WebKit Bugzilla
RESOLVED DUPLICATE of bug 106224
107223
ASSERTION FAILED: parent->inDocument() loading playboy.com
https://bugs.webkit.org/show_bug.cgi?id=107223
Simon Fraser (smfr)
Reported
2013-01-17 21:50:56 PST
Loading http://www.playboy.com (which is in the Alexa 1000) hits:

ASSERTION FAILED: parent->inDocument()
/Volumes/DataSSD/Development/apple/webkit/WebKit.git/Source/WebCore/dom/PseudoElement.cpp(47) : WebCore::PseudoElement::PseudoElement(WebCore::Element *, WebCore::PseudoId)
1 0x1046ce23b WebCore::PseudoElement::PseudoElement(WebCore::Element*, WebCore::PseudoId)
2 0x1046ce143 WebCore::PseudoElement::PseudoElement(WebCore::Element*, WebCore::PseudoId)
3 0x103a5f1d1 WebCore::PseudoElement::create(WebCore::Element*, WebCore::PseudoId)
4 0x103a5a7ac WebCore::Element::createPseudoElementIfNeeded(WebCore::PseudoId)
5 0x103a56493 WebCore::Element::updatePseudoElement(WebCore::PseudoId, WebCore::Node::StyleChange)
6 0x103a56221 WebCore::Element::attach()
7 0x1036206e3 WebCore::ContainerNode::attachChildren()
8 0x10361dd49 WebCore::ContainerNode::attach()
9 0x103a5620e WebCore::Element::attach()
10 0x103a5e746 WebCore::Node::reattach()
11 0x103a56e2d WebCore::Element::recalcStyle(WebCore::Node::StyleChange)
12 0x103a572bd WebCore::Element::recalcStyle(WebCore::Node::StyleChange)
13 0x10383bf3e WebCore::Document::recalcStyle(WebCore::Node::StyleChange)
14 0x1038392ad WebCore::Document::styleResolverChanged(WebCore::StyleResolverUpdateFlag)
15 0x10383fca5 WebCore::Document::didRemoveAllPendingStylesheet()
16 0x1038c3210 WebCore::DocumentStyleSheetCollection::removePendingSheet(WebCore::DocumentStyleSheetCollection::RemovePendingSheetNotificationType)
17 0x104bb767b WebCore::StyleElement::sheetLoaded(WebCore::Document*)
18 0x103d45b7e WebCore::HTMLStyleElement::sheetLoaded()
19 0x104c2d3e7 WebCore::StyleSheetContents::checkLoaded()
20 0x104bb74ba WebCore::StyleElement::createSheet(WebCore::Element*, WTF::OrdinalNumber, WTF::String const&)
21 0x104bb6b00 WebCore::StyleElement::process(WebCore::Element*)
22 0x104bb6872 WebCore::StyleElement::insertedIntoDocument(WebCore::Document*, WebCore::Element*)
23 0x103d45030 WebCore::HTMLStyleElement::insertedInto(WebCore::ContainerNode*)
24 0x103623f32 WebCore::ChildNodeInsertionNotifier::notifyNodeInsertedIntoDocument(WebCore::Node*)
25 0x1036244b3 WebCore::ChildNodeInsertionNotifier::notifyDescendantInsertedIntoDocument(WebCore::ContainerNode*)
26 0x103623f80 WebCore::ChildNodeInsertionNotifier::notifyNodeInsertedIntoDocument(WebCore::Node*)
27 0x10361fe0a WebCore::ChildNodeInsertionNotifier::notify(WebCore::Node*)
28 0x10361c0a5 WebCore::updateTreeAfterInsertion(WebCore::ContainerNode*, WebCore::Node*, bool)
29 0x10361b8d2 WebCore::ContainerNode::appendChild(WTF::PassRefPtr<WebCore::Node>, int&, bool)
30 0x1045fdf8a WebCore::Node::appendChild(WTF::PassRefPtr<WebCore::Node>, int&, bool)
31 0x104237e21 WebCore::JSNode::appendChild(JSC::ExecState*)
Simon Fraser (smfr)
Comment 1
2013-01-17 21:54:34 PST
WebKit r140093
Hajime Morrita
Comment 2
2013-01-17 22:38:02 PST
ccing esprehn

Looks like the same as https://code.google.com/p/chromium/issues/detail?id=170225 (not visible outside chromium...), which says http://stuffandnonsense.co.uk/blog/about/home-screen-icons-and-startup-screens crashes and shows a similar stack trace.
Elliott Sprehn
Comment 3
2013-01-18 02:56:49 PST
I believe I've figured this out:

When you appendChild a node with a <style> in it we recursively notify all the children with Node::insertedInto which hits the HTMLStyleElement::insertedInto which then calls StyleElement::insertedIntoDocument if the insertionPoint is inDocument.

This kicks off a bunch of style machinery and we end up in Document::styleResolverChanged where we do a recalcStyle(Forced) on the Document which may cause a reattach() which would then recursively walk the tree creating renderers. At this point we're still inside the HTMLStyleElement::insertedInto so none of the siblings of that style element know they're inDocument yet, even though they're going through recalcStyle, being attached, and creating renderers.

Something like:

var div = document.createElement('div');
var style = document.createElement('style');
style.textContent = 'body { display: inline; } span:before { content: "x"; }';
div.appendChild(style);
div.appendChild(document.createElement('span'));
document.body.appendChild(div);

Here we end up reattach()'ing <body> because now it's inline, which then attach()'s the <span>, which creates a PseudoElement, but the <span> still hasn't been notified it's inDocument since this all was triggered inside HTMLStyleElement::insertedInto.

This feels really wrong, but it's always been this way so the fix is to just remove that assertion and then make Element::insertedInto call insertedInto on the PseudoElements.

Eventually we should fix this though since it appears if you appendChild a <div> that contains three <style> elements, each of which changes the display of the <body>, we'll destroy and recreate the entire document three times even though we really only needed to do it once!
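The notification order described in comment 3, as an added toy model that is not part of the original comment and is not WebKit code. `TreeNode`, `reattach`, `appendChild` and the `deferStyle` flag are simplified assumptions that borrow WebCore's names, every `<style>` is assumed to force a reattach, and the deferred ordering is a hypothetical alternative, not the fix proposed in the comment.

```javascript
// Simplified model of the insertion-notification order (assumption, not WebKit code).
class TreeNode {
  constructor(tag, children = []) {
    this.tag = tag;
    this.children = children;
    this.inDocument = false;   // set only when the node's insertedInto runs
  }
}

// Stands in for recalcStyle(Force) -> reattach(): walks the subtree "creating
// renderers" and records every node reached before it was told it is inDocument.
function reattach(node, early) {
  if (!node.inDocument) early.push(node.tag);
  node.children.forEach(child => reattach(child, early));
}

// Appends subtree under body and runs the insertion notifications in tree order.
// deferStyle=false: a <style> triggers the reattach from inside its own
//   insertedInto, so later siblings are attached before being notified.
// deferStyle=true: hypothetical ordering that flags every node first and runs
//   the style side effect once afterwards.
function appendChild(body, subtree, deferStyle) {
  const result = { early: [], reattaches: 0 };
  let pendingStyle = false;
  const runStyle = () => { result.reattaches++; reattach(body, result.early); };
  body.children.push(subtree);
  (function insertedInto(node) {
    node.inDocument = true;
    if (node.tag === 'style') {
      if (deferStyle) pendingStyle = true; else runStyle();
    }
    node.children.forEach(insertedInto);
  })(subtree);
  if (pendingStyle) runStyle();
  return result;
}

// Constructed inputs: the comment's <div><style/><span/></div> and a <div>
// holding three <style> elements.
const makeBody = () => { const b = new TreeNode('body'); b.inDocument = true; return b; };
const styleAndSpan = () => new TreeNode('div', [new TreeNode('style'), new TreeNode('span')]);
const threeStyles = () => new TreeNode('div', ['style', 'style', 'style'].map(t => new TreeNode(t)));

console.log('eager   ', appendChild(makeBody(), styleAndSpan(), false));
console.log('deferred', appendChild(makeBody(), styleAndSpan(), true));
console.log('3 styles', appendChild(makeBody(), threeStyles(), false).reattaches, 'vs',
            appendChild(makeBody(), threeStyles(), true).reattaches);
```

The `early` list is the model's equivalent of the failed `parent->inDocument()` assertion: any node in it was attached while its notification was still pending.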
Elliott Sprehn
Comment 4
2013-01-18 02:59:48 PST
(In reply to comment #3)
> I believe I've figured this out:
> ...
@eseidel I think the above should be of particular interest to you as it seems bad for perf to create/destroy the render tree repeatedly when inserting style elements. :)
Elliott Sprehn
Comment 5
2013-01-18 03:00:20 PST
*** Bug 106224 has been marked as a duplicate of this bug. ***
Alexey Proskuryakov
Comment 6
2013-01-18 08:23:10 PST
Why forward dupe? It is generally advisable to dupe to oldest bugs, unless there are specific reasons to do otherwise.
Elliott Sprehn
Comment 7
2013-01-18 16:55:39 PST
(In reply to comment #6)
> Why forward dupe? It is generally advisable to dupe to oldest bugs, unless there are specific reasons to do otherwise.
Because I had already posted the whole explanation of what's going on here. I can paste it into the other bug if you want and reverse the dupes?
Elliott Sprehn
Comment 8
2013-01-18 16:59:42 PST
*** This bug has been marked as a duplicate of bug 106224 ***