Bug 130346

Summary:

REGRESSION (r163560): ASSERTION FAILED: childrenInline() in WebCore::RenderSVGText::layout

Product:

WebKit

Reporter:

Renata Hodovan <rhodovan.u-szeged>

Component:

Layout and Rendering

Assignee:

Daniel Bates <dbates>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

allan.jensen, commit-queue, dbates, d-r, esprehn+autocc, fmalita, glenn, gyuyoung.kim, kondapallykalyan, krit, macpherson, menard, pdr, rwlbuis, schenney, sergio, zimmermann

Priority:

Keywords:

Regression

Version:

528+ (Nightly build)

Hardware:

Unspecified

OS:

Unspecified

Bug Depends on:

Bug Blocks:

116980

Attachments:

Description	Flags
Patch and Layout test	none
Patch and Layout tests	kling: review+

Renata Hodovan

Reported 2014-03-17 10:01:32 PDT

The following test asserts on debug WebKit: <svg xmlns="http://www.w3.org/2000/svg"> <text> <tref display="inherit"></tref> </text> </svg> Backtrace: ASSERTION FAILED: childrenInline() /home/reni2/data/REPOS/webkit_sec/Source/WebCore/rendering/svg/RenderSVGText.cpp(411) : virtual void WebCore::RenderSVGText::layout() 1 0x7ffff5ed5075 WTFCrash 2 0x7ffff1a39ffe WebCore::RenderSVGText::layout() 3 0x7ffff1a4646e WebCore::SVGRenderSupport::layoutChildren(WebCore::RenderElement&, bool) 4 0x7ffff1a323c0 WebCore::RenderSVGRoot::layout() 5 0x7ffff1796df1 WebCore::RenderElement::layoutIfNeeded() 6 0x7ffff1817f8c WebCore::RenderBlockFlow::layoutLineBoxes(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) 7 0x7ffff17faef2 WebCore::RenderBlockFlow::layoutInlineChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) 8 0x7ffff17fa265 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) 9 0x7ffff17ca707 WebCore::RenderBlock::layout() 10 0x7ffff17fb2bc WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) 11 0x7ffff17fadfe WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) 12 0x7ffff17fa289 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) 13 0x7ffff17ca707 WebCore::RenderBlock::layout() 14 0x7ffff17fb2bc WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) 15 0x7ffff17fadfe WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) 16 0x7ffff17fa289 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) 17 0x7ffff17ca707 WebCore::RenderBlock::layout() 18 0x7ffff1994bb1 WebCore::RenderView::layoutContent(WebCore::LayoutState const&) 19 0x7ffff19952ea WebCore::RenderView::layout() 20 0x7ffff15263cf WebCore::FrameView::layout(bool) 21 0x7ffff0f7e16f WebCore::Document::implicitClose() 22 0x7ffff13fb649 WebCore::FrameLoader::checkCallImplicitClose() 23 0x7ffff13fb3e4 WebCore::FrameLoader::checkCompleted() 24 0x7ffff13fb152 WebCore::FrameLoader::finishedParsing() 25 0x7ffff0f8580b WebCore::Document::finishedParsing() 26 0x7ffff1283e23 WebCore::HTMLConstructionSite::finishedParsing() 27 0x7ffff12bc8d5 WebCore::HTMLTreeBuilder::finished() 28 0x7ffff128b8c0 WebCore::HTMLDocumentParser::end() 29 0x7ffff128b9ab WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() 30 0x7ffff128a5f5 WebCore::HTMLDocumentParser::prepareToStopParsing() 31 0x7ffff128b9ee WebCore::HTMLDocumentParser::attemptToEnd() Program received signal SIGSEGV, Segmentation fault. 0x00007ffff5ed507a in WTFCrash () at /home/reni2/data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:333 333 *(int *)(uintptr_t)0xbbadbeef = 0; (gdb) bt #0 0x00007ffff5ed507a in WTFCrash () at /home/reni2/data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:333 #1 0x00007ffff1a39ffe in WebCore::RenderSVGText::layout (this=0xfe7f70) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/rendering/svg/RenderSVGText.cpp:411 #2 0x00007ffff1a4646e in WebCore::SVGRenderSupport::layoutChildren (start=..., selfNeedsLayout=true) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/rendering/svg/SVGRenderSupport.cpp:270 #3 0x00007ffff1a323c0 in WebCore::RenderSVGRoot::layout (this=0xfd1700) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/rendering/svg/RenderSVGRoot.cpp:210 #4 0x00007ffff1796df1 in WebCore::RenderElement::layoutIfNeeded (this=0xfd1700) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/rendering/RenderElement.h:99 #5 0x00007ffff1817f8c in WebCore::RenderBlockFlow::layoutLineBoxes (this=0xf89c70, relayoutChildren=true, repaintLogicalTop=..., repaintLogicalBottom=...) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1694 #6 0x00007ffff17faef2 in WebCore::RenderBlockFlow::layoutInlineChildren (this=0xf89c70, relayoutChildren=true, repaintLogicalTop=..., repaintLogicalBottom=...) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:568 #7 0x00007ffff17fa265 in WebCore::RenderBlockFlow::layoutBlock (this=0xf89c70, relayoutChildren=true, pageLogicalHeight=...) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:394 #8 0x00007ffff17ca707 in WebCore::RenderBlock::layout (this=0xf89c70) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlock.cpp:1286 #9 0x00007ffff17fb2bc in WebCore::RenderBlockFlow::layoutBlockChild (this=0xf88610, child=..., marginInfo=..., previousFloatLogicalBottom=..., maxFloatLogicalBottom=...) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:629 #10 0x00007ffff17fadfe in WebCore::RenderBlockFlow::layoutBlockChildren (this=0xf88610, relayoutChildren=true, maxFloatLogicalBottom=...) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:548 #11 0x00007ffff17fa289 in WebCore::RenderBlockFlow::layoutBlock (this=0xf88610, relayoutChildren=true, pageLogicalHeight=...) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:396 #12 0x00007ffff17ca707 in WebCore::RenderBlock::layout (this=0xf88610) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlock.cpp:1286 #13 0x00007ffff17fb2bc in WebCore::RenderBlockFlow::layoutBlockChild (this=0x95f570, child=..., marginInfo=..., previousFloatLogicalBottom=..., maxFloatLogicalBottom=...) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:629 #14 0x00007ffff17fadfe in WebCore::RenderBlockFlow::layoutBlockChildren (this=0x95f570, relayoutChildren=true, maxFloatLogicalBottom=...) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:548 #15 0x00007ffff17fa289 in WebCore::RenderBlockFlow::layoutBlock (this=0x95f570, relayoutChildren=true, pageLogicalHeight=...) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:396 #16 0x00007ffff17ca707 in WebCore::RenderBlock::layout (this=0x95f570) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlock.cpp:1286 #17 0x00007ffff1994bb1 in WebCore::RenderView::layoutContent (this=0x95f570, state=...) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/rendering/RenderView.cpp:152 #18 0x00007ffff19952ea in WebCore::RenderView::layout (this=0x95f570) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/rendering/RenderView.cpp:281 #19 0x00007ffff15263cf in WebCore::FrameView::layout (this=0x96b550, allowSubtree=true) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/page/FrameView.cpp:1252 #20 0x00007ffff0f7e16f in WebCore::Document::implicitClose (this=0x9898f0) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:2456 #21 0x00007ffff13fb649 in WebCore::FrameLoader::checkCallImplicitClose (this=0x77cee8) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:884 #22 0x00007ffff13fb3e4 in WebCore::FrameLoader::checkCompleted (this=0x77cee8) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:830 #23 0x00007ffff13fb152 in WebCore::FrameLoader::finishedParsing (this=0x77cee8) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:754 #24 0x00007ffff0f8580b in WebCore::Document::finishedParsing (this=0x9898f0) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:4458 #25 0x00007ffff1283e23 in WebCore::HTMLConstructionSite::finishedParsing (this=0x910f68) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLConstructionSite.cpp:393 #26 0x00007ffff12bc8d5 in WebCore::HTMLTreeBuilder::finished (this=0x910f50) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2988 #27 0x00007ffff128b8c0 in WebCore::HTMLDocumentParser::end (this=0x80a7b0) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:439 #28 0x00007ffff128b9ab in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd (this=0x80a7b0) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:450 #29 0x00007ffff128a5f5 in WebCore::HTMLDocumentParser::prepareToStopParsing (this=0x80a7b0) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:165 ---Type <return> to continue, or q <return> to quit--- #30 0x00007ffff128b9ee in WebCore::HTMLDocumentParser::attemptToEnd (this=0x80a7b0) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:462 #31 0x00007ffff128baa5 in WebCore::HTMLDocumentParser::finish (this=0x80a7b0) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:490 #32 0x00007ffff13ed49f in WebCore::DocumentWriter::end (this=0x8ceae0) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/loader/DocumentWriter.cpp:248 #33 0x00007ffff13d7e41 in WebCore::DocumentLoader::finishedLoading (this=0x8cea40, finishTime=0) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:440 #34 0x00007ffff13d7baa in WebCore::DocumentLoader::notifyFinished (this=0x8cea40, resource=0x7576e0) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:374 #35 0x00007ffff14805a4 in WebCore::CachedResource::checkNotify (this=0x7576e0) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:332 #36 0x00007ffff1480682 in WebCore::CachedResource::finishLoading (this=0x7576e0) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:348 #37 0x00007ffff147d056 in WebCore::CachedRawResource::finishLoading (this=0x7576e0, data=0x76ae30) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedRawResource.cpp:96 #38 0x00007ffff143873a in WebCore::SubresourceLoader::didFinishLoading (this=0x757c20, finishTime=0) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/loader/SubresourceLoader.cpp:310 #39 0x00007ffff1434a11 in WebCore::ResourceLoader::didFinishLoading (this=0x757c20, finishTime=0) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/loader/ResourceLoader.cpp:508 #40 0x00007ffff1d16a55 in WebCore::readCallback (asyncResult=0x8071c0, data=0x823960) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp:1322 #41 0x00007fffe8f3e02a in async_ready_callback_wrapper (source_object=0x91e9e0, res=0x8071c0, user_data=0x823960) at ginputstream.c:530 #42 0x00007fffe8f5d5bb in g_task_return_now (task=0x8071c0) at gtask.c:1105 #43 0x00007fffe8f5d5d9 in complete_in_idle_cb (task=0x8071c0) at gtask.c:1114 #44 0x00007fffed2e7f46 in g_main_dispatch (context=0x8068d0) at gmain.c:3054 #45 g_main_context_dispatch (context=context@entry=0x8068d0) at gmain.c:3630 #46 0x00007ffff78de6e8 in _ecore_glib_select__locked (ecore_timeout=<optimized out>, efds=<optimized out>, wfds=0x7fffffffc620, rfds=0x7fffffffc5a0, ecore_fds=10, ctx=<optimized out>) at ecore_glib.c:171 #47 _ecore_glib_select (ecore_fds=10, rfds=0x7fffffffc5a0, wfds=0x7fffffffc620, efds=<optimized out>, ecore_timeout=<optimized out>) at ecore_glib.c:205 #48 0x00007ffff78d8b37 in _ecore_main_select (timeout=timeout@entry=0) at ecore_main.c:1466 #49 0x00007ffff78d962c in _ecore_main_loop_iterate_internal (once_only=once_only@entry=0) at ecore_main.c:1860 #50 0x00007ffff78d99c7 in ecore_main_loop_begin () at ecore_main.c:956 #51 0x0000000000406866 in main (argc=2, argv=0x7fffffffdab8) at /home/reni2/data/REPOS/webkit_sec/Tools/EWebLauncher/main.c:1002

Attachments
Patch and Layout test (7.04 KB, patch) 2014-03-18 10:00 PDT, Daniel Bates	no flags	Details Formatted Diff Diff
Patch and Layout tests (8.25 KB, patch) 2014-03-18 12:50 PDT, Daniel Bates	kling: review+	Details Formatted Diff Diff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.

Daniel Bates

Comment 1 2014-03-18 10:00:17 PDT

Created attachment 227062 [details] Patch and Layout test

Andreas Kling

Comment 2 2014-03-18 11:28:25 PDT

Comment on attachment 227062 [details] Patch and Layout test Oh wow. Good catch :)

Daniel Bates

Comment 3 2014-03-18 12:50:08 PDT

Created attachment 227090 [details] Patch and Layout tests

Daniel Bates

Comment 4 2014-03-18 12:52:24 PDT

(In reply to comment #3) > Created an attachment (id=227090) [details] > Patch and Layout tests I added another layout test for an SVG <a> with display block. Notice that SVG <a> is an inline-level element when it's a child of <text> by default.

Andreas Kling

Comment 5 2014-03-18 12:54:28 PDT

Comment on attachment 227090 [details] Patch and Layout tests Even better! r=me

Daniel Bates

Comment 6 2014-03-18 12:59:38 PDT

Committed r165836: <http://trac.webkit.org/changeset/165836>

Note You need to log in before you can comment on or make changes to this bug.