Bug 70678

Summary:

Crash in WebCore::RenderTableSection::addChild due to assert failure

Product:

WebKit

Reporter:

Dimitris Apostolou <dimitris.apostolou>

Component:

WebCore Misc.

Assignee:

Fady Samuel <fsamuel>

Status:

RESOLVED FIXED

Severity:

Critical

CC:

fsamuel, hyatt, inferno, mitz, webkit.review.bot

Priority:

Version:

528+ (Nightly build)

Hardware:

Mac (Intel)

OS:

OS X 10.7

URL:

http://dictionary.reference.com/browse/hem

Attachments:

Description	Flags
Crash log.	none
Reduction: Inserting span between two rows triggers an ASSERT failure	none
Improved Reduction	none
Patch	none
Patch	none

Dimitris Apostolou

Reported 2011-10-22 05:05:10 PDT

Created attachment 112086 [details] Crash log. r Reproducibility: always Steps: Go to http://dictionary.reference.com/browse/hem What happened: Infinite loop, assert failure and crash. ASSERTION FAILED: row->isAnonymous() /Users/rex/WebKit/Source/WebCore/rendering/RenderTableSection.cpp(123) : virtual void WebCore::RenderTableSection::addChild(WebCore::RenderObject *, WebCore::RenderObject *) 1 0x1054c81e8 WebCore::RenderTableSection::addChild(WebCore::RenderObject*, WebCore::RenderObject*) 2 0x105247e20 WebCore::NodeRendererFactory::createRendererIfNeeded() 3 0x10522cad9 WebCore::Node::createRendererIfNeeded() 4 0x104885a78 WebCore::Element::attach() 5 0x1044867d6 WebCore::Node::reattach() 6 0x1048863f3 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) 7 0x104886baf WebCore::Element::recalcStyle(WebCore::Node::StyleChange) 8 0x104886baf WebCore::Element::recalcStyle(WebCore::Node::StyleChange) 9 0x104886baf WebCore::Element::recalcStyle(WebCore::Node::StyleChange) 10 0x104886baf WebCore::Element::recalcStyle(WebCore::Node::StyleChange) 11 0x104886baf WebCore::Element::recalcStyle(WebCore::Node::StyleChange) 12 0x104886baf WebCore::Element::recalcStyle(WebCore::Node::StyleChange) 13 0x104886baf WebCore::Element::recalcStyle(WebCore::Node::StyleChange) 14 0x104886baf WebCore::Element::recalcStyle(WebCore::Node::StyleChange) 15 0x104886baf WebCore::Element::recalcStyle(WebCore::Node::StyleChange) 16 0x104886baf WebCore::Element::recalcStyle(WebCore::Node::StyleChange) 17 0x104886baf WebCore::Element::recalcStyle(WebCore::Node::StyleChange) 18 0x104886baf WebCore::Element::recalcStyle(WebCore::Node::StyleChange) 19 0x104886baf WebCore::Element::recalcStyle(WebCore::Node::StyleChange) 20 0x104886baf WebCore::Element::recalcStyle(WebCore::Node::StyleChange) 21 0x104886baf WebCore::Element::recalcStyle(WebCore::Node::StyleChange) 22 0x104886baf WebCore::Element::recalcStyle(WebCore::Node::StyleChange) 23 0x104886baf WebCore::Element::recalcStyle(WebCore::Node::StyleChange) 24 0x1046b74e1 WebCore::Document::recalcStyle(WebCore::Node::StyleChange) 25 0x1046b8559 WebCore::Document::updateStyleIfNeeded() 26 0x1046c2cff WebCore::Document::finishedParsing() 27 0x104af8eff WebCore::HTMLTreeBuilder::finished() 28 0x104a449e9 WebCore::HTMLDocumentParser::end() 29 0x104a4398c WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() 30 0x104a43787 WebCore::HTMLDocumentParser::prepareToStopParsing() 31 0x104a441a1 WebCore::HTMLDocumentParser::endIfDelayed() Expected result: No infinite loop, no assert failure, no crash.

Attachments
Crash log. (45.26 KB, text/plain) 2011-10-22 05:05 PDT, Dimitris Apostolou	no flags	Details
Reduction: Inserting span between two rows triggers an ASSERT failure (905 bytes, text/html) 2011-10-24 11:58 PDT, Fady Samuel	no flags	Details
Improved Reduction (975 bytes, text/html) 2011-10-24 12:17 PDT, Fady Samuel	no flags	Details
Patch (12.13 KB, patch) 2011-10-24 15:49 PDT, Fady Samuel	no flags	Details Formatted Diff Diff
Patch (12.14 KB, patch) 2011-10-24 16:01 PDT, Fady Samuel	no flags	Details Formatted Diff Diff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.

Dimitris Apostolou

Comment 1 2011-10-22 05:05:38 PDT

r98157

Fady Samuel

Comment 2 2011-10-24 07:45:58 PDT

I'm seeing this bug in Chromium on Linux as well.

Abhishek Arya

Comment 3 2011-10-24 11:13:04 PDT

(In reply to comment #2) > I'm seeing this bug in Chromium on Linux as well. We would need a reduction to see what is going on. But as i understand, we should probably need to change that assert into a hard check, and not adding it as a child when previous sibling is not anonymous. We should just continue forward in that function and let it get shoved into a new anonymous block. note that you would need fixes in rendertable, rendertablesection, rendertablerow and rendertablecell. (same code exists there, check out bug 69536.)

Fady Samuel

Comment 4 2011-10-24 11:58:24 PDT

Created attachment 112224 [details] Reduction: Inserting span between two rows triggers an ASSERT failure

Abhishek Arya

Comment 5 2011-10-24 12:01:26 PDT

Nice, so now you need to see whether the span has to go in its own new anonymous block or it has to go as a last child of row-1. Please compare with firefox, opera renderings.

Abhishek Arya

Comment 6 2011-10-24 12:10:04 PDT

(In reply to comment #5) > Nice, so now you need to see whether the span has to go in its own new anonymous block or it has to go as a last child of row-1. Please compare with firefox, opera renderings. Add this to testcase. spanElement.appendChild(document.createTextNode("Some text.")); You will see the wrong rendering. You need to change that assert into a hard check. We need to add the child into its own new anonymous row.

Fady Samuel

Comment 7 2011-10-24 12:17:00 PDT

(In reply to comment #6) > (In reply to comment #5) > > Nice, so now you need to see whether the span has to go in its own new anonymous block or it has to go as a last child of row-1. Please compare with firefox, opera renderings. > > Add this to testcase. spanElement.appendChild(document.createTextNode("Some text.")); > > You will see the wrong rendering. You need to change that assert into a hard check. We need to add the child into its own new anonymous row. Yup, Firefox inserts the text as a row between row-1, and row-2.

Fady Samuel

Comment 8 2011-10-24 12:17:27 PDT

Created attachment 112230 [details] Improved Reduction

Abhishek Arya

Comment 9 2011-10-24 12:20:03 PDT

(In reply to comment #8) > Created an attachment (id=112230) [details] > Improved Reduction Perfect, do remember to fix all the three places Source/WebCore/rendering/RenderTable.cpp (view diffs) Source/WebCore/rendering/RenderTableRow.cpp (view diffs) Source/WebCore/rendering/RenderTableSection.cpp (view diffs)

Fady Samuel

Comment 10 2011-10-24 13:13:43 PDT

(In reply to comment #9) > (In reply to comment #8) > > Created an attachment (id=112230) [details] [details] > > Improved Reduction > > Perfect, do remember to fix all the three places > > Source/WebCore/rendering/RenderTable.cpp (view diffs) > Source/WebCore/rendering/RenderTableRow.cpp (view diffs) > Source/WebCore/rendering/RenderTableSection.cpp (view diffs) Yup, will do, I probably needs tests for all three cases right? Three layout tests.

Abhishek Arya

Comment 11 2011-10-24 13:16:23 PDT

(In reply to comment #10) > (In reply to comment #9) > > (In reply to comment #8) > > > Created an attachment (id=112230) [details] [details] [details] > > > Improved Reduction > > > > Perfect, do remember to fix all the three places > > > > Source/WebCore/rendering/RenderTable.cpp (view diffs) > > Source/WebCore/rendering/RenderTableRow.cpp (view diffs) > > Source/WebCore/rendering/RenderTableSection.cpp (view diffs) > > Yup, will do, I probably needs tests for all three cases right? Three layout tests. Yeah. You can add all the cases in one test too.

Fady Samuel

Comment 12 2011-10-24 15:49:09 PDT

Created attachment 112265 [details] Patch

Simon Fraser (smfr)

Comment 13 2011-10-24 15:55:51 PDT

Comment on attachment 112265 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=112265&action=review > Source/WebCore/ChangeLog:13 > + we need to create a new anonymous Section/Row/Cell respectively, insteading failing an "insteading" -> instead of

Fady Samuel

Comment 14 2011-10-24 16:01:11 PDT

Created attachment 112267 [details] Patch

Fady Samuel

Comment 15 2011-10-24 16:01:30 PDT

(In reply to comment #13) > (From update of attachment 112265 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=112265&action=review > > > Source/WebCore/ChangeLog:13 > > + we need to create a new anonymous Section/Row/Cell respectively, insteading failing an > > "insteading" -> instead of Oops, fixed.

Dave Hyatt

Comment 16 2011-10-25 11:12:33 PDT

Comment on attachment 112267 [details] Patch r=me

WebKit Review Bot

Comment 17 2011-10-25 12:10:07 PDT

Comment on attachment 112267 [details] Patch Clearing flags on attachment: 112267 Committed r98372: <http://trac.webkit.org/changeset/98372>

WebKit Review Bot

Comment 18 2011-10-25 12:10:13 PDT

All reviewed patches have been landed. Closing bug.

Note You need to log in before you can comment on or make changes to this bug.