Bug 136939 - (CVE-2014-4469 component) ASSERTION FAILED: !gridWasPopulated() in WebCore::RenderGrid::placeItemsOnGrid
Summary: (CVE-2014-4469 component) ASSERTION FAILED: !gridWasPopulated() in WebCore::R...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering (show other bugs)
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Manuel Rego Casasnovas - OOO (back 1st Sep)
URL:
Keywords:
Depends on:
Blocks: 60731 116980
  Show dependency treegraph
 
Reported: 2014-09-19 01:12 PDT by Renata Hodovan
Modified: 2015-12-08 14:00 PST (History)
8 users (show)

See Also:


Attachments
Test case (181 bytes, text/html)
2014-09-19 01:12 PDT, Renata Hodovan
no flags Details
Patch (4.40 KB, patch)
2014-10-16 05:39 PDT, Manuel Rego Casasnovas - OOO (back 1st Sep)
no flags Details | Formatted Diff | Diff
Patch (5.18 KB, patch)
2014-10-16 13:31 PDT, Manuel Rego Casasnovas - OOO (back 1st Sep)
no flags Details | Formatted Diff | Diff
Patch (5.26 KB, patch)
2014-10-20 05:18 PDT, Manuel Rego Casasnovas - OOO (back 1st Sep)
no flags Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Renata Hodovan 2014-09-19 01:12:49 PDT
Created attachment 238353 [details]
Test case

The following test produces the assertion failure:

<!DOCTYPE html>
<style>
*  {
    display:-webkit-grid;
    -webkit-columns: 5;
}
</style>
<details open>
<button>
    <sup>
        <input placeholder="aaaa"/>
    </sup>
</button>


Its backtrace:

ASSERTION FAILED: !gridWasPopulated()
../../Source/WebCore/rendering/RenderGrid.cpp(694) : void WebCore::RenderGrid::placeItemsOnGrid()

0x00007fffedbf3127 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:329
329	    *(int *)(uintptr_t)0xbbadbeef = 0;
gdb$ bt
#0  0x00007fffedbf3127 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:329
#1  0x00007ffff3a07294 in WebCore::RenderGrid::placeItemsOnGrid (this=0xa40b30) at ../../Source/WebCore/rendering/RenderGrid.cpp:694
#2  0x00007ffff3a0487a in WebCore::RenderGrid::computeIntrinsicLogicalWidths (this=0xa40b30, minLogicalWidth=..., maxLogicalWidth=...) at ../../Source/WebCore/rendering/RenderGrid.cpp:244
#3  0x00007ffff3a04a62 in WebCore::RenderGrid::computePreferredLogicalWidths (this=0xa40b30) at ../../Source/WebCore/rendering/RenderGrid.cpp:274
#4  0x00007ffff397f300 in WebCore::RenderBox::minPreferredLogicalWidth (this=0xa40b30) at ../../Source/WebCore/rendering/RenderBox.cpp:996
#5  0x00007ffff392ca7f in WebCore::RenderBlock::computeBlockPreferredLogicalWidths (this=0xa1ca70, minLogicalWidth=..., maxLogicalWidth=...) at ../../Source/WebCore/rendering/RenderBlock.cpp:2851
#6  0x00007ffff394c9ef in WebCore::RenderBlockFlow::computeIntrinsicLogicalWidths (this=0xa1ca70, minLogicalWidth=..., maxLogicalWidth=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:359
#7  0x00007ffff392c2f5 in WebCore::RenderBlock::computePreferredLogicalWidths (this=0xa1ca70) at ../../Source/WebCore/rendering/RenderBlock.cpp:2777
#8  0x00007ffff397f300 in WebCore::RenderBox::minPreferredLogicalWidth (this=0xa1ca70) at ../../Source/WebCore/rendering/RenderBox.cpp:996
#9  0x00007ffff39d9d0a in WebCore::RenderFlexibleBox::computeIntrinsicLogicalWidths (this=0xa1f0b0, minLogicalWidth=..., maxLogicalWidth=...) at ../../Source/WebCore/rendering/RenderFlexibleBox.cpp:105
#10 0x00007ffff39da041 in WebCore::RenderFlexibleBox::computePreferredLogicalWidths (this=0xa1f0b0) at ../../Source/WebCore/rendering/RenderFlexibleBox.cpp:144
#11 0x00007ffff397f386 in WebCore::RenderBox::maxPreferredLogicalWidth (this=0xa1f0b0) at ../../Source/WebCore/rendering/RenderBox.cpp:1008
#12 0x00007ffff39865c5 in WebCore::RenderBox::computeLogicalWidthInRegionUsing (this=0xa1f0b0, widthType=WebCore::MainOrPreferredSize, logicalWidth=..., availableLogicalWidth=..., cb=0x8d6810, region=0x7c69d0) at ../../Source/WebCore/rendering/RenderBox.cpp:2412
#13 0x00007ffff3985cee in WebCore::RenderBox::computeLogicalWidthInRegion (this=0xa1f0b0, computedValues=..., region=0x7c69d0) at ../../Source/WebCore/rendering/RenderBox.cpp:2321
#14 0x00007ffff398724e in WebCore::RenderBox::renderBoxRegionInfo (this=0xa1f0b0, region=0x7c69d0, cacheFlag=WebCore::RenderBox::CacheRenderBoxRegionInfo) at ../../Source/WebCore/rendering/RenderBox.cpp:2556
#15 0x00007ffff3987293 in WebCore::RenderBox::renderBoxRegionInfo (this=0xa1ca70, region=0x7c69d0, cacheFlag=WebCore::RenderBox::CacheRenderBoxRegionInfo) at ../../Source/WebCore/rendering/RenderBox.cpp:2561
#16 0x00007ffff398388c in WebCore::RenderBox::containingBlockLogicalWidthForContentInRegion (this=0xa40b30, region=0x7c69d0) at ../../Source/WebCore/rendering/RenderBox.cpp:1855
#17 0x00007ffff3985a26 in WebCore::RenderBox::computeLogicalWidthInRegion (this=0xa40b30, computedValues=..., region=0x7c69d0) at ../../Source/WebCore/rendering/RenderBox.cpp:2302
#18 0x00007ffff398724e in WebCore::RenderBox::renderBoxRegionInfo (this=0xa40b30, region=0x7c69d0, cacheFlag=WebCore::RenderBox::CacheRenderBoxRegionInfo) at ../../Source/WebCore/rendering/RenderBox.cpp:2556
#19 0x00007ffff398388c in WebCore::RenderBox::containingBlockLogicalWidthForContentInRegion (this=0x8e1d50, region=0x7c69d0) at ../../Source/WebCore/rendering/RenderBox.cpp:1855
#20 0x00007ffff3985a26 in WebCore::RenderBox::computeLogicalWidthInRegion (this=0x8e1d50, computedValues=..., region=0x7c69d0) at ../../Source/WebCore/rendering/RenderBox.cpp:2302
#21 0x00007ffff398724e in WebCore::RenderBox::renderBoxRegionInfo (this=0x8e1d50, region=0x7c69d0, cacheFlag=WebCore::RenderBox::CacheRenderBoxRegionInfo) at ../../Source/WebCore/rendering/RenderBox.cpp:2556
#22 0x00007ffff397b721 in WebCore::RenderBox::borderBoxRectInRegion (this=0xb00a20, region=0x7c69d0, cacheFlag=WebCore::RenderBox::CacheRenderBoxRegionInfo) at ../../Source/WebCore/rendering/RenderBox.cpp:213
#23 0x00007ffff3abda13 in WebCore::RenderRegion::ensureOverflowForBox (this=0x7c69d0, box=0xb00a20, overflow=..., forceCreation=0x0) at ../../Source/WebCore/rendering/RenderRegion.cpp:445
#24 0x00007ffff3abdfef in WebCore::RenderRegion::addVisualOverflowForBox (this=0x7c69d0, box=0xb00a20, rect=...) at ../../Source/WebCore/rendering/RenderRegion.cpp:509
#25 0x00007ffff39e99eb in WebCore::RenderFlowThread::addRegionsOverflowFromChild (this=0xb00a20, box=0xb00a20, child=0xa42030, delta=...) at ../../Source/WebCore/rendering/RenderFlowThread.cpp:1449
#26 0x00007ffff3990cdc in WebCore::RenderBox::addOverflowFromChild (this=0xb00a20, child=0xa42030, delta=...) at ../../Source/WebCore/rendering/RenderBox.cpp:4338
#27 0x00007ffff3933891 in WebCore::RenderBox::addOverflowFromChild (this=0xb00a20, child=0xa42030) at ../../Source/WebCore/rendering/RenderBox.h:208
#28 0x00007ffff3923086 in WebCore::RenderBlock::addOverflowFromBlockChildren (this=0xb00a20) at ../../Source/WebCore/rendering/RenderBlock.cpp:1147
#29 0x00007ffff3922c59 in WebCore::RenderBlock::addOverflowFromChildren (this=0xb00a20) at ../../Source/WebCore/rendering/RenderBlock.cpp:1088
#30 0x00007ffff3922d29 in WebCore::RenderBlock::computeOverflow (this=0xb00a20, oldClientAfterEdge=...) at ../../Source/WebCore/rendering/RenderBlock.cpp:1102
#31 0x00007ffff3954d8b in WebCore::RenderBlockFlow::computeOverflow (this=0xb00a20, oldClientAfterEdge=..., recomputeFloats=0x0) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:2081
#32 0x00007ffff394daa5 in WebCore::RenderBlockFlow::layoutBlock (this=0xb00a20, relayoutChildren=0x1, pageLogicalHeight=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:528
#33 0x00007ffff392285f in WebCore::RenderBlock::layout (this=0xb00a20) at ../../Source/WebCore/rendering/RenderBlock.cpp:1019
#34 0x00007ffff39e3a84 in WebCore::RenderFlowThread::layout (this=0xb00a20) at ../../Source/WebCore/rendering/RenderFlowThread.cpp:201
#35 0x00007ffff3a8e6ae in WebCore::RenderMultiColumnFlowThread::layout (this=0xb00a20) at ../../Source/WebCore/rendering/RenderMultiColumnFlowThread.cpp:135
#36 0x00007ffff394e6b0 in WebCore::RenderBlockFlow::layoutBlockChild (this=0x8e1d50, child=..., marginInfo=..., previousFloatLogicalBottom=..., maxFloatLogicalBottom=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:712
#37 0x00007ffff394e1d1 in WebCore::RenderBlockFlow::layoutBlockChildren (this=0x8e1d50, relayoutChildren=0x1, maxFloatLogicalBottom=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:633
#38 0x00007ffff394d5ee in WebCore::RenderBlockFlow::layoutBlock (this=0x8e1d50, relayoutChildren=0x1, pageLogicalHeight=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:486
#39 0x00007ffff3b085c1 in WebCore::RenderTextControlSingleLine::layout (this=0x8e1d50) at ../../Source/WebCore/rendering/RenderTextControlSingleLine.cpp:140
#40 0x00007ffff38ed18f in WebCore::RenderElement::layoutIfNeeded (this=0x8e1d50) at ../../Source/WebCore/rendering/RenderElement.h:102
#41 0x00007ffff3a05e97 in WebCore::RenderGrid::logicalContentHeightForChild (this=0xa40b30, child=..., columnTracks=...) at ../../Source/WebCore/rendering/RenderGrid.cpp:498
#42 0x00007ffff3a05f92 in WebCore::RenderGrid::minContentForChild (this=0xa40b30, child=..., direction=WebCore::ForRows, columnTracks=...) at ../../Source/WebCore/rendering/RenderGrid.cpp:515
#43 0x00007ffff3a068d5 in WebCore::RenderGrid::resolveContentBasedTrackSizingFunctionsForItems (this=0xa40b30, direction=WebCore::ForRows, sizingData=..., gridItemWithSpan=..., filterFunction=(bool (WebCore::GridTrackSize::*)(const WebCore::GridTrackSize * const)) 0x7ffff3a09f26 <WebCore::GridTrackSize::hasMinOrMaxContentMinTrackBreadth() const>, sizingFunction=(WebCore::LayoutUnit (WebCore::RenderGrid::*)(WebCore::RenderGrid * const, WebCore::RenderBox &, WebCore::GridTrackSizingDirection, WTF::Vector<WebCore::GridTrack, 0ul, WTF::CrashOnOverflow> &)) 0x7ffff3a05ed8 <WebCore::RenderGrid::minContentForChild(WebCore::RenderBox&, WebCore::GridTrackSizingDirection, WTF::Vector<WebCore::GridTrack, 0ul, WTF::CrashOnOverflow>&)>, trackGetter=(WebCore::LayoutUnit (WebCore::GridTrack::*)(const WebCore::GridTrack * const)) 0x7ffff3a0a3c6 <WebCore::GridTrack::usedBreadth() const>, trackGrowthFunction=(void (WebCore::GridTrack::*)(WebCore::GridTrack * const, WebCore::LayoutUnit)) 0x7ffff3a0a366 <WebCore::GridTrack::growUsedBreadth(WebCore::LayoutUnit)>) at ../../Source/WebCore/rendering/RenderGrid.cpp:605
#44 0x00007ffff3a06322 in WebCore::RenderGrid::resolveContentBasedTrackSizingFunctions (this=0xa40b30, direction=WebCore::ForRows, sizingData=...) at ../../Source/WebCore/rendering/RenderGrid.cpp:574
#45 0x00007ffff3a04d8c in WebCore::RenderGrid::computeUsedBreadthOfGridTracks (this=0xa40b30, direction=WebCore::ForRows, sizingData=..., availableLogicalSpace=...) at ../../Source/WebCore/rendering/RenderGrid.cpp:320
#46 0x00007ffff3a04b31 in WebCore::RenderGrid::computeUsedBreadthOfGridTracks (this=0xa40b30, direction=WebCore::ForRows, sizingData=...) at ../../Source/WebCore/rendering/RenderGrid.cpp:286
#47 0x00007ffff3a086f7 in WebCore::RenderGrid::layoutGridItems (this=0xa40b30) at ../../Source/WebCore/rendering/RenderGrid.cpp:883
#48 0x00007ffff3a046f0 in WebCore::RenderGrid::layoutBlock (this=0xa40b30, relayoutChildren=0x0) at ../../Source/WebCore/rendering/RenderGrid.cpp:218
#49 0x00007ffff392285f in WebCore::RenderBlock::layout (this=0xa40b30) at ../../Source/WebCore/rendering/RenderBlock.cpp:1019
#50 0x00007ffff394e6b0 in WebCore::RenderBlockFlow::layoutBlockChild (this=0xa1ca70, child=..., marginInfo=..., previousFloatLogicalBottom=..., maxFloatLogicalBottom=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:712
#51 0x00007ffff394e1d1 in WebCore::RenderBlockFlow::layoutBlockChildren (this=0xa1ca70, relayoutChildren=0x1, maxFloatLogicalBottom=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:633
#52 0x00007ffff394d5ee in WebCore::RenderBlockFlow::layoutBlock (this=0xa1ca70, relayoutChildren=0x1, pageLogicalHeight=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:486
#53 0x00007ffff392285f in WebCore::RenderBlock::layout (this=0xa1ca70) at ../../Source/WebCore/rendering/RenderBlock.cpp:1019
#54 0x00007ffff38ed18f in WebCore::RenderElement::layoutIfNeeded (this=0xa1ca70) at ../../Source/WebCore/rendering/RenderElement.h:102
#55 0x00007ffff39debea in WebCore::RenderFlexibleBox::layoutAndPlaceChildren (this=0xa1f0b0, crossAxisOffset=..., children=..., childSizes=..., availableFreeSpace=..., relayoutChildren=0x1, lineContexts=...) at ../../Source/WebCore/rendering/RenderFlexibleBox.cpp:1102
#56 0x00007ffff39dca2f in WebCore::RenderFlexibleBox::layoutFlexItems (this=0xa1f0b0, relayoutChildren=0x1, lineContexts=...) at ../../Source/WebCore/rendering/RenderFlexibleBox.cpp:705
#57 0x00007ffff39dad65 in WebCore::RenderFlexibleBox::layoutBlock (this=0xa1f0b0, relayoutChildren=0x1) at ../../Source/WebCore/rendering/RenderFlexibleBox.cpp:283
#58 0x00007ffff392285f in WebCore::RenderBlock::layout (this=0xa1f0b0) at ../../Source/WebCore/rendering/RenderBlock.cpp:1019
#59 0x00007ffff394e6b0 in WebCore::RenderBlockFlow::layoutBlockChild (this=0x8d6810, child=..., marginInfo=..., previousFloatLogicalBottom=..., maxFloatLogicalBottom=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:712
#60 0x00007ffff394e1d1 in WebCore::RenderBlockFlow::layoutBlockChildren (this=0x8d6810, relayoutChildren=0x0, maxFloatLogicalBottom=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:633
#61 0x00007ffff394d5ee in WebCore::RenderBlockFlow::layoutBlock (this=0x8d6810, relayoutChildren=0x0, pageLogicalHeight=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:486
#62 0x00007ffff392285f in WebCore::RenderBlock::layout (this=0x8d6810) at ../../Source/WebCore/rendering/RenderBlock.cpp:1019
#63 0x00007ffff39e3a84 in WebCore::RenderFlowThread::layout (this=0x8d6810) at ../../Source/WebCore/rendering/RenderFlowThread.cpp:201
#64 0x00007ffff3a8e6ae in WebCore::RenderMultiColumnFlowThread::layout (this=0x8d6810) at ../../Source/WebCore/rendering/RenderMultiColumnFlowThread.cpp:135
#65 0x00007ffff395cfb6 in WebCore::RenderBlockFlow::layoutSpecialExcludedChild (this=0x951f70, relayoutChildren=0x1) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:3682
#66 0x00007ffff394e09a in WebCore::RenderBlockFlow::layoutBlockChildren (this=0x951f70, relayoutChildren=0x1, maxFloatLogicalBottom=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:605
#67 0x00007ffff394d5ee in WebCore::RenderBlockFlow::layoutBlock (this=0x951f70, relayoutChildren=0x1, pageLogicalHeight=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:486
#68 0x00007ffff392285f in WebCore::RenderBlock::layout (this=0x951f70) at ../../Source/WebCore/rendering/RenderBlock.cpp:1019
#69 0x00007ffff38ed18f in WebCore::RenderElement::layoutIfNeeded (this=0x951f70) at ../../Source/WebCore/rendering/RenderElement.h:102
#70 0x00007ffff3a05e97 in WebCore::RenderGrid::logicalContentHeightForChild (this=0xa4dc00, child=..., columnTracks=...) at ../../Source/WebCore/rendering/RenderGrid.cpp:498
#71 0x00007ffff3a05f92 in WebCore::RenderGrid::minContentForChild (this=0xa4dc00, child=..., direction=WebCore::ForRows, columnTracks=...) at ../../Source/WebCore/rendering/RenderGrid.cpp:515
#72 0x00007ffff3a068d5 in WebCore::RenderGrid::resolveContentBasedTrackSizingFunctionsForItems (this=0xa4dc00, direction=WebCore::ForRows, sizingData=..., gridItemWithSpan=..., filterFunction=(bool (WebCore::GridTrackSize::*)(const WebCore::GridTrackSize * const)) 0x7ffff3a09f26 <WebCore::GridTrackSize::hasMinOrMaxContentMinTrackBreadth() const>, sizingFunction=(WebCore::LayoutUnit (WebCore::RenderGrid::*)(WebCore::RenderGrid * const, WebCore::RenderBox &, WebCore::GridTrackSizingDirection, WTF::Vector<WebCore::GridTrack, 0ul, WTF::CrashOnOverflow> &)) 0x7ffff3a05ed8 <WebCore::RenderGrid::minContentForChild(WebCore::RenderBox&, WebCore::GridTrackSizingDirection, WTF::Vector<WebCore::GridTrack, 0ul, WTF::CrashOnOverflow>&)>, trackGetter=(WebCore::LayoutUnit (WebCore::GridTrack::*)(const WebCore::GridTrack * const)) 0x7ffff3a0a3c6 <WebCore::GridTrack::usedBreadth() const>, trackGrowthFunction=(void (WebCore::GridTrack::*)(WebCore::GridTrack * const, WebCore::LayoutUnit)) 0x7ffff3a0a366 <WebCore::GridTrack::growUsedBreadth(WebCore::LayoutUnit)>) at ../../Source/WebCore/rendering/RenderGrid.cpp:605
#73 0x00007ffff3a06322 in WebCore::RenderGrid::resolveContentBasedTrackSizingFunctions (this=0xa4dc00, direction=WebCore::ForRows, sizingData=...) at ../../Source/WebCore/rendering/RenderGrid.cpp:574
#74 0x00007ffff3a04d8c in WebCore::RenderGrid::computeUsedBreadthOfGridTracks (this=0xa4dc00, direction=WebCore::ForRows, sizingData=..., availableLogicalSpace=...) at ../../Source/WebCore/rendering/RenderGrid.cpp:320
#75 0x00007ffff3a04b31 in WebCore::RenderGrid::computeUsedBreadthOfGridTracks (this=0xa4dc00, direction=WebCore::ForRows, sizingData=...) at ../../Source/WebCore/rendering/RenderGrid.cpp:286
#76 0x00007ffff3a086f7 in WebCore::RenderGrid::layoutGridItems (this=0xa4dc00) at ../../Source/WebCore/rendering/RenderGrid.cpp:883
#77 0x00007ffff3a046f0 in WebCore::RenderGrid::layoutBlock (this=0xa4dc00, relayoutChildren=0x0) at ../../Source/WebCore/rendering/RenderGrid.cpp:218
#78 0x00007ffff392285f in WebCore::RenderBlock::layout (this=0xa4dc00) at ../../Source/WebCore/rendering/RenderBlock.cpp:1019
#79 0x00007ffff38ed18f in WebCore::RenderElement::layoutIfNeeded (this=0xa4dc00) at ../../Source/WebCore/rendering/RenderElement.h:102
#80 0x00007ffff3a05e97 in WebCore::RenderGrid::logicalContentHeightForChild (this=0x860f50, child=..., columnTracks=...) at ../../Source/WebCore/rendering/RenderGrid.cpp:498
#81 0x00007ffff3a05f92 in WebCore::RenderGrid::minContentForChild (this=0x860f50, child=..., direction=WebCore::ForRows, columnTracks=...) at ../../Source/WebCore/rendering/RenderGrid.cpp:515
#82 0x00007ffff3a068d5 in WebCore::RenderGrid::resolveContentBasedTrackSizingFunctionsForItems (this=0x860f50, direction=WebCore::ForRows, sizingData=..., gridItemWithSpan=..., filterFunction=(bool (WebCore::GridTrackSize::*)(const WebCore::GridTrackSize * const)) 0x7ffff3a09f26 <WebCore::GridTrackSize::hasMinOrMaxContentMinTrackBreadth() const>, sizingFunction=(WebCore::LayoutUnit (WebCore::RenderGrid::*)(WebCore::RenderGrid * const, WebCore::RenderBox &, WebCore::GridTrackSizingDirection, WTF::Vector<WebCore::GridTrack, 0ul, WTF::CrashOnOverflow> &)) 0x7ffff3a05ed8 <WebCore::RenderGrid::minContentForChild(WebCore::RenderBox&, WebCore::GridTrackSizingDirection, WTF::Vector<WebCore::GridTrack, 0ul, WTF::CrashOnOverflow>&)>, trackGetter=(WebCore::LayoutUnit (WebCore::GridTrack::*)(const WebCore::GridTrack * const)) 0x7ffff3a0a3c6 <WebCore::GridTrack::usedBreadth() const>, trackGrowthFunction=(void (WebCore::GridTrack::*)(WebCore::GridTrack * const, WebCore::LayoutUnit)) 0x7ffff3a0a366 <WebCore::GridTrack::growUsedBreadth(WebCore::LayoutUnit)>) at ../../Source/WebCore/rendering/RenderGrid.cpp:605
#83 0x00007ffff3a06322 in WebCore::RenderGrid::resolveContentBasedTrackSizingFunctions (this=0x860f50, direction=WebCore::ForRows, sizingData=...) at ../../Source/WebCore/rendering/RenderGrid.cpp:574
#84 0x00007ffff3a04d8c in WebCore::RenderGrid::computeUsedBreadthOfGridTracks (this=0x860f50, direction=WebCore::ForRows, sizingData=..., availableLogicalSpace=...) at ../../Source/WebCore/rendering/RenderGrid.cpp:320
#85 0x00007ffff3a04b31 in WebCore::RenderGrid::computeUsedBreadthOfGridTracks (this=0x860f50, direction=WebCore::ForRows, sizingData=...) at ../../Source/WebCore/rendering/RenderGrid.cpp:286
#86 0x00007ffff3a086f7 in WebCore::RenderGrid::layoutGridItems (this=0x860f50) at ../../Source/WebCore/rendering/RenderGrid.cpp:883
#87 0x00007ffff3a046f0 in WebCore::RenderGrid::layoutBlock (this=0x860f50, relayoutChildren=0x0) at ../../Source/WebCore/rendering/RenderGrid.cpp:218
#88 0x00007ffff392285f in WebCore::RenderBlock::layout (this=0x860f50) at ../../Source/WebCore/rendering/RenderBlock.cpp:1019
#89 0x00007ffff394e6b0 in WebCore::RenderBlockFlow::layoutBlockChild (this=0x8ab010, child=..., marginInfo=..., previousFloatLogicalBottom=..., maxFloatLogicalBottom=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:712
#90 0x00007ffff394e1d1 in WebCore::RenderBlockFlow::layoutBlockChildren (this=0x8ab010, relayoutChildren=0x1, maxFloatLogicalBottom=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:633
#91 0x00007ffff394d5ee in WebCore::RenderBlockFlow::layoutBlock (this=0x8ab010, relayoutChildren=0x1, pageLogicalHeight=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:486
#92 0x00007ffff392285f in WebCore::RenderBlock::layout (this=0x8ab010) at ../../Source/WebCore/rendering/RenderBlock.cpp:1019
#93 0x00007ffff3b1aaa9 in WebCore::RenderView::layoutContent (this=0x8ab010, state=...) at ../../Source/WebCore/rendering/RenderView.cpp:230
#94 0x00007ffff3b1b179 in WebCore::RenderView::layout (this=0x8ab010) at ../../Source/WebCore/rendering/RenderView.cpp:355
#95 0x00007ffff369240f in WebCore::FrameView::layout (this=0x85abd0, allowSubtree=0x1) at ../../Source/WebCore/page/FrameView.cpp:1301
#96 0x00007ffff30613d5 in WebCore::Document::implicitClose (this=0xa45940) at ../../Source/WebCore/dom/Document.cpp:2441
#97 0x00007ffff3540b63 in WebCore::FrameLoader::checkCallImplicitClose (this=0x88c838) at ../../Source/WebCore/loader/FrameLoader.cpp:898
#98 0x00007ffff35408cb in WebCore::FrameLoader::checkCompleted (this=0x88c838) at ../../Source/WebCore/loader/FrameLoader.cpp:844
#99 0x00007ffff3540634 in WebCore::FrameLoader::finishedParsing (this=0x88c838) at ../../Source/WebCore/loader/FrameLoader.cpp:764
#100 0x00007ffff3069e57 in WebCore::Document::finishedParsing (this=0xa45940) at ../../Source/WebCore/dom/Document.cpp:4524
#101 0x00007ffff33bd667 in WebCore::HTMLConstructionSite::finishedParsing (this=0x81dc78) at ../../Source/WebCore/html/parser/HTMLConstructionSite.cpp:395
#102 0x00007ffff33fb1dd in WebCore::HTMLTreeBuilder::finished (this=0x81dc60) at ../../Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2997
#103 0x00007ffff33c60d0 in WebCore::HTMLDocumentParser::end (this=0x85b520) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:439
#104 0x00007ffff33c61bb in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd (this=0x85b520) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:450
#105 0x00007ffff33c4c69 in WebCore::HTMLDocumentParser::prepareToStopParsing (this=0x85b520) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:165
#106 0x00007ffff33c61fe in WebCore::HTMLDocumentParser::attemptToEnd (this=0x85b520) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:462
#107 0x00007ffff33c62b5 in WebCore::HTMLDocumentParser::finish (this=0x85b520) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:490
#108 0x00007ffff35322d1 in WebCore::DocumentWriter::end (this=0x949c20) at ../../Source/WebCore/loader/DocumentWriter.cpp:246
#109 0x00007ffff351d9ad in WebCore::DocumentLoader::finishedLoading (this=0x949b80, finishTime=0) at ../../Source/WebCore/loader/DocumentLoader.cpp:441
#110 0x00007ffff351d716 in WebCore::DocumentLoader::notifyFinished (this=0x949b80, resource=0x8a7910) at ../../Source/WebCore/loader/DocumentLoader.cpp:375
#111 0x00007ffff35d47c4 in WebCore::CachedResource::checkNotify (this=0x8a7910) at ../../Source/WebCore/loader/cache/CachedResource.cpp:347
#112 0x00007ffff35d48ce in WebCore::CachedResource::finishLoading (this=0x8a7910) at ../../Source/WebCore/loader/cache/CachedResource.cpp:363
#113 0x00007ffff35d11f4 in WebCore::CachedRawResource::finishLoading (this=0x8a7910, data=0xa43e60) at ../../Source/WebCore/loader/cache/CachedRawResource.cpp:101
#114 0x00007ffff3580a50 in WebCore::SubresourceLoader::didFinishLoading (this=0x8a7e80, finishTime=0) at ../../Source/WebCore/loader/SubresourceLoader.cpp:309
#115 0x00007ffff357c73b in WebCore::ResourceLoader::didFinishLoading (this=0x8a7e80, finishTime=0) at ../../Source/WebCore/loader/ResourceLoader.cpp:512
#116 0x00007ffff3eecb0f in WebCore::readCallback (asyncResult=0x81d1a0, data=0x8a4aa0) at ../../Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp:1302
#117 0x00007fffebac72ea in async_ready_callback_wrapper (source_object=0xa3bb30, res=0x81d1a0, user_data=0x8a4aa0) at ginputstream.c:519
#118 0x00007fffebae6ceb in g_task_return_now (task=0x81d1a0) at gtask.c:1108
#119 0x00007fffebae6d09 in complete_in_idle_cb (task=0x81d1a0) at gtask.c:1117
#120 0x00007fffead3d2e6 in g_main_dispatch (context=0x677bb0) at gmain.c:3065
#121 g_main_context_dispatch (context=context@entry=0x677bb0) at gmain.c:3641
#122 0x00007fffead3d638 in g_main_context_iterate (context=0x677bb0, block=block@entry=0x1, dispatch=dispatch@entry=0x1, self=<optimized out>) at gmain.c:3712
#123 0x00007fffead3da3a in g_main_loop_run (loop=0xafe450) at gmain.c:3906
#124 0x00007ffff45e062e in WTF::RunLoop::run () at ../../Source/WTF/wtf/gtk/RunLoopGtk.cpp:59
#125 0x00007ffff2b1c1e2 in WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain> (argc=0x2, argv=0x7fffffffd9b8) at ../../Source/WebKit2/Shared/unix/ChildProcessMain.h:61
#126 0x00007ffff2b1c047 in WebKit::WebProcessMainUnix (argc=0x2, argv=0x7fffffffd9b8) at ../../Source/WebKit2/WebProcess/gtk/WebProcessMainGtk.cpp:73
#127 0x000000000040080d in main (argc=0x2, argv=0x7fffffffd9b8) at ../../Source/WebKit2/WebProcess/EntryPoint/unix/WebProcessMain.cpp:32
Comment 1 Manuel Rego Casasnovas - OOO (back 1st Sep) 2014-10-16 05:39:02 PDT
Created attachment 239944 [details]
Patch
Comment 2 Manuel Rego Casasnovas - OOO (back 1st Sep) 2014-10-16 13:31:24 PDT
Created attachment 239960 [details]
Patch

New patch, as I was just testing in debug and didn't realize that the gridWasPopulated() was only available in debug.
Comment 3 Sergio Villar Senin 2014-10-17 04:25:09 PDT
Comment on attachment 239960 [details]
Patch

The fix looks good, but I'm concerned about the test case. It'd be nice if you could come up with something that wouldn't require <details>, <sup> and the like...
Comment 4 Manuel Rego Casasnovas - OOO (back 1st Sep) 2014-10-20 05:18:01 PDT
Created attachment 240112 [details]
Patch
Comment 5 Manuel Rego Casasnovas - OOO (back 1st Sep) 2014-10-20 05:25:16 PDT
(In reply to comment #3)
> Comment on attachment 239960 [details]
> Patch
> 
> The fix looks good, but I'm concerned about the test case. It'd be nice if
> you could come up with something that wouldn't require <details>, <sup> and
> the like...

Reduced the test case as much as possible, but I still need some special tags like details, button or input to reproduce it.

It seems that inputs elements merged with multi-column have some problems (as reported in bug #137878).
Comment 6 Darin Adler 2014-10-20 09:55:27 PDT
Comment on attachment 240112 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=240112&action=review

> Source/WebCore/rendering/RenderGrid.cpp:245
> +    bool wasPopulated = gridWasPopulated();

Is this a good enough check? The check in gridWasPopulated seems a bit ad hoc, fine for an assertion but maybe not precise enough to properly detect the case we are in here?

> Source/WebCore/rendering/RenderGrid.cpp:247
> +        const_cast<RenderGrid*>(this)->placeItemsOnGrid();

This const_cast is peculiar. We should consider fixing this by using mutable.
Comment 7 Manuel Rego Casasnovas - OOO (back 1st Sep) 2014-10-21 04:34:18 PDT
(In reply to comment #6)
> Comment on attachment 240112 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=240112&action=review
> 
> > Source/WebCore/rendering/RenderGrid.cpp:245
> > +    bool wasPopulated = gridWasPopulated();
> 
> Is this a good enough check? The check in gridWasPopulated seems a bit ad
> hoc, fine for an assertion but maybe not precise enough to properly detect
> the case we are in here?

I think the check is right, as we need to be sure that both rows and columns have been populated.

> > Source/WebCore/rendering/RenderGrid.cpp:247
> > +        const_cast<RenderGrid*>(this)->placeItemsOnGrid();
> 
> This const_cast is peculiar. We should consider fixing this by using mutable.

The const_cast was introduced due to this comment:
https://bugs.webkit.org/show_bug.cgi?id=109881#c4

It seems that if we want to use "mutable" we should mark placeItemsOnGrid(), computeUsedBreadthOfGridTracks() and clearGrid() as const. And it seems quite that these methods are marked as const.

Anyway this could be done in a later patch if you think it's worth changing.
Comment 8 WebKit Commit Bot 2014-10-21 05:11:33 PDT
Comment on attachment 240112 [details]
Patch

Clearing flags on attachment: 240112

Committed r174946: <http://trac.webkit.org/changeset/174946>
Comment 9 WebKit Commit Bot 2014-10-21 05:11:38 PDT
All reviewed patches have been landed.  Closing bug.
Comment 10 Brent Fulgham 2015-12-08 14:00:25 PST
Part of the fix for CVE-2014-4469.