136326 2014-08-27 18:13:05 -0700 Crash in new multicolumn code when interacting with position: absolute 2017-11-14 02:21:45 -0800 1 1 1 Unclassified WebKit MathML 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 jeffrey+webkit hyatt alex fred.wang oldest_to_newest 1031868 0 237277 jeffrey+webkit 2014-08-27 18:13:05 -0700 Created attachment 237277 Repro The attached simple test case will cause ToT to crash with a null deref. The test case appears to involve creating a MathML element with position: absolute that interacts poorly with the new multicolumn code. A debug build spits out the following backtrace when it hits an assertion: ASSERTION FAILED: isRenderView() || (region && flowThread) /Volumes/Share/Safari/Staging/Source/WebCore/rendering/RenderBox.cpp(140) : WebCore::RenderRegion *WebCore::RenderBox::clampToStartAndEndRegions(WebCore::RenderRegion *) const 1 0x10f1ef790 WTFCrash 2 0x113fc693f WebCore::RenderBox::clampToStartAndEndRegions(WebCore::RenderRegion*) const 3 0x113fdb199 WebCore::computeInlineStaticDistance(WebCore::Length&, WebCore::Length&, WebCore::RenderBox const*, WebCore::RenderBoxModelObject const*, WebCore::LayoutUnit, WebCore::RenderRegion*) 4 0x113fd3ffa WebCore::RenderBox::computePositionedLogicalWidth(WebCore::RenderBox::LogicalExtentComputedValues&, WebCore::RenderRegion*) const 5 0x113fd3176 WebCore::RenderBox::computeLogicalWidthInRegion(WebCore::RenderBox::LogicalExtentComputedValues&, WebCore::RenderRegion*) const 6 0x113fc72f2 WebCore::RenderBox::renderBoxRegionInfo(WebCore::RenderRegion*, WebCore::RenderBox::RenderBoxRegionInfoFlags) const 7 0x113fc732e WebCore::RenderBox::renderBoxRegionInfo(WebCore::RenderRegion*, WebCore::RenderBox::RenderBoxRegionInfoFlags) const 8 0x113fc6e89 WebCore::RenderBox::borderBoxRectInRegion(WebCore::RenderRegion*, WebCore::RenderBox::RenderBoxRegionInfoFlags) const 9 0x1141668bc WebCore::RenderRegion::layoutOverflowRectForBoxForPropagation(WebCore::RenderBox const*) 10 0x1140458bf WebCore::RenderFlowThread::addRegionsOverflowFromChild(WebCore::RenderBox const*, WebCore::RenderBox const*, WebCore::LayoutSize const&) 11 0x113fdfff6 WebCore::RenderBox::addOverflowFromChild(WebCore::RenderBox*, WebCore::LayoutSize const&) 12 0x113f73601 WebCore::RenderBox::addOverflowFromChild(WebCore::RenderBox*) 13 0x113f5f165 WebCore::RenderBlock::addOverflowFromBlockChildren() 14 0x113f5f07a WebCore::RenderBlock::addOverflowFromChildren() 15 0x113f5f1ed WebCore::RenderBlock::computeOverflow(WebCore::LayoutUnit, bool) 16 0x114035783 WebCore::RenderFlexibleBox::layoutBlock(bool, WebCore::LayoutUnit) 17 0x113f5edad WebCore::RenderBlock::layout() 18 0x1141239b3 WebCore::RenderMathMLRow::layout() 19 0x114123446 WebCore::RenderMathMLRow::layout() 20 0x1130a58dc WebCore::RenderElement::layoutIfNeeded() 21 0x113fb8e3f WebCore::RenderBlockFlow::layoutLineBoxes(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) 22 0x113f94823 WebCore::RenderBlockFlow::layoutInlineChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) 23 0x113f9380a WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) 24 0x113f5edad WebCore::RenderBlock::layout() 25 0x11403f72b WebCore::RenderFlowThread::layout() 26 0x11412de25 WebCore::RenderMultiColumnFlowThread::layout() 27 0x113fa750f WebCore::RenderBlockFlow::layoutSpecialExcludedChild(bool) 28 0x113f9494f WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) 29 0x113f9382d WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) 30 0x113f5edad WebCore::RenderBlock::layout() 31 0x113f9711c WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) <rdar://problem/18143573> 1174381 1 fred.wang 2016-03-14 03:30:26 -0700 Is it still a problem? (I also wonder whether it will disappear after the MathML refactoring) 1371346 2 fred.wang 2017-11-14 02:21:45 -0800 The testcase does not exhibit any crash for me on trunk. Also, after https://trac.webkit.org/wiki/MathML/Early_2016_Refactoring#Phase1 MathML is no longer implemented with flexbox (so WebCore::RenderFlexibleBox::layoutBlock won't be called) and is much stricter with invalid markup (as in the testcase). So I'm resolving this as FIXED. 237277 2014-08-27 18:13:05 -0700 2014-08-27 18:13:05 -0700 Repro multicol-pos-absolute-crash.html text/html 170 jeffrey+webkit PCFET0NUWVBFIGh0bWw+PGh0bWw+Cjxib2R5Pgo8ZGl2IHN0eWxlPSItd2Via2l0LWNvbHVtbi1h eGlzOiB2ZXJ0aWNhbDsiPgo8bWF0aD4KPG1yb3cgc3R5bGU9InBvc2l0aW9uOiBhYnNvbHV0ZTsi Pgo8bXN1cD4KPC9tc3VwPgo8L21yb3c+CjwvbWF0aD4KPC9kaXY+CjwvYm9keT4KPC9odG1sPgo=