Bug 14118

Summary: ASSERTION FAILED: !needsLayout() seen again
Product: WebKit
Reporter: David Kilzer (:ddkilzer) <ddkilzer>
Component: Layout and Rendering
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: ap, bdakin, hyatt, mitz
Priority: P2
Keywords: NeedsReduction
Version: 523.x (Safari 3)
Hardware: Mac
OS: OS X 10.4
URL: http://www.eharmony.com/
Attachments:
  Possible fix (flags: none)
  Test case (will ASSERT) (flags: none)
  Remove midLayout guards around non-layout calls (flags: bdakin: review+)

David Kilzer (:ddkilzer)
Reported 2007-06-13 06:17:03 PDT
* SUMMARY
I hit an assertion failure logging into eHarmony.com last night. It's the same assertion failure as the one from Bug 13155. I was running Safari 3.0 beta with a local debug build of WebKit r22098 on Mac OS X 10.4.9 (8P135).

* STEPS TO REPRODUCE
1. Launch Safari/WebKit.
2. Go to URL: http://www.eharmony.com/
3. Enter username and password, then click Submit.

NOTE: These steps are in theory; I haven't tried yet!

* NOTES
Console output:
ASSERTION FAILED: !needsLayout()
(/path/to/WebKit/WebCore/rendering/RenderView.cpp:139 virtual void WebCore::RenderView::paint(WebCore::RenderObject::PaintInfo&, int, int))
Segmentation fault

Stack trace:
Version: 3.0 (522.11)
Build Version: 2
Project Name: WebBrowser
Source Version: 45221100
PID: 731
Thread: 0
Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_INVALID_ADDRESS (0x0001) at 0xbbadbeef

Thread 0 Crashed:
0 com.apple.WebCore 0x011ad64c WebCore::RenderView::paint(WebCore::RenderObject::PaintInfo&, int, int) + 112 (RenderView.cpp:139)
1 com.apple.WebCore 0x011d0438 WebCore::RenderLayer::paintLayer(WebCore::RenderLayer*, WebCore::GraphicsContext*, WebCore::IntRect const&, bool, WebCore::PaintRestriction, WebCore::RenderObject*) + 1092 (RenderLayer.cpp:1474)
2 com.apple.WebCore 0x011d0998 WebCore::RenderLayer::paint(WebCore::GraphicsContext*, WebCore::IntRect const&, WebCore::PaintRestriction, WebCore::RenderObject*) + 72 (RenderLayer.cpp:1394)
3 com.apple.WebCore 0x010f2690 WebCore::Frame::paint(WebCore::GraphicsContext*, WebCore::IntRect const&) + 800 (Frame.cpp:1273)
4 com.apple.WebCore 0x0111f548 -[WebCoreFrameBridge drawRect:] + 372 (WebCoreFrameBridge.mm:409)
5 com.apple.WebKit 0x003513d0 -[WebHTMLView drawSingleRect:] + 760 (WebHTMLView.mm:2638)
6 com.apple.WebKit 0x0035187c -[WebHTMLView drawRect:] + 540 (WebHTMLView.mm:2693)
7 com.apple.AppKit 0x937e7858 -[NSView _drawRect:clip:] + 2128
8 com.apple.AppKit 0x937e6e18 -[NSView _recursiveDisplayAllDirtyWithLockFocus:visRect:] + 404
9 com.apple.WebKit 0x00348398 -[WebHTMLView(WebPrivate) _recursiveDisplayAllDirtyWithLockFocus:visRect:] + 796 (WebHTMLView.mm:900)
10 com.apple.AppKit 0x937e9b60 _recursiveDisplayInRect2 + 84
11 com.apple.CoreFoundation 0x907ee3ec CFArrayApplyFunction + 416
12 com.apple.AppKit 0x937e6f2c -[NSView _recursiveDisplayAllDirtyWithLockFocus:visRect:] + 680
13 com.apple.AppKit 0x937e9b60 _recursiveDisplayInRect2 + 84
14 com.apple.CoreFoundation 0x907ee3ec CFArrayApplyFunction + 416
15 com.apple.AppKit 0x937e6f2c -[NSView _recursiveDisplayAllDirtyWithLockFocus:visRect:] + 680
16 com.apple.AppKit 0x937e9b60 _recursiveDisplayInRect2 + 84
17 com.apple.CoreFoundation 0x907ee3ec CFArrayApplyFunction + 416
18 com.apple.AppKit 0x937e6f2c -[NSView _recursiveDisplayAllDirtyWithLockFocus:visRect:] + 680
19 com.apple.AppKit 0x937e63e0 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 196
20 com.apple.AppKit 0x937e69a8 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 1676
21 com.apple.AppKit 0x937e69a8 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 1676
22 com.apple.AppKit 0x937e69a8 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 1676
23 com.apple.AppKit 0x937e69a8 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 1676
24 com.apple.AppKit 0x937e69a8 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 1676
25 com.apple.AppKit 0x93807044 -[NSThemeFrame _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 192
26 com.apple.AppKit 0x937e0054 -[NSView _displayRectIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:] + 384
27 com.apple.AppKit 0x937d5348 -[NSView displayIfNeeded] + 248
28 com.apple.AppKit 0x937d51b8 -[NSWindow displayIfNeeded] + 180
29 com.apple.Safari 0x000133d4 0x1000 + 74708
30 com.apple.AppKit 0x937d5064 _handleWindowNeedsDisplay + 200
31 com.apple.CoreFoundation 0x907de76c __CFRunLoopDoObservers + 352
32 com.apple.CoreFoundation 0x907dea0c __CFRunLoopRun + 420
33 com.apple.CoreFoundation 0x907de4ac CFRunLoopRunSpecific + 268
34 com.apple.HIToolbox 0x9329bb20 RunCurrentEventLoopInMode + 264
35 com.apple.HIToolbox 0x9329b1b4 ReceiveNextEventCommon + 380
36 com.apple.HIToolbox 0x9329b020 BlockUntilNextEventMatchingListInMode + 96
37 com.apple.AppKit 0x937a1ae4 _DPSNextEvent + 384
38 com.apple.AppKit 0x937a17a8 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 116
39 com.apple.Safari 0x00006770 0x1000 + 22384
40 com.apple.AppKit 0x9379dcec -[NSApplication run] + 472
41 com.apple.AppKit 0x9388e87c NSApplicationMain + 452
42 com.apple.Safari 0x0000244c 0x1000 + 5196
43 com.apple.Safari 0x0004f1b0 0x1000 + 319920
Attachments
Possible fix (1.29 KB, patch), 2007-06-27 16:43 PDT, mitz, no flags
Test case (will ASSERT) (785 bytes, text/html), 2007-06-28 06:49 PDT, mitz, no flags
Remove midLayout guards around non-layout calls (4.64 KB, patch), 2007-06-28 07:10 PDT, mitz, bdakin: review+
David Kilzer (:ddkilzer)
Comment 1 2007-06-13 06:17:38 PDT
Copying Beth since she fixed Bug 13155.
David Kilzer (:ddkilzer)
Comment 2 2007-06-13 10:31:25 PDT
Hmm...I may have been loading a message on Yahoo! Mail at the time as well. Need to try to reproduce the Yahoo! bug on the Safari 3 beta to see if it's present.
David Kilzer (:ddkilzer)
Comment 3 2007-06-14 10:53:14 PDT
I saw this again, but was loading bugzilla.mozilla.org (along with some other pages, possibly). Still haven't figured out the trigger or how to reproduce it.

Reproduced with Safari 3.0 Beta with a local debug build of WebKit r23502 with Mac OS X 10.4.9 (8P135).

Console output:
ASSERTION FAILED: !needsLayout()
(/path/to/WebKit/WebCore/rendering/RenderView.cpp:139 virtual void WebCore::RenderView::paint(WebCore::RenderObject::PaintInfo&, int, int))
Segmentation fault

Stack trace:
Version: 3.0 (522.11)
Build Version: 2
Project Name: WebBrowser
Source Version: 45221100
PID: 643
Thread: 0
Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_INVALID_ADDRESS (0x0001) at 0xbbadbeef

Thread 0 Crashed:
0 com.apple.WebCore 0x011ad42c WebCore::RenderView::paint(WebCore::RenderObject::PaintInfo&, int, int) + 112 (RenderView.cpp:139)
1 com.apple.WebCore 0x011d0218 WebCore::RenderLayer::paintLayer(WebCore::RenderLayer*, WebCore::GraphicsContext*, WebCore::IntRect const&, bool, WebCore::PaintRestriction, WebCore::RenderObject*) + 1092 (RenderLayer.cpp:1474)
2 com.apple.WebCore 0x011d0778 WebCore::RenderLayer::paint(WebCore::GraphicsContext*, WebCore::IntRect const&, WebCore::PaintRestriction, WebCore::RenderObject*) + 72 (RenderLayer.cpp:1394)
3 com.apple.WebCore 0x010f2470 WebCore::Frame::paint(WebCore::GraphicsContext*, WebCore::IntRect const&) + 800 (Frame.cpp:1273)
4 com.apple.WebCore 0x0111f328 -[WebCoreFrameBridge drawRect:] + 372 (WebCoreFrameBridge.mm:409)
5 com.apple.WebKit 0x003513d0 -[WebHTMLView drawSingleRect:] + 760 (WebHTMLView.mm:2638)
6 com.apple.WebKit 0x0035187c -[WebHTMLView drawRect:] + 540 (WebHTMLView.mm:2693)
7 com.apple.AppKit 0x937e7858 -[NSView _drawRect:clip:] + 2128
8 com.apple.AppKit 0x937e6e18 -[NSView _recursiveDisplayAllDirtyWithLockFocus:visRect:] + 404
9 com.apple.WebKit 0x00348398 -[WebHTMLView(WebPrivate) _recursiveDisplayAllDirtyWithLockFocus:visRect:] + 796 (WebHTMLView.mm:900)
10 com.apple.AppKit 0x937e63e0 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 196
11 com.apple.WebKit 0x00347fe8 -[WebHTMLView(WebPrivate) _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 520 (WebHTMLView.mm:854)
12 com.apple.AppKit 0x937e69a8 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 1676
13 com.apple.AppKit 0x937e69a8 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 1676
14 com.apple.AppKit 0x937e69a8 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 1676
15 com.apple.AppKit 0x937e69a8 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 1676
16 com.apple.AppKit 0x937e69a8 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 1676
17 com.apple.AppKit 0x937e69a8 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 1676
18 com.apple.AppKit 0x937e69a8 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 1676
19 com.apple.AppKit 0x937e69a8 -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 1676
20 com.apple.AppKit 0x93807044 -[NSThemeFrame _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] + 192
21 com.apple.AppKit 0x937e0054 -[NSView _displayRectIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:] + 384
22 com.apple.AppKit 0x937d5348 -[NSView displayIfNeeded] + 248
23 com.apple.AppKit 0x937d51b8 -[NSWindow displayIfNeeded] + 180
24 com.apple.Safari 0x000133d4 0x1000 + 74708
25 com.apple.AppKit 0x937d5064 _handleWindowNeedsDisplay + 200
26 com.apple.CoreFoundation 0x907de76c __CFRunLoopDoObservers + 352
27 com.apple.CoreFoundation 0x907dea0c __CFRunLoopRun + 420
28 com.apple.CoreFoundation 0x907de4ac CFRunLoopRunSpecific + 268
29 com.apple.HIToolbox 0x9329bb20 RunCurrentEventLoopInMode + 264
30 com.apple.HIToolbox 0x9329b12c ReceiveNextEventCommon + 244
31 com.apple.HIToolbox 0x9329b020 BlockUntilNextEventMatchingListInMode + 96
32 com.apple.AppKit 0x937a1ae4 _DPSNextEvent + 384
33 com.apple.AppKit 0x937a17a8 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 116
34 com.apple.Safari 0x00006770 0x1000 + 22384
35 com.apple.AppKit 0x9379dcec -[NSApplication run] + 472
36 com.apple.AppKit 0x9388e87c NSApplicationMain + 452
37 com.apple.Safari 0x0000244c 0x1000 + 5196
38 com.apple.Safari 0x0004f1b0 0x1000 + 319920
David Kilzer (:ddkilzer)
Comment 4 2007-06-14 11:18:29 PDT
(In reply to comment #3)
> I saw this again, but was loading bugzilla.mozilla.org (along with some other
> pages, possibly). Still haven't figured out the trigger or how to reproduce
> it.

Saw this logging into usps.com web site when trying to reproduce Bug 4151 with a local debug build of WebKit r23502 with Safari 3.0 (522.11) on Mac OS X 10.4.9 (8P135).
David Kilzer (:ddkilzer)
Comment 5 2007-06-15 11:10:23 PDT
(In reply to comment #4)
> Saw this logging into usps.com web site when trying to reproduce Bug 4151 with
> a local debug build of WebKit r23502 with Safari 3.0 (522.11) on Mac OS X
> 10.4.9 (8P135).

NOTE: This doesn't produce a crash every time--only when I don't want it to crash.

* STEPS TO REPRODUCE
1. Open Safari/WebKit.
2. Go to URL: https://sss-web.usps.com/
3. Click the "Sign In" button.

As I mentioned above, this doesn't happen every time, but I think it usually happens in a tab (that's not the left-most tab) more often than not.
David Kilzer (:ddkilzer)
Comment 6 2007-06-15 11:14:57 PDT
(In reply to comment #5)
> * STEPS TO REPRODUCE
> 1. Open Safari/WebKit.
> 2. Go to URL: https://sss-web.usps.com/
> 3. Click the "Sign In" button.
>
> As I mentioned above, this doesn't happen every time, but I think it usually
> happens in a tab (that's not the left-most tab) more often than not.

If this doesn't crash the first time you hit it, try hitting Reload.
Glenn Howes
Comment 7 2007-06-16 19:21:01 PDT
I'm seeing the same thing on the main http://yahoo.com page
mitz
Comment 8 2007-06-27 16:22:07 PDT
At least on Yahoo, the bug seems to be due to the midLayout guards around the call to invalidateSelection() in FrameView::layout(). Those guards prevent layout from happening, and there's no guarantee that it will happen later before returning from FrameView::layout() (there is a call to scheduleRelayout near the end, but that call is: never supposed to be reached anyway, doesn't always guarantee a relayout, and the early return after it messes up the suspend/resume scheduled events mechanism). I think the same applies to the guards around updateWidgetPositions(). If I remember correctly, both of the above were added on a speculative basis. I don't think they're needed.
mitz
Comment 9 2007-06-27 16:37:24 PDT
See bug 13455 comment #3 regarding the scheduleRelayout and early return being not supposed to be reached.
mitz
Comment 10 2007-06-27 16:43:43 PDT
Created attachment 15282 [details] Possible fix
Alexey Proskuryakov
Comment 11 2007-06-27 22:15:28 PDT
Opening maps.google.com causes this assertion failure for me each time today. I haven't tried applying the patch.
mitz
Comment 12 2007-06-28 06:49:25 PDT
Created attachment 15289 [details]
Test case (will ASSERT)

The beloved updateLayoutIgnorePendingStylesheets() is involved in this case. It is called under invalidateSelection and -- since there are pending stylesheets -- it calls updateStyleSelector() which dirties the root. Normally the root gets a layout after that, but now because of the guard around invalidateSelection it doesn't. I'm going to add this test case to the patch and submit for review.
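As an added illustration of the mechanism mitz describes in comments 8 and 12 (an editor's model, not WebCore source and not part of this bug's patch), the constructed C++ below runs a FrameView::layout() stand-in once with midLayout set around the non-layout call and once without it. The call chain invalidateSelection() -> updateLayoutIgnorePendingStylesheets() -> updateStyleSelector() dirtying the root follows comment 12; that the wrapped flag is what makes the nested layout() bail out is my reading of comment 8 and is an assumption.

```cpp
// Constructed model of the layout/paint interaction from comments 8 and 12.
// This is an editor's illustration, not WebCore source; names are borrowed.
struct FrameViewModel {
    bool rootNeedsLayout = true;     // the RenderView's needsLayout() bit
    bool midLayout = false;          // FrameView's re-entrancy flag
    bool pendingStylesheets = true;  // the condition named in comment 12
    bool guardNonLayoutCalls;        // true models the code before the fix
    explicit FrameViewModel(bool guard) : guardNonLayoutCalls(guard) {}

    void layoutRoot() { rootNeedsLayout = false; }

    // Comment 12: updateStyleSelector() dirties the root.
    void updateStyleSelector() { rootNeedsLayout = true; }

    // updateLayoutIgnorePendingStylesheets(): resolve style now, then lay out.
    void updateLayoutIgnorePendingStylesheets() {
        if (pendingStylesheets) {
            pendingStylesheets = false;
            updateStyleSelector();
        }
        if (rootNeedsLayout)
            layout();                // nested call: a no-op while midLayout
    }

    void invalidateSelection() { updateLayoutIgnorePendingStylesheets(); }

    void layout() {
        if (midLayout)
            return;                  // legitimate guard against re-entrancy
        midLayout = true;
        layoutRoot();
        midLayout = false;
        // Assumption from comment 8: the speculative guard set midLayout around
        // a call that is not layout, so the nested layout() above bails out.
        if (guardNonLayoutCalls) midLayout = true;
        invalidateSelection();
        if (guardNonLayoutCalls) midLayout = false;
    }

    // RenderView::paint() asserts !needsLayout(); true means it would fire.
    bool paintAssertionFires() const { return rootNeedsLayout; }
};

// One layout-then-paint cycle; returns whether the ASSERT would fire.
bool assertionFires(bool guardNonLayoutCalls) {
    FrameViewModel view(guardNonLayoutCalls);
    view.layout();
    return view.paintAssertionFires();
}
```

With the guard in place the root is left dirty when paint runs (the assertion fires); with the guard removed the nested layout cleans it and the cycle terminates because the pending-stylesheet condition is consumed on the first pass.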
mitz
Comment 13 2007-06-28 07:10:04 PDT
Created attachment 15290 [details] Remove midLayout guards around non-layout calls
Beth Dakin
Comment 14 2007-06-28 13:28:42 PDT
Comment on attachment 15290 [details]
Remove midLayout guards around non-layout calls

This looks good to me.
Sam Weinig
Comment 15 2007-06-28 19:47:26 PDT
Landed in r23866.