235574 2022-01-25 04:25:52 -0800 ASSERTION FAILED: outer.contains(inner) ../../Source/WebCore/rendering/style/NinePieceImage.cpp(129) 2022-02-01 04:26:21 -0800 1 1 1 Unclassified WebKit WebCore Misc. WebKit Nightly Build Unspecified Unspecified NEW InRadar P2 Normal --- 1 alset0326 webkit-unassigned simon.fraser webkit-bug-importer zalan oldest_to_newest 1833665 0 449915 alset0326 2022-01-25 04:25:52 -0800 Created attachment 449915 the html trigger crash 1. build a debug webkit 2. open html 3. crash ASSERTION FAILED: outer.contains(inner) ../../Source/WebCore/rendering/style/NinePieceImage.cpp(129) : static WTF::Vector<WebCore::FloatRect> WebCore::NinePieceImage::computeNineRects(const WebCore::FloatRect&, const LayoutB oxExtent&, float) 1 0x7fac915b0964 WTFReportBacktrace 2 0x7fac915b0c01 WTFCrash 3 0x7facab0a7ba1 WTF::CrashOnOverflow::overflowed() 4 0x7facb4f34707 WebCore::NinePieceImage::computeNineRects(WebCore::FloatRect const&, WebCore::RectEdges<WebCore::LayoutUnit> const&, float) 5 0x7facb4f379a7 WebCore::NinePieceImage::paint(WebCore::GraphicsContext&, WebCore::RenderElement*, WebCore::RenderStyle const&, WebCore::LayoutRect const&, WebCore::LayoutSize const &, float, WebCore::CompositeOperator) const 6 0x7facb494f122 WebCore::RenderBoxModelObject::paintNinePieceImage(WebCore::GraphicsContext&, WebCore::LayoutRect const&, WebCore::RenderStyle const&, WebCore::NinePieceImage const& , WebCore::CompositeOperator) 7 0x7facb49562d6 WebCore::RenderBoxModelObject::paintBorder(WebCore::PaintInfo const&, WebCore::LayoutRect const&, WebCore::RenderStyle const&, WebCore::BackgroundBleedAvoidance, boo l, bool) 8 0x7facb48fb042 WebCore::RenderBox::paintBoxDecorations(WebCore::PaintInfo&, WebCore::LayoutPoint const&) 9 0x7facb47e921d WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&) 10 0x7facb47e7563 WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&) 11 0x7facb4b1099c WebCore::RenderLayer::paintBackgroundForFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WebCore::GraphicsCont ext&, WebCore::GraphicsContext&, WebCore::LayoutRect const&, bool, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::PaintBehavior>, WebCore::RenderObject*) 12 0x7facb4b0b541 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFl ag>) 13 0x7facb4b06b08 WebCore::RenderLayer::paintLayerContentsAndReflection(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer: :PaintLayerFlag>) 14 0x7facb4b06517 WebCore::RenderLayer::paintLayerWithEffects(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLaye rFlag>) 15 0x7facb4b056f0 WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) 16 0x7facb4b0d7a4 WebCore::RenderLayer::paintList(WebCore::RenderLayer::LayerList, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::R enderLayer::PaintLayerFlag>) 17 0x7facb4b0b915 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFl ag>) 18 0x7facb4b58b0f /home/lxc/fuzz/webkit/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0x1e113b0f) [0x7facb4b58b0f] 19 0x7facb4b59539 WebCore::RenderLayerBacking::paintIntoLayer(WebCore::GraphicsLayer const*, WebCore::GraphicsContext&, WebCore::IntRect const&, WTF::OptionSet<WebCore::PaintBehavior> , WebCore::EventRegionContext*) 20 0x7facb4b5b4d0 WebCore::RenderLayerBacking::paintContents(WebCore::GraphicsLayer const*, WebCore::GraphicsContext&, WebCore::FloatRect const&, unsigned int) 21 0x7facb4034f37 WebCore::GraphicsLayer::paintGraphicsLayerContents(WebCore::GraphicsContext&, WebCore::FloatRect const&, unsigned int) 22 0x7facae45a84a /home/lxc/fuzz/webkit/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0x17a1584a) [0x7facae45a84a] 23 0x7facae45af58 /home/lxc/fuzz/webkit/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0x17a15f58) [0x7facae45af58] 24 0x7facae45ad6e Nicosia::PaintingEngineBasic::paint(WebCore::GraphicsLayer&, WTF::Ref<Nicosia::Buffer, WTF::RawPtrTraits<Nicosia::Buffer> >&&, WebCore::IntRect const&, WebCore::IntR ect const&, WebCore::IntRect const&, float) 25 0x7facae43378f WebCore::CoordinatedGraphicsLayer::updateContentBuffers() 26 0x7facae4323e2 WebCore::CoordinatedGraphicsLayer::updateContentBuffersIncludingSubLayers() 1835912 1 webkit-bug-importer 2022-02-01 04:26:21 -0800 <rdar://problem/88322193> 449915 2022-01-25 04:25:52 -0800 2022-01-25 04:25:52 -0800 the html trigger crash index.html text/html 275 alset0326 PCFET0NUWVBFIGh0bWw+CjxodG1sIGlkPSJodG1sIj4KCjxzY3JpcHQ+CiAKICAgIG5vZGVfMD1k b2N1bWVudC5nZXRFbGVtZW50QnlJZCgnaHRtbCcpCiAgICBfOTUgPSAnbGluZWFyLWdyYWRpZW50 KHJlZCxcdXsyMH1ibHVlKVx1ezIwfTM0MTkxMDU1MDA5MzAwMTYwMDAwMFx1ezIwfS9cdXsyMH04 NjUxMDI3MjMyOTQzMjQ3MDAwMHB4Jztub2RlXzAuc3R5bGUuYm9yZGVySW1hZ2UgPSBfOTU7CiAg ICAvLyBhbGVydChub2RlXzAuY2xhc3NOYW1lKQo8L3NjcmlwdD4KCjwvaHRtbD4=