Bug 155363

Summary: ASSERTION FAILED: !view().layoutStateEnabled() || style().styleType() == FIRST_LETTER in WebCore::RenderInline::clippedOverflowRectForRepaint
Product: WebKit Reporter: Renata Hodovan <rhodovan.u-szeged>
Component: Layout and RenderingAssignee: alan <zalan>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, commit-queue, simon.fraser, webkit-bug-importer, zalan
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: OS X 10.11   
Bug Depends on:    
Bug Blocks: 116980    
Attachments:
Description Flags
Test case
none
Patch
none
Patch
none
Patch none

Renata Hodovan
Reported 2016-03-11 08:27:32 PST
Created attachment 273735 [details] Test case Load the attached test with minibrowser: <!DOCTYPE html> <style> * { overflow-x: scroll; will-change:transform; } .class_0 { mix-blend-mode:exclusion; } </style> </head> <command class="class_0"> OS: Mac OS X 10.11.1 (x86_64), x86_64 Checked build: ASAN debug Checked version: ecad464 Backtrace: ASSERTION FAILED: !view().layoutStateEnabled() || style().styleType() == FIRST_LETTER /Users/reni/work/WebKit/Source/WebCore/rendering/RenderInline.cpp(1208) : virtual WebCore::LayoutRect WebCore::RenderInline::clippedOverflowRectForRepaint(const WebCore::RenderLayerModelObject *) const 1 0x10dea1aa4 WTFCrash 2 0x1167a1ff3 WebCore::RenderInline::clippedOverflowRectForRepaint(WebCore::RenderLayerModelObject const*) const 3 0x1168376ea WebCore::RenderLayer::repaintIncludingNonCompositingDescendants(WebCore::RenderLayerModelObject*) 4 0x1168378c9 WebCore::RenderLayer::repaintIncludingNonCompositingDescendants(WebCore::RenderLayerModelObject*) 5 0x1168da47f WebCore::RenderLayerCompositor::repaintOnCompositingChange(WebCore::RenderLayer&) 6 0x1168d80e3 WebCore::RenderLayerCompositor::updateBacking(WebCore::RenderLayer&, WebCore::RenderLayerCompositor::CompositingChangeRepaint, WebCore::RenderLayerCompositor::BackingRequired) 7 0x1168d79d8 WebCore::RenderLayerCompositor::updateLayerCompositingState(WebCore::RenderLayer&, WebCore::RenderLayerCompositor::CompositingChangeRepaint) 8 0x1167fd1f9 WebCore::RenderLayer::updateScrollInfoAfterLayout() 9 0x1163aa50c WebCore::RenderBlock::updateScrollInfoAfterLayout() 10 0x11645582a WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) 11 0x1163aa828 WebCore::RenderBlock::layout() 12 0x11645f7c3 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) 13 0x116457f2f WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) 14 0x116454445 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) 15 0x1163aa828 WebCore::RenderBlock::layout() 16 0x11645f7c3 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) 17 0x116457f2f WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) 18 0x116454445 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) 19 0x1163aa828 WebCore::RenderBlock::layout() 20 0x116dba1f6 WebCore::RenderView::layoutContent(WebCore::LayoutState const&) 21 0x116dbc2b9 WebCore::RenderView::layout() 22 0x11374eca9 WebCore::FrameView::layout(bool) 23 0x112c9add6 WebCore::Document::implicitClose() 24 0x1136b8019 WebCore::FrameLoader::checkCallImplicitClose() 25 0x1136b7afc WebCore::FrameLoader::checkCompleted() 26 0x1136b40c8 WebCore::FrameLoader::finishedParsing() 27 0x112cbe05a WebCore::Document::finishedParsing() 28 0x113a75a66 WebCore::HTMLConstructionSite::finishedParsing() 29 0x113da329c WebCore::HTMLTreeBuilder::finished() 30 0x113aedadc WebCore::HTMLDocumentParser::end() 31 0x113ae9cea WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() ASAN:SIGSEGV ================================================================= ==88424==ERROR: AddressSanitizer: SEGV on unknown address 0x0000bbadbeef (pc 0x00010dea1adc bp 0x7fff5ada9a50 sp 0x7fff5ada9a40 T0) #0 0x10dea1adb in WTFCrash (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2b16adb) #1 0x1167a1ff2 in WebCore::RenderInline::clippedOverflowRectForRepaint(WebCore::RenderLayerModelObject const*) const (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4c04ff2) #2 0x1168376e9 in WebCore::RenderLayer::repaintIncludingNonCompositingDescendants(WebCore::RenderLayerModelObject*) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4c9a6e9) #3 0x1168378c8 in WebCore::RenderLayer::repaintIncludingNonCompositingDescendants(WebCore::RenderLayerModelObject*) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4c9a8c8) #4 0x1168da47e in WebCore::RenderLayerCompositor::repaintOnCompositingChange(WebCore::RenderLayer&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4d3d47e) #5 0x1168d80e2 in WebCore::RenderLayerCompositor::updateBacking(WebCore::RenderLayer&, WebCore::RenderLayerCompositor::CompositingChangeRepaint, WebCore::RenderLayerCompositor::BackingRequired) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4d3b0e2) #6 0x1168d79d7 in WebCore::RenderLayerCompositor::updateLayerCompositingState(WebCore::RenderLayer&, WebCore::RenderLayerCompositor::CompositingChangeRepaint) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4d3a9d7) #7 0x1167fd1f8 in WebCore::RenderLayer::updateScrollInfoAfterLayout() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4c601f8) #8 0x1163aa50b in WebCore::RenderBlock::updateScrollInfoAfterLayout() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x480d50b) #9 0x116455829 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x48b8829) #10 0x1163aa827 in WebCore::RenderBlock::layout() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x480d827) #11 0x11645f7c2 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x48c27c2) #12 0x116457f2e in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x48baf2e) #13 0x116454444 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x48b7444) #14 0x1163aa827 in WebCore::RenderBlock::layout() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x480d827) #15 0x11645f7c2 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x48c27c2) #16 0x116457f2e in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x48baf2e) #17 0x116454444 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x48b7444) #18 0x1163aa827 in WebCore::RenderBlock::layout() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x480d827) #19 0x116dba1f5 in WebCore::RenderView::layoutContent(WebCore::LayoutState const&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x521d1f5) #20 0x116dbc2b8 in WebCore::RenderView::layout() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x521f2b8) #21 0x11374eca8 in WebCore::FrameView::layout(bool) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1bb1ca8) #22 0x112c9add5 in WebCore::Document::implicitClose() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x10fddd5) #23 0x1136b8018 in WebCore::FrameLoader::checkCallImplicitClose() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1b1b018) #24 0x1136b7afb in WebCore::FrameLoader::checkCompleted() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1b1aafb) #25 0x1136b40c7 in WebCore::FrameLoader::finishedParsing() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1b170c7) #26 0x112cbe059 in WebCore::Document::finishedParsing() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1121059) #27 0x113a75a65 in WebCore::HTMLConstructionSite::finishedParsing() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1ed8a65) #28 0x113da329b in WebCore::HTMLTreeBuilder::finished() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x220629b) #29 0x113aedadb in WebCore::HTMLDocumentParser::end() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f50adb) #30 0x113ae9ce9 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f4cce9) #31 0x113ae9958 in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f4c958) #32 0x113aedb7d in WebCore::HTMLDocumentParser::attemptToEnd() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f50b7d) #33 0x113aedbd7 in WebCore::HTMLDocumentParser::finish() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f50bd7) #34 0x112e798af in WebCore::DocumentWriter::end() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x12dc8af) #35 0x112dcc15c in WebCore::DocumentLoader::finishedLoading(double) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x122f15c) #36 0x112dcbc6a in WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource*) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x122ec6a) #37 0x1121a9856 in WebCore::CachedResource::checkNotify() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x60c856) #38 0x1121a9a43 in WebCore::CachedResource::finishLoading(WebCore::SharedBuffer*) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x60ca43) #39 0x11219fddc in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x602ddc) #40 0x11782d8f0 in WebCore::SubresourceLoader::didFinishLoading(double) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5c908f0) #41 0x10697b9ac in WebKit::WebResourceLoader::didFinishResourceLoad(double) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b159ac) #42 0x10698fd42 in void IPC::callMemberFunctionImpl<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>, 0ul>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>&&, std::index_sequence<0ul>) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b29d42) #43 0x10698f9c1 in void IPC::callMemberFunction<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>, std::make_index_sequence<1ul> >(std::__1::tuple<double>&&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b299c1) #44 0x10698bd7e in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double)>(IPC::MessageDecoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b25d7e) #45 0x106988dfd in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::MessageDecoder&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b22dfd) #46 0x1056fd912 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::MessageDecoder&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x897912) #47 0x10503a0d0 in IPC::Connection::dispatchMessage(IPC::MessageDecoder&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1d40d0) #48 0x105021631 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1bb631) #49 0x10503aec0 in IPC::Connection::dispatchOneMessage() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1d4ec0) #50 0x10506a60c in IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10::operator()() const (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x20460c) #51 0x10506a5dc in void std::__1::__invoke_void_return_wrapper<void>::__call<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10&>(IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10&&&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x2045dc) #52 0x10506a3fb in std::__1::__function::__func<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10, std::__1::allocator<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10>, void ()>::operator()() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x2043fb) #53 0x10cce644a in std::__1::function<void ()>::operator()() const (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x195b44a) #54 0x10df7a2dd in WTF::RunLoop::performWork() (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2bef2dd) #55 0x10df7b249 in WTF::RunLoop::performWork(void*) (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2bf0249) #56 0x7fff888498b0 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0xaa8b0) #57 0x7fff888290ab in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x8a0ab) #58 0x7fff888285ce in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x895ce) #59 0x7fff88827fc7 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x88fc7) #60 0x7fff86540d54 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30d54) #61 0x7fff86540b8e in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30b8e) #62 0x7fff865409ce in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x309ce) #63 0x7fff97bc6d95 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x49d95) #64 0x7fff97bc61c4 in -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x491c4) #65 0x7fff97bbad27 in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x3dd27) #66 0x7fff97b83fbd in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x6fbd) #67 0x7fff9408b4f1 in _xpc_objc_main (/usr/lib/system/libxpc.dylib+0x114f1) #68 0x7fff94089f1d in xpc_main (/usr/lib/system/libxpc.dylib+0xff1d) #69 0x104e4d1cb in main (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.Development.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development+0x1000021cb) #70 0x7fff908b05ac in start (/usr/lib/system/libdyld.dylib+0x35ac) #71 0x0 (<unknown module>) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV ??:0 WTFCrash ==88424==ABORTING #CRASHED - com.apple.WebKit.WebContent.Development (pid 88424) LEAK: 1 WebProcessPool LEAK: 1 WebPageProxy
Attachments
Test case (168 bytes, text/html)
2016-03-11 08:27 PST, Renata Hodovan 		no flags
Details
Patch (3.97 KB, patch)
2016-08-23 16:27 PDT, alan 		no flags
DetailsFormatted DiffDiff
Patch (3.94 KB, patch)
2016-08-23 18:51 PDT, alan 		no flags
DetailsFormatted DiffDiff
Patch (3.94 KB, patch)
2016-08-23 18:52 PDT, alan 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Brent Fulgham
Comment 1 2016-08-05 09:32:14 PDT
This reproduces in r204037.
Radar WebKit Bug Importer
Comment 2 2016-08-05 09:32:39 PDT
<rdar://problem/27720434>
alan
Comment 3 2016-08-23 16:27:38 PDT
Created attachment 286805 [details] Patch
Dave Hyatt
Comment 4 2016-08-23 16:29:42 PDT
Comment on attachment 286805 [details] Patch r=me
alan
Comment 5 2016-08-23 18:51:05 PDT
Created attachment 286816 [details] Patch
alan
Comment 6 2016-08-23 18:52:26 PDT
Created attachment 286817 [details] Patch
WebKit Commit Bot
Comment 7 2016-08-23 19:25:10 PDT
Comment on attachment 286817 [details] Patch Clearing flags on attachment: 286817 Committed r204880: <http://trac.webkit.org/changeset/204880>
WebKit Commit Bot
Comment 8 2016-08-23 19:25:12 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.