RESOLVED WORKSFORME 117505
ARGUMENT BAD: repaintContainer, !repaintContainer || repaintContainer == this in WebCore::RenderView::computeRectForRepaint
https://bugs.webkit.org/show_bug.cgi?id=117505
Renata Hodovan
Reported 2013-06-11 03:35:02 PDT
The following test fails on the above ASSERT_ARG condition:

<html>
  <table >
    <tfoot style="-webkit-backface-visibility: hidden;">
      <tr background="dummy.gif"></tr>
  </table>
</html>

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff56b409e in WTFCrash () at /home/reni/Data/REPOS/webkit/Source/WTF/wtf/Assertions.cpp:339
339 *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0 0x00007ffff56b409e in WTFCrash () at /home/reni/Data/REPOS/webkit/Source/WTF/wtf/Assertions.cpp:339
#1 0x00007ffff49a851d in WebCore::RenderView::computeRectForRepaint (this=0x84c578, repaintContainer=0x865ca8, rect=..., fixed=false) at /home/reni/Data/REPOS/webkit/Source/WebCore/rendering/RenderView.cpp:565
#2 0x00007ffff485d4a7 in WebCore::RenderBox::computeRectForRepaint (this=0x73a2c8, repaintContainer=0x865ca8, rect=..., fixed=false) at /home/reni/Data/REPOS/webkit/Source/WebCore/rendering/RenderBox.cpp:2038
#3 0x00007ffff485d4a7 in WebCore::RenderBox::computeRectForRepaint (this=0x7371b8, repaintContainer=0x865ca8, rect=..., fixed=false) at /home/reni/Data/REPOS/webkit/Source/WebCore/rendering/RenderBox.cpp:2038
#4 0x00007ffff485d4a7 in WebCore::RenderBox::computeRectForRepaint (this=0x843348, repaintContainer=0x865ca8, rect=..., fixed=false) at /home/reni/Data/REPOS/webkit/Source/WebCore/rendering/RenderBox.cpp:2038
#5 0x00007ffff485cc6c in WebCore::RenderBox::clippedOverflowRectForRepaint (this=0x843348, repaintContainer=0x865ca8) at /home/reni/Data/REPOS/webkit/Source/WebCore/rendering/RenderBox.cpp:1937
#6 0x00007ffff497e3e7 in WebCore::RenderTableRow::clippedOverflowRectForRepaint (this=0x842ad8, repaintContainer=0x865ca8) at /home/reni/Data/REPOS/webkit/Source/WebCore/rendering/RenderTableRow.cpp:208
#7 0x00007ffff494a56a in WebCore::RenderObject::repaint (this=0x842ad8, immediate=false) at /home/reni/Data/REPOS/webkit/Source/WebCore/rendering/RenderObject.cpp:1372
#8 0x00007ffff497e7a9 in WebCore::RenderTableRow::imageChanged (this=0x842ad8) at /home/reni/Data/REPOS/webkit/Source/WebCore/rendering/RenderTableRow.cpp:264
#9 0x00007ffff49514b3 in WebCore::RenderObject::imageChanged (this=0x842ad8, image=0x86f8e0, rect=0x0) at /home/reni/Data/REPOS/webkit/Source/WebCore/rendering/RenderObject.cpp:3041
#10 0x00007ffff4558a57 in WebCore::CachedImage::notifyObservers (this=0x86f8e0, changeRect=0x0) at /home/reni/Data/REPOS/webkit/Source/WebCore/loader/cache/CachedImage.cpp:290
#11 0x00007ffff4559299 in WebCore::CachedImage::error (this=0x86f8e0, status=WebCore::CachedResource::DecodeError) at /home/reni/Data/REPOS/webkit/Source/WebCore/loader/cache/CachedImage.cpp:404
#12 0x00007ffff4559164 in WebCore::CachedImage::data (this=0x86f8e0, data=0x7165c0, allDataReceived=true) at /home/reni/Data/REPOS/webkit/Source/WebCore/loader/cache/CachedImage.cpp:379
#13 0x00007ffff45c0b44 in WebCore::SubresourceLoader::didFinishLoading (this=0x846f60, finishTime=0) at /home/reni/Data/REPOS/webkit/Source/WebCore/loader/SubresourceLoader.cpp:288
#14 0x00007ffff45b74c7 in WebCore::ResourceLoader::didFinishLoading (this=0x846f60, finishTime=0) at /home/reni/Data/REPOS/webkit/Source/WebCore/loader/ResourceLoader.cpp:488
#15 0x00007ffff4a4f3a8 in WebCore::QNetworkReplyHandler::finish (this=0x7035f0) at /home/reni/Data/REPOS/webkit/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:516
#16 0x00007ffff4a4dfc5 in WebCore::QNetworkReplyHandlerCallQueue::flush (this=0x703628) at /home/reni/Data/REPOS/webkit/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:250
#17 0x00007ffff4a4dd16 in WebCore::QNetworkReplyHandlerCallQueue::unlock (this=0x703628) at /home/reni/Data/REPOS/webkit/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:230
#18 0x00007ffff4a4e05f in WebCore::QueueLocker::~QueueLocker (this=0x7fffffffcf60, __in_chrg=<optimized out>) at /home/reni/Data/REPOS/webkit/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:258
#19 0x00007ffff4a4ebd6 in WebCore::QNetworkReplyWrapper::emitMetaDataChanged (this=0x8423b0) at /home/reni/Data/REPOS/webkit/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:395
#20 0x00007ffff4a4e98c in WebCore::QNetworkReplyWrapper::receiveSniffedMIMEType (this=0x8423b0) at /home/reni/Data/REPOS/webkit/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:359
#21 0x00007ffff4a51638 in WebCore::QNetworkReplyWrapper::qt_static_metacall (_o=0x8423b0, _c=QMetaObject::InvokeMetaMethod, _id=3, _a=0x7fffffffd120) at .moc/release-shared/moc_QNetworkReplyHandler.cpp:177
#22 0x00007ffff20f60e1 in QMetaObject::activate(QObject*, int, int, void**) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#23 0x00007ffff527fd25 in QtMIMETypeSniffer::finished (this=0x7b3f10) at .moc/release-shared/moc_QtMIMETypeSniffer.cpp:130
#24 0x00007ffff4a4d058 in QtMIMETypeSniffer::trySniffing (this=0x7b3f10) at /home/reni/Data/REPOS/webkit/Source/WebCore/platform/network/qt/QtMIMETypeSniffer.cpp:65
#25 0x00007ffff527fb89 in QtMIMETypeSniffer::qt_static_metacall (_o=0x7b3f10, _c=QMetaObject::InvokeMetaMethod, _id=1, _a=0x7fffffffd310) at .moc/release-shared/moc_QtMIMETypeSniffer.cpp:75
#26 0x00007ffff20f60e1 in QMetaObject::activate(QObject*, int, int, void**) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#27 0x00007ffff2b444bc in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Network.so.5
#28 0x00007ffff2bcb10d in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Network.so.5
#29 0x00007ffff20f773e in QObject::event(QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#30 0x00007ffff2f4d1f4 in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Widgets.so.5
#31 0x00007ffff2f505d1 in QApplication::notify(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Widgets.so.5
#32 0x00007ffff20d0a24 in QCoreApplication::notifyInternal(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#33 0x00007ffff20d2961 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#34 0x00007ffff21181f3 in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#35 0x00007fffeee3ed53 in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#36 0x00007fffeee3f0a0 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#37 0x00007fffeee3f164 in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#38 0x00007ffff2118634 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#39 0x00007ffff20cf8fb in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#40 0x00007ffff20d2e9e in QCoreApplication::exec() () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#41 0x0000000000421e4c in launcherMain (app=...) at /home/reni/Data/REPOS/webkit/Tools/QtTestBrowser/qttestbrowser.cpp:49
#42 0x0000000000423b93 in main (argc=2, argv=0x7fffffffe208) at /home/reni/Data/REPOS/webkit/Tools/QtTestBrowser/qttestbrowser.cpp:318
Vicki Pfau
Comment 1 2013-10-08 13:26:27 PDT
Mihnea Ovidenie
Comment 2 2014-05-15 10:14:11 PDT
Another repro:

<body onload="test()">
  <table>
    <tbody style="position: -webkit-sticky;">
      <tr id="tr"></tr>
    </tbody>
  </table>
  <script>
    function test() {
      document.getElementById("tr").style.backgroundColor = "red";
    }
  </script>
</body>
Éva Balázsfalvi
Comment 3 2014-05-29 04:18:35 PDT
This bug was fixed in Blink.
https://code.google.com/p/chromium/issues/detail?id=377536
I'm going to backport the fix to WebKit.
Renata Hodovan
Comment 4 2015-06-26 09:38:40 PDT
Cannot repro this issue anymore.