Bug 226367

Summary: Release assert in RenderFlexibleBox::computeInnerFlexBaseSizeForChild via RenderFlexibleBox::layoutFlexItems
Product: WebKit Reporter: Ryosuke Niwa <rniwa>
Component: Layout and RenderingAssignee: Rob Buis <rbuis>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, cgarcia, darin, ews-feeder, fred.wang, gpoo, koivisto, product-security, rbuis, simon.fraser, svillar, webkit-bug-importer, zalan
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=226790
Attachments:
Description Flags
Test
none
Patch
none
Patch none

Description Ryosuke Niwa 2021-05-27 22:00:29 PDT 
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
1   com.apple.WebCore             	0x0000000201ae3e5e std::__1::__throw_bad_optional_access() + 14 (optional:193)
2   com.apple.WebCore             	0x00000002071ad053 std::__1::optional<WebCore::LayoutUnit>::value() && + 51 (optional:965)
3   com.apple.WebCore             	0x000000020736faad WebCore::RenderFlexibleBox::computeInnerFlexBaseSizeForChild(WebCore::RenderBox&, WebCore::LayoutUnit) + 429 (RenderFlexibleBox.cpp:953)
4   com.apple.WebCore             	0x00000002073709a5 WebCore::RenderFlexibleBox::constructFlexItem(WebCore::RenderBox&, bool) + 613 (RenderFlexibleBox.cpp:1340)
5   com.apple.WebCore             	0x000000020736769d WebCore::RenderFlexibleBox::layoutFlexItems(bool) + 685 (RenderFlexibleBox.cpp:995)
6   com.apple.WebCore             	0x0000000207366aa7 WebCore::RenderFlexibleBox::layoutBlock(bool, WebCore::LayoutUnit) + 999 (RenderFlexibleBox.cpp:307)
7   com.apple.WebCore             	0x000000020721ef8a WebCore::RenderBlock::layout() + 282 (RenderBlock.cpp:598)
8  com.apple.WebCore             	0x00000002072555e5 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 1461 (RenderBlockFlow.cpp:764)
9  com.apple.WebCore             	0x000000020725200e WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 718 (RenderBlockFlow.cpp:675)
10  com.apple.WebCore             	0x0000000207250188 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 1240 (RenderBlockFlow.cpp:527)
11  com.apple.WebCore             	0x000000020721ef8a WebCore::RenderBlock::layout() + 282 (RenderBlock.cpp:598)
12  com.apple.WebCore             	0x00000002075d5547 WebCore::RenderView::layout() + 1479 (RenderView.cpp:185)
13  com.apple.WebCore             	0x00000002066c77bf WebCore::FrameViewLayoutContext::layout() + 1359 (FrameViewLayoutContext.cpp:233)
14  com.apple.WebCore             	0x000000020549fc28 WebCore::Document::implicitClose() + 1064 (Document.cpp:3187)
15  com.apple.WebCore             	0x0000000206429bb9 WebCore::FrameLoader::checkCallImplicitClose() + 217 (FrameLoader.cpp:940)
16  com.apple.WebCore             	0x0000000206429043 WebCore::FrameLoader::checkCompleted() + 691 (FrameLoader.cpp:881)
17  com.apple.WebCore             	0x0000000206425615 WebCore::FrameLoader::finishedParsing() + 453 (FrameLoader.cpp:786)
18  com.apple.WebCore             	0x00000002054c0894 WebCore::Document::finishedParsing() + 612 (Document.cpp:6060)
19  com.apple.WebCore             	0x0000000205e55075 WebCore::HTMLConstructionSite::finishedParsing() + 37 (HTMLConstructionSite.cpp:419)
20  com.apple.WebCore             	0x0000000205eb4d0e WebCore::HTMLTreeBuilder::finished() + 30 (HTMLTreeBuilder.cpp:2843)
21  com.apple.WebCore             	0x0000000205e654e8 WebCore::HTMLDocumentParser::end() + 24 (HTMLDocumentParser.cpp:449)
22  com.apple.WebCore             	0x0000000205e62da9 WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() + 57 (HTMLDocumentParser.cpp:458)
23  com.apple.WebCore             	0x0000000205e62cc1 WebCore::HTMLDocumentParser::prepareToStopParsing() + 273 (HTMLDocumentParser.cpp:152)
24  com.apple.WebCore             	0x0000000205e65530 WebCore::HTMLDocumentParser::attemptToEnd() + 64 (HTMLDocumentParser.cpp:470)
25  com.apple.WebCore             	0x0000000205e655ca WebCore::HTMLDocumentParser::finish() + 42 (HTMLDocumentParser.cpp:498)
26  com.apple.WebCore             	0x00000002063aaad1 WebCore::DocumentWriter::end() + 417 (DocumentWriter.cpp:294)
27  com.apple.WebCore             	0x00000002063a9633 WebCore::DocumentLoader::finishedLoading() + 739 (DocumentLoader.cpp:489)
28  com.apple.WebCore             	0x00000002063a8e4e WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource&, WebCore::NetworkLoadMetrics const&) + 1262 (DocumentLoader.cpp:433)
29  com.apple.WebCore             	0x0000000206589060 WebCore::CachedResource::checkNotify(WebCore::NetworkLoadMetrics const&) + 384 (CachedResource.cpp:336)
30  com.apple.WebCore             	0x00000002065835cf WebCore::CachedResource::finishLoading(WebCore::SharedBuffer*, WebCore::NetworkLoadMetrics const&) + 79 (CachedResource.cpp:352)

<rdar://78570689>
Comment 1 Rob Buis 2021-05-27 22:22:30 PDT 
Needs a testcase :)
Comment 2 Ryosuke Niwa 2021-05-27 22:39:06 PDT 
Created attachment 429987 [details]
Test
Comment 3 Ryosuke Niwa 2021-05-27 22:42:08 PDT 
(In reply to Rob Buis from comment #1)
> Needs a testcase :)

Oops, added.
Comment 4 Rob Buis 2021-05-27 23:11:30 PDT 
This seems related to width: intrinsic usage, will have a look.
Comment 5 Ryosuke Niwa 2021-05-28 00:44:44 PDT 
(In reply to Rob Buis from comment #4)
> This seems related to width: intrinsic usage, will have a look.

Huh, is that feature enabled on trunk?
Comment 6 Rob Buis 2021-05-28 00:47:16 PDT 
(In reply to Ryosuke Niwa from comment #5)
> (In reply to Rob Buis from comment #4)
> > This seems related to width: intrinsic usage, will have a look.
> 
> Huh, is that feature enabled on trunk?

I know very little about this keyword. So far I found it is listed as kind of an alias for max-content here:
https://developer.mozilla.org/en-US/docs/Web/CSS/width

However replacing intrinsic with max-content does not make the test crash, so it is not a pure alias.
Comment 7 Rob Buis 2021-05-28 03:21:20 PDT 
Created attachment 429998 [details]
Patch
Comment 8 Rob Buis 2021-05-28 05:28:26 PDT 
Created attachment 430004 [details]
Patch
Comment 9 EWS 2021-05-31 02:22:20 PDT 
Committed r278275 (238312@main): <https://commits.webkit.org/238312@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 430004 [details].
Comment 10 Sergio Villar Senin 2021-05-31 04:27:21 PDT 
Comment on attachment 430004 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=430004&action=review

> Source/WebCore/rendering/RenderFlexibleBox.cpp:878
> +    if (isColumnFlow() && (flexBasis.isIntrinsic() || flexBasis.type() == LengthType::Intrinsic))

Does the attached test case crash with LenghtType::MinIntrinsic. If so can we replaced this second part with flexBasis.isLegacyIntrinsic() ?