Bug 13771

Summary: Assertion failure ASSERT(m_layer) when running Hamachi fuzz tester
Product: WebKit Reporter: Anders Carlsson <andersca>
Component: Layout and Rendering    Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: mitz
Priority: P1    
Version: 523.x (Safari 3)   
Hardware: Mac   
OS: OS X 10.4   
Attachments:
Description Flags
Reduction none

Description Anders Carlsson 2007-05-18 05:10:29 PDT
0x01150c81 in WebCore::RenderFlow::paintLines (this=0x227a9bcc, paintInfo=@0xbfffbff8, tx=8, ty=41133) at /Volumes/Shared/WebKit/OpenSource/WebCore/rendering/RenderFlow.cpp:353
353             ASSERT(m_layer); // The only way a compact/run-in/inline could paint like this is if it has a layer.
(gdb) bt
#0  0x01150c81 in WebCore::RenderFlow::paintLines (this=0x227a9bcc, paintInfo=@0xbfffbff8, tx=8, ty=41133) at /Volumes/Shared/WebKit/OpenSource/WebCore/rendering/RenderFlow.cpp:353
#1  0x01153a3e in WebCore::RenderInline::paint (this=0x227a9bcc, paintInfo=@0xbfffbff8, tx=8, ty=41133) at /Volumes/Shared/WebKit/OpenSource/WebCore/rendering/RenderInline.cpp:278
#2  0x012768d8 in WebCore::RenderFrameSet::paint (this=0x227e328c, paintInfo=@0xbfffbff8, tx=8, ty=41133) at /Volumes/Shared/WebKit/OpenSource/WebCore/rendering/RenderFrameSet.cpp:143
#3  0x0112aca9 in WebCore::RenderBlock::paintChildren (this=0x17059aac, paintInfo=@0xbfffc178, tx=8, ty=289) at /Volumes/Shared/WebKit/OpenSource/WebCore/rendering/RenderBlock.cpp:1465
#4  0x0112aef1 in WebCore::RenderBlock::paintContents (this=0x17059aac, paintInfo=@0xbfffc178, tx=8, ty=289) at /Volumes/Shared/WebKit/OpenSource/WebCore/rendering/RenderBlock.cpp:1441
#5  0x01138c3a in WebCore::RenderBlock::paintObject (this=0x17059aac, paintInfo=@0xbfffc178, tx=8, ty=289) at /Volumes/Shared/WebKit/OpenSource/WebCore/rendering/RenderBlock.cpp:1523
#6  0x0112a8f8 in WebCore::RenderBlock::paint (this=0x17059aac, paintInfo=@0xbfffc178, tx=8, ty=289) at /Volumes/Shared/WebKit/OpenSource/WebCore/rendering/RenderBlock.cpp:1353
#7  0x0112aca9 in WebCore::RenderBlock::paintChildren (this=0x1700ac2c, paintInfo=@0xbfffc2f8, tx=8, ty=8) at /Volumes/Shared/WebKit/OpenSource/WebCore/rendering/RenderBlock.cpp:1465
#8  0x0112aef1 in WebCore::RenderBlock::paintContents (this=0x1700ac2c, paintInfo=@0xbfffc2f8, tx=8, ty=8) at /Volumes/Shared/WebKit/OpenSource/WebCore/rendering/RenderBlock.cpp:1441
#9  0x01138c3a in WebCore::RenderBlock::paintObject (this=0x1700ac2c, paintInfo=@0xbfffc2f8, tx=8, ty=8) at /Volumes/Shared/WebKit/OpenSource/WebCore/rendering/RenderBlock.cpp:1523
#10 0x0112a8f8 in WebCore::RenderBlock::paint (this=0x1700ac2c, paintInfo=@0xbfffc2f8, tx=8, ty=8) at /Volumes/Shared/WebKit/OpenSource/WebCore/rendering/RenderBlock.cpp:1353
#11 0x0112aca9 in WebCore::RenderBlock::paintChildren (this=0x17092abc, paintInfo=@0xbfffc494, tx=0, ty=0) at /Volumes/Shared/WebKit/OpenSource/WebCore/rendering/RenderBlock.cpp:1465
#12 0x0112aef1 in WebCore::RenderBlock::paintContents (this=0x17092abc, paintInfo=@0xbfffc494, tx=0, ty=0) at /Volumes/Shared/WebKit/OpenSource/WebCore/rendering/RenderBlock.cpp:1441
#13 0x01138c3a in WebCore::RenderBlock::paintObject (this=0x17092abc, paintInfo=@0xbfffc494, tx=0, ty=0) at /Volumes/Shared/WebKit/OpenSource/WebCore/rendering/RenderBlock.cpp:1523
#14 0x0112a8f8 in WebCore::RenderBlock::paint (this=0x17092abc, paintInfo=@0xbfffc494, tx=0, ty=0) at /Volumes/Shared/WebKit/OpenSource/WebCore/rendering/RenderBlock.cpp:1353
#15 0x0115e475 in WebCore::RenderLayer::paintLayer (this=0x170cdf3c, rootLayer=0x170c6a7c, p=0xbfffc6b4, paintDirtyRect=@0xbfffc6bc, haveTransparency=false, paintRestriction=WebCore::PaintRestrictionNone, paintingRoot=0x0) at /Volumes/Shared/WebKit/OpenSource/WebCore/rendering/RenderLayer.cpp:1501
#16 0x0115e633 in WebCore::RenderLayer::paintLayer (this=0x170c6a7c, rootLayer=0x170c6a7c, p=0xbfffc6b4, paintDirtyRect=@0xbfffc6bc, haveTransparency=false, paintRestriction=WebCore::PaintRestrictionNone, paintingRoot=0x0) at /Volumes/Shared/WebKit/OpenSource/WebCore/rendering/RenderLayer.cpp:1526
#17 0x0115e6f8 in WebCore::RenderLayer::paint (this=0x170c6a7c, p=0xbfffc6b4, damageRect=@0xbfffc6bc, paintRestriction=WebCore::PaintRestrictionNone, paintingRoot=0x0) at /Volumes/Shared/WebKit/OpenSource/WebCore/rendering/RenderLayer.cpp:1393
#18 0x010b722f in WebCore::Frame::paint (this=0x2970b90, p=0xbfffc6b4, rect=@0xbfffc6bc) at /Volumes/Shared/WebKit/OpenSource/WebCore/page/Frame.cpp:1302
#19 0x010d84d4 in -[WebCoreFrameBridge drawRect:] (self=0x298dab0, _cmd=0x90aa5bac, rect={origin = {x = 0, y = 41133}, size = {width = 1203, height = 681}}) at /Volumes/Shared/WebKit/OpenSource/WebCore/page/mac/WebCoreFrameBridge.mm:409
#20 0x0043c2d5 in -[WebHTMLView drawSingleRect:] (self=0x170bf600, _cmd=0x13fc2cc, rect={origin = {x = 0, y = 41133}, size = {width = 1203, height = 681}}) at /Volumes/Shared/WebKit/OpenSource/WebKit/WebView/WebHTMLView.mm:2635
#21 0x0043c6ab in -[WebHTMLView drawRect:] (self=0x170bf600, _cmd=0x90aa5bac, rect={origin = {x = 0, y = 41133}, size = {width = 1203, height = 681}}) at /Volumes/Shared/WebKit/OpenSource/WebKit/WebView/WebHTMLView.mm:2687
#22 0x9330c3b1 in -[NSView _drawRect:clip:] ()
#23 0x9330a893 in -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] ()
#24 0x00435a8f in -[WebHTMLView(WebPrivate) _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] (self=0x170bf600, _cmd=0x90a865e4, rect={origin = {x = 0, y = 41133}, size = {width = 1203, height = 681}}, isVisibleRect=1 '\001', visibleView=0x29839f0, topView=0 '\0') at /Volumes/Shared/WebKit/OpenSource/WebKit/WebView/WebHTMLView.mm:842
#25 0x9330b041 in -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] ()
#26 0x93309362 in -[NSView _displayRectIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:] ()
#27 0x93308c8e in -[NSView displayIfNeeded] ()
#28 0x932ff38b in -[NSClipView _immediateScrollToPoint:] ()
#29 0x93436d6a in -[NSScrollView scrollClipView:toPoint:] ()
#30 0x932ca32f in -[NSClipView _scrollTo:animate:] ()
#31 0x932c9e1b in -[NSClipView _scrollTo:] ()
#32 0x9330119f in -[NSClipView _scrollRectToVisible:fromView:] ()
#33 0x932b3e7c in -[NSView scrollRectToVisible:] ()
warning: internal error: no C/C++ fundamental type 1
#34 0x011fbc81 in WebCore::ScrollView::scrollRectIntoViewRecursively (this=0x2969c00, r=@0xbfffd59c) at /Volumes/Shared/WebKit/OpenSource/WebCore/platform/mac/ScrollViewMac.mm:195
#35 0x010c1310 in WebCore::FrameView::scrollRectIntoViewRecursively (this=0x2969c00, r=@0xbfffd59c) at /Volumes/Shared/WebKit/OpenSource/WebCore/page/FrameView.cpp:610
#36 0x0115b4e8 in WebCore::RenderLayer::scrollRectToVisible (this=0x170c6a7c, rect=@0xbfffd7cc, alignX=@0x15f386c, alignY=@0x15f3854) at /Volumes/Shared/WebKit/OpenSource/WebCore/rendering/RenderLayer.cpp:756
#37 0x0115b50e in WebCore::RenderLayer::scrollRectToVisible (this=0x170cdf3c, rect=@0xbfffd870, alignX=@0x15f386c, alignY=@0x15f3854) at /Volumes/Shared/WebKit/OpenSource/WebCore/rendering/RenderLayer.cpp:762
#38 0x01226791 in WebCore::Element::scrollIntoView (this=0x227e1e00, alignToTop=true) at /Volumes/Shared/WebKit/OpenSource/WebCore/dom/Element.cpp:210
#39 0x01218f84 in WebCore::JSElementPrototypeFunction::callAsFunction (this=0x173f51e0, exec=0xbfffdd74, thisObj=0x17933b00, args=@0xbfffdabc) at /Users/andersca/Build/Debug/DerivedSources/WebCore/JSElement.cpp:415
#40 0x006bdf2e in KJS::JSObject::call (this=0x173f51e0, exec=0xbfffdd74, thisObj=0x17933b00, args=@0xbfffdabc) at object.cpp:98
#41 0x006e753d in KJS::FunctionCallDotNode::evaluate (this=0x22916160, exec=0xbfffdd74) at nodes.cpp:790
#42 0x006b1efd in KJS::AssignExprNode::evaluate (this=0x229077b0, exec=0xbfffdd74) at nodes.cpp:1578
#43 0x006e5052 in KJS::VarDeclNode::evaluate (this=0x229133f0, exec=0xbfffdd74) at nodes.cpp:1596
#44 0x006e4f9b in KJS::VarDeclListNode::evaluate (this=0x22917280, exec=0xbfffdd74) at nodes.cpp:1643
#45 0x006e4df9 in KJS::VarStatementNode::execute (this=0x22915550, exec=0xbfffdd74) at nodes.cpp:1667
#46 0x006e1e6b in KJS::SourceElementsNode::execute (this=0x22915da0, exec=0xbfffdd74) at nodes.cpp:2522
#47 0x006baa94 in KJS::BlockNode::execute (this=0x223cbef0, exec=0xbfffdd74) at nodes.cpp:1699
#48 0x006e0144 in KJS::GlobalFuncImp::callAsFunction (this=0x17371b00, exec=0xbfffe43c, args=@0xbfffde84) at function.cpp:803
#49 0x006bdf2e in KJS::JSObject::call (this=0x17371b00, exec=0xbfffe43c, thisObj=0x17370000, args=@0xbfffde84) at object.cpp:98
#50 0x006e7bbf in KJS::FunctionCallResolveNode::evaluate (this=0x170bc630, exec=0xbfffe43c) at nodes.cpp:694
#51 0x006e4c93 in KJS::ExprStatementNode::execute (this=0x170bc640, exec=0xbfffe43c) at nodes.cpp:1723
#52 0x006e1e6b in KJS::SourceElementsNode::execute (this=0x170bc660, exec=0xbfffe43c) at nodes.cpp:2522
#53 0x006baa94 in KJS::BlockNode::execute (this=0x170bc680, exec=0xbfffe43c) at nodes.cpp:1699
#54 0x006d5ee5 in KJS::TryNode::execute (this=0x170bc6d0, exec=0xbfffe43c) at nodes.cpp:2344
#55 0x006e1f76 in KJS::SourceElementsNode::execute (this=0x170c7a40, exec=0xbfffe43c) at nodes.cpp:2528
#56 0x006baa94 in KJS::BlockNode::execute (this=0x170f5960, exec=0xbfffe43c) at nodes.cpp:1699
#57 0x006e4b9d in KJS::IfNode::execute (this=0x170f5980, exec=0xbfffe43c) at nodes.cpp:1742
#58 0x006e1e6b in KJS::SourceElementsNode::execute (this=0x170f59a0, exec=0xbfffe43c) at nodes.cpp:2522
#59 0x006baa94 in KJS::BlockNode::execute (this=0x170f59c0, exec=0xbfffe43c) at nodes.cpp:1699
#60 0x006e38cf in KJS::ForInNode::execute (this=0x170f59e0, exec=0xbfffe43c) at nodes.cpp:1999
#61 0x006e1e6b in KJS::SourceElementsNode::execute (this=0x170f5a30, exec=0xbfffe43c) at nodes.cpp:2522
#62 0x006baa94 in KJS::BlockNode::execute (this=0x170d2c50, exec=0xbfffe43c) at nodes.cpp:1699
#63 0x006bab5f in KJS::DeclaredFunctionImp::execute (this=0x173710c0, exec=0xbfffe43c) at function.cpp:317
#64 0x006d5c85 in KJS::FunctionImp::callAsFunction (this=0x173710c0, exec=0xbfffe99c, thisObj=0x17370000, args=@0xbfffe4f4) at function.cpp:104
#65 0x006bdf2e in KJS::JSObject::call (this=0x173710c0, exec=0xbfffe99c, thisObj=0x17370000, args=@0xbfffe4f4) at object.cpp:98
#66 0x006e7bbf in KJS::FunctionCallResolveNode::evaluate (this=0x1709c9e0, exec=0xbfffe99c) at nodes.cpp:694
#67 0x006e4c93 in KJS::ExprStatementNode::execute (this=0x1709c9f0, exec=0xbfffe99c) at nodes.cpp:1723
#68 0x006e1f76 in KJS::SourceElementsNode::execute (this=0x1709f8c0, exec=0xbfffe99c) at nodes.cpp:2528
#69 0x006baa94 in KJS::BlockNode::execute (this=0x17086740, exec=0xbfffe99c) at nodes.cpp:1699
#70 0x006e4b9d in KJS::IfNode::execute (this=0x17086760, exec=0xbfffe99c) at nodes.cpp:1742
#71 0x006e1f76 in KJS::SourceElementsNode::execute (this=0x170dcc50, exec=0xbfffe99c) at nodes.cpp:2528
#72 0x006baa94 in KJS::BlockNode::execute (this=0x170867a0, exec=0xbfffe99c) at nodes.cpp:1699
#73 0x006e38cf in KJS::ForInNode::execute (this=0x170867c0, exec=0xbfffe99c) at nodes.cpp:1999
#74 0x006e1f76 in KJS::SourceElementsNode::execute (this=0x170dcb00, exec=0xbfffe99c) at nodes.cpp:2528
#75 0x006baa94 in KJS::BlockNode::execute (this=0x1701d540, exec=0xbfffe99c) at nodes.cpp:1699
#76 0x006bab5f in KJS::DeclaredFunctionImp::execute (this=0x17370f80, exec=0xbfffe99c) at function.cpp:317
#77 0x006d5c85 in KJS::FunctionImp::callAsFunction (this=0x17370f80, exec=0xbfffec4c, thisObj=0x17370000, args=@0xbfffea54) at function.cpp:104
#78 0x006bdf2e in KJS::JSObject::call (this=0x17370f80, exec=0xbfffec4c, thisObj=0x17370000, args=@0xbfffea54) at object.cpp:98
#79 0x006e7bbf in KJS::FunctionCallResolveNode::evaluate (this=0x17037df0, exec=0xbfffec4c) at nodes.cpp:694
#80 0x006e4c93 in KJS::ExprStatementNode::execute (this=0x17037e00, exec=0xbfffec4c) at nodes.cpp:1723
#81 0x006e1f76 in KJS::SourceElementsNode::execute (this=0x17033b50, exec=0xbfffec4c) at nodes.cpp:2528
#82 0x006baa94 in KJS::BlockNode::execute (this=0x17038480, exec=0xbfffec4c) at nodes.cpp:1699
#83 0x006bab5f in KJS::DeclaredFunctionImp::execute (this=0x17370f00, exec=0xbfffec4c) at function.cpp:317
#84 0x006d5c85 in KJS::FunctionImp::callAsFunction (this=0x17370f00, exec=0xbfffeefc, thisObj=0x17370000, args=@0xbfffed04) at function.cpp:104
#85 0x006bdf2e in KJS::JSObject::call (this=0x17370f00, exec=0xbfffeefc, thisObj=0x17370000, args=@0xbfffed04) at object.cpp:98
#86 0x006e7bbf in KJS::FunctionCallResolveNode::evaluate (this=0x17069120, exec=0xbfffeefc) at nodes.cpp:694
#87 0x006e4c93 in KJS::ExprStatementNode::execute (this=0x17027ef0, exec=0xbfffeefc) at nodes.cpp:1723
#88 0x006e1e6b in KJS::SourceElementsNode::execute (this=0x29f6fe0, exec=0xbfffeefc) at nodes.cpp:2522
#89 0x006baa94 in KJS::BlockNode::execute (this=0x17020460, exec=0xbfffeefc) at nodes.cpp:1699
#90 0x006bab5f in KJS::DeclaredFunctionImp::execute (this=0x1737ad00, exec=0xbfffeefc) at function.cpp:317
#91 0x006d5c85 in KJS::FunctionImp::callAsFunction (this=0x1737ad00, exec=0x170cb2cc, thisObj=0x1737ad40, args=@0xbfffefc0) at function.cpp:104
#92 0x006bdf2e in KJS::JSObject::call (this=0x1737ad00, exec=0x170cb2cc, thisObj=0x1737ad40, args=@0xbfffefc0) at object.cpp:98
#93 0x0123dfa4 in KJS::JSAbstractEventListener::handleEvent (this=0x17057770, ele=0x294e1d0, isWindowEvent=false) at /Volumes/Shared/WebKit/OpenSource/WebCore/bindings/js/kjs_events.cpp:127
#94 0x012081d6 in WebCore::EventTargetNode::handleLocalEvents (this=0x17057690, evt=0x294e1d0, useCapture=false) at /Volumes/Shared/WebKit/OpenSource/WebCore/dom/EventTargetNode.cpp:168
#95 0x012089e3 in WebCore::EventTargetNode::dispatchGenericEvent (this=0x17057690, e=@0xbffff14c, tempEvent=true) at /Volumes/Shared/WebKit/OpenSource/WebCore/dom/EventTargetNode.cpp:222
#96 0x0120a645 in WebCore::EventTargetNode::dispatchEvent (this=0x17057690, e=@0xbffff19c, ec=@0xbffff274, tempEvent=true, target=0x170576b4) at /Volumes/Shared/WebKit/OpenSource/WebCore/dom/EventTargetNode.cpp:308
#97 0x0120a6c1 in WebCore::EventTargetNode::dispatchEvent (this=0x17057690, e=@0xbffff280, ec=@0xbffff274, tempEvent=true) at /Volumes/Shared/WebKit/OpenSource/WebCore/dom/EventTargetNode.cpp:292
#98 0x01209479 in WebCore::EventTargetNode::dispatchMouseEvent (this=0x17057690, eventType=@0x165aaac, button=0, detail=1, pageX=42, pageY=267, screenX=84, screenY=387, ctrlKey=false, altKey=false, shiftKey=false, metaKey=false, isSimulated=false, relatedTargetArg=0x0, underlyingEvent=@0xbffff324) at /Volumes/Shared/WebKit/OpenSource/WebCore/dom/EventTargetNode.cpp:470
#99 0x01209b86 in WebCore::EventTargetNode::dispatchMouseEvent (this=0x17057690, event=@0xbffff4c0, eventType=@0x165aaac, detail=1, relatedTarget=0x0) at /Volumes/Shared/WebKit/OpenSource/WebCore/dom/EventTargetNode.cpp:397
#100 0x013b6098 in WebCore::EventHandler::dispatchMouseEvent (this=0x204e910, eventType=@0x165aaac, targetNode=0x17057690, cancelable=true, clickCount=1, mouseEvent=@0xbffff4c0, setUnder=true) at /Volumes/Shared/WebKit/OpenSource/WebCore/page/EventHandler.cpp:1157
#101 0x013b6851 in WebCore::EventHandler::handleMouseReleaseEvent (this=0x204e910, mouseEvent=@0xbffff4c0) at /Volumes/Shared/WebKit/OpenSource/WebCore/page/EventHandler.cpp:991
warning: internal error: no C/C++ fundamental type 1
#102 0x013afbe9 in WebCore::EventHandler::mouseUp (this=0x204e910, event=0x29f0120) at /Volumes/Shared/WebKit/OpenSource/WebCore/page/mac/EventHandlerMac.mm:519
#103 0x0043dbf1 in -[WebHTMLView mouseUp:] (self=0x170bf600, _cmd=0x90ab6cd8, event=0x29f0120) at /Volumes/Shared/WebKit/OpenSource/WebKit/WebView/WebHTMLView.mm:3004
#104 0x9336a42b in -[NSWindow sendEvent:] ()
#105 0x000aed78 in -[Window sendEvent:] (self=0x29e9150, _cmd=0x90ac24c4, event=0x29f0120) at /Volumes/Shared/WebKit/Internal/WebBrowser/Window.m:84
#106 0x9335c350 in -[NSApplication sendEvent:] ()
#107 0x000224d9 in -[BrowserApplication sendEvent:] (self=0x291f680, _cmd=0x90ac24c4, event=0x29f0120) at /Volumes/Shared/WebKit/Internal/WebBrowser/BrowserApplication.m:142
#108 0x93286dfe in -[NSApplication run] ()
#109 0x9327ad2f in NSApplicationMain ()
#110 0x000a9d33 in main (argc=1, argv=0xbffff984) at /Volumes/Shared/WebKit/Internal/WebBrowser/main.m:26
Current language:  auto; currently c++
Comment 1 Anders Carlsson 2007-05-18 05:11:51 PDT
Created attachment 14603 [details]
Reduction

It's happening because the frameset has an inline child.
Comment 2 Anders Carlsson 2007-05-19 06:38:50 PDT
Committed revision 21600.