Bug 119626

Summary: ASSERTION FAILED: roundedIntPoint(rendererMappedResult) == roundedIntPoint(result) in WebCore::RenderGeometryMap::mapToContainer
Product: WebKit
Component: Layout and Rendering
Status: RESOLVED DUPLICATE
Severity: Normal
Priority: P2
Version: 528+ (Nightly build)
Hardware: PC
OS: Linux
Reporter: Renata Hodovan <rhodovan.u-szeged>
Assignee: Said Abou-Hallawa <sabouhallawa>
CC: buildbot, bunhere, cdumez, commit-queue, d-r, esprehn+autocc, fmalita, glenn, gyuyoung.kim, hyatt, kondapallykalyan, ossy, pdr, rniwa, sabouhallawa, schenney, sergio, simon.fraser
Keywords: BlinkMergeCandidate, InRadar
Bug Depends on:    
Bug Blocks: 116980    

Renata Hodovan
Reported 2013-08-09 05:58:53 PDT
The crash happens on the following test:

<html>
<tr>
<div contenteditable="plaintext-only"></div>
<h2></h2>
</tr>
<br><br>
<textarea cols="150,*" rows="100000000"></textarea>
<textarea></textarea>
</html>

Note: if you decrease the value of "rows" property of textarea then the crash disappears.

The backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff56f53e4 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:342
342 *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0 0x00007ffff56f53e4 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:342
#1 0x00007ffff48e8b16 in WebCore::RenderGeometryMap::mapToContainer (this=0x7fffffffc010, p=..., container=0x0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderGeometryMap.cpp:117
#2 0x00007ffff4905b62 in WebCore::RenderGeometryMap::absolutePoint (this=0x7fffffffc010, p=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderGeometryMap.h:84
#3 0x00007ffff4907144 in WebCore::RenderLayer::updateLayerPositions (this=0x8aaef8, geometryMap=0x7fffffffc010, flags=14) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderLayer.cpp:431
#4 0x00007ffff4907563 in WebCore::RenderLayer::updateLayerPositions (this=0x7b13a8, geometryMap=0x7fffffffc010, flags=14) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderLayer.cpp:499
#5 0x00007ffff4907563 in WebCore::RenderLayer::updateLayerPositions (this=0x76fe58, geometryMap=0x7fffffffc010, flags=14) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderLayer.cpp:499
#6 0x00007ffff490708b in WebCore::RenderLayer::updateLayerPositionsAfterLayout (this=0x76fe58, rootLayer=0x76fe58, flags=14) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderLayer.cpp:414
#7 0x00007ffff467a7a9 in WebCore::FrameView::layout (this=0x774890, allowSubtree=true) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/page/FrameView.cpp:1354
#8 0x00007ffff467dd40 in WebCore::FrameView::visibleContentsResized (this=0x774890) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/page/FrameView.cpp:2218
#9 0x00007ffff4795ef8 in WebCore::ScrollView::updateScrollbars (this=0x774890, desiredOffset=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/ScrollView.cpp:556
#10 0x00007ffff479497d in WebCore::ScrollView::setContentsSize (this=0x774890, newSize=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/ScrollView.cpp:305
#11 0x00007ffff4678219 in WebCore::FrameView::setContentsSize (this=0x774890, size=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/page/FrameView.cpp:595
#12 0x00007ffff4678456 in WebCore::FrameView::adjustViewSize (this=0x774890) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/page/FrameView.cpp:624
#13 0x00007ffff467a70a in WebCore::FrameView::layout (this=0x774890, allowSubtree=true) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/page/FrameView.cpp:1345
#14 0x00007ffff41b2e8f in WebCore::Document::implicitClose (this=0x87c150) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:2452
#15 0x00007ffff45b349f in WebCore::FrameLoader::checkCallImplicitClose (this=0x7b0bd8) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:844
#16 0x00007ffff45b3210 in WebCore::FrameLoader::checkCompleted (this=0x7b0bd8) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:787
#17 0x00007ffff45b2f45 in WebCore::FrameLoader::finishedParsing (this=0x7b0bd8) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:720
#18 0x00007ffff41b9e35 in WebCore::Document::finishedParsing (this=0x87c150) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:4427
#19 0x00007ffff440ce97 in WebCore::HTMLConstructionSite::finishedParsing (this=0x7f3338) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLConstructionSite.cpp:348
#20 0x00007ffff44415b9 in WebCore::HTMLTreeBuilder::finished (this=0x7f3320) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2926
#21 0x00007ffff4414596 in WebCore::HTMLDocumentParser::end (this=0x775160) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:763
#22 0x00007ffff4414681 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd (this=0x775160) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:774
#23 0x00007ffff44131f0 in WebCore::HTMLDocumentParser::prepareToStopParsing (this=0x775160) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:211
#24 0x00007ffff44146c6 in WebCore::HTMLDocumentParser::attemptToEnd (this=0x775160) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:786
#25 0x00007ffff441477f in WebCore::HTMLDocumentParser::finish (this=0x775160) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:835
#26 0x00007ffff45aada5 in WebCore::DocumentWriter::end (this=0x6942f0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentWriter.cpp:248
#27 0x00007ffff459d8e4 in WebCore::DocumentLoader::finishedLoading (this=0x694250, finishTime=0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:402
#28 0x00007ffff459d652 in WebCore::DocumentLoader::notifyFinished (this=0x694250, resource=0x7a9840) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:344
#29 0x00007ffff4584948 in WebCore::CachedResource::checkNotify (this=0x7a9840) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:369
---Type <return> to continue, or q <return> to quit---
#30 0x00007ffff4584a1e in WebCore::CachedResource::finishLoading (this=0x7a9840) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:385
#31 0x00007ffff4581170 in WebCore::CachedRawResource::finishLoading (this=0x7a9840, data=0x8668e0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedRawResource.cpp:94
#32 0x00007ffff45e7765 in WebCore::SubresourceLoader::didFinishLoading (this=0x78d780, finishTime=0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/SubresourceLoader.cpp:282
#33 0x00007ffff45de04f in WebCore::ResourceLoader::didFinishLoading (this=0x78d780, finishTime=0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/ResourceLoader.cpp:488
#34 0x00007ffff4a878e3 in WebCore::QNetworkReplyHandler::finish (this=0x7a9690) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:516
#35 0x00007ffff4a86602 in WebCore::QNetworkReplyHandlerCallQueue::flush (this=0x7a96c8) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:250
#36 0x00007ffff4a862ff in WebCore::QNetworkReplyHandlerCallQueue::push (this=0x7a96c8, method=(void (WebCore::QNetworkReplyHandler::*)(WebCore::QNetworkReplyHandler * const)) 0x7ffff4a87728 <WebCore::QNetworkReplyHandler::finish()>) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:216
#37 0x00007ffff4a8724c in WebCore::QNetworkReplyWrapper::didReceiveFinished (this=0x7aa3f0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:409
#38 0x00007ffff4a89bde in WebCore::QNetworkReplyWrapper::qt_static_metacall (_o=0x7aa3f0, _c=QMetaObject::InvokeMetaMethod, _id=1, _a=0x7fffffffcf80) at .moc/release-shared/moc_QNetworkReplyHandler.cpp:176
#39 0x00007ffff22115cb in QMetaObject::activate(QObject*, int, int, void**) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#40 0x00007ffff221284e in QObject::event(QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#41 0x00007ffff3058dbc in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Widgets.so.5
#42 0x00007ffff305c075 in QApplication::notify(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Widgets.so.5
#43 0x00007ffff21ecdbe in QCoreApplication::notifyInternal(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#44 0x00007ffff21eea76 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#45 0x00007ffff2234333 in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#46 0x00007fffee3790a6 in g_main_dispatch (context=0x6632f0) at /build/buildd/glib2.0-2.37.3/./glib/gmain.c:3058
#47 g_main_context_dispatch (context=context@entry=0x6632f0) at /build/buildd/glib2.0-2.37.3/./glib/gmain.c:3634
#48 0x00007fffee3793f8 in g_main_context_iterate (context=context@entry=0x6632f0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at /build/buildd/glib2.0-2.37.3/./glib/gmain.c:3705
#49 0x00007fffee37949c in g_main_context_iteration (context=0x6632f0, may_block=1) at /build/buildd/glib2.0-2.37.3/./glib/gmain.c:3766
#50 0x00007ffff22344bc in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#51 0x00007ffff21ebd3b in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#52 0x00007ffff21ef120 in QCoreApplication::exec() () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#53 0x0000000000421ba0 in launcherMain (app=...) at /home/reni/Data/REPOS/webkit_sec/Tools/QtTestBrowser/qttestbrowser.cpp:49
#54 0x0000000000423680 in main (argc=2, argv=0x7fffffffdc58) at /home/reni/Data/REPOS/webkit_sec/Tools/QtTestBrowser/qttestbrowser.cpp:318
Attachments
Test case (191 bytes, text/html)
2013-08-09 06:00 PDT, Renata Hodovan
no flags
New test case (188 bytes, text/html)
2014-01-16 05:13 PST, Renata Hodovan
no flags
Proposed patch (5.69 KB, patch)
2014-02-27 06:36 PST, Martin Hodovan
buildbot: commit-queue-
Archive of layout-test-results from webkit-ews-12 for mac-mountainlion-wk2 (2.77 MB, application/zip)
2014-02-27 07:36 PST, Build Bot
no flags
Archive of layout-test-results from webkit-ews-08 for mac-mountainlion (2.82 MB, application/zip)
2014-02-27 07:59 PST, Build Bot
no flags
Archive of layout-test-results from webkit-ews-05 for mac-mountainlion (2.82 MB, application/zip)
2014-02-27 08:58 PST, Build Bot
no flags
Proposed patch (7.77 KB, patch)
2014-02-27 09:39 PST, Martin Hodovan
no flags
Proposed patch (16.23 KB, patch)
2014-02-27 10:15 PST, Martin Hodovan
simon.fraser: review+
simon.fraser: commit-queue-
Proposed patch (4.81 KB, patch)
2014-02-28 07:16 PST, Martin Hodovan
ossy: review-
ossy: commit-queue-
Proposed patch (4.80 KB, patch)
2014-02-28 07:56 PST, Martin Hodovan
no flags
Patch (4.33 KB, patch)
2014-11-06 18:12 PST, Said Abou-Hallawa
no flags
Renata Hodovan
Comment 1 2013-08-09 06:00:35 PDT
Created attachment 208424
Test case
Renata Hodovan
Comment 2 2014-01-16 05:13:26 PST
Created attachment 221367
New test case
The previous test doesn't produce the assertion above anymore, but we can achieve it with this new one.
Renata Hodovan
Comment 3 2014-01-16 06:37:07 PST
As a side note, I have also tested it with the newest EFL debug build in EWebLauncher and MiniBrowser on r161958 (and not in QtTestBrowser as the backtrace suggests).
Martin Hodovan
Comment 4 2014-02-27 06:36:49 PST
Created attachment 225363
Proposed patch
Backported from Blink: https://codereview.chromium.org/143363004
Build Bot
Comment 5 2014-02-27 07:36:23 PST
Comment on attachment 225363
Proposed patch
Attachment 225363 did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.appspot.com/results/6233206076473344
New failing tests:
svg/transforms/svg-geometry-crash.html
Build Bot
Comment 6 2014-02-27 07:36:27 PST
Created attachment 225368
Archive of layout-test-results from webkit-ews-12 for mac-mountainlion-wk2
The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: webkit-ews-12
Port: mac-mountainlion-wk2
Platform: Mac OS X 10.8.5
Build Bot
Comment 7 2014-02-27 07:59:45 PST
Comment on attachment 225363
Proposed patch
Attachment 225363 did not pass mac-ews (mac):
Output: http://webkit-queues.appspot.com/results/4864332353503232
New failing tests:
svg/transforms/svg-geometry-crash.html
Build Bot
Comment 8 2014-02-27 07:59:49 PST
Created attachment 225371
Archive of layout-test-results from webkit-ews-08 for mac-mountainlion
The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: webkit-ews-08
Port: mac-mountainlion
Platform: Mac OS X 10.8.5
Build Bot
Comment 9 2014-02-27 08:58:28 PST
Comment on attachment 225363
Proposed patch
Attachment 225363 did not pass mac-ews (mac):
Output: http://webkit-queues.appspot.com/results/4896495216099328
New failing tests:
svg/transforms/svg-geometry-crash.html
Build Bot
Comment 10 2014-02-27 08:58:32 PST
Created attachment 225373
Archive of layout-test-results from webkit-ews-05 for mac-mountainlion
The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: webkit-ews-05
Port: mac-mountainlion
Platform: Mac OS X 10.8.5
Martin Hodovan
Comment 11 2014-02-27 09:39:15 PST
Created attachment 225382
Proposed patch
Martin Hodovan
Comment 12 2014-02-27 10:15:46 PST
Created attachment 225389
Proposed patch
Simon Fraser (smfr)
Comment 13 2014-02-27 10:18:45 PST
Comment on attachment 225389 [details] Proposed patch View in context: https://bugs.webkit.org/attachment.cgi?id=225389&action=review r=me but the tests should not need to dump pixel results. > LayoutTests/ChangeLog:14 > + * platform/efl/svg/transforms/svg-geometry-crash-expected.png: Added. > + * platform/efl/svg/transforms/svg-geometry-crash-expected.txt: Added. > + * platform/mac/svg/transforms/svg-geometry-crash-expected.png: Added. > + * platform/mac/svg/transforms/svg-geometry-crash-expected.txt: Added. > + * svg/transforms/svg-geometry-crash.html: Added. Why can't these be dumpAsText() tests?
Martin Hodovan
Comment 14 2014-02-28 07:16:05 PST
Created attachment 225460
Proposed patch
Csaba Osztrogonác
Comment 15 2014-02-28 07:20:04 PST
Comment on attachment 225460
Proposed patch
You shouldn't set r+ yourself, but add "Reviewed by Simon Fraser." to the changelog and set only cq?
Martin Hodovan
Comment 16 2014-02-28 07:56:10 PST
Created attachment 225464
Proposed patch
WebKit Commit Bot
Comment 17 2014-02-28 08:29:54 PST
Comment on attachment 225464
Proposed patch
Clearing flags on attachment: 225464
Committed r164861: <http://trac.webkit.org/changeset/164861>
WebKit Commit Bot
Comment 18 2014-02-28 08:29:59 PST
All reviewed patches have been landed. Closing bug.
Said Abou-Hallawa
Comment 19 2014-11-05 21:30:35 PST
The fix committed for this bug was wrong. It was reverted by Blink because it broke their SVG display. It also broke the WebKit SVG search. Bug https://bugs.webkit.org/show_bug.cgi?id=138439 was logged to track reverting this change. The same assertion is still firing with or without this change and it is tracked by bug https://bugs.webkit.org/show_bug.cgi?id=122027.
Said Abou-Hallawa
Comment 20 2014-11-06 11:34:58 PST
(In reply to comment #19)
> The same assertion is still firing with or without this change
> and it is tracked by bug https://bugs.webkit.org/show_bug.cgi?id=122027.
I was wrong about the relationship between the assertion here and the assertion filed in https://bugs.webkit.org/show_bug.cgi?id=122027. The assertions are different and actually they are in different overloaded functions.
Said Abou-Hallawa
Comment 21 2014-11-06 18:12:15 PST
Reopening to attach new patch.
Said Abou-Hallawa
Comment 22 2014-11-06 18:12:20 PST
Said Abou-Hallawa
Comment 23 2014-11-06 18:22:05 PST
Comment on attachment 241152
Patch
By mistake the patch of https://bugs.webkit.org/show_bug.cgi?id=138439 got into this one and reopened it. I am obsoleting it and closing the bug again.
Said Abou-Hallawa
Comment 24 2014-11-06 18:23:03 PST
*** This bug has been marked as a duplicate of bug 138439 ***
Radar WebKit Bug Importer
Comment 25 2015-02-13 22:01:05 PST