[Webkit-unassigned] [Bug 224471] Release assert in Document::updateLayout() via HTMLTextAreaElement::childrenChanged

bugzilla-daemon at webkit.org
Tue Apr 20 19:37:12 PDT 2021


https://bugs.webkit.org/show_bug.cgi?id=224471

--- Comment #3 from Ryosuke Niwa <rniwa at webkit.org> ---
e.g.
ASSERTION FAILED: isSafeToUpdateStyleOrLayout(*this)
./dom/Document.cpp(2174) : void WebCore::Document::updateLayout()
1   0x6a2323d49 WTFCrash
2   0x6a2323d69 WTFCrashWithSecurityImplication
3   0x699daa33d WebCore::Document::updateLayout()
4   0x699dabc4e WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks)
5   0x69a02e2ee WebCore::VisiblePosition::canonicalPosition(WebCore::Position const&)
6   0x69a02e966 WebCore::VisiblePosition::VisiblePosition(WebCore::Position const&, WebCore::Affinity)
7   0x699fbd864 WebCore::FrameSelection::recomputeCaretRect()
8   0x699fb79b2 WebCore::FrameSelection::updateAppearance()
9   0x699fb76fc WebCore::FrameSelection::updateAndRevealSelection(WebCore::AXTextStateChangeIntent const&)
10  0x699f8c3fd WebCore::FrameSelection::setSelection(WebCore::VisibleSelection const&, WTF::OptionSet<WebCore::FrameSelection::SetSelectionOption>, WebCore::AXTextStateChangeIntent, WebCore::FrameSelection::CursorAlignOnScroll, WebCore::TextGranularity)
11  0x699fb4f06 WebCore::FrameSelection::moveWithoutValidationTo(WebCore::Position const&, WebCore::Position const&, bool, bool, WebCore::SelectionRevealMode, WebCore::AXTextStateChangeIntent const&)
12  0x69a1ca3c0 WebCore::HTMLTextFormControlElement::setSelectionRange(int, int, WebCore::TextFieldSelectionDirection, WebCore::SelectionRevealMode, WebCore::AXTextStateChangeIntent const&)
13  0x69a1cb9c5 WebCore::HTMLTextAreaElement::setValueCommon(WTF::String const&)
14  0x69a1c84b0 WebCore::HTMLTextAreaElement::childrenChanged(WebCore::ContainerNode::ChildChange const&)
15  0x699d6b201 WebCore::ContainerNode::removeAllChildrenWithScriptAssertion(WebCore::ContainerNode::ChildChange::Source, WebCore::ContainerNode::DeferChildrenChanged)
