Bug 69275 - Crash in IsolateTracker::addFakeRunIfNecessary(), preceded by assertion failure (m_nestedIsolateCount >= 1) in IsolateTracker::exitIsolate()
Status: RESOLVED FIXED
Product: WebKit
Component: Layout and Rendering
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P1 Normal
Assigned To:
URL: data:text/html,%3Cspan%20style=%22uni...
Keywords: InRadar
Depends on:
Blocks: 69267
Reported: 2011-10-03 11:54 PST by
Modified: 2011-11-29 12:37 PST (History)


Attachments
fixes the bug (4.77 KB, patch)
2011-11-28 16:07 PST, Ryosuke Niwa
eric: review+



Description From 2011-10-03 11:54:24 PST
To reproduce, navigate to the URL.

Results:

ASSERTION FAILED: m_nestedIsolateCount >= 1
Source/WebCore/rendering/InlineIterator.h(430) : void WebCore::IsolateTracker::exitIsolate()
1   WebCore::IsolateTracker::exitIsolate()
2   void WebCore::notifyObserverWillExitObject<WebCore::IsolateTracker>(WebCore::IsolateTracker*, WebCore::RenderObject*)
3   WebCore::RenderObject* WebCore::bidiNextShared<WebCore::IsolateTracker>(WebCore::RenderObject*, WebCore::RenderObject*, WebCore::IsolateTracker*, WebCore::EmptyInlineBehavior, bool*)
4   WebCore::RenderObject* WebCore::bidiNextSkippingEmptyInlines<WebCore::IsolateTracker>(WebCore::RenderObject*, WebCore::RenderObject*, WebCore::IsolateTracker*)
5   WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>::appendRun()
6   WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>::createBidiRunsForLine(WebCore::InlineIterator const&, WebCore::VisualDirectionOverride, bool)
7   void WebCore::constructBidiRuns(WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>&, WebCore::BidiRunList<WebCore::BidiRun>&, WebCore::InlineIterator const&, WebCore::VisualDirectionOverride, bool)
8   WebCore::RenderBlock::layoutRunsAndFloatsInRange(WebCore::LineLayoutState&, WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>&, WebCore::InlineIterator const&, WebCore::BidiStatus const&, unsigned int)
9   WebCore::RenderBlock::layoutRunsAndFloats(WebCore::LineLayoutState&, bool)
10  WebCore::RenderBlock::layoutInlineChildren(bool, int&, int&)
11  WebCore::RenderBlock::layoutBlock(bool, int, WebCore::RenderBlock::BlockLayoutPass)
12  WebCore::RenderBlock::layout()
13  WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, int&, int&)
14  WebCore::RenderBlock::layoutBlockChildren(bool, int&)
15  WebCore::RenderBlock::layoutBlock(bool, int, WebCore::RenderBlock::BlockLayoutPass)
16  WebCore::RenderBlock::layout()
17  WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, int&, int&)
18  WebCore::RenderBlock::layoutBlockChildren(bool, int&)
19  WebCore::RenderBlock::layoutBlock(bool, int, WebCore::RenderBlock::BlockLayoutPass)
20  WebCore::RenderBlock::layout()
21  WebCore::RenderView::layout()
22  WebCore::FrameView::layout(bool)
23  WebCore::Document::implicitClose()
24  WebCore::FrameLoader::checkCallImplicitClose()
25  WebCore::FrameLoader::checkCompleted()
26  WebCore::FrameLoader::finishedParsing()
27  WebCore::Document::finishedParsing()
28  WebCore::HTMLTreeBuilder::finished()
29  WebCore::HTMLDocumentParser::end()
30  WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd()
31  WebCore::HTMLDocumentParser::prepareToStopParsing()
------- Comment #1 From 2011-10-03 12:03:16 PST -------
It’s not clear to me why IsolateTracker initializes m_nestedIsolateCount to 1 regardless of the number of enclosing isolating inlines.
------- Comment #2 From 2011-10-03 12:07:29 PST -------
In release builds, this ends up crashing in IsolateTracker::addFakeRunIfNecessary():

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000010

0   com.apple.WebCore                 0x0000000107adc69d WebCore::IsolateTracker::addFakeRunIfNecessary(WebCore::RenderObject*, WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>&) + 113
1   com.apple.WebCore                 0x00000001071a7536 WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>::appendRun() + 724
2   com.apple.WebCore                 0x00000001071a701e WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>::createBidiRunsForLine(WebCore::InlineIterator const&, WebCore::VisualDirectionOverride, bool) + 3626
3   com.apple.WebCore                 0x0000000107adae75 WebCore::RenderBlock::layoutRunsAndFloatsInRange(WebCore::LineLayoutState&, WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>&, WebCore::InlineIterator const&, WebCore::BidiStatus const&, unsigned int) + 1271
4   com.apple.WebCore                 0x0000000107adbdde WebCore::RenderBlock::layoutRunsAndFloats(WebCore::LineLayoutState&, bool) + 1238
5   com.apple.WebCore                 0x00000001071a1391 WebCore::RenderBlock::layoutInlineChildren(bool, int&, int&) + 425
6   com.apple.WebCore                 0x0000000107ad25d7 WebCore::RenderBlock::layoutBlock(bool, int, WebCore::RenderBlock::BlockLayoutPass) + 1655
7   com.apple.WebCore                 0x000000010719cab8 WebCore::RenderBlock::layout() + 42
8   com.apple.WebCore                 0x000000010719f5f2 WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, int&, int&) + 838
9   com.apple.WebCore                 0x000000010719e60a WebCore::RenderBlock::layoutBlockChildren(bool, int&) + 668
10  com.apple.WebCore                 0x0000000107ad25f5 WebCore::RenderBlock::layoutBlock(bool, int, WebCore::RenderBlock::BlockLayoutPass) + 1685
11  com.apple.WebCore                 0x000000010719cab8 WebCore::RenderBlock::layout() + 42
12  com.apple.WebCore                 0x000000010719f5f2 WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, int&, int&) + 838
13  com.apple.WebCore                 0x000000010719e60a WebCore::RenderBlock::layoutBlockChildren(bool, int&) + 668
14  com.apple.WebCore                 0x0000000107ad25f5 WebCore::RenderBlock::layoutBlock(bool, int, WebCore::RenderBlock::BlockLayoutPass) + 1685
15  com.apple.WebCore                 0x000000010719cab8 WebCore::RenderBlock::layout() + 42
16  com.apple.WebCore                 0x000000010719ca1f WebCore::RenderView::layout() + 579
------- Comment #3 From 2011-10-03 12:09:03 PST -------
<rdar://problem/10212881>
------- Comment #4 From 2011-10-03 13:17:32 PST -------
Thank you.
------- Comment #5 From 2011-10-04 04:10:43 PST -------
(In reply to comment #1)
> It’s not clear to me why IsolateTracker initializes m_nestedIsolateCount to 1 regardless of the number of enclosing isolating inlines.

It's probably wrong.

We simply don't have enough isolate test cases yet.
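The counter the two comments above are discussing, as an added example that is not WebKit's code: a small C++ model of an isolate tracker whose starting value is either the constant 1 or the number of enclosing isolates, walked from a start position out to the end of a block. The Node tree, the bidiNext walk, the seed parameter, the runScenario helper and the nested-span page are assumptions made for the model; only the enter/exit shape and the `m_nestedIsolateCount >= 1` invariant come from the report.

```cpp
// Added example, not WebCore code: a toy model of the isolate nesting counter.
// Node, bidiNext, the seed parameter and the page shape are assumptions made
// here to show why a constant starting count is wrong.
#include <iostream>
#include <memory>
#include <string>
#include <vector>

// Inline tree node; `isolate` models an inline styled unicode-bidi: isolate.
struct Node {
    std::string name;
    bool isolate;
    Node* parent = nullptr;
    std::vector<std::unique_ptr<Node>> children;
    Node(const std::string& n, bool iso) : name(n), isolate(iso) {}
    Node* add(const std::string& n, bool iso) {
        children.push_back(std::make_unique<Node>(n, iso));
        children.back()->parent = this;
        return children.back().get();
    }
};

// Number of isolating inlines strictly enclosing `n`.
int numberOfEnclosingIsolates(const Node* n) {
    int count = 0;
    for (const Node* p = n->parent; p; p = p->parent)
        if (p->isolate) ++count;
    return count;
}

// Counter with the shape the report describes. exitIsolate() records where
// ASSERT(m_nestedIsolateCount >= 1) would fire instead of aborting.
class IsolateTracker {
public:
    explicit IsolateTracker(int seed) : m_nestedIsolateCount(seed) {}
    void enterIsolate() { ++m_nestedIsolateCount; }
    bool exitIsolate() {
        if (m_nestedIsolateCount < 1) { m_invariantViolated = true; return false; }
        --m_nestedIsolateCount;
        return true;
    }
    bool inIsolate() const { return m_nestedIsolateCount > 0; }
    bool invariantViolated() const { return m_invariantViolated; }
    int count() const { return m_nestedIsolateCount; }
private:
    int m_nestedIsolateCount; bool m_invariantViolated = false;
};

// Document-order successor of `n` inside `root`, notifying the tracker when the
// walk steps into an isolate or climbs out of one. Climbing out is what matters:
// isolates entered before iteration began are still exited during it.
Node* bidiNext(Node* n, Node* root, IsolateTracker& tracker) {
    if (!n->children.empty()) {
        if (n->children.front()->isolate) tracker.enterIsolate();
        return n->children.front().get();
    }
    while (n != root) {
        auto& siblings = n->parent->children;
        size_t i = 0;
        while (siblings[i].get() != n) ++i;
        if (i + 1 < siblings.size()) {
            if (siblings[i + 1]->isolate) tracker.enterIsolate();
            return siblings[i + 1].get();
        }
        if (n->parent->isolate) tracker.exitIsolate();
        n = n->parent;
    }
    return nullptr;
}

// Constructed page (assumed, not the reporter's exact markup):
// <div><span isolate><span isolate>text</span></span><span isolate>singleText</span>tail</div>
std::unique_ptr<Node> buildModelPage() {
    auto div = std::make_unique<Node>("div", false);
    div->add("outer", true)->add("inner", true)->add("text", false);
    div->add("single", true)->add("singleText", false);
    div->add("tail", false);
    return div;
}

Node* find(Node* n, const std::string& name) {
    if (n->name == name) return n;
    for (auto& c : n->children)
        if (Node* hit = find(c.get(), name)) return hit;
    return nullptr;
}

// Walks from the node called `startName` to the end of the page. With
// seedFromAncestors=false the tracker starts at 1 whatever the nesting (the
// behaviour comment #1 questions); with true it starts at the real depth.
IsolateTracker runScenario(const std::string& startName, bool seedFromAncestors) {
    std::unique_ptr<Node> page = buildModelPage();
    Node* start = find(page.get(), startName);
    IsolateTracker tracker(seedFromAncestors ? numberOfEnclosingIsolates(start) : 1);
    for (Node* n = start; n; n = bidiNext(n, page.get(), tracker)) {}
    return tracker;
}

int main() {
    for (const char* s : {"text", "singleText", "tail"}) {
        IsolateTracker constant = runScenario(s, false), counted = runScenario(s, true);
        std::cout << s << ": seed 1 -> violated=" << constant.invariantViolated() << " final=" << constant.count()
                  << "; seed from ancestors -> violated=" << counted.invariantViolated() << " final=" << counted.count() << "\n";
    }
}
```

Starting inside two nested isolates with the constant seed drives the count below one on the second exit, which is the assertion in the description. Starting inside exactly one isolate works with either seed, which is why a constant could go unnoticed until nested isolates were tried. Starting outside any isolate with the constant seed leaves the tracker reporting inIsolate() at the end of the block even though nothing was isolated, so the constant is wrong in both directions.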
------- Comment #6 From 2011-11-28 11:44:30 PST -------
Hm... I can't reproduce this crash on ToT.
------- Comment #7 From 2011-11-28 16:02:07 PST -------
(In reply to comment #6)
> Hm... I can't reproduce this crash on ToT.

Apparently, I was doing it wrong. A patch coming in a minute.
------- Comment #8 From 2011-11-28 16:07:47 PST -------
Created an attachment (id=116847)
fixes the bug
------- Comment #9 From 2011-11-28 16:08:30 PST -------
(From update of attachment 116847)
View in context: https://bugs.webkit.org/attachment.cgi?id=116847&action=review

> Source/WebCore/ChangeLog:9
> +        The crash was caused by our false assumption that at most one isolated container exits between the start

s/exits/exists/
------- Comment #10 From 2011-11-28 16:12:18 PST -------
(From update of attachment 116847)
Looks right to me :)
------- Comment #11 From 2011-11-28 18:47:25 PST -------
(From update of attachment 116847)
Seems fine to me.  I'm not sure I remember why I had that assumption.  Clearly I designed the system to accommodate more than one.  More test coverage will tell us if this is the right code design or not. :)
------- Comment #12 From 2011-11-29 12:37:30 PST -------
Committed r101406: <http://trac.webkit.org/changeset/101406>