Bug 115386 - REGRESSION(r149287): Assertion failure in fast/frames/flattening/iframe-flattening-crash.html
Summary: REGRESSION(r149287): Assertion failure in fast/frames/flattening/iframe-flatt...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Frames
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Andreas Kling
URL:
Keywords: InRadar, LayoutTestFailure
Depends on: 115476
Blocks:
Reported: 2013-04-29 16:46 PDT by Alexey Proskuryakov
Modified: 2013-05-22 00:39 PDT (History)

Attachments
Proposed patch (4.44 KB, patch)
2013-04-30 11:03 PDT, Andreas Kling
darin: review+
Follow-up patch (2.39 KB, patch)
2013-05-01 09:44 PDT, Andreas Kling
koivisto: review+

Description Alexey Proskuryakov 2013-04-29 16:46:45 PDT
Looks like an assertion started to happen on all WK2 testers reproducibly:

0   com.apple.WebCore             	0x000000010e768a98 WebCore::Document::updateLayout() + 200 (Document.cpp:1881)
1   com.apple.WebCore             	0x000000010e768ad4 WebCore::Document::updateLayout() + 260 (Document.cpp:1888)
2   com.apple.WebCore             	0x000000010e76bf35 WebCore::Document::updateLayoutIgnorePendingStylesheets() + 197 (Document.cpp:1928)
3   com.apple.WebCore             	0x000000010e8c8f37 WebCore::Element::clientWidth() + 39 (Element.cpp:579)
4   com.apple.WebCore             	0x000000010ef8e427 WebCore::jsElementClientWidth(JSC::ExecState*, JSC::JSValue, JSC::PropertyName) + 71 (JSElement.cpp:384)
5   com.apple.JavaScriptCore      	0x000000010d253a99 JSC::PropertySlot::getValue(JSC::ExecState*, JSC::PropertyName) const + 249 (PropertySlot.h:76)
6   com.apple.JavaScriptCore      	0x000000010d26c312 JSC::JSValue::get(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) const + 242 (JSCJSValueInlines.h:639)
7   com.apple.JavaScriptCore      	0x000000010d5c7cd1 llint_slow_path_get_by_id + 241 (LLIntSlowPaths.cpp:910)
8   com.apple.JavaScriptCore      	0x000000010d5d1555 llint_op_get_by_id + 122
9   com.apple.JavaScriptCore      	0x000000010d4ae4b4 JSC::JITCode::execute(JSC::JSStack*, JSC::ExecState*, JSC::VM*) + 84 (JITCode.h:135)
10  com.apple.JavaScriptCore      	0x000000010d4ab224 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1620 (Interpreter.cpp:1061)
11  com.apple.JavaScriptCore      	0x000000010d2bc7b2 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 306 (CallData.cpp:40)
12  com.apple.WebCore             	0x000000010ee5e682 WebCore::JSMainThreadExecState::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 146 (JSMainThreadExecState.h:56)
13  com.apple.WebCore             	0x000000010efb6491 WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) + 1217 (JSEventListener.cpp:129)
14  com.apple.WebCore             	0x000000010e9219b2 WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul, WTF::CrashOnOverflow>&) + 498 (EventTarget.cpp:259)
15  com.apple.WebCore             	0x000000010e9215cc WebCore::EventTarget::fireEventListeners(WebCore::Event*) + 380 (EventTarget.cpp:204)
16  com.apple.WebCore             	0x000000010e865cf0 WebCore::DOMWindow::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, WTF::PassRefPtr<WebCore::EventTarget>) + 272 (DOMWindow.cpp:1711)
17  com.apple.WebCore             	0x000000010e773ee1 WebCore::Document::dispatchWindowEvent(WTF::PassRefPtr<WebCore::Event>, WTF::PassRefPtr<WebCore::EventTarget>) + 193 (Document.cpp:3656)
18  com.apple.WebCore             	0x000000010e906336 WebCore::EventHandler::dispatchResizeEvent() + 150 (EventHandler.cpp:3790)
19  com.apple.WebCore             	0x000000010ea16614 WebCore::FrameView::dispatchResizeEvent() + 148 (FrameView.cpp:2791)
20  com.apple.WebCore             	0x000000010ea164f6 WebCore::FrameView::setFrameRect(WebCore::IntRect const&) + 678 (FrameView.cpp:500)
21  com.apple.WebCore             	0x000000010f92452d WebCore::RenderWidget::setWidgetGeometry(WebCore::LayoutRect const&) + 381 (RenderWidget.cpp:160)
22  com.apple.WebCore             	0x000000010f924848 WebCore::RenderWidget::updateWidgetGeometry() + 456 (RenderWidget.cpp:180)
23  com.apple.WebCore             	0x000000010f925c33 WebCore::RenderWidget::updateWidgetPosition() + 83 (RenderWidget.cpp:348)
24  com.apple.WebCore             	0x000000010f745250 WebCore::RenderFrameBase::layoutWithFlattening(bool, bool) + 1568 (RenderFrameBase.cpp:98)
25  com.apple.WebCore             	0x000000010f75c555 WebCore::RenderIFrame::layout() + 325 (RenderIFrame.cpp:168)
Comment 2 Alexey Proskuryakov 2013-04-29 16:57:36 PDT
Skipped on Mac in http://trac.webkit.org/r149333
Comment 3 Geoffrey Garen 2013-04-29 20:18:35 PDT
Re-entrant layout is definitely a no-no. This could cause lots of serious problems.
Comment 4 Geoffrey Garen 2013-04-29 20:19:48 PDT
<rdar://problem/13769995>
Comment 5 Andreas Kling 2013-04-30 11:03:26 PDT
Created attachment 200132 [details]
Proposed patch
Comment 6 WebKit Commit Bot 2013-04-30 11:05:06 PDT
Attachment 200132 [details] did not pass style-queue:

Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'LayoutTests/ChangeLog', u'LayoutTests/platform/mac/TestExpectations', u'Source/WebCore/ChangeLog', u'Source/WebCore/page/EventHandler.cpp', u'Source/WebCore/page/EventHandler.h', u'Source/WebCore/page/FrameView.cpp']" exit_code: 1
Source/WebCore/page/FrameView.cpp:38:  Alphabetical sorting problem.  [build/include_order] [4]
Total errors found: 1 in 3 files


If any of these errors are false positives, please file a bug against check-webkit-style.
Comment 7 Andreas Kling 2013-04-30 11:08:52 PDT
Committed r149382: <http://trac.webkit.org/changeset/149382>
Comment 8 WebKit Commit Bot 2013-05-01 09:31:00 PDT
Re-opened since this is blocked by bug 115476
Comment 9 Andreas Kling 2013-05-01 09:44:27 PDT
Created attachment 200217 [details]
Follow-up patch

Because I am a muppet who only tested the previous patch with a release build, it kept on failing in debug.
This patch limits synchronous resize events to the main frame.
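The hazard Geoffrey names in comment 3 (layout re-entered from a resize listener that reads a layout-dependent value, exactly the chain in the backtrace above) and the shape of the follow-up fix (stop firing the resize event synchronously from inside layout) can be shown with a small model. This is an added illustration, not WebKit's code: the class and member names (Document, updateLayout, clientWidth, dispatchResizeEvent) are assumed stand-ins for the frames in the backtrace, and the mitigation modelled here (queueing the event until layout has finished) is the general pattern rather than the patch's exact main-frame restriction.

```cpp
#include <cstdio>
#include <functional>
#include <utility>
#include <vector>

// Toy model (constructed for this illustration) of the re-entrant layout in this bug.
class Document {
public:
    explicit Document(bool deferResizeEvents) : m_deferResizeEvents(deferResizeEvents) {}

    void setResizeHandler(std::function<void(Document&)> handler) { m_resizeHandler = std::move(handler); }
    void setViewportWidth(int width) { m_viewportWidth = width; }

    // Stands in for the ASSERT that fired in Document::updateLayout(): a layout request
    // arriving while layout is already running is recorded as a violation and refused.
    bool updateLayout() {
        if (m_inLayout) {
            ++m_reentrantLayoutRequests;
            return false;
        }
        m_inLayout = true;
        int oldWidth = m_width;
        m_width = m_viewportWidth;
        // Like FrameView::setFrameRect(): a geometry change wants to tell script about the resize.
        if (oldWidth != m_width)
            dispatchResizeEvent();
        m_inLayout = false;
        runPostLayoutTasks();
        return true;
    }

    // Like Element::clientWidth(): a layout-dependent read forces layout to be up to date first.
    int clientWidth() {
        updateLayout();
        return m_width;
    }

    int reentrantLayoutRequests() const { return m_reentrantLayoutRequests; }
    int resizeEventsDelivered() const { return m_resizeEventsDelivered; }

private:
    void dispatchResizeEvent() {
        if (m_inLayout && m_deferResizeEvents) {
            // Mitigation: queue the event and deliver it once layout has unwound.
            m_postLayoutTasks.push_back([this] { fireResizeEvent(); });
            return;
        }
        fireResizeEvent(); // synchronous dispatch from inside layout: the hazard in this bug
    }

    void fireResizeEvent() {
        ++m_resizeEventsDelivered;
        if (m_resizeHandler)
            m_resizeHandler(*this);
    }

    void runPostLayoutTasks() {
        std::vector<std::function<void()>> tasks;
        tasks.swap(m_postLayoutTasks);
        for (auto& task : tasks)
            task();
    }

    bool m_deferResizeEvents;
    bool m_inLayout = false;
    int m_width = 0;
    int m_viewportWidth = 0;
    int m_reentrantLayoutRequests = 0;
    int m_resizeEventsDelivered = 0;
    std::function<void(Document&)> m_resizeHandler;
    std::vector<std::function<void()>> m_postLayoutTasks;
};

// Drives the scenario from the layout test: a script resize listener reads clientWidth,
// and the first layout changes the frame's size so a resize event is produced.
Document runScenario(bool deferResizeEvents) {
    Document document(deferResizeEvents);
    document.setResizeHandler([](Document& d) { (void)d.clientWidth(); });
    document.setViewportWidth(800);
    document.updateLayout();
    return document;
}

int reentrantLayoutsObserved(bool deferResizeEvents) { return runScenario(deferResizeEvents).reentrantLayoutRequests(); }
int resizeEventsObserved(bool deferResizeEvents) { return runScenario(deferResizeEvents).resizeEventsDelivered(); }

int main() {
    std::printf("synchronous dispatch: %d re-entrant layout(s), %d resize event(s)\n",
                reentrantLayoutsObserved(false), resizeEventsObserved(false));
    std::printf("deferred dispatch:    %d re-entrant layout(s), %d resize event(s)\n",
                reentrantLayoutsObserved(true), resizeEventsObserved(true));
    return 0;
}
```

With synchronous dispatch the listener's clientWidth() read lands inside the running layout and trips the re-entrancy check; with the event deferred, the listener still fires exactly once, but only after layout has finished, so its forced layout is a fresh, non-nested one.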
Comment 10 Antti Koivisto 2013-05-01 09:47:58 PDT
Comment on attachment 200217 [details]
Follow-up patch

View in context: https://bugs.webkit.org/attachment.cgi?id=200217&action=review

r=me

> Source/WebCore/page/FrameView.cpp:2792
> +    bool isMainFrame = page ? page->mainFrame() == m_frame : false;

page && page->mainFrame() == m_frame ?
Comment 11 Alexey Proskuryakov 2013-05-01 09:51:04 PDT
Is the test still skipped in TestExpectations?
Comment 12 Andreas Kling 2013-05-01 09:52:20 PDT
(In reply to comment #11)
> Is the test still skipped in TestExpectations?

It is not skipped.
Comment 13 Andreas Kling 2013-05-01 09:55:01 PDT
Committed r149435: <http://trac.webkit.org/changeset/149435>