Bug 191824

Summary:

Should never be reached failure in WebCore::RenderElement::visibleInViewportStateChanged

Product:

WebKit

Reporter:

Renata Hodovan <hodovan>

Component:

Layout and Rendering

Assignee:

Rob Buis <rbuis>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

ajuma, ap, bfulgham, changseok, eric.carlson, esprehn+autocc, ews-watchlist, glenn, jer.noble, jfernandez, kondapallykalyan, pdr, philipj, rbuis, rego, rhodovan.u-szeged, sergio, simon.fraser, svillar, webkit-bug-importer, zalan

Priority:

Keywords:

InRadar

Version:

WebKit Local Build

Hardware:

Unspecified

OS:

Unspecified

Bug Depends on:

Bug Blocks:

116980

Attachments:

Description	Flags
Test	none
Patch	none
Patch	none

Renata Hodovan

Reported 2018-11-18 01:17:52 PST

Created attachment 355234 [details] Test Load the attached test with debug WebKitTestRunner / MiniBrowser: <audio controls style="padding: 119vh 71vh 33vh"> The failure can be triggered both with Mac and GTK builds. Checked revision: bd74428d9fb Backtrace: SHOULD NEVER BE REACHED ./rendering/RenderElement.cpp(1267) : virtual void WebCore::RenderElement::visibleInViewportStateChanged() 1 0x1388e0d39 WTFCrash 2 0x117ac00b0 WTF::Vector<unsigned char, 0ul, WTF::CrashOnOverflow, 16ul>::Vector() 3 0x1200b3cc4 WebCore::RenderElement::visibleInViewportStateChanged() 4 0x1200b3c5b WebCore::RenderElement::setVisibleInViewportState(WebCore::VisibleInViewportState) 5 0x12070df94 WebCore::RenderView::updateVisibleViewportRect(WebCore::IntRect const&) 6 0x11ec13c4b WebCore::FrameView::viewportContentsChanged()::$_2::operator()(WebCore::FrameView&, WebCore::IntRect const&) const 7 0x11ec13b54 WTF::Function<void (WebCore::FrameView&, WebCore::IntRect const&)>::CallableWrapper<WebCore::FrameView::viewportContentsChanged()::$_2>::call(WebCore::FrameView&, WebCore::IntRect const&) 8 0x11eb93efc WTF::Function<void (WebCore::FrameView&, WebCore::IntRect const&)>::operator()(WebCore::FrameView&, WebCore::IntRect const&) const 9 0x11eb8ae8a WebCore::FrameView::applyRecursivelyWithVisibleRect(WTF::Function<void (WebCore::FrameView&, WebCore::IntRect const&)> const&) 10 0x11eb670d4 WebCore::FrameView::viewportContentsChanged() 11 0x11eb9a465 WebCore::FrameView::performPostLayoutTasks() 12 0x11ebc1cbb WebCore::FrameViewLayoutContext::runAsynchronousTasks() 13 0x11ebc2ce2 WebCore::FrameViewLayoutContext::runOrScheduleAsynchronousTasks() 14 0x11eb57a2c WebCore::FrameViewLayoutContext::layout() 15 0x11eb95e8d WebCore::FrameView::updateContentsSize() 16 0x11f078c23 WebCore::ScrollView::updateScrollbars(WebCore::IntPoint const&) 17 0x11f07f74c WebCore::ScrollView::setContentsSize(WebCore::IntSize const&) 18 0x11eb64d6e WebCore::FrameView::setContentsSize(WebCore::IntSize const&) 19 0x11eb50822 WebCore::FrameView::adjustViewSize() 20 0x11eb577ab WebCore::FrameViewLayoutContext::layout() 21 0x11d163663 WebCore::Document::updateLayout() 22 0x11d166fda WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks) 23 0x11ca39c0f WebCore::ComputedStyleExtractor::propertyValue(WebCore::CSSPropertyID, WebCore::EUpdateLayout) 24 0x11ca3957e WebCore::CSSComputedStyleDeclaration::getPropertyCSSValue(WebCore::CSSPropertyID, WebCore::EUpdateLayout) const 25 0x11ca77c7a WebCore::CSSComputedStyleDeclaration::getPropertyCSSValueInternal(WebCore::CSSPropertyID) 26 0x11cc3f6b5 WebCore::CSSStyleDeclaration::namedItem(WTF::AtomicString const&) 27 0x1186e628d std::optional<WTF::Variant<WTF::String, double> > WebCore::JSCSSStyleDeclaration::getOwnPropertySlot(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&)::$_0::operator()<WebCore::JSCSSStyleDeclaration, JSC::PropertyName>(WebCore::JSCSSStyleDeclaration&, JSC::PropertyName) const 28 0x1186b7ed9 decltype(fp2(fp0, fp1)) WebCore::accessVisibleNamedProperty<(WebCore::OverrideBuiltins)0, WebCore::JSCSSStyleDeclaration, WebCore::JSCSSStyleDeclaration::getOwnPropertySlot(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&)::$_0&>(JSC::ExecState&, WebCore::JSCSSStyleDeclaration&, JSC::PropertyName, WebCore::JSCSSStyleDeclaration::getOwnPropertySlot(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&)::$_0&&&) 29 0x1186b4e88 WebCore::JSCSSStyleDeclaration::getOwnPropertySlot(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) 30 0x1398fde3c JSC::JSObject::getNonIndexPropertySlot(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) 31 0x1398fb93f bool JSC::JSObject::getPropertySlot<false>(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&)

Attachments
Test (50 bytes, text/html) 2018-11-18 01:17 PST, Renata Hodovan	no flags	Details
Patch (3.13 KB, patch) 2022-04-02 01:22 PDT, Rob Buis	no flags	Details Formatted Diff Diff
Patch (2.76 KB, patch) 2022-04-06 02:03 PDT, Rob Buis	no flags	Details Formatted Diff Diff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.

Simon Fraser (smfr)

Comment 1 2018-11-20 09:52:54 PST

An audio element's renderer can call registerForVisibleInViewportCallback() via HTMLMediaElement::layoutSizeChanged(), but only RenderVideo implements visibleInViewportStateChanged().

Rob Buis

Comment 2 2022-04-02 01:22:51 PDT

Created attachment 456454 [details] Patch

Rob Buis

Comment 3 2022-04-06 02:03:49 PDT

Created attachment 456794 [details] Patch

EWS

Comment 4 2022-04-22 23:28:24 PDT

Committed r293287 (249912@main): <https://commits.webkit.org/249912@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 456794 [details].

Radar WebKit Bug Importer

Comment 5 2022-04-22 23:29:15 PDT

<rdar://problem/92207010>

Note You need to log in before you can comment on or make changes to this bug.