Bug 163585

Summary: REGRESSION: LayoutTest crashes in WebCore::InlineBox::InlineBoxBitfields::isHorizontal() const + 8
Product: WebKit Reporter: Ryan Haddad <ryanhaddad>
Component: New BugsAssignee: Nobody <webkit-unassigned>
Status: NEW    
Severity: Normal CC: ap, bfulgham, graouts, jbedard, webkit-bug-importer, zalan
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=163703
Attachments:
Description Flags
Crashlog none

Ryan Haddad
Reported 2016-10-17 22:59:23 PDT
Created attachment 291920 [details] Crashlog I've seen a few different tests crashing in WebCore::InlineBox::InlineBoxBitfields::isHorizontal() const + 8 imported/w3c/web-platform-tests/html/semantics/embedded-content/media-elements/interfaces/TextTrack/activeCues.html is the test that I've seen in results most often, but it is not the test that is referenced in the crashlog. https://build.webkit.org/results/Apple%20El%20Capitan%20Debug%20WK2%20(Tests)/r207453%20(8889)/results.html https://webkit-test-results.webkit.org/dashboards/flakiness_dashboard.html#showAllRuns=true&tests=imported%2Fw3c%2Fweb-platform-tests%2Fhtml%2Fsemantics%2Fembedded-content%2Fmedia-elements%2Finterfaces%2FTextTrack%2FactiveCues.html Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.WebCore 0x000000010b8c53e8 WebCore::InlineBox::InlineBoxBitfields::isHorizontal() const + 8 (InlineBox.h:341) 1 com.apple.WebCore 0x000000010b8c4ecc WebCore::InlineBox::isHorizontal() const + 28 (InlineBox.h:104) 2 com.apple.WebCore 0x000000010b8c4e09 WebCore::InlineBox::height() const + 25 (InlineBox.h:176) 3 com.apple.WebCore 0x000000010cc26bd8 WebCore::RenderVTTCue::initializeLayoutParameters(WebCore::InlineFlowBox*&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 296 (RenderVTTCue.cpp:89) 4 com.apple.WebCore 0x000000010cc267ce WebCore::RenderVTTCue::repositionCueSnapToLinesSet() + 62 (RenderVTTCue.cpp:314) 5 com.apple.WebCore 0x000000010cc26756 WebCore::RenderVTTCue::layout() + 358 (RenderVTTCue.cpp:61) 6 com.apple.WebCore 0x000000010b342a0c WebCore::RenderElement::layoutIfNeeded() + 60 (RenderElement.h:131) 7 com.apple.WebCore 0x000000010c880af4 WebCore::RenderBlock::layoutPositionedObject(WebCore::RenderBox&, bool, bool) + 548 (RenderBlock.cpp:1486) 8 com.apple.WebCore 0x000000010c880569 WebCore::RenderBlock::layoutPositionedObjects(bool, bool) + 185 (RenderBlock.cpp:1506) 9 com.apple.WebCore 0x000000010c8bb7e1 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 2305 (RenderBlockFlow.cpp:526) 10 com.apple.WebCore 0x000000010c87ed49 WebCore::RenderBlock::layout() + 105 (RenderBlock.cpp:1079) 11 com.apple.WebCore 0x000000010cc09291 WebCore::RenderView::layoutContent(WebCore::LayoutState const&) + 97 (RenderView.cpp:245) 12 com.apple.WebCore 0x000000010cc0a331 WebCore::RenderView::layout() + 2097 (RenderView.cpp:372) 13 com.apple.WebCore 0x000000010b4a7194 WebCore::FrameView::layout(bool) + 3812 (FrameView.cpp:1464) 14 com.apple.WebCore 0x000000010b4b3dd9 WebCore::FrameView::updateLayoutAndStyleIfNeededRecursive() + 121 (FrameView.cpp:4288) 15 com.apple.WebKit 0x00000001041bf19b WebKit::WebPage::layoutIfNeeded() + 107 (WebPage.cpp:1358) 16 com.apple.WebKit 0x0000000103f7528c WebKit::TiledCoreAnimationDrawingArea::flushLayers() + 124 (TiledCoreAnimationDrawingArea.mm:406) 17 com.apple.WebKit 0x0000000103f75aec non-virtual thunk to WebKit::TiledCoreAnimationDrawingArea::flushLayers() + 28 (TiledCoreAnimationDrawingArea.mm:397) 18 com.apple.WebCore 0x000000010c4899b5 WebCore::LayerFlushScheduler::layerFlushCallback() + 101 (LayerFlushSchedulerMac.cpp:77) 19 com.apple.WebCore 0x000000010c48acbb WebCore::LayerFlushScheduler::LayerFlushScheduler(WebCore::LayerFlushSchedulerClient*)::$_0::operator()() const + 59 (LayerFlushSchedulerMac.cpp:65) 20 com.apple.WebCore 0x000000010c48ac6d _ZNSt3__128__invoke_void_return_wrapperIvE6__callIJRZN7WebCore19LayerFlushSchedulerC1EPNS3_25LayerFlushSchedulerClientEE3$_0EEEvDpOT_ + 45 (__functional_base:441) 21 com.apple.WebCore 0x000000010c48ac0c std::__1::__function::__func<WebCore::LayerFlushScheduler::LayerFlushScheduler(WebCore::LayerFlushSchedulerClient*)::$_0, std::__1::allocator<WebCore::LayerFlushScheduler::LayerFlushScheduler(WebCore::LayerFlushSchedulerClient*)::$_0>, void ()>::operator()() + 44 (functional:1407) 22 com.apple.WebCore 0x000000010aa10b3a std::__1::function<void ()>::operator()() const + 26 (functional:1793) 23 com.apple.WebCore 0x000000010ccb279e WebCore::RunLoopObserver::runLoopObserverFired() + 110 (RunLoopObserver.cpp:45) 24 com.apple.WebCore 0x000000010ccb2720 WebCore::RunLoopObserver::runLoopObserverFired(__CFRunLoopObserver*, unsigned long, void*) + 32 (RunLoopObserver.cpp:39) 25 com.apple.CoreFoundation 0x00007fff92705067 __CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__ + 23 26 com.apple.CoreFoundation 0x00007fff92704fd7 __CFRunLoopDoObservers + 391 27 com.apple.CoreFoundation 0x00007fff926e3ef8 CFRunLoopRunSpecific + 328 28 com.apple.HIToolbox 0x00007fff9402c935 RunCurrentEventLoopInMode + 235 29 com.apple.HIToolbox 0x00007fff9402c76f ReceiveNextEventCommon + 432 30 com.apple.HIToolbox 0x00007fff9402c5af _BlockUntilNextEventMatchingListInModeWithFilter + 71 31 com.apple.AppKit 0x00007fff98ef4df6 _DPSNextEvent + 1067 32 com.apple.AppKit 0x00007fff98ef4226 -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 454 33 com.apple.AppKit 0x00007fff98ee8d80 -[NSApplication run] + 682 34 com.apple.AppKit 0x00007fff98eb2368 NSApplicationMain + 1176 35 libxpc.dylib 0x00007fff9d97a194 _xpc_objc_main + 795 36 libxpc.dylib 0x00007fff9d978bbe xpc_main + 494 37 com.apple.WebKit.WebContent 0x0000000103a58080 main + 800 38 libdyld.dylib 0x00007fff8b2445ad start + 1
Attachments
Crashlog (104.19 KB, text/plain)
2016-10-17 22:59 PDT, Ryan Haddad 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Ryan Haddad
Comment 1 2016-10-17 23:01:03 PDT
CRASHING TEST: imported/w3c/IndexedDB-private-browsing/writer-starvation.html (3x) CRASHING TEST: imported/w3c/csswg-test/css-scoping-1/shadow-cascade-order-001.html CRASHING TEST: imported/w3c/css/css-multicol-1/multicol-zero-height-001-expected.xht
Ryan Haddad
Comment 2 2016-10-18 11:04:48 PDT
Another instance seen with media/track/media-element-enqueue-event-crash.html https://build.webkit.org/results/Apple%20Sierra%20Debug%20WK2%20(Tests)/r207464%20(387)/results.html
Ryan Haddad
Comment 3 2016-10-19 17:00:48 PDT
*** Bug 163703 has been marked as a duplicate of this bug. ***
Ryan Haddad
Comment 4 2016-10-19 17:03:05 PDT
Earliest crash I can see on the flakiness dashboard with the media-elements/interfaces/TextTrack/activeCues.html test is: 10/17/2016 4:02:01 PM ~r207428
Ryan Haddad
Comment 5 2016-10-20 09:42:37 PDT
This is happening very frequently on the bots. I am trying to find steps to reproduce, but any help narrowing down the cause would be appreciated.
Jonathan Bedard
Comment 6 2016-10-20 10:16:13 PDT
Doing some flakiness analysis, when imported/w3c/web-platform-tests/html/semantics/embedded-content/media-elements/interfaces/TextTrack/activeCues.html fails, the following test sequence is always run first (at least, in all 8 of 8 cases tested): imported/w3c/web-platform-tests/html/semantics/embedded-content/media-elements/interfaces/HTMLElement/HTMLMediaElement/addTextTrack.html imported/w3c/web-platform-tests/html/semantics/embedded-content/media-elements/interfaces/HTMLElement/HTMLMediaElement/textTracks.html imported/w3c/web-platform-tests/html/semantics/embedded-content/media-elements/interfaces/HTMLElement/HTMLTrackElement/default.html imported/w3c/web-platform-tests/html/semantics/embedded-content/media-elements/interfaces/HTMLElement/HTMLTrackElement/kind.html imported/w3c/web-platform-tests/html/semantics/embedded-content/media-elements/interfaces/HTMLElement/HTMLTrackElement/label.html imported/w3c/web-platform-tests/html/semantics/embedded-content/media-elements/interfaces/HTMLElement/HTMLTrackElement/readyState.html imported/w3c/web-platform-tests/html/semantics/embedded-content/media-elements/interfaces/HTMLElement/HTMLTrackElement/src.html imported/w3c/web-platform-tests/html/semantics/embedded-content/media-elements/interfaces/HTMLElement/HTMLTrackElement/srclang.html imported/w3c/web-platform-tests/html/semantics/embedded-content/media-elements/interfaces/HTMLElement/HTMLTrackElement/track.html imported/w3c/web-platform-tests/html/semantics/embedded-content/media-elements/interfaces/TextTrack/activeCues.html
Jonathan Bedard
Comment 7 2016-10-20 10:26:38 PDT
Less conclusive results for media/track/media-element-enqueue-event-crash.html. The shared failure sequence follows. More examples of test failures would help narrow down this list. js/slow-stress/ArrayBuffer-Int8Array-alloc-huge-long-lived.html js/slow-stress/ArrayBuffer-Int8Array-alloc-large-long-lived-fragmented.html js/slow-stress/Int32Array-alloc-huge-long-lived.html js/slow-stress/Int32Array-alloc-huge.html js/slow-stress/Int32Array-alloc-large-long-lived.html js/slow-stress/array-prototype-filter.html js/slow-stress/call-spread.html js/slow-stress/chain-custom-getter.html js/slow-stress/destructuring-arguments-length.html js/slow-stress/fold-strict-eq.html js/slow-stress/marsaglia.html js/slow-stress/nested-function-parsing-random.html js/slow-stress/new-spread.html js/slow-stress/proto-custom-getter.html js/slow-stress/simple-custom-getter.html js/slow-stress/variadic-closure-call.html media/W3C/video/canPlayType/canPlayType_application_octet_stream.html media/W3C/video/canPlayType/canPlayType_application_octet_stream_with_codecs_1.html media/W3C/video/canPlayType/canPlayType_application_octet_stream_with_codecs_2.html media/W3C/video/canPlayType/canPlayType_application_octet_stream_with_codecs_3.html media/W3C/video/canPlayType/canPlayType_bogus_type.html media/W3C/video/canPlayType/canPlayType_codecs_order_1.html media/W3C/video/canPlayType/canPlayType_codecs_order_2.html media/W3C/video/canPlayType/canPlayType_codecs_order_3.html media/W3C/video/canPlayType/canPlayType_method_exists.html media/W3C/video/canPlayType/canPlayType_supported_but_no_codecs_parameter_1.html media/W3C/video/canPlayType/canPlayType_supported_but_no_codecs_parameter_2.html media/W3C/video/canPlayType/canPlayType_supported_but_no_codecs_parameter_3.html media/W3C/video/canPlayType/canPlayType_two_implies_one_1.html media/W3C/video/canPlayType/canPlayType_two_implies_one_2.html media/W3C/video/canPlayType/canPlayType_two_implies_one_3.html media/W3C/video/canPlayType/canPlayType_two_implies_one_4.html media/W3C/video/canPlayType/canPlayType_two_implies_one_5.html media/W3C/video/canPlayType/canPlayType_two_implies_one_6.html media/modern-media-controls/airplay-placard/airplay-placard.html media/modern-media-controls/aspect-ratio-button/aspect-ratio-button.html media/modern-media-controls/button/button.html media/modern-media-controls/buttons-container/buttons-container-buttons-property.html media/modern-media-controls/buttons-container/buttons-container-constructor.html media/modern-media-controls/buttons-container/buttons-container-layout.html media/modern-media-controls/icon-button/icon-button-active-state.html media/modern-media-controls/icon-button/icon-button.html media/modern-media-controls/macos-media-controls/macos-media-controls.html media/modern-media-controls/media-controller/media-controller-constructor.html media/modern-media-controls/media-controller/media-controller-resize.html media/track/add-and-remove-track.html media/track/audio-track.html media/track/getCueAsHTMLCrash.html media/track/media-element-enqueue-event-crash.html
Alexey Proskuryakov
Comment 8 2016-10-24 18:00:20 PDT
Is this still happening?
Ryan Haddad
Comment 9 2016-10-24 18:16:21 PDT
(In reply to comment #8) > Is this still happening? Yes, but I haven't been able to reproduce the crash locally.
Ryan Haddad
Comment 10 2016-11-01 16:54:02 PDT
This is still occurring intermittently on the bots, but I can't get it to report on demand locally.
Radar WebKit Bug Importer
Comment 11 2016-11-01 17:05:10 PDT
<rdar://problem/29055623>
Note You need to log in before you can comment on or make changes to this bug.