Bug 216668

Summary: ASSERTION FAILED: &formattingContextRoot == m_rootContainer.get() in WebCore::Layout::LayoutState::establishedInlineFormattingState
Product: WebKit Reporter: Ryan Haddad <ryanhaddad>
Component: Layout and RenderingAssignee: Simon Fraser (smfr) <simon.fraser>
Status: RESOLVED FIXED    
Severity: Normal CC: ap, bfulgham, cdumez, esprehn+autocc, ews-watchlist, kangil.han, simon.fraser, webkit-bot-watchers-bugzilla, webkit-bug-importer, zalan
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
crash log
none
Patch none

Ryan Haddad
Reported 2020-09-17 15:36:43 PDT
Seeing this assertion failure with various LFC layout tests on macOS debug bots: ASSERTION FAILED: &formattingContextRoot == m_rootContainer.get() ./layout/LayoutState.cpp(118) : WebCore::Layout::InlineFormattingState &WebCore::Layout::LayoutState::establishedInlineFormattingState(const WebCore::Layout::ContainerBox &) const 1 0x4ff075629 WTFCrash 2 0x4e0007dbb WTFCrashWithInfo(int, char const*, char const*, int) 3 0x4e394aca4 WebCore::Layout::LayoutState::establishedInlineFormattingState(WebCore::Layout::ContainerBox const&) const 4 0x4e39a1a54 auto WebCore::Display::paintSubtree(WebCore::GraphicsContext&, WebCore::Layout::LayoutState const&, WebCore::Layout::Box const&, WebCore::IntRect const&, WebCore::Display::PaintPhase)::$_2::operator()<WebCore::Layout::Box const>(WebCore::Layout::Box const&) const 5 0x4e399caa5 WebCore::Display::paintSubtree(WebCore::GraphicsContext&, WebCore::Layout::LayoutState const&, WebCore::Layout::Box const&, WebCore::IntRect const&, WebCore::Display::PaintPhase) 6 0x4e399c6cb WebCore::Display::Painter::paint(WebCore::Layout::LayoutState const&, WebCore::GraphicsContext&, WebCore::IntRect const&) 7 0x4e3956295 WebCore::Layout::LayoutContext::paint(WebCore::Layout::LayoutState const&, WebCore::GraphicsContext&, WebCore::IntRect const&) 8 0x4e3999b1a WebCore::Display::LayerController::RootLayerClient::paintContents(WebCore::GraphicsLayer const*, WebCore::GraphicsContext&, WebCore::FloatRect const&, unsigned int) 9 0x4e40c3160 WebCore::GraphicsLayer::paintGraphicsLayerContents(WebCore::GraphicsContext&, WebCore::FloatRect const&, unsigned int) 10 0x4e4160ccf WebCore::GraphicsLayerCA::platformCALayerPaintContents(WebCore::PlatformCALayer*, WebCore::GraphicsContext&, WebCore::FloatRect const&, unsigned int) 11 0x4e1bfcca1 WebCore::PlatformCALayer::drawLayerContents(WebCore::GraphicsContext&, WebCore::PlatformCALayer*, WTF::Vector<WebCore::FloatRect, 5ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, unsigned int) 12 0x4e1d9770d -[WebLayer drawInContext:] 13 0x7fff3864ae02 CABackingStoreUpdate_ 14 0x7fff386aca0d invocation function for block in CA::Layer::display_() 15 0x7fff3864a020 -[CALayer _display] 16 0x4e1d97eeb -[WebSimpleLayer display] 17 0x7fff38649551 CA::Layer::display_if_needed(CA::Transaction*) 18 0x7fff386377c6 CA::Context::commit_transaction(CA::Transaction*) 19 0x7fff38636ea6 CA::Transaction::commit() 20 0x7fff38636ba6 CA::Transaction::observer_callback(__CFRunLoopObserver*, unsigned long, void*) 21 0x7fff2dc2af28 __CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__ 22 0x7fff2dc2ae5d __CFRunLoopDoObservers 23 0x7fff2dbccef9 CFRunLoopRunSpecific 24 0x7fff2fe317df -[NSRunLoop(NSRunLoop) runMode:beforeDate:] 25 0x7fff2fe316b4 -[NSRunLoop(NSRunLoop) run] 26 0x7fff59d5c077 _xpc_objc_main 27 0x7fff59d5bb79 _xpc_copy_xpcservice_dictionary 28 0x102893136 WebKit::XPCServiceMain(int, char const**) 29 0x103c7913b WKXPCServiceMain 30 0x101f66eb2 main 31 0x7fff59b233d5 start LEAK: 1 WebPageProxy
Attachments
crash log (63.26 KB, text/plain)
2020-09-17 15:37 PDT, Ryan Haddad 		no flags
Details
Patch (5.61 KB, patch)
2020-09-18 21:44 PDT, Simon Fraser (smfr) 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Ryan Haddad
Comment 1 2020-09-17 15:37:22 PDT
fast/layoutformattingcontext/table-basic-row-baseline-with-nested-table.html fast/layoutformattingcontext/table-flex-width-border-collapse.html https://build.webkit.org/results/Apple%20Mojave%20Debug%20WK2%20(Tests)/r267204%20(12039)/results.html
Ryan Haddad
Comment 2 2020-09-17 15:37:33 PDT
Created attachment 409073 [details] crash log
Radar WebKit Bug Importer
Comment 3 2020-09-17 15:37:49 PDT
<rdar://problem/69101155>
zalan
Comment 4 2020-09-17 15:38:48 PDT
RuntimeEnabledFeatures::sharedFeatures().layoutFormattingContextIntegrationEnabled() is not supposed to be true in LayoutState::establishedInlineFormattingState() while running these test cases.
Ryan Haddad
Comment 5 2020-09-17 16:01:24 PDT
fast/layoutformattingcontext/anonymous-inline-container-simple.html https://build.webkit.org/results/Apple-Catalina-Debug-WK2-Tests/r267166%20(6676)/results.html fast/layoutformattingcontext/absolute-positioned-simple-table3.html fast/layoutformattingcontext/table-fixed-width-with-max-distribution.html https://build.webkit.org/results/Apple-Catalina-Debug-WK2-Tests/r267141%20(6665)/results.html fast/layoutformattingcontext/absolute-positioned-simple-table2.html fast/layoutformattingcontext/table-cell-vertical-alignment-simple.html https://build.webkit.org/results/Apple-Catalina-Debug-WK2-Tests/r267206%20(6698)/results.html
Ryan Haddad
Comment 6 2020-09-18 14:32:28 PDT
This appears to be a recent regression (maybe in the last 5 days?) and it is slowing down EWS.
zalan
Comment 7 2020-09-18 14:37:35 PDT
I think it's caused by https://trac.webkit.org/changeset/267024/webkit (Simon can confirm it). The patch is correct, it's just that something happens to the runtime switch while running/in-between the tests.
Simon Fraser (smfr)
Comment 8 2020-09-18 21:01:03 PDT
We crash *after* loading about:blank between tests. I think about:blank has some special handling, so maybe we leave the LayoutState from the previous test around?
Simon Fraser (smfr)
Comment 9 2020-09-18 21:44:41 PDT
Created attachment 409193 [details] Patch
EWS
Comment 10 2020-09-19 05:54:57 PDT
Committed r267310: <https://trac.webkit.org/changeset/267310> All reviewed patches have been landed. Closing bug and clearing flags on attachment 409193 [details].
Note You need to log in before you can comment on or make changes to this bug.