Created attachment 238305 [details] Test-case The attached test-case causes Webkit Nightly to crash. iOS8 Safari is also affected. The assertion is in RenderFlowThread::cachedRegionForCompositedLayer: ASSERT(m_layerToRegionMap); RenderNamedFlowFragment* namedFlowFragment = m_layerToRegionMap->get(&childLayer); In this scenario, m_layerToRegionMap is null.
The fix for https://bugs.webkit.org/show_bug.cgi?id=129371 remove the check for m_layerToRegionMap causing the reported crash with the stack trace: ASSERTION FAILED: m_layerToRegionMap /Users/mihnea/WebKit/Source/WebCore/rendering/RenderFlowThread.cpp(254) : WebCore::RenderNamedFlowFragment *WebCore::RenderFlowThread::cachedRegionForCompositedLayer(WebCore::RenderLayer &) const 1 0x10ffacc50 WTFCrash 2 0x112a6148b WebCore::RenderFlowThread::cachedRegionForCompositedLayer(WebCore::RenderLayer&) const 3 0x112af8fe3 WebCore::RenderLayerBacking::adjustAncestorCompositingBoundsForFlowThread(WebCore::LayoutRect&, WebCore::RenderLayer const*) const 4 0x112af433f WebCore::RenderLayerBacking::updateGeometry() 5 0x112adc1b1 WebCore::RenderLayer::styleChanged(WebCore::StyleDifference, WebCore::RenderStyle const*) 6 0x112b26264 WebCore::RenderLayerModelObject::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) 7 0x1129e8986 WebCore::RenderBox::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) 8 0x112b9250d WebCore::RenderReplaced::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) 9 0x112aa4e0d WebCore::RenderImage::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) 10 0x112a41da1 WebCore::RenderElement::setStyle(WTF::PassRef<WebCore::RenderStyle>) 11 0x112f37b3e WebCore::RenderElement::setAnimatableStyle(WTF::PassRef<WebCore::RenderStyle>) 12 0x112f349ef WebCore::Style::resolveLocal(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WebCore::Style::Change) 13 0x112f32250 WebCore::Style::resolveTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WebCore::Style::Change) 14 0x112f324ae WebCore::Style::resolveTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WebCore::Style::Change) 15 0x112f324ae WebCore::Style::resolveTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WebCore::Style::Change) 16 0x112f32108 WebCore::Style::resolveTree(WebCore::Document&, WebCore::Style::Change) 17 0x11189f2b6 WebCore::Document::recalcStyle(WebCore::Style::Change) 18 0x11189b84f WebCore::Document::updateStyleIfNeeded() 19 0x1113c1e04 WebCore::AnimationControllerPrivate::fireEventsAndUpdateStyle() 20 0x1113c1406 WebCore::AnimationControllerPrivate::animationTimerFired(WebCore::Timer<WebCore::AnimationControllerPrivate>&)
RenderLayer::styleChanged has a FIXME along the code path followed in this case: .... else if (isComposited()) { // FIXME: updating geometry here is potentially harmful, because layout is not up-to-date. backing()->updateGeometry(); backing()->updateAfterDescendents(); } .... In our case, since we did not update the layout, the maps between the regions and the layers are not up-to-date (null), which causes the crash.
(In reply to comment #2) > backing()->updateAfterDescendents(); A side note: That code also has a spelling error since descendants is spelled with an a, not with three eās.
Created attachment 238355 [details] Patch
Comment on attachment 238355 [details] Patch r=me
Comment on attachment 238355 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=238355&action=review > Source/WebCore/rendering/RenderFlowThread.cpp:257 > + return 0; This should return nullptr. > Source/WebCore/rendering/RenderLayer.cpp:6542 > - backing()->updateAfterDescendents(); > + backing()->updateAfterDescendants(); Thank you!
Created attachment 238453 [details] Patch for landing
Comment on attachment 238453 [details] Patch for landing Clearing flags on attachment: 238453 Committed r173806: <http://trac.webkit.org/changeset/173806>
All reviewed patches have been landed. Closing bug.
<rdar://problem/19835953>