Bug 120645

Summary: REGRESSION(r154546): ASSERTION FAILED: frame().view() == this closing a page with SVG or video
Product: WebKit
Reporter: Simon Fraser (smfr) <simon.fraser>
Component: Layout and Rendering
Assignee: Andreas Kling <kling>
Status: RESOLVED FIXED
Severity: Normal
CC: commit-queue, d-r, esprehn+autocc, fmalita, glenn, kling, kondapallykalyan, pdr, schenney, simon.fraser
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
URL: http://ie.microsoft.com/testdrive/graphics/hands-on-css3/hands-on_svg-filter-effects.htm
Attachments:
Quickfix (flags: none)

Description Simon Fraser (smfr) 2013-09-03 11:49:15 PDT
I've started to see this on pages with video and svg:

ASSERTION FAILED: frame().view() == this
/Volumes/SSData/Development/OSX/webkit/OpenSource/Source/WebCore/page/FrameView.cpp(2422) : void WebCore::FrameView::scheduleRelayoutOfSubtree(WebCore::RenderObject *)
1   0x102b1aaf0 WTFCrash
2   0x103f629e9 WebCore::FrameView::scheduleRelayoutOfSubtree(WebCore::RenderObject*)
3   0x104c59af5 WebCore::RenderObject::scheduleRelayout()
4   0x104c59636 WebCore::RenderObject::markContainingBlocksForLayout(bool, WebCore::RenderObject*)
5   0x1039d3219 WebCore::RenderObject::setNeedsLayout(bool, WebCore::MarkingBehavior)
6   0x104ca7575 WebCore::RenderSVGResource::markForLayoutAndParentResourceInvalidation(WebCore::RenderObject*, bool)
7   0x104cace20 WebCore::RenderSVGResourceContainer::markAllClientsForInvalidation(WebCore::RenderSVGResourceContainer::InvalidationMode)
8   0x104cafd0c WebCore::RenderSVGResourceFilter::removeAllClientsFromCache(bool)
9   0x104cafd4c non-virtual thunk to WebCore::RenderSVGResourceFilter::removeAllClientsFromCache(bool)
10  0x104ca75fe WebCore::RenderSVGResource::markForLayoutAndParentResourceInvalidation(WebCore::RenderObject*, bool)
11  0x104ca1d34 WebCore::SVGResourcesCache::clientWillBeRemovedFromTree(WebCore::RenderObject*)
12  0x104ca1ce1 WebCore::RenderSVGContainer::removeChild(WebCore::RenderObject*)
13  0x104baa0b6 WebCore::RenderObject::remove()
14  0x104c6727d WebCore::RenderObject::willBeDestroyed()
15  0x104caa39b WebCore::RenderSVGModelObject::willBeDestroyed()
16  0x104c67b1d WebCore::RenderObject::destroy()
17  0x104c67a16 WebCore::RenderObject::destroyAndCleanupAnonymousWrappers()
18  0x1039d0d85 WebCore::Style::detachRenderTree(WebCore::Element&, WebCore::Style::DetachType)
19  0x1039d0f30 WebCore::Style::detachChildren(WebCore::ContainerNode&, WebCore::Style::DetachType)
20  0x1039d0d59 WebCore::Style::detachRenderTree(WebCore::Element&, WebCore::Style::DetachType)
21  0x1039d0f30 WebCore::Style::detachChildren(WebCore::ContainerNode&, WebCore::Style::DetachType)
22  0x1039d0d59 WebCore::Style::detachRenderTree(WebCore::Element&, WebCore::Style::DetachType)
23  0x1039d0f30 WebCore::Style::detachChildren(WebCore::ContainerNode&, WebCore::Style::DetachType)
24  0x1039d0d59 WebCore::Style::detachRenderTree(WebCore::Element&, WebCore::Style::DetachType)
25  0x1039d0f30 WebCore::Style::detachChildren(WebCore::ContainerNode&, WebCore::Style::DetachType)
26  0x1039d0d59 WebCore::Style::detachRenderTree(WebCore::Element&, WebCore::Style::DetachType)
27  0x1039d0f30 WebCore::Style::detachChildren(WebCore::ContainerNode&, WebCore::Style::DetachType)
28  0x1039d0d59 WebCore::Style::detachRenderTree(WebCore::Element&, WebCore::Style::DetachType)
29  0x1039d0f30 WebCore::Style::detachChildren(WebCore::ContainerNode&, WebCore::Style::DetachType)
30  0x1039d0d59 WebCore::Style::detachRenderTree(WebCore::Element&, WebCore::Style::DetachType)
31  0x1039d0f30 WebCore::Style::detachChildren(WebCore::ContainerNode&, WebCore::Style::DetachType)

Steps:
1. Load http://ie.microsoft.com/testdrive/graphics/hands-on-css3/hands-on_svg-filter-effects.htm
2. Click Animations link in bottom right
3. Close window. asserts.
Comment 1 Simon Fraser (smfr) 2013-09-03 11:50:49 PDT
This is down under CachedPage::destroy().
Comment 2 Andreas Kling 2013-09-03 11:51:50 PDT
Sweet catch! Looks like we're scheduling a relayout unnecessarily during page teardown.
Comment 3 Andreas Kling 2013-09-03 12:10:15 PDT
This regressed in <http://trac.webkit.org/154546> when making RenderObject::view() return a reference.
RenderSVGResourceContainer was checking for a null RenderView to see if tree teardown was in progress.
Comment 4 Andreas Kling 2013-09-03 12:10:37 PDT
Sorry, <http://trac.webkit.org/r154546>
Comment 5 Andreas Kling 2013-09-03 12:17:26 PDT
Created attachment 210399 [details]
Quickfix
Comment 6 Simon Fraser (smfr) 2013-09-03 13:31:22 PDT
There's a video teardown equivalent for this bug too. I guess destroying a page in the page cache with video.
Comment 7 WebKit Commit Bot 2013-09-03 21:48:23 PDT
Comment on attachment 210399 [details]
Quickfix

Clearing flags on attachment: 210399

Committed r155018: <http://trac.webkit.org/changeset/155018>
Comment 8 WebKit Commit Bot 2013-09-03 21:48:25 PDT
All reviewed patches have been landed.  Closing bug.
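
The regression described in comment 3, reduced to a stand-alone model (an added example, not code from WebKit or from the attached patch): a null return that doubled as the "teardown in progress" signal disappears when the accessor starts returning a reference, and an explicit lifecycle flag is one way to restore the guard. All type and function names below are hypothetical stand-ins.

```cpp
// Constructed model, not WebKit code: every type below is a hypothetical stand-in.
struct View {
    bool attachedToFrame = true;  // models the invariant frame().view() == this
    int relayoutsScheduled = 0;
    int invariantViolations = 0;  // counts what a debug ASSERT would trap
    void scheduleRelayout() {
        if (!attachedToFrame) ++invariantViolations;
        ++relayoutsScheduled;
    }
};
struct Document {
    View view;
    bool beingDestroyed = false;  // explicit lifecycle state
    void beginTeardown() { beingDestroyed = true; view.attachedToFrame = false; }
};
struct Renderer {
    Document& doc;
    View* viewOrNull() { return doc.beingDestroyed ? nullptr : &doc.view; } // old accessor
    View& view() { return doc.view; }                                      // new accessor
};
enum class Variant { NullCheck, Refactored, ExplicitState };

void invalidate(Renderer& r, Variant v) {
    switch (v) {
    case Variant::NullCheck:      // null pointer doubles as the teardown signal
        if (View* view = r.viewOrNull()) view->scheduleRelayout();
        break;
    case Variant::Refactored:     // reference is never null, so the guard vanished
        r.view().scheduleRelayout();
        break;
    case Variant::ExplicitState:  // hardened: query the state, not a sentinel
        if (!r.doc.beingDestroyed) r.view().scheduleRelayout();
        break;
    }
}
// Runs one invalidation on a live or torn-down document and returns the view's counters.
View runScenario(Variant v, bool teardown) {
    Document doc;
    Renderer r{doc};
    if (teardown) doc.beginTeardown();
    invalidate(r, v);
    return doc.view;
}
int main() {
    return runScenario(Variant::Refactored, true).invariantViolations == 1 ? 0 : 1;
}
```

In a build with assertions compiled out, the refactored variant would schedule the relayout silently, which is why the check is worth expressing as explicit state rather than as a side effect of a nullable return.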