Bug 69275

Summary: Crash in IsolateTracker::addFakeRunIfNecessary(), preceded by assertion failure (m_nestedIsolateCount >= 1) in IsolateTracker::exitIsolate()
Product: WebKit
Reporter: mitz
Component: Layout and Rendering
Assignee: Ryosuke Niwa <rniwa>
Status: RESOLVED FIXED
Severity: Normal
CC: eric, leviw, rniwa, xji
Priority: P1
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
URL: data:text/html,%3Cspan%20style=%22unicode-bidi:%20-webkit-isolate;%22%3E%3Cspan%20style=%22unicode-bidi:%20-webkit-isolate;%22%3Ea%3C/span%3E%3C/span%3E%3Cbr%3E
Bug Depends on:
Bug Blocks: 69267
Attachments:
Description      Flags
fixes the bug    eric: review+

Description mitz 2011-10-03 11:54:24 PDT
To reproduce, navigate to the URL.

Results:

ASSERTION FAILED: m_nestedIsolateCount >= 1
Source/WebCore/rendering/InlineIterator.h(430) : void WebCore::IsolateTracker::exitIsolate()
1   WebCore::IsolateTracker::exitIsolate()
2   _ZN7WebCoreL28notifyObserverWillExitObjectINS_14IsolateTrackerEEEvPT_PNS_12RenderObjectE
3   _ZN7WebCoreL14bidiNextSharedINS_14IsolateTrackerEEEPNS_12RenderObjectES3_S3_PT_NS_19EmptyInlineBehaviorEPb
4   _ZN7WebCoreL28bidiNextSkippingEmptyInlinesINS_14IsolateTrackerEEEPNS_12RenderObjectES3_S3_PT_
5   WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>::appendRun()
6   WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>::createBidiRunsForLine(WebCore::InlineIterator const&, WebCore::VisualDirectionOverride, bool)
7   _ZN7WebCoreL17constructBidiRunsERNS_12BidiResolverINS_14InlineIteratorENS_7BidiRunEEERNS_11BidiRunListIS2_EERKS1_NS_23VisualDirectionOverrideEb
8   WebCore::RenderBlock::layoutRunsAndFloatsInRange(WebCore::LineLayoutState&, WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>&, WebCore::InlineIterator const&, WebCore::BidiStatus const&, unsigned int)
9   WebCore::RenderBlock::layoutRunsAndFloats(WebCore::LineLayoutState&, bool)
10  WebCore::RenderBlock::layoutInlineChildren(bool, int&, int&)
11  WebCore::RenderBlock::layoutBlock(bool, int, WebCore::RenderBlock::BlockLayoutPass)
12  WebCore::RenderBlock::layout()
13  WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, int&, int&)
14  WebCore::RenderBlock::layoutBlockChildren(bool, int&)
15  WebCore::RenderBlock::layoutBlock(bool, int, WebCore::RenderBlock::BlockLayoutPass)
16  WebCore::RenderBlock::layout()
17  WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, int&, int&)
18  WebCore::RenderBlock::layoutBlockChildren(bool, int&)
19  WebCore::RenderBlock::layoutBlock(bool, int, WebCore::RenderBlock::BlockLayoutPass)
20  WebCore::RenderBlock::layout()
21  WebCore::RenderView::layout()
22  WebCore::FrameView::layout(bool)
23  WebCore::Document::implicitClose()
24  WebCore::FrameLoader::checkCallImplicitClose()
25  WebCore::FrameLoader::checkCompleted()
26  WebCore::FrameLoader::finishedParsing()
27  WebCore::Document::finishedParsing()
28  WebCore::HTMLTreeBuilder::finished()
29  WebCore::HTMLDocumentParser::end()
30  WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd()
31  WebCore::HTMLDocumentParser::prepareToStopParsing()
Comment 1 mitz 2011-10-03 12:03:16 PDT
It’s not clear to me why IsolateTracker initializes m_nestedIsolateCount to 1 regardless of the number of enclosing isolating inlines.
Comment 2 mitz 2011-10-03 12:07:29 PDT
In release builds, this ends up crashing in IsolateTracker::addFakeRunIfNecessary():

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000010

0   com.apple.WebCore             	0x0000000107adc69d WebCore::IsolateTracker::addFakeRunIfNecessary(WebCore::RenderObject*, WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>&) + 113
1   com.apple.WebCore             	0x00000001071a7536 WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>::appendRun() + 724
2   com.apple.WebCore             	0x00000001071a701e WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>::createBidiRunsForLine(WebCore::InlineIterator const&, WebCore::VisualDirectionOverride, bool) + 3626
3   com.apple.WebCore             	0x0000000107adae75 WebCore::RenderBlock::layoutRunsAndFloatsInRange(WebCore::LineLayoutState&, WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>&, WebCore::InlineIterator const&, WebCore::BidiStatus const&, unsigned int) + 1271
4   com.apple.WebCore             	0x0000000107adbdde WebCore::RenderBlock::layoutRunsAndFloats(WebCore::LineLayoutState&, bool) + 1238
5   com.apple.WebCore             	0x00000001071a1391 WebCore::RenderBlock::layoutInlineChildren(bool, int&, int&) + 425
6   com.apple.WebCore             	0x0000000107ad25d7 WebCore::RenderBlock::layoutBlock(bool, int, WebCore::RenderBlock::BlockLayoutPass) + 1655
7   com.apple.WebCore             	0x000000010719cab8 WebCore::RenderBlock::layout() + 42
8   com.apple.WebCore             	0x000000010719f5f2 WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, int&, int&) + 838
9   com.apple.WebCore             	0x000000010719e60a WebCore::RenderBlock::layoutBlockChildren(bool, int&) + 668
10  com.apple.WebCore             	0x0000000107ad25f5 WebCore::RenderBlock::layoutBlock(bool, int, WebCore::RenderBlock::BlockLayoutPass) + 1685
11  com.apple.WebCore             	0x000000010719cab8 WebCore::RenderBlock::layout() + 42
12  com.apple.WebCore             	0x000000010719f5f2 WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, int&, int&) + 838
13  com.apple.WebCore             	0x000000010719e60a WebCore::RenderBlock::layoutBlockChildren(bool, int&) + 668
14  com.apple.WebCore             	0x0000000107ad25f5 WebCore::RenderBlock::layoutBlock(bool, int, WebCore::RenderBlock::BlockLayoutPass) + 1685
15  com.apple.WebCore             	0x000000010719cab8 WebCore::RenderBlock::layout() + 42
16  com.apple.WebCore             	0x000000010719ca1f WebCore::RenderView::layout() + 579
Comment 3 mitz 2011-10-03 12:09:03 PDT
<rdar://problem/10212881>
Comment 4 Eric Seidel (no email) 2011-10-03 13:17:32 PDT
Thank you.
Comment 5 Eric Seidel (no email) 2011-10-04 04:10:43 PDT
(In reply to comment #1)
> It’s not clear to me why IsolateTracker initializes m_nestedIsolateCount to 1 regardless of the number of enclosing isolating inlines.

It's probably wrong.

We simply don't have enough isolate test cases yet.
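As an added illustration of the under-counting mitz describes in comment 1 (this is a toy model written for this page, not WebKit's IsolateTracker or the committed fix; the node type and function names are invented): seeding the nesting counter with a constant 1 underflows on the two-level isolate from the bug's URL, while seeding it from the actual number of isolating ancestors does not.

```cpp
// Added example, not WebKit code: a toy model of the counting mistake described
// in comment 1. The names (Inline, IsolateCounter, walkUnderflows) are invented.
#include <utility>

// Hypothetical inline node: whether it is a unicode-bidi isolate, and its parent.
struct Inline {
    bool isolate;
    const Inline* parent;
};

// Minimal stand-in for a nested-isolate tracker. Where WebKit's exitIsolate()
// asserts m_nestedIsolateCount >= 1, this records the underflow instead.
struct IsolateCounter {
    int nested;
    bool underflowed = false;
    explicit IsolateCounter(int initial) : nested(initial) {}
    void exitIsolate() {
        if (nested < 1) { underflowed = true; return; }  // the assertion would fire here
        --nested;
    }
};

// The depth the counter should start at: the number of isolating ancestors
// of the object the walk begins in, not a fixed constant.
int isolateAncestorCount(const Inline* start) {
    int count = 0;
    for (const Inline* p = start->parent; p; p = p->parent)
        if (p->isolate) ++count;
    return count;
}

// Seed a counter with `initial`, then leave every isolating ancestor of
// `start` in turn, as a forward walk off the end of the line would.
bool walkUnderflows(const Inline* start, int initial) {
    IsolateCounter tracker(initial);
    for (const Inline* p = start->parent; p; p = p->parent)
        if (p->isolate) tracker.exitIsolate();
    return tracker.underflowed;
}

// The reduced case from this bug's URL: <span isolate><span isolate>a</span></span>.
// Returns {constant seed of 1 underflows, ancestor-count seed underflows}.
std::pair<bool, bool> reducedCase() {
    Inline outer{true, nullptr};
    Inline inner{true, &outer};
    Inline text{false, &inner};
    bool buggy = walkUnderflows(&text, 1);                            // "at most one enclosing isolate"
    bool fixed = walkUnderflows(&text, isolateAncestorCount(&text));  // actual nesting depth, 2 here
    return {buggy, fixed};
}
```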
Comment 6 Ryosuke Niwa 2011-11-28 11:44:30 PST
Hm... I can't reproduce this crash on ToT.
Comment 7 Ryosuke Niwa 2011-11-28 16:02:07 PST
(In reply to comment #6)
> Hm... I can't reproduce this crash on ToT.

Apparently, I was doing it wrong. A patch coming in a minute.
Comment 8 Ryosuke Niwa 2011-11-28 16:07:47 PST
Created attachment 116847 [details]
fixes the bug
Comment 9 Ryosuke Niwa 2011-11-28 16:08:30 PST
Comment on attachment 116847 [details]
fixes the bug

View in context: https://bugs.webkit.org/attachment.cgi?id=116847&action=review

> Source/WebCore/ChangeLog:9
> +        The crash was caused by our false assumption that at most one isolated container exits between the start

s/exits/exists/
Comment 10 Levi Weintraub 2011-11-28 16:12:18 PST
Comment on attachment 116847 [details]
fixes the bug

Looks right to me :)
Comment 11 Eric Seidel (no email) 2011-11-28 18:47:25 PST
Comment on attachment 116847 [details]
fixes the bug

Seems fine to me.  I'm not sure I remember why I had that assumption.  Clearly I designed the system to accommodate more than one.  More test coverage will tell us if this is the right code design or not. :)
Comment 12 Ryosuke Niwa 2011-11-29 12:37:30 PST
Committed r101406: <http://trac.webkit.org/changeset/101406>