WebKit Bugzilla
RESOLVED FIXED
Bug 68686
Crash on editing/pasteboard/drag-drop-input-in-svg.svg
https://bugs.webkit.org/show_bug.cgi?id=68686
Xan Lopez
Reported
2011-09-23 03:33:03 PDT
Happens in GTK+ debug bot, trace as follows:

Thread 1 (Thread 0x2b09e1f26e40 (LWP 15228)):
#0 0x00002b09d4aaa1f0 in WebCore::deleteLineRange (layoutState=..., arena=0x2e27a520, startLine=0x2e2c3068, stopLine=0x0) at ../../Source/WebCore/rendering/RenderBlockLineLayout.cpp:984
#1 0x00002b09d4aab7ed in WebCore::RenderBlock::linkToEndLineIfNeeded (this=0x2e2b7498, layoutState=...) at ../../Source/WebCore/rendering/RenderBlockLineLayout.cpp:1220
#2 0x00002b09d4aaa6d2 in WebCore::RenderBlock::layoutRunsAndFloats (this=0x2e2b7498, layoutState=..., hasInlineChild=true) at ../../Source/WebCore/rendering/RenderBlockLineLayout.cpp:1050
#3 0x00002b09d4aac27a in WebCore::RenderBlock::layoutInlineChildren (this=0x2e2b7498, relayoutChildren=false, repaintLogicalTop=@0x7fffff1b311c, repaintLogicalBottom=@0x7fffff1b3118) at ../../Source/WebCore/rendering/RenderBlockLineLayout.cpp:1336
#4 0x00002b09d4a6d85e in WebCore::RenderBlock::layoutBlock (this=0x2e2b7498, relayoutChildren=false, pageLogicalHeight=0, layoutPass=WebCore::RenderBlock::NormalLayoutPass) at ../../Source/WebCore/rendering/RenderBlock.cpp:1266
#5 0x00002b09d4a6d09e in WebCore::RenderBlock::layout (this=0x2e2b7498) at ../../Source/WebCore/rendering/RenderBlock.cpp:1154
#6 0x00002b09d4a70d6e in WebCore::RenderBlock::layoutBlockChild (this=0x2e2b70c8, child=0x2e2b7498, marginInfo=..., previousFloatLogicalBottom=@0x7fffff1b33fc, maxFloatLogicalBottom=@0x7fffff1b3544) at ../../Source/WebCore/rendering/RenderBlock.cpp:2024
#7 0x00002b09d4a70990 in WebCore::RenderBlock::layoutBlockChildren (this=0x2e2b70c8, relayoutChildren=false, maxFloatLogicalBottom=@0x7fffff1b3544) at ../../Source/WebCore/rendering/RenderBlock.cpp:1961
#8 0x00002b09d4a6d87f in WebCore::RenderBlock::layoutBlock (this=0x2e2b70c8, relayoutChildren=false, pageLogicalHeight=0, layoutPass=WebCore::RenderBlock::NormalLayoutPass) at ../../Source/WebCore/rendering/RenderBlock.cpp:1268
#9 0x00002b09d4a6d09e in WebCore::RenderBlock::layout (this=0x2e2b70c8) at ../../Source/WebCore/rendering/RenderBlock.cpp:1154
#10 0x00002b09d4bd415c in WebCore::RenderSVGForeignObject::layout (this=0x2e2b70c8) at ../../Source/WebCore/rendering/svg/RenderSVGForeignObject.cpp:132
#11 0x00002b09d4c05a71 in WebCore::SVGRenderSupport::layoutChildren (start=0x2e2b5678, selfNeedsLayout=false) at ../../Source/WebCore/rendering/svg/SVGRenderSupport.cpp:242
#12 0x00002b09d4bf941c in WebCore::RenderSVGRoot::layout (this=0x2e2b5678) at ../../Source/WebCore/rendering/svg/RenderSVGRoot.cpp:227
#13 0x00002b09d48c98ba in WebCore::FrameView::layout (this=0x2df45420, allowSubtree=true) at ../../Source/WebCore/page/FrameView.cpp:1086
#14 0x00002b09d447ca6b in WebCore::Document::updateLayout (this=0x2e1fc6f0) at ../../Source/WebCore/dom/Document.cpp:1653
#15 0x00002b09d45e5d37 in WebCore::VisibleSelection::toNormalizedRange (this=0x7fffff1b40f0) at ../../Source/WebCore/editing/VisibleSelection.cpp:144
#16 0x00002b09d456e47d in WebCore::enclosingDeletableElement (selection=...) at ../../Source/WebCore/editing/DeleteButtonController.cpp:153
#17 0x00002b09d456e61d in WebCore::DeleteButtonController::respondToChangedSelection (this=0xcdeed0, oldSelection=...) at ../../Source/WebCore/editing/DeleteButtonController.cpp:176
#18 0x00002b09d458b28f in WebCore::Editor::respondToChangedSelection (this=0xceb910, oldSelection=...) at ../../Source/WebCore/editing/Editor.cpp:493
#19 0x00002b09d4598248 in WebCore::Editor::respondToChangedSelection (this=0xceb910, oldSelection=..., options=0) at ../../Source/WebCore/editing/Editor.cpp:3161
#20 0x00002b09d459c1f0 in WebCore::FrameSelection::setSelection (this=0xceb9d0, newSelection=..., options=0, align=WebCore::FrameSelection::AlignCursorOnScrollIfNeeded, granularity=WebCore::CharacterGranularity) at ../../Source/WebCore/editing/FrameSelection.cpp:233
#21 0x00002b09d459c975 in WebCore::FrameSelection::respondToNodeModification (this=0xceb9d0, node=0x2e2ba5d0, baseRemoved=true, extentRemoved=true, startRemoved=true, endRemoved=true) at ../../Source/WebCore/editing/FrameSelection.cpp:329
#22 0x00002b09d459c674 in WebCore::FrameSelection::nodeWillBeRemoved (this=0xceb9d0, node=0x2e2ba5d0) at ../../Source/WebCore/editing/FrameSelection.cpp:292
#23 0x00002b09d44830c4 in WebCore::Document::nodeWillBeRemoved (this=0x2e1fc6f0, n=0x2e2ba5d0) at ../../Source/WebCore/dom/Document.cpp:3370
#24 0x00002b09d446264f in WebCore::willRemoveChild (child=0x2e2ba5d0) at ../../Source/WebCore/dom/ContainerNode.cpp:387
#25 0x00002b09d4462868 in WebCore::ContainerNode::removeChild (this=0x2e2b7360, oldChild=0x2e2ba5d0, ec=@0x7fffff1b452c) at ../../Source/WebCore/dom/ContainerNode.cpp:432
#26 0x00002b09d44f2e77 in WebCore::Node::removeChild (this=0x2e2b7360, oldChild=0x2e2ba5d0, ec=@0x7fffff1b452c) at ../../Source/WebCore/dom/Node.cpp:674
#27 0x00002b09d42acd72 in WebCore::JSNode::removeChild (this=0x2b0a23be3320, exec=0x2b0a237d70e8) at ../../Source/WebCore/bindings/js/JSNodeCustom.cpp:172
#28 0x00002b09d4fdd483 in WebCore::jsNodePrototypeFunctionRemoveChild (exec=0x2b0a237d70e8) at DerivedSources/WebCore/JSNode.cpp:529
#29 0x00002b09e239d1f8 in ?? ()
#30 0x00007fffff1b4640 in ?? ()
#31 0x00002b09e23a6a8f in ?? ()
#32 0x00007fffff1b45c0 in ?? ()
#33 0x00002b0a23be3320 in ?? ()
#34 0x000000002e276538 in ?? ()
#35 0x00002b0a00000001 in ?? ()
Martin Robinson
Comment 1
2011-09-23 06:58:03 PDT
CCing some people who have touched this file recently. Do either of you know what might be causing this new crash?
Zan Dobersek
Comment 2
2012-07-15 10:37:51 PDT
The crash no longer occurs so the expectation was removed in http://trac.webkit.org/changeset/118474. Closing the bug.