The following test hits the assertion above (it does not, however, crash on the trunk EFL build). In the backtrace below the assertion fires in a nested FrameView::layout (frame #1) entered through RenderIFrame::layout / RenderFrameBase::layoutWithFlattening, while the outer layout (frame #19) was itself started from Document::implicitClose after the RemoveFormat command removed an element and detached its child frame (frames #30–#37):
<html>
<big>
<object>
</big>
<iframe height="50%"></iframe>
<iframe srcdoc="foo"
onload="document.designMode='on';
document.execCommand('selectall');
document.execCommand('RemoveFormat');"></iframe>
<iframe srcdoc="dummy"></iframe>
</html>
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffa6be0700 (LWP 31244)]
0x00007ffff4af0ac1 in WTFCrash () at /home/reni/Data/REPOS/webkitnix/Source/WTF/wtf/Assertions.cpp:342
342 *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0 0x00007ffff4af0ac1 in WTFCrash () at /home/reni/Data/REPOS/webkitnix/Source/WTF/wtf/Assertions.cpp:342
#1 0x00007ffff3732a5b in WebCore::FrameView::layout (this=0x7ef220, allowSubtree=true)
at /home/reni/Data/REPOS/webkitnix/Source/WebCore/page/FrameView.cpp:1109
#2 0x00007ffff3a9515d in WebCore::RenderFrameBase::layoutWithFlattening (this=0x84f2a0, hasFixedWidth=false, hasFixedHeight=false)
at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderFrameBase.cpp:63
#3 0x00007ffff3aa8a59 in WebCore::RenderIFrame::layout (this=0x84f2a0) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderIFrame.cpp:169
#4 0x00007ffff399219d in WebCore::RenderElement::layoutIfNeeded (this=0x84f2a0)
at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderElement.h:99
#5 0x00007ffff3a0efa5 in WebCore::RenderBlockFlow::layoutLineBoxes (this=0x7fc150, relayoutChildren=false, repaintLogicalTop=..., repaintLogicalBottom=...)
at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderBlockLineLayout.cpp:1910
#6 0x00007ffff39f25a4 in WebCore::RenderBlockFlow::layoutInlineChildren (this=0x7fc150, relayoutChildren=false, repaintLogicalTop=...,
repaintLogicalBottom=...) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderBlockFlow.cpp:532
#7 0x00007ffff39f18d5 in WebCore::RenderBlockFlow::layoutBlock (this=0x7fc150, relayoutChildren=false, pageLogicalHeight=<incomplete type>)
at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderBlockFlow.cpp:357
#8 0x00007ffff39c422f in WebCore::RenderBlock::layout (this=0x7fc150) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderBlock.cpp:1292
#9 0x00007ffff39f2986 in WebCore::RenderBlockFlow::layoutBlockChild (this=0x7fc540, child=..., marginInfo=..., previousFloatLogicalBottom=...,
maxFloatLogicalBottom=...) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderBlockFlow.cpp:593
#10 0x00007ffff39f24a2 in WebCore::RenderBlockFlow::layoutBlockChildren (this=0x7fc540, relayoutChildren=false, maxFloatLogicalBottom=...)
at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderBlockFlow.cpp:512
#11 0x00007ffff39f18f9 in WebCore::RenderBlockFlow::layoutBlock (this=0x7fc540, relayoutChildren=false, pageLogicalHeight=<incomplete type>)
at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderBlockFlow.cpp:359
#12 0x00007ffff39c422f in WebCore::RenderBlock::layout (this=0x7fc540) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderBlock.cpp:1292
#13 0x00007ffff39f2986 in WebCore::RenderBlockFlow::layoutBlockChild (this=0x6ba590, child=..., marginInfo=..., previousFloatLogicalBottom=...,
maxFloatLogicalBottom=...) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderBlockFlow.cpp:593
#14 0x00007ffff39f24a2 in WebCore::RenderBlockFlow::layoutBlockChildren (this=0x6ba590, relayoutChildren=false, maxFloatLogicalBottom=...)
at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderBlockFlow.cpp:512
#15 0x00007ffff39f18f9 in WebCore::RenderBlockFlow::layoutBlock (this=0x6ba590, relayoutChildren=false, pageLogicalHeight=<incomplete type>)
at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderBlockFlow.cpp:359
#16 0x00007ffff39c422f in WebCore::RenderBlock::layout (this=0x6ba590) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderBlock.cpp:1292
#17 0x00007ffff3b89f27 in WebCore::RenderView::layoutContent (this=0x6ba590, state=...)
at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderView.cpp:152
#18 0x00007ffff3b8aae2 in WebCore::RenderView::layout (this=0x6ba590) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/rendering/RenderView.cpp:338
#19 0x00007ffff37333bd in WebCore::FrameView::layout (this=0x7faaf0, allowSubtree=true)
at /home/reni/Data/REPOS/webkitnix/Source/WebCore/page/FrameView.cpp:1255
#20 0x00007ffff320a588 in WebCore::Document::implicitClose (this=0x8a1470) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/dom/Document.cpp:2415
#21 0x00007ffff3632b01 in WebCore::FrameLoader::checkCallImplicitClose (this=0x7a1778)
at /home/reni/Data/REPOS/webkitnix/Source/WebCore/loader/FrameLoader.cpp:850
#22 0x00007ffff3632895 in WebCore::FrameLoader::checkCompleted (this=0x7a1778) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/loader/FrameLoader.cpp:793
#23 0x00007ffff3633766 in WebCore::FrameLoader::completed (this=0x83a9e8) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/loader/FrameLoader.cpp:1100
#24 0x00007ffff36328b8 in WebCore::FrameLoader::checkCompleted (this=0x83a9e8) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/loader/FrameLoader.cpp:797
#25 0x00007ffff363a908 in WebCore::FrameLoader::receivedMainResourceError (this=0x83a9e8, error=...)
at /home/reni/Data/REPOS/webkitnix/Source/WebCore/loader/FrameLoader.cpp:2638
#26 0x00007ffff3613970 in WebCore::DocumentLoader::mainReceivedError (this=0x775cb0, error=...)
at /home/reni/Data/REPOS/webkitnix/Source/WebCore/loader/DocumentLoader.cpp:243
#27 0x00007ffff3618263 in WebCore::DocumentLoader::cancelMainResourceLoad (this=0x775cb0, resourceError=...)
at /home/reni/Data/REPOS/webkitnix/Source/WebCore/loader/DocumentLoader.cpp:1436
#28 0x00007ffff3613b51 in WebCore::DocumentLoader::stopLoading (this=0x775cb0)
at /home/reni/Data/REPOS/webkitnix/Source/WebCore/loader/DocumentLoader.cpp:298
#29 0x00007ffff3636315 in WebCore::FrameLoader::stopAllLoaders (this=0x83a9e8, clearProvisionalItemPolicy=WebCore::ShouldClearProvisionalItem)
at /home/reni/Data/REPOS/webkitnix/Source/WebCore/loader/FrameLoader.cpp:1583
#30 0x00007ffff363972d in WebCore::FrameLoader::frameDetached (this=0x83a9e8) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/loader/FrameLoader.cpp:2386
#31 0x00007ffff3413676 in WebCore::HTMLFrameOwnerElement::disconnectContentFrame (this=0x85de00)
at /home/reni/Data/REPOS/webkitnix/Source/WebCore/html/HTMLFrameOwnerElement.cpp:86
#32 0x00007ffff31f35c6 in WebCore::ChildFrameDisconnector::disconnectCollectedFrameOwners (this=0x7fffffffbee0)
at /home/reni/Data/REPOS/webkitnix/Source/WebCore/dom/ContainerNodeAlgorithms.h:318
#33 0x00007ffff31f369e in WebCore::ChildFrameDisconnector::disconnect (this=0x7fffffffbee0, policy=WebCore::ChildFrameDisconnector::RootAndDescendants)
at /home/reni/Data/REPOS/webkitnix/Source/WebCore/dom/ContainerNodeAlgorithms.h:338
#34 0x00007ffff31ef96e in WebCore::willRemoveChild (child=...) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/dom/ContainerNode.cpp:503
#35 0x00007ffff31efc55 in WebCore::ContainerNode::removeChild (this=0x7fbf70, oldChild=0x7ef7d0, ec=@0x7fffffffc040: 0)
at /home/reni/Data/REPOS/webkitnix/Source/WebCore/dom/ContainerNode.cpp:568
#36 0x00007ffff329efa4 in WebCore::Node::remove (this=0x7ef7d0, ec=@0x7fffffffc040: 0) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/dom/Node.cpp:487
#37 0x00007ffff336b330 in WebCore::RemoveNodeCommand::doApply (this=0x87ba20)
at /home/reni/Data/REPOS/webkitnix/Source/WebCore/editing/RemoveNodeCommand.cpp:55
#38 0x00007ffff330fb3c in WebCore::CompositeEditCommand::applyCommandToComposite (this=0x87b5b0, prpCommand=<incomplete type>)
at /home/reni/Data/REPOS/webkitnix/Source/WebCore/editing/CompositeEditCommand.cpp:262
#39 0x00007ffff3310a55 in WebCore::CompositeEditCommand::removeNode (this=0x87b5b0, node=<incomplete type>,
shouldAssumeContentIsAlwaysEditable=WebCore::DoNotAssumeContentIsAlwaysEditable)
at /home/reni/Data/REPOS/webkitnix/Source/WebCore/editing/CompositeEditCommand.cpp:400
#40 0x00007ffff336b7b3 in WebCore::RemoveNodePreservingChildrenCommand::doApply (this=0x87b5b0)
at /home/reni/Data/REPOS/webkitnix/Source/WebCore/editing/RemoveNodePreservingChildrenCommand.cpp:51
#41 0x00007ffff330fb3c in WebCore::CompositeEditCommand::applyCommandToComposite (this=0x87af60, prpCommand=<incomplete type>)
at /home/reni/Data/REPOS/webkitnix/Source/WebCore/editing/CompositeEditCommand.cpp:262
#42 0x00007ffff3310ae0 in WebCore::CompositeEditCommand::removeNodePreservingChildren (this=0x87af60, node=<incomplete type>,
shouldAssumeContentIsAlwaysEditable=WebCore::DoNotAssumeContentIsAlwaysEditable)
at /home/reni/Data/REPOS/webkitnix/Source/WebCore/editing/CompositeEditCommand.cpp:405
#43 0x00007ffff33044d5 in WebCore::ApplyStyleCommand::removeInlineStyleFromElement (this=0x87af60, style=0x7fc350, element=<incomplete type>,
mode=WebCore::ApplyStyleCommand::RemoveIfNeeded, extractedStyle=0x87b590)
at /home/reni/Data/REPOS/webkitnix/Source/WebCore/editing/ApplyStyleCommand.cpp:890
#44 0x00007ffff3305175 in WebCore::ApplyStyleCommand::pushDownInlineStyleAroundNode (this=0x87af60, style=0x7fc350, targetNode=0x7ee800)
at /home/reni/Data/REPOS/webkitnix/Source/WebCore/editing/ApplyStyleCommand.cpp:1051
#45 0x00007ffff33057c3 in WebCore::ApplyStyleCommand::removeInlineStyle (this=0x87af60, style=0x7fc350, start=..., end=...)
at /home/reni/Data/REPOS/webkitnix/Source/WebCore/editing/ApplyStyleCommand.cpp:1104
#46 0x00007ffff3302a12 in WebCore::ApplyStyleCommand::applyInlineStyle (this=0x87af60, style=0x7fc350)
at /home/reni/Data/REPOS/webkitnix/Source/WebCore/editing/ApplyStyleCommand.cpp:630
#47 0x00007ffff32ffe57 in WebCore::ApplyStyleCommand::doApply (this=0x87af60)
at /home/reni/Data/REPOS/webkitnix/Source/WebCore/editing/ApplyStyleCommand.cpp:220
#48 0x00007ffff330fb3c in WebCore::CompositeEditCommand::applyCommandToComposite (this=0x838700, prpCommand=<incomplete type>)
at /home/reni/Data/REPOS/webkitnix/Source/WebCore/editing/CompositeEditCommand.cpp:262
#49 0x00007ffff336afc5 in WebCore::RemoveFormatCommand::doApply (this=0x838700)
at /home/reni/Data/REPOS/webkitnix/Source/WebCore/editing/RemoveFormatCommand.cpp:92
#50 0x00007ffff330f8fc in WebCore::CompositeEditCommand::apply (this=0x838700)
at /home/reni/Data/REPOS/webkitnix/Source/WebCore/editing/CompositeEditCommand.cpp:211
#51 0x00007ffff330f6fc in WebCore::applyCommand (command=<incomplete type>)
at /home/reni/Data/REPOS/webkitnix/Source/WebCore/editing/CompositeEditCommand.cpp:170
#52 0x00007ffff3333335 in WebCore::Editor::removeFormattingAndStyle (this=0x7a1e90) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/editing/Editor.cpp:700
#53 0x00007ffff3347652 in WebCore::executeRemoveFormat (frame=...) at /home/reni/Data/REPOS/webkitnix/Source/WebCore/editing/EditorCommand.cpp:977
#54 0x00007ffff33491af in WebCore::Editor::Command::execute (this=0x7fffffffc9d0, parameter=..., triggeringEvent=0x0)
at /home/reni/Data/REPOS/webkitnix/Source/WebCore/editing/EditorCommand.cpp:1713
#55 0x00007ffff32106ac in WebCore::Document::execCommand (this=0x8a1470, commandName=..., userInterface=false, value=...)
at /home/reni/Data/REPOS/webkitnix/Source/WebCore/dom/Document.cpp:4110
#56 0x00007ffff3fab309 in WebCore::jsDocumentPrototypeFunctionExecCommand (exec=0x7fffa37fef50)
at /home/reni/Data/REPOS/webkitnix/WebKitBuild/Debug/DerivedSources/WebCore/JSDocument.cpp:2705
#57 0x00007fffaa282105 in ?? ()
#58 0x00007fffffffcb10 in ?? ()
#59 0x00007ffff4875638 in llint_op_call () from /home/reni/Data/REPOS/webkitnix/WebKitBuild/Debug/lib/libWebKitNix.so.0
#60 0x00007fffaa282940 in ?? ()
#61 0x000000000068a4e8 in ?? ()
#62 0x0000000000611920 in ?? ()
#63 0x00007ffff081b9a0 in thread_context_stack () from /home/reni/Data/REPOS/webkitnix/WebKitBuild/Dependencies/Root/lib64/libglib-2.0.so.0
#64 0x00000000008cc700 in ?? ()
#65 0x00007ffff3615de2 in WebCore::DocumentLoader::commitData (this=0x7fffaa2820c0, bytes=0x7fffa37fef98 "\001", length=140737488341616)
at /home/reni/Data/REPOS/webkitnix/Source/WebCore/loader/DocumentLoader.cpp:816
#66 0x00007fffffffcb60 in ?? ()
#67 0x00007ffff45f340e in JSC::JITCode::execute (this=0x458b48014dacdfe8, stack=0x14da99de801b0bf, callFrame=0x4b3d8d480000032e, vm=0xbe01b15497158d48)
at /home/reni/Data/REPOS/webkitnix/Source/JavaScriptCore/jit/JITCode.cpp:46
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
The following test hits the assertion above (it does not, however, crash on the trunk EFL build):
Backtrace: