117025 – ASSERTION FAILED: this in WebCore::Node::document()

Bug 117025 - ASSERTION FAILED: this in WebCore::Node::document()

Summary: ASSERTION FAILED: this in WebCore::Node::document()

Status:	RESOLVED WORKSFORME

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	DOM (show other bugs)
Version:	528+ (Nightly build)
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:

Depends on:
Blocks:	116980
	Show dependency tree / graph

Reported:	2013-05-30 04:40 PDT by Renata Hodovan
Modified:	2014-09-08 02:44 PDT (History)
CC List:	3 users (show)

See Also:

Attachments
Test case (138 bytes, text/html) 2013-05-30 04:41 PDT, Renata Hodovan	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Renata Hodovan 2013-05-30 04:40:39 PDT

The following test crashes in debug webkit:

<html>
<body>
	<applet code="lc3.class">
		<embed type="video/webm">
		<video width="28" controls="1"></video>
	</applet>
</body>
</html>

Hint: don't try to run it with nouveau driver on the latest kernel (3.8.0.19) because it will kill your X (nvidia can handle it)!!!

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff56abebe in WTFCrash () at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WTF/wtf/Assertions.cpp:339
339	    *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007ffff56abebe in WTFCrash () at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WTF/wtf/Assertions.cpp:339
#1  0x00007ffff3b40005 in WebCore::Node::document (this=0x0)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/dom/Node.h:422
#2  0x00007ffff3d3ebe6 in WebCore::RenderObject::document (this=0x9bb518)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/rendering/RenderObject.h:650
#3  0x00007ffff463f170 in WebCore::RenderObject::renderArena (this=0x9bb518)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/rendering/RenderObject.h:319
#4  0x00007ffff463f4a1 in WebCore::RenderWidget::ref (this=0x9bb518)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/rendering/RenderWidget.h:72
#5  0x00007ffff4648b3c in WebCore::FrameView::updateWidgets (this=0x76b0b0)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/page/FrameView.cpp:2671
#6  0x00007ffff4648fa6 in WebCore::FrameView::performPostLayoutTasks (this=0x76b0b0)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/page/FrameView.cpp:2752
#7  0x00007ffff4644018 in WebCore::FrameView::layout (this=0x76b0b0, allowSubtree=true)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/page/FrameView.cpp:1379
#8  0x00007ffff4186316 in WebCore::Document::updateLayout (this=0x7fcb10)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/dom/Document.cpp:1912
#9  0x00007ffff41863e7 in WebCore::Document::updateLayoutIgnorePendingStylesheets (this=0x7fcb10)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/dom/Document.cpp:1944
#10 0x00007ffff4368070 in WebCore::HTMLEmbedElement::renderWidgetForJSBindings (this=0x84e440)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/html/HTMLEmbedElement.cpp:73
#11 0x00007ffff43930ca in WebCore::HTMLPlugInElement::pluginWidget (this=0x84e440)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/html/HTMLPlugInElement.cpp:161
#12 0x00007ffff3f5d46a in WebCore::pluginScriptObjectFromPluginViewBase (pluginElement=0x84e440, globalObject=0x7fffe405f470)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/bindings/js/JSPluginElementFunctions.cpp:60
#13 0x00007ffff3f5d594 in WebCore::pluginScriptObject (exec=0x7fffe405f678, jsHTMLElement=0x7fff9c08fe90)
---Type <return> to continue, or q <return> to quit---
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/bindings/js/JSPluginElementFunctions.cpp:90
#14 0x00007ffff3f5d6ad in WebCore::runtimeObjectCustomGetOwnPropertySlot (exec=0x7fffe405f678, propertyName=..., slot=..., element=0x7fff9c08fe90)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/bindings/js/JSPluginElementFunctions.cpp:115
#15 0x00007ffff3f499ed in WebCore::pluginElementCustomGetOwnPropertySlot<WebCore::JSHTMLEmbedElement, WebCore::JSHTMLElement> (exec=0x7fffe405f678, 
    propertyName=..., slot=..., element=0x7fff9c08fe90)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/bindings/js/JSPluginElementFunctions.h:58
#16 0x00007ffff3f49864 in WebCore::JSHTMLEmbedElement::getOwnPropertySlotDelegate (this=0x7fff9c08fe90, exec=0x7fffe405f678, propertyName=..., 
    slot=...) at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/bindings/js/JSHTMLEmbedElementCustom.cpp:38
#17 0x00007ffff4fadd68 in WebCore::JSHTMLEmbedElement::getOwnPropertySlot (cell=0x7fff9c08fe90, exec=0x7fffe405f678, propertyName=..., slot=...)
    at generated/JSHTMLEmbedElement.cpp:138
#18 0x00007ffff3d809ab in JSC::JSCell::fastGetOwnPropertySlot (this=0x7fff9c08fe90, exec=0x7fffe405f678, propertyName=..., slot=...)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/JavaScriptCore/runtime/JSCellInlines.h:169
#19 0x00007ffff3d80766 in JSC::JSObject::getPropertySlot (this=0x7fff9c08fe90, exec=0x7fffe405f678, propertyName=..., slot=...)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/JavaScriptCore/runtime/JSObject.h:1186
#20 0x00007ffff3d80890 in JSC::JSObject::get (this=0x7fff9c08fe90, exec=0x7fffe405f678, propertyName=...)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/JavaScriptCore/runtime/JSObject.h:1211
#21 0x00007ffff3fa0056 in _NPN_GetProperty (o=0x9f15f0, propertyName=0x9d6d90, variant=0x7fffffffc6d0)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/bridge/NP_jsobject.cpp:295
#22 0x00007fff9638ebd0 in totemPlugin::Init(char*, unsigned short, short, char**, char**, _NPSavedData*) ()
   from /usr/lib/mozilla/plugins/libtotem-cone-plugin.so
#23 0x00007fff9638c0f7 in ?? () from /usr/lib/mozilla/plugins/libtotem-cone-plugin.so
#24 0x00007ffff478ad09 in WebCore::PluginView::start (this=0x7fd730)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/plugins/PluginView.cpp:251
#25 0x00007ffff478ab21 in WebCore::PluginView::startOrAddToUnstartedList (this=0x7fd730)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/plugins/PluginView.cpp:231
#26 0x00007ffff478aa28 in WebCore::PluginView::init (this=0x7fd730)
---Type <return> to continue, or q <return> to quit---
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/plugins/PluginView.cpp:209
#27 0x00007ffff4a7a43a in WebCore::PluginView::setParent (this=0x7fd730, parent=0x76b0b0)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/plugins/qt/PluginViewQt.cpp:499
#28 0x00007ffff47555ab in WebCore::ScrollView::addChild (this=0x76b0b0, prpChild=...)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/platform/ScrollView.cpp:72
#29 0x00007ffff49a2c15 in WebCore::moveWidgetToParentSoon (child=0x7fd730, parent=0x76b0b0)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/rendering/RenderWidget.cpp:81
#30 0x00007ffff49a3693 in WebCore::RenderWidget::setWidget (this=0x9bb518, widget=...)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/rendering/RenderWidget.cpp:213
#31 0x00007ffff4943acc in WebCore::RenderPart::setWidget (this=0x9bb518, widget=...)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/rendering/RenderPart.cpp:57
#32 0x00007ffff45b3607 in WebCore::SubframeLoader::loadPlugin (this=0x76a970, pluginElement=0x84e440, url=..., mimeType=..., paramNames=..., 
    paramValues=..., useFallback=false) at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/loader/SubframeLoader.cpp:465
#33 0x00007ffff45b1e7b in WebCore::SubframeLoader::requestPlugin (this=0x76a970, ownerElement=0x84e440, url=..., mimeType=..., paramNames=..., 
    paramValues=..., useFallback=false) at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/loader/SubframeLoader.cpp:160
#34 0x00007ffff45b24f6 in WebCore::SubframeLoader::requestObject (this=0x76a970, ownerElement=0x84e440, url=..., frameName=..., mimeType=..., 
    paramNames=..., paramValues=...) at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/loader/SubframeLoader.cpp:235
#35 0x00007ffff4368782 in WebCore::HTMLEmbedElement::updateWidget (this=0x84e440, pluginCreationOption=WebCore::CreateAnyWidgetType)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/html/HTMLEmbedElement.cpp:173
#36 0x00007ffff464895e in WebCore::FrameView::updateWidget (this=0x76b0b0, object=0x9bb518)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/page/FrameView.cpp:2637
#37 0x00007ffff4648bb5 in WebCore::FrameView::updateWidgets (this=0x76b0b0)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/page/FrameView.cpp:2677
#38 0x00007ffff4648fa6 in WebCore::FrameView::performPostLayoutTasks (this=0x76b0b0)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/page/FrameView.cpp:2752
#39 0x00007ffff4649570 in WebCore::FrameView::postLayoutTimerFired (this=0x76b0b0)
---Type <return> to continue, or q <return> to quit---
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/page/FrameView.cpp:2831
#40 0x00007ffff4654068 in WebCore::Timer<WebCore::FrameView>::fired (this=0x76b258)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/platform/Timer.h:113
#41 0x00007ffff4774767 in WebCore::ThreadTimers::sharedTimerFiredInternal (this=0x6c3440)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/platform/ThreadTimers.cpp:129
#42 0x00007ffff477467b in WebCore::ThreadTimers::sharedTimerFired ()
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/platform/ThreadTimers.cpp:105
#43 0x00007ffff4a63ffc in WebCore::SharedTimerQt::timerEvent (this=0x6c3470, ev=0x7fffffffd790)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Source/WebCore/platform/qt/SharedTimerQt.cpp:113
#44 0x00007ffff20ec459 in QObject::event(QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#45 0x00007ffff2f421f4 in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Widgets.so.5
#46 0x00007ffff2f455d1 in QApplication::notify(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Widgets.so.5
#47 0x00007ffff20c5a24 in QCoreApplication::notifyInternal(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#48 0x00007ffff210c6bc in QTimerInfoList::activateTimers() () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#49 0x00007ffff210cf4d in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#50 0x00007fffeee34d53 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#51 0x00007fffeee350a0 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#52 0x00007fffeee35164 in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#53 0x00007ffff210d634 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) ()
   from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#54 0x00007ffff20c48fb in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#55 0x00007ffff20c7e9e in QCoreApplication::exec() () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#56 0x0000000000421e4c in launcherMain (app=...)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Tools/QtTestBrowser/qttestbrowser.cpp:49
#57 0x0000000000423b93 in main (argc=2, argv=0x7fffffffdd98)
    at /media/1582f533-8346-4e9f-9cab-f0916240c446/REPOS/webkit/Tools/QtTestBrowser/qttestbrowser.cpp:318

Comment 1 Renata Hodovan 2013-05-30 04:41:41 PDT

Created attachment 203343 [details]
Test case

Comment 2 Rob Buis 2013-08-15 09:42:33 PDT

Can't reproduce in trunk.

Comment 3 Renata Hodovan 2014-09-08 02:44:00 PDT

I cannot reproduce this issue anymore.