29966 – Assertion failure in RenderBlock::positionForPointWithInlineChildren when running fast/inline/relative-positioned-overflow.html

RESOLVED FIXED Bug 29966

Assertion failure in RenderBlock::positionForPointWithInlineChildren when running fast/inline/relative-positioned-overflow.html

https://bugs.webkit.org/show_bug.cgi?id=29966

Summary Assertion failure in RenderBlock::positionForPointWithInlineChildren when run...

Adam Roben (:aroben)

Reported 2009-10-01 09:17:42 PDT

Debug builds on Windows are hitting an assertion in RenderBlock::positionForPointWithInlineChildren when running fast/inline/relative-positioned-overflow.html To reproduce: 1. run-webkit-tests fast/inline/relative-positioned-overflow.html You'll hit this assertion: ASSERT(!useWindowsBehavior); <http://trac.webkit.org/browser/trunk/WebCore/rendering/RenderBlock.cpp?rev=48679#L3437> Here's the backtrace: > WebKit_debug.dll!WebCore::RenderBlock::positionForPointWithInlineChildren(const WebCore::IntPoint & pointInContents={...}) Line 3437 + 0x24 bytes C++ WebKit_debug.dll!WebCore::RenderBlock::positionForPoint(const WebCore::IntPoint & point={...}) Line 3470 + 0x10 bytes C++ WebKit_debug.dll!WebCore::RenderInline::positionForPoint(const WebCore::IntPoint & point={...}) Line 503 + 0x1a bytes C++ WebKit_debug.dll!WebCore::EventHandler::handleMousePressEventSingleClick(const WebCore::MouseEventWithHitTestResults & event={...}) Line 323 + 0x3a bytes C++ WebKit_debug.dll!WebCore::EventHandler::handleMousePressEvent(const WebCore::MouseEventWithHitTestResults & event={...}) Line 418 + 0xc bytes C++ WebKit_debug.dll!WebCore::EventHandler::handleMousePressEvent(const WebCore::PlatformMouseEvent & mouseEvent={...}) Line 1265 + 0xf bytes C++ WebKit_debug.dll!WebView::handleMouseEvent(unsigned int message=513, unsigned int wParam=0, long lParam=3276850) Line 1302 + 0x1d bytes C++ WebKit_debug.dll!WebViewWndProc(HWND__ * hWnd=0x0005058e, unsigned int message=513, unsigned int wParam=0, long lParam=3276850) Line 1908 + 0x14 bytes C++ user32.dll!_InternalCallWinProc@20() + 0x28 bytes user32.dll!_UserCallWinProcCheckWow@32() + 0xb7 bytes user32.dll!_DispatchMessageWorker@8() + 0xdc bytes user32.dll!_DispatchMessageW@4() + 0xf bytes DumpRenderTree_debug.exe!dispatchMessage(const tagMSG * msg=0x0012e158) Line 128 + 0xc bytes C++ DumpRenderTree_debug.exe!mouseDownCallback(const OpaqueJSContext * context=0x06400098, OpaqueJSValue * function=0x06843100, OpaqueJSValue * thisObject=0x06842b80, unsigned int argumentCount=0, const OpaqueJSValue * const * arguments=0x0012e1f8, const OpaqueJSValue * * exception=0x0012e1dc) Line 179 + 0x9 bytes C++ JavaScriptCore_debug.dll!JSC::JSCallbackFunction::call(JSC::ExecState * exec=0x06400098, JSC::JSObject * functionObject=0x06843100, JSC::JSValue thisValue={...}, const JSC::ArgList & args={...}) Line 65 + 0x27 bytes C++ JavaScriptCore_debug.dll!cti_op_call_NotJSFunction(void * * args=0x0012e350) Line 1607 + 0x31 bytes C++ JavaScriptCore_debug.dll!@cti_op_convert_this@4() + 0x10f bytes C++ JavaScriptCore_debug.dll!JSC::JITCode::execute(JSC::RegisterFile * registerFile=0x04f31eac, JSC::ExecState * callFrame=0x06400048, JSC::JSGlobalData * globalData=0x04f16608, JSC::JSValue * exception=0x0012e4a0) Line 79 + 0x24 bytes C++ JavaScriptCore_debug.dll!JSC::Interpreter::execute(JSC::ProgramExecutable * program=0x04f62dc8, JSC::ExecState * callFrame=0x04f323e0, JSC::ScopeChainNode * scopeChain=0x04f32598, JSC::JSObject * thisObj=0x06840000, JSC::JSValue * exception=0x0012e4a0) Line 658 + 0x31 bytes C++ JavaScriptCore_debug.dll!JSC::evaluate(JSC::ExecState * exec=0x04f323e0, JSC::ScopeChain & scopeChain={...}, const JSC::SourceCode & source={...}, JSC::JSValue thisValue={...}) Line 62 C++ WebKit_debug.dll!WebCore::ScriptController::evaluate(const WebCore::ScriptSourceCode & sourceCode={...}) Line 110 + 0x34 bytes C++ WebKit_debug.dll!WebCore::FrameLoader::executeScript(const WebCore::ScriptSourceCode & sourceCode={...}) Line 807 C++ WebKit_debug.dll!WebCore::HTMLTokenizer::scriptExecution(const WebCore::ScriptSourceCode & sourceCode={...}, WebCore::HTMLTokenizer::State state={...}) Line 563 + 0x27 bytes C++ WebKit_debug.dll!WebCore::HTMLTokenizer::scriptHandler(WebCore::HTMLTokenizer::State state={...}) Line 505 + 0x88 bytes C++ WebKit_debug.dll!WebCore::HTMLTokenizer::parseNonHTMLText(WebCore::SegmentedString & src={...}, WebCore::HTMLTokenizer::State state={...}) Line 352 + 0x10 bytes C++ WebKit_debug.dll!WebCore::HTMLTokenizer::parseTag(WebCore::SegmentedString & src={...}, WebCore::HTMLTokenizer::State state={...}) Line 1522 + 0x17 bytes C++ WebKit_debug.dll!WebCore::HTMLTokenizer::write(const WebCore::SegmentedString & str={...}, bool appendData=true) Line 1756 + 0x1c bytes C++ WebKit_debug.dll!WebCore::FrameLoader::write(const char * str=0x00000000, int len=0, bool flush=true) Line 1054 + 0x27 bytes C++ WebKit_debug.dll!WebCore::FrameLoader::endIfNotLoadingMainResource() Line 1090 C++ WebKit_debug.dll!WebCore::FrameLoader::end() Line 1076 C++ WebKit_debug.dll!WebCore::DocumentLoader::finishedLoading() Line 332 C++ WebKit_debug.dll!WebCore::FrameLoader::finishedLoading() Line 3264 C++ WebKit_debug.dll!WebCore::MainResourceLoader::didFinishLoading() Line 376 C++ WebKit_debug.dll!WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle * __formal=0x04e9eba0) Line 403 + 0xf bytes C++ WebKit_debug.dll!WebCore::didFinishLoading(_CFURLConnection * conn=0x04eff160, const void * clientInfo=0x04e9eba0) Line 228 + 0x1e bytes C++

Attachments
Patch v1 (5.34 KB, patch) 2009-11-26 05:02 PST, Shinichiro Hamaji	no flags	Details Formatted Diff Diff
test case (1.11 KB, text/html) 2009-11-26 05:05 PST, Shinichiro Hamaji	no flags	Details
Patch v2 (5.34 KB, patch) 2009-11-26 05:11 PST, Shinichiro Hamaji	no flags	Details Formatted Diff Diff
Patch v3 (4.74 KB, patch) 2009-11-26 10:20 PST, Shinichiro Hamaji	no flags	Details Formatted Diff Diff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.

Adam Roben (:aroben)

Comment 1 2009-10-01 09:18:10 PDT

This test seems to pass in Release builds.

Adam Roben (:aroben)

Comment 2 2009-10-01 09:18:17 PDT

<rdar://problem/7267988>

Eric Seidel (no email)

Comment 3 2009-10-02 15:03:55 PDT

Was this a regression? Do we know yet from which revision?

Shinichiro Hamaji

Comment 4 2009-11-26 05:02:06 PST

Created attachment 43914 [details] Patch v1

Shinichiro Hamaji

Comment 5 2009-11-26 05:05:35 PST

Created attachment 43915 [details] test case

Shinichiro Hamaji

Comment 6 2009-11-26 05:11:29 PST

Created attachment 43916 [details] Patch v2

Shinichiro Hamaji

Comment 7 2009-11-26 05:12:32 PST

Comment on attachment 43914 [details] Patch v1 This was a bit older patch.

Shinichiro Hamaji

Comment 8 2009-11-26 05:13:47 PST

This issue happens when an empty inline element (which has size because of paddings) is clicked. In this case, the root inline box has no leaf children and closestBox can be NULL even if we are using windows behavior. We may need to use lastChild instead of lastLeafChild when lastLeafChild is NULL so that the mouse press starts from the empty inline element correctly. See the attached test case, which is the same HTML as the layout test I added, to see how dragging from an empty inline element is handled now. Chromium has the same issue: http://code.google.com/p/chromium/issues/detail?id=23751

mitz

Comment 9 2009-11-26 10:02:33 PST

Comment on attachment 43916 [details] Patch v2 Thanks for working on this bug! > + eventSender.mouseMoveTo(x, y + 50); > + eventSender.mouseDown(); > + eventSender.mouseMoveTo(x, y + 40); > + eventSender.mouseMoveTo(x, y + 30); > + eventSender.mouseMoveTo(x, y + 20); > + eventSender.mouseMoveTo(x, y + 10); > + eventSender.mouseMoveTo(x, y); > + eventSender.mouseUp(); Is there a reason to visit all the intermediate positions? I think you need just two mouseMoveTo()s, and even that is only because the selection start position is determined not on mouse down but on the first mouse move after that (which is arguably a bug). I think mouseMoveTo(x, y + 50); mouseDown(); mouseMoveTo(x, y + 50); mouseMoveTo(x, y); mouseUp(); will work. I don’t understand why this fix is correct. Just using a non-leaf child (which is not even necessarily a left in the line box tree, it may have nested inline boxes) in this case seems inconsistent. What if there is a line in the middle that has no leaf boxes. What if the first line that has children has no leaf boxes? It seems like we may end up calling positionForBox(null, …) in such cases because we consider lines that have no leaf boxes and then call {first,last,closest}LeafChild on them. Perhaps the right thing to do is in the initial vertical scan loop, change if (!root->firstChild()) continue; to if (!root->firstLeafChild()) continue; so that only lines with leaf child boxes are considered. Did you try that?

mitz

Comment 10 2009-11-26 10:03:49 PST

(In reply to comment #9) > is not even necessarily a left in the line box tree, it may have nested inline typo: s/left/leaf/

Shinichiro Hamaji

Comment 11 2009-11-26 10:20:07 PST

Created attachment 43926 [details] Patch v3

Shinichiro Hamaji

Comment 12 2009-11-26 10:35:44 PST

Thanks for your quick review! > Is there a reason to visit all the intermediate positions? I think you need > just two mouseMoveTo()s, and even that is only because the selection start > position is determined not on mouse down but on the first mouse move after that > (which is arguably a bug). I think mouseMoveTo(x, y + 50); mouseDown(); > mouseMoveTo(x, y + 50); mouseMoveTo(x, y); mouseUp(); will work. Ah, it works. As this was my first patch around selection and inline flows, I've just emulated other tests in the same directory after I noticed mouseMoveTo(x, y+50); mouseDown(); mouseMoveTo(x, y); mouseUp(); doesn't work due to the bug you mentioned. > I don’t understand why this fix is correct. Just using a non-leaf child (which > is not even necessarily a left in the line box tree, it may have nested inline > boxes) in this case seems inconsistent. What if there is a line in the middle > that has no leaf boxes. What if the first line that has children has no leaf > boxes? It seems like we may end up calling positionForBox(null, …) in such > cases because we consider lines that have no leaf boxes and then call > {first,last,closest}LeafChild on them. Perhaps the right thing to do is in the > initial vertical scan loop, change > if (!root->firstChild()) > continue; > to > if (!root->firstLeafChild()) > continue; > > so that only lines with leaf child boxes are considered. Did you try that? Yeah, you are right. I studied the code of inline box for a while... it was insufficient :( My understanding about the structure of inline boxes were completely wrong. Now I think I have a better understanding thanks to your comment. Thanks! I'll commit this patch tomorrow after I re-check the patch destroys nothing.

Shinichiro Hamaji

Comment 13 2009-11-30 08:10:29 PST

Committed as http://trac.webkit.org/changeset/51429

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version 528+ (Nightly build)

Hardware PC

OS Windows XP

Product WebKit

Component Layout and Rendering

Assignee

Nobody

Reported

2009-10-01 09:17 PDT

Modified

2009-11-30 08:10 PST History

CC List

5 users Show

URL

Keywords InRadar, LayoutTestFailure, PlatformOnly

Depends on

Blocks