Bug 119781 - [WK2] Assertion failure in WebCore::Page::checkSubframeCountConsistency when going back
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: History
Version: 528+ (Nightly build)
Hardware: PC Linux
Importance: P2 Normal
Assignee: ChangSeok Oh
URL:
Keywords:
Depends on: 127476
Blocks:
Reported: 2013-08-13 19:40 PDT by ChangSeok Oh
Modified: 2014-02-10 03:42 PST
Attachments
Patch (5.44 KB, patch)
2013-08-14 10:50 PDT, ChangSeok Oh
Patch (5.50 KB, patch)
2013-08-14 11:01 PDT, ChangSeok Oh
Crash on mac (224.47 KB, image/png)
2013-08-15 07:36 PDT, ChangSeok Oh
Archive of layout-test-results from webkit-ews-02 for mac-mountainlion (976.14 KB, application/zip)
2013-08-15 10:26 PDT, Build Bot
Patch (5.94 KB, patch)
2013-08-16 00:53 PDT, ChangSeok Oh
Patch (5.55 KB, patch)
2013-08-16 01:08 PDT, ChangSeok Oh
Patch (5.60 KB, patch)
2013-08-18 04:43 PDT, ChangSeok Oh
Patch (5.40 KB, patch)
2013-09-06 20:51 PDT, ChangSeok Oh
Patch (5.44 KB, patch)
2013-09-06 21:18 PDT, ChangSeok Oh
Archive of layout-test-results from webkit-ews-16 for mac-mountainlion-wk2 (1.09 MB, application/zip)
2013-09-07 00:05 PDT, Build Bot
Patch (5.98 KB, patch)
2013-09-08 20:59 PDT, ChangSeok Oh

Description ChangSeok Oh 2013-08-13 19:40:33 PDT
I faced this assertion failure when going back to a page which has multiple frames.

The backtrace is ...
Program received signal SIGSEGV, Segmentation fault.
0x00007ff42b9e9ee5 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:342
342	    *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007ff42b9e9ee5 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:342
#1  0x00007ff42d7757f2 in WebCore::Page::checkSubframeCountConsistency (
    this=0x1afc210) at ../../Source/WebCore/page/Page.cpp:1255
#2  0x00007ff42d3c9d02 in WebCore::Page::subframeCount (this=0x1afc210)
    at ../../Source/WebCore/page/Page.h:185
#3  0x00007ff42d74e152 in WebCore::Frame::isURLAllowed (this=0x3445710, url=...)
    at ../../Source/WebCore/page/Frame.cpp:1022
#4  0x00007ff42d489639 in WebCore::HTMLPlugInImageElement::allowedToLoadFrameURL (
    this=0x374a410, url=...)
    at ../../Source/WebCore/html/HTMLPlugInImageElement.cpp:177
#5  0x00007ff42d44e09e in WebCore::HTMLEmbedElement::updateWidget (this=0x374a410, 
    pluginCreationOption=WebCore::CreateOnlyNonNetscapePlugins)
    at ../../Source/WebCore/html/HTMLEmbedElement.cpp:137
#6  0x00007ff42d489d03 in WebCore::HTMLPlugInImageElement::updateWidgetIfNecessary (
    this=0x374a410) at ../../Source/WebCore/html/HTMLPlugInImageElement.cpp:274
#7  0x00007ff42d489fc5 in WebCore::HTMLPlugInImageElement::updateWidgetCallback (n=
    0x374a410) at ../../Source/WebCore/html/HTMLPlugInImageElement.cpp:331
#8  0x00007ff42d207b2a in WebCore::ContainerNode::dispatchPostAttachCallbacks ()
    at ../../Source/WebCore/dom/ContainerNode.cpp:772
#9  0x00007ff42d207981 in WebCore::ContainerNode::resumePostAttachCallbacks (
    this=0x3748570) at ../../Source/WebCore/dom/ContainerNode.cpp:739
#10 0x00007ff42d229d79 in WebCore::PostAttachCallbackDisabler::~PostAttachCallbackDisabler (this=0x7fffaa656620, __in_chrg=<optimized out>)
    at ../../Source/WebCore/dom/ContainerNode.h:345
#11 0x00007ff42d489bac in WebCore::HTMLPlugInImageElement::attach (this=0x3748570, 
    context=...) at ../../Source/WebCore/html/HTMLPlugInImageElement.cpp:250
#12 0x00007ff42d2ff799 in WebCore::Node::reattach (this=0x3748570, context=...)
    at ../../Source/WebCore/dom/Node.h:811
#13 0x00007ff42da295d7 in WebCore::Style::resolveLocal (current=0x3748570, 
    inheritedChange=WebCore::Style::Force)
    at ../../Source/WebCore/style/StyleResolveTree.cpp:152
#14 0x00007ff42da29b4b in WebCore::Style::resolveTree (current=0x3748570, 
    change=WebCore::Style::Force)
    at ../../Source/WebCore/style/StyleResolveTree.cpp:236
#15 0x00007ff42d489f09 in WebCore::HTMLPlugInImageElement::documentDidResumeFromPageCache (this=0x3748570) at ../../Source/WebCore/html/HTMLPlugInImageElement.cpp:316
#16 0x00007ff42d2222b0 in WebCore::Document::documentDidResumeFromPageCache (
    this=0x2be2f90) at ../../Source/WebCore/dom/Document.cpp:4023
#17 0x00007ff42d3c7d18 in WebCore::CachedFrameBase::restore (this=0x32ea688)
    at ../../Source/WebCore/history/CachedFrame.cpp:149
#18 0x00007ff42d6888b3 in WebCore::FrameLoader::open (this=0x3445790, cachedFrame=...)
    at ../../Source/WebCore/loader/FrameLoader.cpp:2023
#19 0x00007ff42d3c82b8 in WebCore::CachedFrame::open (this=0x32ea680)
    at ../../Source/WebCore/history/CachedFrame.cpp:220
#20 0x00007ff42d3c7c1c in WebCore::CachedFrameBase::restore (this=0x21da638)
    at ../../Source/WebCore/history/CachedFrame.cpp:134
#21 0x00007ff42d6888b3 in WebCore::FrameLoader::open (this=0x1a39d20, cachedFrame=...)
    at ../../Source/WebCore/loader/FrameLoader.cpp:2023
#22 0x00007ff42d3c82b8 in WebCore::CachedFrame::open (this=0x21da630)
    at ../../Source/WebCore/history/CachedFrame.cpp:220
#23 0x00007ff42d3c9a75 in WebCore::CachedPage::restore (this=0x2ea4d40, 
    page=0x1afc210) at ../../Source/WebCore/history/CachedPage.cpp:83
#24 0x00007ff42d687623 in WebCore::FrameLoader::commitProvisionalLoad (this=0x1a39d20)
    at ../../Source/WebCore/loader/FrameLoader.cpp:1742
#25 0x00007ff42d68d0ba in WebCore::FrameLoader::loadProvisionalItemFromCachedPage (
    this=0x1a39d20) at ../../Source/WebCore/loader/FrameLoader.cpp:3040
#26 0x00007ff42d68bfdf in WebCore::FrameLoader::continueLoadAfterNavigationPolicy (
    this=0x1a39d20, formState=..., shouldContinue=true)
    at ../../Source/WebCore/loader/FrameLoader.cpp:2882
#27 0x00007ff42d68b575 in WebCore::FrameLoader::callContinueLoadAfterNavigationPolicy
    (argument=0x1a39d20, request=..., formState=..., shouldContinue=true)
    at ../../Source/WebCore/loader/FrameLoader.cpp:2718
#28 0x00007ff42d6b8029 in WebCore::PolicyCallback::call (this=0x7fffaa657010, 
    shouldContinue=true) at ../../Source/WebCore/loader/PolicyCallback.cpp:103
#29 0x00007ff42d6b8f98 in WebCore::PolicyChecker::continueAfterNavigationPolicy (
    this=0x1a39fa0, policy=WebCore::PolicyUse)
    at ../../Source/WebCore/loader/PolicyChecker.cpp:180
#30 0x00007ff42cecbc6a in WebKit::WebFrame::didReceivePolicyDecision (this=0x19f7230, 
    listenerID=48, action=WebCore::PolicyUse, downloadID=0)
    at ../../Source/WebKit2/WebProcess/WebPage/WebFrame.cpp:234
#31 0x00007ff42cea321d in WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction (this=0x19f7268, function=
    (void (WebCore::PolicyChecker::*)(WebCore::PolicyChecker * const, WebCore::PolicyAction)) 0x7ff42d6b8d2e <WebCore::PolicyChecker::continueAfterNavigationPolicy(WebCore::PolicyAction)>, navigationAction=..., request=..., formState=...)
    at ../../Source/WebKit2/WebProcess/WebCoreSupport/WebFrameLoaderClient.cpp:708
#32 0x00007ff42d6b8951 in WebCore::PolicyChecker::checkNavigationPolicy (
    this=0x1a39fa0, request=..., loader=0x3111780, formState=..., 
    function=0x7ff42d68b526 <WebCore::FrameLoader::callContinueLoadAfterNavigationPolicy(void*, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool)>, argument=0x1a39d20) at ../../Source/WebCore/loader/PolicyChecker.cpp:99
#33 0x00007ff42d685d40 in WebCore::FrameLoader::loadWithDocumentLoader (
    this=0x1a39d20, loader=0x3111780, type=WebCore::FrameLoadTypeBack, 
    prpFormState=...) at ../../Source/WebCore/loader/FrameLoader.cpp:1422
#34 0x00007ff42d68d699 in WebCore::FrameLoader::loadDifferentDocumentItem (
    this=0x1a39d20, item=0x1c58a50, loadType=WebCore::FrameLoadTypeBack, 
    cacheLoadPolicy=WebCore::FrameLoader::MayAttemptCacheOnlyLoadForFormSubmissionItem) at ../../Source/WebCore/loader/FrameLoader.cpp:3135
#35 0x00007ff42d68dd17 in WebCore::FrameLoader::loadItem (this=0x1a39d20, 
    item=0x1c58a50, loadType=WebCore::FrameLoadTypeBack)
    at ../../Source/WebCore/loader/FrameLoader.cpp:3223
#36 0x00007ff42d696f10 in WebCore::HistoryController::recursiveGoToItem (
    this=0x1a3a240, item=0x1c58a50, fromItem=0x36dc950, 
    type=WebCore::FrameLoadTypeBack)
    at ../../Source/WebCore/loader/HistoryController.cpp:765
#37 0x00007ff42d694fb2 in WebCore::HistoryController::goToItem (this=0x1a3a240, 
    targetItem=0x1c58a50, type=WebCore::FrameLoadTypeBack)
    at ../../Source/WebCore/loader/HistoryController.cpp:306
#38 0x00007ff42d77245a in WebCore::Page::goToItem (this=0x1afc210, item=0x1c58a50, 
    type=WebCore::FrameLoadTypeBack) at ../../Source/WebCore/page/Page.cpp:432
#39 0x00007ff42ced5db9 in WebKit::WebPage::goBack (this=0x1afbb60, 
    backForwardItemID=3) at ../../Source/WebKit2/WebProcess/WebPage/WebPage.cpp:1036
#40 0x00007ff42cf3b903 in CoreIPC::callMemberFunction<WebKit::WebPage, void (WebKit::WebPage::*)(unsigned long), unsigned long> (args=..., object=0x1afbb60, function=
    (void (WebKit::WebPage::*)(WebKit::WebPage * const, unsigned long)) 0x7ff42ced5d28 <WebKit::WebPage::goBack(unsigned long)>)
    at ../../Source/WebKit2/Platform/CoreIPC/HandleMessage.h:21
#41 0x00007ff42cf38905 in CoreIPC::handleMessage<Messages::WebPage::GoBack, WebKit::WebPage, void (WebKit::WebPage::*)(unsigned long)> (decoder=..., object=0x1afbb60, 
    function=
    (void (WebKit::WebPage::*)(WebKit::WebPage * const, unsigned long)) 0x7ff42ced5d28 <WebKit::WebPage::goBack(unsigned long)>)
    at ../../Source/WebKit2/Platform/CoreIPC/HandleMessage.h:376
#42 0x00007ff42cf335be in WebKit::WebPage::didReceiveWebPageMessage (this=0x1afbb60, 
    decoder=...) at DerivedSources/WebKit2/WebPageMessageReceiver.cpp:172
#43 0x00007ff42cedcaca in WebKit::WebPage::didReceiveMessage (this=0x1afbb60, 
    connection=0x19934c0, decoder=...)
    at ../../Source/WebKit2/WebProcess/WebPage/WebPage.cpp:3179
#44 0x00007ff42e43450e in CoreIPC::MessageReceiverMap::dispatchMessage (
    this=0x19c3df0, connection=0x19934c0, decoder=...)
    at ../../Source/WebKit2/Platform/CoreIPC/MessageReceiverMap.cpp:86
#45 0x00007ff42cef376d in WebKit::WebProcess::didReceiveMessage (this=0x19c3d90, 
    connection=0x19934c0, decoder=...)
    at ../../Source/WebKit2/WebProcess/WebProcess.cpp:638
#46 0x00007ff42e423ea4 in CoreIPC::Connection::dispatchMessage (this=0x19934c0, 
    decoder=...) at ../../Source/WebKit2/Platform/CoreIPC/Connection.cpp:793
#47 0x00007ff42e423f84 in CoreIPC::Connection::dispatchMessage (this=0x19934c0, 
    incomingMessage=...) at ../../Source/WebKit2/Platform/CoreIPC/Connection.cpp:816
#48 0x00007ff42e424195 in CoreIPC::Connection::dispatchOneMessage (this=0x19934c0)
    at ../../Source/WebKit2/Platform/CoreIPC/Connection.cpp:842
#49 0x00007ff42e43391f in WTF::FunctionWrapper<void (CoreIPC::Connection::*)()>::operator() (this=0x7ff3d0001f90, c=0x19934c0) at ../../Source/WTF/wtf/Functional.h:218
#50 0x00007ff42e4334a4 in WTF::BoundFunctionImpl<WTF::FunctionWrapper<void (CoreIPC::Connection::*)()>, void (CoreIPC::Connection*)>::operator()() (this=0x7ff3d0001f80)
    at ../../Source/WTF/wtf/Functional.h:496
#51 0x00007ff42ceb4aed in WTF::Function<void ()>::operator()() const (
    this=0x7fffaa658830) at ../../Source/WTF/wtf/Functional.h:704
#52 0x00007ff42e2f924f in WebCore::RunLoop::performWork (this=0x19c3c10)
    at ../../Source/WebCore/platform/RunLoop.cpp:104
#53 0x00007ff42e3198cc in WebCore::RunLoop::queueWork (runLoop=0x19c3c10)
    at ../../Source/WebCore/platform/gtk/RunLoopGtk.cpp:104
#54 0x00007ff426483fd5 in g_main_dispatch (context=0x19538c0) at gmain.c:3058
#55 g_main_context_dispatch (context=context@entry=0x19538c0) at gmain.c:3634
#56 0x00007ff426484318 in g_main_context_iterate (context=0x19538c0, 
    block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>)
    at gmain.c:3705
#57 0x00007ff42648478a in g_main_loop_run (loop=0x19c3c90) at gmain.c:3899
#58 0x00007ff42e319692 in WebCore::RunLoop::run ()
    at ../../Source/WebCore/platform/gtk/RunLoopGtk.cpp:61
#59 0x00007ff42ce11d64 in WebKit::WebProcessMainGtk (argc=2, argv=0x7fffaa658b58)
    at ../../Source/WebKit2/WebProcess/gtk/WebProcessMainGtk.cpp:78
#60 0x000000000040080c in main (argc=2, argv=0x7fffaa658b58)
    at ../../Source/WebKit2/gtk/MainGtk.cpp:31
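The assertion in frame #1 of the backtrace above is WebKit's debug-only consistency check between a cached subframe counter and the actual frame tree, reached here from `Frame::isURLAllowed` while a page is being restored from the page cache. The following is an added example, not code from WebKit or from this bug's patches, that shows the shape of such a check on a toy frame tree: every name in it (`Page`, `Frame`, `subframeCountCache`, `attachSubframe`, and so on) is an assumption made for the example, and the skewed-counter scenario is a constructed failure mode, not the diagnosed cause of this bug.

```cpp
// Added illustration (not WebKit's code) of a debug-only subframe-count
// consistency check: a page keeps a cached count of its subframes, and a
// debug check re-derives that count by walking the frame tree and compares
// the two. All names here are assumptions chosen for this example.
#include <cassert>
#include <cstdio>
#include <memory>
#include <vector>

struct Page;

// A frame owns its child frames; the main frame has no parent.
struct Frame {
    Page* page;
    Frame* parent;
    std::vector<std::unique_ptr<Frame>> children;
    Frame(Page* p, Frame* par) : page(p), parent(par) {}
};

struct Page {
    // Bookkeeping counter: must be kept in step with every attach/detach.
    int subframeCountCache = 0;
    std::unique_ptr<Frame> mainFrame;
    Page() : mainFrame(std::make_unique<Frame>(this, nullptr)) {}
};

// Depth-first walk that counts every frame in the subtree rooted at `frame`,
// including `frame` itself.
int countFramesInTree(const Frame* frame)
{
    int n = 1;
    for (const auto& child : frame->children)
        n += countFramesInTree(child.get());
    return n;
}

// The invariant a debug assertion of this kind enforces: cached subframe
// count + 1 (the main frame) equals the number of frames reachable from the root.
bool subframeCountConsistent(const Page& page)
{
    return page.subframeCountCache >= 0
        && page.subframeCountCache + 1 == countFramesInTree(page.mainFrame.get());
}

// Attach a new child frame and keep the counter in step.
Frame* attachSubframe(Frame* parent)
{
    parent->children.push_back(std::make_unique<Frame>(parent->page, parent));
    ++parent->page->subframeCountCache;
    return parent->children.back().get();
}

// Detach `child` (and its whole subtree) from its parent, decrementing the
// counter by the number of frames removed.
void detachSubframe(Frame* child)
{
    Frame* parent = child->parent;
    auto& siblings = parent->children;
    for (auto it = siblings.begin(); it != siblings.end(); ++it) {
        if (it->get() == child) {
            parent->page->subframeCountCache -= countFramesInTree(child);
            siblings.erase(it); // destroys the subtree
            return;
        }
    }
}

// One way the invariant can break: a frame is inserted into the tree by a code
// path that skips the bookkeeping. Constructed failure mode for this example;
// the bug page does not say this is the cause of bug 119781.
Frame* attachSubframeWithoutBookkeeping(Frame* parent)
{
    parent->children.push_back(std::make_unique<Frame>(parent->page, parent));
    return parent->children.back().get();
}

// Scenarios return the check result so they can be asserted on.
bool scenarioBalancedTree()
{
    Page page;
    Frame* a = attachSubframe(page.mainFrame.get());
    attachSubframe(a);
    attachSubframe(page.mainFrame.get());
    return subframeCountConsistent(page); // 3 subframes, 4 frames in total
}

bool scenarioAfterDetach()
{
    Page page;
    Frame* a = attachSubframe(page.mainFrame.get());
    attachSubframe(a);
    detachSubframe(a); // removes a and its child; counter returns to 0
    return subframeCountConsistent(page);
}

bool scenarioSkewedCounter()
{
    Page page;
    attachSubframeWithoutBookkeeping(page.mainFrame.get());
    return subframeCountConsistent(page); // tree has 2 frames, cache says 0
}

int main()
{
    std::printf("balanced tree consistent: %d\n", scenarioBalancedTree());
    std::printf("after detach consistent:  %d\n", scenarioAfterDetach());
    std::printf("skewed counter consistent: %d\n", scenarioSkewedCounter());
    // In a debug build the real check would ASSERT (crash) instead of returning false.
    return 0;
}
```

The point for triage is that a check like this fires at the first caller that happens to ask for the count, not at the site that let the counter and the tree drift apart; in the backtrace above that caller is a plugin URL check during page-cache restore, so the interesting frames are the ones above it (`CachedFrameBase::restore`, `FrameLoader::open`, `CachedPage::restore`), where the frame tree is in the middle of being rebuilt.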
Comment 1 ChangSeok Oh 2013-08-14 10:50:35 PDT
Created attachment 208745 [details]
Patch
Comment 2 ChangSeok Oh 2013-08-14 11:01:49 PDT
Created attachment 208746 [details]
Patch
Comment 3 Brady Eidson 2013-08-14 11:18:35 PDT
Does your layout test reproduce in the main Mac port?  We haven't seen this there.
Comment 4 Brady Eidson 2013-08-14 11:20:08 PDT
Comment on attachment 208746 [details]
Patch

This is a fundamental change for the page cache and I'm definitely not convinced this is the right fix without knowing more about the problem or how you arrived at this fix.
Comment 5 ChangSeok Oh 2013-08-14 22:22:16 PDT
(In reply to comment #4)
> (From update of attachment 208746 [details])
> This is a fundamental change for the page cache and I'm definitely not convinced this is the right fix without knowing more about the problem or how you arrived at this fix.

I've seen this in the Gtk port now. Let me check other ports, including the mac port.
Comment 6 ChangSeok Oh 2013-08-15 07:36:17 PDT
Created attachment 208807 [details]
Crash on mac

(In reply to comment #3)
> Does your layout test reproduce in the main Mac port?  We haven't seen this there.

Yes, it does. I confirmed the mac port has the crash. Run go-back-to-iframe-with-plugin.html with a debug build.
The EFL port does not seem to support the flash plugin properly, so I could not test it. I haven't looked at the qt port yet, but I'm very sure the crash is still there.
Comment 7 Build Bot 2013-08-15 10:26:38 PDT
Comment on attachment 208746 [details]
Patch

Attachment 208746 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.appspot.com/results/1469248

New failing tests:
fast/events/pageshow-pagehide-on-back-cached-with-frames.html
Comment 8 Build Bot 2013-08-15 10:26:40 PDT
Created attachment 208819 [details]
Archive of layout-test-results from webkit-ews-02 for mac-mountainlion

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: webkit-ews-02  Port: mac-mountainlion  Platform: Mac OS X 10.8.4
Comment 9 ChangSeok Oh 2013-08-16 00:53:38 PDT
Created attachment 208888 [details]
Patch
Comment 10 ChangSeok Oh 2013-08-16 01:08:24 PDT
Created attachment 208890 [details]
Patch
Comment 11 ChangSeok Oh 2013-08-18 04:43:11 PDT
Created attachment 209026 [details]
Patch
Comment 12 ChangSeok Oh 2013-08-19 20:59:37 PDT
Review please?
Comment 13 ChangSeok Oh 2013-09-06 20:51:58 PDT
Created attachment 210834 [details]
Patch
Comment 14 ChangSeok Oh 2013-09-06 21:18:31 PDT
Created attachment 210835 [details]
Patch
Comment 15 Build Bot 2013-09-07 00:05:02 PDT
Comment on attachment 210835 [details]
Patch

Attachment 210835 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.appspot.com/results/1706668

New failing tests:
fast/history/go-back-to-iframe-with-plugin.html
inspector/storage-panel-dom-storage-update.html
compositing/iframes/page-cache-layer-tree.html
fast/events/pagehide-xhr-open.html
platform/mac-wk2/tiled-drawing/null-parent-back-crash.html
fast/events/suspend-timers.html
Comment 16 Build Bot 2013-09-07 00:05:05 PDT
Created attachment 210899 [details]
Archive of layout-test-results from webkit-ews-16 for mac-mountainlion-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: webkit-ews-16  Port: mac-mountainlion-wk2  Platform: Mac OS X 10.8.4
Comment 17 ChangSeok Oh 2013-09-08 20:59:28 PDT
Created attachment 211005 [details]
Patch
Comment 18 WebKit Commit Bot 2013-09-09 10:40:17 PDT
Comment on attachment 211005 [details]
Patch

Clearing flags on attachment: 211005

Committed r155361: <http://trac.webkit.org/changeset/155361>
Comment 19 WebKit Commit Bot 2013-09-09 10:40:20 PDT
All reviewed patches have been landed.  Closing bug.
Comment 20 Beth Dakin 2013-09-09 13:24:49 PDT
This test appears to be crashing on the debug bots.
Comment 21 Beth Dakin 2013-09-09 14:58:52 PDT
(In reply to comment #20)
> This test appears to be crashing on the debug bots.

I confirmed that the test will crash even if the patch is rolled out, so at least this change did not introduce the crash. I will skip the test for now.
Comment 22 Beth Dakin 2013-09-09 15:15:19 PDT
I skipped the test with http://trac.webkit.org/changeset/155389 and filed https://bugs.webkit.org/show_bug.cgi?id=121053 to track fixing the test or the assertion.