Bug 174559 (NEW): ASSERTION FAILURE: LayoutDisallowedScope::isLayoutAllowed() in Document::updateLayout()
https://bugs.webkit.org/show_bug.cgi?id=174559
Daniel Bates
Reported 2017-07-15 20:50:00 PDT

Created attachment 315584 [details]
Test case

When using WebKit1 MiniBrowser with a debug build of WebKit r219539 I hit ASSERT(LayoutDisallowedScope::isLayoutAllowed()) by performing the following:

1. Enable VoiceOver. (You can do this by pressing Command-F5 or by opening System Preferences > Accessibility, clicking VoiceOver and then clicking Enable VoiceOver.)
2. Open the attached test case.
3. Click anywhere in the HTML body element.

Then WebKit will crash because ASSERT(LayoutDisallowedScope::isLayoutAllowed()) fails in Document::updateLayout(). For completeness, this assertion was added in the patch for bug #173912.
Attachments
Test case (352 bytes, text/html), 2017-07-15 20:50 PDT, Daniel Bates, no flags
Radar WebKit Bug Importer
Comment 1
2017-07-15 20:50:30 PDT
<rdar://problem/33337919>
Daniel Bates
Comment 2
2017-07-15 20:50:54 PDT
(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xbbadbeef)
  * frame #0: 0x0000000111bb5d54 JavaScriptCore`::WTFCrash() at Assertions.cpp:278
    frame #1: 0x0000000104d68315 WebCore`WebCore::Document::updateLayout(this=0x000000011aea3000) at Document.cpp:1914
    frame #2: 0x0000000104d6cf7e WebCore`WebCore::Document::updateLayoutIgnorePendingStylesheets(this=0x000000011aea3000, runPostLayoutTasks=Asynchronously) at Document.cpp:1949
    frame #3: 0x00000001046336b7 WebCore`WebCore::AccessibilityObject::updateBackingStore(this=0x000000011aeed5a0) at AccessibilityObject.cpp:1771
    frame #4: 0x0000000107204f91 WebCore`::-[WebAccessibilityObjectWrapperBase updateObjectBackingStore](self=0x0000618000002240, _cmd="updateObjectBackingStore") at WebAccessibilityObjectWrapperBase.mm:294
    frame #5: 0x000000010721c23b WebCore`::-[WebAccessibilityObjectWrapper accessibilityIsIgnored](self=0x0000618000002240, _cmd="accessibilityIsIgnored") at WebAccessibilityObjectWrapperMac.mm:3303
    frame #6: 0x00007fffbc337704 AppKit`__NSAccessibilityEntryPointIsAccessibilityElement_block_invoke + 192
    frame #7: 0x00007fffbc3375e8 AppKit`NSAccessibilityPerformEntryPointBOOL + 19
    frame #8: 0x00007fffbbd6b35c AppKit`NSAccessibilityEntryPointIsAccessibilityElement + 96
    frame #9: 0x00007fffbbdd48d9 AppKit`NSAccessibilityPostNotificationForObservedElementWithUserInfo + 215
    frame #10: 0x00000001048174f5 WebCore`WebCore::AXPostNotificationWithUserInfo(object=0x0000618000002240, notification="AXValueChanged", userInfo=3 key/value pairs) at AXObjectCacheMac.mm:258
    frame #11: 0x0000000104818104 WebCore`WebCore::postUserInfoForChanges(rootWebArea=0x000000011aeed5a0, object=0x00000001208b7000, changes=1 element) at AXObjectCacheMac.mm:460
    frame #12: 0x0000000104818283 WebCore`WebCore::AXObjectCache::postTextReplacementPlatformNotificationForTextControl(this=0x000000011aed0700, object=0x00000001208b7000, deletedText={ length = 0, contents = '' }, insertedText={ length = 1, contents = '1' }, textControl=0x000000011aedc380) at AXObjectCacheMac.mm:497
    frame #13: 0x00000001047ed623 WebCore`WebCore::AXObjectCache::postTextReplacementNotificationForTextControl(this=0x000000011aed0700, textControl=0x000000011aedc380, deletedText={ length = 0, contents = '' }, insertedText={ length = 1, contents = '1' }) at AXObjectCache.cpp:1308
    frame #14: 0x0000000105415803 WebCore`WebCore::HTMLTextFormControlElement::setInnerTextValue(this=0x000000011aedc380, value={ length = 1, contents = '1' }) at HTMLTextFormControlElement.cpp:582
    frame #15: 0x00000001070804dc WebCore`WebCore::TextFieldInputType::updateInnerTextValue(this=0x000000011ae52f78) at TextFieldInputType.cpp:576
    frame #16: 0x0000000107081e6c WebCore`WebCore::TextFieldInputType::attributeChanged(this=0x000000011ae52f78, attributeName=0x00007fff5fbfda28) at TextFieldInputType.cpp:352
    frame #17: 0x000000010535fa92 WebCore`WebCore::HTMLInputElement::parseAttribute(this=0x000000011aedc380, name=0x00007fff5fbfda28, value={ length = 1, contents = '1' }) at HTMLInputElement.cpp:777
    frame #18: 0x0000000104f0cbc9 WebCore`WebCore::Element::attributeChanged(this=0x000000011aedc380, name=0x00007fff5fbfda28, oldValue={ length = 0, contents = '' }, newValue={ length = 1, contents = '1' }, (null)=ModifiedDirectly) at Element.cpp:1333
    frame #19: 0x0000000106e79ddf WebCore`WebCore::StyledElement::attributeChanged(this=0x000000011aedc380, name=0x00007fff5fbfda28, oldValue={ length = 0, contents = '' }, newValue={ length = 1, contents = '1' }, reason=ModifiedDirectly) at StyledElement.cpp:90
    frame #20: 0x0000000104f18e84 WebCore`WebCore::Element::didModifyAttribute(this=0x000000011aedc380, name=0x00007fff5fbfda28, oldValue={ length = 0, contents = '' }, newValue={ length = 1, contents = '1' }) at Element.cpp:3376
    frame #21: 0x0000000104f0c789 WebCore`WebCore::Element::setAttributeInternal(this=0x000000011aedc380, index=2, name=0x00007fff5fbfda98, newValue={ length = 1, contents = '1' }, inSynchronizationOfLazyAttribute=NotInSynchronizationOfLazyAttribute) at Element.cpp:1290
    frame #22: 0x0000000104f0c461 WebCore`WebCore::Element::setAttribute(this=0x000000011aedc380, localName={ length = 5, contents = 'value' }, value={ length = 1, contents = '1' }) at Element.cpp:1237
    frame #23: 0x0000000105a7e2c7 WebCore`WebCore::jsElementPrototypeFunctionSetAttributeBody(state=0x00007fff5fbfdcb0, castedThis=0x000000012066c0e0, throwScope=0x00007fff5fbfdc38) at JSElement.cpp:1893
    frame #24: 0x0000000105a7321e WebCore`long long WebCore::IDLOperation<WebCore::JSElement>::call<&(state=0x00007fff5fbfdcb0, operationName="setAttribute")), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*) at JSDOMOperation.h:53
    frame #25: 0x0000000105a72fac WebCore`WebCore::jsElementPrototypeFunctionSetAttribute(state=0x00007fff5fbfdcb0) at JSElement.cpp:1899
    frame #26: 0x00004dc87ae01028
    frame #27: 0x000000011173d183 JavaScriptCore`llint_entry at LowLevelInterpreter.asm:795
    frame #28: 0x00000001117357e7 JavaScriptCore`llintPCRangeStart at LowLevelInterpreter64.asm:256
    frame #29: 0x00000001115229fe JavaScriptCore`JSC::JITCode::execute(this=0x000000011ae18d20, vm=0x0000000120500000, protoCallFrame=0x00007fff5fbfdf08) at JITCode.cpp:81
    frame #30: 0x00000001114d2af5 JavaScriptCore`JSC::Interpreter::executeCall(this=0x000000011aefcc68, callFrame=0x00000001206e00e8, function=0x00000001206794b0, callType=JS, callData=0x00007fff5fbfe520, thisValue=JSValue @ 0x00007fff5fbfe020, args=0x00007fff5fbfe408) at Interpreter.cpp:971
    frame #31: 0x0000000110c9f7f8 JavaScriptCore`JSC::call(exec=0x00000001206e00e8, functionObject=JSValue @ 0x00007fff5fbfe0a0, callType=JS, callData=0x00007fff5fbfe520, thisValue=JSValue @ 0x00007fff5fbfe098, args=0x00007fff5fbfe408) at CallData.cpp:40
    frame #32: 0x0000000110c9f909 JavaScriptCore`JSC::call(exec=0x00000001206e00e8, functionObject=JSValue @ 0x00007fff5fbfe190, callType=JS, callData=0x00007fff5fbfe520, thisValue=JSValue @ 0x00007fff5fbfe188, args=0x00007fff5fbfe408, returnedException=0x00007fff5fbfe430) at CallData.cpp:47
    frame #33: 0x0000000110c9fb8d JavaScriptCore`JSC::profiledCall(exec=0x00000001206e00e8, reason=Other, functionObject=JSValue @ 0x00007fff5fbfe220, callType=JS, callData=0x00007fff5fbfe520, thisValue=JSValue @ 0x00007fff5fbfe218, args=0x00007fff5fbfe408, returnedException=0x00007fff5fbfe430) at CallData.cpp:66
    frame #34: 0x00000001057d0b2b WebCore`WebCore::JSMainThreadExecState::profiledCall(exec=0x00000001206e00e8, reason=Other, functionObject=JSValue @ 0x00007fff5fbfe2b0, callType=JS, callData=0x00007fff5fbfe520, thisValue=JSValue @ 0x00007fff5fbfe2a8, args=0x00007fff5fbfe408, returnedException=0x00007fff5fbfe430) at JSMainThreadExecState.h:72
    frame #35: 0x0000000105aa6ee9 WebCore`WebCore::JSEventListener::handleEvent(this=0x00000001208dd3f0, scriptExecutionContext=0x000000011aea3000, event=0x000000011ae81ed8) at JSEventListener.cpp:155
    frame #36: 0x0000000104f73a96 WebCore`WebCore::EventTarget::fireEventListeners(this=0x000000011ae065b0, event=0x000000011ae81ed8, listeners={ size = 1, capacity = 0 }) at EventTarget.cpp:264
    frame #37: 0x0000000104f7365e WebCore`WebCore::EventTarget::fireEventListeners(this=0x000000011ae065b0, event=0x000000011ae81ed8) at EventTarget.cpp:209
    frame #38: 0x0000000106620981 WebCore`WebCore::Node::handleLocalEvents(this=0x000000011ae065b0, event=0x000000011ae81ed8) at Node.cpp:2368
    frame #39: 0x0000000104f416cb WebCore`WebCore::EventContext::handleLocalEvents(this=0x000000011ae18c58, event=0x000000011ae81ed8) const at EventContext.cpp:54
    frame #40: 0x0000000104f4199a WebCore`WebCore::MouseOrFocusEventContext::handleLocalEvents(this=0x000000011ae18c58, event=0x000000011ae81ed8) const at EventContext.cpp:85
    frame #41: 0x0000000104f423c8 WebCore`WebCore::dispatchEventInDOM(event=0x000000011ae81ed8, path=0x00007fff5fbfe928) at EventDispatcher.cpp:105
    frame #42: 0x0000000104f41e67 WebCore`WebCore::EventDispatcher::dispatchEvent(node=0x000000011ae06618, event=0x000000011ae81ed8) at EventDispatcher.cpp:163
    frame #43: 0x00000001066209dd WebCore`WebCore::Node::dispatchEvent(this=0x000000011ae06618, event=0x000000011ae81ed8) at Node.cpp:2382
    frame #44: 0x0000000104f0628f WebCore`WebCore::Element::dispatchMouseEvent(this=0x000000011ae06618, platformEvent=0x00007fff5fbfeed0, eventType={ length = 7, contents = 'mouseup' }, detail=1, relatedTarget=0x0000000000000000) at Element.cpp:285
    frame #45: 0x0000000104f4b1ec WebCore`WebCore::EventHandler::dispatchMouseEvent(this=0x000000011aef1600, eventType={ length = 7, contents = 'mouseup' }, targetNode=0x000000011aef4af0, (null)=true, clickCount=1, platformMouseEvent=0x00007fff5fbfeed0, setUnder=false) at EventHandler.cpp:2553
    frame #46: 0x0000000104f4dbb3 WebCore`WebCore::EventHandler::handleMouseReleaseEvent(this=0x000000011aef1600, platformMouseEvent=0x00007fff5fbfeed0) at EventHandler.cpp:2077
    frame #47: 0x0000000104f5cd88 WebCore`WebCore::EventHandler::mouseUp(this=0x000000011aef1600, event=0x0000608000121720, correspondingPressureEvent=0x0000000000000000) at EventHandlerMac.mm:547
    frame #48: 0x0000000103c8b507 WebKitLegacy`::-[WebHTMLView mouseUp:](self=0x00006100001612c0, _cmd="mouseUp:", event=0x0000608000121720) at WebHTMLView.mm:4777
    frame #49: 0x00007fffbc60fb0a AppKit`-[NSWindow(NSEventRouting) _reallySendEvent:isDelayedEvent:] + 1544
    frame #50: 0x00007fffbc60f136 AppKit`-[NSWindow(NSEventRouting) sendEvent:] + 541
    frame #51: 0x00007fffbc493835 AppKit`-[NSApplication(NSEvent) sendEvent:] + 1145
    frame #52: 0x00007fffbbd0e98b AppKit`-[NSApplication run] + 1002
    frame #53: 0x00007fffbbcd9372 AppKit`NSApplicationMain + 1237
    frame #54: 0x0000000100008e09 MiniBrowser`main(argc=5, argv=0x00007fff5fbff808) at main.m:32
    frame #55: 0x00007fffd4034235 libdyld.dylib`start + 1
    frame #56: 0x00007fffd4034235 libdyld.dylib`start + 1
Ryosuke Niwa
Comment 3
2017-07-16 18:37:16 PDT
Why is AccessibilityObject::updateBackingStore updating layout!?
zalan
Comment 4
2017-07-16 18:44:48 PDT
(In reply to Ryosuke Niwa from comment #3)
> Why is AccessibilityObject::updateBackingStore updating layout!?
Because it's designed to be eager, which I am incrementally changing to be post-layout.
Ryosuke Niwa
Comment 5
2017-07-16 18:49:08 PDT
(In reply to zalan from comment #4)
> (In reply to Ryosuke Niwa from comment #3)
> > Why is AccessibilityObject::updateBackingStore updating layout!?
>
> Because it's designed to be eager -which I am incrementally changing to be
> post-layout.
Okay. We really need to finish this work. Otherwise, we would be triggering sync layout whenever input.value is changed with AX tree turned on. It's a serious performance degradation.
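The eager-versus-post-layout distinction in comments 3 to 5, as an added C++ model (not WebKit code): an RAII guard in the spirit of LayoutDisallowedScope, an eager AX backing-store refresh that re-enters layout underneath it, and the deferred variant that does not. Assumed, not taken from the page: the model's placement of the scope in the attribute-change path, and every name other than LayoutDisallowedScope, isLayoutAllowed(), Document and updateLayout().

```cpp
// Hypothetical, single-threaded model; WebKit's real classes are not reproduced here.
static int g_layoutDisallowedDepth = 0;

// RAII guard: while any instance is alive, Document::updateLayout() must not run.
class LayoutDisallowedScope {
public:
    LayoutDisallowedScope() { ++g_layoutDisallowedDepth; }
    ~LayoutDisallowedScope() { --g_layoutDisallowedDepth; }
    static bool isLayoutAllowed() { return g_layoutDisallowedDepth == 0; }
};

struct Document {
    int assertionFailures = 0;     // times ASSERT(LayoutDisallowedScope::isLayoutAllowed()) would fire
    int layoutCount = 0;           // synchronous layouts performed
    bool axRefreshPending = false; // post-layout AX backing-store refresh queued
    bool axUpToDate = false;       // AX backing store reflects the current value

    void updateLayout() {
        if (!LayoutDisallowedScope::isLayoutAllowed())
            ++assertionFailures;   // a debug build crashes here (frame #1 of the trace)
        ++layoutCount;             // a release build silently does the extra sync layout
        if (axRefreshPending) { axRefreshPending = false; axUpToDate = true; }
    }
};

// AXObjectCache posting a text-replacement notification. Eager: the AX object refreshes
// its backing store now, forcing layout (updateBackingStore -> updateLayout in the trace).
// Post-layout: the refresh is deferred until the next layout instead.
void postAXTextReplacement(Document& doc, bool eagerAX) {
    if (eagerAX) { doc.updateLayout(); doc.axUpToDate = true; return; }
    doc.axRefreshPending = true;
}

// element.setAttribute("value", ...) on a text input. Model assumption: the attribute-change
// path holds a LayoutDisallowedScope; the page only shows the assertion firing beneath it.
void setValueAttribute(Document& doc, bool eagerAX) {
    LayoutDisallowedScope scope;
    doc.axUpToDate = false;        // the old backing store is now stale
    postAXTextReplacement(doc, eagerAX);
}

struct Outcome { int assertionFailures; int layoutCount; bool axUpToDate; };
// An event handler changes the value `changes` times, then the event loop lays out once.
Outcome runScenario(int changes, bool eagerAX) {
    Document doc;
    for (int i = 0; i < changes; ++i) setValueAttribute(doc, eagerAX);
    doc.updateLayout();
    return { doc.assertionFailures, doc.layoutCount, doc.axUpToDate };
}
```

With eager AX, every value change costs one assertion failure in a debug build and one extra synchronous layout in release; with the post-layout variant, three changes still end in a single layout and a fresh AX backing store.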
Ryosuke Niwa
Comment 6
2017-07-16 19:06:26 PDT
Does the assertion happen in WK2?