RESOLVED FIXED 70678
Crash in WebCore::RenderTableSection::addChild due to assert failure 
https://bugs.webkit.org/show_bug.cgi?id=70678
Summary Crash in WebCore::RenderTableSection::addChild due to assert failure
Dimitris Apostolou
Reported 2011-10-22 05:05:10 PDT
Created attachment 112086 [details] Crash log. r Reproducibility: always Steps: Go to http://dictionary.reference.com/browse/hem What happened: Infinite loop, assert failure and crash. ASSERTION FAILED: row->isAnonymous() /Users/rex/WebKit/Source/WebCore/rendering/RenderTableSection.cpp(123) : virtual void WebCore::RenderTableSection::addChild(WebCore::RenderObject *, WebCore::RenderObject *) 1 0x1054c81e8 WebCore::RenderTableSection::addChild(WebCore::RenderObject*, WebCore::RenderObject*) 2 0x105247e20 WebCore::NodeRendererFactory::createRendererIfNeeded() 3 0x10522cad9 WebCore::Node::createRendererIfNeeded() 4 0x104885a78 WebCore::Element::attach() 5 0x1044867d6 WebCore::Node::reattach() 6 0x1048863f3 WebCore::Element::recalcStyle(WebCore::Node::StyleChange) 7 0x104886baf WebCore::Element::recalcStyle(WebCore::Node::StyleChange) 8 0x104886baf WebCore::Element::recalcStyle(WebCore::Node::StyleChange) 9 0x104886baf WebCore::Element::recalcStyle(WebCore::Node::StyleChange) 10 0x104886baf WebCore::Element::recalcStyle(WebCore::Node::StyleChange) 11 0x104886baf WebCore::Element::recalcStyle(WebCore::Node::StyleChange) 12 0x104886baf WebCore::Element::recalcStyle(WebCore::Node::StyleChange) 13 0x104886baf WebCore::Element::recalcStyle(WebCore::Node::StyleChange) 14 0x104886baf WebCore::Element::recalcStyle(WebCore::Node::StyleChange) 15 0x104886baf WebCore::Element::recalcStyle(WebCore::Node::StyleChange) 16 0x104886baf WebCore::Element::recalcStyle(WebCore::Node::StyleChange) 17 0x104886baf WebCore::Element::recalcStyle(WebCore::Node::StyleChange) 18 0x104886baf WebCore::Element::recalcStyle(WebCore::Node::StyleChange) 19 0x104886baf WebCore::Element::recalcStyle(WebCore::Node::StyleChange) 20 0x104886baf WebCore::Element::recalcStyle(WebCore::Node::StyleChange) 21 0x104886baf WebCore::Element::recalcStyle(WebCore::Node::StyleChange) 22 0x104886baf WebCore::Element::recalcStyle(WebCore::Node::StyleChange) 23 0x104886baf WebCore::Element::recalcStyle(WebCore::Node::StyleChange) 24 0x1046b74e1 WebCore::Document::recalcStyle(WebCore::Node::StyleChange) 25 0x1046b8559 WebCore::Document::updateStyleIfNeeded() 26 0x1046c2cff WebCore::Document::finishedParsing() 27 0x104af8eff WebCore::HTMLTreeBuilder::finished() 28 0x104a449e9 WebCore::HTMLDocumentParser::end() 29 0x104a4398c WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() 30 0x104a43787 WebCore::HTMLDocumentParser::prepareToStopParsing() 31 0x104a441a1 WebCore::HTMLDocumentParser::endIfDelayed() Expected result: No infinite loop, no assert failure, no crash.
Attachments
Crash log. (45.26 KB, text/plain)
2011-10-22 05:05 PDT, Dimitris Apostolou 		no flags
Details
Reduction: Inserting span between two rows triggers an ASSERT failure (905 bytes, text/html)
2011-10-24 11:58 PDT, Fady Samuel 		no flags
Details
Improved Reduction (975 bytes, text/html)
2011-10-24 12:17 PDT, Fady Samuel 		no flags
Details
Patch (12.13 KB, patch)
2011-10-24 15:49 PDT, Fady Samuel 		no flags
DetailsFormatted DiffDiff
Patch (12.14 KB, patch)
2011-10-24 16:01 PDT, Fady Samuel 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Dimitris Apostolou
Comment 1 2011-10-22 05:05:38 PDT
r98157
Fady Samuel
Comment 2 2011-10-24 07:45:58 PDT
I'm seeing this bug in Chromium on Linux as well.
Abhishek Arya
Comment 3 2011-10-24 11:13:04 PDT
(In reply to comment #2) > I'm seeing this bug in Chromium on Linux as well. We would need a reduction to see what is going on. But as i understand, we should probably need to change that assert into a hard check, and not adding it as a child when previous sibling is not anonymous. We should just continue forward in that function and let it get shoved into a new anonymous block. note that you would need fixes in rendertable, rendertablesection, rendertablerow and rendertablecell. (same code exists there, check out bug 69536.)
Fady Samuel
Comment 4 2011-10-24 11:58:24 PDT
Created attachment 112224 [details] Reduction: Inserting span between two rows triggers an ASSERT failure
Abhishek Arya
Comment 5 2011-10-24 12:01:26 PDT
Nice, so now you need to see whether the span has to go in its own new anonymous block or it has to go as a last child of row-1. Please compare with firefox, opera renderings.
Abhishek Arya
Comment 6 2011-10-24 12:10:04 PDT
(In reply to comment #5) > Nice, so now you need to see whether the span has to go in its own new anonymous block or it has to go as a last child of row-1. Please compare with firefox, opera renderings. Add this to testcase. spanElement.appendChild(document.createTextNode("Some text.")); You will see the wrong rendering. You need to change that assert into a hard check. We need to add the child into its own new anonymous row.
Fady Samuel
Comment 7 2011-10-24 12:17:00 PDT
(In reply to comment #6) > (In reply to comment #5) > > Nice, so now you need to see whether the span has to go in its own new anonymous block or it has to go as a last child of row-1. Please compare with firefox, opera renderings. > > Add this to testcase. spanElement.appendChild(document.createTextNode("Some text.")); > > You will see the wrong rendering. You need to change that assert into a hard check. We need to add the child into its own new anonymous row. Yup, Firefox inserts the text as a row between row-1, and row-2.
Fady Samuel
Comment 8 2011-10-24 12:17:27 PDT
Created attachment 112230 [details] Improved Reduction
Abhishek Arya
Comment 9 2011-10-24 12:20:03 PDT
(In reply to comment #8) > Created an attachment (id=112230) [details] > Improved Reduction Perfect, do remember to fix all the three places Source/WebCore/rendering/RenderTable.cpp (view diffs) Source/WebCore/rendering/RenderTableRow.cpp (view diffs) Source/WebCore/rendering/RenderTableSection.cpp (view diffs)
Fady Samuel
Comment 10 2011-10-24 13:13:43 PDT
(In reply to comment #9) > (In reply to comment #8) > > Created an attachment (id=112230) [details] [details] > > Improved Reduction > > Perfect, do remember to fix all the three places > > Source/WebCore/rendering/RenderTable.cpp (view diffs) > Source/WebCore/rendering/RenderTableRow.cpp (view diffs) > Source/WebCore/rendering/RenderTableSection.cpp (view diffs) Yup, will do, I probably needs tests for all three cases right? Three layout tests.
Abhishek Arya
Comment 11 2011-10-24 13:16:23 PDT
(In reply to comment #10) > (In reply to comment #9) > > (In reply to comment #8) > > > Created an attachment (id=112230) [details] [details] [details] > > > Improved Reduction > > > > Perfect, do remember to fix all the three places > > > > Source/WebCore/rendering/RenderTable.cpp (view diffs) > > Source/WebCore/rendering/RenderTableRow.cpp (view diffs) > > Source/WebCore/rendering/RenderTableSection.cpp (view diffs) > > Yup, will do, I probably needs tests for all three cases right? Three layout tests. Yeah. You can add all the cases in one test too.
Fady Samuel
Comment 12 2011-10-24 15:49:09 PDT
Created attachment 112265 [details] Patch
Simon Fraser (smfr)
Comment 13 2011-10-24 15:55:51 PDT
Comment on attachment 112265 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=112265&action=review > Source/WebCore/ChangeLog:13 > + we need to create a new anonymous Section/Row/Cell respectively, insteading failing an "insteading" -> instead of
Fady Samuel
Comment 14 2011-10-24 16:01:11 PDT
Created attachment 112267 [details] Patch
Fady Samuel
Comment 15 2011-10-24 16:01:30 PDT
(In reply to comment #13) > (From update of attachment 112265 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=112265&action=review > > > Source/WebCore/ChangeLog:13 > > + we need to create a new anonymous Section/Row/Cell respectively, insteading failing an > > "insteading" -> instead of Oops, fixed.
Dave Hyatt
Comment 16 2011-10-25 11:12:33 PDT
Comment on attachment 112267 [details] Patch r=me
WebKit Review Bot
Comment 17 2011-10-25 12:10:07 PDT
Comment on attachment 112267 [details] Patch Clearing flags on attachment: 112267 Committed r98372: <http://trac.webkit.org/changeset/98372>
WebKit Review Bot
Comment 18 2011-10-25 12:10:13 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.