Bug 120308 - ASSERTION FAILED: m_repaintRect == renderer()->clippedOverflowRectForRepaint(renderer()->containerForRepaint()) in WebCore::RenderLayer::updateLayerPositionsAfterScroll
Summary: ASSERTION FAILED: m_repaintRect == renderer()->clippedOverflowRectForRepaint(...
Status: RESOLVED WORKSFORME
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks: 116980
Reported: 2013-08-26 06:24 PDT by Renata Hodovan
Modified: 2016-08-03 12:33 PDT

Attachments
Test case (1.25 KB, text/html)
2013-08-26 06:26 PDT, Renata Hodovan
Test case (253 bytes, text/html)
2015-06-26 10:27 PDT, Renata Hodovan

Description Renata Hodovan 2013-08-26 06:24:23 PDT
The following test hits the above assertion (it's likely related to r147759 and https://bugs.webkit.org/show_bug.cgi?id=103432):


<html>
     <table> 
        <td style="position: fixed;"></td>abcin
        <td width="1"/>   
TABLE Testing Section    This element has a class of zero.   This element should have a top padding of half an inch, which will require extra text in order to test.  Both the content background and the padding should be aqua (light blue).   This element should have a top padding of 25 pixels, which will require extra text in order to test.  Both the content background and the padding should be aqua (light blue).   This element should have a top padding of 5 em, which will require extra text in order to test.  Both the content background and the padding should be aqua (light blue).   This element should have a top padding of 25%, which is calculated with respect to the width of the parent element.  Both the content background and the padding should be aqua (light blue).  This will require extra text in order to test.   This element should have no top padding, since negative padding values are not allowed.  Both the content background and the normal padding should be aqua (light blue).    
        <input /> 
        <input autofocus /> 
        <input /> 
        <input type="button" value="[Step 2] Set cell width to 20px (garbage seen)" >   
     </table> 
</html>



The backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff56f42bc in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:342
342	    *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007ffff56f42bc in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:342
#1  0x00007ffff4905091 in WebCore::RenderLayer::updateLayerPositionsAfterScroll (this=0x7d23e8, geometryMap=0x7fffffffbf30, flags=0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderLayer.cpp:809
#2  0x00007ffff4905155 in WebCore::RenderLayer::updateLayerPositionsAfterScroll (this=0x7d1018, geometryMap=0x7fffffffbf30, flags=0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderLayer.cpp:814
#3  0x00007ffff4904dda in WebCore::RenderLayer::updateLayerPositionsAfterDocumentScroll (this=0x7d1018)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderLayer.cpp:760
#4  0x00007ffff4679afc in WebCore::FrameView::repaintFixedElementsAfterScrolling (this=0x794ab0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/page/FrameView.cpp:2047
#5  0x00007ffff479163d in WebCore::ScrollView::scrollTo (this=0x794ab0, newOffset=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/ScrollView.cpp:392
#6  0x00007ffff467d680 in WebCore::FrameView::scrollTo (this=0x794ab0, newOffset=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/page/FrameView.cpp:3100
#7  0x00007ffff479153e in WebCore::ScrollView::setScrollOffset (this=0x794ab0, offset=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/ScrollView.cpp:373
#8  0x00007ffff4789428 in WebCore::ScrollableArea::scrollPositionChanged (this=0x794af8, position=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/ScrollableArea.cpp:145
#9  0x00007ffff4789715 in WebCore::ScrollableArea::setScrollOffsetFromAnimation (this=0x794af8, offset=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/ScrollableArea.cpp:190
#10 0x00007ffff478b265 in WebCore::ScrollAnimator::notifyPositionChanged (this=0x8dadf0, delta=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/ScrollAnimator.cpp:142
#11 0x00007ffff478ac47 in WebCore::ScrollAnimator::scrollToOffsetWithoutAnimation (this=0x8dadf0, offset=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/ScrollAnimator.cpp:81
#12 0x00007ffff4789296 in WebCore::ScrollableArea::scrollToOffsetWithoutAnimation (this=0x794af8, offset=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/ScrollableArea.cpp:124
#13 0x00007ffff4792f1b in WebCore::ScrollView::updateScrollbars (this=0x794ab0, desiredOffset=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/ScrollView.cpp:631
#14 0x00007ffff4790f2f in WebCore::ScrollView::setContentsSize (this=0x794ab0, newSize=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/ScrollView.cpp:305
#15 0x00007ffff46746bd in WebCore::FrameView::setContentsSize (this=0x794ab0, size=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/page/FrameView.cpp:595
#16 0x00007ffff46748fa in WebCore::FrameView::adjustViewSize (this=0x794ab0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/page/FrameView.cpp:624
#17 0x00007ffff4676bae in WebCore::FrameView::layout (this=0x794ab0, allowSubtree=true)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/page/FrameView.cpp:1345
#18 0x00007ffff41af833 in WebCore::Document::implicitClose (this=0x89f9c0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:2418
#19 0x00007ffff45af90d in WebCore::FrameLoader::checkCallImplicitClose (this=0x7d4018)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:850
#20 0x00007ffff45af67e in WebCore::FrameLoader::checkCompleted (this=0x7d4018) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:793
#21 0x00007ffff45af3b3 in WebCore::FrameLoader::finishedParsing (this=0x7d4018) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:726
#22 0x00007ffff41b67d9 in WebCore::Document::finishedParsing (this=0x89f9c0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:4393
#23 0x00007ffff4407b0d in WebCore::HTMLConstructionSite::finishedParsing (this=0x815ad8)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLConstructionSite.cpp:348
#24 0x00007ffff443c1a5 in WebCore::HTMLTreeBuilder::finished (this=0x815ac0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2926
#25 0x00007ffff440f182 in WebCore::HTMLDocumentParser::end (this=0x7d26d0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:763
#26 0x00007ffff440f26d in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd (this=0x7d26d0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:774
#27 0x00007ffff440dddc in WebCore::HTMLDocumentParser::prepareToStopParsing (this=0x7d26d0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:211
#28 0x00007ffff440f2b2 in WebCore::HTMLDocumentParser::attemptToEnd (this=0x7d26d0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:786
#29 0x00007ffff440f36b in WebCore::HTMLDocumentParser::finish (this=0x7d26d0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:835
#30 0x00007ffff45a7213 in WebCore::DocumentWriter::end (this=0x694180) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentWriter.cpp:248
#31 0x00007ffff4599d52 in WebCore::DocumentLoader::finishedLoading (this=0x6940e0, finishTime=0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:402
#32 0x00007ffff4599ac0 in WebCore::DocumentLoader::notifyFinished (this=0x6940e0, resource=0x76d360)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:344
#33 0x00007ffff4580db6 in WebCore::CachedResource::checkNotify (this=0x76d360)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:369
#34 0x00007ffff4580e8c in WebCore::CachedResource::finishLoading (this=0x76d360)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:385
#35 0x00007ffff457d5de in WebCore::CachedRawResource::finishLoading (this=0x76d360, data=0x7ab070)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedRawResource.cpp:94
#36 0x00007ffff45e3c41 in WebCore::SubresourceLoader::didFinishLoading (this=0x7bcc40, finishTime=0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/SubresourceLoader.cpp:282
#37 0x00007ffff45da52b in WebCore::ResourceLoader::didFinishLoading (this=0x7bcc40, finishTime=0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/ResourceLoader.cpp:488
#38 0x00007ffff4a85729 in WebCore::QNetworkReplyHandler::finish (this=0x7ccc30)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:516
#39 0x00007ffff4a84448 in WebCore::QNetworkReplyHandlerCallQueue::flush (this=0x7ccc68)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:250
#40 0x00007ffff4a84145 in WebCore::QNetworkReplyHandlerCallQueue::push (this=0x7ccc68, 
    method=(void (WebCore::QNetworkReplyHandler::*)(WebCore::QNetworkReplyHandler * const)) 0x7ffff4a8556e <WebCore::QNetworkReplyHandler::finish()>)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:216
#41 0x00007ffff4a85092 in WebCore::QNetworkReplyWrapper::didReceiveFinished (this=0x775eb0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/qt/QNetworkReplyHandler.cpp:409
#42 0x00007ffff4a87a24 in WebCore::QNetworkReplyWrapper::qt_static_metacall (_o=0x775eb0, _c=QMetaObject::InvokeMetaMethod, _id=1, _a=0x7fffffffcf80)
    at .moc/release-shared/moc_QNetworkReplyHandler.cpp:176
#43 0x00007ffff220f5cb in QMetaObject::activate(QObject*, int, int, void**) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#44 0x00007ffff221084e in QObject::event(QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#45 0x00007ffff3056dbc in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Widgets.so.5
#46 0x00007ffff305a075 in QApplication::notify(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Widgets.so.5
#47 0x00007ffff21eadbe in QCoreApplication::notifyInternal(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#48 0x00007ffff21eca76 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) ()
   from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#49 0x00007ffff2232333 in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#50 0x00007fffee3732d6 in g_main_dispatch (context=0x6632f0) at /build/buildd/glib2.0-2.37.6/./glib/gmain.c:3065
#51 g_main_context_dispatch (context=context@entry=0x6632f0) at /build/buildd/glib2.0-2.37.6/./glib/gmain.c:3641
#52 0x00007fffee373628 in g_main_context_iterate (context=context@entry=0x6632f0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>)
    at /build/buildd/glib2.0-2.37.6/./glib/gmain.c:3712
#53 0x00007fffee3736cc in g_main_context_iteration (context=0x6632f0, may_block=1) at /build/buildd/glib2.0-2.37.6/./glib/gmain.c:3773
#54 0x00007ffff22324bc in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) ()
   from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#55 0x00007ffff21e9d3b in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#56 0x00007ffff21ed120 in QCoreApplication::exec() () from /usr/local/Trolltech/Qt5/Qt-5.0.0-r40/lib/libQt5Core.so.5
#57 0x0000000000421ba0 in launcherMain (app=...) at /home/reni/Data/REPOS/webkit_sec/Tools/QtTestBrowser/qttestbrowser.cpp:49
#58 0x0000000000423680 in main (argc=2, argv=0x7fffffffdc58) at /home/reni/Data/REPOS/webkit_sec/Tools/QtTestBrowser/qttestbrowser.cpp:318
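
Added example, not part of the original report or of WebKit's tooling: frame #0 of the backtrace above is WTFCrash writing to 0xbbadbeef, so the SIGSEGV is the assertion firing and the frame to bucket on is #1. The Python below parses gdb `bt` output, tolerating a pager prompt that splits a frame, and reports that; `parse_frames`, `triage` and the bucket format are names chosen here, and SAMPLE is a constructed excerpt of the listing above.

```python
import re

# Constructed sample: first frames of the backtrace above, with a gdb pager prompt splitting frame #2.
SAMPLE = """\
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff56f42bc in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:342
342\t    *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007ffff56f42bc in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:342
#1  0x00007ffff4905091 in WebCore::RenderLayer::updateLayerPositionsAfterScroll (this=0x7d23e8, geometryMap=0x7fffffffbf30, flags=0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderLayer.cpp:809
#2  0x00007ffff4905155 in WebCore::RenderLayer::updateLayerPositionsAfterScroll (this=0x7d1018, geometryMap=0x7fffffffbf30, flags=0)
---Type <return> to continue, or q <return> to quit---
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderLayer.cpp:814
"""

FRAME = re.compile(r"^#(\d+)\s+(?:0x[0-9a-f]+ in )?(.+?) \(")  # address is optional in gdb output
LOCATION = re.compile(r"\bat (\S+):(\d+)\s*$")
ASSERT_SENTINEL = "0xbbadbeef"   # address WTFCrash writes to, per the listing above
CRASH_HELPERS = {"WTFCrash"}     # frames that only deliver the crash

def parse_frames(text):
    """Join wrapped frame lines, drop pager prompts, return one dict per frame."""
    frames = []
    for line in text.splitlines():
        if line.startswith("---Type <return>"):
            continue
        if line.startswith("#"):
            frames.append(line.rstrip())
        elif frames and line[:1].isspace():
            frames[-1] += " " + line.strip()
    parsed = []
    for raw in frames:
        head, loc = FRAME.match(raw), LOCATION.search(raw)
        if head:
            parsed.append({"index": int(head.group(1)), "function": head.group(2),
                           "file": loc.group(1) if loc else None,
                           "line": int(loc.group(2)) if loc else None})
    return parsed

def triage(text):
    """Classify the crash and name the first frame that is not a crash helper."""
    frames = parse_frames(text)
    is_assert = bool(frames) and frames[0]["function"] in CRASH_HELPERS \
        and ASSERT_SENTINEL in text.lower()
    culprit = next((f for f in frames if f["function"] not in CRASH_HELPERS), None)
    bucket = culprit and f'{culprit["function"]}@{(culprit["file"] or "?").rsplit("/", 1)[-1]}'
    return {"kind": "assertion" if is_assert else "signal", "bucket": bucket,
            "line": culprit and culprit["line"], "depth": len(frames)}
```
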
Comment 1 Renata Hodovan 2013-08-26 06:26:13 PDT
Created attachment 209643
Test case
Comment 2 Renata Hodovan 2015-06-26 10:27:58 PDT
Created attachment 255646
Test case

The old test case doesn't repro the issue anymore, but the new one still does.
Comment 3 Brent Fulgham 2016-08-03 12:33:27 PDT
This assertion does not reproduce for me in r204037 under GuardMalloc or ASAN. If you feel like this is still an issue, could you please reopen the bug with a revised test case?