115386 – REGRESSION(r149287): Assertion failure in fast/frames/flattening/iframe-flattening-crash.html

RESOLVED FIXED 115386

REGRESSION(r149287): Assertion failure in fast/frames/flattening/iframe-flattening-crash.html

https://bugs.webkit.org/show_bug.cgi?id=115386

Summary REGRESSION(r149287): Assertion failure in fast/frames/flattening/iframe-flatt...

Alexey Proskuryakov

Reported 2013-04-29 16:46:45 PDT

Looks like an assertion started to happen on all WK2 testers reproducibly: 0 com.apple.WebCore 0x000000010e768a98 WebCore::Document::updateLayout() + 200 (Document.cpp:1881) 1 com.apple.WebCore 0x000000010e768ad4 WebCore::Document::updateLayout() + 260 (Document.cpp:1888) 2 com.apple.WebCore 0x000000010e76bf35 WebCore::Document::updateLayoutIgnorePendingStylesheets() + 197 (Document.cpp:1928) 3 com.apple.WebCore 0x000000010e8c8f37 WebCore::Element::clientWidth() + 39 (Element.cpp:579) 4 com.apple.WebCore 0x000000010ef8e427 WebCore::jsElementClientWidth(JSC::ExecState*, JSC::JSValue, JSC::PropertyName) + 71 (JSElement.cpp:384) 5 com.apple.JavaScriptCore 0x000000010d253a99 JSC::PropertySlot::getValue(JSC::ExecState*, JSC::PropertyName) const + 249 (PropertySlot.h:76) 6 com.apple.JavaScriptCore 0x000000010d26c312 JSC::JSValue::get(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) const + 242 (JSCJSValueInlines.h:639) 7 com.apple.JavaScriptCore 0x000000010d5c7cd1 llint_slow_path_get_by_id + 241 (LLIntSlowPaths.cpp:910) 8 com.apple.JavaScriptCore 0x000000010d5d1555 llint_op_get_by_id + 122 9 com.apple.JavaScriptCore 0x000000010d4ae4b4 JSC::JITCode::execute(JSC::JSStack*, JSC::ExecState*, JSC::VM*) + 84 (JITCode.h:135) 10 com.apple.JavaScriptCore 0x000000010d4ab224 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1620 (Interpreter.cpp:1061) 11 com.apple.JavaScriptCore 0x000000010d2bc7b2 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 306 (CallData.cpp:40) 12 com.apple.WebCore 0x000000010ee5e682 WebCore::JSMainThreadExecState::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 146 (JSMainThreadExecState.h:56) 13 com.apple.WebCore 0x000000010efb6491 WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) + 1217 (JSEventListener.cpp:129) 14 com.apple.WebCore 0x000000010e9219b2 WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul, WTF::CrashOnOverflow>&) + 498 (EventTarget.cpp:259) 15 com.apple.WebCore 0x000000010e9215cc WebCore::EventTarget::fireEventListeners(WebCore::Event*) + 380 (EventTarget.cpp:204) 16 com.apple.WebCore 0x000000010e865cf0 WebCore::DOMWindow::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, WTF::PassRefPtr<WebCore::EventTarget>) + 272 (DOMWindow.cpp:1711) 17 com.apple.WebCore 0x000000010e773ee1 WebCore::Document::dispatchWindowEvent(WTF::PassRefPtr<WebCore::Event>, WTF::PassRefPtr<WebCore::EventTarget>) + 193 (Document.cpp:3656) 18 com.apple.WebCore 0x000000010e906336 WebCore::EventHandler::dispatchResizeEvent() + 150 (EventHandler.cpp:3790) 19 com.apple.WebCore 0x000000010ea16614 WebCore::FrameView::dispatchResizeEvent() + 148 (FrameView.cpp:2791) 20 com.apple.WebCore 0x000000010ea164f6 WebCore::FrameView::setFrameRect(WebCore::IntRect const&) + 678 (FrameView.cpp:500) 21 com.apple.WebCore 0x000000010f92452d WebCore::RenderWidget::setWidgetGeometry(WebCore::LayoutRect const&) + 381 (RenderWidget.cpp:160) 22 com.apple.WebCore 0x000000010f924848 WebCore::RenderWidget::updateWidgetGeometry() + 456 (RenderWidget.cpp:180) 23 com.apple.WebCore 0x000000010f925c33 WebCore::RenderWidget::updateWidgetPosition() + 83 (RenderWidget.cpp:348) 24 com.apple.WebCore 0x000000010f745250 WebCore::RenderFrameBase::layoutWithFlattening(bool, bool) + 1568 (RenderFrameBase.cpp:98) 25 com.apple.WebCore 0x000000010f75c555 WebCore::RenderIFrame::layout() + 325 (RenderIFrame.cpp:168)

Attachments
Proposed patch (4.44 KB, patch) 2013-04-30 11:03 PDT, Andreas Kling	darin: review+	Details Formatted Diff Diff
Follow-up patch (2.39 KB, patch) 2013-05-01 09:44 PDT, Andreas Kling	koivisto: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Alexey Proskuryakov

Comment 1 2013-04-29 16:53:10 PDT

Actually, maybe all Mac ones, wk1 or wk2. E.g.<http://build.webkit.org/results/Apple%20MountainLion%20Debug%20WK2%20(Tests)/r149322%20(9330)/fast/frames/flattening/iframe-flattening-crash-crash-log.txt>.

Alexey Proskuryakov

Comment 2 2013-04-29 16:57:36 PDT

Skipped on Mac in http://trac.webkit.org/r149333

Geoffrey Garen

Comment 3 2013-04-29 20:18:35 PDT

Re-entrant layout is definitely a no-no. This could cause lots of serious problems.

Geoffrey Garen

Comment 4 2013-04-29 20:19:48 PDT

<rdar://problem/13769995>

Andreas Kling

Comment 5 2013-04-30 11:03:26 PDT

Created attachment 200132 [details] Proposed patch

WebKit Commit Bot

Comment 6 2013-04-30 11:05:06 PDT

Attachment 200132 [details] did not pass style-queue: Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'LayoutTests/ChangeLog', u'LayoutTests/platform/mac/TestExpectations', u'Source/WebCore/ChangeLog', u'Source/WebCore/page/EventHandler.cpp', u'Source/WebCore/page/EventHandler.h', u'Source/WebCore/page/FrameView.cpp']" exit_code: 1 Source/WebCore/page/FrameView.cpp:38: Alphabetical sorting problem. [build/include_order] [4] Total errors found: 1 in 3 files If any of these errors are false positives, please file a bug against check-webkit-style.

Andreas Kling

Comment 7 2013-04-30 11:08:52 PDT

Committed r149382: <http://trac.webkit.org/changeset/149382>

WebKit Commit Bot

Comment 8 2013-05-01 09:31:00 PDT

Re-opened since this is blocked by bug 115476

Andreas Kling

Comment 9 2013-05-01 09:44:27 PDT

Created attachment 200217 [details] Follow-up patch Because I am a muppet who only tested the previous patch with a release build, it kept on failing in debug. This patch changes limits synchronous resize events to the main frame.

Antti Koivisto

Comment 10 2013-05-01 09:47:58 PDT

Comment on attachment 200217 [details] Follow-up patch View in context: https://bugs.webkit.org/attachment.cgi?id=200217&action=review r=me > Source/WebCore/page/FrameView.cpp:2792 > + bool isMainFrame = page ? page->mainFrame() == m_frame : false; page && page->mainFrame() == m_frame ?

Alexey Proskuryakov

Comment 11 2013-05-01 09:51:04 PDT

Is the test still skipped in TestExpectations?

Andreas Kling

Comment 12 2013-05-01 09:52:20 PDT

(In reply to comment #11) > Is the test still skipped in TestExpectations? It is not skipped.

Andreas Kling

Comment 13 2013-05-01 09:55:01 PDT

Committed r149435: <http://trac.webkit.org/changeset/149435>

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version 528+ (Nightly build)

Hardware Unspecified

OS Unspecified

Product WebKit

Component Frames

Assignee

Andreas Kling

Reported

2013-04-29 16:46 PDT

Modified

2013-05-22 00:39 PDT History

CC List

4 users Show

URL

Keywords InRadar, LayoutTestFailure

Depends on

115476

Blocks

Dependencies

tree graph