70678 – Crash in WebCore::RenderTableSection::addChild due to assert failure

Bug 70678 - Crash in WebCore::RenderTableSection::addChild due to assert failure

Summary: Crash in WebCore::RenderTableSection::addChild due to assert failure

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	WebCore Misc. (show other bugs)
Version:	528+ (Nightly build)
Hardware:	Mac (Intel) OS X 10.7

Importance:	P1 Critical
Assignee:	Fady Samuel

URL:	http://dictionary.reference.com/brows...
Keywords:

Depends on:
Blocks:

Reported:	2011-10-22 05:05 PDT by Dimitris Apostolou
Modified:	2011-10-25 12:10 PDT (History)
CC List:	5 users (show)

See Also:

Attachments
Crash log. (45.26 KB, text/plain) 2011-10-22 05:05 PDT, Dimitris Apostolou	no flags	Details
Reduction: Inserting span between two rows triggers an ASSERT failure (905 bytes, text/html) 2011-10-24 11:58 PDT, Fady Samuel	no flags	Details
Improved Reduction (975 bytes, text/html) 2011-10-24 12:17 PDT, Fady Samuel	no flags	Details
Patch (12.13 KB, patch) 2011-10-24 15:49 PDT, Fady Samuel	no flags	Details \| Formatted Diff \| Diff
Patch (12.14 KB, patch) 2011-10-24 16:01 PDT, Fady Samuel	no flags	Details \| Formatted Diff \| Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Dimitris Apostolou 2011-10-22 05:05:10 PDT

Created attachment 112086 [details]
Crash log.

r

Reproducibility: always

Steps:
Go to http://dictionary.reference.com/browse/hem

What happened:
Infinite loop, assert failure and crash.

ASSERTION FAILED: row->isAnonymous()
/Users/rex/WebKit/Source/WebCore/rendering/RenderTableSection.cpp(123) : virtual void WebCore::RenderTableSection::addChild(WebCore::RenderObject *, WebCore::RenderObject *)
1   0x1054c81e8 WebCore::RenderTableSection::addChild(WebCore::RenderObject*, WebCore::RenderObject*)
2   0x105247e20 WebCore::NodeRendererFactory::createRendererIfNeeded()
3   0x10522cad9 WebCore::Node::createRendererIfNeeded()
4   0x104885a78 WebCore::Element::attach()
5   0x1044867d6 WebCore::Node::reattach()
6   0x1048863f3 WebCore::Element::recalcStyle(WebCore::Node::StyleChange)
7   0x104886baf WebCore::Element::recalcStyle(WebCore::Node::StyleChange)
8   0x104886baf WebCore::Element::recalcStyle(WebCore::Node::StyleChange)
9   0x104886baf WebCore::Element::recalcStyle(WebCore::Node::StyleChange)
10  0x104886baf WebCore::Element::recalcStyle(WebCore::Node::StyleChange)
11  0x104886baf WebCore::Element::recalcStyle(WebCore::Node::StyleChange)
12  0x104886baf WebCore::Element::recalcStyle(WebCore::Node::StyleChange)
13  0x104886baf WebCore::Element::recalcStyle(WebCore::Node::StyleChange)
14  0x104886baf WebCore::Element::recalcStyle(WebCore::Node::StyleChange)
15  0x104886baf WebCore::Element::recalcStyle(WebCore::Node::StyleChange)
16  0x104886baf WebCore::Element::recalcStyle(WebCore::Node::StyleChange)
17  0x104886baf WebCore::Element::recalcStyle(WebCore::Node::StyleChange)
18  0x104886baf WebCore::Element::recalcStyle(WebCore::Node::StyleChange)
19  0x104886baf WebCore::Element::recalcStyle(WebCore::Node::StyleChange)
20  0x104886baf WebCore::Element::recalcStyle(WebCore::Node::StyleChange)
21  0x104886baf WebCore::Element::recalcStyle(WebCore::Node::StyleChange)
22  0x104886baf WebCore::Element::recalcStyle(WebCore::Node::StyleChange)
23  0x104886baf WebCore::Element::recalcStyle(WebCore::Node::StyleChange)
24  0x1046b74e1 WebCore::Document::recalcStyle(WebCore::Node::StyleChange)
25  0x1046b8559 WebCore::Document::updateStyleIfNeeded()
26  0x1046c2cff WebCore::Document::finishedParsing()
27  0x104af8eff WebCore::HTMLTreeBuilder::finished()
28  0x104a449e9 WebCore::HTMLDocumentParser::end()
29  0x104a4398c WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd()
30  0x104a43787 WebCore::HTMLDocumentParser::prepareToStopParsing()
31  0x104a441a1 WebCore::HTMLDocumentParser::endIfDelayed()

Expected result:
No infinite loop, no assert failure, no crash.

Comment 1 Dimitris Apostolou 2011-10-22 05:05:38 PDT

r98157

Comment 2 Fady Samuel 2011-10-24 07:45:58 PDT

I'm seeing this bug in Chromium on Linux as well.

Comment 3 Abhishek Arya 2011-10-24 11:13:04 PDT

(In reply to comment #2)
> I'm seeing this bug in Chromium on Linux as well.

We would need a reduction to see what is going on. But as i understand, we should probably need to change that assert into a hard check, and not adding it as a child when previous sibling is not anonymous. We should just continue forward in that function and let it get shoved into a new anonymous block. note that you would need fixes in rendertable, rendertablesection, rendertablerow and rendertablecell. (same code exists there, check out bug 69536.)

Comment 4 Fady Samuel 2011-10-24 11:58:24 PDT

Created attachment 112224 [details]
Reduction: Inserting span between two rows triggers an ASSERT failure

Comment 5 Abhishek Arya 2011-10-24 12:01:26 PDT

Nice, so now you need to see whether the span has to go in its own new anonymous block or it has to go as a last child of row-1. Please compare with firefox, opera renderings.

Comment 6 Abhishek Arya 2011-10-24 12:10:04 PDT

(In reply to comment #5)
> Nice, so now you need to see whether the span has to go in its own new anonymous block or it has to go as a last child of row-1. Please compare with firefox, opera renderings.

Add this to testcase. 	  spanElement.appendChild(document.createTextNode("Some text.")); 

You will see the wrong rendering. You need to change that assert into a hard check. We need to add the child into its own new anonymous row.

Comment 7 Fady Samuel 2011-10-24 12:17:00 PDT

(In reply to comment #6)
> (In reply to comment #5)
> > Nice, so now you need to see whether the span has to go in its own new anonymous block or it has to go as a last child of row-1. Please compare with firefox, opera renderings.
> 
> Add this to testcase.       spanElement.appendChild(document.createTextNode("Some text.")); 
> 
> You will see the wrong rendering. You need to change that assert into a hard check. We need to add the child into its own new anonymous row.

Yup, Firefox inserts the text as a row between row-1, and row-2.

Comment 8 Fady Samuel 2011-10-24 12:17:27 PDT

Created attachment 112230 [details]
Improved Reduction

Comment 9 Abhishek Arya 2011-10-24 12:20:03 PDT

(In reply to comment #8)
> Created an attachment (id=112230) [details]
> Improved Reduction

Perfect, do remember to fix all the three places

Source/WebCore/rendering/RenderTable.cpp (view diffs)
Source/WebCore/rendering/RenderTableRow.cpp (view diffs)
Source/WebCore/rendering/RenderTableSection.cpp (view diffs)

Comment 10 Fady Samuel 2011-10-24 13:13:43 PDT

(In reply to comment #9)
> (In reply to comment #8)
> > Created an attachment (id=112230) [details] [details]
> > Improved Reduction
> 
> Perfect, do remember to fix all the three places
> 
> Source/WebCore/rendering/RenderTable.cpp (view diffs)
> Source/WebCore/rendering/RenderTableRow.cpp (view diffs)
> Source/WebCore/rendering/RenderTableSection.cpp (view diffs)

Yup, will do, I probably needs tests for all three cases right? Three layout tests.

Comment 11 Abhishek Arya 2011-10-24 13:16:23 PDT

(In reply to comment #10)
> (In reply to comment #9)
> > (In reply to comment #8)
> > > Created an attachment (id=112230) [details] [details] [details]
> > > Improved Reduction
> > 
> > Perfect, do remember to fix all the three places
> > 
> > Source/WebCore/rendering/RenderTable.cpp (view diffs)
> > Source/WebCore/rendering/RenderTableRow.cpp (view diffs)
> > Source/WebCore/rendering/RenderTableSection.cpp (view diffs)
> 
> Yup, will do, I probably needs tests for all three cases right? Three layout tests.

Yeah. You can add all the cases in one test too.

Comment 12 Fady Samuel 2011-10-24 15:49:09 PDT

Created attachment 112265 [details]
Patch

Comment 13 Simon Fraser (smfr) 2011-10-24 15:55:51 PDT

Comment on attachment 112265 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=112265&action=review

> Source/WebCore/ChangeLog:13
> +        we need to create a new anonymous Section/Row/Cell respectively, insteading failing an

"insteading" -> instead of

Comment 14 Fady Samuel 2011-10-24 16:01:11 PDT

Created attachment 112267 [details]
Patch

Comment 15 Fady Samuel 2011-10-24 16:01:30 PDT

(In reply to comment #13)
> (From update of attachment 112265 [details])
> View in context: https://bugs.webkit.org/attachment.cgi?id=112265&action=review
> 
> > Source/WebCore/ChangeLog:13
> > +        we need to create a new anonymous Section/Row/Cell respectively, insteading failing an
> 
> "insteading" -> instead of

Oops, fixed.

Comment 16 Dave Hyatt 2011-10-25 11:12:33 PDT

Comment on attachment 112267 [details]
Patch

r=me

Comment 17 WebKit Review Bot 2011-10-25 12:10:07 PDT

Comment on attachment 112267 [details]
Patch

Clearing flags on attachment: 112267

Committed r98372: <http://trac.webkit.org/changeset/98372>

Comment 18 WebKit Review Bot 2011-10-25 12:10:13 PDT

All reviewed patches have been landed.  Closing bug.