Bug 70422

Summary: REGRESSION: Crash in WebCore::RenderBox::mapAbsoluteToLocalPoint due to assert failure
Product: WebKit
Reporter: Dimitris Apostolou <dimitris.apostolou>
Component: WebCore Misc.
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE
Severity: Critical
CC: simon.fraser
Priority: P1
Version: 528+ (Nightly build)
Hardware: Mac (Intel)
OS: OS X 10.7

Dimitris Apostolou
Reported 2011-10-19 08:47:26 PDT
Created attachment 111628 [details] Crash log.
r97844
Reproducibility: once
Steps: I think I clicked into a text field in JIRA and scrolled the content.
What happened: Assert failure and then crash.
ASSERTION FAILED: !view() || !view()->layoutStateEnabled()
/Users/rex/WebKit/Source/WebCore/rendering/RenderBox.cpp(1383) : virtual void WebCore::RenderBox::mapAbsoluteToLocalPoint(bool, bool, WebCore::TransformState &) const
1 0x105330d84 WebCore::RenderBox::mapAbsoluteToLocalPoint(bool, bool, WebCore::TransformState&) const
2 0x1053f8e95 WebCore::RenderObject::absoluteToLocal(WebCore::FloatPoint const&, bool, bool) const
3 0x10494e873 WebCore::FrameView::convertToRenderer(WebCore::RenderObject const*, WebCore::IntPoint const&) const
4 0x1053a5c5e WebCore::RenderLayer::convertFromContainingViewToScrollbar(WebCore::Scrollbar const*, WebCore::IntPoint const&) const
5 0x105576fe8 WebCore::Scrollbar::convertFromContainingView(WebCore::IntPoint const&) const
6 0x10556ea48 -[WebScrollbarPainterControllerDelegate scrollerImpPair:convertContentPoint:toScrollerImp:]
7 0x109ad42d8 -[NSScrollerImpPair _updateOverlayScrollersStateWithReason:forceAtLeastKnobsVisible:]
8 0x105571f04 WebCore::ScrollAnimatorMac::notifyPositionChanged()
9 0x105571a18 WebCore::ScrollAnimatorMac::immediateScrollToPoint(WebCore::FloatPoint const&)
10 0x105571963 WebCore::ScrollAnimatorMac::scrollToOffsetWithoutAnimation(WebCore::FloatPoint const&)
11 0x10556c1fc WebCore::ScrollableArea::scrollToOffsetWithoutAnimation(WebCore::FloatPoint const&)
12 0x1053a2763 WebCore::RenderLayer::scrollToOffset(int, int, WebCore::RenderLayer::ScrollOffsetClamping)
13 0x1053a7187 WebCore::RenderLayer::updateScrollInfoAfterLayout()
14 0x1052c8f11 WebCore::RenderBlock::updateScrollInfoAfterLayout()
15 0x1052c9cb3 WebCore::RenderBlock::layoutBlock(bool, int, WebCore::RenderBlock::BlockLayoutPass)
16 0x1052c8f67 WebCore::RenderBlock::layout()
17 0x10494664c WebCore::FrameView::layout(bool)
18 0x10468bd11 WebCore::Document::updateLayout()
19 0x10468be44 WebCore::Document::updateLayoutIgnorePendingStylesheets()
20 0x1048276dd WebCore::EditCommand::updateLayout() const
21 0x1046738b2 WebCore::DeleteSelectionCommand::fixupWhitespace()
22 0x104675d22 WebCore::DeleteSelectionCommand::doApply()
23 0x104827628 WebCore::EditCommand::apply()
24 0x104494afd WebCore::CompositeEditCommand::applyCommandToComposite(WTF::PassRefPtr<WebCore::EditCommand>)
25 0x1044970d6 WebCore::CompositeEditCommand::deleteSelection(WebCore::VisibleSelection const&, bool, bool, bool, bool)
26 0x10579f659 WebCore::TypingCommand::deleteKeyPressed(WebCore::TextGranularity, bool)
27 0x1057a190a WebCore::TypingCommand::doApply()
28 0x104827628 WebCore::EditCommand::apply()
29 0x10579e72e WebCore::TypingCommand::deleteKeyPressed(WebCore::Document*, unsigned int, WebCore::TextGranularity)
30 0x10483636e WebCore::Editor::deleteWithDirection(WebCore::SelectionDirection, WebCore::TextGranularity, bool, bool)
31 0x10484c047 _ZN7WebCoreL21executeDeleteBackwardEPNS_5FrameEPNS_5EventENS_19EditorCommandSourceERKN3WTF6StringE
Expected result: WebKit does not crash.
Attachments
Crash log. (53.07 KB, text/plain)
2011-10-19 08:47 PDT, Dimitris Apostolou
no flags
One more crash log. (51.25 KB, application/octet-stream)
2011-10-19 09:32 PDT, Dimitris Apostolou
no flags
One more. (52.61 KB, text/plain)
2011-10-24 13:50 PDT, Dimitris Apostolou
no flags
Dimitris Apostolou
Comment 1 2011-10-19 09:32:23 PDT
Created attachment 111635 [details] One more crash log.
Dimitris Apostolou
Comment 2 2011-10-19 09:34:07 PDT
Got it again. Happened while I was typing into a JIRA text field which searches within the database for stored values and presents the ones matching the typed string.
ASSERTION FAILED: !view() || !view()->layoutStateEnabled()
/Users/rex/WebKit/Source/WebCore/rendering/RenderBox.cpp(1383) : virtual void WebCore::RenderBox::mapAbsoluteToLocalPoint(bool, bool, WebCore::TransformState &) const
1 0x1108577a4 WebCore::RenderBox::mapAbsoluteToLocalPoint(bool, bool, WebCore::TransformState&) const
2 0x11091f8b5 WebCore::RenderObject::absoluteToLocal(WebCore::FloatPoint const&, bool, bool) const
3 0x10fe74de3 WebCore::FrameView::convertToRenderer(WebCore::RenderObject const*, WebCore::IntPoint const&) const
4 0x1108cc67e WebCore::RenderLayer::convertFromContainingViewToScrollbar(WebCore::Scrollbar const*, WebCore::IntPoint const&) const
5 0x110a9f0d8 WebCore::Scrollbar::convertFromContainingView(WebCore::IntPoint const&) const
6 0x110a96b38 -[WebScrollbarPainterControllerDelegate scrollerImpPair:convertContentPoint:toScrollerImp:]
7 0x1150022d8 -[NSScrollerImpPair _updateOverlayScrollersStateWithReason:forceAtLeastKnobsVisible:]
8 0x110a99ff4 WebCore::ScrollAnimatorMac::notifyPositionChanged()
9 0x110a99b08 WebCore::ScrollAnimatorMac::immediateScrollToPoint(WebCore::FloatPoint const&)
10 0x110a99a53 WebCore::ScrollAnimatorMac::scrollToOffsetWithoutAnimation(WebCore::FloatPoint const&)
11 0x110a942ec WebCore::ScrollableArea::scrollToOffsetWithoutAnimation(WebCore::FloatPoint const&)
12 0x1108c9183 WebCore::RenderLayer::scrollToOffset(int, int, WebCore::RenderLayer::ScrollOffsetClamping)
13 0x1108cdba7 WebCore::RenderLayer::updateScrollInfoAfterLayout()
14 0x1107ef931 WebCore::RenderBlock::updateScrollInfoAfterLayout()
15 0x1107f06d3 WebCore::RenderBlock::layoutBlock(bool, int, WebCore::RenderBlock::BlockLayoutPass)
16 0x1107ef987 WebCore::RenderBlock::layout()
17 0x10fe6cbbc WebCore::FrameView::layout(bool)
18 0x10fbb2501 WebCore::Document::updateLayout()
19 0x10fbb2634 WebCore::Document::updateLayoutIgnorePendingStylesheets()
20 0x10fd4decd WebCore::EditCommand::updateLayout() const
21 0x10fb9a0a2 WebCore::DeleteSelectionCommand::fixupWhitespace()
22 0x10fb9c512 WebCore::DeleteSelectionCommand::doApply()
23 0x10fd4de18 WebCore::EditCommand::apply()
24 0x10f9bb1ad WebCore::CompositeEditCommand::applyCommandToComposite(WTF::PassRefPtr<WebCore::EditCommand>)
25 0x10f9bd786 WebCore::CompositeEditCommand::deleteSelection(WebCore::VisibleSelection const&, bool, bool, bool, bool)
26 0x110cc78e9 WebCore::TypingCommand::deleteKeyPressed(WebCore::TextGranularity, bool)
27 0x110cc9b9a WebCore::TypingCommand::doApply()
28 0x10fd4de18 WebCore::EditCommand::apply()
29 0x110cc69be WebCore::TypingCommand::deleteKeyPressed(WebCore::Document*, unsigned int, WebCore::TextGranularity)
30 0x10fd5cb5e WebCore::Editor::deleteWithDirection(WebCore::SelectionDirection, WebCore::TextGranularity, bool, bool)
31 0x10fd72837 _ZN7WebCoreL21executeDeleteBackwardEPNS_5FrameEPNS_5EventENS_19EditorCommandSourceERKN3WTF6StringE
Alexey Proskuryakov
Comment 3 2011-10-19 13:05:37 PDT
Jeff, this sounds like something you've been working on. Changes for bug 70152 have been rolled out though, so I'm not sure.
Jeff Miller
Comment 4 2011-10-19 15:26:13 PDT
(In reply to comment #3)
> Jeff, this sounds like something you've been working on. Changes for bug 70152 have been rolled out though, so I'm not sure.
Since those changes were rolled out in http://trac.webkit.org/changeset/97688, I don't think this is related to anything I'm working on.
Dimitris Apostolou
Comment 5 2011-10-24 13:50:04 PDT
r98256
Found a way to reproduce always.
1. Edit a JIRA issue.
2. Triple click on some text in the description in order to select the whole line and hit backspace to delete.
ASSERTION FAILED: !view() || !view()->layoutStateEnabled()
/Users/rex/WebKit/Source/WebCore/rendering/RenderBox.cpp(1388) : virtual void WebCore::RenderBox::mapAbsoluteToLocalPoint(bool, bool, WebCore::TransformState &) const
1 0x105bf3024 WebCore::RenderBox::mapAbsoluteToLocalPoint(bool, bool, WebCore::TransformState&) const
2 0x105cbb4a5 WebCore::RenderObject::absoluteToLocal(WebCore::FloatPoint const&, bool, bool) const
3 0x10520eb43 WebCore::FrameView::convertToRenderer(WebCore::RenderObject const*, WebCore::IntPoint const&) const
4 0x105c6800e WebCore::RenderLayer::convertFromContainingViewToScrollbar(WebCore::Scrollbar const*, WebCore::IntPoint const&) const
5 0x105e39a28 WebCore::Scrollbar::convertFromContainingView(WebCore::IntPoint const&) const
6 0x105e31078 -[WebScrollbarPainterControllerDelegate scrollerImpPair:convertContentPoint:toScrollerImp:]
7 0x10a3a52d8 -[NSScrollerImpPair _updateOverlayScrollersStateWithReason:forceAtLeastKnobsVisible:]
8 0x105e34731 WebCore::ScrollAnimatorMac::notifyPositionChanged()
9 0x105e34218 WebCore::ScrollAnimatorMac::immediateScrollToPoint(WebCore::FloatPoint const&)
10 0x105e34163 WebCore::ScrollAnimatorMac::scrollToOffsetWithoutAnimation(WebCore::FloatPoint const&)
11 0x105e2e82c WebCore::ScrollableArea::scrollToOffsetWithoutAnimation(WebCore::FloatPoint const&)
12 0x105c64b23 WebCore::RenderLayer::scrollToOffset(int, int, WebCore::RenderLayer::ScrollOffsetClamping)
13 0x105c69537 WebCore::RenderLayer::updateScrollInfoAfterLayout()
14 0x105b8b101 WebCore::RenderBlock::updateScrollInfoAfterLayout()
15 0x105b8bea3 WebCore::RenderBlock::layoutBlock(bool, int, WebCore::RenderBlock::BlockLayoutPass)
16 0x105b8b157 WebCore::RenderBlock::layout()
17 0x10520686c WebCore::FrameView::layout(bool)
18 0x104f4e901 WebCore::Document::updateLayout()
19 0x104f4ea34 WebCore::Document::updateLayoutIgnorePendingStylesheets()
20 0x1050e72cd WebCore::EditCommand::updateLayout() const
21 0x104f364a2 WebCore::DeleteSelectionCommand::fixupWhitespace()
22 0x104f38912 WebCore::DeleteSelectionCommand::doApply()
23 0x1050e7218 WebCore::EditCommand::apply()
24 0x104d57a0d WebCore::CompositeEditCommand::applyCommandToComposite(WTF::PassRefPtr<WebCore::EditCommand>)
25 0x104d59fe6 WebCore::CompositeEditCommand::deleteSelection(WebCore::VisibleSelection const&, bool, bool, bool, bool)
26 0x106062429 WebCore::TypingCommand::deleteKeyPressed(WebCore::TextGranularity, bool)
27 0x1060646da WebCore::TypingCommand::doApply()
28 0x1050e7218 WebCore::EditCommand::apply()
29 0x1060614fe WebCore::TypingCommand::deleteKeyPressed(WebCore::Document*, unsigned int, WebCore::TextGranularity)
30 0x1050f5f3e WebCore::Editor::deleteWithDirection(WebCore::SelectionDirection, WebCore::TextGranularity, bool, bool)
31 0x10510bd87 _ZN7WebCoreL21executeDeleteBackwardEPNS_5FrameEPNS_5EventENS_19EditorCommandSourceERKN3WTF6StringE
Dimitris Apostolou
Comment 6 2011-10-24 13:50:47 PDT
Created attachment 112242 [details] One more.
Dimitris Apostolou
Comment 7 2011-10-24 13:53:09 PDT
Really important: The line to be deleted must be a URL.
Dimitris Apostolou
Comment 8 2011-10-25 23:23:12 PDT
*** Bug 70844 has been marked as a duplicate of this bug. ***
Dimitris Apostolou
Comment 9 2011-10-25 23:24:52 PDT
New steps to reproduce 100%
1. Paste the actual stack trace of this bug into the "Additional Comments" field...
2. Edit -> Undo Typing (or press Cmd+Z)
Alexey Proskuryakov
Comment 10 2011-10-26 08:21:20 PDT
*** This bug has been marked as a duplicate of bug 69187 ***