Bug 151590 - Should never be reached failure in WebCore::RenderElement::clearLayoutRootIfNeeded
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering
Version: WebKit Local Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: zalan
Blocks: 116980
Reported: 2015-11-24 10:18 PST by Renata Hodovan
Modified: 2015-12-27 14:57 PST
CC: 2 users

Attachments
Test (246 bytes, text/html)
2015-11-24 10:18 PST, Renata Hodovan
no flags
Patch (4.05 KB, patch)
2015-12-25 20:42 PST, zalan
simon.fraser: review+

Description Renata Hodovan 2015-11-24 10:18:44 PST
Created attachment 266139 [details]
Test

Load the attached test with debug MiniBrowser:

<script>
window.onload = function() {
    document.designMode = 'on';
    document.execCommand('selectAll');
    document.execCommand('indent');
}
</script>
<style>
* {
    overflow-x: auto;
    -webkit-appearance: checkbox;
}
</style>
<nav>&rpar


OS: Ubuntu 15.10 x86_64
Checked build: debug EFL
Checked version: 79922a5


Backtrace:

SHOULD NEVER BE REACHED
../../Source/WebCore/rendering/RenderElement.cpp(1097) : void WebCore::RenderElement::clearLayoutRootIfNeeded() const
1   0x7fb5d543f82c WTFCrash
2   0x7fb5d424cdb3 WebCore::RenderElement::clearLayoutRootIfNeeded() const
3   0x7fb5d4244fc2 WebCore::RenderElement::willBeDestroyed()
4   0x7fb5d421f5f9 WebCore::RenderBoxModelObject::willBeDestroyed()
5   0x7fb5d41c0b0d WebCore::RenderBlockFlow::willBeDestroyed()
6   0x7fb5d433c4ac WebCore::RenderObject::destroy()
7   0x7fb5d433c46f WebCore::RenderObject::destroyAndCleanupAnonymousWrappers()
8   0x7fb5d4477817
9   0x7fb5d4478c98 WebCore::Style::detachRenderTree(WebCore::Element&)
10  0x7fb5d399accf
11  0x7fb5d399cfe4 WebCore::ContainerNode::removeBetween(WebCore::Node*, WebCore::Node*, WebCore::Node&)
12  0x7fb5d399ce19 WebCore::ContainerNode::removeChild(WebCore::Node&, int&)
13  0x7fb5d3a7d390 WebCore::Node::remove(int&)
14  0x7fb5d4d179bb WebCore::RemoveNodeCommand::doApply()
15  0x7fb5d4cee1fe WebCore::CompositeEditCommand::applyCommandToComposite(WTF::PassRefPtr<WebCore::EditCommand>)
16  0x7fb5d4cef698 WebCore::CompositeEditCommand::removeNode(WTF::PassRefPtr<WebCore::Node>, WebCore::ShouldAssumeContentIsAlwaysEditable)
17  0x7fb5d4cefe6d WebCore::CompositeEditCommand::prune(WTF::PassRefPtr<WebCore::Node>)
18  0x7fb5d4cef8d5 WebCore::CompositeEditCommand::removeNodeAndPruneAncestors(WTF::PassRefPtr<WebCore::Node>)
19  0x7fb5d4cf5370 WebCore::CompositeEditCommand::cleanupAfterDeletion(WebCore::VisiblePosition)
20  0x7fb5d4cf58ea WebCore::CompositeEditCommand::moveParagraphWithClones(WebCore::VisiblePosition const&, WebCore::VisiblePosition const&, WebCore::Element*, WebCore::Node*)
21  0x7fb5d3b3f4e6 WebCore::IndentOutdentCommand::indentIntoBlockquote(WebCore::Position const&, WebCore::Position const&, WTF::RefPtr<WebCore::Element>&)
22  0x7fb5d3b40d88 WebCore::IndentOutdentCommand::formatRange(WebCore::Position const&, WebCore::Position const&, WebCore::Position const&, WTF::RefPtr<WebCore::Element>&)
23  0x7fb5d4cd8b2f WebCore::ApplyBlockElementCommand::formatSelection(WebCore::VisiblePosition const&, WebCore::VisiblePosition const&)
24  0x7fb5d3b40d09 WebCore::IndentOutdentCommand::formatSelection(WebCore::VisiblePosition const&, WebCore::VisiblePosition const&)
25  0x7fb5d4cd7d9e WebCore::ApplyBlockElementCommand::doApply()
26  0x7fb5d4cedf28 WebCore::CompositeEditCommand::apply()
27  0x7fb5d4cedcef WebCore::applyCommand(WTF::PassRefPtr<WebCore::CompositeEditCommand>)
28  0x7fb5d3b26da0
29  0x7fb5d3b2b048 WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const
30  0x7fb5d39cc88d WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&)
31  0x7fb5d512e583 WebCore::jsDocumentPrototypeFunctionExecCommand(JSC::ExecState*)
Aborted (core dumped)

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007fb5d543f831 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
321     *(int *)(uintptr_t)0xbbadbeef = 0;
#0  0x00007fb5d543f831 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
#1  0x00007fb5d424cdb3 in WebCore::RenderElement::clearLayoutRootIfNeeded (this=0x7fb5b4bb8450) at ../../Source/WebCore/rendering/RenderElement.cpp:1097
#2  0x00007fb5d4244fc2 in WebCore::RenderElement::willBeDestroyed (this=0x7fb5b4bb8450) at ../../Source/WebCore/rendering/RenderElement.cpp:1125
#3  0x00007fb5d421f5f9 in WebCore::RenderBoxModelObject::willBeDestroyed (this=0x7fb5b4bb8450) at ../../Source/WebCore/rendering/RenderBoxModelObject.cpp:198
#4  0x00007fb5d41c0b0d in WebCore::RenderBlockFlow::willBeDestroyed (this=0x7fb5b4bb8450) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:178
#5  0x00007fb5d433c4ac in WebCore::RenderObject::destroy (this=0x7fb5b4bb8450) at ../../Source/WebCore/rendering/RenderObject.cpp:1702
#6  0x00007fb5d433c46f in WebCore::RenderObject::destroyAndCleanupAnonymousWrappers (this=0x7fb5b4bb8450)
    at ../../Source/WebCore/rendering/RenderObject.cpp:1689
#7  0x00007fb5d4477817 in WebCore::Style::detachRenderTree (current=..., detachType=WebCore::Style::NormalDetach)
    at ../../Source/WebCore/style/StyleResolveTree.cpp:574
#8  0x00007fb5d4478c98 in WebCore::Style::detachRenderTree (element=...) at ../../Source/WebCore/style/StyleResolveTree.cpp:911
#9  0x00007fb5d399accf in WebCore::destroyRenderTreeIfNeeded (child=...) at ../../Source/WebCore/dom/ContainerNode.cpp:105
#10 0x00007fb5d399cfe4 in WebCore::ContainerNode::removeBetween (this=0x7fb5b4be48f0, previousChild=0x7fb5b4be4af8, nextChild=0x0, oldChild=...)
    at ../../Source/WebCore/dom/ContainerNode.cpp:576
#11 0x00007fb5d399ce19 in WebCore::ContainerNode::removeChild (this=0x7fb5b4be48f0, oldChild=..., ec=@0x7ffe727f9bc0: 0)
    at ../../Source/WebCore/dom/ContainerNode.cpp:551
#12 0x00007fb5d3a7d390 in WebCore::Node::remove (this=0x7fb5b4be4958, ec=@0x7ffe727f9bc0: 0) at ../../Source/WebCore/dom/Node.cpp:548
#13 0x00007fb5d4d179bb in WebCore::RemoveNodeCommand::doApply (this=0x7fb5b4bce910) at ../../Source/WebCore/editing/RemoveNodeCommand.cpp:56
#14 0x00007fb5d4cee1fe in WebCore::CompositeEditCommand::applyCommandToComposite (this=0x7fb5b4adc000, prpCommand=...)
    at ../../Source/WebCore/editing/CompositeEditCommand.cpp:278
#15 0x00007fb5d4cef698 in WebCore::CompositeEditCommand::removeNode (this=0x7fb5b4adc000, node=..., 
    shouldAssumeContentIsAlwaysEditable=WebCore::DoNotAssumeContentIsAlwaysEditable) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:417
#16 0x00007fb5d4cefe6d in WebCore::CompositeEditCommand::prune (this=0x7fb5b4adc000, node=...) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:471
#17 0x00007fb5d4cef8d5 in WebCore::CompositeEditCommand::removeNodeAndPruneAncestors (this=0x7fb5b4adc000, node=...)
    at ../../Source/WebCore/editing/CompositeEditCommand.cpp:429
#18 0x00007fb5d4cf5370 in WebCore::CompositeEditCommand::cleanupAfterDeletion (this=0x7fb5b4adc000, destination=...)
    at ../../Source/WebCore/editing/CompositeEditCommand.cpp:1133
#19 0x00007fb5d4cf58ea in WebCore::CompositeEditCommand::moveParagraphWithClones (this=0x7fb5b4adc000, startOfParagraphToMove=..., endOfParagraphToMove=..., 
    blockElement=0x7fb5b4be4af8, outerNode=0x7fb5b4be4958) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:1190
#20 0x00007fb5d3b3f4e6 in WebCore::IndentOutdentCommand::indentIntoBlockquote (this=0x7fb5b4adc000, start=..., end=..., targetBlockquote=...)
    at ../../Source/WebCore/editing/IndentOutdentCommand.cpp:117
#21 0x00007fb5d3b40d88 in WebCore::IndentOutdentCommand::formatRange (this=0x7fb5b4adc000, start=..., end=..., blockquoteForNextIndent=...)
    at ../../Source/WebCore/editing/IndentOutdentCommand.cpp:236
#22 0x00007fb5d4cd8b2f in WebCore::ApplyBlockElementCommand::formatSelection (this=0x7fb5b4adc000, startOfSelection=..., endOfSelection=...)
    at ../../Source/WebCore/editing/ApplyBlockElementCommand.cpp:145
#23 0x00007fb5d3b40d09 in WebCore::IndentOutdentCommand::formatSelection (this=0x7fb5b4adc000, startOfSelection=..., endOfSelection=...)
    at ../../Source/WebCore/editing/IndentOutdentCommand.cpp:226
#24 0x00007fb5d4cd7d9e in WebCore::ApplyBlockElementCommand::doApply (this=0x7fb5b4adc000) at ../../Source/WebCore/editing/ApplyBlockElementCommand.cpp:90
#25 0x00007fb5d4cedf28 in WebCore::CompositeEditCommand::apply (this=0x7fb5b4adc000) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:227
#26 0x00007fb5d4cedcef in WebCore::applyCommand (command=...) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:186
#27 0x00007fb5d3b26da0 in WebCore::executeIndent (frame=...) at ../../Source/WebCore/editing/EditorCommand.cpp:456
#28 0x00007fb5d3b2b048 in WebCore::Editor::Command::execute (this=0x7ffe727fa950, parameter=..., triggeringEvent=0x0)
    at ../../Source/WebCore/editing/EditorCommand.cpp:1703
#29 0x00007fb5d39cc88d in WebCore::Document::execCommand (this=0x7fb5b481d900, commandName=..., userInterface=false, value=...)
    at ../../Source/WebCore/dom/Document.cpp:4657
#30 0x00007fb5d512e583 in WebCore::jsDocumentPrototypeFunctionExecCommand (state=0x7ffe727faa20) at DerivedSources/WebCore/JSDocument.cpp:5066
#31 0x00007fb56ffff0c8 in ?? ()
#32 0x00007ffe727faaa0 in ?? ()
#33 0x00007fb5c8c1c636 in llint_entry () from webkit/WebKitBuild/Debug/lib/libjavascriptcore_efl.so.1
Comment 1 zalan 2015-12-25 20:42:16 PST
Created attachment 267924 [details]
Patch
Comment 2 Simon Fraser (smfr) 2015-12-27 14:27:49 PST
Comment on attachment 267924 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=267924&action=review

> Source/WebCore/ChangeLog:8
> +        We should always set the layoutroot when a new subtree layout is requested(and convert it
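Review bot: besides the missing space before "(", "layoutroot" is written as one word here while the code spells it as two (clearLayoutRootIfNeeded in the crashing frame); "layout root" would match the code and read better. The same sentence is duplicated in LayoutTests/ChangeLog, so apply the fix in both copies.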

space before (

> LayoutTests/ChangeLog:8
> +        We should always set the layoutroot when a new subtree layout is requested(and convert it

ditto
Comment 3 zalan 2015-12-27 14:57:20 PST
Committed r194426: <http://trac.webkit.org/changeset/194426>