Bug 271902

Summary: ASAN_SEGV | RenderTreeBuilder::Block::attachIgnoringContinuation; RenderTreeBuilder::Block::attach; RenderTreeBuilder::BlockFlow::attach
Product: WebKit
Reporter: John Wilander <wilander>
Component: Layout and Rendering
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE
Severity: Normal
CC: abifox, bfulgham, cgarcia, csaavedra, fred.wang, gpoo, koivisto, mikhail, msaboff, pgriffis, rbuis, simon.fraser, webkit-bug-importer, xan.lopez, zalan, zdobersek
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
See Also: https://bugs.webkit.org/show_bug.cgi?id=268770

Attachments:
repro case (1.75 KB, text/html), 2024-03-29 12:37 PDT, John Wilander, no flags

John Wilander
Reported 2024-03-29 12:37:07 PDT
Created attachment 470667 [details]
repro case

<rdar://125183625>

See attached repro case.
Frédéric Wang (:fredw)
Comment 1 2024-04-02 08:07:50 PDT
This is a duplicate of bug 268770. The crash is happening in WebCore::RenderTreeBuilder::Block::attachIgnoringContinuation, where beforeChildContainer is dereferenced after reaching the outermost ancestor:

164     while (beforeChildContainer->parent() != &parent)

(rr) bt
#0  WebCore::RenderTreeBuilder::Block::attachIgnoringContinuation(WebCore::RenderBlock&, std::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) (this=0x7fa5aa24afb0, parent=..., child=std::unique_ptr<WebCore::RenderObject> = {...}, beforeChild=0x7fa54200f8c0) at /home/fred/src-obj/WebKit/Source/WebCore/rendering/updating/RenderTreeBuilderBlock.cpp:164
#1  0x00007fa5cca75432 in WebCore::RenderTreeBuilder::Block::attach(WebCore::RenderBlock&, std::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) (this=0x7fa5aa24afb0, parent=..., child=std::unique_ptr<WebCore::RenderObject> = {...}, beforeChild=beforeChild@entry=0x7fa54200f8c0) at /usr/include/c++/11/bits/unique_ptr.h:172
#2  0x00007fa5cca75958 in WebCore::RenderTreeBuilder::BlockFlow::attach(WebCore::RenderBlockFlow&, std::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) (this=<optimized out>, parent=..., child=std::unique_ptr<WebCore::RenderObject> = {...}, beforeChild=<optimized out>) at /usr/include/c++/11/bits/unique_ptr.h:172
#3  0x00007fa5cca6fc31 in WebCore::RenderTreeBuilder::attachInternal(WebCore::RenderElement&, std::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) (this=<optimized out>, parent=..., child=std::unique_ptr<WebCore::RenderObject> = {...}, beforeChild=<optimized out>) at /usr/include/c++/11/bits/unique_ptr.h:172
#4  0x00007fa5cca75b1b in operator()(WebCore::RenderElement&) const (__closure=0x7ffc313959f0, parentCandidate=...) at /home/fred/src-obj/WebKit/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:207
#5  0x00007fa5cca6f8f1 in WebCore::RenderTreeBuilder::attachInternal(WebCore::RenderElement&, std::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) (this=this@entry=0x7ffc31398360, parent=..., child=std::unique_ptr<WebCore::RenderObject> = {...}, beforeChild=<optimized out>, beforeChild@entry=0x7fa54200f8c0) at /home/fred/src-obj/WebKit/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:328
#6  0x00007fa5cca6ff16 in WebCore::RenderTreeBuilder::attach(WebCore::RenderElement&, std::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) (this=this@entry=0x7ffc31398360, parent=..., child=std::unique_ptr<WebCore::RenderObject> = {...}, beforeChild=0x7fa54200f8c0) at /usr/include/c++/11/bits/unique_ptr.h:172
#7  0x00007fa5cca7f52a in WebCore::RenderTreeUpdater::createTextRenderer(WebCore::Text&, WebCore::Style::TextUpdate const*) (this=this@entry=0x7ffc31398330, textNode=..., textUpdate=textUpdate@entry=0x7fa5aa205398) at /home/fred/src-obj/WebKit/Source/WebCore/rendering/updating/RenderTreePosition.h:45
#8  0x00007fa5cca7f92b in WebCore::RenderTreeUpdater::updateTextRenderer(WebCore::Text&, WebCore::Style::TextUpdate const*) (this=this@entry=0x7ffc31398330, text=..., textUpdate=textUpdate@entry=0x7fa5aa205398) at /home/fred/src-obj/WebKit/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:624
#9  0x00007fa5cca800fe in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) (this=this@entry=0x7ffc31398330, root=<optimized out>) at /home/fred/src-obj/WebKit/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:238
#10 0x00007fa5cca80583 in WebCore::RenderTreeUpdater::commit(std::unique_ptr<WebCore::Style::Update, std::default_delete<WebCore::Style::Update> >) (this=0x7ffc31398330, styleUpdate=std::unique_ptr<WebCore::Style::Update> = {...}) at /home/fred/src-obj/WebKit/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:127
#11 0x00007fa5cbb5dda1 in WebCore::Document::updateRenderTree(std::unique_ptr<WebCore::Style::Update, std::default_delete<WebCore::Style::Update> >) (this=this@entry=0x7fa55a141c00, styleUpdate=std::unique_ptr<WebCore::Style::Update> = {...}) at /usr/include/c++/11/bits/unique_ptr.h:172
#12 0x00007fa5cbb7f79e in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) (this=this@entry=0x7fa55a141c00, type=<optimized out>, type@entry=WebCore::Document::ResolveStyleType::Normal) at /usr/include/c++/11/bits/unique_ptr.h:172
#13 0x00007fa5cbb7fc45 in WebCore::Document::updateStyleIfNeeded() (this=this@entry=0x7fa55a141c00) at /home/fred/src-obj/WebKit/Source/WebCore/dom/Document.cpp:2668
#14 0x00007fa5cbc97405 in WebCore::CompositeEditCommand::textNodeForRebalance(WebCore::Position const&) const (this=this@entry=0x7fa5aa109ff0, position=...) at /home/fred/src-obj/WebKit/Source/WebCore/editing/CompositeEditCommand.cpp:911
#15 0x00007fa5cbc97ad0 in WebCore::CompositeEditCommand::rebalanceWhitespaceAt(WebCore::Position const&) (this=this@entry=0x7fa5aa109ff0, position=...) at /home/fred/src-obj/WebKit/Source/WebCore/editing/CompositeEditCommand.cpp:925
#16 0x00007fa5cbd0f2f8 in WebCore::InsertTextCommand::doApply() (this=0x7fa5aa109ff0) at /home/fred/src-obj/WebKit/Source/WebCore/editing/InsertTextCommand.cpp:213
#17 0x00007fa5cbc900c3 in WebCore::CompositeEditCommand::applyCommandToComposite(WTF::Ref<WebCore::CompositeEditCommand, WTF::RawPtrTraits<WebCore::CompositeEditCommand>, WTF::DefaultRefDerefTraits<WebCore::CompositeEditCommand> >&&, WebCore::VisibleSelection const&) (this=this@entry=0x7fa5aa0a0d20, command=..., selection=...) at /home/fred/src-obj/WebKit/WebKitBuild/RelWithDebInfo/WTF/Headers/wtf/RawPtrTraits.h:44
#18 0x00007fa5cbd48c57 in WebCore::TypingCommand::insertTextRunWithoutNewlines(WTF::String const&, bool) (selectInsertedText=false, text=..., this=0x7fa5aa0a0d20) at /home/fred/src-obj/WebKit/Source/WebCore/editing/TypingCommand.cpp:557
#19 WebCore::TypingCommand::insertTextRunWithoutNewlines(WTF::String const&, bool) (this=0x7fa5aa0a0d20, text=..., selectInsertedText=<optimized out>) at /home/fred/src-obj/WebKit/Source/WebCore/editing/TypingCommand.cpp:549
#20 0x00007fa5cbd58038 in WebCore::TypingCommandLineOperation::operator()(unsigned long, unsigned long, bool) const (isLastLine=<optimized out>, lineLength=<optimized out>, lineOffset=<optimized out>, this=<optimized out>) at /home/fred/src-obj/WebKit/Source/WebCore/editing/TypingCommand.cpp:70
#21 WebCore::TypingCommandLineOperation::operator()(unsigned long, unsigned long, bool) const (isLastLine=<optimized out>, lineLength=<optimized out>, lineOffset=<optimized out>, this=<optimized out>) at /home/fred/src-obj/WebKit/Source/WebCore/editing/TypingCommand.cpp:66
#22 WebCore::forEachLineInString<WebCore::TypingCommandLineOperation>(WTF::String const&, WebCore::TypingCommandLineOperation const&) (string=..., operation=...) at /home/fred/src-obj/WebKit/Source/WebCore/editing/TextInsertionBaseCommand.h:64
#23 0x00007fa5cbd49759 in WebCore::TypingCommand::insertText(WTF::String const&, bool) (this=<optimized out>, text=..., selectInsertedText=<optimized out>) at /home/fred/src-obj/WebKit/Source/WebCore/editing/TypingCommand.cpp:535
#24 0x00007fa5cbd49867 in WebCore::TypingCommand::insertTextAndNotifyAccessibility(WTF::String const&, bool) (this=0x7fa5aa0a0d20, text=..., selectInsertedText=<optimized out>) at /home/fred/src-obj/WebKit/Source/WebCore/editing/TypingCommand.cpp:544
#25 0x00007fa5cbc8faf3 in WebCore::CompositeEditCommand::apply() (this=0x7fa5aa0a0d20) at /home/fred/src-obj/WebKit/Source/WebCore/editing/CompositeEditCommand.cpp:402
#26 0x00007fa5cbd49c41 in WebCore::TypingCommand::insertText(WTF::Ref<WebCore::Document, WTF::RawPtrTraits<WebCore::Document>, WTF::DefaultRefDerefTraits<WebCore::Document> >&&, WTF::String const&, WebCore::VisibleSelection const&, WTF::OptionSet<WebCore::TypingCommand::Option>, WebCore::TypingCommand::TextCompositionType) (document=..., text=<optimized out>, selectionForInsertion=..., options=..., compositionType=<optimized out>) at /home/fred/src-obj/WebKit/Source/WebCore/editing/TypingCommand.cpp:267
#27 0x00007fa5cbd49fa8 in WebCore::TypingCommand::insertText(WTF::Ref<WebCore::Document, WTF::RawPtrTraits<WebCore::Document>, WTF::DefaultRefDerefTraits<WebCore::Document> >&&, WTF::String const&, WTF::OptionSet<WebCore::TypingCommand::Option>, WebCore::TypingCommand::TextCompositionType) (document=..., text=<optimized out>, options=..., options@entry=..., composition=composition@entry=WebCore::TypingCommand::TextCompositionType::None) at /home/fred/src-obj/WebKit/Source/WebCore/editing/TypingCommand.cpp:231
#28 0x00007fa5cbccfd24 in WebCore::executeInsertText(WebCore::LocalFrame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) (frame=<optimized out>, value=<optimized out>) at /home/fred/src-obj/WebKit/Source/WebCore/editing/EditorCommand.cpp:536
#29 0x00007fa5cbb81c5b in WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) (this=0x7fa55a141c00, commandName=..., userInterface=<optimized out>, value=...) at /home/fred/src-obj/WebKit/Source/WebCore/dom/Document.cpp:6860
#30 0x00007fa5cac4caf5 in WebCore::jsDocumentPrototypeFunction_execCommandBody (castedThis=<optimized out>, callFrame=<optimized out>, lexicalGlobalObject=0x7fa55a017088) at /home/fred/src-obj/WebKit/WebKitBuild/RelWithDebInfo/WebCore/DerivedSources/JSDocument.cpp:6433
#31 WebCore::IDLOperation<WebCore::JSDocument>::call<WebCore::jsDocumentPrototypeFunction_execCommandBody> (operationName=0x7fa5cd184c7a "execCommand", callFrame=<optimized out>, lexicalGlobalObject=...) at /home/fred/src-obj/WebKit/Source/WebCore/bindings/js/JSDOMOperation.h:63
#32 WebCore::jsDocumentPrototypeFunction_execCommand(JSC::JSGlobalObject*, JSC::CallFrame*) (lexicalGlobalObject=0x7fa55a017088, callFrame=<optimized out>) at /home/fred/src-obj/WebKit/WebKitBuild/RelWithDebInfo/WebCore/DerivedSources/JSDocument.cpp:6438
#33 0x00007fa55c008038 in ()
#34 0x00007ffc31398ed0 in ()
#35 0x00007fa5c7a3fade in op_call_return_location () at /home/fred/src-obj/WebKit/Source/JavaScriptCore/llint/LowLevelInterpreter.asm:1172
#36 0x0000000000000000 in ()

Going up to https://searchfox.org/wubkat/rev/2f857be7d42f00feb7b59870709310154181a774/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp#302, we have the following configuration:

RenderView at (0,0) size 800x585 renderer (0x7fa5420007a0) layout box ((nil)) (layout overflow 0,0 7748x585)
  HTML RenderFlexibleBox at (0,0) size 800x585 renderer (0x7fa5420085c0) layout box ((nil)) node (0x7fa5420010e0) (layout overflow 0,0 7748x585) (visual overflow 0,0 7748x585)
    BODY RenderFlexibleBox at (8,8) size 7740x569 renderer (0x7fa542008770) layout box ((nil)) node (0x7fa542001230) (layout overflow 0,0 7740x569) (visual overflow 0,-7 7740x583)
      KEYGEN RenderBlock at (0,0) size 0x569 renderer (0x7fa5420015e0) layout box ((nil)) node (0x7fa542004920)
      METER RenderBlock at (0,0) size 80x16 renderer (0x7fa5420017f0) layout box ((nil)) node (0x7fa542004b20)
        DIV RenderBlock at (0,0) size 80x16 renderer (0x7fa542003220) layout box ((nil)) node (0x7fa542004e80)
          DIV RenderBlock at (0,0) size 80x16 renderer (0x7fa542003430) layout box ((nil)) node (0x7fa542004ef0)
            DIV RenderBlock at (0,0) size 80x16 renderer (0x7fa542008920) layout box ((nil)) node (0x7fa542004f60)
      SHADOW RenderBlock at (80,0) size 0x569 renderer (0x7fa542008a10) layout box ((nil)) node (0x7fa542004990)
      svg RenderSVGRoot at (80,0) size 300x569 renderer (0x7fa542008b00) layout box ((nil)) node (0x7fa542005c20)
      [parent]--->RUBY RenderBlock at (380,0) size 7200x569 renderer (0x7fa54200f300) layout box ((nil)) node (0x7fa542005e20) (layout overflow 0,0 7200x569) (visual overflow -7,-7 7214x583)
        RenderBlock at (0,0) size 7200x18 renderer (0x7fa54200f4e0) layout box (0x7fa54200db40)
          line at (0.00,0.00) size (7200.00x18.00) baseline (14.00) enclosing top (0.00) bottom (17.00)
            Root inline box at (0.00,0.00) size (7200.00x17.00)
              Inline box at (0.00,0.00) size (0.00x17.00) renderer->(0x7fa542008ff0)
              Inline box at (0.00,0.00) size (0.00x17.00) renderer->(0x7fa54200ad50)
              Inline box at (0.00,0.00) size (0.00x17.00) renderer->(0x7fa542008f50)
              Inline box at (4800.00,0.00) size (2400.00x17.00) renderer->(0x7fa54200f7b0)
            Run(s):
              Text at (0.00,0.00) size 4800.00x17.00 run(0, 400) renderer->(0x7fa54200ace0)
              Text at (4800.00,0.00) size 2400.00x17.00 run(0, 200) renderer->(0x7fa54200f850)
          RenderInline renderer (0x7fa542008ff0) layout box (0x7fa54200dbd0)
          RenderInline renderer (0x7fa54200ad50) layout box (0x7fa54200e260)
          FONT RenderInline renderer (0x7fa542008f50) layout box (0x7fa54200e2f0) node (0x7fa54200cd40) continuation->(0x7fa54200f3f0)
          #text RenderText renderer (0x7fa54200ace0) layout box (0x7fa54200d060) node (0x7fa54200c880) length->(400) "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"...
          A RenderInline renderer (0x7fa54200f7b0) layout box (0x7fa54200e380) node (0x7fa54200f270) continuation->(0x7fa5420104c0)
            #text RenderText renderer (0x7fa54200f850) layout box (0x7fa54200d0e0) node (0x7fa54200c8e0) length->(200) "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"...
        RenderBlock at (0,18) size 7200x18 renderer (0x7fa54200d600) layout box (0x7fa54200e4a0)
          line at (0.00,0.00) size (7200.00x18.00) baseline (14.00) enclosing top (0.00) bottom (17.00)
            Root inline box at (0.00,0.00) size (16.00x17.00)
              Inline box at (0.00,0.00) size (0.00x17.00) renderer->(0x7fa5420104c0)
            Run(s):
              Text at (0.00,0.00) size 16.00x17.00 run(0, 2) renderer->(0x7fa54200f8c0)
              Atomic box at (16.00,14.00) size 0.00x0.00 renderer->(0x7fa54200ae90)
          A RenderInline renderer (0x7fa5420104c0) layout box (0x7fa54200e920) node (0x7fa54200f270)
          [beforeChild]-->#text RenderText renderer (0x7fa54200f8c0) layout box (0x7fa54200dce0) node (0x7fa542005dc0) length->(2) "A\n"
          CAPTION RenderFlexibleBox at (16,14) size 0x0 renderer (0x7fa54200ae90) layout box (0x7fa54200e9b0) node (0x7fa54200a320)
        RenderBlock at (0,36) size 7200x18 renderer (0x7fa54200f3f0) layout box ((nil)) continuation->(0x7fa54200adf0)
          A RenderFlexibleBox at (0,0) size 7200x18 renderer (0x7fa54200a170) layout box ((nil)) node (0x7fa54200d280)
            RenderBlock at (0,0) size 180x18 renderer (0x7fa54200f6c0) layout box (0x7fa54200ecf0)
              line at (0.00,0.00) size (180.00x18.00) baseline (14.00) enclosing top (0.00) bottom (17.00)
                Root inline box at (0.00,0.00) size (180.00x17.00)
                Run(s):
                  Text at (0.00,0.00) size 180.00x17.00 run(1, 16) renderer->(0x7fa542008ee0)
              #text RenderText renderer (0x7fa542008ee0) layout box (0x7fa54200ebe0) node (0x7fa54200c820) length->(16) "\nAAAAAAAAAAAAAAA"
        RenderBlock at (0,54) size 7200x0 renderer (0x7fa54200f5d0) layout box (0x7fa54200f930)
          line at (0.00,0.00) size (7200.00x0.00) baseline (0.00) enclosing top (0.00) bottom (0.00)
            Root inline box at (0.00,-14.00) size (0.00x17.00)
            Run(s):
          FONT RenderInline renderer (0x7fa54200adf0) layout box (0x7fa54200f9c0) node (0x7fa54200cd40)
      SPAN RenderFlexibleBox at (7580,0) size 160x569 renderer (0x7fa542009090) layout box ((nil)) node (0x7fa542006020)
        DATA RenderFlexibleBox at (0,0) size 160x569 renderer (0x7fa542009240) layout box ((nil)) node (0x7fa542006100)
          U RenderFlexibleBox at (0,0) size 160x569 renderer (0x7fa5420093f0) layout box ((nil)) node (0x7fa542006250)
            BLOCKQUOTE RenderFlexibleBox at (40,16) size 80x537 renderer (0x7fa5420095a0) layout box ((nil)) node (0x7fa542006450)
              BLOCKQUOTE RenderFlexibleBox at (40,16) size 0x505 renderer (0x7fa542009750) layout box ((nil)) node (0x7fa5420064c0)
                H6 RenderFlexibleBox at (0,24.97) size 0x455.06 renderer (0x7fa542009900) layout box ((nil)) node (0x7fa542005990)
                  LABEL RenderFlexibleBox at (0,0) size 0x455.06 renderer (0x7fa542009ab0) layout box ((nil)) node (0x7fa542006650)
                    A RenderFlexibleBox at (0,0) size 0x455.06 renderer (0x7fa542009c60) layout box ((nil)) node (0x7fa542006750)
                      H1 RenderFlexibleBox at (0,14.36) size 0x426.34 renderer (0x7fa542009e10) layout box ((nil)) node (0x7fa542006870)
                        LABEL RenderFlexibleBox at (0,0) size 0x426.34 renderer (0x7fa542009fc0) layout box ((nil)) node (0x7fa5420066d0)
                          FORM RenderBlock at (0,0) size 0x404.91 renderer (0x7fa542008df0) layout box ((nil)) node (0x7fa542006a10)
                          SPAN RenderFlexibleBox at (0,0) size 0x426.34 renderer (0x7fa54200aa40) layout box ((nil)) node (0x7fa542006090)

findOrCreateParentForStyleBasedRubyChild would return the first child in release mode and fail the assertion ASSERT(parent.firstChild()->style().display() == DisplayType::Ruby) in debug mode. Then insertRecursiveIfNeeded leads to a nullptr beforeChildContainer.
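The mechanism comment 1 describes (a `beforeChild` that is not inside the chosen `parent`'s subtree, so the ancestor walk runs off the root and dereferences nullptr) can be modelled outside WebKit. The C++ below is an added illustration, not code from WebKit, from the attached repro, or from bug 268770: `Node`, `uncheckedWalkWouldFault`, `findContainerUnderParent` and `buildRubyTree` are hypothetical stand-ins chosen to mirror the loop quoted at RenderTreeBuilderBlock.cpp:164 and the RUBY subtree marked [parent]/[beforeChild] in the dump. The first function reports where the unchecked loop would fault instead of actually crashing; the second shows the null-safe form of the same walk, which turns the mis-chosen parent into a nullptr return that a caller can check.

```cpp
#include <cassert>
#include <cstdio>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Hypothetical stand-in for a render-tree node. It is not WebCore's RenderObject;
// it only models the parent pointer that the loop quoted in comment 1 walks.
struct Node {
    std::string name;
    Node* parent = nullptr;
    std::vector<std::unique_ptr<Node>> children;

    explicit Node(std::string n) : name(std::move(n)) {}

    Node* appendChild(std::string childName) {
        children.push_back(std::make_unique<Node>(std::move(childName)));
        children.back()->parent = this;
        return children.back().get();
    }
};

// Simulates the unchecked loop `while (beforeChildContainer->parent() != &parent)`.
// Returns true when the walk reaches the root without ever finding `parent`, which
// is the point at which the real loop reads `->parent()` through a null pointer
// (the ASAN_SEGV in the backtrace). The null test on `container` exists only so this
// model can report the fault instead of crashing.
bool uncheckedWalkWouldFault(const Node& parent, const Node* beforeChild) {
    const Node* container = beforeChild;
    for (;;) {
        if (!container)
            return true;                 // original code dereferences nullptr here
        if (container->parent == &parent)
            return false;                // found the direct child of `parent`
        container = container->parent;   // one step up; nullptr once past the root
    }
}

// Null-safe form of the same walk: returns the ancestor of `beforeChild` that is a
// direct child of `parent`, or nullptr when `beforeChild` does not live under
// `parent` at all (exactly what a mis-chosen parent produces).
Node* findContainerUnderParent(Node& parent, Node* beforeChild) {
    Node* container = beforeChild;
    while (container && container->parent != &parent)
        container = container->parent;
    return container;
}

// The RUBY subtree from the dump in comment 1, reduced to the nodes the walk touches:
// a RUBY block with two anonymous child blocks, the second of which holds the "A\n"
// text renderer passed as beforeChild. Names and shape are a constructed sample.
struct RubyTree {
    std::unique_ptr<Node> view;   // owns everything
    Node* ruby = nullptr;         // the [parent] marked in the dump
    Node* firstBlock = nullptr;   // what the ruby-child lookup returns in release builds
    Node* secondBlock = nullptr;  // actual container of beforeChild
    Node* text = nullptr;         // the [beforeChild] marked in the dump
};

RubyTree buildRubyTree() {
    RubyTree t;
    t.view = std::make_unique<Node>("RenderView");
    Node* body = t.view->appendChild("BODY RenderFlexibleBox");
    t.ruby = body->appendChild("RUBY RenderBlock");
    t.firstBlock = t.ruby->appendChild("RenderBlock (anonymous, first child)");
    t.firstBlock->appendChild("RenderInline");
    t.secondBlock = t.ruby->appendChild("RenderBlock (anonymous, second child)");
    t.secondBlock->appendChild("A RenderInline");
    t.text = t.secondBlock->appendChild("#text RenderText \"A\\n\"");
    return t;
}

int main() {
    RubyTree t = buildRubyTree();

    // Correct parent: the walk stops at the second anonymous block.
    Node* found = findContainerUnderParent(*t.ruby, t.text);
    std::printf("parent=RUBY       -> container=%s, faults=%d\n",
                found ? found->name.c_str() : "(null)",
                uncheckedWalkWouldFault(*t.ruby, t.text) ? 1 : 0);

    // Mis-chosen parent (first child instead of RUBY): beforeChild is not below it,
    // so the unchecked loop walks past RenderView and dereferences nullptr.
    found = findContainerUnderParent(*t.firstBlock, t.text);
    std::printf("parent=firstBlock -> container=%s, faults=%d\n",
                found ? found->name.c_str() : "(null)",
                uncheckedWalkWouldFault(*t.firstBlock, t.text) ? 1 : 0);
    return 0;
}
```

The walk itself is the same in both functions; the only difference is whether the loop condition reads `container->parent` before confirming `container` is non-null. With the correct parent both forms agree, so a regression test built this way has to pass a parent that does not contain `beforeChild`, as the repro's ruby configuration does, to exercise the faulting path.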
Frédéric Wang (:fredw)
Comment 2 2024-04-10 04:19:34 PDT
*** This bug has been marked as a duplicate of bug 268770 ***