RESOLVED FIXED 108619
Assertion in RenderGeometryMap::mapToContainer with LayoutUnit overflow
https://bugs.webkit.org/show_bug.cgi?id=108619
Renata Hodovan
Reported 2013-02-01 05:23:52 PST
During CSS fuzzing I've got the following assertion failure:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff5632d50 in WebCore::RenderGeometryMap::mapToContainer (this=0x7fffffffc7a0, rect=..., container=0x0) at /home/reni/repos/webkit2/Source/WebCore/rendering/RenderGeometryMap.cpp:142
142	    ASSERT(enclosingIntRect(rendererMappedResult) == enclosingIntRect(FloatQuad(result).boundingBox()));

The test:

<html id="test-element">
<head>
<style>
#test-element {font-size: 354em;}
</style>
</head>
<body>
<div id="test-element" style="margin: 131em;"></div>
<div id=word style="-webkit-box-shadow: 2px -2px;position: absolute; margin:131em;"></div>
</body>
</html>

I've seen bugs (Qt: #89466, WIN: #88128) with similar issues but they are working for me right now.
Attachments
Repro (163 bytes, text/html)
2014-09-08 04:18 PDT, Renata Hodovan
no flags
Patch (5.09 KB, patch)
2015-01-06 15:34 PST, zalan
no flags
Patch (4.90 KB, patch)
2015-01-06 15:58 PST, zalan
no flags
Simon Fraser (smfr)
Comment 1 2013-02-01 09:13:37 PST
font-size: 354em;

This looks like LayoutUnit overflow.
Emil A Eklund
Comment 2 2013-02-01 10:32:46 PST
Simon is right, that is almost certainly due to overflow. Try to run with SATURATED_LAYOUT_ARITHMETIC enabled and see if it still happens.
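To make the overflow Simon and Emil are pointing at concrete: the `#test-element` rule in the original test matches both `<html>` and the `<div>`, so the div's font-size is 354em of 354em of the 16px initial size (2005056px), and its 131em margin is about 262 million pixels. The following is an added, constructed example (not WebKit's code) that models a 1/64-pixel fixed-point layout unit held in a 32-bit int, the representation LayoutUnit uses, and contrasts plain wrapping multiplication with the saturating variant that a SATURATED_LAYOUT_ARITHMETIC build selects. The function names and the `mulWrapping`/`mulSaturating` split are this example's own.

```cpp
#include <cstdint>
#include <cstdio>

// Constructed model of a 1/64 px fixed-point layout unit stored in int32.
// Example code for illustration; not WebKit's LayoutUnit implementation.
static const int64_t kFixedPointDenominator = 64;
static const int64_t kTwo32 = int64_t(1) << 32;

// raw -> px. INT32_MAX / 64 == 33554431.984375 px is the largest value.
double rawToPx(int32_t raw) {
    return double(raw) / double(kFixedPointDenominator);
}

// px -> raw, clamped to the int32 range as a saturating constructor would do.
int32_t pxToRawSaturated(double px) {
    double raw = px * double(kFixedPointDenominator);
    if (raw > double(INT32_MAX)) return INT32_MAX;
    if (raw < double(INT32_MIN)) return INT32_MIN;
    return int32_t(raw);
}

// Plain two's-complement wrapping multiply. The product is formed in int64 and
// reduced modulo 2^32 by hand so the result is the same on every platform.
int32_t mulWrapping(int32_t raw, int32_t factor) {
    int64_t product = int64_t(raw) * int64_t(factor);
    int64_t wrapped = ((product % kTwo32) + kTwo32) % kTwo32; // now in [0, 2^32)
    if (wrapped >= kTwo32 / 2) wrapped -= kTwo32;              // now in [-2^31, 2^31)
    return int32_t(wrapped);
}

// Saturating multiply: clamp to the int32 range instead of wrapping.
int32_t mulSaturating(int32_t raw, int32_t factor) {
    int64_t product = int64_t(raw) * int64_t(factor);
    if (product > INT32_MAX) return INT32_MAX;
    if (product < INT32_MIN) return INT32_MIN;
    return int32_t(product);
}

// Font-size of the div in the repro: 354em of (354em of 16px) = 2005056 px.
double divFontSizePx() { return 354.0 * 354.0 * 16.0; }

// The div's "margin: 131em" computed both ways.
double marginPxWrapping() {
    return rawToPx(mulWrapping(pxToRawSaturated(divFontSizePx()), 131));
}
double marginPxSaturating() {
    return rawToPx(mulSaturating(pxToRawSaturated(divFontSizePx()), 131));
}

int main() {
    std::printf("div font-size: %.0f px\n", divFontSizePx());
    std::printf("margin, wrapping:   %.6f px\n", marginPxWrapping());   // -5773120 px
    std::printf("margin, saturating: %.6f px\n", marginPxSaturating()); // 33554431.984375 px
    return 0;
}
```

With wrapping arithmetic the 262-million-pixel margin silently turns into a margin of about minus 5.7 million pixels, which is how geometry ends up with negative or inverted coordinates; with saturation it pins to the 33554431.984375 px ceiling instead. The magnitude 33554432 is INT32_MIN / 64, the floor of this representation, which is worth keeping in mind when reading the coordinate values that come up later in this bug.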
Renata Hodovan
Comment 3 2014-09-08 04:18:54 PDT
Created attachment 237777: Repro

The original test case does not reproduce the issue anymore. However the attached one still does.
Renata Hodovan
Comment 4 2014-09-08 05:46:55 PDT
*** Bug 119627 has been marked as a duplicate of this bug. ***
Simon Fraser (smfr)
Comment 5 2014-11-09 20:08:40 PST
After the geometry map assertion, this asserts at:

ASSERTION FAILED: y2 >= y1
/Volumes/DataSSD/Development/apple/webkit/OpenSource/Source/WebCore/rendering/RenderObject.cpp(923) : void WebCore::RenderObject::drawLineForBoxSide(WebCore::GraphicsContext *, float, float, float, float, WebCore::BoxSide, WebCore::Color, WebCore::EBorderStyle, float, float, bool) const
1   0x1033c9870 WTFCrash
2   0x10615dc97 WebCore::RenderObject::drawLineForBoxSide(WebCore::GraphicsContext*, float, float, float, float, WebCore::BoxSide, WebCore::Color, WebCore::EBorderStyle, float, float, bool) const
3   0x10615d89f WebCore::RenderObject::drawLineForBoxSide(WebCore::GraphicsContext*, float, float, float, float, WebCore::BoxSide, WebCore::Color, WebCore::EBorderStyle, float, float, bool) const
4   0x10615fb5f WebCore::RenderObject::paintOutline(WebCore::PaintInfo&, WebCore::LayoutRect const&)
5   0x1061731be WebCore::RenderReplaced::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&)
6   0x106086afa WebCore::RenderImage::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&)
7   0x105f5dc20 WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool)
8   0x105f5d857 WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool)

(lldb) p y1
(float) $1 = 5
(lldb) p y2
(float) $2 = -33554432
zalan
Comment 6 2015-01-05 20:39:47 PST
With certain (big enough) values, the following code fails:

FloatRect rect(big number, big number, big number, big number);
FloatQuad quad(rect);
assert(rect.size() == quad.size())

because FloatQuad stores top/left/bottom/right values internally -> float approx. value -> rect.m_size != quad.FloatRect(left, top, right - left, bottom - top).m_size
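The round trip zalan describes, as an added, constructed example rather than WebKit's own FloatRect/FloatQuad classes: a rect stored as origin plus size is turned into a quad that stores its four corners as floats, and the bounding box is rebuilt as (left, top, right - left, bottom - top). Once `x + width` exceeds 2^24, the float sum rounds, and the rebuilt size no longer equals the original. The struct and function names below are this example's own.

```cpp
#include <algorithm>
#include <cstdio>

// Constructed stand-ins for a rect (origin + size) and a quad (four corner
// points), both holding floats. Example code, not WebKit's classes.
struct ExFloatRect {
    float x, y, width, height;
};

struct ExFloatQuad {
    float p1x, p1y, p2x, p2y, p3x, p3y, p4x, p4y;

    // Building the quad evaluates x + width and y + height in float; for large
    // values the sum is rounded to the nearest representable float.
    explicit ExFloatQuad(const ExFloatRect& r)
        : p1x(r.x),           p1y(r.y),
          p2x(r.x + r.width), p2y(r.y),
          p3x(r.x + r.width), p3y(r.y + r.height),
          p4x(r.x),           p4y(r.y + r.height) {}

    // Rebuild a rect as (left, top, right - left, bottom - top).
    ExFloatRect boundingBox() const {
        float left   = std::min(std::min(p1x, p2x), std::min(p3x, p4x));
        float top    = std::min(std::min(p1y, p2y), std::min(p3y, p4y));
        float right  = std::max(std::max(p1x, p2x), std::max(p3x, p4x));
        float bottom = std::max(std::max(p1y, p2y), std::max(p3y, p4y));
        return ExFloatRect{left, top, right - left, bottom - top};
    }
};

// Width of the rect after a rect -> quad -> boundingBox round trip.
float roundTrippedWidth(const ExFloatRect& r) {
    return ExFloatQuad(r).boundingBox().width;
}

// True when the size survives the round trip unchanged (the invariant the
// assertion in this bug relies on).
bool sizeSurvivesRoundTrip(const ExFloatRect& r) {
    ExFloatRect b = ExFloatQuad(r).boundingBox();
    return b.width == r.width && b.height == r.height;
}

int main() {
    ExFloatRect small{10.0f, 20.0f, 300.0f, 400.0f};
    // 5 + 16777216 = 16777221 is not representable as a float; it rounds to
    // 16777220, so the rebuilt width is 16777215 instead of 16777216.
    ExFloatRect big{5.0f, 5.0f, 16777216.0f, 16777216.0f};
    std::printf("small: %s\n", sizeSurvivesRoundTrip(small) ? "size preserved" : "size changed");
    std::printf("big:   %s (width %.0f -> %.0f)\n",
                sizeSurvivesRoundTrip(big) ? "size preserved" : "size changed",
                big.width, roundTrippedWidth(big));
    return 0;
}
```

The comparison is deliberately exact (`==`) because that is the property the geometry-map assertion checks; the takeaway is that any code comparing a rect against a quad derived from it has to tolerate float rounding once coordinates reach the 2^24 range, which the saturated LayoutUnit values in this bug do.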
zalan
Comment 7 2015-01-06 14:55:48 PST
zalan
Comment 8 2015-01-06 15:34:10 PST
Simon Fraser (smfr)
Comment 9 2015-01-06 15:46:22 PST
Comment on attachment 244102: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=244102&action=review

> LayoutTests/fast/block/geometry-map-assertion-with-tall-content.html:10
> +<![CDATA[
> +* {}
> +* {
> +  display:table-caption;
> +  outline-style:ridge;
> +  overflow-x:auto;
> +}

This could be less crazy
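Review bot: the `<![CDATA[` line is not CSS in a text/html document; the CSS parser takes it as the prelude of a malformed qualified rule and consumes it together with the following `* {}`, so the empty rule is only there to absorb the CDATA marker. Dropping both lines leaves the single universal rule that drives the test, and a one-line comment naming which of `display:table-caption`, `outline-style:ridge` and `overflow-x:auto` is needed to produce the tall content would make the test's intent clear to the next person touching it.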
zalan
Comment 10 2015-01-06 15:58:05 PST
WebKit Commit Bot
Comment 11 2015-01-06 17:22:12 PST
Comment on attachment 244105: Patch

Clearing flags on attachment: 244105

Committed r178009: <http://trac.webkit.org/changeset/178009>
WebKit Commit Bot
Comment 12 2015-01-06 17:22:25 PST
All reviewed patches have been landed. Closing bug.