Bug 207296

Summary: Nullptr crash in RenderStyle::isFlippedBlocksWritingMode when fragment flow gains a new in-flow descendant
Product: WebKit
Reporter: Jack <shihchieh_lee>
Component: Layout and Rendering
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: aakash_jain, ajuma, bfulgham, ews-feeder, koivisto, product-security, rniwa, simon.fraser, webkit-bug-importer, zalan
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: All
OS: All

Jack
Reported 2020-02-05 14:30:06 PST
<rdar://56967115>

#0 0x4b1c42ab1 in WebCore::RenderStyle::writingMode() const (Safari_ASAN_252152_93985f3693290f9e1b9273fb7bc493e9eb44c361.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x1c40ab1)
#1 0x4b405e128 in WebCore::RenderStyle::isFlippedBlocksWritingMode() const (Safari_ASAN_252152_93985f3693290f9e1b9273fb7bc493e9eb44c361.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x405c128)
#2 0x4b495d0fa in WebCore::RenderBox::flipForWritingMode(WebCore::LayoutPoint const&) const (Safari_ASAN_252152_93985f3693290f9e1b9273fb7bc493e9eb44c361.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x495b0fa)
#3 0x4b4bd811f in WebCore::RenderMultiColumnFlow::physicalTranslationFromFragmentToFlow(WebCore::RenderMultiColumnSet const*, WebCore::LayoutPoint const&) const (Safari_ASAN_252152_93985f3693290f9e1b9273fb7bc493e9eb44c361.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x4bd611f)
#4 0x4b4bd7df6 in WebCore::RenderMultiColumnFlow::mapAbsoluteToLocalPoint(unsigned int, WebCore::TransformState&) const (Safari_ASAN_252152_93985f3693290f9e1b9273fb7bc493e9eb44c361.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x4bd5df6)
#5 0x4b49c5521 in WebCore::RenderBoxModelObject::mapAbsoluteToLocalPoint(unsigned int, WebCore::TransformState&) const (Safari_ASAN_252152_93985f3693290f9e1b9273fb7bc493e9eb44c361.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x49c3521)
#6 0x4b49c5521 in WebCore::RenderBoxModelObject::mapAbsoluteToLocalPoint(unsigned int, WebCore::TransformState&) const (Safari_ASAN_252152_93985f3693290f9e1b9273fb7bc493e9eb44c361.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x49c3521)
#7 0x4b49c5521 in WebCore::RenderBoxModelObject::mapAbsoluteToLocalPoint(unsigned int, WebCore::TransformState&) const (Safari_ASAN_252152_93985f3693290f9e1b9273fb7bc493e9eb44c361.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x49c3521)
#8 0x4b4bfda9a in WebCore::RenderObject::absoluteToLocal(WebCore::FloatPoint const&, unsigned int) const (Safari_ASAN_252152_93985f3693290f9e1b9273fb7bc493e9eb44c361.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x4bfba9a)
#9 0x4b40670ea in WebCore::FrameView::convertFromContainingViewToRenderer(WebCore::RenderElement const*, WebCore::IntRect const&) const (Safari_ASAN_252152_93985f3693290f9e1b9273fb7bc493e9eb44c361.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x40650ea)
#10 0x4b4067ee8 in WebCore::FrameView::convertFromContainingView(WebCore::IntRect const&) const (Safari_ASAN_252152_93985f3693290f9e1b9273fb7bc493e9eb44c361.app/Contents/
Attachments
Patch (4.58 KB, patch) - 2020-02-05 15:57 PST, Jack - no flags
Patch (5.39 KB, patch) - 2020-02-18 12:29 PST, Jack - koivisto: review+, aakash_jain: commit-queue-
Jack
Comment 1 2020-02-05 14:33:38 PST
Root cause analysis from Alan:

Without the [outer.style.transition = "1s"] this is what we end up with:

before [range.extractContents] call
B-----L- -- DIV RenderBlock at (0,0) size 1222x0 renderer->(0x1360f9420) node->(0x12f59afc0)
B---YGL- RenderMultiColumnFlowThread at (0,0) size 603x0 renderer->(0x1360f97b0) [Rs:0x0 Re:0x0]
BA----L- -- DIV RenderBlock at (8,8) size 304x154 renderer->(0x1360f9550) node->(0x12f59b050)
N------- -- IFRAME RenderIFrame at (0,0) size 304x154 renderer->(0x1360f9680) node->(0x12f59b0e0)

after [range.extractContents] call
B------- -+ DIV RenderBlock at (0,0) size 1222x0 renderer->(0x1360f9420) node->(0x12f59afc0) layout->[self][normal child]
B------- -+ DIV RenderBlock at (8,8) size 304x154 renderer->(0x1360f9550) node->(0x12f59b050) layout->[self][normal child]
N------- -+ IFRAME RenderIFrame at (0,0) size 304x154 renderer->(0x1360f9680) node->(0x12f59b0e0) layout->[self]
^^Note the missing RenderMultiColumnFlowThread, and that the inner <div> is no longer absolutely positioned.

and when the [outer.style.transition = "1s"] is added back the after state is this ->
B-----L- -+ DIV RenderBlock at (0,0) size 1222x0 renderer->(0x1360f9420) node->(0x1360fbd60) layout->[self][normal child]
B---YGL- RenderMultiColumnFlowThread at (0,0) size 603x0 renderer->(0x1360f97b0) [Rs:0x0 Re:0x0] layout->[self][normal child]
B------- -+ DIV RenderBlock at (8,8) size 304x154 renderer->(0x1360f9550) node->(0x1360fbdf0) [Rs:0x0 Re:0x0] layout->[self][normal child]
N------- -+ IFRAME RenderIFrame at (0,0) size 304x154 renderer->(0x1360f9680) node->(0x1360fa2a0) layout->[self]
^^the inner <div> is no longer absolutely positioned, but we still have a fragmented flow.

It looks like when the inner <div> goes from out-of-flow to in-flow, we don't check if the enclosing fragmented flow needs a new set.
Jack
Comment 2 2020-02-05 15:57:54 PST
Jack
Comment 3 2020-02-06 10:55:30 PST
EWS test "Mac-debug-wk1" fails because of <rdar://46103517>. Pending on investigation.
Ryosuke Niwa
Comment 4 2020-02-06 13:11:00 PST
Comment on attachment 389894 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=389894&action=review

> Source/WebCore/ChangeLog:10
> +        Reviewed by NOBODY (OOPS!).

This line should appear below URL but before the description (surrounded by blank lines as you did here).
Jack
Comment 5 2020-02-18 12:29:11 PST
Jack
Comment 6 2020-02-18 13:13:42 PST
Submit the change with expected crash in layout test due to bug 202805.
Ryosuke Niwa
Comment 7 2020-02-19 18:59:39 PST
Aakash Jain
Comment 8 2020-02-20 07:42:18 PST
Comment on attachment 391076 [details]
Patch

commit-queue still doesn't support security bugs. Please land manually. See: https://bugs.webkit.org/show_bug.cgi?id=201939
Ryosuke Niwa
Comment 9 2020-02-21 00:22:26 PST
This is not a security bug.
Ryosuke Niwa
Comment 10 2020-02-21 00:26:19 PST
Ryosuke Niwa
Comment 11 2020-03-07 19:57:37 PST
*** Bug 208317 has been marked as a duplicate of this bug. ***