Bug 118846

Summary: ASSERTION FAILED: listNode in WebCore::RenderListItem::updateListMarkerNumbers
Product: WebKit
Reporter: Renata Hodovan <rhodovan.u-szeged>
Component: Layout and Rendering
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE
Severity: Normal
CC: abucur, esprehn, rwlbuis, WebkitBugTracker
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 116980    

Renata Hodovan
Reported 2013-07-18 05:40:07 PDT
The test causes the assertion:

<a href='Actual: ' , ">" <div ", "> <li></li> <head> <link rel="stylesheet" href="foo.css"> </head> <body> <script> </script> </a> <link rel="stylesheet" href="foo.css">

Hint: the two (non-existent) css names should be identical ("foo.css").

The backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff577f390 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:339
339 *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0 0x00007ffff577f390 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:339
#1 0x00007ffff4a14eb3 in WebCore::RenderListItem::updateListMarkerNumbers (this=0x893258) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderListItem.cpp:492
#2 0x00007ffff4a134f4 in WebCore::RenderListItem::willBeRemovedFromTree (this=0x893258) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderListItem.cpp:92
#3 0x00007ffff4a3afe0 in WebCore::RenderObjectChildList::removeChildNode (this=0x753f50, owner=0x753ec8, oldChild=0x893258, notifyRenderer=true) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderObjectChildList.cpp:87
#4 0x00007ffff4a2e794 in WebCore::RenderObject::removeChild (this=0x753ec8, oldChild=0x893258) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderObject.cpp:380
#5 0x00007ffff48e306a in WebCore::RenderBlock::removeChild (this=0x753ec8, oldChild=0x893258) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlock.cpp:1271
#6 0x00007ffff4a13127 in WebCore::RenderObject::remove (this=0x893258) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderObject.h:950
#7 0x00007ffff4a37edd in WebCore::RenderObject::willBeDestroyed (this=0x893258) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderObject.cpp:2454
#8 0x00007ffff4a0c0f1 in WebCore::RenderLayerModelObject::willBeDestroyed (this=0x893258) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderLayerModelObject.cpp:89
#9 0x00007ffff495eb8a in WebCore::RenderBoxModelObject::willBeDestroyed (this=0x893258) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBoxModelObject.cpp:376
#10 0x00007ffff4941e6e in WebCore::RenderBox::willBeDestroyed (this=0x893258) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBox.cpp:168
#11 0x00007ffff48df8af in WebCore::RenderBlock::willBeDestroyed (this=0x893258) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlock.cpp:304
#12 0x00007ffff4a134a8 in WebCore::RenderListItem::willBeDestroyed (this=0x893258) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderListItem.cpp:78
#13 0x00007ffff4a3878b in WebCore::RenderObject::destroy (this=0x893258) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderObject.cpp:2616
#14 0x00007ffff4a38763 in WebCore::RenderObject::destroyAndCleanupAnonymousWrappers (this=0x893258) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderObject.cpp:2609
#15 0x00007ffff432df1f in WebCore::Node::detach (this=0x874cb0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Node.cpp:1028
#16 0x00007ffff428183c in WebCore::ContainerNode::detach (this=0x874cb0, context=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/ContainerNode.cpp:800
#17 0x00007ffff42eaa53 in WebCore::Element::detach (this=0x874cb0, context=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Element.cpp:1497
#18 0x00007ffff427ec75 in WebCore::ContainerNode::takeAllChildrenFrom (this=0x7a3f30, oldParent=0x7f2c10) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/ContainerNode.cpp:125
#19 0x00007ffff45141a7 in WebCore::HTMLTreeBuilder::callTheAdoptionAgency (this=0x76bab0, token=0x7fffffffc840) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:1631
#20 0x00007ffff4515d8f in WebCore::HTMLTreeBuilder::processEndTagForInBody (this=0x76bab0, token=0x7fffffffc840) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:1930
#21 0x00007ffff451691b in WebCore::HTMLTreeBuilder::processEndTag (this=0x76bab0, token=0x7fffffffc840) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2080
#22 0x00007ffff450e380 in WebCore::HTMLTreeBuilder::processToken (this=0x76bab0, token=0x7fffffffc840) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:402
#23 0x00007ffff450e192 in WebCore::HTMLTreeBuilder::constructTree (this=0x76bab0, token=0x7fffffffc840) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:370
#24 0x00007ffff44efd6e in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken (this=0x771770, rawToken=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:594
#25 0x00007ffff44efa04 in WebCore::HTMLDocumentParser::pumpTokenizer (this=0x771770, mode=WebCore::HTMLDocumentParser::AllowYield) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:551
#26 0x00007ffff44ef1d1 in WebCore::HTMLDocumentParser::pumpTokenizerIfPossible (this=0x771770, mode=WebCore::HTMLDocumentParser::AllowYield) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:235
#27 0x00007ffff44f079d in WebCore::HTMLDocumentParser::resumeParsingAfterScriptExecution (this=0x771770) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:896
#28 0x00007ffff44f0b12 in WebCore::HTMLDocumentParser::executeScriptsWaitingForStylesheets (this=0x771770) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:955
#29 0x00007ffff42963f5 in WebCore::Document::didRemoveAllPendingStylesheet (this=0x8729d0)
---Type <return> to continue, or q <return> to quit---
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:2808
#30 0x00007ffff42d727a in WebCore::DocumentStyleSheetCollection::removePendingSheet (this=0x771580, notification=WebCore::DocumentStyleSheetCollection::RemovePendingSheetNotifyImmediately) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/DocumentStyleSheetCollection.cpp:229
#31 0x00007ffff4490cb0 in WebCore::HTMLLinkElement::removePendingSheet (this=0x8ae940, notification=WebCore::HTMLLinkElement::RemovePendingSheetNotifyImmediately) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/HTMLLinkElement.cpp:472
#32 0x00007ffff4490818 in WebCore::HTMLLinkElement::sheetLoaded (this=0x8ae940) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/HTMLLinkElement.cpp:355
#33 0x00007ffff425e92a in WebCore::StyleSheetContents::checkLoaded (this=0x88ce00) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/css/StyleSheetContents.cpp:361
#34 0x00007ffff44905fa in WebCore::HTMLLinkElement::setCSSStyleSheet (this=0x8ae940, href=..., baseURL=..., charset=..., cachedStyleSheet=0x8afa20) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/HTMLLinkElement.cpp:327
#35 0x00007ffff46504f5 in WebCore::CachedCSSStyleSheet::checkNotify (this=0x8afa20) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedCSSStyleSheet.cpp:118
#36 0x00007ffff465bb43 in WebCore::CachedResource::error (this=0x8afa20, status=WebCore::CachedResource::LoadError) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:395
#37 0x00007ffff46bdcf6 in WebCore::SubresourceLoader::didFail (this=0x8af5e0, error=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/SubresourceLoader.cpp:311
#38 0x00007ffff46b443b in WebCore::ResourceLoader::didFail (this=0x8af5e0, error=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/ResourceLoader.cpp:495
#39 0x00007ffff4b417ee in WebCore::QNetworkReplyHandler::finish (this=0x88e050) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:518
#40 0x00007ffff4b40462 in WebCore::QNetworkReplyHandlerCallQueue::flush (this=0x88e088) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:250
#41 0x00007ffff4b401de in WebCore::QNetworkReplyHandlerCallQueue::unlock (this=0x88e088) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:230
#42 0x00007ffff4b404f9 in WebCore::QueueLocker::~QueueLocker (this=0x7fffffffcdd0, __in_chrg=<optimized out>) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:258
#43 0x00007ffff4b41009 in WebCore::QNetworkReplyWrapper::emitMetaDataChanged (this=0x88b1c0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:395
#44 0x00007ffff4b40b7e in WebCore::QNetworkReplyWrapper::receiveMetaData (this=0x88b1c0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:334
#45 0x00007ffff4b43a9c in WebCore::QNetworkReplyWrapper::qt_static_metacall (_o=0x88b1c0, _c=QMetaObject::InvokeMetaMethod, _id=0, _a=0x7fffffffcf90) at .moc/release-shared/moc_QNetworkReplyHandler.cpp:175
#46 0x00007ffff231e5cb in QMetaObject::activate(QObject*, int, int, void**) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#47 0x00007ffff231f84e in QObject::event(QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#48 0x00007ffff3165dbc in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Widgets.so.5
#49 0x00007ffff3169075 in QApplication::notify(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Widgets.so.5
#50 0x00007ffff22f9dbe in QCoreApplication::notifyInternal(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#51 0x00007ffff22fba76 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#52 0x00007ffff2341333 in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#53 0x00007fffee4840a6 in g_main_dispatch (context=0x6632f0) at /build/buildd/glib2.0-2.37.3/./glib/gmain.c:3058
#54 g_main_context_dispatch (context=context@entry=0x6632f0) at /build/buildd/glib2.0-2.37.3/./glib/gmain.c:3634
#55 0x00007fffee4843f8 in g_main_context_iterate (context=context@entry=0x6632f0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at /build/buildd/glib2.0-2.37.3/./glib/gmain.c:3705
#56 0x00007fffee48449c in g_main_context_iteration (context=0x6632f0, may_block=1) at /build/buildd/glib2.0-2.37.3/./glib/gmain.c:3766
#57 0x00007ffff23414bc in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#58 0x00007ffff22f8d3b in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#59 0x00007ffff22fc120 in QCoreApplication::exec() () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#60 0x0000000000421ba0 in launcherMain (app=...) at /home/reni/Data/REPOS/webkit_sec/Tools/QtTestBrowser/qttestbrowser.cpp:49
---Type <return> to continue, or q <return> to quit---
#61 0x0000000000423680 in main (argc=2, argv=0x7fffffffdc68) at /home/reni/Data/REPOS/webkit_sec/Tools/QtTestBrowser/qttestbrowser.cpp:318
Attachments
Test case (214 bytes, text/html)
2013-07-18 05:40 PDT, Renata Hodovan
no flags
Test case (42 bytes, text/html)
2014-03-21 12:57 PDT, Renata Hodovan
no flags
Renata Hodovan
Comment 1 2013-07-18 05:40:57 PDT
Created attachment 206984 [details] Test case
Rob Buis
Comment 2 2013-08-14 16:38:32 PDT
I can't reproduce this with trunk.
Renata Hodovan
Comment 3 2014-03-21 12:57:36 PDT
Created attachment 227475 [details] Test case
Renata Hodovan
Comment 4 2014-03-21 12:59:25 PDT
(In reply to comment #2)
> I can't reproduce this with trunk.

Indeed, the old test doesn't make the assertion fire anymore. However, with the attached new test I can always reproduce the issue.
Renata Hodovan
Comment 5 2014-08-04 05:50:31 PDT
*** This bug has been marked as a duplicate of bug 134970 ***