Bug 130346

Summary: REGRESSION (r163560): ASSERTION FAILED: childrenInline() in WebCore::RenderSVGText::layout
Product: WebKit
Reporter: Renata Hodovan <rhodovan.u-szeged>
Component: Layout and Rendering
Assignee: Daniel Bates <dbates>
Status: RESOLVED FIXED
Severity: Normal
CC: allan.jensen, commit-queue, dbates, d-r, esprehn+autocc, fmalita, glenn, gyuyoung.kim, kondapallykalyan, krit, macpherson, menard, pdr, rwlbuis, schenney, sergio, zimmermann
Priority: P2
Keywords: Regression
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Bug Depends on:
Bug Blocks: 116980
Attachments (Description / Flags):
Patch and Layout test / none
Patch and Layout tests / kling: review+

Description Renata Hodovan 2014-03-17 10:01:32 PDT
The following test asserts on debug WebKit:

<svg xmlns="http://www.w3.org/2000/svg">
	<text>
		<tref display="inherit"></tref>
	</text>
</svg>

Backtrace:

ASSERTION FAILED: childrenInline()
/home/reni2/data/REPOS/webkit_sec/Source/WebCore/rendering/svg/RenderSVGText.cpp(411) : virtual void WebCore::RenderSVGText::layout()
1   0x7ffff5ed5075 WTFCrash
2   0x7ffff1a39ffe WebCore::RenderSVGText::layout()
3   0x7ffff1a4646e WebCore::SVGRenderSupport::layoutChildren(WebCore::RenderElement&, bool)
4   0x7ffff1a323c0 WebCore::RenderSVGRoot::layout()
5   0x7ffff1796df1 WebCore::RenderElement::layoutIfNeeded()
6   0x7ffff1817f8c WebCore::RenderBlockFlow::layoutLineBoxes(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
7   0x7ffff17faef2 WebCore::RenderBlockFlow::layoutInlineChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
8   0x7ffff17fa265 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)
9   0x7ffff17ca707 WebCore::RenderBlock::layout()
10  0x7ffff17fb2bc WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
11  0x7ffff17fadfe WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)
12  0x7ffff17fa289 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)
13  0x7ffff17ca707 WebCore::RenderBlock::layout()
14  0x7ffff17fb2bc WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
15  0x7ffff17fadfe WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)
16  0x7ffff17fa289 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)
17  0x7ffff17ca707 WebCore::RenderBlock::layout()
18  0x7ffff1994bb1 WebCore::RenderView::layoutContent(WebCore::LayoutState const&)
19  0x7ffff19952ea WebCore::RenderView::layout()
20  0x7ffff15263cf WebCore::FrameView::layout(bool)
21  0x7ffff0f7e16f WebCore::Document::implicitClose()
22  0x7ffff13fb649 WebCore::FrameLoader::checkCallImplicitClose()
23  0x7ffff13fb3e4 WebCore::FrameLoader::checkCompleted()
24  0x7ffff13fb152 WebCore::FrameLoader::finishedParsing()
25  0x7ffff0f8580b WebCore::Document::finishedParsing()
26  0x7ffff1283e23 WebCore::HTMLConstructionSite::finishedParsing()
27  0x7ffff12bc8d5 WebCore::HTMLTreeBuilder::finished()
28  0x7ffff128b8c0 WebCore::HTMLDocumentParser::end()
29  0x7ffff128b9ab WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd()
30  0x7ffff128a5f5 WebCore::HTMLDocumentParser::prepareToStopParsing()
31  0x7ffff128b9ee WebCore::HTMLDocumentParser::attemptToEnd()

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff5ed507a in WTFCrash () at /home/reni2/data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:333
333	    *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007ffff5ed507a in WTFCrash () at /home/reni2/data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:333
#1  0x00007ffff1a39ffe in WebCore::RenderSVGText::layout (this=0xfe7f70)
    at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/rendering/svg/RenderSVGText.cpp:411
#2  0x00007ffff1a4646e in WebCore::SVGRenderSupport::layoutChildren (start=..., selfNeedsLayout=true)
    at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/rendering/svg/SVGRenderSupport.cpp:270
#3  0x00007ffff1a323c0 in WebCore::RenderSVGRoot::layout (this=0xfd1700)
    at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/rendering/svg/RenderSVGRoot.cpp:210
#4  0x00007ffff1796df1 in WebCore::RenderElement::layoutIfNeeded (this=0xfd1700)
    at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/rendering/RenderElement.h:99
#5  0x00007ffff1817f8c in WebCore::RenderBlockFlow::layoutLineBoxes (this=0xf89c70, relayoutChildren=true, repaintLogicalTop=..., 
    repaintLogicalBottom=...) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1694
#6  0x00007ffff17faef2 in WebCore::RenderBlockFlow::layoutInlineChildren (this=0xf89c70, relayoutChildren=true, repaintLogicalTop=..., 
    repaintLogicalBottom=...) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:568
#7  0x00007ffff17fa265 in WebCore::RenderBlockFlow::layoutBlock (this=0xf89c70, relayoutChildren=true, pageLogicalHeight=...)
    at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:394
#8  0x00007ffff17ca707 in WebCore::RenderBlock::layout (this=0xf89c70)
    at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlock.cpp:1286
#9  0x00007ffff17fb2bc in WebCore::RenderBlockFlow::layoutBlockChild (this=0xf88610, child=..., marginInfo=..., previousFloatLogicalBottom=..., 
    maxFloatLogicalBottom=...) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:629
#10 0x00007ffff17fadfe in WebCore::RenderBlockFlow::layoutBlockChildren (this=0xf88610, relayoutChildren=true, maxFloatLogicalBottom=...)
    at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:548
#11 0x00007ffff17fa289 in WebCore::RenderBlockFlow::layoutBlock (this=0xf88610, relayoutChildren=true, pageLogicalHeight=...)
    at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:396
#12 0x00007ffff17ca707 in WebCore::RenderBlock::layout (this=0xf88610)
    at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlock.cpp:1286
#13 0x00007ffff17fb2bc in WebCore::RenderBlockFlow::layoutBlockChild (this=0x95f570, child=..., marginInfo=..., previousFloatLogicalBottom=..., 
    maxFloatLogicalBottom=...) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:629
#14 0x00007ffff17fadfe in WebCore::RenderBlockFlow::layoutBlockChildren (this=0x95f570, relayoutChildren=true, maxFloatLogicalBottom=...)
    at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:548
#15 0x00007ffff17fa289 in WebCore::RenderBlockFlow::layoutBlock (this=0x95f570, relayoutChildren=true, pageLogicalHeight=...)
    at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:396
#16 0x00007ffff17ca707 in WebCore::RenderBlock::layout (this=0x95f570)
    at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlock.cpp:1286
#17 0x00007ffff1994bb1 in WebCore::RenderView::layoutContent (this=0x95f570, state=...)
    at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/rendering/RenderView.cpp:152
#18 0x00007ffff19952ea in WebCore::RenderView::layout (this=0x95f570) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/rendering/RenderView.cpp:281
#19 0x00007ffff15263cf in WebCore::FrameView::layout (this=0x96b550, allowSubtree=true)
    at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/page/FrameView.cpp:1252
#20 0x00007ffff0f7e16f in WebCore::Document::implicitClose (this=0x9898f0) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:2456
#21 0x00007ffff13fb649 in WebCore::FrameLoader::checkCallImplicitClose (this=0x77cee8)
    at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:884
#22 0x00007ffff13fb3e4 in WebCore::FrameLoader::checkCompleted (this=0x77cee8)
    at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:830
#23 0x00007ffff13fb152 in WebCore::FrameLoader::finishedParsing (this=0x77cee8)
    at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:754
#24 0x00007ffff0f8580b in WebCore::Document::finishedParsing (this=0x9898f0) at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:4458
#25 0x00007ffff1283e23 in WebCore::HTMLConstructionSite::finishedParsing (this=0x910f68)
    at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLConstructionSite.cpp:393
#26 0x00007ffff12bc8d5 in WebCore::HTMLTreeBuilder::finished (this=0x910f50)
    at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2988
#27 0x00007ffff128b8c0 in WebCore::HTMLDocumentParser::end (this=0x80a7b0)
    at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:439
#28 0x00007ffff128b9ab in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd (this=0x80a7b0)
    at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:450
#29 0x00007ffff128a5f5 in WebCore::HTMLDocumentParser::prepareToStopParsing (this=0x80a7b0)
    at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:165
---Type <return> to continue, or q <return> to quit---
#30 0x00007ffff128b9ee in WebCore::HTMLDocumentParser::attemptToEnd (this=0x80a7b0)
    at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:462
#31 0x00007ffff128baa5 in WebCore::HTMLDocumentParser::finish (this=0x80a7b0)
    at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:490
#32 0x00007ffff13ed49f in WebCore::DocumentWriter::end (this=0x8ceae0)
    at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/loader/DocumentWriter.cpp:248
#33 0x00007ffff13d7e41 in WebCore::DocumentLoader::finishedLoading (this=0x8cea40, finishTime=0)
    at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:440
#34 0x00007ffff13d7baa in WebCore::DocumentLoader::notifyFinished (this=0x8cea40, resource=0x7576e0)
    at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:374
#35 0x00007ffff14805a4 in WebCore::CachedResource::checkNotify (this=0x7576e0)
    at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:332
#36 0x00007ffff1480682 in WebCore::CachedResource::finishLoading (this=0x7576e0)
    at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:348
#37 0x00007ffff147d056 in WebCore::CachedRawResource::finishLoading (this=0x7576e0, data=0x76ae30)
    at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedRawResource.cpp:96
#38 0x00007ffff143873a in WebCore::SubresourceLoader::didFinishLoading (this=0x757c20, finishTime=0)
    at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/loader/SubresourceLoader.cpp:310
#39 0x00007ffff1434a11 in WebCore::ResourceLoader::didFinishLoading (this=0x757c20, finishTime=0)
    at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/loader/ResourceLoader.cpp:508
#40 0x00007ffff1d16a55 in WebCore::readCallback (asyncResult=0x8071c0, data=0x823960)
    at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp:1322
#41 0x00007fffe8f3e02a in async_ready_callback_wrapper (source_object=0x91e9e0, res=0x8071c0, user_data=0x823960) at ginputstream.c:530
#42 0x00007fffe8f5d5bb in g_task_return_now (task=0x8071c0) at gtask.c:1105
#43 0x00007fffe8f5d5d9 in complete_in_idle_cb (task=0x8071c0) at gtask.c:1114
#44 0x00007fffed2e7f46 in g_main_dispatch (context=0x8068d0) at gmain.c:3054
#45 g_main_context_dispatch (context=context@entry=0x8068d0) at gmain.c:3630
#46 0x00007ffff78de6e8 in _ecore_glib_select__locked (ecore_timeout=<optimized out>, efds=<optimized out>, wfds=0x7fffffffc620, rfds=0x7fffffffc5a0, 
    ecore_fds=10, ctx=<optimized out>) at ecore_glib.c:171
#47 _ecore_glib_select (ecore_fds=10, rfds=0x7fffffffc5a0, wfds=0x7fffffffc620, efds=<optimized out>, ecore_timeout=<optimized out>)
    at ecore_glib.c:205
#48 0x00007ffff78d8b37 in _ecore_main_select (timeout=timeout@entry=0) at ecore_main.c:1466
#49 0x00007ffff78d962c in _ecore_main_loop_iterate_internal (once_only=once_only@entry=0) at ecore_main.c:1860
#50 0x00007ffff78d99c7 in ecore_main_loop_begin () at ecore_main.c:956
#51 0x0000000000406866 in main (argc=2, argv=0x7fffffffdab8) at /home/reni2/data/REPOS/webkit_sec/Tools/EWebLauncher/main.c:1002
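
A triage sketch for the output above, added here as an example; it is not part of the original report or of WebKit's tooling. It treats the SIGSEGV as a deliberate assertion crash when the top frame is WTFCrash and the faulting write targets 0xbbadbeef, then derives a checkout-independent bucket key; the `triage` function and the bucket format are assumptions made for illustration.

```python
import re

# Excerpt of the report's own output (assertion banner + first gdb frames), embedded as sample input.
SAMPLE = """\
ASSERTION FAILED: childrenInline()
/home/reni2/data/REPOS/webkit_sec/Source/WebCore/rendering/svg/RenderSVGText.cpp(411) : virtual void WebCore::RenderSVGText::layout()
Program received signal SIGSEGV, Segmentation fault.
333\t    *(int *)(uintptr_t)0xbbadbeef = 0;
#0  0x00007ffff5ed507a in WTFCrash () at /home/reni2/data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:333
#1  0x00007ffff1a39ffe in WebCore::RenderSVGText::layout (this=0xfe7f70)
    at /home/reni2/data/REPOS/webkit_sec/Source/WebCore/rendering/svg/RenderSVGText.cpp:411
#2  0x00007ffff1a4646e in WebCore::SVGRenderSupport::layoutChildren (start=..., selfNeedsLayout=true)
"""

ASSERT_RE = re.compile(r"^ASSERTION FAILED: (?P<expr>.+)$", re.M)
SITE_RE = re.compile(r"^(?P<file>\S+)\((?P<line>\d+)\) : .+$", re.M)
FRAME_RE = re.compile(r"^#\d+\s+(?:0x[0-9a-f]+ in )?(?P<func>[\w:~<>]+) \(", re.M)
CRASH_HELPERS = {"WTFCrash"}   # frames that only deliver the crash
SENTINEL = "0xbbadbeef"        # address WTFCrash writes to, per the gdb listing


def triage(log):
    """Classify a debug-build crash log and derive a checkout-independent bucket."""
    assertion = ASSERT_RE.search(log)
    site = SITE_RE.search(log)
    frames = [m.group("func") for m in FRAME_RE.finditer(log)]
    culprit = next((f for f in frames if f not in CRASH_HELPERS), None)
    # A SIGSEGV whose top frame is the crash helper and whose faulting write
    # targets the sentinel is the assertion firing, not a wild memory access.
    deliberate = bool(frames) and frames[0] in CRASH_HELPERS and SENTINEL in log
    kind = "debug-assertion" if assertion and deliberate else "unclassified-crash"
    expr = assertion.group("expr") if assertion else "?"
    where = None
    if site:
        # Drop the reporter's checkout prefix so two machines produce the same key.
        where = site.group("file").split("/Source/", 1)[-1] + ":" + site.group("line")
    return {"kind": kind, "expression": expr, "culprit": culprit,
            "site": where, "bucket": f"{kind}:{expr}@{culprit}"}


if __name__ == "__main__":
    print(triage(SAMPLE))
```

Logs that come back as `unclassified-crash` lack either the assertion banner or the sentinel write and need a manual look.
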
Comment 1 Daniel Bates 2014-03-18 10:00:17 PDT
Created attachment 227062 [details]
Patch and Layout test
Comment 2 Andreas Kling 2014-03-18 11:28:25 PDT
Comment on attachment 227062 [details]
Patch and Layout test

Oh wow. Good catch :)
Comment 3 Daniel Bates 2014-03-18 12:50:08 PDT
Created attachment 227090 [details]
Patch and Layout tests
Comment 4 Daniel Bates 2014-03-18 12:52:24 PDT
(In reply to comment #3)
> Created an attachment (id=227090) [details]
> Patch and Layout tests

I added another layout test for an SVG <a> with display block. Notice that SVG <a> is an inline-level element when it's a child of <text> by default.
Comment 5 Andreas Kling 2014-03-18 12:54:28 PDT
Comment on attachment 227090 [details]
Patch and Layout tests

Even better! r=me
Comment 6 Daniel Bates 2014-03-18 12:59:38 PDT
Committed r165836: <http://trac.webkit.org/changeset/165836>