Bug 178857

Summary:

Crash in WebCore::RenderStyle::overflowX with display:contents

Product:

WebKit

Reporter:

Renata Hodovan <hodovan>

Component:

Layout and Rendering

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

bfulgham, buildbot, commit-queue, koivisto, rniwa, simon.fraser, webkit-bug-importer, zalan

Priority:

Keywords:

InRadar

Version:

WebKit Local Build

Hardware:

Unspecified

OS:

Unspecified

Bug Depends on:

Bug Blocks:

116980, 157477

Attachments:

Description	Flags
Test	none
patch	buildbot: commit-queue-
Archive of layout-test-results from ews102 for mac-elcapitan	none
Archive of layout-test-results from ews107 for mac-elcapitan-wk2	none
Archive of layout-test-results from ews113 for mac-elcapitan	none
Archive of layout-test-results from ews123 for ios-simulator-wk2	none
patch	none

Renata Hodovan

Reported 2017-10-26 05:02:28 PDT

Created attachment 324990 [details] Test Load the attached test with debug WebKitTestRunner: Checked version: 9e82982 OS: macOS Sierra (10.12.6) <html style="display:contents;"> <style> * { overflow-x:auto; } </style> Backtrace: ASAN:DEADLYSIGNAL ================================================================= ==65062==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000078 (pc 0x000115e046a2 bp 0x7fff5790c450 sp 0x7fff5790c440 T0) ==65062==The signal is caused by a READ memory access. ==65062==Hint: address points to the zero page. ==65062==WARNING: invalid path to external symbolizer! ==65062==WARNING: Failed to use and restart external symbolizer! #0 0x115e046a1 in WebCore::RenderStyle::overflowX() const (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x91b6a1) #1 0x117765b3b in WebCore::RenderBox::updateFromStyle() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x227cb3b) #2 0x117ba41a6 in WebCore::RenderLayerModelObject::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x26bb1a6) #3 0x117763704 in WebCore::RenderBox::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x227a704) #4 0x1175bb196 in WebCore::RenderBlock::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x20d2196) #5 0x1176c2863 in WebCore::RenderBlockFlow::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x21d9863) #6 0x1178b4026 in WebCore::RenderElement::initializeStyle() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x23cb026) #7 0x11805558b in WebCore::RenderTreeUpdater::createRenderer(WebCore::Element&, WebCore::RenderStyle&&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x2b6c58b) #8 0x118053964 in WebCore::RenderTreeUpdater::updateElementRenderer(WebCore::Element&, WebCore::Style::ElementUpdate const&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x2b6a964) #9 0x1180527c7 in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x2b697c7) #10 0x118051260 in WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x2b68260) #11 0x11c7bbfea in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x72d2fea) #12 0x11c7bebf2 in WebCore::Document::updateStyleIfNeeded() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x72d5bf2) #13 0x11c7f1692 in WebCore::Document::finishedParsing() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x7308692) #14 0x11668b235 in WebCore::HTMLConstructionSite::finishedParsing() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x11a2235) #15 0x116a572c8 in WebCore::HTMLTreeBuilder::finished() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x156e2c8) #16 0x116713eac in WebCore::HTMLDocumentParser::end() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x122aeac) #17 0x11670dfe8 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x1224fe8) #18 0x11670db09 in WebCore::HTMLDocumentParser::prepareToStopParsing() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x1224b09) #19 0x116713fcc in WebCore::HTMLDocumentParser::attemptToEnd() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x122afcc) #20 0x116714107 in WebCore::HTMLDocumentParser::finish() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x122b107) #21 0x11d1d02d7 in WebCore::DocumentWriter::end() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x7ce72d7) #22 0x11d1ce793 in WebCore::DocumentLoader::finishedLoading() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x7ce5793) #23 0x11d1ce163 in WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x7ce5163) #24 0x11d1cea8b in non-virtual thunk to WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x7ce5a8b) #25 0x11d45eee8 in WebCore::CachedResource::checkNotify() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x7f75ee8) #26 0x11d457003 in WebCore::CachedResource::finishLoading(WebCore::SharedBuffer*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x7f6e003) #27 0x11d458f92 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x7f6ff92) #28 0x11d389f9f in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x7ea0f9f) #29 0x110bd8f59 in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit:x86_64+0x23a6f59) #30 0x110be59df in void IPC::callMemberFunctionImpl<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&), std::__1::tuple<WebCore::NetworkLoadMetrics>, 0ul>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&), std::__1::tuple<WebCore::NetworkLoadMetrics>&&, std::__1::integer_sequence<unsigned long, 0ul>) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit:x86_64+0x23b39df) #31 0x110be55f8 in void IPC::callMemberFunction<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&), std::__1::tuple<WebCore::NetworkLoadMetrics>, std::__1::integer_sequence<unsigned long, 0ul> >(std::__1::tuple<WebCore::NetworkLoadMetrics>&&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit:x86_64+0x23b35f8) #32 0x110be281f in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit:x86_64+0x23b081f) #33 0x110be084a in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit:x86_64+0x23ae84a) #34 0x10f1d9571 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit:x86_64+0x9a7571) #35 0x10eb5488a in IPC::Connection::dispatchMessage(IPC::Decoder&) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit:x86_64+0x32288a) #36 0x10eb38198 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit:x86_64+0x306198) #37 0x10eb555b7 in IPC::Connection::dispatchOneMessage() (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit:x86_64+0x3235b7) #38 0x10eb944bc in IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_14::operator()() (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit:x86_64+0x3624bc) #39 0x10eb943e8 in WTF::Function<void ()>::CallableWrapper<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_14>::call() (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit:x86_64+0x3623e8) #40 0x1352df7e2 in WTF::Function<void ()>::operator()() const (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3a987e2) #41 0x135336cec in WTF::RunLoop::performWork() (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3aefcec) #42 0x135337d78 in WTF::RunLoop::performWork(void*) (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3af0d78) #43 0x7fffa6c5e320 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0xa7320) #44 0x7fffa6c3f21c in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x8821c) #45 0x7fffa6c3e715 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x87715) #46 0x7fffa6c3e113 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x87113) #47 0x7fffa619eebb in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30ebb) #48 0x7fffa619ecf0 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30cf0) #49 0x7fffa619eb25 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30b25) #50 0x7fffa4737a53 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x46a53) #51 0x7fffa4eb37ed in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7c27ed) #52 0x7fffa472c3da in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x3b3da) #53 0x7fffa46f6e0d in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x5e0d) #54 0x7fffbc61f8c6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x108c6) #55 0x7fffbc61e2e3 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0xf2e3) #56 0x1082eadc0 in main (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x100001dc0) #57 0x7fffbc3c6234 in start (/usr/lib/system/libdyld.dylib:x86_64+0x5234) ==65062==Register values: rax = 0x0000000000000078 rbx = 0x00007fff5790c4c0 rcx = 0x000010000000000f rdx = 0x00001c160001dcc2 rdi = 0x0000000000000078 rsi = 0x0000000000000800 rbp = 0x00007fff5790c450 rsp = 0x00007fff5790c440 r8 = 0x00007fff5790c2a0 r9 = 0x000000000000002e r10 = 0x00000001090be701 r11 = 0x0000000000000180 r12 = 0x00007fff5790cc80 r13 = 0x0000000000000009 r14 = 0x00006120000d6e40 r15 = 0x00007fff5790cc60 AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x91b6a1) in WebCore::RenderStyle::overflowX() const ==65062==ABORTING #CRASHED - com.apple.WebKit.WebContent.Development (pid 65062) LEAK: 1 WebProcessPool LEAK: 1 WebPageProxy

Attachments
Test (73 bytes, text/html) 2017-10-26 05:02 PDT, Renata Hodovan	no flags	Details
patch (3.83 KB, patch) 2017-11-03 05:00 PDT, Antti Koivisto	buildbot: commit-queue-	Details Formatted Diff Diff
Archive of layout-test-results from ews102 for mac-elcapitan (1006.72 KB, application/zip) 2017-11-03 05:55 PDT, Build Bot	no flags	Details
Archive of layout-test-results from ews107 for mac-elcapitan-wk2 (1.16 MB, application/zip) 2017-11-03 06:04 PDT, Build Bot	no flags	Details
Archive of layout-test-results from ews113 for mac-elcapitan (1.79 MB, application/zip) 2017-11-03 06:16 PDT, Build Bot	no flags	Details
Archive of layout-test-results from ews123 for ios-simulator-wk2 (1006.48 KB, application/zip) 2017-11-03 06:22 PDT, Build Bot	no flags	Details
patch (6.94 KB, patch) 2017-11-03 06:31 PDT, Antti Koivisto	no flags	Details Formatted Diff Diff
Show Obsolete (5) View All Add attachment proposed patch, testcase, etc.

Simon Fraser (smfr)

Comment 1 2017-10-26 10:49:26 PDT

Cc antti for "display:contents"

Radar WebKit Bug Importer

Comment 2 2017-10-26 10:50:42 PDT

<rdar://problem/35201120>

Antti Koivisto

Comment 3 2017-11-03 05:00:56 PDT

Created attachment 325883 [details] patch

Antti Koivisto

Comment 4 2017-11-03 05:01:22 PDT

*** Bug 178858 has been marked as a duplicate of this bug. ***

Build Bot

Comment 5 2017-11-03 05:55:28 PDT

Comment on attachment 325883 [details] patch Attachment 325883 [details] did not pass mac-ews (mac): Output: http://webkit-queues.webkit.org/results/5089236 New failing tests: imported/w3c/web-platform-tests/css/css-display-3/display-contents-computed-style.html

Build Bot

Comment 6 2017-11-03 05:55:29 PDT

Created attachment 325885 [details] Archive of layout-test-results from ews102 for mac-elcapitan The attached test failures were seen while running run-webkit-tests on the mac-ews. Bot: ews102 Port: mac-elcapitan Platform: Mac OS X 10.11.6

Build Bot

Comment 7 2017-11-03 06:04:50 PDT

Comment on attachment 325883 [details] patch Attachment 325883 [details] did not pass mac-wk2-ews (mac-wk2): Output: http://webkit-queues.webkit.org/results/5089267 New failing tests: imported/w3c/web-platform-tests/css/css-display-3/display-contents-computed-style.html

Build Bot

Comment 8 2017-11-03 06:04:51 PDT

Created attachment 325886 [details] Archive of layout-test-results from ews107 for mac-elcapitan-wk2 The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews. Bot: ews107 Port: mac-elcapitan-wk2 Platform: Mac OS X 10.11.6

Build Bot

Comment 9 2017-11-03 06:16:28 PDT

Comment on attachment 325883 [details] patch Attachment 325883 [details] did not pass mac-debug-ews (mac): Output: http://webkit-queues.webkit.org/results/5089263 New failing tests: imported/w3c/web-platform-tests/css/css-display-3/display-contents-computed-style.html

Build Bot

Comment 10 2017-11-03 06:16:30 PDT

Created attachment 325887 [details] Archive of layout-test-results from ews113 for mac-elcapitan The attached test failures were seen while running run-webkit-tests on the mac-debug-ews. Bot: ews113 Port: mac-elcapitan Platform: Mac OS X 10.11.6

Build Bot

Comment 11 2017-11-03 06:22:01 PDT

Comment on attachment 325883 [details] patch Attachment 325883 [details] did not pass ios-sim-ews (ios-simulator-wk2): Output: http://webkit-queues.webkit.org/results/5089286 New failing tests: imported/w3c/web-platform-tests/css/css-display-3/display-contents-computed-style.html

Build Bot

Comment 12 2017-11-03 06:22:02 PDT

Created attachment 325888 [details] Archive of layout-test-results from ews123 for ios-simulator-wk2 The attached test failures were seen while running run-webkit-tests on the ios-sim-ews. Bot: ews123 Port: ios-simulator-wk2 Platform: Mac OS X 10.12.6

Antti Koivisto

Comment 13 2017-11-03 06:31:20 PDT

Created attachment 325889 [details] patch

WebKit Commit Bot

Comment 14 2017-11-03 07:46:21 PDT

Comment on attachment 325889 [details] patch Clearing flags on attachment: 325889 Committed r224394: <https://trac.webkit.org/changeset/224394>

WebKit Commit Bot

Comment 15 2017-11-03 07:46:23 PDT

All reviewed patches have been landed. Closing bug.

Note You need to log in before you can comment on or make changes to this bug.