Bug 44863

Summary: Renderer ASSERT failure in Chrome when using click-to-play
Product: WebKit
Reporter: Bernhard Bauer <bauerb>
Component: Plug-ins
Assignee: Dave Hyatt <hyatt>
Status: RESOLVED FIXED
Severity: Normal
CC: abarth, eric, fishd, hyatt, jamesr, jochen, mitz, simon.fraser, webkit-ews, webkit.review.bot
Priority: P1
Version: 528+ (Nightly build)
Hardware: PC
OS: OS X 10.5
Attachments:
Always run pending style recalcs when layouting. (flags: none)
Patch (flags: sam: review+)

Description Bernhard Bauer 2010-08-30 03:20:56 PDT
Steps to reproduce:
1. Start Chrome with --enable-click-to-play
2. Navigate to a site with blocked plugins
3. Aw, Snap!

The assertion failure is an ASSERT(!root->needsLayout()) in FrameView.cpp (root being the WebCore::RenderView), caused by a style change setting root->m_normalChildNeedsLayout to true after root->layout() was called. It looks like it was introduced in http://trac.webkit.org/changeset/66115.
Comment 1 Bernhard Bauer 2010-08-30 03:25:09 PDT
(See http://crbug.com/53817)
Comment 2 Bernhard Bauer 2010-08-30 08:55:15 PDT
Stack trace to the point where root->m_normalChildNeedsLayout is set: 

#0  WebCore::RenderObject::markContainingBlocksForLayout (this=0x8eb2cdc, scheduleRelayout=true, newRoot=0x0) at RenderObject.h:967
#1  0x023446d3 in WebCore::RenderObject::setNeedsLayout (this=0x8eb2cdc, b=true, markParents=true) at RenderObject.h:886
#2  0x02315d7f in WebCore::RenderObject::setNeedsLayoutAndPrefWidthsRecalc (this=0x8eb2cdc) at RenderObject.h:467
#3  0x0230c934 in WebCore::RenderObject::styleDidChange (this=0x8eb2cdc, diff=WebCore::StyleDifferenceLayout, oldStyle=0x8d4b120) at /build/chromium/src/third_party/WebKit/WebCore/WebCore.gyp/../rendering/RenderObject.cpp:1879
#4  0x022a6a3a in WebCore::RenderBoxModelObject::styleDidChange (this=0x8eb2cdc, diff=WebCore::StyleDifferenceLayout, oldStyle=0x8d4b120) at /build/chromium/src/third_party/WebKit/WebCore/WebCore.gyp/../rendering/RenderBoxModelObject.cpp:282
#5  0x0229c577 in WebCore::RenderBox::styleDidChange (this=0x8eb2cdc, diff=WebCore::StyleDifferenceLayout, oldStyle=0x8d4b120) at /build/chromium/src/third_party/WebKit/WebCore/WebCore.gyp/../rendering/RenderBox.cpp:168
#6  0x0226a34a in WebCore::RenderBlock::styleDidChange (this=0x8eb2cdc, diff=WebCore::StyleDifferenceLayout, oldStyle=0x8d4b120) at /build/chromium/src/third_party/WebKit/WebCore/WebCore.gyp/../rendering/RenderBlock.cpp:233
#7  0x0230eb5a in WebCore::RenderObject::setStyle (this=0x8eb2cdc, style=@0xbfffa96c) at /build/chromium/src/third_party/WebKit/WebCore/WebCore.gyp/../rendering/RenderObject.cpp:1753
#8  0x0230c5f3 in WebCore::RenderObject::setAnimatableStyle (this=0x8eb2cdc, style=@0xbfffa99c) at /build/chromium/src/third_party/WebKit/WebCore/WebCore.gyp/../rendering/RenderObject.cpp:1679
#9  0x01e26e5b in WebCore::Node::setRenderStyle (this=0x8eb29e0, s=@0xbfffaa04) at /build/chromium/src/third_party/WebKit/WebCore/WebCore.gyp/../dom/Node.cpp:1436
#10 0x01e0ba46 in WebCore::Element::recalcStyle (this=0x8eb29e0, change=WebCore::Node::Force) at /build/chromium/src/third_party/WebKit/WebCore/WebCore.gyp/../dom/Element.cpp:935
#11 0x01dda1d8 in WebCore::Document::recalcStyle (this=0x9818200, change=WebCore::Node::Force) at /build/chromium/src/third_party/WebKit/WebCore/WebCore.gyp/../dom/Document.cpp:1447
#12 0x01dd9e9e in WebCore::Document::updateStyleIfNeeded (this=0x9818200) at /build/chromium/src/third_party/WebKit/WebCore/WebCore.gyp/../dom/Document.cpp:1491
#13 0x01ebf2ea in WebCore::SelectionController::updateAppearance (this=0x99376a4) at /build/chromium/src/third_party/WebKit/WebCore/WebCore.gyp/../editing/SelectionController.cpp:1437
#14 0x020ff917 in WebCore::FrameView::layout (this=0x98dbe00, allowSubtree=true) at /build/chromium/src/third_party/WebKit/WebCore/WebCore.gyp/../page/FrameView.cpp:785
#15 0x0210046a in WebCore::FrameView::visibleContentsResized (this=0x98dbe00) at /build/chromium/src/third_party/WebKit/WebCore/WebCore.gyp/../page/FrameView.cpp:1217
#16 0x02210e27 in WebCore::ScrollView::updateScrollbars (this=0x98dbe00, desiredOffset=@0x98dbe88) at /build/chromium/src/third_party/WebKit/WebCore/WebCore.gyp/../platform/ScrollView.cpp:345
#17 0x02211a88 in WebCore::ScrollView::setFrameRect (this=0x98dbe00, newRect=@0xbfffae70) at /build/chromium/src/third_party/WebKit/WebCore/WebCore.gyp/../platform/ScrollView.cpp:693
#18 0x02100e36 in WebCore::FrameView::setFrameRect (this=0x98dbe00, newRect=@0xbfffae70) at /build/chromium/src/third_party/WebKit/WebCore/WebCore.gyp/../page/FrameView.cpp:338
#19 0x021462ca in WebCore::Widget::resize (this=0x98dbe00, w=640, h=360) at Widget.h:158
#20 0x01c3c222 in WebKit::WebViewImpl::resize (this=0x8eb1420, newSize=@0xbfffaf38) at /build/chromium/src/third_party/WebKit/WebKit/chromium/src/WebViewImpl.cpp:906
#21 0x01749e3b in WebViewPlugin::updateGeometry (this=0x8eb13d0, frame_rect=@0xbfffaf8c, clip_rect=@0xbfffaf7c, cut_out_rects=@0xbfffafd8, is_visible=false) at /build/chromium/src/webkit/support/../glue/plugins/webview_plugin.cc:121
#22 0x01c2c098 in WebKit::WebPluginContainerImpl::reportGeometry (this=0x8eb0b30) at /build/chromium/src/third_party/WebKit/WebKit/chromium/src/WebPluginContainerImpl.cpp:286
#23 0x01c2c7f4 in WebKit::WebPluginContainerImpl::setParent (this=0x8eb0b30, view=0x980e600) at /build/chromium/src/third_party/WebKit/WebKit/chromium/src/WebPluginContainerImpl.cpp:221
#24 0x02210a2f in WebCore::ScrollView::addChild (this=0x980e600, prpChild=@0xbfffb08c) at /build/chromium/src/third_party/WebKit/WebCore/WebCore.gyp/../platform/ScrollView.cpp:69
#25 0x0238df5b in WebCore::moveWidgetToParentSoon (child=0x8eb0b30, parent=0x980e600) at /build/chromium/src/third_party/WebKit/WebCore/WebCore.gyp/../rendering/RenderWidget.cpp:90
#26 0x0238e1e7 in WebCore::RenderWidget::setWidget (this=0x8eaf45c, widget=@0xbfffb11c) at /build/chromium/src/third_party/WebKit/WebCore/WebCore.gyp/../rendering/RenderWidget.cpp:211
#27 0x023185f4 in WebCore::RenderPart::setWidget (this=0x8eaf45c, widget=@0xbfffb18c) at /build/chromium/src/third_party/WebKit/WebCore/WebCore.gyp/../rendering/RenderPart.cpp:50
#28 0x0209191c in WebCore::SubframeLoader::loadPlugin (this=0x90373a0, renderer=0x8eaf45c, url=@0xbfffb234, mimeType=@0xbfffb49c, paramNames=@0xbfffb420, paramValues=@0xbfffb414, useFallback=false) at /build/chromium/src/third_party/WebKit/WebCore/WebCore.gyp/../loader/SubframeLoader.cpp:350
#29 0x020926f1 in WebCore::SubframeLoader::requestObject (this=0x90373a0, renderer=0x8eaf45c, url=@0xbfffb4a0, frameName=@0x3c26ae4, mimeType=@0xbfffb49c, paramNames=@0xbfffb420, paramValues=@0xbfffb414) at /build/chromium/src/third_party/WebKit/WebCore/WebCore.gyp/../loader/SubframeLoader.cpp:129
#30 0x022b3634 in WebCore::RenderEmbeddedObject::updateWidget (this=0x8eaf45c, onlyCreateNonNetscapePlugins=false) at /build/chromium/src/third_party/WebKit/WebCore/WebCore.gyp/../rendering/RenderEmbeddedObject.cpp:278
#31 0x020fcc7a in WebCore::FrameView::updateWidgets (this=0x980e600) at /build/chromium/src/third_party/WebKit/WebCore/WebCore.gyp/../page/FrameView.cpp:1583
#32 0x020fcfc9 in WebCore::FrameView::performPostLayoutTasks (this=0x980e600) at /build/chromium/src/third_party/WebKit/WebCore/WebCore.gyp/../page/FrameView.cpp:1613
#33 0x020ffb0c in WebCore::FrameView::layout (this=0x980e600, allowSubtree=true) at /build/chromium/src/third_party/WebKit/WebCore/WebCore.gyp/../page/FrameView.cpp:826
#34 0x01dd9c6f in WebCore::Document::updateLayout (this=0x9815200) at /build/chromium/src/third_party/WebKit/WebCore/WebCore.gyp/../dom/Document.cpp:1523
#35 0x01ddba43 in WebCore::Document::updateLayoutIgnorePendingStylesheets (this=0x9815200) at /build/chromium/src/third_party/WebKit/WebCore/WebCore.gyp/../dom/Document.cpp:1554
#36 0x01f71391 in WebCore::HTMLEmbedElement::renderWidgetForJSBindings (this=0x8eadd50) at /build/chromium/src/third_party/WebKit/WebCore/WebCore.gyp/../html/HTMLEmbedElement.cpp:72
#37 0x01fa7802 in WebCore::HTMLPlugInElement::pluginWidget (this=0x8eadd50) at /build/chromium/src/third_party/WebKit/WebCore/WebCore.gyp/../html/HTMLPlugInElement.cpp:103
#38 0x01fa7d50 in WebCore::HTMLPlugInElement::getInstance (this=0x8eadd50) at /build/chromium/src/third_party/WebKit/WebCore/WebCore.gyp/../html/HTMLPlugInElement.cpp:95
#39 0x01c8f262 in WebCore::npObjectNamedGetter<WebCore::V8HTMLEmbedElement> (name={<v8::Handle<v8::String>> = {val_ = 0x9844c4c}, <No data fields>}, info=@0xbfffb8a8) at /build/chromium/src/third_party/WebKit/WebCore/WebCore.gyp/../bindings/v8/custom/V8HTMLPlugInElementCustom.cpp:51
#40 0x01c8f346 in WebCore::V8HTMLEmbedElement::namedPropertyGetter (name={<v8::Handle<v8::String>> = {val_ = 0x9844c4c}, <No data fields>}, info=@0xbfffb8a8) at /build/chromium/src/third_party/WebKit/WebCore/WebCore.gyp/../bindings/v8/custom/V8HTMLPlugInElementCustom.cpp:86
#41 0x013bac03 in v8::internal::JSObject::GetPropertyWithInterceptor (this=0x1804a8d5, receiver=0x1804a8d5, name=0xaf17a51, attributes=0xbfffb9cc) at /build/chromium/src/v8/tools/gyp/../../src/objects.cc:6780
#42 0x013bafe9 in v8::internal::Object::GetProperty (this=0x1804a8d5, receiver=0x1804a8d5, result=0xbfffb99c, name=0xaf17a51, attributes=0xbfffb9cc) at /build/chromium/src/v8/tools/gyp/../../src/objects.cc:505
#43 0x0136c26d in v8::internal::CallICBase::LoadFunction (this=0xbfffba28, state=v8::internal::UNINITIALIZED, object={location_ = 0xbfffba80}, name={location_ = 0xbfffba7c}) at /build/chromium/src/v8/tools/gyp/../../src/ic.cc:522
#44 0x0136c50d in v8::internal::CallIC_Miss (args={<v8::internal::Embedded> = {<No data fields>}, length_ = 2, arguments_ = 0xbfffba80}) at /build/chromium/src/v8/tools/gyp/../../src/ic.cc:1551
#45 0x0af200ae in ?? ()
#46 0x0af34280 in ?? ()
#47 0x16d9d3de in ?? ()
#48 0x16d9b86b in ?? ()
#49 0x16d8b2ee in ?? ()
#50 0x16d88489 in ?? ()
#51 0x16d890e3 in ?? ()
#52 0x19776a29 in ?? ()
#53 0x19774328 in ?? ()
#54 0x1976d591 in ?? ()
#55 0x1976d2de in ?? ()
#56 0x194fb8fd in ?? ()
#57 0x194f9c0a in ?? ()
#58 0x0af215df in ?? ()
#59 0x19495f09 in ?? ()
#60 0x0af215df in ?? ()
#61 0x0af2cbcc in ?? ()
#62 0x0c5e0e58 in ?? ()
#63 0x0af215df in ?? ()
#64 0x1977599d in ?? ()
#65 0x0af215df in ?? ()
#66 0x163745f1 in ?? ()
#67 0x16375d22 in ?? ()
#68 0x0af215df in ?? ()
#69 0x0af2cbcc in ?? ()
#70 0x0c5e0e58 in ?? ()
#71 0x0af215df in ?? ()
#72 0x0af2f291 in ?? ()
#73 0x0af20fe2 in ?? ()
#74 0x0131c409 in v8::internal::Invoke (construct=false, func={location_ = 0x9844c2c}, receiver={location_ = 0x9844c30}, argc=1, args=0xbfffc080, has_pending_exception=0xbfffbfbf) at /build/chromium/src/v8/tools/gyp/../../src/execution.cc:94
#75 0x0131c915 in v8::internal::Execution::Call (func={location_ = 0x9844c2c}, receiver={location_ = 0x9844c30}, argc=1, args=0xbfffc080, pending_exception=0xbfffbfbf) at /build/chromium/src/v8/tools/gyp/../../src/execution.cc:121
#76 0x012c800b in v8::Function::Call (this=0x9844c2c, recv={val_ = 0x9844c30}, argc=1, argv=0xbfffc080) at /build/chromium/src/v8/tools/gyp/../../src/api.cc:2795
#77 0x01cd783a in WebCore::V8Proxy::callFunction (this=0x8d1c3f0, function={val_ = 0x9844c2c}, receiver={val_ = 0x9844c30}, argc=1, args=0xbfffc080) at /build/chromium/src/third_party/WebKit/WebCore/WebCore.gyp/../bindings/v8/V8Proxy.cpp:525
#78 0x01c8231b in WebCore::V8EventListener::callListenerFunction (this=0x8e8baf0, context=0x9815238, jsEvent={val_ = 0x9844c10}, event=0x8e96630) at /build/chromium/src/third_party/WebKit/WebCore/WebCore.gyp/../bindings/v8/custom/V8CustomEventListener.cpp:75
#79 0x01cbc87e in WebCore::V8AbstractEventListener::invokeEventHandler (this=0x8e8baf0, context=0x9815238, event=0x8e96630, jsEvent={val_ = 0x9844c10}) at /build/chromium/src/third_party/WebKit/WebCore/WebCore.gyp/../bindings/v8/V8AbstractEventListener.cpp:151
#80 0x01cbcd95 in WebCore::V8AbstractEventListener::handleEvent (this=0x8e8baf0, context=0x9815238, event=0x8e96630) at /build/chromium/src/third_party/WebKit/WebCore/WebCore.gyp/../bindings/v8/V8AbstractEventListener.cpp:94
#81 0x01e142c6 in WebCore::EventTarget::fireEventListeners (this=0x9819200, event=0x8e96630, d=0x9819458, entry=@0x8e8bda0) at /build/chromium/src/third_party/WebKit/WebCore/WebCore.gyp/../dom/EventTarget.cpp:339
#82 0x01e14962 in WebCore::EventTarget::fireEventListeners (this=0x9819200, event=0x8e96630) at /build/chromium/src/third_party/WebKit/WebCore/WebCore.gyp/../dom/EventTarget.cpp:300
#83 0x01e14af2 in WebCore::EventTarget::dispatchEvent (this=0x9819200, event=@0xbfffc28c) at /build/chromium/src/third_party/WebKit/WebCore/WebCore.gyp/../dom/EventTarget.cpp:286
#84 0x024e7942 in WebCore::XMLHttpRequestProgressEventThrottle::dispatchEvent (this=0x98194b8, event=@0xbfffc2e0, progressEventAction=WebCore::FlushProgressEvent) at /build/chromium/src/third_party/WebKit/WebCore/WebCore.gyp/../xml/XMLHttpRequestProgressEventThrottle.cpp:81
#85 0x024e3fcd in WebCore::XMLHttpRequest::callReadyStateChangeListener (this=0x9819200) at /build/chromium/src/third_party/WebKit/WebCore/WebCore.gyp/../xml/XMLHttpRequest.cpp:287
#86 0x024e41c3 in WebCore::XMLHttpRequest::changeState (this=0x9819200, newState=WebCore::XMLHttpRequest::DONE) at /build/chromium/src/third_party/WebKit/WebCore/WebCore.gyp/../xml/XMLHttpRequest.cpp:270
#87 0x024e47cb in WebCore::XMLHttpRequest::didFinishLoading (this=0x9819200, identifier=92) at /build/chromium/src/third_party/WebKit/WebCore/WebCore.gyp/../xml/XMLHttpRequest.cpp:913
#88 0x02058e41 in WebCore::DocumentThreadableLoader::didFinishLoading (this=0x8e8bde0, identifier=92) at /build/chromium/src/third_party/WebKit/WebCore/WebCore.gyp/../loader/DocumentThreadableLoader.cpp:245
#89 0x0205956b in WebCore::DocumentThreadableLoader::didFinishLoading (this=0x8e8bde0, loader=0x9919400) at /build/chromium/src/third_party/WebKit/WebCore/WebCore.gyp/../loader/DocumentThreadableLoader.cpp:235
#90 0x02093508 in WebCore::SubresourceLoader::didFinishLoading (this=0x9919400) at /build/chromium/src/third_party/WebKit/WebCore/WebCore.gyp/../loader/SubresourceLoader.cpp:183
#91 0x0208e526 in WebCore::ResourceLoader::didFinishLoading (this=0x9919400) at /build/chromium/src/third_party/WebKit/WebCore/WebCore.gyp/../loader/ResourceLoader.cpp:444
#92 0x01bead40 in WebCore::ResourceHandleInternal::didFinishLoading (this=0x8e8c4c0) at /build/chromium/src/third_party/WebKit/WebKit/chromium/src/ResourceHandle.cpp:191
#93 0x01788919 in webkit_glue::WebURLLoaderImpl::Context::OnCompletedRequest (this=0x8e8c400, status=@0xbfffc634, security_info=@0xbfffc63c) at /build/chromium/src/webkit/support/../glue/weburlloader_impl.cc:614
#94 0x000f3561 in ResourceDispatcher::OnRequestComplete (this=0xab05790, request_id=92, status=@0xbfffc634, security_info=@0xbfffc63c) at /build/chromium/src/chrome/common/resource_dispatcher.cc:471
#95 0x000f50ce in DispatchToMethod<ResourceDispatcher, void (ResourceDispatcher::*)(int, URLRequestStatus const&, std::string const&), int, URLRequestStatus, std::string> (obj=0xab05790, method={__pfn = 0xf33fc <ResourceDispatcher::OnRequestComplete(int, URLRequestStatus const&, std::string const&)>, __delta = 0}, arg=@0xbfffc630) at tuple.h:560
#96 0x000f7578 in IPC::MessageWithTuple<Tuple3<int, URLRequestStatus, std::string> >::Dispatch<ResourceDispatcher, void (ResourceDispatcher::*)(int, URLRequestStatus const&, std::string const&)> (msg=0xa9083fc, obj=0xab05790, func={__pfn = 0xf33fc <ResourceDispatcher::OnRequestComplete(int, URLRequestStatus const&, std::string const&)>, __delta = 0}) at ipc_message_utils.h:944
#97 0x000f2d55 in ResourceDispatcher::DispatchMessage (this=0xab05790, message=@0xa9083fc) at /build/chromium/src/chrome/common/resource_dispatcher.cc:540
#98 0x000f4001 in ResourceDispatcher::OnMessageReceived (this=0xab05790, message=@0xa9083fc) at /build/chromium/src/chrome/common/resource_dispatcher.cc:306
#99 0x0011e312 in ChildThread::OnMessageReceived (this=0xab05c64, msg=@0xa9083fc) at /build/chromium/src/chrome/common/child_thread.cc:139
#100 0x0167d880 in IPC::ChannelProxy::Context::OnDispatchMessage (this=0xab05430, message=@0xa9083fc) at /build/chromium/src/ipc/ipc_channel_proxy.cc:206
#101 0x0167e87e in DispatchToMethod<IPC::ChannelProxy::Context, void (IPC::ChannelProxy::Context::*)(IPC::Message const&), IPC::Message> (obj=0xab05430, method={__pfn = 0x167d7f0 <IPC::ChannelProxy::Context::OnDispatchMessage(IPC::Message const&)>, __delta = 0}, arg=@0xa9083fc) at tuple.h:547
#102 0x0167e8b9 in RunnableMethod<IPC::ChannelProxy::Context, void (IPC::ChannelProxy::Context::*)(IPC::Message const&), Tuple1<IPC::Message> >::Run (this=0xa9083e0) at task.h:327
#103 0x00bdef81 in MessageLoop::RunTask (this=0xbfffe584, task=0xa9083e0) at /build/chromium/src/base/message_loop.cc:408
#104 0x00bdf031 in MessageLoop::DeferOrRunPendingTask (this=0xbfffe584, pending_task=@0xbfffcd1c) at /build/chromium/src/base/message_loop.cc:417
#105 0x00bdf2c1 in MessageLoop::DoWork (this=0xbfffe584) at /build/chromium/src/base/message_loop.cc:524
#106 0x00c404ca in base::MessagePumpCFRunLoopBase::RunWork (this=0xae00d20) at /build/chromium/src/base/message_pump_mac.mm:291
#107 0x00c4050f in base::MessagePumpCFRunLoopBase::RunWorkSource (info=0xae00d20) at /build/chromium/src/base/message_pump_mac.mm:269
#108 0x967a5f91 in __CFRunLoopDoSources0 ()
#109 0x967a3bbf in __CFRunLoopRun ()
#110 0x967a3094 in CFRunLoopRunSpecific ()
#111 0x967a2ec1 in CFRunLoopRunInMode ()
#112 0x97cd2f9c in RunCurrentEventLoopInMode ()
#113 0x97cd2d51 in ReceiveNextEventCommon ()
#114 0x97cd2bd6 in BlockUntilNextEventMatchingListInMode ()
#115 0x95cf7a89 in _DPSNextEvent ()
#116 0x95cf72ca in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#117 0x95cb955b in -[NSApplication run] ()
#118 0x00c4000c in base::MessagePumpNSApplication::DoRun (this=0xae00d20, delegate=0xbfffe584) at /build/chromium/src/base/message_pump_mac.mm:677
#119 0x00c405fb in base::MessagePumpCFRunLoopBase::Run (this=0xae00d20, delegate=0xbfffe584) at /build/chromium/src/base/message_pump_mac.mm:213
#120 0x00bdfacc in MessageLoop::RunInternal (this=0xbfffe584) at /build/chromium/src/base/message_loop.cc:256
#121 0x00bdfae7 in MessageLoop::RunHandler (this=0xbfffe584) at /build/chromium/src/base/message_loop.cc:228
#122 0x00bdfb4b in MessageLoop::Run (this=0xbfffe584) at /build/chromium/src/base/message_loop.cc:206
#123 0x00b33484 in RendererMain (parameters=@0xbfffeffc) at /build/chromium/src/chrome/renderer/renderer_main.cc:294
#124 0x00008f44 in ChromeMain (argc=7, argv=0xbffff190) at /build/chromium/src/chrome/app/chrome_dll_main.cc:807
#125 0x00001f52 in main (argc=7, argv=0xbffff190) at /build/chromium/src/chrome/app/chrome_exe_main.mm:16

The stack trace for the failing ASSERT is pretty much the same, starting at frame 14, in FrameView.cpp:805, so I'm not repeating it here.
Comment 3 Bernhard Bauer 2010-08-31 06:34:12 PDT
Created attachment 66043 [details]
Always run pending style recalcs when layouting.

It seems this is caused by a pending style recalculation when FrameView::layout is called. 

If a style recalc is pending, Document::updateStyleIfNeeded is called from m_frame->selection()->updateAppearance() in FrameView.cpp:784, which is after the layout has happened, so it sets the layout flag again.

My solution is to call updateStyleIfNeeded before layouting, which can conveniently be done by moving it out of the else clause around FrameView.cpp:657.
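A reduced model of the ordering described in the bug description and in comment 3, added here as an illustration; it is not code from WebKit or from either patch on this bug. FrameViewModel, its members and the assertHolds* functions are hypothetical names standing in for the Document and RenderView dirty bits; only the layout-affecting style difference is modelled.

```cpp
#include <cstdio>

// Stand-in for WebCore::StyleDifference; only the layout-affecting case matters here.
enum class StyleDifference { Equal, Layout };

// Hypothetical reduced model of the two dirty bits involved in this report:
// the Document's pending style recalc and RenderView::needsLayout().
struct FrameViewModel {
    bool stylePending = false;                          // Document has a recalc scheduled
    StyleDifference pendingDiff = StyleDifference::Equal;
    bool rootNeedsLayout = true;                        // RenderView::needsLayout()

    // Document::updateStyleIfNeeded(): applying a style change whose diff is
    // StyleDifferenceLayout calls setNeedsLayout on the renderer, which marks the
    // containing blocks up to the RenderView as needing layout again.
    void updateStyleIfNeeded() {
        if (!stylePending)
            return;
        stylePending = false;
        if (pendingDiff == StyleDifference::Layout)
            rootNeedsLayout = true;
    }

    void layoutRoot() { rootNeedsLayout = false; }      // root->layout()

    // Order seen in the stack trace: root->layout(), then selection()->updateAppearance()
    // runs the pending recalc after layout. Returns whether ASSERT(!root->needsLayout())
    // at the end of FrameView::layout would hold.
    bool layoutWithPostLayoutStyleRecalc() {
        layoutRoot();
        updateStyleIfNeeded();
        return !rootNeedsLayout;
    }

    // Order proposed in comment 3: drain the pending recalc before laying out, so the
    // post-layout call finds nothing pending and cannot re-dirty the root.
    bool layoutWithPreLayoutStyleRecalc() {
        updateStyleIfNeeded();
        layoutRoot();
        updateStyleIfNeeded();
        return !rootNeedsLayout;
    }
};

static FrameViewModel withPendingRecalc(StyleDifference diff) {
    FrameViewModel v;
    v.stylePending = true;
    v.pendingDiff = diff;
    return v;
}

// A pending layout-affecting recalc run after layout re-dirties the root: ASSERT fails.
bool assertHoldsWithBuggyOrder() {
    return withPendingRecalc(StyleDifference::Layout).layoutWithPostLayoutStyleRecalc();
}

// Same input with the recalc moved before layout: ASSERT holds.
bool assertHoldsWithFixedOrder() {
    return withPendingRecalc(StyleDifference::Layout).layoutWithPreLayoutStyleRecalc();
}

// A pending recalc whose diff does not affect layout never re-dirties the root, which is
// why the ordering only matters for layout-changing style updates such as the plugin's.
bool assertHoldsWithNonLayoutDiff() {
    return withPendingRecalc(StyleDifference::Equal).layoutWithPostLayoutStyleRecalc();
}

int main() {
    std::printf("post-layout recalc, layout diff: ASSERT %s\n", assertHoldsWithBuggyOrder() ? "holds" : "fails");
    std::printf("pre-layout recalc, layout diff:  ASSERT %s\n", assertHoldsWithFixedOrder() ? "holds" : "fails");
    std::printf("post-layout recalc, equal diff:  ASSERT %s\n", assertHoldsWithNonLayoutDiff() ? "holds" : "fails");
    return 0;
}
```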
Comment 4 Simon Fraser (smfr) 2010-08-31 08:35:36 PDT
Dave Hyatt should review this.
Comment 5 Dave Hyatt 2010-08-31 09:39:56 PDT
I thought reapplyStyles actually called styleSelectorChanged, so I don't quite understand why this is happening.
Comment 6 Dave Hyatt 2010-08-31 09:45:00 PDT
The implementation of reapplyStyles contains:

m_doc->styleSelectorChanged(RecalcStyleImmediately);

I wouldn't think you could have a pending style recalculation after calling that.  Let me look into the implementation of that method.
Comment 7 Dave Hyatt 2010-08-31 09:53:49 PDT
I'm going to take this bug.
Comment 8 Dave Hyatt 2010-08-31 09:54:31 PDT
Comment on attachment 66043 [details]
Always run pending style recalcs when layouting.

Clearing flags.  I'm going to make a more comprehensive change here to eliminate the ability to even have this confusion.
Comment 9 Dave Hyatt 2010-08-31 21:51:22 PDT
Created attachment 66166 [details]
Patch
Comment 10 Early Warning System Bot 2010-08-31 22:03:12 PDT
Attachment 66166 [details] did not build on qt:
Build output: http://queues.webkit.org/results/3932006
Comment 11 Simon Fraser (smfr) 2010-08-31 22:17:17 PDT
Comment on attachment 66166 [details]
Patch

>  void FrameView::enterCompositingMode()
>  {
>  #if USE(ACCELERATED_COMPOSITING)
> -    if (RenderView* view = m_frame->contentRenderer())
> +    if (RenderView* view = m_frame->contentRenderer()) {
>          view->compositor()->enableCompositingMode();
> +        if (!needsLayout())
> +            view->compositor()->scheduleCompositingLayerUpdate();
> +    }
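Review bot: the new `if (!needsLayout())` guard in FrameView::enterCompositingMode() carries no comment explaining why a pending layout makes the scheduled compositing layer update unnecessary; add one naming the path that performs the update once layout runs, otherwise a later reader cannot tell whether silently skipping scheduleCompositingLayerUpdate() in the needsLayout() case is intentional or an omission.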

Why isn't the updateCompositingLayers() at the end of recalcStyle() enough here? scheduleCompositingLayerUpdate() was added for a very specific case, and I'm trying to avoid more timer proliferation.

> +    if (Frame* frame = core([self _frame])) {
> +        if (frame->document() && frame->document()->inPageCache())
> +            return;
> +        frame->document()->scheduleForcedStyleRecalc();
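Review bot: the null check on frame->document() only guards the early return; when document() is null the condition `frame->document() && frame->document()->inPageCache()` is false, the code falls through, and the next line dereferences the null document. Hoist the pointer and check it once, for example `Document* document = frame->document(); if (!document || document->inPageCache()) return; document->scheduleForcedStyleRecalc();`.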

Should scheduleForcedStyleRecalc() do the inPageCache() check?

r=me
Comment 12 Dave Hyatt 2010-08-31 23:01:15 PDT
Fixed.
Comment 13 Dave Hyatt 2010-08-31 23:03:45 PDT
I think it's not enough because you still haven't done the recalc style yet.  Maybe a better fix would be to force layerTreeAsText to update style after it does update layout.

It seems like layerTreeAsText is updating layout (which updates style and layout), but then we're left in a state because of the post tasks of needing to recalc style again (but I think it's just for a compositing update).
Comment 14 WebKit Review Bot 2010-08-31 23:06:27 PDT
http://trac.webkit.org/changeset/66577 might have broken Qt Linux ARMv5 Release
Comment 15 Simon Fraser (smfr) 2010-09-01 08:18:51 PDT
Maybe this is because plugins specifically do an enableCompositingMode() outside of a style recalc.
Comment 16 Eric Seidel (no email) 2010-09-02 02:33:23 PDT
There is suspicion this caused the fast/css/display-none-inline-style-change-crash failures on the SnowLeopard Bot.
Comment 17 Eric Seidel (no email) 2010-09-02 02:35:18 PDT
--- /Volumes/Data/WebKit-BuildSlave/snowleopard-intel-release-tests/build/layout-test-results/fast/css/display-none-inline-style-change-crash-expected.txt	2010-09-01 23:31:45.000000000 -0700
+++ /Volumes/Data/WebKit-BuildSlave/snowleopard-intel-release-tests/build/layout-test-results/fast/css/display-none-inline-style-change-crash-actual.txt	2010-09-01 23:31:45.000000000 -0700
@@ -1,3 +1,4 @@
+ALERT: 1 rule(s) were returned from getMatchedCSSRules, expected zero.
 Test for http://bugs.webkit.org/show_bug.cgi?id=15887 REGRESSION (r27576): Crash in RenderStyle::affectedByHoverRules clicking link on Digg.
 
 This test should not crash.
Comment 18 Eric Seidel (no email) 2010-09-02 02:37:18 PDT
http://build.webkit.org/builders/SnowLeopard%20Intel%20Release%20(Tests)/builds/16779

Was the first build to show this failure.  And

http://build.webkit.org/builders/SnowLeopard%20Intel%20Release%20(Tests)/builds/16776 was of the revision right before.  So that rather strongly indicates this change.
Comment 19 Eric Seidel (no email) 2010-09-02 02:38:25 PDT
I'm not sure why the sheriff bot didn't say anything.

And sorry, I meant:
http://build.webkit.org/builders/SnowLeopard%20Intel%20Release%20(Tests)/builds/16778
in my previous comment. :)