[Webkit-unassigned] [Bug 127096] New: ASSERTION FAILED: ownerElement.contentFrame() == frame || !ownerElement.contentFrame() in WebCore::SubframeLoader::loadOrRedirectSubframe

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Jan 16 03:20:40 PST 2014


https://bugs.webkit.org/show_bug.cgi?id=127096

           Summary: ASSERTION FAILED: ownerElement.contentFrame() == frame
                    || !ownerElement.contentFrame() in
                    WebCore::SubframeLoader::loadOrRedirectSubframe
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Page Loading
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: reni at webkit.org
                CC: andersca at apple.com, sam at webkit.org
            Blocks: 116980


Created an attachment (id=221355)
 --> (https://bugs.webkit.org/attachment.cgi?id=221355&action=review)
Test case

Test case:

<embed code="foo1">
<iframe onload="document.designMode='on';
                document.execCommand('selectall');
                document.execCommand('italic');"></iframe>


This test is quite similar to the test case of https://bugs.webkit.org/show_bug.cgi?id=127092; it differs only in an <embed> tag at the beginning. However, the problem seems to be different.

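Backtrace (debug build; the SIGSEGV reported below is WTFCrash's deliberate write to 0xbbadbeef after the assertion fails, not an independent memory fault. What a release build, where this ASSERT is compiled out, does on the same input is not shown here):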

ASSERTION FAILED: ownerElement.contentFrame() == frame || !ownerElement.contentFrame()
/home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/SubframeLoader.cpp(331) : WebCore::Frame* WebCore::SubframeLoader::loadOrRedirectSubframe(WebCore::HTMLFrameOwnerElement&, const WebCore::URL&, const WTF::AtomicString&, bool, bool)
1   0x7ffff5c35e44 WTFCrash
2   0x7ffff13df226 WebCore::SubframeLoader::loadOrRedirectSubframe(WebCore::HTMLFrameOwnerElement&, WebCore::URL const&, WTF::AtomicString const&, bool, bool)
3   0x7ffff13ddea3 WebCore::SubframeLoader::requestFrame(WebCore::HTMLFrameOwnerElement&, WTF::String const&, WTF::AtomicString const&, bool, bool)
4   0x7ffff1128762 WebCore::HTMLFrameElementBase::openURL(bool, bool)
5   0x7ffff1128bd6 WebCore::HTMLFrameElementBase::setNameAndOpenURL()
6   0x7ffff1128ca1 WebCore::HTMLFrameElementBase::didNotifySubtreeInsertions(WebCore::ContainerNode*)
7   0x7ffff0ef7f1a WebCore::ChildNodeInsertionNotifier::notify(WebCore::Node&)
8   0x7ffff0ef6cae WebCore::ContainerNode::updateTreeAfterInsertion(WebCore::Node&)
9   0x7ffff0ef50bc WebCore::ContainerNode::appendChild(WTF::PassRefPtr<WebCore::Node>, int&)
10  0x7ffff100bb77 WebCore::AppendNodeCommand::doApply()
11  0x7ffff101eaf8 WebCore::CompositeEditCommand::applyCommandToComposite(WTF::PassRefPtr<WebCore::EditCommand>)
12  0x7ffff101f81e WebCore::CompositeEditCommand::appendNode(WTF::PassRefPtr<WebCore::Node>, WTF::PassRefPtr<WebCore::ContainerNode>)
13  0x7ffff10165cb WebCore::ApplyStyleCommand::surroundNodeRangeWithElement(WTF::PassRefPtr<WebCore::Node>, WTF::PassRefPtr<WebCore::Node>, WTF::PassRefPtr<WebCore::Element>)
14  0x7ffff1017b3a WebCore::ApplyStyleCommand::applyInlineStyleChange(WTF::PassRefPtr<WebCore::Node>, WTF::PassRefPtr<WebCore::Node>, WebCore::StyleChange&, WebCore::ApplyStyleCommand::EAddStyledElement)
15  0x7ffff1013042 WebCore::ApplyStyleCommand::applyInlineStyleToNodeRange(WebCore::EditingStyle*, WTF::PassRefPtr<WebCore::Node>, WTF::PassRefPtr<WebCore::Node>)
16  0x7ffff10125d6 WebCore::ApplyStyleCommand::fixRangeAndApplyInlineStyle(WebCore::EditingStyle*, WebCore::Position const&, WebCore::Position const&)
17  0x7ffff10121e8 WebCore::ApplyStyleCommand::applyInlineStyle(WebCore::EditingStyle*)
18  0x7ffff100f123 WebCore::ApplyStyleCommand::doApply()
19  0x7ffff101e8b8 WebCore::CompositeEditCommand::apply()
20  0x7ffff101e6b0 WebCore::applyCommand(WTF::PassRefPtr<WebCore::CompositeEditCommand>)
21  0x7ffff104277a WebCore::Editor::applyStyle(WebCore::StyleProperties*, WebCore::EditAction)
22  0x7ffff1052e98
23  0x7ffff1053540
24  0x7ffff1056da3
25  0x7ffff1058205 WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const
26  0x7ffff0f1afaa WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&)
27  0x7ffff1dc34f3 WebCore::jsDocumentPrototypeFunctionExecCommand(JSC::ExecState*)
28  0x7fff9dc5c0e5

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff5c35e49 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:333
333        *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x00007ffff5c35e49 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:333
#1  0x00007ffff13df226 in WebCore::SubframeLoader::loadOrRedirectSubframe (this=0x8bc7f0, ownerElement=..., url=..., frameName=..., lockHistory=true, 
    lockBackForwardList=true) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/SubframeLoader.cpp:331
#2  0x00007ffff13ddea3 in WebCore::SubframeLoader::requestFrame (this=0x8bc7f0, ownerElement=..., urlString=..., frameName=..., lockHistory=true, 
    lockBackForwardList=true) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/SubframeLoader.cpp:90
#3  0x00007ffff1128762 in WebCore::HTMLFrameElementBase::openURL (this=0x11c91b0, lockHistory=true, lockBackForwardList=true)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/HTMLFrameElementBase.cpp:89
#4  0x00007ffff1128bd6 in WebCore::HTMLFrameElementBase::setNameAndOpenURL (this=0x11c91b0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/HTMLFrameElementBase.cpp:142
#5  0x00007ffff1128ca1 in WebCore::HTMLFrameElementBase::didNotifySubtreeInsertions (this=0x11c91b0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/HTMLFrameElementBase.cpp:167
#6  0x00007ffff0ef7f1a in WebCore::ChildNodeInsertionNotifier::notify (this=0x7fffff823810, node=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/ContainerNodeAlgorithms.h:234
#7  0x00007ffff0ef6cae in WebCore::ContainerNode::updateTreeAfterInsertion (this=0x2e7e070, child=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/ContainerNode.cpp:1058
#8  0x00007ffff0ef50bc in WebCore::ContainerNode::appendChild (this=0x2e7e070, newChild=..., ec=@0x7fffff823960: 0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/ContainerNode.cpp:720
#9  0x00007ffff100bb77 in WebCore::AppendNodeCommand::doApply (this=0x2eabd50)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/AppendNodeCommand.cpp:65
#10 0x00007ffff101eaf8 in WebCore::CompositeEditCommand::applyCommandToComposite (this=0x2ea8e20, prpCommand=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:278
#11 0x00007ffff101f81e in WebCore::CompositeEditCommand::appendNode (this=0x2ea8e20, node=..., parent=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:397
#12 0x00007ffff10165cb in WebCore::ApplyStyleCommand::surroundNodeRangeWithElement (this=0x2ea8e20, passedStartNode=..., endNode=..., elementToInsert=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/ApplyStyleCommand.cpp:1362
#13 0x00007ffff1017b3a in WebCore::ApplyStyleCommand::applyInlineStyleChange (this=0x2ea8e20, passedStart=..., passedEnd=..., styleChange=..., 
    addStyledElement=WebCore::ApplyStyleCommand::AddStyledElement) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/ApplyStyleCommand.cpp:1498
#14 0x00007ffff1013042 in WebCore::ApplyStyleCommand::applyInlineStyleToNodeRange (this=0x2ea8e20, style=0x2ea99a0, startNode=..., pastEndNode=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/ApplyStyleCommand.cpp:832
#15 0x00007ffff10125d6 in WebCore::ApplyStyleCommand::fixRangeAndApplyInlineStyle (this=0x2ea8e20, style=0x2ea99a0, start=..., end=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/ApplyStyleCommand.cpp:717
#16 0x00007ffff10121e8 in WebCore::ApplyStyleCommand::applyInlineStyle (this=0x2ea8e20, style=0x2ea99a0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/ApplyStyleCommand.cpp:680
#17 0x00007ffff100f123 in WebCore::ApplyStyleCommand::doApply (this=0x2ea8e20)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/ApplyStyleCommand.cpp:220
#18 0x00007ffff101e8b8 in WebCore::CompositeEditCommand::apply (this=0x2ea8e20)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:227
#19 0x00007ffff101e6b0 in WebCore::applyCommand (command=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/CompositeEditCommand.cpp:182
#20 0x00007ffff104277a in WebCore::Editor::applyStyle (this=0x7c8620, style=0x2eac240, editingAction=WebCore::EditActionUnspecified)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/Editor.cpp:982
#21 0x00007ffff1052e98 in WebCore::applyCommandToFrame (frame=..., source=WebCore::CommandFromDOM, action=WebCore::EditActionItalics, style=0x2eac240)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/EditorCommand.cpp:110
#22 0x00007ffff1053540 in WebCore::executeToggleStyle (frame=..., source=WebCore::CommandFromDOM, action=WebCore::EditActionItalics, 
    propertyID=WebCore::CSSPropertyFontStyle, offValue=0x7ffff25e5a84 "normal", onValue=0x7ffff25e5a8b "italic")
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/EditorCommand.cpp:171
#23 0x00007ffff1056da3 in WebCore::executeToggleItalic (frame=..., source=WebCore::CommandFromDOM)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/EditorCommand.cpp:1119
#24 0x00007ffff1058205 in WebCore::Editor::Command::execute (this=0x7fffff824720, parameter=..., triggeringEvent=0x0)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/editing/EditorCommand.cpp:1744
#25 0x00007ffff0f1afaa in WebCore::Document::execCommand (this=0x11c2860, commandName=..., userInterface=false, value=...)
    at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:4215
#26 0x00007ffff1dc34f3 in WebCore::jsDocumentPrototypeFunctionExecCommand (exec=0x7fff8ffe6ec0)
    at /home/reni/Data/REPOS/webkit_sec/WebKitBuild/Debug/DerivedSources/WebCore/JSDocument.cpp:3369
#27 0x00007fff9dc5c0e5 in ?? ()
---Type <return> to continue, or q <return> to quit---
#28 0x00007fff8ffe6f10 in ?? ()
#29 0x00007fff9dc5cbc5 in ?? ()
#30 0x00007fff9dc5ca00 in ?? ()
#31 0x0000000001141898 in ?? ()
#32 0x0000000000000001 in ?? ()
#33 0x0000000000000001 in ?? ()
#34 0x00000000011c9230 in ?? ()
#35 0x0000000000000000 in ?? ()
