/HTMLPlugInElement.cpp:161
#12 0x00007ffff3f5d46a in WebCore::pluginScriptObjectFromPluginViewBase (pluginElement=0x84e440, globalObject=0x7fffe405f470)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/bindings/js/JSPluginElementFunctions.cpp:60
#13 0x00007ffff3f5d594 in WebCore::pluginScriptObject (exec=0x7fffe405f678, jsHTMLElement=0x7fff9c08fe90)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/bindings/js/JSPluginElementFunctions.cpp:90
#14 0x00007ffff3f5d6ad in WebCore::runtimeObjectCustomGetOwnPropertySlot (exec=0x7fffe405f678, propertyName=..., slot=..., element=0x7fff9c08fe90)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/bindings/js/JSPluginElementFunctions.cpp:115
#15 0x00007ffff3f499ed in WebCore::pluginElementCustomGetOwnPropertySlot<WebCore::JSHTMLEmbedElement, WebCore::JSHTMLElement> (exec=0x7fffe405f678, 
    propertyName=..., slot=..., element=0x7fff9c08fe90)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/bindings/js/JSPluginElementFunctions.h:58
#16 0x00007ffff3f49864 in WebCore::JSHTMLEmbedElement::getOwnPropertySlotDelegate (this=0x7fff9c08fe90, exec=0x7fffe405f678, propertyName=..., 
    slot=...) at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/bindings/js/JSHTMLEmbedElementCustom.cpp:38
#17 0x00007ffff4fadd68 in WebCore::JSHTMLEmbedElement::getOwnPropertySlot (cell=0x7fff9c08fe90, exec=0x7fffe405f678, propertyName=..., slot=...)
    at generated/JSHTMLEmbedElement.cpp:138
#18 0x00007ffff3d809ab in JSC::JSCell::fastGetOwnPropertySlot (this=0x7fff9c08fe90, exec=0x7fffe405f678, propertyName=..., slot=...)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/JavaScriptCore/runtime/JSCellInlines.h:169
#19 0x00007ffff3d80766 in JSC::JSObject::getPropertySlot (this=0x7fff9c08fe90, exec=0x7fffe405f678, propertyName=..., slot=...)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/JavaScriptCore/runtime/JSObject.h:1186
#20 0x00007ffff3d80890 in JSC::JSObject::get (this=0x7fff9c08fe90, exec=0x7fffe405f678, propertyName=...)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/JavaScriptCore/runtime/JSObject.h:1211
#21 0x00007ffff3fa0056 in _NPN_GetProperty (o=0x9f15f0, propertyName=0x9d6d90, variant=0x7fffffffc6d0)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/bridge/NP_jsobject.cpp:295
#22 0x00007fff9638ebd0 in totemPlugin::Init(char*, unsigned short, short, char**, char**, _NPSavedData*) ()
   from /usr/lib/mozilla/plugins/libtotem-cone-plugin.so
#23 0x00007fff9638c0f7 in ?? () from /usr/lib/mozilla/plugins/libtotem-cone-plugin.so
#24 0x00007ffff478ad09 in WebCore::PluginView::start (this=0x7fd730)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/plugins/PluginView.cpp:251
#25 0x00007ffff478ab21 in WebCore::PluginView::startOrAddToUnstartedList (this=0x7fd730)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/plugins/PluginView.cpp:231
#26 0x00007ffff478aa28 in WebCore::PluginView::init (this=0x7fd730)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/plugins/PluginView.cpp:209
#27 0x00007ffff4a7a43a in WebCore::PluginView::setParent (this=0x7fd730, parent=0x76b0b0)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/plugins/qt/PluginViewQt.cpp:499
#28 0x00007ffff47555ab in WebCore::ScrollView::addChild (this=0x76b0b0, prpChild=...)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/platform/ScrollView.cpp:72
#29 0x00007ffff49a2c15 in WebCore::moveWidgetToParentSoon (child=0x7fd730, parent=0x76b0b0)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/rendering/RenderWidget.cpp:81
#30 0x00007ffff49a3693 in WebCore::RenderWidget::setWidget (this=0x9bb518, widget=...)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/rendering/RenderWidget.cpp:213
#31 0x00007ffff4943acc in WebCore::RenderPart::setWidget (this=0x9bb518, widget=...)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/rendering/RenderPart.cpp:57
#32 0x00007ffff45b3607 in WebCore::SubframeLoader::loadPlugin (this=0x76a970, pluginElement=0x84e440, url=..., mimeType=..., paramNames=..., 
    paramValues=..., useFallback=false) at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/loader/SubframeLoader.cpp:465
#33 0x00007ffff45b1e7b in WebCore::SubframeLoader::requestPlugin (this=0x76a970, ownerElement=0x84e440, url=..., mimeType=..., paramNames=..., 
    paramValues=..., useFallback=false) at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/loader/SubframeLoader.cpp:160
#34 0x00007ffff45b24f6 in WebCore::SubframeLoader::requestObject (this=0x76a970, ownerElement=0x84e440, url=..., frameName=..., mimeType=..., 
    paramNames=..., paramValues=...) at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/loader/SubframeLoader.cpp:235
#35 0x00007ffff4368782 in WebCore::HTMLEmbedElement::updateWidget (this=0x84e440, pluginCreationOption=WebCore::CreateAnyWidgetType)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/html/HTMLEmbedElement.cpp:173
#36 0x00007ffff464895e in WebCore::FrameView::updateWidget (this=0x76b0b0, object=0x9bb518)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/page/FrameView.cpp:2637
#37 0x00007ffff4648bb5 in WebCore::FrameView::updateWidgets (this=0x76b0b0)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/page/FrameView.cpp:2677
#38 0x00007ffff4648fa6 in WebCore::FrameView::performPostLayoutTasks (this=0x76b0b0)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/page/FrameView.cpp:2752
#39 0x00007ffff4649570 in WebCore::FrameView::postLayoutTimerFired (this=0x76b0b0)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/page/FrameView.cpp:2831
#40 0x00007ffff4654068 in WebCore::Timer<WebCore::FrameView>::fired (this=0x76b258)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/platform/Timer.h:113
#41 0x00007ffff4774767 in WebCore::ThreadTimers::sharedTimerFiredInternal (this=0x6c3440)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/platform/ThreadTimers.cpp:129
#42 0x00007ffff477467b in WebCore::ThreadTimers::sharedTimerFired ()
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/platform/ThreadTimers.cpp:105
#43 0x00007ffff4a63ffc in WebCore::SharedTimerQt::timerEvent (this=0x6c3470, ev=0x7fffffffd790)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/platform/qt/SharedTimerQt.cpp:113
#44 0x00007ffff20ec459 in QObject::event(QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#45 0x00007ffff2f421f4 in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Widgets.so.5
#46 0x00007ffff2f455d1 in QApplication::notify(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Widgets.so.5
#47 0x00007ffff20c5a24 in QCoreApplication::notifyInternal(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#48 0x00007ffff210c6bc in QTimerInfoList::activateTimers() () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#49 0x00007ffff210cf4d in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#50 0x00007fffeee34d53 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#51 0x00007fffeee350a0 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#52 0x00007fffeee35164 in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#53 0x00007ffff210d634 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) ()
   from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#54 0x00007ffff20c48fb in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#55 0x00007ffff20c7e9e in QCoreApplication::exec() () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#56 0x0000000000421e4c in launcherMain (app=...)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Tools/QtTestBrowser/qttestbrowser.cpp:49
#57 0x0000000000423b93 in main (argc=2, argv=0x7fffffffdd98)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Tools/QtTestBrowser/qttestbrowser.cpp:318
Comment 1 Renata Hodovan 2013-05-30 04:41:41 PDT
Created attachment 203343
Test case
Comment 2 Rob Buis 2013-08-15 09:42:33 PDT
Can't reproduce in trunk.
Comment 3 Renata Hodovan 2014-09-08 02:44:00 PDT
I cannot reproduce this issue anymore.