Bug 13771

Summary:

Assertion failure ASSERT(m_layer) when running Hamachi fuzz tester

Product:

WebKit

Reporter:

Anders Carlsson <andersca>

Component:

Layout and Rendering

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

mitz

Priority:

Version:

523.x (Safari 3)

Hardware:

Mac

OS:

OS X 10.4

Attachments:

Description	Flags
Reduction	none

Anders Carlsson

Reported 2007-05-18 05:10:29 PDT

0x01150c81 in WebCore::RenderFlow::paintLines (this=0x227a9bcc, paintInfo=@0xbfffbff8, tx=8, ty=41133) at /Volumes/Shared/WebKit/OpenSource/WebCore/rendering/RenderFlow.cpp:353 353 ASSERT(m_layer); // The only way a compact/run-in/inline could paint like this is if it has a layer. (gdb) bt #0 0x01150c81 in WebCore::RenderFlow::paintLines (this=0x227a9bcc, paintInfo=@0xbfffbff8, tx=8, ty=41133) at /Volumes/Shared/WebKit/OpenSource/WebCore/rendering/RenderFlow.cpp:353 #1 0x01153a3e in WebCore::RenderInline::paint (this=0x227a9bcc, paintInfo=@0xbfffbff8, tx=8, ty=41133) at /Volumes/Shared/WebKit/OpenSource/WebCore/rendering/RenderInline.cpp:278 #2 0x012768d8 in WebCore::RenderFrameSet::paint (this=0x227e328c, paintInfo=@0xbfffbff8, tx=8, ty=41133) at /Volumes/Shared/WebKit/OpenSource/WebCore/rendering/RenderFrameSet.cpp:143 #3 0x0112aca9 in WebCore::RenderBlock::paintChildren (this=0x17059aac, paintInfo=@0xbfffc178, tx=8, ty=289) at /Volumes/Shared/WebKit/OpenSource/WebCore/rendering/RenderBlock.cpp:1465 #4 0x0112aef1 in WebCore::RenderBlock::paintContents (this=0x17059aac, paintInfo=@0xbfffc178, tx=8, ty=289) at /Volumes/Shared/WebKit/OpenSource/WebCore/rendering/RenderBlock.cpp:1441 #5 0x01138c3a in WebCore::RenderBlock::paintObject (this=0x17059aac, paintInfo=@0xbfffc178, tx=8, ty=289) at /Volumes/Shared/WebKit/OpenSource/WebCore/rendering/RenderBlock.cpp:1523 #6 0x0112a8f8 in WebCore::RenderBlock::paint (this=0x17059aac, paintInfo=@0xbfffc178, tx=8, ty=289) at /Volumes/Shared/WebKit/OpenSource/WebCore/rendering/RenderBlock.cpp:1353 #7 0x0112aca9 in WebCore::RenderBlock::paintChildren (this=0x1700ac2c, paintInfo=@0xbfffc2f8, tx=8, ty=8) at /Volumes/Shared/WebKit/OpenSource/WebCore/rendering/RenderBlock.cpp:1465 #8 0x0112aef1 in WebCore::RenderBlock::paintContents (this=0x1700ac2c, paintInfo=@0xbfffc2f8, tx=8, ty=8) at /Volumes/Shared/WebKit/OpenSource/WebCore/rendering/RenderBlock.cpp:1441 #9 0x01138c3a in WebCore::RenderBlock::paintObject (this=0x1700ac2c, paintInfo=@0xbfffc2f8, tx=8, ty=8) at /Volumes/Shared/WebKit/OpenSource/WebCore/rendering/RenderBlock.cpp:1523 #10 0x0112a8f8 in WebCore::RenderBlock::paint (this=0x1700ac2c, paintInfo=@0xbfffc2f8, tx=8, ty=8) at /Volumes/Shared/WebKit/OpenSource/WebCore/rendering/RenderBlock.cpp:1353 #11 0x0112aca9 in WebCore::RenderBlock::paintChildren (this=0x17092abc, paintInfo=@0xbfffc494, tx=0, ty=0) at /Volumes/Shared/WebKit/OpenSource/WebCore/rendering/RenderBlock.cpp:1465 #12 0x0112aef1 in WebCore::RenderBlock::paintContents (this=0x17092abc, paintInfo=@0xbfffc494, tx=0, ty=0) at /Volumes/Shared/WebKit/OpenSource/WebCore/rendering/RenderBlock.cpp:1441 #13 0x01138c3a in WebCore::RenderBlock::paintObject (this=0x17092abc, paintInfo=@0xbfffc494, tx=0, ty=0) at /Volumes/Shared/WebKit/OpenSource/WebCore/rendering/RenderBlock.cpp:1523 #14 0x0112a8f8 in WebCore::RenderBlock::paint (this=0x17092abc, paintInfo=@0xbfffc494, tx=0, ty=0) at /Volumes/Shared/WebKit/OpenSource/WebCore/rendering/RenderBlock.cpp:1353 #15 0x0115e475 in WebCore::RenderLayer::paintLayer (this=0x170cdf3c, rootLayer=0x170c6a7c, p=0xbfffc6b4, paintDirtyRect=@0xbfffc6bc, haveTransparency=false, paintRestriction=WebCore::PaintRestrictionNone, paintingRoot=0x0) at /Volumes/Shared/WebKit/OpenSource/WebCore/rendering/RenderLayer.cpp:1501 #16 0x0115e633 in WebCore::RenderLayer::paintLayer (this=0x170c6a7c, rootLayer=0x170c6a7c, p=0xbfffc6b4, paintDirtyRect=@0xbfffc6bc, haveTransparency=false, paintRestriction=WebCore::PaintRestrictionNone, paintingRoot=0x0) at /Volumes/Shared/WebKit/OpenSource/WebCore/rendering/RenderLayer.cpp:1526 #17 0x0115e6f8 in WebCore::RenderLayer::paint (this=0x170c6a7c, p=0xbfffc6b4, damageRect=@0xbfffc6bc, paintRestriction=WebCore::PaintRestrictionNone, paintingRoot=0x0) at /Volumes/Shared/WebKit/OpenSource/WebCore/rendering/RenderLayer.cpp:1393 #18 0x010b722f in WebCore::Frame::paint (this=0x2970b90, p=0xbfffc6b4, rect=@0xbfffc6bc) at /Volumes/Shared/WebKit/OpenSource/WebCore/page/Frame.cpp:1302 #19 0x010d84d4 in -[WebCoreFrameBridge drawRect:] (self=0x298dab0, _cmd=0x90aa5bac, rect={origin = {x = 0, y = 41133}, size = {width = 1203, height = 681}}) at /Volumes/Shared/WebKit/OpenSource/WebCore/page/mac/WebCoreFrameBridge.mm:409 #20 0x0043c2d5 in -[WebHTMLView drawSingleRect:] (self=0x170bf600, _cmd=0x13fc2cc, rect={origin = {x = 0, y = 41133}, size = {width = 1203, height = 681}}) at /Volumes/Shared/WebKit/OpenSource/WebKit/WebView/WebHTMLView.mm:2635 #21 0x0043c6ab in -[WebHTMLView drawRect:] (self=0x170bf600, _cmd=0x90aa5bac, rect={origin = {x = 0, y = 41133}, size = {width = 1203, height = 681}}) at /Volumes/Shared/WebKit/OpenSource/WebKit/WebView/WebHTMLView.mm:2687 #22 0x9330c3b1 in -[NSView _drawRect:clip:] () #23 0x9330a893 in -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] () #24 0x00435a8f in -[WebHTMLView(WebPrivate) _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] (self=0x170bf600, _cmd=0x90a865e4, rect={origin = {x = 0, y = 41133}, size = {width = 1203, height = 681}}, isVisibleRect=1 '\001', visibleView=0x29839f0, topView=0 '\0') at /Volumes/Shared/WebKit/OpenSource/WebKit/WebView/WebHTMLView.mm:842 #25 0x9330b041 in -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] () #26 0x93309362 in -[NSView _displayRectIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:] () #27 0x93308c8e in -[NSView displayIfNeeded] () #28 0x932ff38b in -[NSClipView _immediateScrollToPoint:] () #29 0x93436d6a in -[NSScrollView scrollClipView:toPoint:] () #30 0x932ca32f in -[NSClipView _scrollTo:animate:] () #31 0x932c9e1b in -[NSClipView _scrollTo:] () #32 0x9330119f in -[NSClipView _scrollRectToVisible:fromView:] () #33 0x932b3e7c in -[NSView scrollRectToVisible:] () warning: internal error: no C/C++ fundamental type 1 #34 0x011fbc81 in WebCore::ScrollView::scrollRectIntoViewRecursively (this=0x2969c00, r=@0xbfffd59c) at /Volumes/Shared/WebKit/OpenSource/WebCore/platform/mac/ScrollViewMac.mm:195 #35 0x010c1310 in WebCore::FrameView::scrollRectIntoViewRecursively (this=0x2969c00, r=@0xbfffd59c) at /Volumes/Shared/WebKit/OpenSource/WebCore/page/FrameView.cpp:610 #36 0x0115b4e8 in WebCore::RenderLayer::scrollRectToVisible (this=0x170c6a7c, rect=@0xbfffd7cc, alignX=@0x15f386c, alignY=@0x15f3854) at /Volumes/Shared/WebKit/OpenSource/WebCore/rendering/RenderLayer.cpp:756 #37 0x0115b50e in WebCore::RenderLayer::scrollRectToVisible (this=0x170cdf3c, rect=@0xbfffd870, alignX=@0x15f386c, alignY=@0x15f3854) at /Volumes/Shared/WebKit/OpenSource/WebCore/rendering/RenderLayer.cpp:762 #38 0x01226791 in WebCore::Element::scrollIntoView (this=0x227e1e00, alignToTop=true) at /Volumes/Shared/WebKit/OpenSource/WebCore/dom/Element.cpp:210 #39 0x01218f84 in WebCore::JSElementPrototypeFunction::callAsFunction (this=0x173f51e0, exec=0xbfffdd74, thisObj=0x17933b00, args=@0xbfffdabc) at /Users/andersca/Build/Debug/DerivedSources/WebCore/JSElement.cpp:415 #40 0x006bdf2e in KJS::JSObject::call (this=0x173f51e0, exec=0xbfffdd74, thisObj=0x17933b00, args=@0xbfffdabc) at object.cpp:98 #41 0x006e753d in KJS::FunctionCallDotNode::evaluate (this=0x22916160, exec=0xbfffdd74) at nodes.cpp:790 #42 0x006b1efd in KJS::AssignExprNode::evaluate (this=0x229077b0, exec=0xbfffdd74) at nodes.cpp:1578 #43 0x006e5052 in KJS::VarDeclNode::evaluate (this=0x229133f0, exec=0xbfffdd74) at nodes.cpp:1596 #44 0x006e4f9b in KJS::VarDeclListNode::evaluate (this=0x22917280, exec=0xbfffdd74) at nodes.cpp:1643 #45 0x006e4df9 in KJS::VarStatementNode::execute (this=0x22915550, exec=0xbfffdd74) at nodes.cpp:1667 #46 0x006e1e6b in KJS::SourceElementsNode::execute (this=0x22915da0, exec=0xbfffdd74) at nodes.cpp:2522 #47 0x006baa94 in KJS::BlockNode::execute (this=0x223cbef0, exec=0xbfffdd74) at nodes.cpp:1699 #48 0x006e0144 in KJS::GlobalFuncImp::callAsFunction (this=0x17371b00, exec=0xbfffe43c, args=@0xbfffde84) at function.cpp:803 #49 0x006bdf2e in KJS::JSObject::call (this=0x17371b00, exec=0xbfffe43c, thisObj=0x17370000, args=@0xbfffde84) at object.cpp:98 #50 0x006e7bbf in KJS::FunctionCallResolveNode::evaluate (this=0x170bc630, exec=0xbfffe43c) at nodes.cpp:694 #51 0x006e4c93 in KJS::ExprStatementNode::execute (this=0x170bc640, exec=0xbfffe43c) at nodes.cpp:1723 #52 0x006e1e6b in KJS::SourceElementsNode::execute (this=0x170bc660, exec=0xbfffe43c) at nodes.cpp:2522 #53 0x006baa94 in KJS::BlockNode::execute (this=0x170bc680, exec=0xbfffe43c) at nodes.cpp:1699 #54 0x006d5ee5 in KJS::TryNode::execute (this=0x170bc6d0, exec=0xbfffe43c) at nodes.cpp:2344 #55 0x006e1f76 in KJS::SourceElementsNode::execute (this=0x170c7a40, exec=0xbfffe43c) at nodes.cpp:2528 #56 0x006baa94 in KJS::BlockNode::execute (this=0x170f5960, exec=0xbfffe43c) at nodes.cpp:1699 #57 0x006e4b9d in KJS::IfNode::execute (this=0x170f5980, exec=0xbfffe43c) at nodes.cpp:1742 #58 0x006e1e6b in KJS::SourceElementsNode::execute (this=0x170f59a0, exec=0xbfffe43c) at nodes.cpp:2522 #59 0x006baa94 in KJS::BlockNode::execute (this=0x170f59c0, exec=0xbfffe43c) at nodes.cpp:1699 #60 0x006e38cf in KJS::ForInNode::execute (this=0x170f59e0, exec=0xbfffe43c) at nodes.cpp:1999 #61 0x006e1e6b in KJS::SourceElementsNode::execute (this=0x170f5a30, exec=0xbfffe43c) at nodes.cpp:2522 #62 0x006baa94 in KJS::BlockNode::execute (this=0x170d2c50, exec=0xbfffe43c) at nodes.cpp:1699 #63 0x006bab5f in KJS::DeclaredFunctionImp::execute (this=0x173710c0, exec=0xbfffe43c) at function.cpp:317 #64 0x006d5c85 in KJS::FunctionImp::callAsFunction (this=0x173710c0, exec=0xbfffe99c, thisObj=0x17370000, args=@0xbfffe4f4) at function.cpp:104 #65 0x006bdf2e in KJS::JSObject::call (this=0x173710c0, exec=0xbfffe99c, thisObj=0x17370000, args=@0xbfffe4f4) at object.cpp:98 #66 0x006e7bbf in KJS::FunctionCallResolveNode::evaluate (this=0x1709c9e0, exec=0xbfffe99c) at nodes.cpp:694 #67 0x006e4c93 in KJS::ExprStatementNode::execute (this=0x1709c9f0, exec=0xbfffe99c) at nodes.cpp:1723 #68 0x006e1f76 in KJS::SourceElementsNode::execute (this=0x1709f8c0, exec=0xbfffe99c) at nodes.cpp:2528 #69 0x006baa94 in KJS::BlockNode::execute (this=0x17086740, exec=0xbfffe99c) at nodes.cpp:1699 #70 0x006e4b9d in KJS::IfNode::execute (this=0x17086760, exec=0xbfffe99c) at nodes.cpp:1742 #71 0x006e1f76 in KJS::SourceElementsNode::execute (this=0x170dcc50, exec=0xbfffe99c) at nodes.cpp:2528 #72 0x006baa94 in KJS::BlockNode::execute (this=0x170867a0, exec=0xbfffe99c) at nodes.cpp:1699 #73 0x006e38cf in KJS::ForInNode::execute (this=0x170867c0, exec=0xbfffe99c) at nodes.cpp:1999 #74 0x006e1f76 in KJS::SourceElementsNode::execute (this=0x170dcb00, exec=0xbfffe99c) at nodes.cpp:2528 #75 0x006baa94 in KJS::BlockNode::execute (this=0x1701d540, exec=0xbfffe99c) at nodes.cpp:1699 #76 0x006bab5f in KJS::DeclaredFunctionImp::execute (this=0x17370f80, exec=0xbfffe99c) at function.cpp:317 #77 0x006d5c85 in KJS::FunctionImp::callAsFunction (this=0x17370f80, exec=0xbfffec4c, thisObj=0x17370000, args=@0xbfffea54) at function.cpp:104 #78 0x006bdf2e in KJS::JSObject::call (this=0x17370f80, exec=0xbfffec4c, thisObj=0x17370000, args=@0xbfffea54) at object.cpp:98 #79 0x006e7bbf in KJS::FunctionCallResolveNode::evaluate (this=0x17037df0, exec=0xbfffec4c) at nodes.cpp:694 #80 0x006e4c93 in KJS::ExprStatementNode::execute (this=0x17037e00, exec=0xbfffec4c) at nodes.cpp:1723 #81 0x006e1f76 in KJS::SourceElementsNode::execute (this=0x17033b50, exec=0xbfffec4c) at nodes.cpp:2528 #82 0x006baa94 in KJS::BlockNode::execute (this=0x17038480, exec=0xbfffec4c) at nodes.cpp:1699 #83 0x006bab5f in KJS::DeclaredFunctionImp::execute (this=0x17370f00, exec=0xbfffec4c) at function.cpp:317 #84 0x006d5c85 in KJS::FunctionImp::callAsFunction (this=0x17370f00, exec=0xbfffeefc, thisObj=0x17370000, args=@0xbfffed04) at function.cpp:104 #85 0x006bdf2e in KJS::JSObject::call (this=0x17370f00, exec=0xbfffeefc, thisObj=0x17370000, args=@0xbfffed04) at object.cpp:98 #86 0x006e7bbf in KJS::FunctionCallResolveNode::evaluate (this=0x17069120, exec=0xbfffeefc) at nodes.cpp:694 #87 0x006e4c93 in KJS::ExprStatementNode::execute (this=0x17027ef0, exec=0xbfffeefc) at nodes.cpp:1723 #88 0x006e1e6b in KJS::SourceElementsNode::execute (this=0x29f6fe0, exec=0xbfffeefc) at nodes.cpp:2522 #89 0x006baa94 in KJS::BlockNode::execute (this=0x17020460, exec=0xbfffeefc) at nodes.cpp:1699 #90 0x006bab5f in KJS::DeclaredFunctionImp::execute (this=0x1737ad00, exec=0xbfffeefc) at function.cpp:317 #91 0x006d5c85 in KJS::FunctionImp::callAsFunction (this=0x1737ad00, exec=0x170cb2cc, thisObj=0x1737ad40, args=@0xbfffefc0) at function.cpp:104 #92 0x006bdf2e in KJS::JSObject::call (this=0x1737ad00, exec=0x170cb2cc, thisObj=0x1737ad40, args=@0xbfffefc0) at object.cpp:98 #93 0x0123dfa4 in KJS::JSAbstractEventListener::handleEvent (this=0x17057770, ele=0x294e1d0, isWindowEvent=false) at /Volumes/Shared/WebKit/OpenSource/WebCore/bindings/js/kjs_events.cpp:127 #94 0x012081d6 in WebCore::EventTargetNode::handleLocalEvents (this=0x17057690, evt=0x294e1d0, useCapture=false) at /Volumes/Shared/WebKit/OpenSource/WebCore/dom/EventTargetNode.cpp:168 #95 0x012089e3 in WebCore::EventTargetNode::dispatchGenericEvent (this=0x17057690, e=@0xbffff14c, tempEvent=true) at /Volumes/Shared/WebKit/OpenSource/WebCore/dom/EventTargetNode.cpp:222 #96 0x0120a645 in WebCore::EventTargetNode::dispatchEvent (this=0x17057690, e=@0xbffff19c, ec=@0xbffff274, tempEvent=true, target=0x170576b4) at /Volumes/Shared/WebKit/OpenSource/WebCore/dom/EventTargetNode.cpp:308 #97 0x0120a6c1 in WebCore::EventTargetNode::dispatchEvent (this=0x17057690, e=@0xbffff280, ec=@0xbffff274, tempEvent=true) at /Volumes/Shared/WebKit/OpenSource/WebCore/dom/EventTargetNode.cpp:292 #98 0x01209479 in WebCore::EventTargetNode::dispatchMouseEvent (this=0x17057690, eventType=@0x165aaac, button=0, detail=1, pageX=42, pageY=267, screenX=84, screenY=387, ctrlKey=false, altKey=false, shiftKey=false, metaKey=false, isSimulated=false, relatedTargetArg=0x0, underlyingEvent=@0xbffff324) at /Volumes/Shared/WebKit/OpenSource/WebCore/dom/EventTargetNode.cpp:470 #99 0x01209b86 in WebCore::EventTargetNode::dispatchMouseEvent (this=0x17057690, event=@0xbffff4c0, eventType=@0x165aaac, detail=1, relatedTarget=0x0) at /Volumes/Shared/WebKit/OpenSource/WebCore/dom/EventTargetNode.cpp:397 #100 0x013b6098 in WebCore::EventHandler::dispatchMouseEvent (this=0x204e910, eventType=@0x165aaac, targetNode=0x17057690, cancelable=true, clickCount=1, mouseEvent=@0xbffff4c0, setUnder=true) at /Volumes/Shared/WebKit/OpenSource/WebCore/page/EventHandler.cpp:1157 #101 0x013b6851 in WebCore::EventHandler::handleMouseReleaseEvent (this=0x204e910, mouseEvent=@0xbffff4c0) at /Volumes/Shared/WebKit/OpenSource/WebCore/page/EventHandler.cpp:991 warning: internal error: no C/C++ fundamental type 1 #102 0x013afbe9 in WebCore::EventHandler::mouseUp (this=0x204e910, event=0x29f0120) at /Volumes/Shared/WebKit/OpenSource/WebCore/page/mac/EventHandlerMac.mm:519 #103 0x0043dbf1 in -[WebHTMLView mouseUp:] (self=0x170bf600, _cmd=0x90ab6cd8, event=0x29f0120) at /Volumes/Shared/WebKit/OpenSource/WebKit/WebView/WebHTMLView.mm:3004 #104 0x9336a42b in -[NSWindow sendEvent:] () #105 0x000aed78 in -[Window sendEvent:] (self=0x29e9150, _cmd=0x90ac24c4, event=0x29f0120) at /Volumes/Shared/WebKit/Internal/WebBrowser/Window.m:84 #106 0x9335c350 in -[NSApplication sendEvent:] () #107 0x000224d9 in -[BrowserApplication sendEvent:] (self=0x291f680, _cmd=0x90ac24c4, event=0x29f0120) at /Volumes/Shared/WebKit/Internal/WebBrowser/BrowserApplication.m:142 #108 0x93286dfe in -[NSApplication run] () #109 0x9327ad2f in NSApplicationMain () #110 0x000a9d33 in main (argc=1, argv=0xbffff984) at /Volumes/Shared/WebKit/Internal/WebBrowser/main.m:26 Current language: auto; currently c++

Attachments
Reduction (361 bytes, text/html) 2007-05-18 05:11 PDT, Anders Carlsson	no flags	Details
View All Add attachment proposed patch, testcase, etc.

Anders Carlsson

Comment 1 2007-05-18 05:11:51 PDT

Created attachment 14603 [details] Reduction It's happening because the frameset has an inline child

Anders Carlsson

Comment 2 2007-05-19 06:38:50 PDT

Committed revision 21600.

Note You need to log in before you can comment on or make changes to this bug.