Bug 155640

Summary: ASSERTION FAILED: rendererHasOutlineAutoAncestor || renderer->outlineStyleForRepaint().outlineStyleIsAuto() || (is<RenderElement>(*renderer) && downcast<RenderElement>(*renderer).hasContinuation()) in WebCore::RenderObject::propagateRepaintToParentWithOut
Product: WebKit Reporter: Renata Hodovan <rhodovan.u-szeged>
Component: Layout and RenderingAssignee: alan <zalan>
Status: RESOLVED FIXED    
Severity: Normal CC: commit-queue, esprehn+autocc, glenn, kondapallykalyan, simon.fraser, webkit-bug-importer, zalan
Priority: P2    
Version: WebKit Local Build   
Hardware: Mac   
OS: OS X 10.11   
Bug Depends on:    
Bug Blocks: 116980    
Attachments:
Description Flags
Test case
none
Patch none

Renata Hodovan
Reported 2016-03-18 09:01:52 PDT
Created attachment 274416 [details] Test case Load the attached test with MiniBrowser: <!DOCTYPE html> <script> window.onload = function() { document.execCommand('selectAll') child = document.createElement('frame') parent = document.getElementById('id_3') parent.appendChild(child) } </script> <style> h3 { outline: auto } </style> <h3> <a> <animateMotion> <metadata id="id_3"></metadata> a </animateMotion> </a> </h3> OS: Mac OS X 10.11.1 (x86_64), x86_64 Checked build: ASAN debug Checked version: 5e169ea Backtrace: "ASSERTION FAILED: rendererHasOutlineAutoAncestor || renderer->outlineStyleForRepaint().outlineStyleIsAuto() || (is<RenderElement>(*renderer) && downcast<RenderElement>(*renderer).hasContinuation()) /Users/reni/work/WebKit/Source/WebCore/rendering/RenderObject.cpp(902) : void WebCore::RenderObject::propagateRepaintToParentWithOutlineAutoIfNeeded(const WebCore::RenderLayerModelObject &, const WebCore::LayoutRect &) const 1 0x10df4b0d4 WTFCrash 2 0x116b2d867 WebCore::RenderObject::propagateRepaintToParentWithOutlineAutoIfNeeded(WebCore::RenderLayerModelObject const&, WebCore::LayoutRect const&) const 3 0x116b2edde WebCore::RenderObject::repaintUsingContainer(WebCore::RenderLayerModelObject const*, WebCore::LayoutRect const&, bool) const 4 0x116ba400a WebCore::RenderSelectionInfoBase::repaintRectangle(WebCore::LayoutRect const&) 5 0x116ba487a WebCore::RenderSelectionInfo::repaint() 6 0x116eb3f18 WebCore::RenderView::applySubtreeSelection(WebCore::SelectionSubtreeRoot const&, WebCore::RenderView::SelectionRepaintMode, WebCore::SelectionSubtreeRoot::OldSelectionData const&) 7 0x116eb00d4 WebCore::RenderView::updateSelectionForSubtrees(WTF::HashMap<WebCore::SelectionSubtreeRoot*, WebCore::SelectionSubtreeRoot::SelectionSubtreeData, WTF::PtrHash<WebCore::SelectionSubtreeRoot*>, WTF::HashTraits<WebCore::SelectionSubtreeRoot*>, WTF::HashTraits<WebCore::SelectionSubtreeRoot::SelectionSubtreeData> >&, WebCore::RenderView::SelectionRepaintMode) 8 0x116eaf6bd WebCore::RenderView::setSelection(WebCore::RenderObject*, int, WebCore::RenderObject*, int, WebCore::RenderView::SelectionRepaintMode) 9 0x1137cfded WebCore::FrameSelection::updateAppearance() 10 0x1137cee44 WebCore::FrameSelection::updateAndRevealSelection(WebCore::AXTextStateChangeIntent const&) 11 0x1137e8ea5 WebCore::FrameSelection::updateAppearanceAfterLayout() 12 0x1137fc732 WebCore::FrameView::performPostLayoutTasks() 13 0x11380a9e5 WebCore::FrameView::layout(bool) 14 0x112d546b6 WebCore::Document::implicitClose() 15 0x113773669 WebCore::FrameLoader::checkCallImplicitClose() 16 0x11377314c WebCore::FrameLoader::checkCompleted() 17 0x11376f718 WebCore::FrameLoader::finishedParsing() 18 0x112d7797a WebCore::Document::finishedParsing() 19 0x113b32e96 WebCore::HTMLConstructionSite::finishedParsing() 20 0x113e6343c WebCore::HTMLTreeBuilder::finished() 21 0x113ba7b8c WebCore::HTMLDocumentParser::end() 22 0x113ba3d9a WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() 23 0x113ba3a09 WebCore::HTMLDocumentParser::prepareToStopParsing() 24 0x113ba7c2e WebCore::HTMLDocumentParser::attemptToEnd() 25 0x113ba7c88 WebCore::HTMLDocumentParser::finish() 26 0x112f335e0 WebCore::DocumentWriter::end() 27 0x112e85a5d WebCore::DocumentLoader::finishedLoading(double) 28 0x112e8556b WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource*) 29 0x11225de67 WebCore::CachedResource::checkNotify() 30 0x11225e054 WebCore::CachedResource::finishLoading(WebCore::SharedBuffer*) 31 0x1122543cd WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) ASAN:SIGSEGV ================================================================= ==20754==ERROR: AddressSanitizer: SEGV on unknown address 0x0000bbadbeef (pc 0x00010df4b10c bp 0x7fff5ad83ad0 sp 0x7fff5ad83ac0 T0) #0 0x10df4b10b in WTFCrash (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2b2110b) #1 0x116b2d866 in WebCore::RenderObject::propagateRepaintToParentWithOutlineAutoIfNeeded(WebCore::RenderLayerModelObject const&, WebCore::LayoutRect const&) const (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4ee8866) #2 0x116b2eddd in WebCore::RenderObject::repaintUsingContainer(WebCore::RenderLayerModelObject const*, WebCore::LayoutRect const&, bool) const (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4ee9ddd) #3 0x116ba4009 in WebCore::RenderSelectionInfoBase::repaintRectangle(WebCore::LayoutRect const&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4f5f009) #4 0x116ba4879 in WebCore::RenderSelectionInfo::repaint() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4f5f879) #5 0x116eb3f17 in WebCore::RenderView::applySubtreeSelection(WebCore::SelectionSubtreeRoot const&, WebCore::RenderView::SelectionRepaintMode, WebCore::SelectionSubtreeRoot::OldSelectionData const&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x526ef17) #6 0x116eb00d3 in WebCore::RenderView::updateSelectionForSubtrees(WTF::HashMap<WebCore::SelectionSubtreeRoot*, WebCore::SelectionSubtreeRoot::SelectionSubtreeData, WTF::PtrHash<WebCore::SelectionSubtreeRoot*>, WTF::HashTraits<WebCore::SelectionSubtreeRoot*>, WTF::HashTraits<WebCore::SelectionSubtreeRoot::SelectionSubtreeData> >&, WebCore::RenderView::SelectionRepaintMode) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x526b0d3) #7 0x116eaf6bc in WebCore::RenderView::setSelection(WebCore::RenderObject*, int, WebCore::RenderObject*, int, WebCore::RenderView::SelectionRepaintMode) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x526a6bc) #8 0x1137cfdec in WebCore::FrameSelection::updateAppearance() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1b8adec) #9 0x1137cee43 in WebCore::FrameSelection::updateAndRevealSelection(WebCore::AXTextStateChangeIntent const&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1b89e43) #10 0x1137e8ea4 in WebCore::FrameSelection::updateAppearanceAfterLayout() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1ba3ea4) #11 0x1137fc731 in WebCore::FrameView::performPostLayoutTasks() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1bb7731) #12 0x11380a9e4 in WebCore::FrameView::layout(bool) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1bc59e4) #13 0x112d546b5 in WebCore::Document::implicitClose() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x110f6b5) #14 0x113773668 in WebCore::FrameLoader::checkCallImplicitClose() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1b2e668) #15 0x11377314b in WebCore::FrameLoader::checkCompleted() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1b2e14b) #16 0x11376f717 in WebCore::FrameLoader::finishedParsing() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1b2a717) #17 0x112d77979 in WebCore::Document::finishedParsing() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1132979) #18 0x113b32e95 in WebCore::HTMLConstructionSite::finishedParsing() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1eede95) #19 0x113e6343b in WebCore::HTMLTreeBuilder::finished() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x221e43b) #20 0x113ba7b8b in WebCore::HTMLDocumentParser::end() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f62b8b) #21 0x113ba3d99 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f5ed99) #22 0x113ba3a08 in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f5ea08) #23 0x113ba7c2d in WebCore::HTMLDocumentParser::attemptToEnd() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f62c2d) #24 0x113ba7c87 in WebCore::HTMLDocumentParser::finish() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f62c87) #25 0x112f335df in WebCore::DocumentWriter::end() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x12ee5df) #26 0x112e85a5c in WebCore::DocumentLoader::finishedLoading(double) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1240a5c) #27 0x112e8556a in WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource*) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x124056a) #28 0x11225de66 in WebCore::CachedResource::checkNotify() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x618e66) #29 0x11225e053 in WebCore::CachedResource::finishLoading(WebCore::SharedBuffer*) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x619053) #30 0x1122543cc in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x60f3cc) #31 0x117919d20 in WebCore::SubresourceLoader::didFinishLoading(double) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5cd4d20) #32 0x10699f15c in WebKit::WebResourceLoader::didFinishResourceLoad(double) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b1315c) #33 0x1069b34f2 in void IPC::callMemberFunctionImpl<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>, 0ul>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>&&, std::index_sequence<0ul>) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b274f2) #34 0x1069b3171 in void IPC::callMemberFunction<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>, std::make_index_sequence<1ul> >(std::__1::tuple<double>&&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b27171) #35 0x1069af52e in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double)>(IPC::MessageDecoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b2352e) #36 0x1069ac5ad in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::MessageDecoder&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b205ad) #37 0x1057224f2 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::MessageDecoder&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x8964f2) #38 0x10505ffa0 in IPC::Connection::dispatchMessage(IPC::MessageDecoder&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1d3fa0) #39 0x105047501 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1bb501) #40 0x105060d90 in IPC::Connection::dispatchOneMessage() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1d4d90) #41 0x1050904dc in IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10::operator()() const (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x2044dc) #42 0x1050904ac in void std::__1::__invoke_void_return_wrapper<void>::__call<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10&>(IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10&&&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x2044ac) #43 0x1050902cb in std::__1::__function::__func<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10, std::__1::allocator<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10>, void ()>::operator()() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x2042cb) #44 0x10cd839fa in std::__1::function<void ()>::operator()() const (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x19599fa) #45 0x10e0258dd in WTF::RunLoop::performWork() (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2bfb8dd) #46 0x10e026849 in WTF::RunLoop::performWork(void*) (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2bfc849) #47 0x7fff888498b0 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0xaa8b0) #48 0x7fff888290ab in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x8a0ab) #49 0x7fff888285ce in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x895ce) #50 0x7fff88827fc7 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x88fc7) #51 0x7fff86540d54 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30d54) #52 0x7fff86540b8e in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30b8e) #53 0x7fff865409ce in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x309ce) #54 0x7fff97bc6d95 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x49d95) #55 0x7fff97bc61c4 in -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x491c4) #56 0x7fff97bbad27 in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x3dd27) #57 0x7fff97b83fbd in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x6fbd) #58 0x7fff9408b4f1 in _xpc_objc_main (/usr/lib/system/libxpc.dylib+0x114f1) #59 0x7fff94089f1d in xpc_main (/usr/lib/system/libxpc.dylib+0xff1d) #60 0x104e761cb in main (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.Development.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development+0x1000021cb) #61 0x7fff908b05ac in start (/usr/lib/system/libdyld.dylib+0x35ac) #62 0x0 (<unknown module>) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV ??:0 WTFCrash ==20754==ABORTING #CRASHED - com.apple.WebKit.WebContent.Development (pid 20754) LEAK: 1 WebProcessPool LEAK: 1 WebPageProxy
Attachments
Test case (399 bytes, text/html)
2016-03-18 09:01 PDT, Renata Hodovan 		no flags
Details
Patch (3.94 KB, patch)
2016-03-26 18:20 PDT, alan 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
alan
Comment 1 2016-03-26 18:20:49 PDT
Created attachment 274992 [details] Patch
WebKit Commit Bot
Comment 2 2016-03-28 11:39:20 PDT
Comment on attachment 274992 [details] Patch Clearing flags on attachment: 274992 Committed r198753: <http://trac.webkit.org/changeset/198753>
WebKit Commit Bot
Comment 3 2016-03-28 11:39:26 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.