ASSERTION FAILED: frame().view() == this in WebCore::FrameView::layout
This happens with frame flattening enabled. Test case generated by Fuzzinator: <html> <big> <object> </big> <iframe height="50%"></iframe> <iframe srcdoc="foo" onload="document.designMode='on'; document.execCommand('selectall'); document.execCommand('RemoveFormat');"></iframe> <iframe srcdoc="dummy"></iframe> </html> Stack trace on the EFL port: STDERR: ASSERTION FAILED: frame().view() == this STDERR: /home/sergio/projects/webkit/Source/WebCore/page/FrameView.cpp(1108) : void WebCore::FrameView::layout(bool) STDERR: 1 0x7f496a0e7fdb WTFCrash STDERR: 2 0x7f4965e4e9d6 WebCore::FrameView::layout(bool) STDERR: 3 0x7f496619c256 WebCore::RenderFrameBase::layoutWithFlattening(bool, bool) STDERR: 4 0x7f49661b047f WebCore::RenderIFrame::layout() STDERR: 5 0x7f496609ac3f WebCore::RenderElement::layoutIfNeeded() STDERR: 6 0x7f496611730f WebCore::RenderBlockFlow::layoutLineBoxes(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) STDERR: 7 0x7f49660faf6e WebCore::RenderBlockFlow::layoutInlineChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) STDERR: 8 0x7f49660fa2bf WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) STDERR: 9 0x7f49660cca55 WebCore::RenderBlock::layout() STDERR: 10 0x7f49660fb341 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) STDERR: 11 0x7f49660fae77 WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) STDERR: 12 0x7f49660fa2e3 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) STDERR: 13 0x7f49660cca55 WebCore::RenderBlock::layout() STDERR: 14 0x7f49660fb341 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) STDERR: 15 0x7f49660fae77 WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) STDERR: 16 0x7f49660fa2e3 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) STDERR: 17 0x7f49660cca55 WebCore::RenderBlock::layout() STDERR: 18 0x7f49660fb341 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) STDERR: 19 0x7f49660fae77 WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) STDERR: 20 0x7f49660fa2e3 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) STDERR: 21 0x7f49660cca55 WebCore::RenderBlock::layout() STDERR: 22 0x7f496628afb1 WebCore::RenderView::layoutContent(WebCore::LayoutState const&) STDERR: 23 0x7f496628bc16 WebCore::RenderView::layout() STDERR: 24 0x7f4965e4f363 WebCore::FrameView::layout(bool) STDERR: 25 0x7f49658dc34c WebCore::Document::implicitClose() STDERR: 26 0x7f4965d3e56f WebCore::FrameLoader::checkCallImplicitClose() STDERR: 27 0x7f4965d3e2da WebCore::FrameLoader::checkCompleted() STDERR: 28 0x7f4965d3f50b WebCore::FrameLoader::completed() STDERR: 29 0x7f4965d3e2fd WebCore::FrameLoader::checkCompleted() STDERR: 30 0x7f4965d467ac WebCore::FrameLoader::receivedMainResourceError(WebCore::ResourceError const&) STDERR: 31 0x7f4965d1d296 WebCore::DocumentLoader::mainReceivedError(WebCore::ResourceError const&)
Created attachment 215960 [details] proposed patch
Comment on attachment 215960 [details] proposed patch View in context: https://bugs.webkit.org/attachment.cgi?id=215960&action=review > Source/WebCore/ChangeLog:15 > + (WebCore::RenderFrameBase::layoutWithFlattening): Don't call layout() > + if FrameView has no view. This is strange wording. FrameView is a view, so it’s never true that it “has no view“, but I guess it’s sometimes true that the Frame is not pointing back to the FrameView. > Source/WebCore/rendering/RenderFrameBase.cpp:63 > - if (childFrameView) > + if (childFrameView && childFrameView->frame().view()) > childFrameView->layout(); This doesn’t seem like the right level to do this check. Why is this different from other calls to layout()? If it’s not, then why isn’t this check inside layout() instead?
Comment on attachment 215960 [details] proposed patch View in context: https://bugs.webkit.org/attachment.cgi?id=215960&action=review > Source/WebCore/rendering/RenderFrameBase.cpp:62 > + if (childFrameView && childFrameView->frame().view()) By looking at this check, what probably happens here is that childFrameView gets wiped out in updateWidgetPosition(), but since someone, somewhere down in the callstack is retaining it, it is only detached at this point (-missing it from Changelog) While layouting a detached FrameView is absolutely unnecessary, I am wondering where we actually segfault on this. Knowing that, we might find a better place/way to fix it. This check itself is just odd and confuses me when I read the code. if you can't find a better way to fix it, I'd rather not cache the view instead.
Comment on attachment 215960 [details] proposed patch View in context: https://bugs.webkit.org/attachment.cgi?id=215960&action=review >> Source/WebCore/rendering/RenderFrameBase.cpp:62 >> + if (childFrameView && childFrameView->frame().view()) > > By looking at this check, what probably happens here is that childFrameView gets wiped out in updateWidgetPosition(), but since someone, somewhere down in the callstack is retaining it, it is only detached at this point (-missing it from Changelog) > While layouting a detached FrameView is absolutely unnecessary, I am wondering where we actually segfault on this. Knowing that, we might find a better place/way to fix it. > This check itself is just odd and confuses me when I read the code. if you can't find a better way to fix it, I'd rather not cache the view instead. Actually I uploaded an earlier version of the patch. I am using childFrameView->needsLayout() to check if we should call layout(), as we do in other places. Tomorrow I can look again to see if we can find a better place to fix it. Thanks for the review.
This issue no longer occurs under GuardMalloc or ASAN. If you believe there is still a bug, please reopen this issue with a revised test case.