RESOLVED WORKSFORME 117923
ASSERTION FAILED: !beforeChild || beforeChild->parent()->isRenderBlock() || beforeChild->parent()->isRenderInline() in WebCore::RenderInline::addChildToContinuation 
https://bugs.webkit.org/show_bug.cgi?id=117923
Summary ASSERTION FAILED: !beforeChild || beforeChild->parent()->isRenderBlock() || b...
Renata Hodovan
Reported 2013-06-24 01:09:13 PDT
The following test fails the assertion in the title: <html> <object> <applet code="dummy.class" align="Left"></applet> <applet code="dummy.class" style="display: table-cell;"></applet> </object> <keygen autofocus="autofocus"> <body link="#"></body> </keygen> </html> The backtrace: Program received signal SIGSEGV, Segmentation fault. 0x00007ffff5760ba5 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:339 339 *(int *)(uintptr_t)0xbbadbeef = 0; (gdb) bt #0 0x00007ffff5760ba5 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:339 #1 0x00007ffff497f490 in WebCore::RenderInline::addChildToContinuation (this=0x8ce338, newChild=0x8cf5b8, beforeChild=0x8cf688) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderInline.cpp:496 #2 0x00007ffff497e8e9 in WebCore::RenderInline::addChild (this=0x8ce338, newChild=0x8cf5b8, beforeChild=0x8cf688) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderInline.cpp:267 #3 0x00007ffff42ed7a4 in WebCore::NodeRenderingContext::createRendererForElementIfNeeded (this=0x7fffffffc660) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/NodeRenderingContext.cpp:291 #4 0x00007ffff4299b1f in WebCore::Element::createRendererIfNeeded (this=0x8a1100, context=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Element.cpp:1424 #5 0x00007ffff4299b83 in WebCore::Element::attach (this=0x8a1100, context=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Element.cpp:1433 #6 0x00007ffff4450387 in WebCore::HTMLPlugInImageElement::attach (this=0x8a1100, context=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/HTMLPlugInImageElement.cpp:248 #7 0x00007ffff42929dd in WebCore::Node::reattach (this=0x8a1100, context=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Node.h:823 #8 0x00007ffff4450317 in WebCore::HTMLPlugInImageElement::willRecalcStyle (this=0x8a1100) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/HTMLPlugInImageElement.cpp:235 #9 0x00007ffff429a388 in WebCore::Element::recalcStyle (this=0x8a1100, change=WebCore::Node::Force) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Element.cpp:1552 #10 0x00007ffff429a992 in WebCore::Element::recalcStyle (this=0x87bac0, change=WebCore::Node::Force) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Element.cpp:1643 #11 0x00007ffff429a992 in WebCore::Element::recalcStyle (this=0x7cfbb0, change=WebCore::Node::Force) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Element.cpp:1643 #12 0x00007ffff429a992 in WebCore::Element::recalcStyle (this=0x751220, change=WebCore::Node::NoChange) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Element.cpp:1643 #13 0x00007ffff4241e3d in WebCore::Document::recalcStyle (this=0x861e80, change=WebCore::Node::NoChange) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:1805 #14 0x00007ffff42420ee in WebCore::Document::updateStyleIfNeeded (this=0x861e80) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:1848 #15 0x00007ffff424b0d3 in WebCore::Document::finishedParsing (this=0x861e80) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:4396 #16 0x00007ffff449aeeb in WebCore::HTMLConstructionSite::finishedParsing (this=0x74a6d8) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLConstructionSite.cpp:351 #17 0x00007ffff44cc8db in WebCore::HTMLTreeBuilder::finished (this=0x74a6c0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2923 #18 0x00007ffff44a251c in WebCore::HTMLDocumentParser::end (this=0x78ccc0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:756 #19 0x00007ffff44a2607 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd (this=0x78ccc0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:767 #20 0x00007ffff44a1242 in WebCore::HTMLDocumentParser::prepareToStopParsing (this=0x78ccc0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:211 #21 0x00007ffff44a264c in WebCore::HTMLDocumentParser::attemptToEnd (this=0x78ccc0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:779 #22 0x00007ffff44a2705 in WebCore::HTMLDocumentParser::finish (this=0x78ccc0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:828 #23 0x00007ffff4634e9f in WebCore::DocumentWriter::end (this=0x7e59f0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentWriter.cpp:248 #24 0x00007ffff4627a74 in WebCore::DocumentLoader::finishedLoading (this=0x7e5950, finishTime=0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:402 #25 0x00007ffff46277e2 in WebCore::DocumentLoader::notifyFinished (this=0x7e5950, resource=0x7191d0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:344 #26 0x00007ffff460ee00 in WebCore::CachedResource::checkNotify (this=0x7191d0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:362 #27 0x00007ffff460eed6 in WebCore::CachedResource::finishLoading (this=0x7191d0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:378 #28 0x00007ffff460b62e in WebCore::CachedRawResource::finishLoading (this=0x7191d0, data=0x77e470) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedRawResource.cpp:94 ---Type <return> to continue, or q <return> to quit--- #29 0x00007ffff467140d in WebCore::SubresourceLoader::didFinishLoading (this=0x718940, finishTime=0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/SubresourceLoader.cpp:277 #30 0x00007ffff4667e13 in WebCore::ResourceLoader::didFinishLoading (this=0x718940, finishTime=0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/ResourceLoader.cpp:488 #31 0x00007ffff4b069d2 in WebCore::QNetworkReplyHandler::finish (this=0x76fc60) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:516 #32 0x00007ffff4b056e6 in WebCore::QNetworkReplyHandlerCallQueue::flush (this=0x76fc98) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:250 #33 0x00007ffff4b053e3 in WebCore::QNetworkReplyHandlerCallQueue::push (this=0x76fc98, method=(void (WebCore::QNetworkReplyHandler::*)(WebCore::QNetworkReplyHandler * const)) 0x7ffff4b06816 <WebCore::QNetworkReplyHandler::finish()>) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:216 #34 0x00007ffff4b06336 in WebCore::QNetworkReplyWrapper::didReceiveFinished (this=0x742c40) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:409 #35 0x00007ffff4b08cce in WebCore::QNetworkReplyWrapper::qt_static_metacall (_o=0x742c40, _c=QMetaObject::InvokeMetaMethod, _id=1, _a=0x7fffffffd010) at .moc/release-shared/moc_QNetworkReplyHandler.cpp:176 #36 0x00007ffff229a5cb in QMetaObject::activate(QObject*, int, int, void**) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5 #37 0x00007ffff229b84e in QObject::event(QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5 #38 0x00007ffff30e1dbc in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Widgets.so.5 #39 0x00007ffff30e5075 in QApplication::notify(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Widgets.so.5 #40 0x00007ffff2275dbe in QCoreApplication::notifyInternal(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5 #41 0x00007ffff2277a76 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5 #42 0x00007ffff22bd333 in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5 #43 0x00007fffee40bf05 in g_main_dispatch (context=0x6632f0) at /build/buildd/glib2.0-2.36.0/./glib/gmain.c:3054 #44 g_main_context_dispatch (context=context@entry=0x6632f0) at /build/buildd/glib2.0-2.36.0/./glib/gmain.c:3630 #45 0x00007fffee40c248 in g_main_context_iterate (context=context@entry=0x6632f0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at /build/buildd/glib2.0-2.36.0/./glib/gmain.c:3701 #46 0x00007fffee40c304 in g_main_context_iteration (context=0x6632f0, may_block=1) at /build/buildd/glib2.0-2.36.0/./glib/gmain.c:3762 #47 0x00007ffff22bd4bc in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5 #48 0x00007ffff2274d3b in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5 #49 0x00007ffff2278120 in QCoreApplication::exec() () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5 #50 0x0000000000421ba0 in launcherMain (app=...) at /home/reni/Data/REPOS/webkit_sec/Tools/QtTestBrowser/qttestbrowser.cpp:49 #51 0x0000000000423680 in main (argc=2, argv=0x7fffffffdcc8) at /home/reni/Data/REPOS/webkit_sec/Tools/QtTestBrowser/qttestbrowser.cpp:318
Attachments
Add attachment proposed patch, testcase, etc.
Vicki Pfau
Comment 1 2013-10-08 13:24:40 PDT
<rdar://problem/14978857>
Brent Fulgham
Comment 2 2016-08-03 11:19:45 PDT
I cannot reproduce this problem with GuardMalloc or ASAN under r204037. If you believe this problem is still occurring, please reopen the bug with additional steps to reproduce.
David Kilzer (:ddkilzer)
Comment 3 2016-08-03 13:29:07 PDT
This was an ASSERT() found by a fuzzing test case, so a Debug build should be tested.
Note You need to log in before you can comment on or make changes to this bug.