Added to test_expectations.txt in r101282

Seems like this is a dup of 69275 or 69267. http://test-results.appspot.com/dashboards/flakiness_dashboard.html#showExpectations=true&tests=fast%2Fblock%2Fchild-not-removed-from-parent-lineboxes-crash.html ASSERTION FAILED: m_nestedIsolateCount >= 1 third_party/WebKit/Source/WebCore/platform/text/BidiResolver.h(203) : void WebCore::BidiResolver<Iterator, Run>::exitIsolate() [with Iterator = WebCore::InlineIterator, Run = WebCore::BidiRun] 1 0x159b84e 2 0x15b849b 3 0x15b81cb 4 0x15b80b6 5 0x15b9a46 6 0x15b9c79 7 0x15b3f2c 8 0x15b4cce 9 0x15b071f 10 0x15b03e9 11 0x15b2172 12 0x15735e2 13 0x1572dee 14 0x157686e 15 0x1576490 16 0x1573600 17 0x1572dee 18 0x157686e 19 0x1576490 20 0x1573600 21 0x1572dee 22 0x157686e 23 0x1576490 24 0x1573600 25 0x1572dee 26 0x16ab2be 27 0x12f52de 28 0xc85df7 29 0xc85ecb 30 0xcc9ec3 31 0x1741a41 [6729:6729:8033864725538:ERROR:process_util_posix.cc(134)] Received signal 11 base::debug::StackTrace::StackTrace() [0x711356] base::(anonymous namespace)::StackDumpSignalHandler() [0x6ce0b9] 0x7f40f34eaaf0 WebCore::BidiResolver<>::exitIsolate() [0x159b853] WebCore::notifyObserverWillExitObject<>() [0x15b849b] WebCore::bidiNextShared<>() [0x15b81cb] WebCore::bidiNextSkippingEmptyInlines<>() [0x15b80b6] WebCore::InlineIterator::increment() [0x15b9a46] WebCore::BidiResolver<>::increment() [0x15b9c79] WebCore::RenderBlock::LineBreaker::skipLeadingWhitespace() [0x15b3f2c] WebCore::RenderBlock::LineBreaker::nextLineBreak() [0x15b4cce] WebCore::RenderBlock::layoutRunsAndFloatsInRange() [0x15b071f] WebCore::RenderBlock::layoutRunsAndFloats() [0x15b03e9] WebCore::RenderBlock::layoutInlineChildren() [0x15b2172] WebCore::RenderBlock::layoutBlock() [0x15735e2] WebCore::RenderBlock::layout() [0x1572dee] WebCore::RenderBlock::layoutBlockChild() [0x157686e] WebCore::RenderBlock::layoutBlockChildren() [0x1576490] WebCore::RenderBlock::layoutBlock() [0x1573600] WebCore::RenderBlock::layout() [0x1572dee] WebCore::RenderBlock::layoutBlockChild() [0x157686e] WebCore::RenderBlock::layoutBlockChildren() [0x1576490] WebCore::RenderBlock::layoutBlock() [0x1573600] WebCore::RenderBlock::layout() [0x1572dee] WebCore::RenderBlock::layoutBlockChild() [0x157686e] WebCore::RenderBlock::layoutBlockChildren() [0x1576490] WebCore::RenderBlock::layoutBlock() [0x1573600] WebCore::RenderBlock::layout() [0x1572dee] WebCore::RenderView::layout() [0x16ab2be] WebCore::FrameView::layout() [0x12f52de] WebCore::Document::updateLayout() [0xc85df7] WebCore::Document::updateLayoutIgnorePendingStylesheets() [0xc85ecb] WebCore::Element::offsetTop() [0xcc9ec3] WebCore::ElementInternal::offsetTopAttrGetter() [0x1741a41] 0x6deacd2f240

Same assertion on Qt platform: ASSERTION FAILED: m_nestedIsolateCount >= 1 ../../../../Source/WebCore/platform/text/BidiResolver.h(203) : void WebCore::BidiResolver<Iterator, Run>::exitIsolate() [with Iterator = WebCore::InlineIterator, Run = WebCore::BidiRun]

Created attachment 116968 [details] QtWebKit gdb backtrace

It is P1/critical bug, because it is a crash.

I added this test to the Qt Skipped list: http://trac.webkit.org/changeset/101389 Please unskip it with the proper fix. Thanks in advance.

*** This bug has been marked as a duplicate of bug 69267 ***

It appears that the assertion failure is still happening at least on Chromium bots: http://test-results.appspot.com/dashboards/flakiness_dashboard.html#showExpectations=true&tests=fast%2Fblock%2Fchild-not-removed-from-parent-lineboxes-crash.html

This is actually different assertion: ASSERTION FAILED: !m_nestedIsolateCount /Volumes/Data/webkit3/Source/WebCore/platform/text/BidiResolver.h(278) : WebCore::BidiResolver<Iterator, Run>::~BidiResolver() [with Iterator = WebCore::InlineIterator, Run = WebCore::BidiRun] 1 0x102ac166d WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>::~BidiResolver() 2 0x102ab9027 WebCore::RenderBlock::layoutRunsAndFloats(WebCore::LineLayoutState&, bool) 3 0x102ab952b WebCore::RenderBlock::layoutInlineChildren(bool, int&, int&) 4 0x102a8e116 WebCore::RenderBlock::layoutBlock(bool, int, WebCore::RenderBlock::BlockLayoutPass) 5 0x102a82087 WebCore::RenderBlock::layout() 6 0x102a8bbba WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, int&, int&) 7 0x102a8cb6a WebCore::RenderBlock::layoutBlockChildren(bool, int&) 8 0x102a8e12f WebCore::RenderBlock::layoutBlock(bool, int, WebCore::RenderBlock::BlockLayoutPass) 9 0x102a82087 WebCore::RenderBlock::layout() The problem is that layoutRunsAndFloatsInRange could bail out early without exiting all inlines at: if (checkForEndLineMatch) { layoutState.setEndLineMatched(matchedEndLine(layoutState, resolver, cleanLineStart, cleanLineBidiStatus)); if (layoutState.endLineMatched()) { break; and end = lineBreaker.nextLineBreak(resolver, layoutState.lineInfo(), lineBreakIteratorInfo, lastFloatFromPreviousLine, consecutiveHyphenatedLines); if (resolver.position().atEnd()) { // FIXME: We shouldn't be creating any runs in findNextLineBreak to begin with! // Once BidiRunList is separated from BidiResolver this will not be needed. resolver.runs().deleteRuns(); resolver.markCurrentRunEmpty(); // FIXME: This can probably be replaced by an ASSERT (or just removed). layoutState.setCheckForFloatsFromLastLine(true); break; When this happens, the count hasn't been reset to 0 and we hit the assertion. I could either reset the counter before breaking in those two places or remove the assertion. Eric & Mitz, do you have a preference?

It seems this assertion has been useful and we should keep it if possible.

(In reply to comment #10) > It seems this assertion has been useful and we should keep it if possible. The assertion that has been useful is "m_nestedIsolateCount >= 1" in exitIsolate. The one we're hitting now is "!m_nestedIsolateCount" in ~BidiResolver.

Created attachment 117536 [details] fixes the bug

Here's a patch to keep the assertion and reset the position.

Comment on attachment 117536 [details] fixes the bug View in context: https://bugs.webkit.org/attachment.cgi?id=117536&action=review > Source/WebCore/rendering/RenderBlockLineLayout.cpp:1212 > + resolver.setPosition(InlineIterator(resolver.position().root(), 0, 0), 0); Tragically verbose!

Comment on attachment 117536 [details] fixes the bug View in context: https://bugs.webkit.org/attachment.cgi?id=117536&action=review >> Source/WebCore/rendering/RenderBlockLineLayout.cpp:1212 >> + resolver.setPosition(InlineIterator(resolver.position().root(), 0, 0), 0); > > Tragically verbose! I know :( I'm hoping to get back to refactoring BidiResolver / InlineIterator in Q1 though.

Committed r101733: <http://trac.webkit.org/changeset/101733>