Bug 119781

Summary: [WK2] Assertion failure in WebCore::Page::checkSubframeCountConsistency when going back
Product: WebKit
Reporter: ChangSeok Oh <changseok>
Component: History
Assignee: ChangSeok Oh <changseok>
Status: RESOLVED FIXED
Severity: Normal
CC: ap, bdakin, beidson, buildbot, commit-queue, ggaren, kling, rniwa
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: PC   
OS: Linux   
Bug Depends on: 127476    
Bug Blocks:    

ChangSeok Oh
Reported 2013-08-13 19:40:33 PDT
I faced this assertion failure when going back to a page which has multiple frames. The backtrace is ...

Program received signal SIGSEGV, Segmentation fault.
0x00007ff42b9e9ee5 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:342
342 *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0 0x00007ff42b9e9ee5 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:342
#1 0x00007ff42d7757f2 in WebCore::Page::checkSubframeCountConsistency (this=0x1afc210) at ../../Source/WebCore/page/Page.cpp:1255
#2 0x00007ff42d3c9d02 in WebCore::Page::subframeCount (this=0x1afc210) at ../../Source/WebCore/page/Page.h:185
#3 0x00007ff42d74e152 in WebCore::Frame::isURLAllowed (this=0x3445710, url=...) at ../../Source/WebCore/page/Frame.cpp:1022
#4 0x00007ff42d489639 in WebCore::HTMLPlugInImageElement::allowedToLoadFrameURL (this=0x374a410, url=...) at ../../Source/WebCore/html/HTMLPlugInImageElement.cpp:177
#5 0x00007ff42d44e09e in WebCore::HTMLEmbedElement::updateWidget (this=0x374a410, pluginCreationOption=WebCore::CreateOnlyNonNetscapePlugins) at ../../Source/WebCore/html/HTMLEmbedElement.cpp:137
#6 0x00007ff42d489d03 in WebCore::HTMLPlugInImageElement::updateWidgetIfNecessary (this=0x374a410) at ../../Source/WebCore/html/HTMLPlugInImageElement.cpp:274
#7 0x00007ff42d489fc5 in WebCore::HTMLPlugInImageElement::updateWidgetCallback (n=0x374a410) at ../../Source/WebCore/html/HTMLPlugInImageElement.cpp:331
#8 0x00007ff42d207b2a in WebCore::ContainerNode::dispatchPostAttachCallbacks () at ../../Source/WebCore/dom/ContainerNode.cpp:772
#9 0x00007ff42d207981 in WebCore::ContainerNode::resumePostAttachCallbacks (this=0x3748570) at ../../Source/WebCore/dom/ContainerNode.cpp:739
#10 0x00007ff42d229d79 in WebCore::PostAttachCallbackDisabler::~PostAttachCallbackDisabler (this=0x7fffaa656620, __in_chrg=<optimized out>) at ../../Source/WebCore/dom/ContainerNode.h:345
#11 0x00007ff42d489bac in WebCore::HTMLPlugInImageElement::attach (this=0x3748570, context=...) at ../../Source/WebCore/html/HTMLPlugInImageElement.cpp:250
#12 0x00007ff42d2ff799 in WebCore::Node::reattach (this=0x3748570, context=...) at ../../Source/WebCore/dom/Node.h:811
#13 0x00007ff42da295d7 in WebCore::Style::resolveLocal (current=0x3748570, inheritedChange=WebCore::Style::Force) at ../../Source/WebCore/style/StyleResolveTree.cpp:152
#14 0x00007ff42da29b4b in WebCore::Style::resolveTree (current=0x3748570, change=WebCore::Style::Force) at ../../Source/WebCore/style/StyleResolveTree.cpp:236
#15 0x00007ff42d489f09 in WebCore::HTMLPlugInImageElement::documentDidResumeFromPageCache (this=0x3748570) at ../../Source/WebCore/html/HTMLPlugInImageElement.cpp:316
#16 0x00007ff42d2222b0 in WebCore::Document::documentDidResumeFromPageCache (this=0x2be2f90) at ../../Source/WebCore/dom/Document.cpp:4023
#17 0x00007ff42d3c7d18 in WebCore::CachedFrameBase::restore (this=0x32ea688) at ../../Source/WebCore/history/CachedFrame.cpp:149
#18 0x00007ff42d6888b3 in WebCore::FrameLoader::open (this=0x3445790, cachedFrame=...) at ../../Source/WebCore/loader/FrameLoader.cpp:2023
#19 0x00007ff42d3c82b8 in WebCore::CachedFrame::open (this=0x32ea680) at ../../Source/WebCore/history/CachedFrame.cpp:220
#20 0x00007ff42d3c7c1c in WebCore::CachedFrameBase::restore (this=0x21da638) at ../../Source/WebCore/history/CachedFrame.cpp:134
#21 0x00007ff42d6888b3 in WebCore::FrameLoader::open (this=0x1a39d20, cachedFrame=...) at ../../Source/WebCore/loader/FrameLoader.cpp:2023
#22 0x00007ff42d3c82b8 in WebCore::CachedFrame::open (this=0x21da630) at ../../Source/WebCore/history/CachedFrame.cpp:220
#23 0x00007ff42d3c9a75 in WebCore::CachedPage::restore (this=0x2ea4d40, page=0x1afc210) at ../../Source/WebCore/history/CachedPage.cpp:83
#24 0x00007ff42d687623 in WebCore::FrameLoader::commitProvisionalLoad (this=0x1a39d20) at ../../Source/WebCore/loader/FrameLoader.cpp:1742
#25 0x00007ff42d68d0ba in WebCore::FrameLoader::loadProvisionalItemFromCachedPage (this=0x1a39d20) at ../../Source/WebCore/loader/FrameLoader.cpp:3040
#26 0x00007ff42d68bfdf in WebCore::FrameLoader::continueLoadAfterNavigationPolicy (this=0x1a39d20, formState=..., shouldContinue=true) at ../../Source/WebCore/loader/FrameLoader.cpp:2882
#27 0x00007ff42d68b575 in WebCore::FrameLoader::callContinueLoadAfterNavigationPolicy (argument=0x1a39d20, request=..., formState=..., shouldContinue=true) at ../../Source/WebCore/loader/FrameLoader.cpp:2718
#28 0x00007ff42d6b8029 in WebCore::PolicyCallback::call (this=0x7fffaa657010, shouldContinue=true) at ../../Source/WebCore/loader/PolicyCallback.cpp:103
#29 0x00007ff42d6b8f98 in WebCore::PolicyChecker::continueAfterNavigationPolicy (this=0x1a39fa0, policy=WebCore::PolicyUse) at ../../Source/WebCore/loader/PolicyChecker.cpp:180
#30 0x00007ff42cecbc6a in WebKit::WebFrame::didReceivePolicyDecision (this=0x19f7230, listenerID=48, action=WebCore::PolicyUse, downloadID=0) at ../../Source/WebKit2/WebProcess/WebPage/WebFrame.cpp:234
#31 0x00007ff42cea321d in WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction (this=0x19f7268, function=(void (WebCore::PolicyChecker::*)(WebCore::PolicyChecker * const, WebCore::PolicyAction)) 0x7ff42d6b8d2e <WebCore::PolicyChecker::continueAfterNavigationPolicy(WebCore::PolicyAction)>, navigationAction=..., request=..., formState=...) at ../../Source/WebKit2/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:708
#32 0x00007ff42d6b8951 in WebCore::PolicyChecker::checkNavigationPolicy (this=0x1a39fa0, request=..., loader=0x3111780, formState=..., function=0x7ff42d68b526 <WebCore::FrameLoader::callContinueLoadAfterNavigationPolicy(void*, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>, argument=0x1a39d20) at ../../Source/WebCore/loader/PolicyChecker.cpp:99
#33 0x00007ff42d685d40 in WebCore::FrameLoader::loadWithDocumentLoader (this=0x1a39d20, loader=0x3111780, type=WebCore::FrameLoadTypeBack, prpFormState=...) at ../../Source/WebCore/loader/FrameLoader.cpp:1422
#34 0x00007ff42d68d699 in WebCore::FrameLoader::loadDifferentDocumentItem (this=0x1a39d20, item=0x1c58a50, loadType=WebCore::FrameLoadTypeBack, cacheLoadPolicy=WebCore::FrameLoader::MayAttemptCacheOnlyLoadForFormSubmissionItem) at ../../Source/WebCore/loader/FrameLoader.cpp:3135
#35 0x00007ff42d68dd17 in WebCore::FrameLoader::loadItem (this=0x1a39d20, item=0x1c58a50, loadType=WebCore::FrameLoadTypeBack) at ../../Source/WebCore/loader/FrameLoader.cpp:3223
#36 0x00007ff42d696f10 in WebCore::HistoryController::recursiveGoToItem (this=0x1a3a240, item=0x1c58a50, fromItem=0x36dc950, type=WebCore::FrameLoadTypeBack) at ../../Source/WebCore/loader/HistoryController.cpp:765
#37 0x00007ff42d694fb2 in WebCore::HistoryController::goToItem (this=0x1a3a240, targetItem=0x1c58a50, type=WebCore::FrameLoadTypeBack) at ../../Source/WebCore/loader/HistoryController.cpp:306
#38 0x00007ff42d77245a in WebCore::Page::goToItem (this=0x1afc210, item=0x1c58a50, type=WebCore::FrameLoadTypeBack) at ../../Source/WebCore/page/Page.cpp:432
#39 0x00007ff42ced5db9 in WebKit::WebPage::goBack (this=0x1afbb60, backForwardItemID=3) at ../../Source/WebKit2/WebProcess/WebPage/WebPage.cpp:1036
#40 0x00007ff42cf3b903 in CoreIPC::callMemberFunction<WebKit::WebPage, void (WebKit::WebPage::*)(unsigned long), unsigned long> (args=..., object=0x1afbb60, function=(void (WebKit::WebPage::*)(WebKit::WebPage * const, unsigned long)) 0x7ff42ced5d28 <WebKit::WebPage::goBack(unsigned long)>) at ../../Source/WebKit2/Platform/CoreIPC/HandleMessage.h:21
#41 0x00007ff42cf38905 in CoreIPC::handleMessage<Messages::WebPage::GoBack, WebKit::WebPage, void (WebKit::WebPage::*)(unsigned long)> (decoder=..., object=0x1afbb60, function=(void (WebKit::WebPage::*)(WebKit::WebPage * const, unsigned long)) 0x7ff42ced5d28 <WebKit::WebPage::goBack(unsigned long)>) at ../../Source/WebKit2/Platform/CoreIPC/HandleMessage.h:376
#42 0x00007ff42cf335be in WebKit::WebPage::didReceiveWebPageMessage (this=0x1afbb60, decoder=...) at DerivedSources/WebKit2/WebPageMessageReceiver.cpp:172
#43 0x00007ff42cedcaca in WebKit::WebPage::didReceiveMessage (this=0x1afbb60, connection=0x19934c0, decoder=...) at ../../Source/WebKit2/WebProcess/WebPage/WebPage.cpp:3179
#44 0x00007ff42e43450e in CoreIPC::MessageReceiverMap::dispatchMessage (this=0x19c3df0, connection=0x19934c0, decoder=...) at ../../Source/WebKit2/Platform/CoreIPC/MessageReceiverMap.cpp:86
#45 0x00007ff42cef376d in WebKit::WebProcess::didReceiveMessage (this=0x19c3d90, connection=0x19934c0, decoder=...) at ../../Source/WebKit2/WebProcess/WebProcess.cpp:638
#46 0x00007ff42e423ea4 in CoreIPC::Connection::dispatchMessage (this=0x19934c0, decoder=...) at ../../Source/WebKit2/Platform/CoreIPC/Connection.cpp:793
#47 0x00007ff42e423f84 in CoreIPC::Connection::dispatchMessage (this=0x19934c0, incomingMessage=...) at ../../Source/WebKit2/Platform/CoreIPC/Connection.cpp:816
#48 0x00007ff42e424195 in CoreIPC::Connection::dispatchOneMessage (this=0x19934c0) at ../../Source/WebKit2/Platform/CoreIPC/Connection.cpp:842
#49 0x00007ff42e43391f in WTF::FunctionWrapper<void (CoreIPC::Connection::*)()>::operator() (this=0x7ff3d0001f90, c=0x19934c0) at ../../Source/WTF/wtf/Functional.h:218
#50 0x00007ff42e4334a4 in WTF::BoundFunctionImpl<WTF::FunctionWrapper<void (CoreIPC::Connection::*)()>, void (CoreIPC::Connection*)>::operator()() (this=0x7ff3d0001f80) at ../../Source/WTF/wtf/Functional.h:496
#51 0x00007ff42ceb4aed in WTF::Function<void ()>::operator()() const (this=0x7fffaa658830) at ../../Source/WTF/wtf/Functional.h:704
#52 0x00007ff42e2f924f in WebCore::RunLoop::performWork (this=0x19c3c10) at ../../Source/WebCore/platform/RunLoop.cpp:104
#53 0x00007ff42e3198cc in WebCore::RunLoop::queueWork (runLoop=0x19c3c10) at ../../Source/WebCore/platform/gtk/RunLoopGtk.cpp:104
#54 0x00007ff426483fd5 in g_main_dispatch (context=0x19538c0) at gmain.c:3058
#55 g_main_context_dispatch (context=context@entry=0x19538c0) at gmain.c:3634
#56 0x00007ff426484318 in g_main_context_iterate (context=0x19538c0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3705
#57 0x00007ff42648478a in g_main_loop_run (loop=0x19c3c90) at gmain.c:3899
#58 0x00007ff42e319692 in WebCore::RunLoop::run () at ../../Source/WebCore/platform/gtk/RunLoopGtk.cpp:61
#59 0x00007ff42ce11d64 in WebKit::WebProcessMainGtk (argc=2, argv=0x7fffaa658b58) at ../../Source/WebKit2/WebProcess/gtk/WebProcessMainGtk.cpp:78
#60 0x000000000040080c in main (argc=2, argv=0x7fffaa658b58) at ../../Source/WebKit2/gtk/MainGtk.cpp:31

Attachments
Patch (5.44 KB, patch)
2013-08-14 10:50 PDT, ChangSeok Oh
no flags
Patch (5.50 KB, patch)
2013-08-14 11:01 PDT, ChangSeok Oh
no flags
Crash on mac (224.47 KB, image/png)
2013-08-15 07:36 PDT, ChangSeok Oh
no flags
Archive of layout-test-results from webkit-ews-02 for mac-mountainlion (976.14 KB, application/zip)
2013-08-15 10:26 PDT, Build Bot
no flags
Patch (5.94 KB, patch)
2013-08-16 00:53 PDT, ChangSeok Oh
no flags
Patch (5.55 KB, patch)
2013-08-16 01:08 PDT, ChangSeok Oh
no flags
Patch (5.60 KB, patch)
2013-08-18 04:43 PDT, ChangSeok Oh
no flags
Patch (5.40 KB, patch)
2013-09-06 20:51 PDT, ChangSeok Oh
no flags
Patch (5.44 KB, patch)
2013-09-06 21:18 PDT, ChangSeok Oh
no flags
Archive of layout-test-results from webkit-ews-16 for mac-mountainlion-wk2 (1.09 MB, application/zip)
2013-09-07 00:05 PDT, Build Bot
no flags
Patch (5.98 KB, patch)
2013-09-08 20:59 PDT, ChangSeok Oh
no flags
ChangSeok Oh
Comment 1 2013-08-14 10:50:35 PDT
ChangSeok Oh
Comment 2 2013-08-14 11:01:49 PDT
Brady Eidson
Comment 3 2013-08-14 11:18:35 PDT
Does your layout test reproduce in the main Mac port? We haven't seen this there.
Brady Eidson
Comment 4 2013-08-14 11:20:08 PDT
Comment on attachment 208746
Patch

This is a fundamental change for the page cache and I'm definitely not convinced this is the right fix without knowing more about the problem or how you arrived at this fix.
ChangSeok Oh
Comment 5 2013-08-14 22:22:16 PDT
(In reply to comment #4)
> (From update of attachment 208746)
> This is a fundamental change for the page cache and I'm definitely not convinced this is the right fix without knowing more about the problem or how you arrived at this fix.

I've seen this in Gtk port now. Let me check other ports including mac port.
ChangSeok Oh
Comment 6 2013-08-15 07:36:17 PDT
Created attachment 208807
Crash on mac

(In reply to comment #3)
> Does your layout test reproduce in the main Mac port? We haven't seen this there.

Yes, it does. I confirmed the mac port has the crash. Run go-back-to-iframe-with-plugin.html with a debug build. The EFL port does not seem to support the flash plugin properly, so I could not test it. I haven't seen the qt port yet, but I'm very sure the crash is still there.
Build Bot
Comment 7 2013-08-15 10:26:38 PDT
Comment on attachment 208746
Patch

Attachment 208746 did not pass mac-ews (mac):
Output: http://webkit-queues.appspot.com/results/1469248

New failing tests:
fast/events/pageshow-pagehide-on-back-cached-with-frames.html
Build Bot
Comment 8 2013-08-15 10:26:40 PDT
Created attachment 208819
Archive of layout-test-results from webkit-ews-02 for mac-mountainlion

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: webkit-ews-02
Port: mac-mountainlion
Platform: Mac OS X 10.8.4
ChangSeok Oh
Comment 9 2013-08-16 00:53:38 PDT
ChangSeok Oh
Comment 10 2013-08-16 01:08:24 PDT
ChangSeok Oh
Comment 11 2013-08-18 04:43:11 PDT
ChangSeok Oh
Comment 12 2013-08-19 20:59:37 PDT
Review please?
ChangSeok Oh
Comment 13 2013-09-06 20:51:58 PDT
ChangSeok Oh
Comment 14 2013-09-06 21:18:31 PDT
Build Bot
Comment 15 2013-09-07 00:05:02 PDT
Comment on attachment 210835
Patch

Attachment 210835 did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.appspot.com/results/1706668

New failing tests:
fast/history/go-back-to-iframe-with-plugin.html
inspector/storage-panel-dom-storage-update.html
compositing/iframes/page-cache-layer-tree.html
fast/events/pagehide-xhr-open.html
platform/mac-wk2/tiled-drawing/null-parent-back-crash.html
fast/events/suspend-timers.html
Build Bot
Comment 16 2013-09-07 00:05:05 PDT
Created attachment 210899
Archive of layout-test-results from webkit-ews-16 for mac-mountainlion-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: webkit-ews-16
Port: mac-mountainlion-wk2
Platform: Mac OS X 10.8.4
ChangSeok Oh
Comment 17 2013-09-08 20:59:28 PDT
WebKit Commit Bot
Comment 18 2013-09-09 10:40:17 PDT
Comment on attachment 211005
Patch

Clearing flags on attachment: 211005

Committed r155361: <http://trac.webkit.org/changeset/155361>
WebKit Commit Bot
Comment 19 2013-09-09 10:40:20 PDT
All reviewed patches have been landed. Closing bug.
Beth Dakin
Comment 20 2013-09-09 13:24:49 PDT
This test appears to be crashing on the debug bots.
Beth Dakin
Comment 21 2013-09-09 14:58:52 PDT
(In reply to comment #20)
> This test appears to be crashing on the debug bots.

I confirmed that the test will crash even if the patch is rolled out, so at least this change did not introduce the crash. I will skip the test for now.
Beth Dakin
Comment 22 2013-09-09 15:15:19 PDT
I skipped the test with http://trac.webkit.org/changeset/155389 and filed https://bugs.webkit.org/show_bug.cgi?id=121053 to track fixing the test or the assertion.