[Webkit-unassigned] [Bug 77154] New: Assertion in FrameView::scheduleRelayoutOfSubtree

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jan 26 15:25:21 PST 2012 

https://bugs.webkit.org/show_bug.cgi?id=77154

           Summary: Assertion in FrameView::scheduleRelayoutOfSubtree
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Layout and Rendering
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: dominicc at chromium.org
                CC: hyatt at apple.com, dglazkov at chromium.org


Specifically:

ASSERTION FAILED: !m_layoutRoot->container() || !m_layoutRoot->container()->needsLayout()
/WebKit/Source/WebCore/page/FrameView.cpp(2010) : void WebCore::FrameView::scheduleRelayoutOfSubtree(WebCore::RenderObject*)
1   0x102d52550 WebCore::FrameView::scheduleRelayoutOfSubtree(WebCore::RenderObject*)
2   0x103587140 WebCore::RenderObject::scheduleRelayout()
3   0x1035874f3 WebCore::RenderObject::markContainingBlocksForLayout(bool, WebCore::RenderObject*)
4   0x102b83146 WebCore::RenderObject::setNeedsLayout(bool, bool)
5   0x1034c6c4b WebCore::RenderObject::setNeedsLayoutAndPrefWidthsRecalc()
6   0x1035927db WebCore::RenderObjectChildList::removeChildNode(WebCore::RenderObject*, WebCore::RenderObject*, bool)
11  0x1034fc034 WebCore::RenderBoxModelObject::willBeDestroyed()
12  0x1034ee590 WebCore::RenderBox::willBeDestroyed()
13  0x10349e162 WebCore::RenderBlock::willBeDestroyed()
14  0x1035878f6 WebCore::RenderObject::destroy()
15  0x103592d36 WebCore::RenderObjectChildList::destroyLeftoverChildren()
16  0x10349e011 WebCore::RenderBlock::willBeDestroyed()
17  0x1035878f6 WebCore::RenderObject::destroy()
18  0x1033fab55 WebCore::Node::detach()
19  0x1029c7950 WebCore::ContainerNode::detach()
20  0x102ca72b9 WebCore::Element::detach()
21  0x102e12308 WebCore::HTMLFormControlElement::detach()
22  0x1029c792a WebCore::ContainerNode::detach()
23  0x102ca72b9 WebCore::Element::detach()
…

This repro is based on a fuzzer, posting it until I come up with a better one.

The repro constructs this DOM:

.afterSpan:after { content: counter(section); }
.afterDiv:after { content: counter(section); }
.nthChildSpan:nth-child(0) {}

<div id=”container”>
  <td>
    <textarea></textarea>
  </td>
  <div style=”counter-reset: section 0;”></div>
  <div style=”content: counter(section, decimal);”>
    <td style=”counter-reset: section 0;”></td>
  </div>
  <div class=”afterDiv”>
    <div style=”position: fixed”>
      <span class=”afterSpan”></span>
    </div>
  </div>
  <span class=”nthChildSpan”></span>
  <div></div>
</div>

The element traffic up to inserting <span class="afterSpan"> causes the first TD to be marked for layout. Then it removes the TEXTAREA. As the TEXTAREA is removed, it marks the shadow DIV as needing layout as part of the generic operation off RenderObjectChildList::removeChildNode. RenderObject::markContainingBlocksForLayout walks back up the tree to the TEXTAREA and marks it for layout, but stops there, because the TEXTAREA is a layout boundary (objectIsLayoutBoundary) and schedules the TEXTAREA for layout. The assertion fires because the TEXTAREA is scheduled for layout but the TD has needsLayout.

It looks like this assertion has been firing for some time (at least since mid last year.)

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list