Bug 125781

Summary:

ASSERT_NOT_REACHED() is fired in WebCore::minimumValueForLength

Product:

WebKit

Reporter:

Renata Hodovan <rhodovan.u-szeged>

Component:

CSS

Assignee:

zalan <zalan>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

bfulgham, commit-queue, eae, esprehn+autocc, glenn, joethomas, koivisto, kondapallykalyan, simon.fraser, webkit-bug-importer, zalan

Priority:

Keywords:

InRadar

Version:

528+ (Nightly build)

Hardware:

Unspecified

OS:

Unspecified

See Also:

https://bugs.webkit.org/show_bug.cgi?id=155516

Bug Depends on:

Bug Blocks:

116980

Attachments:

Description	Flags
Test case	none
Patch	none
Patch	none

Renata Hodovan

Reported 2013-12-16 07:38:33 PST

Created attachment 219318 [details] Test case Minimalized test case: <table style="-webkit-writing-mode: vertical-rl;"> <tr style="width: -webkit-min-content;"></tr> </table> Backtrace: SHOULD NEVER BE REACHED /home/reni/Data/REPOS/webkit_sec/Source/WebCore/css/LengthFunctions.cpp(85) : WebCore::LayoutUnit WebCore::minimumValueForLength(const WebCore::Length&, WebCore::LayoutUnit, WebCore::RenderView*, bool) 1 0x7ffff5c61178 WTFCrash 2 0x7ffff0fe313f WebCore::minimumValueForLength(WebCore::Length const&, WebCore::LayoutUnit, WebCore::RenderView*, bool) 3 0x7ffff18b43dd WebCore::RenderElement::minimumValueForLength(WebCore::Length const&, WebCore::LayoutUnit, bool) const 4 0x7ffff1a3f3d8 WebCore::RenderTableSection::calcRowLogicalHeight() 5 0x7ffff1a2b862 WebCore::RenderTable::layout() 6 0x7ffff18ceba9 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) 7 0x7ffff18ce6a0 WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) 8 0x7ffff18cdaf7 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) 9 0x7ffff189cb05 WebCore::RenderBlock::layout() 10 0x7ffff18ceba9 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) 11 0x7ffff18ce6a0 WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) 12 0x7ffff18cdaf7 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) 13 0x7ffff189cb05 WebCore::RenderBlock::layout() 14 0x7ffff18ceba9 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) 15 0x7ffff18ce6a0 WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) 16 0x7ffff18cdaf7 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) 17 0x7ffff189cb05 WebCore::RenderBlock::layout() 18 0x7ffff1a6ed75 WebCore::RenderView::layoutContent(WebCore::LayoutState const&) 19 0x7ffff1a6f9f1 WebCore::RenderView::layout() 20 0x7ffff1618686 WebCore::FrameView::layout(bool) 21 0x7ffff108ca23 WebCore::Document::implicitClose() 22 0x7ffff1502357 WebCore::FrameLoader::checkCallImplicitClose() 23 0x7ffff15020eb WebCore::FrameLoader::checkCompleted() 24 0x7ffff1501e46 WebCore::FrameLoader::finishedParsing() 25 0x7ffff109410d WebCore::Document::finishedParsing() 26 0x7ffff137ad91 WebCore::HTMLConstructionSite::finishedParsing() 27 0x7ffff13b365a WebCore::HTMLTreeBuilder::finished() 28 0x7ffff13820a6 WebCore::HTMLDocumentParser::end() 29 0x7ffff1382191 WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() 30 0x7ffff1380dd9 WebCore::HTMLDocumentParser::prepareToStopParsing() 31 0x7ffff13821d6 WebCore::HTMLDocumentParser::attemptToEnd() Program received signal SIGSEGV, Segmentation fault. 0x00007ffff5c6117d in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:341 341 *(int *)(uintptr_t)0xbbadbeef = 0; (gdb) bt #0 0x00007ffff5c6117d in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:341 #1 0x00007ffff0fe313f in WebCore::minimumValueForLength (length=..., maximumValue=..., renderView=0x959fc0, roundPercentages=false) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/css/LengthFunctions.cpp:85 #2 0x00007ffff18b43dd in WebCore::RenderElement::minimumValueForLength (this=0x1244250, length=..., maximumValue=..., roundPercentages=false) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderElement.h:246 #3 0x00007ffff1a3f3d8 in WebCore::RenderTableSection::calcRowLogicalHeight (this=0x1244250) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderTableSection.cpp:296 #4 0x00007ffff1a2b862 in WebCore::RenderTable::layout (this=0x11f57f0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderTable.cpp:457 #5 0x00007ffff18ceba9 in WebCore::RenderBlockFlow::layoutBlockChild (this=0x11eeab0, child=..., marginInfo=..., previousFloatLogicalBottom=..., maxFloatLogicalBottom=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:597 #6 0x00007ffff18ce6a0 in WebCore::RenderBlockFlow::layoutBlockChildren (this=0x11eeab0, relayoutChildren=true, maxFloatLogicalBottom=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:516 #7 0x00007ffff18cdaf7 in WebCore::RenderBlockFlow::layoutBlock (this=0x11eeab0, relayoutChildren=true, pageLogicalHeight=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:363 #8 0x00007ffff189cb05 in WebCore::RenderBlock::layout (this=0x11eeab0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlock.cpp:1323 #9 0x00007ffff18ceba9 in WebCore::RenderBlockFlow::layoutBlockChild (this=0x11ecdf0, child=..., marginInfo=..., previousFloatLogicalBottom=..., maxFloatLogicalBottom=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:597 #10 0x00007ffff18ce6a0 in WebCore::RenderBlockFlow::layoutBlockChildren (this=0x11ecdf0, relayoutChildren=true, maxFloatLogicalBottom=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:516 #11 0x00007ffff18cdaf7 in WebCore::RenderBlockFlow::layoutBlock (this=0x11ecdf0, relayoutChildren=true, pageLogicalHeight=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:363 #12 0x00007ffff189cb05 in WebCore::RenderBlock::layout (this=0x11ecdf0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlock.cpp:1323 #13 0x00007ffff18ceba9 in WebCore::RenderBlockFlow::layoutBlockChild (this=0x959fc0, child=..., marginInfo=..., previousFloatLogicalBottom=..., maxFloatLogicalBottom=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:597 #14 0x00007ffff18ce6a0 in WebCore::RenderBlockFlow::layoutBlockChildren (this=0x959fc0, relayoutChildren=true, maxFloatLogicalBottom=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:516 #15 0x00007ffff18cdaf7 in WebCore::RenderBlockFlow::layoutBlock (this=0x959fc0, relayoutChildren=true, pageLogicalHeight=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlockFlow.cpp:363 #16 0x00007ffff189cb05 in WebCore::RenderBlock::layout (this=0x959fc0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderBlock.cpp:1323 #17 0x00007ffff1a6ed75 in WebCore::RenderView::layoutContent (this=0x959fc0, state=...) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderView.cpp:158 #18 0x00007ffff1a6f9f1 in WebCore::RenderView::layout (this=0x959fc0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/rendering/RenderView.cpp:342 #19 0x00007ffff1618686 in WebCore::FrameView::layout (this=0x90fbb0, allowSubtree=true) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/page/FrameView.cpp:1261 #20 0x00007ffff108ca23 in WebCore::Document::implicitClose (this=0x12088b0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:2389 #21 0x00007ffff1502357 in WebCore::FrameLoader::checkCallImplicitClose (this=0x9538b8) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:849 #22 0x00007ffff15020eb in WebCore::FrameLoader::checkCompleted (this=0x9538b8) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:792 #23 0x00007ffff1501e46 in WebCore::FrameLoader::finishedParsing (this=0x9538b8) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/FrameLoader.cpp:725 #24 0x00007ffff109410d in WebCore::Document::finishedParsing (this=0x12088b0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/dom/Document.cpp:4375 #25 0x00007ffff137ad91 in WebCore::HTMLConstructionSite::finishedParsing (this=0x953278) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLConstructionSite.cpp:347 #26 0x00007ffff13b365a in WebCore::HTMLTreeBuilder::finished (this=0x953260) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2933 #27 0x00007ffff13820a6 in WebCore::HTMLDocumentParser::end (this=0x10db0c0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:749 #28 0x00007ffff1382191 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd (this=0x10db0c0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:760 #29 0x00007ffff1380dd9 in WebCore::HTMLDocumentParser::prepareToStopParsing (this=0x10db0c0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:203 #30 0x00007ffff13821d6 in WebCore::HTMLDocumentParser::attemptToEnd (this=0x10db0c0) ---Type <return> to continue, or q <return> to quit--- at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:772 #31 0x00007ffff138228f in WebCore::HTMLDocumentParser::finish (this=0x10db0c0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/html/parser/HTMLDocumentParser.cpp:821 #32 0x00007ffff14f4c74 in WebCore::DocumentWriter::end (this=0x117b6d0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentWriter.cpp:245 #33 0x00007ffff14e1d42 in WebCore::DocumentLoader::finishedLoading (this=0x117b630, finishTime=0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:408 #34 0x00007ffff14e1ab0 in WebCore::DocumentLoader::notifyFinished (this=0x117b630, resource=0x11918c0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/DocumentLoader.cpp:345 #35 0x00007ffff157b92a in WebCore::CachedResource::checkNotify (this=0x11918c0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:369 #36 0x00007ffff157ba04 in WebCore::CachedResource::finishLoading (this=0x11918c0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedResource.cpp:385 #37 0x00007ffff1578506 in WebCore::CachedRawResource::finishLoading (this=0x11918c0, data=0x924690) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/cache/CachedRawResource.cpp:94 #38 0x00007ffff1535cb5 in WebCore::SubresourceLoader::didFinishLoading (this=0x1191e30, finishTime=0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/SubresourceLoader.cpp:279 #39 0x00007ffff1531f89 in WebCore::ResourceLoader::didFinishLoading (this=0x1191e30, finishTime=0) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/loader/ResourceLoader.cpp:487 #40 0x00007ffff226a582 in WebCore::readCallback (asyncResult=0x11971b0, data=0x118a200) at /home/reni/Data/REPOS/webkit_sec/Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp:1345 #41 0x00007fffe846bbc9 in async_ready_callback_wrapper (source_object=0x69f180, res=0x11971b0, user_data=0x118a200) at ginputstream.c:530 #42 0x00007fffe848dccb in g_task_return_now (task=0x11971b0) at gtask.c:1105 #43 complete_in_idle_cb (task=<optimized out>) at gtask.c:1114 #44 0x00007fffedb7b473 in g_main_dispatch (context=0x1196980) at gmain.c:3054 #45 g_main_context_dispatch (context=0x1196980) at gmain.c:3630 #46 0x00007ffff7575aee in _ecore_glib_select__locked (ecore_timeout=0x7fffffffcc30, efds=<optimized out>, wfds=<optimized out>, rfds=<optimized out>, ecore_fds=11, ctx=<optimized out>) at ecore_glib.c:171 #47 _ecore_glib_select (ecore_fds=11, rfds=<optimized out>, wfds=<optimized out>, efds=<optimized out>, ecore_timeout=0x7fffffffcc30) at ecore_glib.c:205 #48 0x00007ffff756fcb9 in _ecore_main_select (timeout=<optimized out>) at ecore_main.c:1466 #49 0x00007ffff7570789 in _ecore_main_loop_iterate_internal (once_only=0) at ecore_main.c:1860 #50 0x00007ffff7570b47 in ecore_main_loop_begin () at ecore_main.c:956 #51 0x0000000000406dfa in main (argc=2, argv=0x7fffffffde48) at /home/reni/Data/REPOS/webkit_sec/Tools/EWebLauncher/main.c:1044

Attachments
Test case (108 bytes, text/html) 2013-12-16 07:38 PST, Renata Hodovan	no flags	Details
Patch (3.70 KB, patch) 2016-08-26 14:41 PDT, zalan	no flags	Details Formatted Diff Diff
Patch (4.30 KB, patch) 2016-08-26 15:48 PDT, zalan	no flags	Details Formatted Diff Diff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.

Brent Fulgham

Comment 1 2016-08-03 13:24:41 PDT

This still occurs in r204037.

Radar WebKit Bug Importer

Comment 2 2016-08-03 13:25:34 PDT

<rdar://problem/27684457>

zalan

Comment 3 2016-08-26 14:41:14 PDT

Created attachment 287150 [details] Patch

Simon Fraser (smfr)

Comment 4 2016-08-26 14:46:17 PDT

Comment on attachment 287150 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=287150&action=review > Source/WebCore/rendering/RenderTableSection.cpp:282 > + LayoutUnit rowLogicalHeight = m_grid[r].logicalHeight.isFixed() ? m_grid[r].logicalHeight.value() : 0; I think this breaks calc(). Please test and add a testcase if so.

zalan

Comment 5 2016-08-26 15:48:08 PDT

Created attachment 287163 [details] Patch

WebKit Commit Bot

Comment 6 2016-08-26 16:27:29 PDT

Comment on attachment 287163 [details] Patch Clearing flags on attachment: 287163 Committed r205056: <http://trac.webkit.org/changeset/205056>

WebKit Commit Bot

Comment 7 2016-08-26 16:27:34 PDT

All reviewed patches have been landed. Closing bug.

Note You need to log in before you can comment on or make changes to this bug.