Bug 155364

Summary:

ASSERTION FAILED: layoutState->m_renderer == this in WebCore::RenderBlock::offsetFromLogicalTopOfFirstPage

Product:

WebKit

Reporter:

Renata Hodovan <rhodovan.u-szeged>

Component:

Layout and Rendering

Assignee:

alan <zalan>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

bfulgham, commit-queue, esprehn+autocc, glenn, hyatt, kondapallykalyan, rhudea, simon.fraser, webkit-bug-importer, WebkitBugTracker

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

Bug Depends on:

Bug Blocks:

116980

Attachments:

Description	Flags
Test case	none
Test reduction	none
Patch	none

Renata Hodovan

Reported 2016-03-11 09:13:44 PST

Created attachment 273736 [details] Test case Load the attached test with minibrowser: <!DOCTYPE html> <dl> <canvas>a</canvas> </dl> <style> * { -webkit-grid-column: grid_18 span/4 span grid_3; width: +40%; position:fixed; letter-spacing:-webkit-calc(373*73% /-webkit-calc(609)*650%)px; -webkit-flow-into:flow_3; } dl { -webkit-writing-mode:vertical-lr; } </style> OS: Mac OS X 10.11.1 (x86_64), x86_64 Checked build: ASAN debug Checked version: ecad464 Backtrace: ASSERTION FAILED: layoutState->m_renderer == this /Users/reni/work/WebKit/Source/WebCore/rendering/RenderBlock.cpp(3493) : virtual WebCore::LayoutUnit WebCore::RenderBlock::offsetFromLogicalTopOfFirstPage() const 1 0x10bc20aa4 WTFCrash 2 0x11415e8e2 WebCore::RenderBlock::offsetFromLogicalTopOfFirstPage() const 3 0x1142ca3f5 WebCore::RenderBox::containingBlockLogicalWidthForPositioned(WebCore::RenderBoxModelObject const*, WebCore::RenderRegion*, bool) const 4 0x1142cd48d WebCore::RenderBox::containingBlockLogicalHeightForPositioned(WebCore::RenderBoxModelObject const*, bool) const 5 0x1142cc60b WebCore::RenderBox::computeReplacedLogicalHeightUsing(WebCore::SizeType, WebCore::Length) const 6 0x1147fd6bb WebCore::RenderReplaced::computeReplacedLogicalHeight() const 7 0x1147fc39a WebCore::RenderReplaced::computeReplacedLogicalWidth(WebCore::ShouldComputePreferred) const 8 0x1142d073f WebCore::RenderBox::computePositionedLogicalWidthReplaced(WebCore::RenderBox::LogicalExtentComputedValues&) const 9 0x1142bb37c WebCore::RenderBox::computePositionedLogicalWidth(WebCore::RenderBox::LogicalExtentComputedValues&, WebCore::RenderRegion*) const 10 0x1142b891f WebCore::RenderBox::computeLogicalWidthInRegion(WebCore::RenderBox::LogicalExtentComputedValues&, WebCore::RenderRegion*) const 11 0x11412adb8 WebCore::RenderBlock::markFixedPositionObjectForLayoutIfNeeded(WebCore::RenderObject&) 12 0x11412b520 WebCore::RenderBlock::layoutPositionedObject(WebCore::RenderBox&, bool, bool) 13 0x11412aa02 WebCore::RenderBlock::layoutPositionedObjects(bool, bool) 14 0x1141ce4a5 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) 15 0x114123828 WebCore::RenderBlock::layout() 16 0x114432e1f WebCore::RenderFlowThread::layout() 17 0x114780eef WebCore::RenderNamedFlowThread::layout() 18 0x11113d16c WebCore::RenderElement::layoutIfNeeded() 19 0x111133c96 WebCore::FlowThreadController::layoutRenderNamedFlowThreads() 20 0x114b3321d WebCore::RenderView::layoutContent(WebCore::LayoutState const&) 21 0x114b352b9 WebCore::RenderView::layout() 22 0x1114c7ca9 WebCore::FrameView::layout(bool) 23 0x110a13dd6 WebCore::Document::implicitClose() 24 0x111431019 WebCore::FrameLoader::checkCallImplicitClose() 25 0x111430afc WebCore::FrameLoader::checkCompleted() 26 0x11142d0c8 WebCore::FrameLoader::finishedParsing() 27 0x110a3705a WebCore::Document::finishedParsing() 28 0x1117eea66 WebCore::HTMLConstructionSite::finishedParsing() 29 0x111b1c29c WebCore::HTMLTreeBuilder::finished() 30 0x111866adc WebCore::HTMLDocumentParser::end() 31 0x111862cea WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() ASAN:SIGSEGV ================================================================= ==74681==ERROR: AddressSanitizer: SEGV on unknown address 0x0000bbadbeef (pc 0x00010bc20adc bp 0x7fff5d020c50 sp 0x7fff5d020c40 T0) #0 0x10bc20adb in WTFCrash (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2b16adb) #1 0x11415e8e1 in WebCore::RenderBlock::offsetFromLogicalTopOfFirstPage() const (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x48488e1) #2 0x1142ca3f4 in WebCore::RenderBox::containingBlockLogicalWidthForPositioned(WebCore::RenderBoxModelObject const*, WebCore::RenderRegion*, bool) const (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x49b43f4) #3 0x1142cd48c in WebCore::RenderBox::containingBlockLogicalHeightForPositioned(WebCore::RenderBoxModelObject const*, bool) const (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x49b748c) #4 0x1142cc60a in WebCore::RenderBox::computeReplacedLogicalHeightUsing(WebCore::SizeType, WebCore::Length) const (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x49b660a) #5 0x1147fd6ba in WebCore::RenderReplaced::computeReplacedLogicalHeight() const (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4ee76ba) #6 0x1147fc399 in WebCore::RenderReplaced::computeReplacedLogicalWidth(WebCore::ShouldComputePreferred) const (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4ee6399) #7 0x1142d073e in WebCore::RenderBox::computePositionedLogicalWidthReplaced(WebCore::RenderBox::LogicalExtentComputedValues&) const (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x49ba73e) #8 0x1142bb37b in WebCore::RenderBox::computePositionedLogicalWidth(WebCore::RenderBox::LogicalExtentComputedValues&, WebCore::RenderRegion*) const (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x49a537b) #9 0x1142b891e in WebCore::RenderBox::computeLogicalWidthInRegion(WebCore::RenderBox::LogicalExtentComputedValues&, WebCore::RenderRegion*) const (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x49a291e) #10 0x11412adb7 in WebCore::RenderBlock::markFixedPositionObjectForLayoutIfNeeded(WebCore::RenderObject&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4814db7) #11 0x11412b51f in WebCore::RenderBlock::layoutPositionedObject(WebCore::RenderBox&, bool, bool) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x481551f) #12 0x11412aa01 in WebCore::RenderBlock::layoutPositionedObjects(bool, bool) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4814a01) #13 0x1141ce4a4 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x48b84a4) #14 0x114123827 in WebCore::RenderBlock::layout() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x480d827) #15 0x114432e1e in WebCore::RenderFlowThread::layout() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4b1ce1e) #16 0x114780eee in WebCore::RenderNamedFlowThread::layout() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4e6aeee) #17 0x11113d16b in WebCore::RenderElement::layoutIfNeeded() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x182716b) #18 0x111133c95 in WebCore::FlowThreadController::layoutRenderNamedFlowThreads() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x181dc95) #19 0x114b3321c in WebCore::RenderView::layoutContent(WebCore::LayoutState const&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x521d21c) #20 0x114b352b8 in WebCore::RenderView::layout() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x521f2b8) #21 0x1114c7ca8 in WebCore::FrameView::layout(bool) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1bb1ca8) #22 0x110a13dd5 in WebCore::Document::implicitClose() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x10fddd5) #23 0x111431018 in WebCore::FrameLoader::checkCallImplicitClose() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1b1b018) #24 0x111430afb in WebCore::FrameLoader::checkCompleted() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1b1aafb) #25 0x11142d0c7 in WebCore::FrameLoader::finishedParsing() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1b170c7) #26 0x110a37059 in WebCore::Document::finishedParsing() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1121059) #27 0x1117eea65 in WebCore::HTMLConstructionSite::finishedParsing() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1ed8a65) #28 0x111b1c29b in WebCore::HTMLTreeBuilder::finished() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x220629b) #29 0x111866adb in WebCore::HTMLDocumentParser::end() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f50adb) #30 0x111862ce9 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f4cce9) #31 0x111862958 in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f4c958) #32 0x111866b7d in WebCore::HTMLDocumentParser::attemptToEnd() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f50b7d) #33 0x111866bd7 in WebCore::HTMLDocumentParser::finish() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f50bd7) #34 0x110bf28af in WebCore::DocumentWriter::end() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x12dc8af) #35 0x110b4515c in WebCore::DocumentLoader::finishedLoading(double) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x122f15c) #36 0x110b44c6a in WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource*) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x122ec6a) #37 0x10ff22856 in WebCore::CachedResource::checkNotify() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x60c856) #38 0x10ff22a43 in WebCore::CachedResource::finishLoading(WebCore::SharedBuffer*) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x60ca43) #39 0x10ff18ddc in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x602ddc) #40 0x1155a68f0 in WebCore::SubresourceLoader::didFinishLoading(double) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5c908f0) #41 0x1047029ac in WebKit::WebResourceLoader::didFinishResourceLoad(double) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b159ac) #42 0x104716d42 in void IPC::callMemberFunctionImpl<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>, 0ul>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>&&, std::index_sequence<0ul>) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b29d42) #43 0x1047169c1 in void IPC::callMemberFunction<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>, std::make_index_sequence<1ul> >(std::__1::tuple<double>&&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b299c1) #44 0x104712d7e in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double)>(IPC::MessageDecoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b25d7e) #45 0x10470fdfd in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::MessageDecoder&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1b22dfd) #46 0x103484912 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::MessageDecoder&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x897912) #47 0x102dc10d0 in IPC::Connection::dispatchMessage(IPC::MessageDecoder&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1d40d0) #48 0x102da8631 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1bb631) #49 0x102dc1ec0 in IPC::Connection::dispatchOneMessage() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1d4ec0) #50 0x102df160c in IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10::operator()() const (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x20460c) #51 0x102df15dc in void std::__1::__invoke_void_return_wrapper<void>::__call<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10&>(IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10&&&) (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x2045dc) #52 0x102df13fb in std::__1::__function::__func<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10, std::__1::allocator<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >)::$_10>, void ()>::operator()() (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x2043fb) #53 0x10aa6544a in std::__1::function<void ()>::operator()() const (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x195b44a) #54 0x10bcf92dd in WTF::RunLoop::performWork() (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2bef2dd) #55 0x10bcfa249 in WTF::RunLoop::performWork(void*) (/Users/reni/work/WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2bf0249) #56 0x7fff888498b0 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0xaa8b0) #57 0x7fff888290ab in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x8a0ab) #58 0x7fff888285ce in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x895ce) #59 0x7fff88827fc7 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x88fc7) #60 0x7fff86540d54 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30d54) #61 0x7fff86540b8e in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30b8e) #62 0x7fff865409ce in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x309ce) #63 0x7fff97bc6d95 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x49d95) #64 0x7fff97bc61c4 in -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x491c4) #65 0x7fff97bbad27 in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x3dd27) #66 0x7fff97b83fbd in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x6fbd) #67 0x7fff9408b4f1 in _xpc_objc_main (/usr/lib/system/libxpc.dylib+0x114f1) #68 0x7fff94089f1d in xpc_main (/usr/lib/system/libxpc.dylib+0xff1d) #69 0x102bd61cb in main (/Users/reni/work/WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.Development.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development+0x1000021cb) #70 0x7fff908b05ac in start (/usr/lib/system/libdyld.dylib+0x35ac) #71 0x0 (<unknown module>) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV ??:0 WTFCrash ==74681==ABORTING #CRASHED - com.apple.WebKit.WebContent.Development (pid 74681) LEAK: 1 WebProcessPool LEAK: 1 WebPageProxy

Attachments
Test case (306 bytes, text/html) 2016-03-11 09:13 PST, Renata Hodovan	no flags	Details
Test reduction (180 bytes, text/html) 2016-11-30 09:33 PST, alan	no flags	Details
Patch (7.72 KB, patch) 2016-11-30 14:35 PST, alan	no flags	Details Formatted Diff Diff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.

Brent Fulgham

Comment 1 2016-08-05 09:33:35 PDT

This reproduces in r204037.

Radar WebKit Bug Importer

Comment 2 2016-08-05 09:34:04 PDT

<rdar://problem/27720461>

alan

Comment 3 2016-11-30 09:33:38 PST

Created attachment 295725 [details] Test reduction

alan

Comment 4 2016-11-30 14:35:45 PST

Created attachment 295773 [details] Patch

Brent Fulgham

Comment 5 2016-11-30 14:56:32 PST

Comment on attachment 295773 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=295773&action=review > Source/WebCore/rendering/RenderBox.cpp:3148 > + break; So these two lines are the only meaningful difference in this patch! :-)

Dave Hyatt

Comment 6 2016-11-30 14:57:56 PST

Comment on attachment 295773 [details] Patch r=me

WebKit Commit Bot

Comment 7 2016-11-30 15:13:05 PST

Comment on attachment 295773 [details] Patch Clearing flags on attachment: 295773 Committed r209158: <http://trac.webkit.org/changeset/209158>

WebKit Commit Bot

Comment 8 2016-11-30 15:13:11 PST

All reviewed patches have been landed. Closing bug.

Note You need to log in before you can comment on or make changes to this bug.