Bug 102957 - [CSS Regions] Crash when using hover and first-letter inside a flow-thread
Summary: [CSS Regions] Crash when using hover and first-letter inside a flow-thread
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Alexandru Chiculita
Keywords: AdobeTracked
Depends on:
Blocks: 57312 103324
Reported: 2012-11-21 10:06 PST by Alexandru Chiculita
Modified: 2012-11-28 12:40 PST

See Also:

test case (395 bytes, text/html)
2012-11-21 10:29 PST, Alexandru Chiculita, no flags
Patch (10.09 KB, patch)
2012-11-27 04:47 PST, Andrei Bucur, flags: buildbot: commit-queue-
Patch V1 (11.07 KB, patch)
2012-11-28 11:16 PST, Alexandru Chiculita, no flags

Description Alexandru Chiculita 2012-11-21 10:06:23 PST
Use the attached test case. Hover the text in the first region.

I got the following ASSERT in Debug and a crash in Release mode.

ASSERTION FAILED: enclosingRenderFlowThread()
/Users/achicu/code/chromium2/src/third_party/WebKit/Source/WebCore/rendering/RenderObject.cpp(2451) : virtual void WebCore::RenderObject::willBeRemovedFromTree()
1   0x103d04932 WebCore::RenderObject::willBeRemovedFromTree()
2   0x103d084d5 WebCore::RenderObjectChildList::removeChildNode(WebCore::RenderObject*, WebCore::RenderObject*, bool)
3   0x103cf5974 WebCore::RenderObject::removeChild(WebCore::RenderObject*)
4   0x103c63336 WebCore::RenderObject::remove()
5   0x103d043ca WebCore::RenderObject::willBeDestroyed()
6   0x103de87cd WebCore::RenderText::willBeDestroyed()
7   0x103df9ea8 WebCore::RenderTextFragment::willBeDestroyed()
8   0x103d04b3d WebCore::RenderObject::destroy()
9   0x103d08339 WebCore::RenderObjectChildList::destroyLeftoverChildren()
10  0x103c6e048 WebCore::RenderInline::willBeDestroyed()
11  0x103d04b3d WebCore::RenderObject::destroy()
12  0x103df9e9c WebCore::RenderTextFragment::willBeDestroyed()
13  0x103d04b3d WebCore::RenderObject::destroy()
14  0x103d08339 WebCore::RenderObjectChildList::destroyLeftoverChildren()
15  0x103b6b7f7 WebCore::RenderBlock::willBeDestroyed()
16  0x103ccd4ba WebCore::RenderListItem::willBeDestroyed()
17  0x103d04b3d WebCore::RenderObject::destroy()
18  0x103d04b0c WebCore::RenderObject::destroyAndCleanupAnonymousWrappers()
19  0x103a87ff5 WebCore::Node::detach()
20  0x102af0f6f WebCore::ContainerNode::detach()
21  0x102f0ebee WebCore::Element::detach()
22  0x102a852a6 WebCore::Node::reattach()
23  0x102f0f38f WebCore::Element::recalcStyle(WebCore::Node::StyleChange)
24  0x102f0f9bf WebCore::Element::recalcStyle(WebCore::Node::StyleChange)
25  0x102f0f9bf WebCore::Element::recalcStyle(WebCore::Node::StyleChange)
26  0x102f0f9bf WebCore::Element::recalcStyle(WebCore::Node::StyleChange)
27  0x102d03874 WebCore::Document::recalcStyle(WebCore::Node::StyleChange)
28  0x102cff95c WebCore::Document::updateStyleIfNeeded()
29  0x102d085f8 WebCore::Document::prepareMouseEvent(WebCore::HitTestRequest const&, WebCore::LayoutPoint const&, WebCore::PlatformMouseEvent const&)
30  0x102f42d51 WebCore::EventHandler::prepareMouseEvent(WebCore::HitTestRequest const&, WebCore::PlatformMouseEvent const&)
31  0x102f432ca WebCore::EventHandler::handleMouseMoveEvent(WebCore::PlatformMouseEvent const&, WebCore::HitTestResult*, bool)
Comment 1 Alexandru Chiculita 2012-11-21 10:29:08 PST
Created attachment 175479 [details]
test case
Comment 2 Andrei Bucur 2012-11-27 04:47:54 PST
Created attachment 176236 [details]
Comment 3 Build Bot 2012-11-27 13:59:22 PST
Comment on attachment 176236 [details]

Attachment 176236 [details] did not pass mac-ews (mac):
Output: http://queues.webkit.org/results/15025126
Comment 4 Alexandru Chiculita 2012-11-27 15:14:08 PST
The issue is easier than that. RenderObjectChildList::destroyLeftoverChildren has a case where it only removes the elements, but lets the object be destroyed by its owner.

Because of that, it will call remove() on the child objects after the parent is going to be removed already. I have a patch locally where I remove the children objects from the flow thread when the first remove() happens, so that by the time they get destroyed they are already removed and there's no need to look up the flow thread anymore.
Comment 5 Alexandru Chiculita 2012-11-28 11:16:36 PST
Created attachment 176528 [details]
Patch V1
Comment 6 Dave Hyatt 2012-11-28 12:02:19 PST
Comment on attachment 176528 [details]
Patch V1

Comment 7 WebKit Review Bot 2012-11-28 12:40:41 PST
Comment on attachment 176528 [details]
Patch V1

Clearing flags on attachment: 176528

Committed r136045: <http://trac.webkit.org/changeset/136045>
Comment 8 WebKit Review Bot 2012-11-28 12:40:45 PST
All reviewed patches have been landed.  Closing bug.