Bug 152115 - ASSERTION FAILED: !simpleLineLayout() in WebCore::RenderText::collectSelectionRectsForLineBoxes
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering
Version: WebKit Local Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: zalan
URL:
Keywords:
Depends on:
Blocks: 116980
Reported: 2015-12-10 02:35 PST by Renata Hodovan
Modified: 2015-12-10 23:31 PST

Attachments
Test (196 bytes, text/html)
2015-12-10 02:35 PST, Renata Hodovan
Patch (5.13 KB, patch)
2015-12-10 20:12 PST, zalan

Description Renata Hodovan 2015-12-10 02:35:23 PST
Created attachment 267085
Test

Load the attached test with debug MiniBrowser:

<script>
window.onload = function() {
    document.designMode = 'on';
    document.execCommand('selectAll');
    document.execCommand('indent');
}
</script>
<ol>
    <li></li>
</ol>
a
<div>a</div>


OS: Ubuntu 15.10 x86_64
Checked build: debug EFL
Checked version: 2559fac


Backtrace:

ASSERTION FAILED: !simpleLineLayout()
../../Source/WebCore/rendering/RenderText.cpp(1286) : WebCore::LayoutRect WebCore::RenderText::collectSelectionRectsForLineBoxes(const WebCore::RenderLayerModelObject*, bool, WTF::Vector<WebCore::LayoutRect>*)
1   0x7fc65c45074e WTFCrash
2   0x7fc65b39c1fa WebCore::RenderText::collectSelectionRectsForLineBoxes(WebCore::RenderLayerModelObject const*, bool, WTF::Vector<WebCore::LayoutRect, 0ul, WTF::CrashOnOverflow, 16ul>*)
3   0x7fc65b39c5f7 WebCore::RenderText::collectSelectionRectsForLineBoxes(WebCore::RenderLayerModelObject const*, bool, WTF::Vector<WebCore::LayoutRect, 0ul, WTF::CrashOnOverflow, 16ul>&)
4   0x7fc65be98429 WebCore::RenderSelectionInfo::RenderSelectionInfo(WebCore::RenderObject&, bool)
5   0x7fc65b3c3c1b std::_Unique_if<WebCore::RenderSelectionInfo>::_Single_object std::make_unique<WebCore::RenderSelectionInfo, WebCore::RenderObject&, bool>(WebCore::RenderObject&, bool&&)
6   0x7fc65b3bec73 WebCore::RenderView::clearSubtreeSelection(WebCore::SelectionSubtreeRoot const&, WebCore::RenderView::SelectionRepaintMode, WebCore::SelectionSubtreeRoot::OldSelectionData&) const
7   0x7fc65b3be7db WebCore::RenderView::updateSelectionForSubtrees(WTF::HashMap<WebCore::SelectionSubtreeRoot*, WebCore::SelectionSubtreeRoot::SelectionSubtreeData, WTF::PtrHash<WebCore::SelectionSubtreeRoot*>, WTF::HashTraits<WebCore::SelectionSubtreeRoot*>, WTF::HashTraits<WebCore::SelectionSubtreeRoot::SelectionSubtreeData> >&, WebCore::RenderView::SelectionRepaintMode)
8   0x7fc65b3be1f4 WebCore::RenderView::setSelection(WebCore::RenderObject*, int, WebCore::RenderObject*, int, WebCore::RenderView::SelectionRepaintMode)
9   0x7fc65b3bfd09 WebCore::RenderView::clearSelection()
10  0x7fc65ab41057 WebCore::FrameSelection::setNeedsSelectionUpdate()
11  0x7fc65b253397 WebCore::RenderElement::removeChildInternal(WebCore::RenderObject&, WebCore::RenderElement::NotifyChildrenType)
12  0x7fc65b252d36 WebCore::RenderElement::removeChild(WebCore::RenderObject&)
13  0x7fc65b1a3b14 WebCore::RenderBlock::removeChild(WebCore::RenderObject&)
14  0x7fc65b1e3193 WebCore::RenderBlockFlow::removeChild(WebCore::RenderObject&)
15  0x7fc65b347857 WebCore::RenderObject::removeFromParent()
16  0x7fc65b34be53 WebCore::RenderObject::willBeDestroyed()
17  0x7fc65b398064 WebCore::RenderText::willBeDestroyed()
18  0x7fc65b34c5ae WebCore::RenderObject::destroy()
19  0x7fc65b34c571 WebCore::RenderObject::destroyAndCleanupAnonymousWrappers()
20  0x7fc65b48682d WebCore::Style::detachTextRenderer(WebCore::Text&)
21  0x7fc65b4881b7
22  0x7fc65b4868f5 WebCore::Style::updateTextRendererAfterContentChange(WebCore::Text&, unsigned int, unsigned int)
23  0x7fc65bcbc053 WebCore::CharacterData::setDataAndUpdate(WTF::String const&, unsigned int, unsigned int, unsigned int)
24  0x7fc65bcbbd1a WebCore::CharacterData::deleteData(unsigned int, unsigned int, int&)
25  0x7fc65bd10504 WebCore::DeleteFromTextNodeCommand::doApply()
26  0x7fc65bcff676 WebCore::CompositeEditCommand::applyCommandToComposite(WTF::PassRefPtr<WebCore::EditCommand>)
27  0x7fc65bd021d0 WebCore::CompositeEditCommand::deleteTextFromNode(WTF::PassRefPtr<WebCore::Text>, unsigned int, unsigned int)
28  0x7fc65bd13b33 WebCore::DeleteSelectionCommand::deleteTextFromNode(WTF::PassRefPtr<WebCore::Text>, unsigned int, unsigned int)
29  0x7fc65bd1422b WebCore::DeleteSelectionCommand::handleGeneralDelete()
30  0x7fc65bd17147 WebCore::DeleteSelectionCommand::doApply()
31  0x7fc65bcff676 WebCore::CompositeEditCommand::applyCommandToComposite(WTF::PassRefPtr<WebCore::EditCommand>)
Aborted (core dumped)

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007fc65c450753 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
321     *(int *)(uintptr_t)0xbbadbeef = 0;
[Current thread is 1 (Thread 0x7fc65ff9ea80 (LWP 3584))]
#0  0x00007fc65c450753 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
#1  0x00007fc65b39c1fa in WebCore::RenderText::collectSelectionRectsForLineBoxes (this=0x7fc637b899c0, repaintContainer=0x7fc637adc228, clipToVisibleContent=true, rects=0x7fc637b6e718) at ../../Source/WebCore/rendering/RenderText.cpp:1286
#2  0x00007fc65b39c5f7 in WebCore::RenderText::collectSelectionRectsForLineBoxes (this=0x7fc637b899c0, repaintContainer=0x7fc637adc228, clipToVisibleContent=true, rects=...) at ../../Source/WebCore/rendering/RenderText.cpp:1330
#3  0x00007fc65be98429 in WebCore::RenderSelectionInfo::RenderSelectionInfo (this=0x7fc637b6e700, renderer=..., clipToVisibleContent=true) at ../../Source/WebCore/rendering/RenderSelectionInfo.cpp:50
#4  0x00007fc65b3c3c1b in std::make_unique<WebCore::RenderSelectionInfo, WebCore::RenderObject&, bool>(WebCore::RenderObject&, bool&&) () at ../../Source/WTF/wtf/StdLibExtras.h:319
#5  0x00007fc65b3bec73 in WebCore::RenderView::clearSubtreeSelection (this=0x7fc637adc228, root=..., blockRepaintMode=WebCore::RenderView::RepaintNewMinusOld, oldSelectionData=...) at ../../Source/WebCore/rendering/RenderView.cpp:965
#6  0x00007fc65b3be7db in WebCore::RenderView::updateSelectionForSubtrees (this=0x7fc637adc228, renderSubtreesMap=..., blockRepaintMode=WebCore::RenderView::RepaintNewMinusOld) at ../../Source/WebCore/rendering/RenderView.cpp:925
#7  0x00007fc65b3be1f4 in WebCore::RenderView::setSelection (this=0x7fc637adc228, start=0x0, startPos=-1, end=0x0, endPos=-1, blockRepaintMode=WebCore::RenderView::RepaintNewMinusOld) at ../../Source/WebCore/rendering/RenderView.cpp:870
#8  0x00007fc65b3bfd09 in WebCore::RenderView::clearSelection (this=0x7fc637adc228) at ../../Source/WebCore/rendering/RenderView.cpp:1100
#9  0x00007fc65ab41057 in WebCore::FrameSelection::setNeedsSelectionUpdate (this=0x7fc637ae8230) at ../../Source/WebCore/editing/FrameSelection.cpp:368
#10 0x00007fc65b253397 in WebCore::RenderElement::removeChildInternal (this=0x7fc637bb85c0, oldChild=..., notifyChildren=WebCore::RenderElement::NotifyChildren) at ../../Source/WebCore/rendering/RenderElement.cpp:647
#11 0x00007fc65b252d36 in WebCore::RenderElement::removeChild (this=0x7fc637bb85c0, oldChild=...) at ../../Source/WebCore/rendering/RenderElement.cpp:547
#12 0x00007fc65b1a3b14 in WebCore::RenderBlock::removeChild (this=0x7fc637bb85c0, oldChild=...) at ../../Source/WebCore/rendering/RenderBlock.cpp:745
#13 0x00007fc65b1e3193 in WebCore::RenderBlockFlow::removeChild (this=0x7fc637bb85c0, oldChild=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:3806
#14 0x00007fc65b347857 in WebCore::RenderObject::removeFromParent (this=0x7fc637bf2120) at ../../Source/WebCore/rendering/RenderObject.cpp:199
#15 0x00007fc65b34be53 in WebCore::RenderObject::willBeDestroyed (this=0x7fc637bf2120) at ../../Source/WebCore/rendering/RenderObject.cpp:1527
#16 0x00007fc65b398064 in WebCore::RenderText::willBeDestroyed (this=0x7fc637bf2120) at ../../Source/WebCore/rendering/RenderText.cpp:287
#17 0x00007fc65b34c5ae in WebCore::RenderObject::destroy (this=0x7fc637bf2120) at ../../Source/WebCore/rendering/RenderObject.cpp:1702
#18 0x00007fc65b34c571 in WebCore::RenderObject::destroyAndCleanupAnonymousWrappers (this=0x7fc637bf2120) at ../../Source/WebCore/rendering/RenderObject.cpp:1689
#19 0x00007fc65b48682d in WebCore::Style::detachTextRenderer (textNode=...) at ../../Source/WebCore/style/StyleResolveTree.cpp:324
#20 0x00007fc65b4881b7 in WebCore::Style::resolveTextNode (text=..., renderTreePosition=...) at ../../Source/WebCore/style/StyleResolveTree.cpp:670
#21 0x00007fc65b4868f5 in WebCore::Style::updateTextRendererAfterContentChange (textNode=..., offsetOfReplacedData=0, lengthOfReplacedData=3) at ../../Source/WebCore/style/StyleResolveTree.cpp:337
#22 0x00007fc65bcbc053 in WebCore::CharacterData::setDataAndUpdate (this=0x7fc637b8f000, newData=..., offsetOfReplacedData=0, oldLength=3, newLength=0) at ../../Source/WebCore/dom/CharacterData.cpp:191
#23 0x00007fc65bcbbd1a in WebCore::CharacterData::deleteData (this=0x7fc637b8f000, offset=0, count=3, ec=@0x7fffc50ce32c: 0) at ../../Source/WebCore/dom/CharacterData.cpp:145
#24 0x00007fc65bd10504 in WebCore::DeleteFromTextNodeCommand::doApply (this=0x7fc637b6b2a0) at ../../Source/WebCore/editing/DeleteFromTextNodeCommand.cpp:63
#25 0x00007fc65bcff676 in WebCore::CompositeEditCommand::applyCommandToComposite (this=0x7fc637a94dc8, prpCommand=...) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:278
#26 0x00007fc65bd021d0 in WebCore::CompositeEditCommand::deleteTextFromNode (this=0x7fc637a94dc8, node=..., offset=0, count=3) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:555
#27 0x00007fc65bd13b33 in WebCore::DeleteSelectionCommand::deleteTextFromNode (this=0x7fc637a94dc8, node=..., offset=0, count=3) at ../../Source/WebCore/editing/DeleteSelectionCommand.cpp:428
#28 0x00007fc65bd1422b in WebCore::DeleteSelectionCommand::handleGeneralDelete (this=0x7fc637a94dc8) at ../../Source/WebCore/editing/DeleteSelectionCommand.cpp:487
#29 0x00007fc65bd17147 in WebCore::DeleteSelectionCommand::doApply (this=0x7fc637a94dc8) at ../../Source/WebCore/editing/DeleteSelectionCommand.cpp:847
#30 0x00007fc65bcff676 in WebCore::CompositeEditCommand::applyCommandToComposite (this=0x7fc637a97108, prpCommand=...) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:278
#31 0x00007fc65bd02f95 in WebCore::CompositeEditCommand::deleteSelection (this=0x7fc637a97108, smartDelete=false, mergeBlocksAfterDelete=false, replace=false, expandForSpecialElements=false, sanitizeMarkup=true) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:644
#32 0x00007fc65bd06d40 in WebCore::CompositeEditCommand::moveParagraphWithClones (this=0x7fc637a97108, startOfParagraphToMove=..., endOfParagraphToMove=..., blockElement=0x7fc637beb138, outerNode=0x7fc637beb000) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:1184
#33 0x00007fc65ab4f568 in WebCore::IndentOutdentCommand::indentIntoBlockquote (this=0x7fc637a97108, start=..., end=..., targetBlockquote=...) at ../../Source/WebCore/editing/IndentOutdentCommand.cpp:117
#34 0x00007fc65ab50e0a in WebCore::IndentOutdentCommand::formatRange (this=0x7fc637a97108, start=..., end=..., blockquoteForNextIndent=...) at ../../Source/WebCore/editing/IndentOutdentCommand.cpp:236
#35 0x00007fc65bce9fa7 in WebCore::ApplyBlockElementCommand::formatSelection (this=0x7fc637a97108, startOfSelection=..., endOfSelection=...) at ../../Source/WebCore/editing/ApplyBlockElementCommand.cpp:145
#36 0x00007fc65ab50d8b in WebCore::IndentOutdentCommand::formatSelection (this=0x7fc637a97108, startOfSelection=..., endOfSelection=...) at ../../Source/WebCore/editing/IndentOutdentCommand.cpp:226
#37 0x00007fc65bce9216 in WebCore::ApplyBlockElementCommand::doApply (this=0x7fc637a97108) at ../../Source/WebCore/editing/ApplyBlockElementCommand.cpp:90
#38 0x00007fc65bcff3a0 in WebCore::CompositeEditCommand::apply (this=0x7fc637a97108) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:227
#39 0x00007fc65bcff167 in WebCore::applyCommand (command=...) at ../../Source/WebCore/editing/CompositeEditCommand.cpp:186
#40 0x00007fc65ab36e22 in WebCore::executeIndent (frame=...) at ../../Source/WebCore/editing/EditorCommand.cpp:456
#41 0x00007fc65ab3b0ca in WebCore::Editor::Command::execute (this=0x7fffc50cf400, parameter=..., triggeringEvent=0x0) at ../../Source/WebCore/editing/EditorCommand.cpp:1703
#42 0x00007fc65a9dc88d in WebCore::Document::execCommand (this=0x7fc63781d900, commandName=..., userInterface=false, value=...) at ../../Source/WebCore/dom/Document.cpp:4657
#43 0x00007fc65c13f0c9 in WebCore::jsDocumentPrototypeFunctionExecCommand (state=0x7fffc50cf4d0) at DerivedSources/WebCore/JSDocument.cpp:5066
#44 0x00007fc5f77ff0c8 in ?? ()
#45 0x00007fffc50cf550 in ?? ()
#46 0x00007fc64fc2dd98 in llint_entry () from webkit/WebKitBuild/Debug/lib/libjavascriptcore_efl.so.1
Comment 1 zalan 2015-12-10 19:33:51 PST
Looks like we've got a renderer with selection state inside a SLL block.
Comment 2 zalan 2015-12-10 20:12:12 PST
Created attachment 267156
Patch
Comment 3 WebKit Commit Bot 2015-12-10 23:31:49 PST
Comment on attachment 267156
Patch

Clearing flags on attachment: 267156

Committed r193947: <http://trac.webkit.org/changeset/193947>
Comment 4 WebKit Commit Bot 2015-12-10 23:31:54 PST
All reviewed patches have been landed.  Closing bug.