Layout never starts from RenderText.
Created attachment 221019 [details] Patch
Attachment 221019 [details] did not pass style-queue: Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'Source/WebCore/ChangeLog', u'Source/WebCore/page/FrameView.cpp', u'Source/WebCore/rendering/LayoutState.cpp', u'Source/WebCore/rendering/LayoutState.h', u'Source/WebCore/rendering/RenderView.cpp', u'Source/WebCore/rendering/RenderView.h', '--commit-queue']" exit_code: 1 ERROR: Source/WebCore/rendering/RenderView.cpp:1078: Missing space before ( in while( [whitespace/parens] [5] Total errors found: 1 in 6 files If any of these errors are false positives, please file a bug against check-webkit-style.
Created attachment 221022 [details] Patch
Comment on attachment 221022 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=221022&action=review > Source/WebCore/rendering/RenderElement.cpp:1036 > + if (!documentBeingDestroyed() && view().frameView().layoutRoot() == this) { > + ASSERT_NOT_REACHED(); > + // This indicates a failure to layout the child, which is why > + // the layout root is still set to |this|. Make sure to clear it > + // since we are getting destroyed. > + view().frameView().clearLayoutRoot(); > + } Wonder if this could just be an assert.
Created attachment 244932 [details] Patch for landing
Comment on attachment 244932 [details] Patch for landing Clearing flags on attachment: 244932 Committed r178683: <http://trac.webkit.org/changeset/178683>
All reviewed patches have been landed. Closing bug.
Looks like this may have caused a lot of crashes on the bots: https://build.webkit.org/builders/Apple%20MountainLion%20Debug%20WK1%20%28Tests%29/builds/17391 https://build.webkit.org/results/Apple%20MountainLion%20Debug%20WK1%20(Tests)/r178685%20(17391)/results.html > Exception Type: EXC_BAD_ACCESS (SIGSEGV) > Exception Codes: KERN_INVALID_ADDRESS at 0x00000000bbadbeef > > Application Specific Information: > CRASHING TEST: scrollbars/scrollbar-selectors.html > > Thread 0 Crashed:: Dispatch queue: com.apple.main-thread > 0 WTFCrash + 42 (Assertions.cpp:321) > 1 WebCore::RenderElement::willBeDestroyed() + 193 (RenderElement.cpp:1075) > 2 WebCore::RenderBoxModelObject::willBeDestroyed() + 184 (RenderBoxModelObject.cpp:205) > 3 WebCore::RenderBlockFlow::willBeDestroyed() + 414 (RenderBlockFlow.cpp:176) > 4 WebCore::RenderObject::destroy() + 66 (RenderObject.cpp:2001) > 5 WebCore::RenderObject::destroyAndCleanupAnonymousWrappers() + 274 (RenderObject.cpp:1989) > 6 WebCore::Style::detachRenderTree(WebCore::Element&, WebCore::Style::DetachType) + 197 (StyleResolveTree.cpp:700) > 7 WebCore::Style::detachRenderTree(WebCore::Element&) + 26 (StyleResolveTree.cpp:1001) > 8 WebCore::destroyRenderTreeIfNeeded(WebCore::Node&) + 94 (ContainerNode.cpp:100) > 9 WebCore::ContainerNode::removeBetween(WebCore::Node*, WebCore::Node*, WebCore::Node&) + 134 (ContainerNode.cpp:588) > 10 WebCore::ContainerNode::removeChild(WebCore::Node*, int&) + 593 (ContainerNode.cpp:559) > 11 WebCore::ContainerNode::replaceChild(WTF::PassRefPtr<WebCore::Node>, WebCore::Node*, int&) + 429 (ContainerNode.cpp:416) > 12 WebCore::Element::setOuterHTML(WTF::String const&, int&) + 302 (Element.cpp:2072) > 13 WebCore::setJSElementOuterHTML(JSC::ExecState*, JSC::JSObject*, long long, long long) + 315 (JSElement.cpp:2362) > 14 JSC::callCustomSetter(JSC::ExecState*, JSC::JSValue, JSC::JSObject*, JSC::JSValue, JSC::JSValue) + 162 (CustomGetterSetter.cpp:45) > 15 JSC::JSObject::put(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 1648 (JSObject.cpp:383) > ... Should I rollout?
Re-opened since this is blocked by bug 140657
Comment on attachment 221022 [details] Patch Cleared Antti Koivisto's review+ from obsolete attachment 221022 [details] so that this bug does not appear in http://webkit.org/pending-commit.