[Webkit-unassigned] [Bug 73250] REGRESSION(r101268): Intermittent assertion failure in fast/block/child-not-removed-from-parent-lineboxes-crash.html

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Dec 1 14:19:38 PST 2011 

https://bugs.webkit.org/show_bug.cgi?id=73250





--- Comment #9 from Ryosuke Niwa <rniwa at webkit.org>  2011-12-01 14:19:38 PST ---
This is actually different assertion:
ASSERTION FAILED: !m_nestedIsolateCount
/Volumes/Data/webkit3/Source/WebCore/platform/text/BidiResolver.h(278) : WebCore::BidiResolver<Iterator, Run>::~BidiResolver() [with Iterator = WebCore::InlineIterator, Run = WebCore::BidiRun]
1   0x102ac166d WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>::~BidiResolver()
2   0x102ab9027 WebCore::RenderBlock::layoutRunsAndFloats(WebCore::LineLayoutState&, bool)
3   0x102ab952b WebCore::RenderBlock::layoutInlineChildren(bool, int&, int&)
4   0x102a8e116 WebCore::RenderBlock::layoutBlock(bool, int, WebCore::RenderBlock::BlockLayoutPass)
5   0x102a82087 WebCore::RenderBlock::layout()
6   0x102a8bbba WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, int&, int&)
7   0x102a8cb6a WebCore::RenderBlock::layoutBlockChildren(bool, int&)
8   0x102a8e12f WebCore::RenderBlock::layoutBlock(bool, int, WebCore::RenderBlock::BlockLayoutPass)
9   0x102a82087 WebCore::RenderBlock::layout()

The problem is that layoutRunsAndFloatsInRange could bail out early without exiting all inlines at:

        if (checkForEndLineMatch) {
            layoutState.setEndLineMatched(matchedEndLine(layoutState, resolver, cleanLineStart, cleanLineBidiStatus));
            if (layoutState.endLineMatched()) {
               break;

and

        end = lineBreaker.nextLineBreak(resolver, layoutState.lineInfo(), lineBreakIteratorInfo, lastFloatFromPreviousLine, consecutiveHyphenatedLines);
        if (resolver.position().atEnd()) {
            // FIXME: We shouldn't be creating any runs in findNextLineBreak to begin with!
            // Once BidiRunList is separated from BidiResolver this will not be needed.
            resolver.runs().deleteRuns();
            resolver.markCurrentRunEmpty(); // FIXME: This can probably be replaced by an ASSERT (or just removed).
            layoutState.setCheckForFloatsFromLastLine(true);
            break;

When this happens, the count hasn't been reset to 0 and we hit the assertion. I could either reset the counter before breaking in those two places or remove the assertion.

Eric & Mitz, do you have a preference?

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list