| Summary: | [ macOS debug arm64 ] ASSERTION FAILED: count >= 1 ./rendering/RenderMultiColumnSet.cpp(450) : unsigned int WebCore::RenderMultiColumnSet::columnCount() const | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Robert Jenner <jenner> |
| Component: | Layout and Rendering | Assignee: | zalan <zalan> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | bfulgham, cdumez, changseok, esprehn+autocc, ews-watchlist, glenn, kondapallykalyan, pdr, simon.fraser, thorton, webkit-bot-watchers-bugzilla, webkit-bug-importer, zalan |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
Description
Robert Jenner
2021-03-12 15:48:05 PST

Created attachment 423089 [details]
223144-Full Crashlog

Attaching the full Crashlog to this bug.

I cannot reproduce the crash as it is only occurring on an Apple Silicon Mac, and I do not have access to one. It should also be noted that this has been crashing since it started running on an Apple Silicon Mac.

This stack trace looks hilariously wrong. I really hope that it is wrong.

This does reproduce locally as is.

When reproducing locally, the stack trace looked normal.

Updating test expectations to Crash while test is being reviewed: https://trac.webkit.org/changeset/274515/webkit

The issue is that static_cast<float>(logicalHeightInColumns) is negative (-1.67771e+07). With ceil(), we end up with -108941.0 which we try to implicitly cast to an unsigned variable. Converting a negative double into an unsigned integer type is undefined behavior.

I am guessing the real issue though is that logicalHeightInColumns should likely not be negative.

Created attachment 423666 [details]
Patch
I am trying to find out how we end up with a negative value in the first place.

(In reply to Chris Dumez from comment #9)
> I am trying to find out how we end up with a negative value in the first
> place

RenderFragmentContainer::setFragmentedFlowPortionRect(-1.67771e+07, 300)

```
1 0x26ce2c9be WebCore::RenderFragmentContainer::setFragmentedFlowPortionRect(WebCore::LayoutRect const&)
2 0x26ce2f152 WebCore::RenderFragmentContainerSet::expandToEncompassFragmentedFlowContentsIfNeeded()
3 0x26cf37910 WebCore::RenderMultiColumnFlow::layout()
4 0x26cd720c9 WebCore::RenderBlockFlow::layoutExcludedChildren(bool)
5 0x26cd5f827 WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)
6 0x26cd5e7e3 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)
7 0x26cd5fadc WebCore::RenderBlockFlow::relayoutForPagination()
8 0x26cd5e918 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)
9 0x26cd45f69 WebCore::RenderBlock::layout()
10 0x26cc9dcdc WebCore::RenderElement::layoutIfNeeded()
11 0x26cd48a37 WebCore::RenderBlock::layoutPositionedObject(WebCore::RenderBox&, bool, bool)
12 0x26cd482fe WebCore::RenderBlock::layoutPositionedObjects(bool, bool)
13 0x26cd5ed5a WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)
14 0x26cd45f69 WebCore::RenderBlock::layout()
15 0x26cfe4f13 WebCore::RenderView::layout()
16 0x26c4cf811 WebCore::FrameViewLayoutContext::layout()
17 0x26b70d666 WebCore::Document::implicitClose()
18 0x26c2c7b7b WebCore::FrameLoader::checkCallImplicitClose()
19 0x26c2c75aa WebCore::FrameLoader::checkCompleted()
20 0x26c2c5697 WebCore::FrameLoader::finishedParsing()
21 0x26b722176 WebCore::Document::finishedParsing()
22 0x26be5ccc8 WebCore::HTMLConstructionSite::finishedParsing()
23 0x26bea2a07 WebCore::HTMLTreeBuilder::finished()
24 0x26be642f8 WebCore::HTMLDocumentParser::end()
25 0x26be61fc8 WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd()
26 0x26be61d07 WebCore::HTMLDocumentParser::prepareToStopParsing()
27 0x26be64362 WebCore::HTMLDocumentParser::attemptToEnd()
28 0x26be64429 WebCore::HTMLDocumentParser::finish()
29 0x26c29fba4 WebCore::DocumentWriter::end()
30 0x26c251f44 WebCore::DocumentLoader::finishedLoading()
31 0x26c2518e1 WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource&, WebCore::NetworkLoadMetrics const&)
```

(In reply to Chris Dumez from comment #10)
> (In reply to Chris Dumez from comment #9)
> > I am trying to find out how we end up with a negative value in the first
> > place
>
> RenderFragmentContainer::setFragmentedFlowPortionRect(-1.67771e+07, 300)

In RenderFragmentContainerSet::expandToEncompassFragmentedFlowContentsIfNeeded():

```
LayoutUnit logicalHeightWithOverflow = (isHorizontal ? layoutRect.maxY() : layoutRect.maxX()) - logicalTopOffset;
```

isHorizontal is true, layoutRect.maxY() is 154 and logicalTopOffset is 1.67772e+07. As a result, `layoutRect.maxY() - logicalTopOffset` becomes negative.

Zalan will be taking over to figure out why we end up with a negative value in RenderFragmentContainerSet::expandToEncompassFragmentedFlowContentsIfNeeded() and a proper fix.

Created attachment 423754 [details]
Patch
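The undefined double-to-unsigned conversion called out in the comments above and the negative subtraction traced in the reply to comment #10 are illustrated by the following added example. It is not WebKit's code and does not show the fix that landed; `logicalHeightWithOverflow`, `unsafeForUnsigned` and `checkedColumnCount` are hypothetical stand-ins for the expressions named in the comments, and the column height of 154 is an assumed value.

```cpp
#include <cmath>
#include <limits>

// Added illustration (not WebKit code) of the failure mode in this report:
// a negative logical height reaches ceil(height / columnHeight) and the
// negative result is converted to an unsigned column count. That conversion
// is undefined behaviour in C++, so it has to be rejected before it happens.

// The subtraction from the reply to comment #10, with the reported values:
// 154 - 1.67772e+07 yields a negative "logical height with overflow".
double logicalHeightWithOverflow(double maxY, double logicalTopOffset)
{
    return maxY - logicalTopOffset;
}

// True when converting d to unsigned would be undefined behaviour:
// NaN/inf, negative after truncation, or beyond the unsigned range.
bool unsafeForUnsigned(double d)
{
    if (!std::isfinite(d))
        return true;
    double t = std::trunc(d); // the conversion truncates toward zero first
    return t < 0.0 || t > static_cast<double>(std::numeric_limits<unsigned>::max());
}

struct ColumnCountResult {
    bool ok;        // false when the inputs cannot yield a valid count
    unsigned count; // valid (>= 1) only when ok is true
};

// Hardened column count: never returns 0 (the assertion in the report
// demands count >= 1) and never performs an undefined conversion. Reports
// ok == false only for unusable inputs (non-positive column height,
// non-finite height, or a count that does not fit in an unsigned).
ColumnCountResult checkedColumnCount(double logicalHeightInColumns, double columnHeight)
{
    if (!(columnHeight > 0.0) || !std::isfinite(logicalHeightInColumns))
        return { false, 0u };
    if (logicalHeightInColumns <= 0.0)
        return { true, 1u }; // empty or (bogus) negative portion: clamp to one column
    double count = std::ceil(logicalHeightInColumns / columnHeight);
    if (unsafeForUnsigned(count))
        return { false, 0u };
    return { true, static_cast<unsigned>(count) };
}
```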
Created attachment 423803 [details]
Patch

Committed r274774: <https://commits.webkit.org/r274774>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 423803 [details].