Bug 219369

Summary: REGRESSION (r268604): [ Mac ] fast/layoutformattingcontext/table-basic-row-vertical-align-baseline.html is a flaky crash
Product: WebKit
Reporter: Truitt Savell <tsavell>
Component: New Bugs
Assignee: Simon Fraser (smfr) <simon.fraser>
Status: RESOLVED FIXED
Severity: Normal
CC: koivisto, sam, simon.fraser, webkit-bot-watchers-bugzilla, webkit-bug-importer, zalan
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments:
Description    Flags
crash log      none
Patch          none

Description Truitt Savell 2020-11-30 14:22:03 PST
fast/layoutformattingcontext/table-basic-row-vertical-align-baseline.html

I am able to reproduce this crash with command:
run-webkit-tests --iterations 2000 --exit-after-n-failures 1 --exit-after-n-crashes-or-timeouts 1 --debug-rwt-logging --no-retry --force --no-build -f fast/layoutformattingcontext/table-basic-row-vertical-align-baseline.html

History:
https://results.webkit.org/?suite=layout-tests&test=fast%2Flayoutformattingcontext%2Ftable-basic-row-vertical-align-baseline.html

Crash:
Application Specific Information:
CRASHING TEST: fast/layoutformattingcontext/table-basic-row-baseline-with-nested-table.html

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x00000005b2ef47fa WebCore::Display::TreeBuilder::buildInlineDisplayTree(WebCore::Layout::LayoutState const&, WebCore::Layout::ContainerBox const&, WebCore::Display::TreeBuilder::InsertionPosition&) + 42 (DisplayTreeBuilder.cpp:182)
1   com.apple.WebCore             	0x00000005b2ef43ad WebCore::Display::TreeBuilder::recursiveBuildDisplayTree(WebCore::Layout::LayoutState const&, WebCore::Layout::Box const&, WebCore::Display::TreeBuilder::InsertionPosition&) + 701
2   com.apple.WebCore             	0x00000005b2ef43ec WebCore::Display::TreeBuilder::recursiveBuildDisplayTree(WebCore::Layout::LayoutState const&, WebCore::Layout::Box const&, WebCore::Display::TreeBuilder::InsertionPosition&) + 764
3   com.apple.WebCore             	0x00000005b2ef43ec WebCore::Display::TreeBuilder::recursiveBuildDisplayTree(WebCore::Layout::LayoutState const&, WebCore::Layout::Box const&, WebCore::Display::TreeBuilder::InsertionPosition&) + 764
4   com.apple.WebCore             	0x00000005b2ef43ec WebCore::Display::TreeBuilder::recursiveBuildDisplayTree(WebCore::Layout::LayoutState const&, WebCore::Layout::Box const&, WebCore::Display::TreeBuilder::InsertionPosition&) + 764
5   com.apple.WebCore             	0x00000005b2ef43ec WebCore::Display::TreeBuilder::recursiveBuildDisplayTree(WebCore::Layout::LayoutState const&, WebCore::Layout::Box const&,
Comment 1 Radar WebKit Bug Importer 2020-11-30 14:22:18 PST
<rdar://problem/71822844>
Comment 2 Truitt Savell 2020-11-30 14:46:51 PST
I was able to bisect this to r268604
Comment 3 Ryan Haddad 2020-12-02 09:54:15 PST
Created attachment 415230
crash log
Comment 4 Ryan Haddad 2020-12-02 10:20:24 PST
Based on recent test history, it looks like this may be limited to release builds.
Comment 5 Simon Fraser (smfr) 2020-12-14 15:04:19 PST
What's happening is that during TestController::resetStateToConsistentValues() there are lots of calls to WebPage::preferencesDidChange() via the async IPC, and for some of those calls both layoutFormattingContextIntegrationEnabled and layoutFormattingContextEnabled are true. If Display::view() does a paint at that time, then we hit assertions.

So the underlying causes are:
1. These two settings are incompatible with each other.
2. TestController::resetStateToConsistentValues() triggers lots of calls to WebPage::preferencesDidChange().
Comment 6 Simon Fraser (smfr) 2020-12-14 15:10:17 PST
<rdar://problem/69985187>
Comment 7 Simon Fraser (smfr) 2020-12-14 15:12:27 PST
Created attachment 416198
Patch
Comment 8 EWS 2020-12-14 16:19:55 PST
Committed r270809: <https://trac.webkit.org/changeset/270809>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 416198.