Bug 141328

Summary: ASSERTION FAILED: resolvedInitialPosition <= resolvedFinalPosition in WebCore::GridSpan::GridSpan
Product: WebKit
Reporter: Renata Hodovan <rhodovan.u-szeged>
Component: Layout and Rendering
Assignee: Sergio Villar Senin <svillar>
Status: RESOLVED FIXED
Severity: Normal
CC: commit-queue, darin, dino, esprehn+autocc, glenn, jfernandez, kling, kondapallykalyan, mark.lam, oliver, rego, svillar
Priority: P2
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Bug Depends on:
Bug Blocks: 116980
Attachments:
Description: Test case; Flags: none
Description: Patch; Flags: darin: review+

Description Renata Hodovan 2015-02-06 03:28:09 PST
Created attachment 246157 [details]
Test case

Load this with debug WK:

<!DOCTYPE html>
<input/><input/><input/>
<style>
* {
    display:-webkit-inline-grid;
    -webkit-grid-row: span 400000;
}
</style>

Note: it's probably the same as crbug.com/422980.


Backtrace:

ASSERTION FAILED: resolvedInitialPosition <= resolvedFinalPosition
../../Source/WebCore/rendering/style/GridCoordinate.h(55) : WebCore::GridSpan::GridSpan(const WebCore::GridResolvedPosition&, const WebCore::GridResolvedPosition&)


Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fff8affd700 (LWP 17567)]
0x00007fffed72b70d in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
321	    *(int *)(uintptr_t)0xbbadbeef = 0;
#0  0x00007fffed72b70d in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
#1  0x00007ffff2d34e8d in WebCore::GridSpan::GridSpan (this=0x7fffffffbbd0, resolvedInitialPosition=..., resolvedFinalPosition=...) at ../../Source/WebCore/rendering/style/GridCoordinate.h:55
#2  0x00007ffff3a13afa in WebCore::GridResolvedPosition::resolveGridPositionsFromAutoPlacementPosition (gridContainerStyle=..., gridItem=..., direction=WebCore::ForRows, resolvedInitialPosition=...) at ../../Source/WebCore/rendering/style/GridResolvedPosition.cpp:85
#3  0x00007ffff3895279 in WebCore::RenderGrid::createEmptyGridAreaAtSpecifiedPositionsOutsideGrid (this=0x7ffff7f33240, gridItem=..., specifiedDirection=WebCore::ForColumns, specifiedPositions=...) at ../../Source/WebCore/rendering/RenderGrid.cpp:814
#4  0x00007ffff3895b41 in WebCore::RenderGrid::placeAutoMajorAxisItemOnGrid (this=0x7ffff7f33240, gridItem=..., autoPlacementCursor=...) at ../../Source/WebCore/rendering/RenderGrid.cpp:894
#5  0x00007ffff38955ce in WebCore::RenderGrid::placeAutoMajorAxisItemsOnGrid (this=0x7ffff7f33240, autoGridItems=...) at ../../Source/WebCore/rendering/RenderGrid.cpp:838
#6  0x00007ffff3894d5a in WebCore::RenderGrid::placeItemsOnGrid (this=0x7ffff7f33240) at ../../Source/WebCore/rendering/RenderGrid.cpp:771
#7  0x00007ffff3891703 in WebCore::RenderGrid::computeIntrinsicLogicalWidths (this=0x7ffff7f33240, minLogicalWidth=..., maxLogicalWidth=...) at ../../Source/WebCore/rendering/RenderGrid.cpp:248
#8  0x00007ffff389192e in WebCore::RenderGrid::computePreferredLogicalWidths (this=0x7ffff7f33240) at ../../Source/WebCore/rendering/RenderGrid.cpp:279
#9  0x00007ffff380be26 in WebCore::RenderBox::minPreferredLogicalWidth (this=0x7ffff7f33240) at ../../Source/WebCore/rendering/RenderBox.cpp:999
#10 0x00007ffff3893159 in WebCore::RenderGrid::minContentForChild (this=0x7ffff7e986c0, child=..., direction=WebCore::ForColumns, columnTracks=...) at ../../Source/WebCore/rendering/RenderGrid.cpp:516
#11 0x00007ffff3893ed1 in WebCore::RenderGrid::resolveContentBasedTrackSizingFunctionsForItems (this=0x7ffff7e986c0, direction=WebCore::ForColumns, sizingData=..., gridItemWithSpan=..., filterFunction=(bool (WebCore::GridTrackSize::*)(const WebCore::GridTrackSize * const)) 0x7ffff38976d4 <WebCore::GridTrackSize::hasMinOrMaxContentMinTrackBreadth() const>, sizingFunction=(WebCore::LayoutUnit (WebCore::RenderGrid::*)(WebCore::RenderGrid * const, WebCore::RenderBox &, WebCore::GridTrackSizingDirection, WTF::Vector<WebCore::GridTrack, 0ul, WTF::CrashOnOverflow> &)) 0x7ffff38930ce <WebCore::RenderGrid::minContentForChild(WebCore::RenderBox&, WebCore::GridTrackSizingDirection, WTF::Vector<WebCore::GridTrack, 0ul, WTF::CrashOnOverflow>&)>, trackGetter=(WebCore::LayoutUnit (WebCore::GridTrack::*)(const WebCore::GridTrack * const)) 0x7ffff3897c3e <WebCore::GridTrack::usedBreadth() const>, trackGrowthFunction=(void (WebCore::GridTrack::*)(WebCore::GridTrack * const, WebCore::LayoutUnit)) 0x7ffff3897bde <WebCore::GridTrack::growUsedBreadth(WebCore::LayoutUnit)>, growAboveMaxBreadthFilterFunction=(bool (WebCore::GridTrackSize::*)(const WebCore::GridTrackSize * const)) 0x7ffff389785c <WebCore::GridTrackSize::hasMinContentMinTrackBreadthAndMinOrMaxContentMaxTrackBreadth() const>) at ../../Source/WebCore/rendering/RenderGrid.cpp:634
#12 0x00007ffff38937a1 in WebCore::RenderGrid::resolveContentBasedTrackSizingFunctions (this=0x7ffff7e986c0, direction=WebCore::ForColumns, sizingData=...) at ../../Source/WebCore/rendering/RenderGrid.cpp:598
#13 0x00007ffff3891c9b in WebCore::RenderGrid::computeUsedBreadthOfGridTracks (this=0x7ffff7e986c0, direction=WebCore::ForColumns, sizingData=..., availableLogicalSpace=...) at ../../Source/WebCore/rendering/RenderGrid.cpp:327
#14 0x00007ffff38919fd in WebCore::RenderGrid::computeUsedBreadthOfGridTracks (this=0x7ffff7e986c0, direction=WebCore::ForColumns, sizingData=...) at ../../Source/WebCore/rendering/RenderGrid.cpp:291
#15 0x00007ffff3895d4a in WebCore::RenderGrid::layoutGridItems (this=0x7ffff7e986c0) at ../../Source/WebCore/rendering/RenderGrid.cpp:923
#16 0x00007ffff3891556 in WebCore::RenderGrid::layoutBlock (this=0x7ffff7e986c0, relayoutChildren=false) at ../../Source/WebCore/rendering/RenderGrid.cpp:220
#17 0x00007ffff37ae24b in WebCore::RenderBlock::layout (this=0x7ffff7e986c0) at ../../Source/WebCore/rendering/RenderBlock.cpp:927
#18 0x00007ffff37d970c in WebCore::RenderBlockFlow::layoutBlockChild (this=0x7ffff7f18b40, child=..., marginInfo=..., previousFloatLogicalBottom=..., maxFloatLogicalBottom=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:703
#19 0x00007ffff37d9253 in WebCore::RenderBlockFlow::layoutBlockChildren (this=0x7ffff7f18b40, relayoutChildren=true, maxFloatLogicalBottom=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:626
#20 0x00007ffff37d8680 in WebCore::RenderBlockFlow::layoutBlock (this=0x7ffff7f18b40, relayoutChildren=true, pageLogicalHeight=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:479
#21 0x00007ffff37ae24b in WebCore::RenderBlock::layout (this=0x7ffff7f18b40) at ../../Source/WebCore/rendering/RenderBlock.cpp:927
#22 0x00007ffff39acb11 in WebCore::RenderView::layoutContent (this=0x7ffff7f18b40, state=...) at ../../Source/WebCore/rendering/RenderView.cpp:232
#23 0x00007ffff39ad1e1 in WebCore::RenderView::layout (this=0x7ffff7f18b40) at ../../Source/WebCore/rendering/RenderView.cpp:357
#24 0x00007ffff351306c in WebCore::FrameView::layout (this=0x7ffff7ec6b00, allowSubtree=true) at ../../Source/WebCore/page/FrameView.cpp:1317
#25 0x00007ffff2eb99ab in WebCore::Document::implicitClose (this=0x7fff5723a000) at ../../Source/WebCore/dom/Document.cpp:2497
#26 0x00007ffff33b7f4b in WebCore::FrameLoader::checkCallImplicitClose (this=0x7ffff7f39a98) at ../../Source/WebCore/loader/FrameLoader.cpp:901
#27 0x00007ffff33b7cb7 in WebCore::FrameLoader::checkCompleted (this=0x7ffff7f39a98) at ../../Source/WebCore/loader/FrameLoader.cpp:847
#28 0x00007ffff33b7a20 in WebCore::FrameLoader::finishedParsing (this=0x7ffff7f39a98) at ../../Source/WebCore/loader/FrameLoader.cpp:767
#29 0x00007ffff2ec28a0 in WebCore::Document::finishedParsing (this=0x7fff5723a000) at ../../Source/WebCore/dom/Document.cpp:4629
#30 0x00007ffff32302b7 in WebCore::HTMLConstructionSite::finishedParsing (this=0x7ffff7f33380) at ../../Source/WebCore/html/parser/HTMLConstructionSite.cpp:404
#31 0x00007ffff326cd3e in WebCore::HTMLTreeBuilder::finished (this=0x7ffff7f33360) at ../../Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2941
#32 0x00007ffff3238c2e in WebCore::HTMLDocumentParser::end (this=0x7ffff7ece100) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:402
#33 0x00007ffff3238cfc in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd (this=0x7ffff7ece100) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:411
#34 0x00007ffff32379ac in WebCore::HTMLDocumentParser::prepareToStopParsing (this=0x7ffff7ece100) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:132
#35 0x00007ffff3238d33 in WebCore::HTMLDocumentParser::attemptToEnd (this=0x7ffff7ece100) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:423
#36 0x00007ffff3238de1 in WebCore::HTMLDocumentParser::finish (this=0x7ffff7ece100) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:451
#37 0x00007ffff33a806f in WebCore::DocumentWriter::end (this=0x7ffff7eba4a0) at ../../Source/WebCore/loader/DocumentWriter.cpp:247
#38 0x00007ffff3393699 in WebCore::DocumentLoader::finishedLoading (this=0x7ffff7eba400, finishTime=0) at ../../Source/WebCore/loader/DocumentLoader.cpp:440
#39 0x00007ffff3393402 in WebCore::DocumentLoader::notifyFinished (this=0x7ffff7eba400, resource=0x7ffff7ec6200) at ../../Source/WebCore/loader/DocumentLoader.cpp:374
#40 0x00007ffff3447aa6 in WebCore::CachedResource::checkNotify (this=0x7ffff7ec6200) at ../../Source/WebCore/loader/cache/CachedResource.cpp:293
#41 0x00007ffff3447ba4 in WebCore::CachedResource::finishLoading (this=0x7ffff7ec6200) at ../../Source/WebCore/loader/cache/CachedResource.cpp:309
#42 0x00007ffff3444201 in WebCore::CachedRawResource::finishLoading (this=0x7ffff7ec6200, data=0x7ffff7eb8750) at ../../Source/WebCore/loader/cache/CachedRawResource.cpp:104
#43 0x00007ffff33f686f in WebCore::SubresourceLoader::didFinishLoading (this=0x7fff41049b00, finishTime=0) at ../../Source/WebCore/loader/SubresourceLoader.cpp:364
#44 0x00007ffff33f21a9 in WebCore::ResourceLoader::didFinishLoading (this=0x7fff41049b00, finishTime=0) at ../../Source/WebCore/loader/ResourceLoader.cpp:542
#45 0x00007ffff3da6401 in WebCore::readCallback (asyncResult=0x6e4460, data=0x7ffff7e7bb20) at ../../Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp:1295
#46 0x00007fffeb2707e6 in async_ready_callback_wrapper (source_object=0x7c7270, res=0x6e4460, user_data=user_data@entry=0x7ffff7e7bb20) at ginputstream.c:523
#47 0x00007fffeb2960e5 in g_task_return_now (task=0x6e4460) at gtask.c:1077
#48 0x00007fffeb296109 in complete_in_idle_cb (task=0x6e4460) at gtask.c:1086
#49 0x00007fffea54ea1d in g_main_dispatch (context=0x478b00) at gmain.c:3064
#50 g_main_context_dispatch (context=context@entry=0x478b00) at gmain.c:3663
#51 0x00007fffea54ed88 in g_main_context_iterate (context=0x478b00, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3734
#52 0x00007fffea54f04a in g_main_loop_run (loop=0x901bd0) at gmain.c:3928
#53 0x00007ffff44a7fb0 in WTF::RunLoop::run () at ../../Source/WTF/wtf/gtk/RunLoopGtk.cpp:59
#54 0x00007ffff29946cc in WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain> (argc=2, argv=0x7fffffffd988) at ../../Source/WebKit2/Shared/unix/ChildProcessMain.h:61
#55 0x00007ffff2994531 in WebKit::WebProcessMainUnix (argc=2, argv=0x7fffffffd988) at ../../Source/WebKit2/WebProcess/gtk/WebProcessMainGtk.cpp:77
#56 0x00000000004008d1 in main (argc=2, argv=0x7fffffffd988) at ../../Source/WebKit2/WebProcess/EntryPoint/unix/WebProcessMain.cpp:44

Comment 1 Sergio Villar Senin 2015-02-06 06:12:23 PST
Yeah it requires the same fix.

Comment 2 Sergio Villar Senin 2015-02-09 02:08:23 PST
Created attachment 246260 [details]
Patch

Comment 3 Darin Adler 2015-02-09 02:29:17 PST
Comment on attachment 246260 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=246260&action=review

> Source/WebCore/ChangeLog:9
> +        was trying to place an item with span, it was completelly ignoring the

completely

> Source/WebCore/ChangeLog:12
> +        using the finalResolvedPosition. This works with an unlimitted grid which can

unlimited

> Source/WebCore/ChangeLog:13
> +        indefinitelly grow. But if the item spans over the grid track limits, then it

indefinitely

> Source/WebCore/ChangeLog:24
> +        No new test provided as the test case would involve a huge grid
> +        allocation that performs very slow on Debug bots.
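
Review bot: the "No new test provided" entry at Source/WebCore/ChangeLog:24 leaves this fix with no recorded way to reproduce the assertion; point the entry at the reduced test case attached to this bug (attachment 246157) so the limit case can still be checked by hand on a debug build. Also, "performs very slow" should read "performs very slowly".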

There is really no practical way to test this? We have to find some way to test the limits.

Comment 4 Sergio Villar Senin 2015-02-09 03:24:37 PST
(In reply to comment #3)
> Comment on attachment 246260 [details]

> > Source/WebCore/ChangeLog:24
> > +        No new test provided as the test case would involve a huge grid
> > +        allocation that performs very slow on Debug bots.
> 
> There is really no practical way to test this? We have to find some way
> to test the limits.

I thought about creating a unit test but we lack a lot of stuff to create one:
the renderers, the styles, the named grid lines, etc.

What I'm going to do is to add the test case to ManualTests.

Comment 5 Sergio Villar Senin 2015-02-09 06:06:00 PST
Committed r179826: <http://trac.webkit.org/changeset/179826>