WebKit Bugzilla
RESOLVED FIXED
108619
Assertion in RenderGeometryMap::mapToContainer with LayoutUnit overflow
https://bugs.webkit.org/show_bug.cgi?id=108619
Renata Hodovan
Reported
2013-02-01 05:23:52 PST
During CSS fuzzing I've got the following assertion failure:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff5632d50 in WebCore::RenderGeometryMap::mapToContainer (this=0x7fffffffc7a0, rect=..., container=0x0) at /home/reni/repos/webkit2/Source/WebCore/rendering/RenderGeometryMap.cpp:142
142	    ASSERT(enclosingIntRect(rendererMappedResult) == enclosingIntRect(FloatQuad(result).boundingBox()));

The test:

<html id="test-element">
<head>
<style>
#test-element {font-size: 354em;}
</style>
<body>
<div id="test-element" style="margin: 131em;"></div>
<div id=word style="-webkit-box-shadow: 2px -2px;position: absolute; margin:131em;"></div>
</body>
</html>

I've seen bugs (Qt: #89466, WIN: #88128) with similar issues but they are working for me right now.
Attachments
Repro (163 bytes, text/html), 2014-09-08 04:18 PDT, Renata Hodovan, no flags
Patch (5.09 KB, patch), 2015-01-06 15:34 PST, zalan, no flags
Patch (4.90 KB, patch), 2015-01-06 15:58 PST, zalan, no flags
Simon Fraser (smfr)
Comment 1
2013-02-01 09:13:37 PST
font-size: 354em;
This looks like LayoutUnit overflow.
Emil A Eklund
Comment 2
2013-02-01 10:32:46 PST
Simon is right, that is almost certainly due to overflow. Try to run with SATURATED_LAYOUT_ARITHMETIC enabled and see if it still happens.
Renata Hodovan
Comment 3
2014-09-08 04:18:54 PDT
Created attachment 237777 [details] Repro
The original test case does not reproduce the issue anymore. However, the attached one still does.
Renata Hodovan
Comment 4
2014-09-08 05:46:55 PDT
*** Bug 119627 has been marked as a duplicate of this bug. ***
Simon Fraser (smfr)
Comment 5
2014-11-09 20:08:40 PST
After the geometry map assertion, this asserts at:

ASSERTION FAILED: y2 >= y1
/Volumes/DataSSD/Development/apple/webkit/OpenSource/Source/WebCore/rendering/RenderObject.cpp(923) : void WebCore::RenderObject::drawLineForBoxSide(WebCore::GraphicsContext *, float, float, float, float, WebCore::BoxSide, WebCore::Color, WebCore::EBorderStyle, float, float, bool) const
1   0x1033c9870 WTFCrash
2   0x10615dc97 WebCore::RenderObject::drawLineForBoxSide(WebCore::GraphicsContext*, float, float, float, float, WebCore::BoxSide, WebCore::Color, WebCore::EBorderStyle, float, float, bool) const
3   0x10615d89f WebCore::RenderObject::drawLineForBoxSide(WebCore::GraphicsContext*, float, float, float, float, WebCore::BoxSide, WebCore::Color, WebCore::EBorderStyle, float, float, bool) const
4   0x10615fb5f WebCore::RenderObject::paintOutline(WebCore::PaintInfo&, WebCore::LayoutRect const&)
5   0x1061731be WebCore::RenderReplaced::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&)
6   0x106086afa WebCore::RenderImage::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&)
7   0x105f5dc20 WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool)
8   0x105f5d857 WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool)

(lldb) p y1
(float) $1 = 5
(lldb) p y2
(float) $2 = -33554432
zalan
Comment 6
2015-01-05 20:39:47 PST
With certain (big enough) values, the following code fails:

FloatRect rect(big number, big number, big number, big number);
FloatQuad quad(rect);
assert(rect.size() == quad.size())

because FloatQuad stores top left bottom right values internally -> float approx. value -> rect.m_size != quad.FloatRect(left, top, right - left, bottom - top).m_size
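As an added illustration of the mismatch zalan describes (example code, not WebKit's own): the structs below are simplified stand-ins for WebCore's FloatRect and FloatQuad, and 33554432 = 2^25 is the magnitude that appears in comment 5, where adjacent floats are already 4 apart.

```cpp
#include <cmath>
#include <cstdio>

// Stand-ins for the WebCore types named in the bug (added example, not WebKit's code):
// FloatRect stores origin + size; FloatQuad stores four corner points.
struct FloatPoint { float x, y; };
struct FloatSize {
    float width, height;
    bool operator==(const FloatSize& o) const { return width == o.width && height == o.height; }
};
struct FloatRect {
    float x, y, width, height;
    FloatSize size() const { return {width, height}; }
};

struct FloatQuad {
    FloatPoint p1, p2, p3, p4; // top-left, top-right, bottom-right, bottom-left
    // The corners are computed in float, so x + width is rounded before it is stored.
    explicit FloatQuad(const FloatRect& r)
        : p1{r.x, r.y}, p2{r.x + r.width, r.y}, p3{r.x + r.width, r.y + r.height}, p4{r.x, r.y + r.height} {}
    // Rebuild a rect from the corners: the size comes out as right - left, bottom - top.
    FloatRect boundingBox() const {
        float left = std::fmin(std::fmin(p1.x, p2.x), std::fmin(p3.x, p4.x));
        float right = std::fmax(std::fmax(p1.x, p2.x), std::fmax(p3.x, p4.x));
        float top = std::fmin(std::fmin(p1.y, p2.y), std::fmin(p3.y, p4.y));
        float bottom = std::fmax(std::fmax(p1.y, p2.y), std::fmax(p3.y, p4.y));
        return {left, top, right - left, bottom - top};
    }
};

// The check from comment 6: does the size survive a FloatRect -> FloatQuad -> FloatRect round trip?
bool sizeSurvivesRoundTrip(const FloatRect& r) {
    return FloatQuad(r).boundingBox().size() == r.size();
}

// How far the width drifts through the round trip (0 when it is exact).
float widthDrift(const FloatRect& r) {
    return FloatQuad(r).boundingBox().width - r.width;
}

int main() {
    FloatRect small{10.f, 20.f, 30.f, 40.f};
    // 33554432 = 2^25 (the magnitude seen in comment 5); adjacent floats are 4 apart here,
    // so 33554432 + 3 rounds to 33554436 and the 3px width comes back as 4px.
    FloatRect huge{33554432.f, 0.f, 3.f, 1.f};
    std::printf("small: survives=%d drift=%g\n", sizeSurvivesRoundTrip(small), widthDrift(small));
    std::printf("huge:  survives=%d drift=%g\n", sizeSurvivesRoundTrip(huge), widthDrift(huge));
    return 0;
}
```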
zalan
Comment 7
2015-01-06 14:55:48 PST
rdar://problem/19391214
zalan
Comment 8
2015-01-06 15:34:10 PST
Created attachment 244102 [details] Patch
Simon Fraser (smfr)
Comment 9
2015-01-06 15:46:22 PST
Comment on attachment 244102 [details] Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=244102&action=review
> LayoutTests/fast/block/geometry-map-assertion-with-tall-content.html:10 > +<![CDATA[ > +* {} > +* { > + display:table-caption; > + outline-style:ridge; > + overflow-x:auto; > +}
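Review bot: the empty `* {}` rule at the top of the quoted test file is a no-op and can be dropped, and the universal selector in the rule after it turns every element, `html` and `body` included, into a `display:table-caption` box with a ridge outline and `overflow-x:auto`; scoping those three declarations to the one element the repro needs would make the test easier to read and to reduce further.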
This could be less crazy
zalan
Comment 10
2015-01-06 15:58:05 PST
Created attachment 244105 [details] Patch
WebKit Commit Bot
Comment 11
2015-01-06 17:22:12 PST
Comment on attachment 244105 [details] Patch
Clearing flags on attachment: 244105
Committed r178009: <http://trac.webkit.org/changeset/178009>
WebKit Commit Bot
Comment 12
2015-01-06 17:22:25 PST
All reviewed patches have been landed. Closing bug.