Bug 81607 (status: NEW)
Assertion failure in RenderBox::mapAbsoluteToLocalPoint() when a <marquee> is in a subframe with frame flattening enabled.
https://bugs.webkit.org/show_bug.cgi?id=81607
Andy Estes
Reported 2012-03-19 18:22:23 PDT
Created attachment 132739 [details]
Test case

When a <marquee> element (and possibly any scrollable area) is in a subframe with frame flattening enabled, the following assertion in RenderBox::mapAbsoluteToLocalPoint() is triggered during layout:

ASSERT(!view() || !view()->layoutStateEnabled());

It looks like frame flattening causes the subframe to be laid out recursively, which results in updateLayerPositions() being called on the subframe while the parent frame has the layoutState optimization enabled.

A test case that triggers this assertion is attached. Note that the test must be run from DumpRenderTree or from a port that has frame flattening enabled.

Here is the full backtrace from DumpRenderTree:

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.WebCore 0x000000011005cd16 WebCore::RenderBox::mapAbsoluteToLocalPoint(bool, bool, WebCore::TransformState&) const + 150 (RenderBox.cpp:1463) 1 com.apple.WebCore 0x000000011013c1a5 WebCore::RenderObject::absoluteToLocal(WebCore::FloatPoint const&, bool, bool) const + 117 (RenderObject.cpp:2017) 2 com.apple.WebCore 0x000000010f6009c3 WebCore::FrameView::convertToRenderer(WebCore::RenderObject const*, WebCore::IntPoint const&) const + 163 (FrameView.cpp:3193) 3 com.apple.WebCore 0x000000010f600f89 WebCore::FrameView::convertFromContainingView(WebCore::IntPoint const&) const + 201 (FrameView.cpp:3279) 4 com.apple.WebCore 0x00000001105ec592 WebCore::Widget::convertFromContainingWindow(WebCore::IntPoint const&) const + 98 (Widget.cpp:130) 5 com.apple.WebCore 0x00000001102e5766 WebCore::ScrollView::windowToContents(WebCore::IntPoint const&) const + 86 (ScrollView.cpp:714) 6 com.apple.WebCore 0x000000010f529d29 WebCore::EventHandler::dispatchFakeMouseMoveEventSoonInQuad(WebCore::FloatQuad const&) + 89 (EventHandler.cpp:2578) 7 com.apple.WebCore 0x00000001100e11e2 WebCore::RenderLayer::scrollTo(int, int) + 866 (RenderLayer.cpp:1512) 8 com.apple.WebCore 0x00000001100e368e 
WebCore::RenderLayer::setScrollOffset(WebCore::IntPoint const&) + 62 (RenderLayer.cpp:1788) 9 com.apple.WebCore 0x00000001102c7366 WebCore::ScrollableArea::scrollPositionChanged(WebCore::IntPoint const&) + 54 (ScrollableArea.cpp:138) 10 com.apple.WebCore 0x00000001102c7601 WebCore::ScrollableArea::setScrollOffsetFromAnimation(WebCore::IntPoint const&) + 81 (ScrollableArea.cpp:181) 11 com.apple.WebCore 0x00000001102c90ab WebCore::ScrollAnimator::notifyPositionChanged() + 59 (ScrollAnimator.cpp:144) 12 com.apple.WebCore 0x00000001102cd049 WebCore::ScrollAnimatorMac::notifyPositionChanged() + 41 (ScrollAnimatorMac.mm:667) 13 com.apple.WebCore 0x00000001102ccbe3 WebCore::ScrollAnimatorMac::immediateScrollTo(WebCore::FloatPoint const&) + 211 (ScrollAnimatorMac.mm:646) 14 com.apple.WebCore 0x00000001102ccb03 WebCore::ScrollAnimatorMac::scrollToOffsetWithoutAnimation(WebCore::FloatPoint const&) + 67 (ScrollAnimatorMac.mm:622) 15 com.apple.WebCore 0x00000001102c71dc WebCore::ScrollableArea::scrollToOffsetWithoutAnimation(WebCore::FloatPoint const&) + 60 (ScrollableArea.cpp:117) 16 com.apple.WebCore 0x00000001100e0dad WebCore::RenderLayer::scrollToOffset(int, int, WebCore::RenderLayer::ScrollOffsetClamping) + 941 (RenderLayer.cpp:1441) 17 com.apple.WebCore 0x0000000110121fdd WebCore::RenderMarquee::start() + 301 (RenderMarquee.cpp:170) 18 com.apple.WebCore 0x00000001101221e7 WebCore::RenderMarquee::updateMarqueePosition() + 247 (RenderMarquee.cpp:207) 19 com.apple.WebCore 0x00000001100dc627 WebCore::RenderLayer::updateLayerPositions(WebCore::IntPoint*, unsigned int) + 1815 (RenderLayer.cpp:424) 20 com.apple.WebCore 0x00000001100dc593 WebCore::RenderLayer::updateLayerPositions(WebCore::IntPoint*, unsigned int) + 1667 (RenderLayer.cpp:412) 21 com.apple.WebCore 0x00000001100dc593 WebCore::RenderLayer::updateLayerPositions(WebCore::IntPoint*, unsigned int) + 1667 (RenderLayer.cpp:412) 22 com.apple.WebCore 0x000000010f5f7b40 WebCore::FrameView::layout(bool) + 3680 
(FrameView.cpp:1101) 23 com.apple.WebCore 0x000000010f5ffdc5 WebCore::FrameView::forceLayout(bool) + 37 (FrameView.cpp:3079) 24 com.apple.WebKit 0x000000010e91cf06 -[WebHTMLView layoutToMinimumPageWidth:height:originalPageWidth:originalPageHeight:maximumShrinkRatio:adjustingViewSize:] + 470 (WebHTMLView.mm:3057) 25 com.apple.WebKit 0x000000010e91cf6d -[WebHTMLView layout] + 77 (WebHTMLView.mm:3071) 26 com.apple.WebKit 0x000000010e8bb7cc -[WebDynamicScrollBarsView(WebInternal) updateScrollers] + 2940 (WebDynamicScrollBarsView.mm:377) 27 com.apple.WebKit 0x000000010e8bb9c4 -[WebDynamicScrollBarsView(WebInternal) reflectScrolledClipView:] + 228 (WebDynamicScrollBarsView.mm:408) 28 com.apple.AppKit 0x00007fff94a6fa45 -[NSClipView _reflectDocumentViewFrameChange] + 175 29 com.apple.AppKit 0x00007fff94a5cc92 -[NSView _postFrameChangeNotification] + 211 30 com.apple.AppKit 0x00007fff949822d9 -[NSView setFrameSize:] + 1114 31 com.apple.AppKit 0x00007fff94a5cde7 -[NSControl setFrameSize:] + 83 32 com.apple.WebCore 0x00000001102eb473 WebCore::ScrollView::platformSetContentsSize() + 723 (ScrollViewMac.mm:127) 33 com.apple.WebCore 0x00000001102e3f46 WebCore::ScrollView::setContentsSize(WebCore::IntSize const&) + 134 (ScrollView.cpp:302) 34 com.apple.WebCore 0x000000010f5f587c WebCore::FrameView::setContentsSize(WebCore::IntSize const&) + 124 (FrameView.cpp:501) 35 com.apple.WebCore 0x000000010f5f5b19 WebCore::FrameView::adjustViewSize() + 457 (FrameView.cpp:528) 36 com.apple.WebCore 0x000000010f5f7a68 WebCore::FrameView::layout(bool) + 3464 (FrameView.cpp:1091) 37 com.apple.WebCore 0x000000010f5ffdc5 WebCore::FrameView::forceLayout(bool) + 37 (FrameView.cpp:3079) 38 com.apple.WebKit 0x000000010e91cf06 -[WebHTMLView layoutToMinimumPageWidth:height:originalPageWidth:originalPageHeight:maximumShrinkRatio:adjustingViewSize:] + 470 (WebHTMLView.mm:3057) 39 com.apple.WebKit 0x000000010e91cf6d -[WebHTMLView layout] + 77 (WebHTMLView.mm:3071) 40 com.apple.WebKit 0x000000010e8bad58 
-[WebDynamicScrollBarsView(WebInternal) updateScrollers] + 264 (WebDynamicScrollBarsView.mm:266) 41 com.apple.WebKit 0x000000010e8bb9c4 -[WebDynamicScrollBarsView(WebInternal) reflectScrolledClipView:] + 228 (WebDynamicScrollBarsView.mm:408) 42 com.apple.AppKit 0x00007fff94a6e4bf -[NSClipView _selfBoundsChanged] + 713 43 com.apple.AppKit 0x00007fff94a6bb75 -[NSClipView setFrameSize:] + 247 44 com.apple.AppKit 0x00007fff94981aef -[NSView setFrame:] + 268 45 com.apple.AppKit 0x00007fff94a6b61a -[NSScrollView _applyContentAreaLayout:] + 136 46 com.apple.AppKit 0x00007fff94a6a750 -[NSScrollView tile] + 2154 47 com.apple.WebKit 0x000000010e8ba909 -[WebDynamicScrollBarsView(WebInternal) tile] + 57 (WebDynamicScrollBarsView.mm:212) 48 com.apple.AppKit 0x00007fff94a69e58 -[NSScrollView _tileWithoutRecursing] + 42 49 com.apple.AppKit 0x00007fff94a69e10 -[NSScrollView _update] + 27 50 com.apple.AppKit 0x00007fff94a6f942 -[NSScrollView resizeSubviewsWithOldSize:] + 107 51 com.apple.AppKit 0x00007fff9498223a -[NSView setFrameSize:] + 955 52 com.apple.AppKit 0x00007fff94a6f5f8 -[NSScrollView setFrameSize:] + 506 53 com.apple.AppKit 0x00007fff94981aef -[NSView setFrame:] + 268 54 com.apple.AppKit 0x00007fff94a5c514 -[NSView resizeWithOldSuperviewSize:] + 1324 55 com.apple.AppKit 0x00007fff94a5bf6d -[NSView resizeSubviewsWithOldSize:] + 200 56 com.apple.AppKit 0x00007fff9498223a -[NSView setFrameSize:] + 955 57 com.apple.WebKit 0x000000010e8ea84b -[WebFrameView setFrameSize:] + 267 (WebFrameView.mm:511) 58 com.apple.AppKit 0x00007fff94981aef -[NSView setFrame:] + 268 59 com.apple.WebCore 0x00000001105ed51f WebCore::Widget::setFrameRect(WebCore::IntRect const&) + 607 (WidgetMac.mm:178) 60 com.apple.WebCore 0x00000001102e612f WebCore::ScrollView::setFrameRect(WebCore::IntRect const&) + 95 (ScrollView.cpp:848) 61 com.apple.WebCore 0x000000010f5f52af WebCore::FrameView::setFrameRect(WebCore::IntRect const&) + 95 (FrameView.cpp:405) 62 com.apple.WebCore 0x000000011023cf5f 
WebCore::RenderWidget::setWidgetGeometry(WebCore::IntRect const&) + 287 (RenderWidget.cpp:162) 63 com.apple.WebCore 0x000000011023d17f WebCore::RenderWidget::updateWidgetGeometry() + 399 (RenderWidget.cpp:178) 64 com.apple.WebCore 0x000000011023e193 WebCore::RenderWidget::updateWidgetPosition() + 83 (RenderWidget.cpp:333) 65 com.apple.WebCore 0x00000001100c4f2b WebCore::RenderFrameBase::layoutWithFlattening(bool, bool) + 315 (RenderFrameBase.cpp:57) 66 com.apple.WebCore 0x00000001100c80d1 WebCore::RenderFrameSet::positionFramesWithFlattening() + 833 (RenderFrameSet.cpp:595) 67 com.apple.WebCore 0x00000001100c7bb2 WebCore::RenderFrameSet::layout() + 770 (RenderFrameSet.cpp:488) 68 com.apple.WebCore 0x000000010fffadba WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, int&, int&) + 1274 (RenderBlock.cpp:2337) 69 com.apple.WebCore 0x000000010fff36de WebCore::RenderBlock::layoutBlockChildren(bool, int&) + 1502 (RenderBlock.cpp:2271) 70 com.apple.WebCore 0x000000010fff0e70 WebCore::RenderBlock::layoutBlock(bool, int, WebCore::RenderBlock::BlockLayoutPass) + 2192 (RenderBlock.cpp:1538) 71 com.apple.WebCore 0x000000010fff037c WebCore::RenderBlock::layout() + 92 (RenderBlock.cpp:1401) 72 com.apple.WebCore 0x000000010fffadba WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, int&, int&) + 1274 (RenderBlock.cpp:2337) 73 com.apple.WebCore 0x000000010fff36de WebCore::RenderBlock::layoutBlockChildren(bool, int&) + 1502 (RenderBlock.cpp:2271) 74 com.apple.WebCore 0x000000010fff0e70 WebCore::RenderBlock::layoutBlock(bool, int, WebCore::RenderBlock::BlockLayoutPass) + 2192 (RenderBlock.cpp:1538) 75 com.apple.WebCore 0x000000010fff037c WebCore::RenderBlock::layout() + 92 (RenderBlock.cpp:1401) 76 com.apple.WebCore 0x000000011022ec9c WebCore::RenderView::layout() + 860 (RenderView.cpp:137) 77 com.apple.WebCore 0x000000010f5f79d6 WebCore::FrameView::layout(bool) + 3318 (FrameView.cpp:1078) 78 
com.apple.WebCore 0x000000010f3082a4 WebCore::Document::implicitClose() + 980 (Document.cpp:2349) 79 com.apple.WebCore 0x000000010f5cf67b WebCore::FrameLoader::checkCallImplicitClose() + 155 (FrameLoader.cpp:800) 80 com.apple.WebCore 0x000000010f5cf473 WebCore::FrameLoader::checkCompleted() + 323 (FrameLoader.cpp:747) 81 com.apple.WebCore 0x000000010f5cf74e WebCore::FrameLoader::completed() + 190 (FrameLoader.cpp:1088) 82 com.apple.WebCore 0x000000010f5cf490 WebCore::FrameLoader::checkCompleted() + 352 (FrameLoader.cpp:750) 83 com.apple.WebCore 0x000000010f5ce333 WebCore::FrameLoader::finishedParsing() + 179 (FrameLoader.cpp:680) 84 com.apple.WebCore 0x000000010f313114 WebCore::Document::finishedParsing() + 532 (Document.cpp:4487) 85 com.apple.WebCore 0x000000010f79fcac WebCore::HTMLTreeBuilder::finished() + 140 (HTMLTreeBuilder.cpp:2819) 86 com.apple.WebCore 0x000000010f6dbd83 WebCore::HTMLDocumentParser::end() + 211 (HTMLDocumentParser.cpp:382) 87 com.apple.WebCore 0x000000010f6dae26 WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() + 262 (HTMLDocumentParser.cpp:391) 88 com.apple.WebCore 0x000000010f6dac22 WebCore::HTMLDocumentParser::prepareToStopParsing() + 242 (HTMLDocumentParser.cpp:154) 89 com.apple.WebCore 0x000000010f6dbdd3 WebCore::HTMLDocumentParser::attemptToEnd() + 67 (HTMLDocumentParser.cpp:403) 90 com.apple.WebCore 0x000000010f6dbe28 WebCore::HTMLDocumentParser::finish() + 72 (HTMLDocumentParser.cpp:430) 91 com.apple.WebCore 0x000000010f36eed9 WebCore::DocumentWriter::endIfNotLoadingMainResource() + 297 (DocumentWriter.cpp:250) 92 com.apple.WebCore 0x000000010f36e540 WebCore::DocumentWriter::end() + 48 (DocumentWriter.cpp:225) 93 com.apple.WebCore 0x000000010f34ee5b WebCore::DocumentLoader::finishedLoading() + 91 (DocumentLoader.cpp:296) 94 com.apple.WebCore 0x000000010f5d7609 WebCore::FrameLoader::finishedLoading() + 73 (FrameLoader.cpp:2074) 95 com.apple.WebCore 0x000000010fe91766 WebCore::MainResourceLoader::didFinishLoading(double) 
+ 278 (MainResourceLoader.cpp:485) 96 com.apple.WebCore 0x000000011025bb76 WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle*, double) + 182 (ResourceLoader.cpp:453) 97 com.apple.WebCore 0x00000001102584bb -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] + 251 (ResourceHandleMac.mm:887) 98 com.apple.Foundation 0x00007fff95d30662 ___NSURLConnectionDidFinishLoading_block_invoke_1 + 122 99 com.apple.Foundation 0x00007fff95d305e2 _NSURLConnectionDidFinishLoading + 81 100 com.apple.CFNetwork 0x00007fff97ce64fe URLConnectionClient::_clientDidFinishLoading(URLConnectionClient::ClientConnectionEventQueue*) + 296 101 com.apple.CFNetwork 0x00007fff97d9691e URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<XClientEvent, XClientEventParams>*, long) + 862 102 com.apple.CFNetwork 0x00007fff97d96b0a URLConnectionClient::ClientConnectionEventQueue::processAllEventsAndConsumePayload(XConnectionEventInfo<XClientEvent, XClientEventParams>*, long) + 1354 103 com.apple.CFNetwork 0x00007fff97cc1389 URLConnectionClient::processEvents() + 185 104 com.apple.CFNetwork 0x00007fff97cc122e MultiplexerSource::perform() + 212 105 com.apple.CoreFoundation 0x00007fff9138f511 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17 106 com.apple.CoreFoundation 0x00007fff9138ed7d __CFRunLoopDoSources0 + 253 107 com.apple.CoreFoundation 0x00007fff913b5b69 __CFRunLoopRun + 905 108 com.apple.CoreFoundation 0x00007fff913b54a6 CFRunLoopRunSpecific + 230 109 com.apple.Foundation 0x00007fff95cd3f9f -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 267 110 DumpRenderTree 0x000000010daef699 _ZL7runTestRKNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEE + 5657 (DumpRenderTree.mm:1354) 111 DumpRenderTree 0x000000010daedfda _ZL20runTestingServerLoopv + 282 (DumpRenderTree.mm:817) 112 DumpRenderTree 0x000000010daed86a dumpRenderTree(int, char const**) + 394 (DumpRenderTree.mm:866) 113 DumpRenderTree 
0x000000010daefed9 main + 105 (DumpRenderTree.mm:903) 114 DumpRenderTree 0x000000010dad9184 start + 52
Attachments
Test case (678 bytes, text/html)
2012-03-19 18:22 PDT, Andy Estes
no flags