Bug 68686

Summary: Crash on editing/pasteboard/drag-drop-input-in-svg.svg
Product: WebKit
Reporter: Xan Lopez <xan.lopez>
Component: Layout and Rendering
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: hyatt, mrobinson, robert, zan
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified

Description Xan Lopez 2011-09-23 03:33:03 PDT
Happens in the GTK+ debug bot, trace as follows:

Thread 1 (Thread 0x2b09e1f26e40 (LWP 15228)):
#0  0x00002b09d4aaa1f0 in WebCore::deleteLineRange (layoutState=..., arena=0x2e27a520, startLine=0x2e2c3068, stopLine=0x0) at ../../Source/WebCore/rendering/RenderBlockLineLayout.cpp:984
#1  0x00002b09d4aab7ed in WebCore::RenderBlock::linkToEndLineIfNeeded (this=0x2e2b7498, layoutState=...) at ../../Source/WebCore/rendering/RenderBlockLineLayout.cpp:1220
#2  0x00002b09d4aaa6d2 in WebCore::RenderBlock::layoutRunsAndFloats (this=0x2e2b7498, layoutState=..., hasInlineChild=true) at ../../Source/WebCore/rendering/RenderBlockLineLayout.cpp:1050
#3  0x00002b09d4aac27a in WebCore::RenderBlock::layoutInlineChildren (this=0x2e2b7498, relayoutChildren=false, repaintLogicalTop=@0x7fffff1b311c, repaintLogicalBottom=@0x7fffff1b3118) at ../../Source/WebCore/rendering/RenderBlockLineLayout.cpp:1336
#4  0x00002b09d4a6d85e in WebCore::RenderBlock::layoutBlock (this=0x2e2b7498, relayoutChildren=false, pageLogicalHeight=0, layoutPass=WebCore::RenderBlock::NormalLayoutPass) at ../../Source/WebCore/rendering/RenderBlock.cpp:1266
#5  0x00002b09d4a6d09e in WebCore::RenderBlock::layout (this=0x2e2b7498) at ../../Source/WebCore/rendering/RenderBlock.cpp:1154
#6  0x00002b09d4a70d6e in WebCore::RenderBlock::layoutBlockChild (this=0x2e2b70c8, child=0x2e2b7498, marginInfo=..., previousFloatLogicalBottom=@0x7fffff1b33fc, maxFloatLogicalBottom=@0x7fffff1b3544) at ../../Source/WebCore/rendering/RenderBlock.cpp:2024
#7  0x00002b09d4a70990 in WebCore::RenderBlock::layoutBlockChildren (this=0x2e2b70c8, relayoutChildren=false, maxFloatLogicalBottom=@0x7fffff1b3544) at ../../Source/WebCore/rendering/RenderBlock.cpp:1961
#8  0x00002b09d4a6d87f in WebCore::RenderBlock::layoutBlock (this=0x2e2b70c8, relayoutChildren=false, pageLogicalHeight=0, layoutPass=WebCore::RenderBlock::NormalLayoutPass) at ../../Source/WebCore/rendering/RenderBlock.cpp:1268
#9  0x00002b09d4a6d09e in WebCore::RenderBlock::layout (this=0x2e2b70c8) at ../../Source/WebCore/rendering/RenderBlock.cpp:1154
#10 0x00002b09d4bd415c in WebCore::RenderSVGForeignObject::layout (this=0x2e2b70c8) at ../../Source/WebCore/rendering/svg/RenderSVGForeignObject.cpp:132
#11 0x00002b09d4c05a71 in WebCore::SVGRenderSupport::layoutChildren (start=0x2e2b5678, selfNeedsLayout=false) at ../../Source/WebCore/rendering/svg/SVGRenderSupport.cpp:242
#12 0x00002b09d4bf941c in WebCore::RenderSVGRoot::layout (this=0x2e2b5678) at ../../Source/WebCore/rendering/svg/RenderSVGRoot.cpp:227
#13 0x00002b09d48c98ba in WebCore::FrameView::layout (this=0x2df45420, allowSubtree=true) at ../../Source/WebCore/page/FrameView.cpp:1086
#14 0x00002b09d447ca6b in WebCore::Document::updateLayout (this=0x2e1fc6f0) at ../../Source/WebCore/dom/Document.cpp:1653
#15 0x00002b09d45e5d37 in WebCore::VisibleSelection::toNormalizedRange (this=0x7fffff1b40f0) at ../../Source/WebCore/editing/VisibleSelection.cpp:144
#16 0x00002b09d456e47d in WebCore::enclosingDeletableElement (selection=...) at ../../Source/WebCore/editing/DeleteButtonController.cpp:153
#17 0x00002b09d456e61d in WebCore::DeleteButtonController::respondToChangedSelection (this=0xcdeed0, oldSelection=...) at ../../Source/WebCore/editing/DeleteButtonController.cpp:176
#18 0x00002b09d458b28f in WebCore::Editor::respondToChangedSelection (this=0xceb910, oldSelection=...) at ../../Source/WebCore/editing/Editor.cpp:493
#19 0x00002b09d4598248 in WebCore::Editor::respondToChangedSelection (this=0xceb910, oldSelection=..., options=0) at ../../Source/WebCore/editing/Editor.cpp:3161
#20 0x00002b09d459c1f0 in WebCore::FrameSelection::setSelection (this=0xceb9d0, newSelection=..., options=0, align=WebCore::FrameSelection::AlignCursorOnScrollIfNeeded, granularity=WebCore::CharacterGranularity) at ../../Source/WebCore/editing/FrameSelection.cpp:233
#21 0x00002b09d459c975 in WebCore::FrameSelection::respondToNodeModification (this=0xceb9d0, node=0x2e2ba5d0, baseRemoved=true, extentRemoved=true, startRemoved=true, endRemoved=true) at ../../Source/WebCore/editing/FrameSelection.cpp:329
#22 0x00002b09d459c674 in WebCore::FrameSelection::nodeWillBeRemoved (this=0xceb9d0, node=0x2e2ba5d0) at ../../Source/WebCore/editing/FrameSelection.cpp:292
#23 0x00002b09d44830c4 in WebCore::Document::nodeWillBeRemoved (this=0x2e1fc6f0, n=0x2e2ba5d0) at ../../Source/WebCore/dom/Document.cpp:3370
#24 0x00002b09d446264f in WebCore::willRemoveChild (child=0x2e2ba5d0) at ../../Source/WebCore/dom/ContainerNode.cpp:387
#25 0x00002b09d4462868 in WebCore::ContainerNode::removeChild (this=0x2e2b7360, oldChild=0x2e2ba5d0, ec=@0x7fffff1b452c) at ../../Source/WebCore/dom/ContainerNode.cpp:432
#26 0x00002b09d44f2e77 in WebCore::Node::removeChild (this=0x2e2b7360, oldChild=0x2e2ba5d0, ec=@0x7fffff1b452c) at ../../Source/WebCore/dom/Node.cpp:674
#27 0x00002b09d42acd72 in WebCore::JSNode::removeChild (this=0x2b0a23be3320, exec=0x2b0a237d70e8) at ../../Source/WebCore/bindings/js/JSNodeCustom.cpp:172
#28 0x00002b09d4fdd483 in WebCore::jsNodePrototypeFunctionRemoveChild (exec=0x2b0a237d70e8) at DerivedSources/WebCore/JSNode.cpp:529
#29 0x00002b09e239d1f8 in ?? ()
#30 0x00007fffff1b4640 in ?? ()
#31 0x00002b09e23a6a8f in ?? ()
#32 0x00007fffff1b45c0 in ?? ()
#33 0x00002b0a23be3320 in ?? ()
#34 0x000000002e276538 in ?? ()
#35 0x00002b0a00000001 in ?? ()
Comment 1 Martin Robinson 2011-09-23 06:58:03 PDT
CCing some people who have touched this file recently. Does either of you know what might be causing this new crash?
Comment 2 Zan Dobersek 2012-07-15 10:37:51 PDT
The crash no longer occurs, so the expectation was removed in http://trac.webkit.org/changeset/118474. Closing the bug.