Bug 119626 - ASSERTION FAILED: roundedIntPoint(rendererMappedResult) == roundedIntPoint(result) in WebCore::RenderGeometryMap::mapToContainer
Status: RESOLVED DUPLICATE of bug 138439
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering
Version: 528+ (Nightly build)
Hardware: PC Linux
Importance: P2 Normal
Assignee: Said Abou-Hallawa
URL:
Keywords: BlinkMergeCandidate, InRadar
Depends on:
Blocks: 116980
Reported: 2013-08-09 05:58 PDT by Renata Hodovan
Modified: 2015-02-13 22:01 PST

Attachments
Test case (191 bytes, text/html)
2013-08-09 06:00 PDT, Renata Hodovan
no flags
New test case (188 bytes, text/html)
2014-01-16 05:13 PST, Renata Hodovan
no flags
Proposed patch (5.69 KB, patch)
2014-02-27 06:36 PST, Martin Hodovan
buildbot: commit-queue-
Archive of layout-test-results from webkit-ews-12 for mac-mountainlion-wk2 (2.77 MB, application/zip)
2014-02-27 07:36 PST, Build Bot
no flags
Archive of layout-test-results from webkit-ews-08 for mac-mountainlion (2.82 MB, application/zip)
2014-02-27 07:59 PST, Build Bot
no flags
Archive of layout-test-results from webkit-ews-05 for mac-mountainlion (2.82 MB, application/zip)
2014-02-27 08:58 PST, Build Bot
no flags
Proposed patch (7.77 KB, patch)
2014-02-27 09:39 PST, Martin Hodovan
no flags
Proposed patch (16.23 KB, patch)
2014-02-27 10:15 PST, Martin Hodovan
simon.fraser: review+
simon.fraser: commit-queue-
Proposed patch (4.81 KB, patch)
2014-02-28 07:16 PST, Martin Hodovan
ossy: review-
ossy: commit-queue-
Proposed patch (4.80 KB, patch)
2014-02-28 07:56 PST, Martin Hodovan
no flags
Patch (4.33 KB, patch)
2014-11-06 18:12 PST, Said Abou-Hallawa
no flags
Description Renata Hodovan 2013-08-09 05:58:53 PDT
The crash happens on the following test:

<html>
   <tr>
      <div contenteditable="plaintext-only"></div>
      <h2></h2>
   </tr>
   <br><br>
   <textarea cols="150,*" rows="100000000"></textarea>
   <textarea></textarea>
</html>


Note: if you decrease the value of the "rows" property of the textarea, then the crash disappears.


The backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff56f53e4 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:342
342	    *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007ffff56f53e4 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:342
#1  0x00007ffff48e8b16 in WebCore::RenderGeometryMap::mapToContainer (this=0x7fffffffc010, p=..., container=0x0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderGeometryMap.cpp:117
#2  0x00007ffff4905b62 in WebCore::RenderGeometryMap::absolutePoint (this=0x7fffffffc010, p=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderGeometryMap.h:84
#3  0x00007ffff4907144 in WebCore::RenderLayer::updateLayerPositions (this=0x8aaef8, geometryMap=0x7fffffffc010, flags=14)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderLayer.cpp:431
#4  0x00007ffff4907563 in WebCore::RenderLayer::updateLayerPositions (this=0x7b13a8, geometryMap=0x7fffffffc010, flags=14)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderLayer.cpp:499
#5  0x00007ffff4907563 in WebCore::RenderLayer::updateLayerPositions (this=0x76fe58, geometryMap=0x7fffffffc010, flags=14)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderLayer.cpp:499
#6  0x00007ffff490708b in WebCore::RenderLayer::updateLayerPositionsAfterLayout (this=0x76fe58, rootLayer=0x76fe58, flags=14)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderLayer.cpp:414
#7  0x00007ffff467a7a9 in WebCore::FrameView::layout (this=0x774890, allowSubtree=true)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/page/FrameView.cpp:1354
#8  0x00007ffff467dd40 in WebCore::FrameView::visibleContentsResized (this=0x774890)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/page/FrameView.cpp:2218
#9  0x00007ffff4795ef8 in WebCore::ScrollView::updateScrollbars (this=0x774890, desiredOffset=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/ScrollView.cpp:556
#10 0x00007ffff479497d in WebCore::ScrollView::setContentsSize (this=0x774890, newSize=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/ScrollView.cpp:305
#11 0x00007ffff4678219 in WebCore::FrameView::setContentsSize (this=0x774890, size=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/page/FrameView.cpp:595
#12 0x00007ffff4678456 in WebCore::FrameView::adjustViewSize (this=0x774890) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/page/FrameView.cpp:624
#13 0x00007ffff467a70a in WebCore::FrameView::layout (this=0x774890, allowSubtree=true)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/page/FrameView.cpp:1345
#14 0x00007ffff41b2e8f in WebCore::Document::implicitClose (this=0x87c150) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:2452
#15 0x00007ffff45b349f in WebCore::FrameLoader::checkCallImplicitClose (this=0x7b0bd8)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:844
#16 0x00007ffff45b3210 in WebCore::FrameLoader::checkCompleted (this=0x7b0bd8) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:787
#17 0x00007ffff45b2f45 in WebCore::FrameLoader::finishedParsing (this=0x7b0bd8) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:720
#18 0x00007ffff41b9e35 in WebCore::Document::finishedParsing (this=0x87c150) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:4427
#19 0x00007ffff440ce97 in WebCore::HTMLConstructionSite::finishedParsing (this=0x7f3338)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLConstructionSite.cpp:348
#20 0x00007ffff44415b9 in WebCore::HTMLTreeBuilder::finished (this=0x7f3320)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2926
#21 0x00007ffff4414596 in WebCore::HTMLDocumentParser::end (this=0x775160)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:763
#22 0x00007ffff4414681 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd (this=0x775160)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:774
#23 0x00007ffff44131f0 in WebCore::HTMLDocumentParser::prepareToStopParsing (this=0x775160)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:211
#24 0x00007ffff44146c6 in WebCore::HTMLDocumentParser::attemptToEnd (this=0x775160)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:786
#25 0x00007ffff441477f in WebCore::HTMLDocumentParser::finish (this=0x775160)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:835
#26 0x00007ffff45aada5 in WebCore::DocumentWriter::end (this=0x6942f0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentWriter.cpp:248
#27 0x00007ffff459d8e4 in WebCore::DocumentLoader::finishedLoading (this=0x694250, finishTime=0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:402
#28 0x00007ffff459d652 in WebCore::DocumentLoader::notifyFinished (this=0x694250, resource=0x7a9840)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:344
#29 0x00007ffff4584948 in WebCore::CachedResource::checkNotify (this=0x7a9840)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:369
---Type <return> to continue, or q <return> to quit---
#30 0x00007ffff4584a1e in WebCore::CachedResource::finishLoading (this=0x7a9840)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:385
#31 0x00007ffff4581170 in WebCore::CachedRawResource::finishLoading (this=0x7a9840, data=0x8668e0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedRawResource.cpp:94
#32 0x00007ffff45e7765 in WebCore::SubresourceLoader::didFinishLoading (this=0x78d780, finishTime=0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/SubresourceLoader.cpp:282
#33 0x00007ffff45de04f in WebCore::ResourceLoader::didFinishLoading (this=0x78d780, finishTime=0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/ResourceLoader.cpp:488
#34 0x00007ffff4a878e3 in WebCore::QNetworkReplyHandler::finish (this=0x7a9690)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:516
#35 0x00007ffff4a86602 in WebCore::QNetworkReplyHandlerCallQueue::flush (this=0x7a96c8)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:250
#36 0x00007ffff4a862ff in WebCore::QNetworkReplyHandlerCallQueue::push (this=0x7a96c8, 
    method=(void (WebCore::QNetworkReplyHandler::*)(WebCore::QNetworkReplyHandler * const)) 0x7ffff4a87728 <WebCore::QNetworkReplyHandler::finish()>)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:216
#37 0x00007ffff4a8724c in WebCore::QNetworkReplyWrapper::didReceiveFinished (this=0x7aa3f0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:409
#38 0x00007ffff4a89bde in WebCore::QNetworkReplyWrapper::qt_static_metacall (_o=0x7aa3f0, _c=QMetaObject::InvokeMetaMethod, _id=1, _a=0x7fffffffcf80)
    at .moc/release-shared/moc_QNetworkReplyHandler.cpp:176
#39 0x00007ffff22115cb in QMetaObject::activate(QObject*, int, int, void**) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#40 0x00007ffff221284e in QObject::event(QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#41 0x00007ffff3058dbc in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Widgets.so.5
#42 0x00007ffff305c075 in QApplication::notify(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Widgets.so.5
#43 0x00007ffff21ecdbe in QCoreApplication::notifyInternal(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#44 0x00007ffff21eea76 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) ()
   from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#45 0x00007ffff2234333 in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#46 0x00007fffee3790a6 in g_main_dispatch (context=0x6632f0) at /build/buildd/glib2.0-2.37.3/./glib/gmain.c:3058
#47 g_main_context_dispatch (context=context@entry=0x6632f0) at /build/buildd/glib2.0-2.37.3/./glib/gmain.c:3634
#48 0x00007fffee3793f8 in g_main_context_iterate (context=context@entry=0x6632f0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>)
    at /build/buildd/glib2.0-2.37.3/./glib/gmain.c:3705
#49 0x00007fffee37949c in g_main_context_iteration (context=0x6632f0, may_block=1) at /build/buildd/glib2.0-2.37.3/./glib/gmain.c:3766
#50 0x00007ffff22344bc in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) ()
   from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#51 0x00007ffff21ebd3b in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#52 0x00007ffff21ef120 in QCoreApplication::exec() () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#53 0x0000000000421ba0 in launcherMain (app=...) at /home/reni/Data/REPOS/webkit_sec/Tools/QtTestBrowser/qttestbrowser.cpp:49
#54 0x0000000000423680 in main (argc=2, argv=0x7fffffffdc58) at /home/reni/Data/REPOS/webkit_sec/Tools/QtTestBrowser/qttestbrowser.cpp:318
Comment 1 Renata Hodovan 2013-08-09 06:00:35 PDT
Created attachment 208424
Test case
Comment 2 Renata Hodovan 2014-01-16 05:13:26 PST
Created attachment 221367
New test case

The previous test doesn't produce the assertion above anymore, but we can achieve it with this new one.
Comment 3 Renata Hodovan 2014-01-16 06:37:07 PST
As a side note, I have also tested it with the newest EFL debug build in EWebLauncher and MiniBrowser on r161958 (and not in QtTestBrowser as the backtrace suggests).
Comment 4 Martin Hodovan 2014-02-27 06:36:49 PST
Created attachment 225363
Proposed patch

Backported from Blink: https://codereview.chromium.org/143363004
Comment 5 Build Bot 2014-02-27 07:36:23 PST
Comment on attachment 225363
Proposed patch

Attachment 225363 did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.appspot.com/results/6233206076473344

New failing tests:
svg/transforms/svg-geometry-crash.html
Comment 6 Build Bot 2014-02-27 07:36:27 PST
Created attachment 225368
Archive of layout-test-results from webkit-ews-12 for mac-mountainlion-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: webkit-ews-12  Port: mac-mountainlion-wk2  Platform: Mac OS X 10.8.5
Comment 7 Build Bot 2014-02-27 07:59:45 PST
Comment on attachment 225363
Proposed patch

Attachment 225363 did not pass mac-ews (mac):
Output: http://webkit-queues.appspot.com/results/4864332353503232

New failing tests:
svg/transforms/svg-geometry-crash.html
Comment 8 Build Bot 2014-02-27 07:59:49 PST
Created attachment 225371
Archive of layout-test-results from webkit-ews-08 for mac-mountainlion

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: webkit-ews-08  Port: mac-mountainlion  Platform: Mac OS X 10.8.5
Comment 9 Build Bot 2014-02-27 08:58:28 PST
Comment on attachment 225363
Proposed patch

Attachment 225363 did not pass mac-ews (mac):
Output: http://webkit-queues.appspot.com/results/4896495216099328

New failing tests:
svg/transforms/svg-geometry-crash.html
Comment 10 Build Bot 2014-02-27 08:58:32 PST
Created attachment 225373
Archive of layout-test-results from webkit-ews-05 for mac-mountainlion

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: webkit-ews-05  Port: mac-mountainlion  Platform: Mac OS X 10.8.5
Comment 11 Martin Hodovan 2014-02-27 09:39:15 PST
Created attachment 225382
Proposed patch
Comment 12 Martin Hodovan 2014-02-27 10:15:46 PST
Created attachment 225389
Proposed patch
Comment 13 Simon Fraser (smfr) 2014-02-27 10:18:45 PST
Comment on attachment 225389
Proposed patch

View in context: https://bugs.webkit.org/attachment.cgi?id=225389&action=review

r=me but the tests should not need to dump pixel results.

> LayoutTests/ChangeLog:14
> +        * platform/efl/svg/transforms/svg-geometry-crash-expected.png: Added.
> +        * platform/efl/svg/transforms/svg-geometry-crash-expected.txt: Added.
> +        * platform/mac/svg/transforms/svg-geometry-crash-expected.png: Added.
> +        * platform/mac/svg/transforms/svg-geometry-crash-expected.txt: Added.
> +        * svg/transforms/svg-geometry-crash.html: Added.
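
Review bot: the expected results in these ChangeLog lines exist only under platform/efl and platform/mac, each as a .png plus .txt pair, so svg/transforms/svg-geometry-crash.html has no baseline on any other port. Suggest a single platform-independent svg/transforms/svg-geometry-crash-expected.txt next to the test and dropping the pixel baselines, since a crash test only has to show that the assertion no longer fires.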

Why can't these be dumpAsText() tests?
Comment 14 Martin Hodovan 2014-02-28 07:16:05 PST
Created attachment 225460
Proposed patch
Comment 15 Csaba Osztrogonác 2014-02-28 07:20:04 PST
Comment on attachment 225460
Proposed patch

You shouldn't set r+ yourself, but add "Reviewed by Simon Fraser." to the changelog and set only cq?
Comment 16 Martin Hodovan 2014-02-28 07:56:10 PST
Created attachment 225464
Proposed patch
Comment 17 WebKit Commit Bot 2014-02-28 08:29:54 PST
Comment on attachment 225464
Proposed patch

Clearing flags on attachment: 225464

Committed r164861: <http://trac.webkit.org/changeset/164861>
Comment 18 WebKit Commit Bot 2014-02-28 08:29:59 PST
All reviewed patches have been landed.  Closing bug.
Comment 19 Said Abou-Hallawa 2014-11-05 21:30:35 PST
The fix committed for this bug was wrong.  It was reverted by Blink because it broke their SVG display.  It also broke the WebKit SVG search.  Bug https://bugs.webkit.org/show_bug.cgi?id=138439 was logged to track reverting this change.  The same assertion is still firing with or without this change and it is tracked by bug https://bugs.webkit.org/show_bug.cgi?id=122027.
Comment 20 Said Abou-Hallawa 2014-11-06 11:34:58 PST
(In reply to comment #19)
> The same assertion is still firing with or without this change
> and it is tracked by bug https://bugs.webkit.org/show_bug.cgi?id=122027.
I was wrong about the relationship between the assertion here and the assertion filed in https://bugs.webkit.org/show_bug.cgi?id=122027.  The assertions are different and actually they are in different overloaded functions.
Comment 21 Said Abou-Hallawa 2014-11-06 18:12:15 PST
Reopening to attach new patch.
Comment 22 Said Abou-Hallawa 2014-11-06 18:12:20 PST
Created attachment 241152
Patch
Comment 23 Said Abou-Hallawa 2014-11-06 18:22:05 PST
Comment on attachment 241152
Patch

By mistake the patch of https://bugs.webkit.org/show_bug.cgi?id=138439 got into this one and reopened it.  I am obsoleting it and closing the bug again.
Comment 24 Said Abou-Hallawa 2014-11-06 18:23:03 PST

*** This bug has been marked as a duplicate of bug 138439 ***
Comment 25 Radar WebKit Bug Importer 2015-02-13 22:01:05 PST
<rdar://problem/19837156>