Bug 223144

Summary:

[ macOS debug arm64 ] ASSERTION FAILED: count >= 1 ./rendering/RenderMultiColumnSet.cpp(450) : unsigned int WebCore::RenderMultiColumnSet::columnCount() const

Product:

WebKit

Reporter:

Robert Jenner <jenner>

Component:

Layout and Rendering

Assignee:

alan <zalan>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

bfulgham, cdumez, changseok, esprehn+autocc, ews-watchlist, glenn, kondapallykalyan, pdr, simon.fraser, thorton, webkit-bot-watchers-bugzilla, webkit-bug-importer, zalan

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
223144-Full Crashlog	none
Patch	none
Patch	none
Patch	none

Robert Jenner

Reported 2021-03-12 15:48:05 PST

fast/multicol/crash-when-spanner-candidate-is-out-of-flow.html is crashing/an Assertion Failure in macOS Debug on Apple Silicon only. HISTORY URL: https://results.webkit.org/?suite=layout-tests&test=fast%2Fmulticol%2Fcrash-when-spanner-candidate-is-out-of-flow.html CRASHLOG TEXT: ASSERTION FAILED: count >= 1 ./rendering/RenderMultiColumnSet.cpp(450) : unsigned int WebCore::RenderMultiColumnSet::columnCount() const 1 0x135b34bcc WTFCrash 2 0x114ae0da0 WebCore::JSRTCRtpReceiver::createPrototype(JSC::VM&, WebCore::JSDOMGlobalObject&) 3 0x1183b1a3c WebCore::RenderMultiColumnSet::columnCount() const 4 0x1183b3ff8 WebCore::RenderMultiColumnSet::addOverflowFromChildren() 5 0x1181b12e4 WebCore::RenderBlock::computeOverflow(WebCore::LayoutUnit, bool) 6 0x1181d2038 WebCore::RenderBlockFlow::computeOverflow(WebCore::LayoutUnit, bool) 7 0x1181c796c WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) 8 0x1181b0dfc WebCore::RenderBlock::layout() 9 0x1183b2254 WebCore::RenderMultiColumnSet::layout() 10 0x1181c98b8 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) 11 0x1181c82f8 WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) 12 0x1181c7588 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) 13 0x1181c8490 WebCore::RenderBlockFlow::relayoutForPagination() 14 0x1181c767c WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) 15 0x1181b0dfc WebCore::RenderBlock::layout() 16 0x1180fbfdc WebCore::RenderElement::layoutIfNeeded() 17 0x1181b37bc WebCore::RenderBlock::layoutPositionedObject(WebCore::RenderBox&, bool, bool) 18 0x1181b304c WebCore::RenderBlock::layoutPositionedObjects(bool, bool) 19 0x1181c7938 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) 20 0x1181b0dfc WebCore::RenderBlock::layout() 21 0x11846b094 WebCore::RenderView::layout() 22 0x11781e0e0 WebCore::FrameViewLayoutContext::layout() 23 0x1168c68ac WebCore::Document::implicitClose() 24 0x1175ddadc WebCore::FrameLoader::checkCallImplicitClose() 25 0x1175dd5b4 WebCore::FrameLoader::checkCompleted() 26 0x1175db7dc WebCore::FrameLoader::finishedParsing() 27 0x1168d9b10 WebCore::Document::finishedParsing() 28 0x1170fa1dc WebCore::HTMLConstructionSite::finishedParsing() 29 0x117141d5c WebCore::HTMLTreeBuilder::finished() 30 0x117101644 WebCore::HTMLDocumentParser::end() 31 0x1170ff4fc WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() LEAK: 1 WebPageProxy

Attachments
223144-Full Crashlog (111.63 KB, text/plain) 2021-03-12 15:50 PST, Robert Jenner	no flags	Details
Patch (3.18 KB, patch) 2021-03-18 16:08 PDT, Chris Dumez	no flags	Details Formatted Diff Diff
Patch (6.73 KB, patch) 2021-03-19 11:30 PDT, alan	no flags	Details Formatted Diff Diff
Patch (6.80 KB, patch) 2021-03-19 20:56 PDT, alan	no flags	Details Formatted Diff Diff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2021-03-12 15:49:22 PST

<rdar://problem/75381496>

Robert Jenner

Comment 2 2021-03-12 15:50:20 PST

Created attachment 423089 [details] 223144-Full Crashlog Attaching the full Crashlog to this bug.

Robert Jenner

Comment 3 2021-03-12 15:50:28 PST

I cannot reproduce the crash as it is only occurring on an Apple Silicon Mac, and I do not have access to one. It should also be noted that this has been crashing since it started running on an Apple Silicon Mac.

Alexey Proskuryakov

Comment 4 2021-03-12 16:32:59 PST

This stack trace looks hilariously wrong. I really hope that it is wrong. This does reproduce locally as is.

Alexey Proskuryakov

Comment 5 2021-03-12 16:53:52 PST

When reproducing locally, the stack trace looked normal.

Robert Jenner

Comment 6 2021-03-16 14:13:47 PDT

Updating test expectations to Crash while test is being reviewed: https://trac.webkit.org/changeset/274515/webkit

Chris Dumez

Comment 7 2021-03-18 16:01:45 PDT

The issue is that static_cast<float>(logicalHeightInColumns) is negative (-1.67771e+07). With ceil(), we end up with -108941.0 which we try to implicitly cast to an unsigned variable. Converting a negative double into an unsigned integer type is undefined behavior. I am guessing the real issue though is that logicalHeightInColumns should likely not be negative..

Chris Dumez

Comment 8 2021-03-18 16:08:46 PDT

Created attachment 423666 [details] Patch

Chris Dumez

Comment 9 2021-03-18 16:11:21 PDT

I am trying to find out how we end up with a negative value in the first place

Chris Dumez

Comment 10 2021-03-18 16:12:40 PDT

(In reply to Chris Dumez from comment #9) > I am trying to find out how we end up with a negative value in the first > place RenderFragmentContainer::setFragmentedFlowPortionRect(-1.67771e+07, 300) 1 0x26ce2c9be WebCore::RenderFragmentContainer::setFragmentedFlowPortionRect(WebCore::LayoutRect const&) 2 0x26ce2f152 WebCore::RenderFragmentContainerSet::expandToEncompassFragmentedFlowContentsIfNeeded() 3 0x26cf37910 WebCore::RenderMultiColumnFlow::layout() 4 0x26cd720c9 WebCore::RenderBlockFlow::layoutExcludedChildren(bool) 5 0x26cd5f827 WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) 6 0x26cd5e7e3 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) 7 0x26cd5fadc WebCore::RenderBlockFlow::relayoutForPagination() 8 0x26cd5e918 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) 9 0x26cd45f69 WebCore::RenderBlock::layout() 10 0x26cc9dcdc WebCore::RenderElement::layoutIfNeeded() 11 0x26cd48a37 WebCore::RenderBlock::layoutPositionedObject(WebCore::RenderBox&, bool, bool) 12 0x26cd482fe WebCore::RenderBlock::layoutPositionedObjects(bool, bool) 13 0x26cd5ed5a WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) 14 0x26cd45f69 WebCore::RenderBlock::layout() 15 0x26cfe4f13 WebCore::RenderView::layout() 16 0x26c4cf811 WebCore::FrameViewLayoutContext::layout() 17 0x26b70d666 WebCore::Document::implicitClose() 18 0x26c2c7b7b WebCore::FrameLoader::checkCallImplicitClose() 19 0x26c2c75aa WebCore::FrameLoader::checkCompleted() 20 0x26c2c5697 WebCore::FrameLoader::finishedParsing() 21 0x26b722176 WebCore::Document::finishedParsing() 22 0x26be5ccc8 WebCore::HTMLConstructionSite::finishedParsing() 23 0x26bea2a07 WebCore::HTMLTreeBuilder::finished() 24 0x26be642f8 WebCore::HTMLDocumentParser::end() 25 0x26be61fc8 WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() 26 0x26be61d07 WebCore::HTMLDocumentParser::prepareToStopParsing() 27 0x26be64362 WebCore::HTMLDocumentParser::attemptToEnd() 28 0x26be64429 WebCore::HTMLDocumentParser::finish() 29 0x26c29fba4 WebCore::DocumentWriter::end() 30 0x26c251f44 WebCore::DocumentLoader::finishedLoading() 31 0x26c2518e1 WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource&, WebCore::NetworkLoadMetrics const&)

Chris Dumez

Comment 11 2021-03-18 16:18:56 PDT

(In reply to Chris Dumez from comment #10) > (In reply to Chris Dumez from comment #9) > > I am trying to find out how we end up with a negative value in the first > > place > > RenderFragmentContainer::setFragmentedFlowPortionRect(-1.67771e+07, 300) > 1 0x26ce2c9be > WebCore::RenderFragmentContainer::setFragmentedFlowPortionRect(WebCore:: > LayoutRect const&) > 2 0x26ce2f152 > WebCore::RenderFragmentContainerSet:: > expandToEncompassFragmentedFlowContentsIfNeeded() > 3 0x26cf37910 WebCore::RenderMultiColumnFlow::layout() > 4 0x26cd720c9 WebCore::RenderBlockFlow::layoutExcludedChildren(bool) > 5 0x26cd5f827 WebCore::RenderBlockFlow::layoutBlockChildren(bool, > WebCore::LayoutUnit&) > 6 0x26cd5e7e3 WebCore::RenderBlockFlow::layoutBlock(bool, > WebCore::LayoutUnit) > 7 0x26cd5fadc WebCore::RenderBlockFlow::relayoutForPagination() > 8 0x26cd5e918 WebCore::RenderBlockFlow::layoutBlock(bool, > WebCore::LayoutUnit) > 9 0x26cd45f69 WebCore::RenderBlock::layout() > 10 0x26cc9dcdc WebCore::RenderElement::layoutIfNeeded() > 11 0x26cd48a37 > WebCore::RenderBlock::layoutPositionedObject(WebCore::RenderBox&, bool, bool) > 12 0x26cd482fe WebCore::RenderBlock::layoutPositionedObjects(bool, bool) > 13 0x26cd5ed5a WebCore::RenderBlockFlow::layoutBlock(bool, > WebCore::LayoutUnit) > 14 0x26cd45f69 WebCore::RenderBlock::layout() > 15 0x26cfe4f13 WebCore::RenderView::layout() > 16 0x26c4cf811 WebCore::FrameViewLayoutContext::layout() > 17 0x26b70d666 WebCore::Document::implicitClose() > 18 0x26c2c7b7b WebCore::FrameLoader::checkCallImplicitClose() > 19 0x26c2c75aa WebCore::FrameLoader::checkCompleted() > 20 0x26c2c5697 WebCore::FrameLoader::finishedParsing() > 21 0x26b722176 WebCore::Document::finishedParsing() > 22 0x26be5ccc8 WebCore::HTMLConstructionSite::finishedParsing() > 23 0x26bea2a07 WebCore::HTMLTreeBuilder::finished() > 24 0x26be642f8 WebCore::HTMLDocumentParser::end() > 25 0x26be61fc8 > WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() > 26 0x26be61d07 WebCore::HTMLDocumentParser::prepareToStopParsing() > 27 0x26be64362 WebCore::HTMLDocumentParser::attemptToEnd() > 28 0x26be64429 WebCore::HTMLDocumentParser::finish() > 29 0x26c29fba4 WebCore::DocumentWriter::end() > 30 0x26c251f44 WebCore::DocumentLoader::finishedLoading() > 31 0x26c2518e1 > WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource&, > WebCore::NetworkLoadMetrics const&) In RenderFragmentContainerSet::expandToEncompassFragmentedFlowContentsIfNeeded(): ``` LayoutUnit logicalHeightWithOverflow = (isHorizontal ? layoutRect.maxY() : layoutRect.maxX()) - logicalTopOffset; ``` isHorizontal is true, layoutRect.maxY() is 154 and logicalTopOffset is 1.67772e+07. As a result, `layoutRect.maxY() - logicalTopOffset` becomes negative.

Chris Dumez

Comment 12 2021-03-18 16:28:33 PDT

Zalan will be taking over to figure out why we end up with a negative value in RenderFragmentContainerSet::expandToEncompassFragmentedFlowContentsIfNeeded() and a proper fix.

alan

Comment 13 2021-03-19 11:30:21 PDT

Created attachment 423754 [details] Patch

alan

Comment 14 2021-03-19 20:56:07 PDT

Created attachment 423803 [details] Patch

EWS

Comment 15 2021-03-22 12:29:20 PDT

Committed r274774: <https://commits.webkit.org/r274774> All reviewed patches have been landed. Closing bug and clearing flags on attachment 423803 [details].

Note You need to log in before you can comment on or make changes to this bug.