Bug 272127
| Summary: | REGRESSION(277009@main) fast/text/remove-renderer-and-select-crash.html makes a subsequent test crash: RELEASE_ASSERT(index != notFound) in LayoutIntegration::BoxTree::rendererForLayoutBox | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Fujii Hironori <fujii.hironori> |
| Component: | Layout and Rendering | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED WORKSFORME | ||
| Severity: | Normal | CC: | bfulgham, simon.fraser, webkit-bug-importer, zalan |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| See Also: | https://bugs.webkit.org/show_bug.cgi?id=272123 | ||
Fujii Hironori
After 277009@main added fast/text/remove-renderer-and-select-crash.html, the subsequent test fast/text/remove-text-node-linebox-not-dirty-crash.html is crashing.
Buildbot: builder WinCairo-64-bit-Release-Tests build 4098 : 277016@main
https://build.webkit.org/#/builders/728/builds/4098
Regressions: Unexpected crashes (1)
fast/text/remove-text-node-linebox-not-dirty-crash.html [ Crash ]
STACK_TEXT:
000000e1`0612d7c0 00007ff9`8e52ac6d : 00000000`00000001 00000000`00000000 00000000`00000000 00000000`00000000 : WTF!WTFCrash+0xe
000000e1`0612d7f0 00007ff9`8f8e7e83 : 00000000`3c800000 00000000`00000000 000000e1`0612d950 0000027f`6682e0d0 : WebCore!WTFCrashWithInfo+0x1d
000000e1`0612d830 00007ff9`8fd60d85 : 000000e1`0612ddf0 000000e1`0612d920 000000e1`0612dcd0 000000e1`0612de18 : WebCore!WebCore::LayoutIntegration::BoxTree::rendererForLayoutBox+0x133
000000e1`0612d8b0 00007ff9`8fd4089c : 000000e1`0612ddf0 000000e1`0612de18 000000e1`0612dcd0 000000e1`0612de18 : WebCore!WebCore::RenderBlockFlow::positionForPointWithInlineChildren+0xa75
000000e1`0612da30 00007ff9`8fd618b6 : 00000000`00000000 0000fe29`3810c0f5 0000027f`6682d3d0 00000000`00000000 : WebCore!WebCore::RenderBlock::positionForPoint+0x1ac
000000e1`0612dac0 00007ff9`8fd40420 : 000000e1`00000002 0000027f`66954de0 0000027f`669be8a0 00007ff9`8fd4198b : WebCore!WebCore::RenderBlockFlow::positionForPoint+0x16
000000e1`0612db00 00007ff9`8fd40ac9 : 0000027f`44480000 0000027f`228f0000 00000000`00000000 44160000`44480000 : WebCore!WebCore::positionForPointRespectingEditingBoundaries+0x1a0
000000e1`0612db80 00007ff9`8fd618b6 : 00000000`00000000 000000e1`0612de18 000000e1`0612de18 0000027f`667b5eb0 : WebCore!WebCore::RenderBlock::positionForPoint+0x3d9
000000e1`0612dc10 00007ff9`8fd40420 : 000000e1`0612dcc0 00007ff9`8fea433d 000000e1`0612ddf0 00007ff9`8fd4198b : WebCore!WebCore::RenderBlockFlow::positionForPoint+0x16
000000e1`0612dc50 00007ff9`8fd40ac9 : 00000000`00000000 000000e1`0612e3a0 0000027f`667c7120 0000027f`667b5eb0 : WebCore!WebCore::positionForPointRespectingEditingBoundaries+0x1a0
000000e1`0612dcd0 00007ff9`8fd618b6 : 000000e1`0612de18 00000000`00000000 000000e1`0612e3a0 0000027f`667c7120 : WebCore!WebCore::RenderBlock::positionForPoint+0x3d9
000000e1`0612dd60 00007ff9`8f5968d9 : 00000000`00000000 00000000`00000000 000000e1`0612de88 00007ff9`8fb35cfc : WebCore!WebCore::RenderBlockFlow::positionForPoint+0x16
000000e1`0612dda0 00007ff9`8e043b9a : 00000000`00000001 00007ff9`8e28ad3a 0000027f`667b6f60 0000027f`66884920 : WebCore!WebCore::FrameSelection::contains+0x1f9
000000e1`0612df30 00007ff9`8e2dee7d : 0000027f`667b5eb0 00000000`00000001 000000e1`0612e058 0000027f`6a74f5d0 : WebKit2!WebKit::WebHitTestResultData::WebHitTestResultData+0x1aa
000000e1`0612dfb0 00007ff9`8f9e19c8 : 00000000`00000000 00000000`3f800000 3f800000`3f800000 3f800000`00000000 : WebKit2!WebKit::WebChromeClient::mouseDidMoveOverElement+0x9d
000000e1`0612e2b0 00007ff9`8fa1473a : 00000000`00000000 00007ff9`8e043323 00000000`00000000 00000001`8de4ae00 : WebCore!WebCore::Chrome::mouseDidMoveOverElement+0x1a8
000000e1`0612e370 00007ff9`8e346f70 : 00000000`00000000 00000000`00000002 00000000`00000000 000000e1`0612e549 : WebCore!WebCore::EventHandler::mouseMoved+0x11a
000000e1`0612e480 00007ff9`8e3204fb : 00000000`00000000 00007ff9`8e490e00 00000000`00000001 0000027f`6a754d01 : WebKit2!WebKit::WebFrame::handleMouseEvent+0x130
000000e1`0612e550 00007ff9`8dd5bbad : 00000000`00000000 00000000`00000000 00007ff9`8e376230 0000027f`6a754dc0 : WebKit2!WebKit::WebPage::mouseEvent+0x18b
000000e1`0612e610 00007ff9`8dd59595 : 00000000`00000000 00000000`00000000 0000027f`22936aa0 00000000`00000000 : WebKit2!IPC::handleMessageAsync<Messages::WebPage::MouseEvent,WebKit::WebPage,WebKit::WebPage,void (WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::FrameIdentifierType,WTF::ObjectIdentifierMainThreadAccessTraits> >, const WebKit::WebMouseEvent &, std::optional<WTF::Vector<WebKit::SandboxExtensionHandle,0,WTF::CrashOnOverflow,16,WTF::FastMalloc> > &&, WTF::CompletionHandler<void (std::optional<WebKit::WebEventType>, bool, std::optional<WebCore::RemoteUserInputEventData>)> &&)>+0xed
000000e1`0612e760 00007ff9`8e037355 : 0000027f`229453c0 00007ffa`4d4d37eb 0000027f`6a75544f 0000027f`0000003d : WebKit2!WebKit::WebPage::didReceiveWebPageMessage+0x1475
000000e1`0612f390 00007ff9`8e19fd79 : 00000000`00000092 00000000`0000000a 0000fe0d`54ba65c8 00000000`00000000 : WebKit2!IPC::MessageReceiverMap::dispatchMessage+0x185
000000e1`0612f410 00007ff9`8e032205 : 0000027f`66a51450 0000027f`228f0000 00000000`00000000 00000000`00000401 : WebKit2!WebKit::WebProcess::didReceiveMessage+0x19
000000e1`0612f450 00007ff9`8e03238c : 00000000`00000401 00000000`00000000 00000000`00000000 00007ffa`4f8b8603 : WebKit2!IPC::Connection::dispatchMessage+0xf5
000000e1`0612f4a0 00007ff9`b87e069e : 0000027f`2515f940 00007ffa`00000000 00000000`00000000 00000000`000a12e4 : WebKit2!IPC::Connection::dispatchOneIncomingMessage+0xec
000000e1`0612f500 00007ff9`b884a088 : 00000000`000a12e4 00000000`00000000 0000027f`22916630 00007ff9`8e59d873 : WTF!WTF::RunLoop::performWork+0x19e
000000e1`0612f550 00007ffa`4f548241 : 000000e1`0612f6d8 00000000`00000000 00000000`00000000 00000000`80000022 : WTF!WTF::RunLoop::RunLoopWndProc+0x38
000000e1`0612f5a0 00007ffa`4f547d01 : 00000000`00000000 00007ff9`b884a050 00000000`000a12e4 000000e1`0612f7a0 : USER32!UserCallWinProcCheckWow+0x2d1
000000e1`0612f700 00007ff9`b884a1ff : 000000e1`0612f7a0 00000000`00000000 00007ffa`4f54a130 000000e1`0612f7a0 : USER32!DispatchMessageWorker+0x1f1
000000e1`0612f780 00007ff9`8dc317bd : 0000027f`00000000 00000000`00000000 0000027f`229010f0 00000000`00000000 : WTF!WTF::RunLoop::run+0x5f
000000e1`0612f800 00007ff6`cd0c100a : 00000000`00000007 00000000`00000001 00000000`00000000 00007ffa`4f8bce70 : WebKit2!WebKit::AuxiliaryProcessMain<WebKit::WebProcessMainWin>+0xad
000000e1`0612f890 00007ff6`cd0c13bc : 00000000`00000000 00007ff6`cd0c1435 0000027f`228a0000 00000000`00000000 : WebKitWebProcess!main+0xa
000000e1`0612f8c0 00007ffa`4d72257d : 00000000`00000000 00000000`00000000 000000e1`063d4000 00000000`00000000 : WebKitWebProcess!__scrt_common_main_seh+0x10c
000000e1`0612f900 00007ffa`4f8eaa58 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x1d
000000e1`0612f930 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x28
Fujii Hironori
This isn't a Release build specific problem, but a Debug build can't reproduce this due to another problem, bug#272123.
By commenting out, it's reproducible with a Debug build.
diff --git a/Source/WebCore/page/LocalFrameViewLayoutContext.cpp b/Source/WebCore/page/LocalFrameViewLayoutContext.cpp
index 7c1b8dfe35e1..e9e189be5d25 100644
--- a/Source/WebCore/page/LocalFrameViewLayoutContext.cpp
+++ b/Source/WebCore/page/LocalFrameViewLayoutContext.cpp
@@ -232,7 +232,7 @@ void LocalFrameViewLayoutContext::performLayout()
SubtreeLayoutStateMaintainer subtreeLayoutStateMaintainer(subtreeLayoutRoot());
RenderView::RepaintRegionAccumulator repaintRegionAccumulator(renderView());
#ifndef NDEBUG
- RenderTreeNeedsLayoutChecker checker(*renderView());
+ //RenderTreeNeedsLayoutChecker checker(*renderView());
#endif
layoutRoot->layout();
++m_layoutCount;
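Review bot: The commented-out "RenderTreeNeedsLayoutChecker checker(*renderView());" line in performLayout() leaves the "#ifndef NDEBUG" / "#endif" pair empty and carries no comment saying why the debug-only checker is disabled. If this is only a local aid for reproducing the crash in a Debug build, say so next to the line (for example with a pointer to bug#272123) and keep it out of any change that lands; if the checker is really meant to go, delete the line together with the empty preprocessor block instead of leaving dead code behind.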
> python .\Tools\Scripts\run-webkit-tests --wincairo --debug --no-retry --iter=2 fast/text/remove-renderer-and-select-crash.html
Fujii Hironori
With the above patch, stderr has the following message:
ASSERTION FAILED: index != notFound
C:\webkit\Source\WebCore\layout/integration/LayoutIntegrationBoxTree.cpp(389) : rendererForLayoutBox
1 00007FF9B20B1CA9 WTFCrash
2 00007FF988862EFD WTFCrashWithInfo
3 00007FF98BFB2DE0 WebCore::LayoutIntegration::BoxTree::rendererForLayoutBox
4 00007FF98BFB304D WebCore::LayoutIntegration::BoxTree::rendererForLayoutBox
5 00007FF98BFF7DF1 WebCore::LayoutIntegration::LineLayout::rendererForLayoutBox
6 00007FF98BFD9595 WebCore::LayoutIntegration::InlineContent::rendererForLayoutBox
7 00007FF98AAADA0C WebCore::InlineIterator::BoxModernPath::renderer
8 00007FF98AAAD9C8 WebCore::InlineIterator::Box::renderer::<lambda_1>::operator()<const WebCore::InlineIterator::BoxModernPath>
9 00007FF98AAAD96D std::invoke<WTF::Visitor<`lambda at C:\PSDEV\wb\Source\WebCore\layout\integration\inline\InlineIteratorBox.h:229:41'>,const WebCore::InlineIterator::BoxModernPath &>
10 00007FF98AAAD8FD std::_Variant_dispatcher<std::integer_sequence<unsigned long long,1> >::_Dispatch2<const WebCore::RenderObject &,WTF::Visitor<`lambda at C:\PSDEV\wb\Source\WebCore\layout\integration\inline\InlineIteratorBox.h:229:41'>,const std::variant<WebCore::InlineIterator::BoxModernPath,WebCore::InlineIterator::BoxLegacyPath> &,0>
11 00007FF98AAAD843 std::_Visit_strategy<1>::_Visit2<const WebCore::RenderObject &,std::_Meta_list<std::integer_sequence<unsigned long long,0>,std::integer_sequence<unsigned long long,1>,std::integer_sequence<unsigned long long,2> >,WTF::Visitor<`lambda at C:\PSDEV\wb\Source\WebCore\layout\integration\inline\InlineIteratorBox.h:229:41'>,const std::variant<WebCore::InlineIterator::BoxModernPath,WebCore::InlineIterator::BoxLegacyPath> &>
12 00007FF98AAAD7DA std::_Visit_impl<3,const WebCore::RenderObject &,std::_Meta_list<std::integer_sequence<unsigned long long,0>,std::integer_sequence<unsigned long long,1>,std::integer_sequence<unsigned long long,2> >,WTF::Visitor<`lambda at C:\PSDEV\wb\Source\WebCore\layout\integration\inline\InlineIteratorBox.h:229:41'>,const std::variant<WebCore::InlineIterator::BoxModernPath,WebCore::InlineIterator::BoxLegacyPath> &>
13 00007FF98AAAD756 std::visit<WTF::Visitor<`lambda at C:\PSDEV\wb\Source\WebCore\layout\integration\inline\InlineIteratorBox.h:229:41'>,const std::variant<WebCore::InlineIterator::BoxModernPath,WebCore::InlineIterator::BoxLegacyPath> &,void>
14 00007FF98AAAD714 WTF::switchOn<const std::variant<WebCore::InlineIterator::BoxModernPath,WebCore::InlineIterator::BoxLegacyPath> &,`lambda at C:\PSDEV\wb\Source\WebCore\layout\integration\inline\InlineIteratorBox.h:229:41'>
15 00007FF98AA9C1C7 WebCore::InlineIterator::Box::renderer
16 00007FF98CA0E7DA WebCore::RenderBlockFlow::positionForPointWithInlineChildren
17 00007FF98C9EAFB5 WebCore::RenderBlock::positionForPoint
18 00007FF98CA0EE4F WebCore::RenderBlockFlow::positionForPoint
19 00007FF98C9EA876 WebCore::positionForPointRespectingEditingBoundaries
20 00007FF98C9EB325 WebCore::RenderBlock::positionForPoint
21 00007FF98CA0EE4F WebCore::RenderBlockFlow::positionForPoint
22 00007FF98C9EA876 WebCore::positionForPointRespectingEditingBoundaries
23 00007FF98C9EB325 WebCore::RenderBlock::positionForPoint
24 00007FF98CA0EE4F WebCore::RenderBlockFlow::positionForPoint
25 00007FF98B7B4379 WebCore::FrameSelection::contains
26 00007FF98C972199 WebCore::HitTestResult::isSelected
27 00007FF98F7A7B7D WebKit::WebHitTestResultData::WebHitTestResultData
28 00007FF990098A26 WebKit::WebChromeClient::mouseDidMoveOverElement
29 00007FF98C2103CD WebCore::Chrome::mouseDidMoveOverElement
30 00007FF98C267F50 WebCore::EventHandler::mouseMoved
31 00007FF9901DBEE6 WebKit::WebFrame::handleMouseEvent
Radar WebKit Bug Importer
<rdar://problem/126240107>
Fujii Hironori
No longer reproducible.