Bug 226367

Summary: Release assert in RenderFlexibleBox::computeInnerFlexBaseSizeForChild via RenderFlexibleBox::layoutFlexItems
Product: WebKit
Reporter: Ryosuke Niwa <rniwa>
Component: Layout and Rendering
Assignee: Rob Buis <rbuis>
Status: RESOLVED FIXED
Severity: Normal
CC: bfulgham, cgarcia, darin, ews-feeder, fred.wang, gpoo, koivisto, product-security, rbuis, simon.fraser, svillar, webkit-bug-importer, zalan
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
See Also: https://bugs.webkit.org/show_bug.cgi?id=226790

Ryosuke Niwa
Reported 2021-05-27 22:00:29 PDT
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
1 com.apple.WebCore 0x0000000201ae3e5e std::__1::__throw_bad_optional_access() + 14 (optional:193)
2 com.apple.WebCore 0x00000002071ad053 std::__1::optional<WebCore::LayoutUnit>::value() && + 51 (optional:965)
3 com.apple.WebCore 0x000000020736faad WebCore::RenderFlexibleBox::computeInnerFlexBaseSizeForChild(WebCore::RenderBox&, WebCore::LayoutUnit) + 429 (RenderFlexibleBox.cpp:953)
4 com.apple.WebCore 0x00000002073709a5 WebCore::RenderFlexibleBox::constructFlexItem(WebCore::RenderBox&, bool) + 613 (RenderFlexibleBox.cpp:1340)
5 com.apple.WebCore 0x000000020736769d WebCore::RenderFlexibleBox::layoutFlexItems(bool) + 685 (RenderFlexibleBox.cpp:995)
6 com.apple.WebCore 0x0000000207366aa7 WebCore::RenderFlexibleBox::layoutBlock(bool, WebCore::LayoutUnit) + 999 (RenderFlexibleBox.cpp:307)
7 com.apple.WebCore 0x000000020721ef8a WebCore::RenderBlock::layout() + 282 (RenderBlock.cpp:598)
8 com.apple.WebCore 0x00000002072555e5 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 1461 (RenderBlockFlow.cpp:764)
9 com.apple.WebCore 0x000000020725200e WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 718 (RenderBlockFlow.cpp:675)
10 com.apple.WebCore 0x0000000207250188 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 1240 (RenderBlockFlow.cpp:527)
11 com.apple.WebCore 0x000000020721ef8a WebCore::RenderBlock::layout() + 282 (RenderBlock.cpp:598)
12 com.apple.WebCore 0x00000002075d5547 WebCore::RenderView::layout() + 1479 (RenderView.cpp:185)
13 com.apple.WebCore 0x00000002066c77bf WebCore::FrameViewLayoutContext::layout() + 1359 (FrameViewLayoutContext.cpp:233)
14 com.apple.WebCore 0x000000020549fc28 WebCore::Document::implicitClose() + 1064 (Document.cpp:3187)
15 com.apple.WebCore 0x0000000206429bb9 WebCore::FrameLoader::checkCallImplicitClose() + 217 (FrameLoader.cpp:940)
16 com.apple.WebCore 0x0000000206429043 WebCore::FrameLoader::checkCompleted() + 691 (FrameLoader.cpp:881)
17 com.apple.WebCore 0x0000000206425615 WebCore::FrameLoader::finishedParsing() + 453 (FrameLoader.cpp:786)
18 com.apple.WebCore 0x00000002054c0894 WebCore::Document::finishedParsing() + 612 (Document.cpp:6060)
19 com.apple.WebCore 0x0000000205e55075 WebCore::HTMLConstructionSite::finishedParsing() + 37 (HTMLConstructionSite.cpp:419)
20 com.apple.WebCore 0x0000000205eb4d0e WebCore::HTMLTreeBuilder::finished() + 30 (HTMLTreeBuilder.cpp:2843)
21 com.apple.WebCore 0x0000000205e654e8 WebCore::HTMLDocumentParser::end() + 24 (HTMLDocumentParser.cpp:449)
22 com.apple.WebCore 0x0000000205e62da9 WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() + 57 (HTMLDocumentParser.cpp:458)
23 com.apple.WebCore 0x0000000205e62cc1 WebCore::HTMLDocumentParser::prepareToStopParsing() + 273 (HTMLDocumentParser.cpp:152)
24 com.apple.WebCore 0x0000000205e65530 WebCore::HTMLDocumentParser::attemptToEnd() + 64 (HTMLDocumentParser.cpp:470)
25 com.apple.WebCore 0x0000000205e655ca WebCore::HTMLDocumentParser::finish() + 42 (HTMLDocumentParser.cpp:498)
26 com.apple.WebCore 0x00000002063aaad1 WebCore::DocumentWriter::end() + 417 (DocumentWriter.cpp:294)
27 com.apple.WebCore 0x00000002063a9633 WebCore::DocumentLoader::finishedLoading() + 739 (DocumentLoader.cpp:489)
28 com.apple.WebCore 0x00000002063a8e4e WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource&, WebCore::NetworkLoadMetrics const&) + 1262 (DocumentLoader.cpp:433)
29 com.apple.WebCore 0x0000000206589060 WebCore::CachedResource::checkNotify(WebCore::NetworkLoadMetrics const&) + 384 (CachedResource.cpp:336)
30 com.apple.WebCore 0x00000002065835cf WebCore::CachedResource::finishLoading(WebCore::SharedBuffer*, WebCore::NetworkLoadMetrics const&) + 79 (CachedResource.cpp:352)

<rdar://78570689>
Attachments
Test (131 bytes, text/html)
2021-05-27 22:39 PDT, Ryosuke Niwa
no flags
Patch (1.50 KB, patch)
2021-05-28 03:21 PDT, Rob Buis
no flags
Patch (3.28 KB, patch)
2021-05-28 05:28 PDT, Rob Buis
no flags
Rob Buis
Comment 1 2021-05-27 22:22:30 PDT
Needs a testcase :)
Ryosuke Niwa
Comment 2 2021-05-27 22:39:06 PDT
Ryosuke Niwa
Comment 3 2021-05-27 22:42:08 PDT
(In reply to Rob Buis from comment #1)
> Needs a testcase :)

Oops, added.
Rob Buis
Comment 4 2021-05-27 23:11:30 PDT
This seems related to width: intrinsic usage, will have a look.
Ryosuke Niwa
Comment 5 2021-05-28 00:44:44 PDT
(In reply to Rob Buis from comment #4)
> This seems related to width: intrinsic usage, will have a look.

Huh, is that feature enabled on trunk?
Rob Buis
Comment 6 2021-05-28 00:47:16 PDT
(In reply to Ryosuke Niwa from comment #5)
> (In reply to Rob Buis from comment #4)
> > This seems related to width: intrinsic usage, will have a look.
>
> Huh, is that feature enabled on trunk?

I know very little about this keyword. So far I found it is listed as kind of an alias for max-content here: https://developer.mozilla.org/en-US/docs/Web/CSS/width

However, replacing intrinsic with max-content does not make the test crash, so it is not a pure alias.
Rob Buis
Comment 7 2021-05-28 03:21:20 PDT
Rob Buis
Comment 8 2021-05-28 05:28:26 PDT
EWS
Comment 9 2021-05-31 02:22:20 PDT
Committed r278275 (238312@main): <https://commits.webkit.org/238312@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 430004 [details].
Sergio Villar Senin
Comment 10 2021-05-31 04:27:21 PDT
Comment on attachment 430004 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=430004&action=review

> Source/WebCore/rendering/RenderFlexibleBox.cpp:878
> +    if (isColumnFlow() && (flexBasis.isIntrinsic() || flexBasis.type() == LengthType::Intrinsic))

Does the attached test case crash with LengthType::MinIntrinsic? If so, can we replace this second part with flexBasis.isLegacyIntrinsic()?