RESOLVED FIXED 54344
REGRESSION (r77834): Assertion failing in svg/custom/use-multiple-on-nested-disallowed-font.svg 
https://bugs.webkit.org/show_bug.cgi?id=54344
Summary REGRESSION (r77834): Assertion failing in svg/custom/use-multiple-on-nested-d...
Darin Adler
Reported Saturday, February 12, 2011 11:03:49 PM UTC
I am getting this assertion failure when running regression tests: ASSERTION FAILED: m_pushedStyleSelector == m_parent->document()->styleSelector() /Users/darin/Safari/OpenSource/Source/WebCore/dom/Element.cpp(90) : WebCore::StyleSelectorParentPusher::~StyleSelectorParentPusher() -> WebCore::StyleSelectorParentPusher::~StyleSelectorParentPusher() -> WebCore::Element::recalcStyle(WebCore::Node::StyleChange) -> WebCore::Element::recalcStyle(WebCore::Node::StyleChange) -> WebCore::Element::recalcStyle(WebCore::Node::StyleChange) -> WebCore::Document::recalcStyle(WebCore::Node::StyleChange) -> WebCore::Document::updateStyleIfNeeded() -> WebCore::Document::updateLayout() -> WebCore::Document::updateLayoutIgnorePendingStylesheets() -> WebCore::SVGElementInstance::invalidateAllInstancesOfElement(WebCore::SVGElement*) -> WebCore::SVGStyledElement::svgAttributeChanged(WebCore::QualifiedName const&) -> WebCore::SVGGradientElement::svgAttributeChanged(WebCore::QualifiedName const&) -> WebCore::SVGLinearGradientElement::svgAttributeChanged(WebCore::QualifiedName const&) -> WebCore::SVGElement::attributeChanged(WebCore::Attribute*, bool) -> WebCore::NamedNodeMap::addAttribute(WTF::PassRefPtr<WebCore::Attribute>) -> WebCore::Element::setAttribute(WebCore::QualifiedName const&, WTF::AtomicString const&, int&) -> WebCore::Element::setAttribute(WebCore::QualifiedName const&, WTF::AtomicString const&) -> WebCore::SVGAnimateTransformElement::resetToBaseValue(WTF::String const&) -> WebCore::SMILTimeContainer::updateAnimations(WebCore::SMILTime) -> WebCore::SMILTimeContainer::begin() -> WebCore::SVGDocumentExtensions::startAnimations() -> WebCore::Document::implicitClose() -> WebCore::FrameLoader::checkCallImplicitClose() -> WebCore::FrameLoader::checkCompleted() -> WebCore::FrameLoader::finishedParsing() -> WebCore::Document::finishedParsing() -> WebCore::HTMLTreeBuilder::finished() -> WebCore::HTMLDocumentParser::end() -> WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() -> WebCore::HTMLDocumentParser::prepareToStopParsing() -> WebCore::HTMLDocumentParser::attemptToEnd() -> WebCore::HTMLDocumentParser::finish() I’m not sure if this is also happening on buildbots.
Attachments
patch (2.59 KB, patch)
2011-02-14 03:39 PST, Antti Koivisto 		no flags
DetailsFormatted DiffDiff
more correct patch (2.77 KB, patch)
2011-02-14 03:49 PST, Antti Koivisto 		kling: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Dirk Schulze
Comment 1 Saturday, February 12, 2011 11:21:02 PM UTC
*** Bug 53989 has been marked as a duplicate of this bug. ***
Darin Adler
Comment 2 Saturday, February 12, 2011 11:23:23 PM UTC
We could have marked this as a duplicate in the other direction. Sorry I didn’t find the duplicate!
Dirk Schulze
Comment 3 Saturday, February 12, 2011 11:35:24 PM UTC
(In reply to comment #2) > We could have marked this as a duplicate in the other direction. Sorry I didn’t find the duplicate! Sure, we can mark it the other way around, both bugs have the same information. But this one has 'regression' in the title. So I choose this bug as valid bug instead of renaming the other one. If you look at the bt on the other bug, you'll see that the location, where the test fails, is the same: StyleSelectorParentPusher.
Antti Koivisto
Comment 4 Sunday, February 13, 2011 11:44:05 AM UTC
This is not really a regression from r77834. Rather, the assert added there exposes an SVG bug (it is recomputing the style selector in the middle of a style recalc). Strangely, I have never seen this locally.
Antti Koivisto
Comment 5 Sunday, February 13, 2011 9:15:38 PM UTC
I can catch this by adding this assert: Index: Source/WebCore/dom/Document.cpp =================================================================== --- Source/WebCore/dom/Document.cpp (revision 78321) +++ Source/WebCore/dom/Document.cpp (working copy) @@ -2944,6 +2944,7 @@ void Document::recalcStyleSelector() { + ASSERT(!m_inStyleRecalc); if (!renderer() || !attached()) return;
Antti Koivisto
Comment 6 Sunday, February 13, 2011 9:16:50 PM UTC
It also fails svg/custom/use-invalid-style.svg
Antti Koivisto
Comment 7 Sunday, February 13, 2011 9:19:03 PM UTC
2947 ASSERT(!m_inStyleRecalc); (gdb) bt #0 0x000000010113a875 in WebCore::Document::recalcStyleSelector (this=0x1060cf000) at /Users/antti/webkit/OpenSource/Source/WebCore/dom/Document.cpp:2947 #1 0x000000010113af45 in WebCore::Document::styleSelectorChanged (this=0x1060cf000, updateFlag=WebCore::DeferRecalcStyle) at /Users/antti/webkit/OpenSource/Source/WebCore/dom/Document.cpp:2871 #2 0x0000000101b440ef in WebCore::SVGFontFaceElement::removeFromMappedElementSheet (this=0x107181720) at /Users/antti/webkit/OpenSource/Source/WebCore/svg/SVGFontFaceElement.cpp:351 #3 0x0000000101b4410b in WebCore::SVGFontFaceElement::removedFromDocument (this=0x107181720) at /Users/antti/webkit/OpenSource/Source/WebCore/svg/SVGFontFaceElement.cpp:329 #4 0x0000000100ff778d in WebCore::ContainerNode::removedFromDocument (this=0x107192260) at /Users/antti/webkit/OpenSource/Source/WebCore/dom/ContainerNode.cpp:743 #5 0x000000010125b357 in WebCore::Element::removedFromDocument (this=0x107192260) at /Users/antti/webkit/OpenSource/Source/WebCore/dom/Element.cpp:919 #6 0x0000000101ba1c09 in WebCore::SVGStyledElement::removedFromDocument (this=0x107192260) at /Users/antti/webkit/OpenSource/Source/WebCore/svg/SVGStyledElement.cpp:362 #7 0x0000000100ff778d in WebCore::ContainerNode::removedFromDocument (this=0x107168960) at /Users/antti/webkit/OpenSource/Source/WebCore/dom/ContainerNode.cpp:743 #8 0x000000010125b357 in WebCore::Element::removedFromDocument (this=0x107168960) at /Users/antti/webkit/OpenSource/Source/WebCore/dom/Element.cpp:919 #9 0x0000000101ba1c09 in WebCore::SVGStyledElement::removedFromDocument (this=0x107168960) at /Users/antti/webkit/OpenSource/Source/WebCore/svg/SVGStyledElement.cpp:362 #10 0x0000000100ff778d in WebCore::ContainerNode::removedFromDocument (this=0x10719cc10) at /Users/antti/webkit/OpenSource/Source/WebCore/dom/ContainerNode.cpp:743 #11 0x000000010125b357 in WebCore::Element::removedFromDocument (this=0x10719cc10) at /Users/antti/webkit/OpenSource/Source/WebCore/dom/Element.cpp:919 #12 0x0000000101ba1c09 in WebCore::SVGStyledElement::removedFromDocument (this=0x10719cc10) at /Users/antti/webkit/OpenSource/Source/WebCore/svg/SVGStyledElement.cpp:362 #13 0x0000000100ff778d in WebCore::ContainerNode::removedFromDocument (this=0x107106c20) at /Users/antti/webkit/OpenSource/Source/WebCore/dom/ContainerNode.cpp:743 #14 0x000000010125b357 in WebCore::Element::removedFromDocument (this=0x107106c20) at /Users/antti/webkit/OpenSource/Source/WebCore/dom/Element.cpp:919 #15 0x0000000101ba1c09 in WebCore::SVGStyledElement::removedFromDocument (this=0x107106c20) at /Users/antti/webkit/OpenSource/Source/WebCore/svg/SVGStyledElement.cpp:362 #16 0x0000000100ff778d in WebCore::ContainerNode::removedFromDocument (this=0x10716dd70) at /Users/antti/webkit/OpenSource/Source/WebCore/dom/ContainerNode.cpp:743 #17 0x000000010125b357 in WebCore::Element::removedFromDocument (this=0x10716dd70) at /Users/antti/webkit/OpenSource/Source/WebCore/dom/Element.cpp:919 #18 0x0000000101ba1c09 in WebCore::SVGStyledElement::removedFromDocument (this=0x10716dd70) at /Users/antti/webkit/OpenSource/Source/WebCore/svg/SVGStyledElement.cpp:362 #19 0x0000000100ffae05 in WebCore::Private::NodeRemovalDispatcher<WebCore::Node, true>::dispatch (node=0x10716dd70) at ContainerNodeAlgorithms.h:99 #20 0x0000000100ffb4b1 in WebCore::Private::addChildNodesToDeletionQueue<WebCore::Node, WebCore::ContainerNode> (head=@0x7fff5fbfd4e8, tail=@0x7fff5fbfd4e0, container=0x1071298a0) at ContainerNodeAlgorithms.h:139 #21 0x0000000100ffb50f in WebCore::removeAllChildrenInContainer<WebCore::Node, WebCore::ContainerNode> (container=0x1071298a0) at ContainerNodeAlgorithms.h:47 #22 0x0000000100ff68a3 in WebCore::ContainerNode::removeAllChildren (this=0x1071298a0) at /Users/antti/webkit/OpenSource/Source/WebCore/dom/ContainerNode.cpp:72 #23 0x00000001019c4831 in WebCore::RenderSVGShadowTreeRootContainer::updateFromElement (this=0x107186168) at /Users/antti/webkit/OpenSource/Source/WebCore/rendering/svg/RenderSVGShadowTreeRootContainer.cpp:71 #24 0x0000000101bc4985 in WebCore::SVGUseElement::recalcStyle (this=0x1196ecad0, change=WebCore::Node::NoChange) at /Users/antti/webkit/OpenSource/Source/WebCore/svg/SVGUseElement.cpp:372 #25 0x000000010125af00 in WebCore::Element::recalcStyle (this=0x1196e9d80, change=WebCore::Node::NoChange) at /Users/antti/webkit/OpenSource/Source/WebCore/dom/Element.cpp:1107 #26 0x000000010125af00 in WebCore::Element::recalcStyle (this=0x119533780, change=WebCore::Node::NoChange) at /Users/antti/webkit/OpenSource/Source/WebCore/dom/Element.cpp:1107 #27 0x000000010125af00 in WebCore::Element::recalcStyle (this=0x105b44ee0, change=WebCore::Node::NoChange) at /Users/antti/webkit/OpenSource/Source/WebCore/dom/Element.cpp:1107 #28 0x0000000101142f6a in WebCore::Document::recalcStyle (this=0x1060cf000, change=WebCore::Node::NoChange) at /Users/antti/webkit/OpenSource/Source/WebCore/dom/Document.cpp:1520 #29 0x000000010113a17f in WebCore::Document::updateStyleIfNeeded (this=0x1060cf000) at /Users/antti/webkit/OpenSource/Source/WebCore/dom/Document.cpp:1562 #30 0x0000000101139ed1 in WebCore::Document::updateLayout (this=0x1060cf000) at /Users/antti/webkit/OpenSource/Source/WebCore/dom/Document.cpp:1589
Antti Koivisto
Comment 8 Sunday, February 13, 2011 9:20:39 PM UTC
DOM mutation from recalcStyle is evil.
Antti Koivisto
Comment 9 Monday, February 14, 2011 11:39:55 AM UTC
Created attachment 82302 [details] patch Intead of recomputing, just mark style selector dirty if it is invalidated in the middle of a style recalc.
Antti Koivisto
Comment 10 Monday, February 14, 2011 11:49:02 AM UTC
Created attachment 82303 [details] more correct patch
Andreas Kling
Comment 11 Monday, February 14, 2011 12:50:34 PM UTC
Comment on attachment 82303 [details] more correct patch r=me (Niko/Dirk: heads up!)
Antti Koivisto
Comment 12 Monday, February 14, 2011 1:13:34 PM UTC
http://trac.webkit.org/changeset/78468
Csaba Osztrogonác
Comment 13 Monday, February 14, 2011 2:35:49 PM UTC
*** Bug 54086 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.