Bug 222711

Summary: ASSERTION FAILED: contentSize >= 0 in WebCore::RenderFlexibleBox::adjustChildSizeForMinAndMax
Product: WebKit
Reporter: Ryan Haddad <ryanhaddad>
Component: Layout and Rendering
Assignee: Sergio Villar Senin <svillar>
Status: RESOLVED FIXED
Severity: Normal
CC: bfulgham, cdumez, changseok, esprehn+autocc, ews-watchlist, glenn, koivisto, kondapallykalyan, pdr, rbuis, sabouhallawa, simon.fraser, svillar, thorton, webkit-bot-watchers-bugzilla, webkit-bug-importer, zalan
Priority: P2
Keywords: InRadar
Version: Other
Hardware: Unspecified
OS: Unspecified
See Also: https://bugs.webkit.org/show_bug.cgi?id=222651
Attachments:
Patch; flags: simon.fraser: review+, zalan: commit-queue-
Patch; flags: none

Description Ryan Haddad 2021-03-03 23:25:28 PST
imported/w3c/web-platform-tests/css/css-flexbox/frameset-crash.html, which was recently imported with https://trac.webkit.org/changeset/273825/webkit, is frequently asserting on iOS and macOS debug bots.

https://results.webkit.org/?suite=layout-tests&test=imported%2Fw3c%2Fweb-platform-tests%2Fcss%2Fcss-flexbox%2Fframeset-crash.html

ASSERTION FAILED: contentSize >= 0
./rendering/RenderFlexibleBox.cpp(1210) : WebCore::LayoutUnit WebCore::RenderFlexibleBox::adjustChildSizeForMinAndMax(const WebCore::RenderBox &, WebCore::LayoutUnit)
1   0x144404329 WTFCrash
2   0x127ee57db WTFCrashWithInfo(int, char const*, char const*, int)
3   0x12c8ccbaa WebCore::RenderFlexibleBox::adjustChildSizeForMinAndMax(WebCore::RenderBox const&, WebCore::LayoutUnit)
4   0x12c8ca6f0 WebCore::RenderFlexibleBox::constructFlexItem(WebCore::RenderBox&, bool)
5   0x12c8c585a WebCore::RenderFlexibleBox::layoutFlexItems(bool)
6   0x12c8c5364 WebCore::RenderFlexibleBox::layoutBlock(bool, WebCore::LayoutUnit)
7   0x12c7db8b9 WebCore::RenderBlock::layout()
8   0x12c7f6a02 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
9   0x12c7f5344 WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)
10  0x12c7f41c3 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)
11  0x12c7db8b9 WebCore::RenderBlock::layout()
12  0x12c7f6a02 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
13  0x12c7f5344 WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)
14  0x12c7f41c3 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)
15  0x12c7db8b9 WebCore::RenderBlock::layout()
16  0x12c7f6a02 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
17  0x12c7f5344 WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)
18  0x12c7f41c3 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)
19  0x12c7db8b9 WebCore::RenderBlock::layout()
20  0x12caaee33 WebCore::RenderView::layout()
21  0x12be804b1 WebCore::FrameViewLayoutContext::layout()
22  0x12af61ce6 WebCore::Document::implicitClose()
23  0x12bc44d6b WebCore::FrameLoader::checkCallImplicitClose()
24  0x12bc4479a WebCore::FrameLoader::checkCompleted()
25  0x12bc42887 WebCore::FrameLoader::finishedParsing()
26  0x12af76866 WebCore::Document::finishedParsing()
27  0x12b76fdd8 WebCore::HTMLConstructionSite::finishedParsing()
28  0x12b7b8c97 WebCore::HTMLTreeBuilder::finished()
29  0x12b777418 WebCore::HTMLDocumentParser::end()
30  0x12b7750e8 WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd()
31  0x12b774e27 WebCore::HTMLDocumentParser::prepareToStopParsing()
Comment 1 Radar WebKit Bug Importer 2021-03-03 23:25:55 PST
<rdar://problem/75022692>
Comment 2 Sergio Villar Senin 2021-03-04 00:49:04 PST
Committed r273876 (234837@main): <https://commits.webkit.org/234837@main>
Comment 3 Sergio Villar Senin 2021-03-04 00:50:12 PST
This was not meant to be closed.

I've just landed in r273876 a gardening patch skipping this test in Debug until we figure out what's going on.
Comment 4 Sergio Villar Senin 2021-03-16 05:26:33 PDT
Created attachment 423322 [details]
Patch
Comment 5 Sergio Villar Senin 2021-03-18 05:17:43 PDT
Ping reviewers
Comment 6 Sergio Villar Senin 2021-04-13 01:52:40 PDT
Another gentle ping
Comment 7 zalan 2021-05-03 18:52:25 PDT
Comment on attachment 423322 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=423322&action=review

> Source/WebCore/rendering/RenderFrameSet.cpp:437
> +    ASSERT(preferredLogicalWidthsDirty());
> +
> +    RenderBox::computePreferredLogicalWidths(style().logicalMinWidth(), style().logicalMaxWidth(), borderAndPaddingLogicalWidth());
> +    setPreferredLogicalWidthsDirty(false);
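Review bot: the new override carries no comment recording why RenderFrameSet needs its own computePreferredLogicalWidths(); a one-line note that a frameset laid out as a flex item otherwise reaches RenderFlexibleBox::adjustChildSizeForMinAndMax with preferred widths that were never computed (the contentSize >= 0 assertion this bug tracks) would spare the next reader the archaeology. The ASSERT(preferredLogicalWidthsDirty()) entry guard and the trailing setPreferredLogicalWidthsDirty(false) are consistent with the other overrides; the Debug-only skip of frameset-crash.html landed in r273876 (comment 3) should be lifted in the same change so the test actually guards the fix.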

I am curious as to why RenderBox::computePreferredLogicalWidths() does not simply call the other computePreferredLogicalWidths() function. I did a quick grep and it looked like many RenderBox subclasses override this function. It would be interesting to know if there's another class that's missing the override and whether it is intentional or just a mistake like this. I'd move this functionality up to the RenderBox unless there's a good reason not to (so that we don't end up with this exact same bug if someone introduces a new subclass).
Comment 8 Sergio Villar Senin 2021-05-04 04:11:39 PDT
Created attachment 427650 [details]
Patch

Something like this, Alan?
Comment 9 zalan 2021-05-04 06:41:58 PDT
(In reply to Sergio Villar Senin from comment #8)
> Created attachment 427650 [details]
> Patch
> 
> Something like this Alan?
Exactly like this! Thanks! Will review it in a bit.
Comment 10 zalan 2021-05-04 10:19:44 PDT
Comment on attachment 427650 [details]
Patch

So it looks like there are 2 classes with no computePreferredLogicalWidths override, RenderTableRow and RenderMultiColumnSpannerPlaceholder. If this patch regresses them in any way, we could just override and leave them empty with an explanation of why they should not need to provide the preferred logical width.
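As an added illustration that is not WebKit's source and not the patch under review, the C++ miniature below models the failure zalan describes in comments 7 and 10 (a RenderBox subclass with no computePreferredLogicalWidths override) and the effect of moving a sensible default up to the base class. The class and function names mirror WebKit's for readability, but the geometry arithmetic and the sentinel value are simplifications and assumptions of this example; the real engine asserts where this model returns nullopt.

```cpp
// Added illustration, NOT WebKit source and not the patch under review:
// a miniature model of the failure discussed in this bug (a RenderBox
// subclass with no computePreferredLogicalWidths override) and of the
// reviewer's suggestion to put a sensible default on the base class.
// Class and function names mirror WebKit's for readability, but the
// arithmetic below is a deliberate simplification (an assumption).
#include <algorithm>
#include <cstdio>
#include <optional>

using LayoutUnit = int;

struct Style {
    LayoutUnit logicalWidth = 0;               // CSS width
    std::optional<LayoutUnit> logicalMinWidth; // CSS min-width, if specified
    std::optional<LayoutUnit> logicalMaxWidth; // CSS max-width, if specified
};

class RenderBox {
public:
    RenderBox(Style style, LayoutUnit borderAndPadding)
        : m_style(style), m_borderAndPaddingLogicalWidth(borderAndPadding) {}
    virtual ~RenderBox() = default;

    // "After" design: the base class derives preferred widths from style,
    // so a subclass that never overrides this hook still gets valid values.
    virtual void computePreferredLogicalWidths()
    {
        LayoutUnit content = m_style.logicalWidth;
        if (m_style.logicalMinWidth)
            content = std::max(content, *m_style.logicalMinWidth);
        if (m_style.logicalMaxWidth)
            content = std::min(content, *m_style.logicalMaxWidth);
        m_minPreferredLogicalWidth = content + m_borderAndPaddingLogicalWidth;
        m_maxPreferredLogicalWidth = m_minPreferredLogicalWidth;
        m_preferredLogicalWidthsDirty = false;
    }

    LayoutUnit minPreferredLogicalWidth()
    {
        if (m_preferredLogicalWidthsDirty)
            computePreferredLogicalWidths();
        return m_minPreferredLogicalWidth;
    }
    LayoutUnit borderAndPaddingLogicalWidth() const { return m_borderAndPaddingLogicalWidth; }
    const Style& style() const { return m_style; }

protected:
    Style m_style;
    LayoutUnit m_borderAndPaddingLogicalWidth;
    // -1 stands for "never computed" (an assumption of this model); nothing
    // valid is there until some computePreferredLogicalWidths() actually runs.
    LayoutUnit m_minPreferredLogicalWidth = -1;
    LayoutUnit m_maxPreferredLogicalWidth = -1;
    bool m_preferredLogicalWidthsDirty = true;
};

// Relies on the base-class default: the shape of the fixed RenderFrameSet.
class FrameSetUsingBaseDefault : public RenderBox {
public:
    using RenderBox::RenderBox;
};

// Models the "before" state: the hook runs but computes nothing, which is
// what a subclass without its own override got when the base hook was empty.
class FrameSetWithEmptyHook : public RenderBox {
public:
    using RenderBox::RenderBox;
    void computePreferredLogicalWidths() override { m_preferredLogicalWidthsDirty = false; }
};

// Simplified stand-in for the clamp in RenderFlexibleBox::adjustChildSizeForMinAndMax.
// A flex item's 'auto' min-width resolves to its min-content size, which is where
// the engine asserts contentSize >= 0; this model returns nullopt instead of
// asserting so the failing case can be observed from a test.
std::optional<LayoutUnit> adjustChildSizeForMinAndMax(RenderBox& child, LayoutUnit childSize)
{
    if (child.style().logicalMaxWidth)
        childSize = std::min(childSize, *child.style().logicalMaxWidth);
    LayoutUnit contentSize = child.minPreferredLogicalWidth() - child.borderAndPaddingLogicalWidth();
    if (contentSize < 0)
        return std::nullopt; // "ASSERTION FAILED: contentSize >= 0" in the real engine
    return std::max(childSize, contentSize);
}

// Scenario helpers using constructed sample geometry: CSS width 200,
// max-width 300, border+padding 10.
std::optional<LayoutUnit> sizeWithBaseDefault(LayoutUnit childSize)
{
    FrameSetUsingBaseDefault frameSet(Style{200, std::nullopt, 300}, 10);
    return adjustChildSizeForMinAndMax(frameSet, childSize);
}

std::optional<LayoutUnit> sizeWithEmptyHook(LayoutUnit childSize)
{
    FrameSetWithEmptyHook frameSet(Style{200, std::nullopt, 300}, 10);
    return adjustChildSizeForMinAndMax(frameSet, childSize);
}

int main()
{
    auto ok = sizeWithBaseDefault(500);  // clamped to max-width 300
    auto bad = sizeWithEmptyHook(500);   // preferred widths never computed
    std::printf("base default: %d\n", ok ? *ok : -1);
    std::printf("empty hook:   %s\n", bad ? "ok" : "would assert");
    return 0;
}
```

With the base default in place the flex clamp sees a min-content size of 200 (width 200, border and padding excluded) and a max-width ceiling of 300, so an oversized item lands at 300 and an undersized one is floored at 200. With the empty hook the sentinel is never replaced, the subtraction of border and padding goes negative, and the model reports the case the engine's assertion catches.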
Comment 11 EWS 2021-05-04 11:19:51 PDT
Committed r276971 (237300@main): <https://commits.webkit.org/237300@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 427650 [details].