WebKit Bugzilla
Bug 139474, RESOLVED FIXED
Infinite recursion crash in WebCore::RenderBlockFlow::layoutBlock
https://bugs.webkit.org/show_bug.cgi?id=139474
Renata Hodovan, Reported 2014-12-10 03:07:47 PST
Created attachment 243004 [details]
Test case

Loading the following test results in an infinite recursion where WebCore::RenderBlockFlow::layoutBlock calls WebCore::RenderBlockFlow::relayoutToAvoidWidows, which calls back WebCore::RenderBlockFlow::layoutBlock, and after a few thousand iterations we end up in a crash at WebCore::Font::glyphDataAndPageForCharacter.

<style> * { max-height: 0px; -webkit-column-count: 907; margin-right:-0.30em; widows: 33; } </style>a <input/> <br/><br/> <font></font>

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fff98927700 (LWP 1692)]
0x00007ffff37dbe93 in WebCore::Font::glyphDataAndPageForCharacter (this=0x81eef8, c=<error reading variable: Cannot access memory at address 0x7fffff7feffc>, mirror=<error reading variable: Cannot access memory at address 0x7fffff7feff8>, variant=<error reading variable: Cannot access memory at address 0x7fffff7feff4>) at ../../Source/WebCore/platform/graphics/Font.h:195
195 std::pair<GlyphData, GlyphPage*> glyphDataAndPageForCharacter(UChar32 c, bool mirror, FontDataVariant variant) const
#0 0x00007ffff37dbe93 in WebCore::Font::glyphDataAndPageForCharacter (this=0x81eef8, c=<error reading variable: Cannot access memory at address 0x7fffff7feffc>, mirror=<error reading variable: Cannot access memory at address 0x7fffff7feff8>, variant=<error reading variable: Cannot access memory at address 0x7fffff7feff4>) at ../../Source/WebCore/platform/graphics/Font.h:195
#1 0x00007ffff37dbe69 in WebCore::Font::glyphDataForCharacter (this=0x81eef8, c=97, mirror=false, variant=WebCore::AutoVariant) at ../../Source/WebCore/platform/graphics/Font.h:190
#2 0x00007ffff382d3bf in WebCore::WidthIterator::glyphDataForCharacter (this=0x7fffff7ff740, character=97, mirror=false, currentCharacter=0, advanceLength=@0x7fffff7ff144: 1, normalizedSpacesStringCache=...) at ../../Source/WebCore/platform/graphics/WidthIterator.cpp:84
#3 0x00007ffff382e28f in WebCore::WidthIterator::advanceInternal<WebCore::Latin1TextIterator> (this=0x7fffff7ff740, textIterator=..., glyphBuffer=0x0) at ../../Source/WebCore/platform/graphics/WidthIterator.cpp:180
#4 0x00007ffff382d7d8 in WebCore::WidthIterator::advance (this=0x7fffff7ff740, offset=1, glyphBuffer=0x0) at ../../Source/WebCore/platform/graphics/WidthIterator.cpp:346
#5 0x00007ffff37dad9b in WebCore::Font::floatWidthForSimpleText (this=0x81eef8, run=..., fallbackFonts=0x7fffff813860, glyphOverflow=0x0) at ../../Source/WebCore/platform/graphics/FontFastPath.cpp:287
#6 0x00007ffff37bede5 in WebCore::Font::width (this=0x81eef8, run=..., fallbackFonts=0x7fffff813860, glyphOverflow=0x0) at ../../Source/WebCore/platform/graphics/Font.cpp:398
#7 0x00007ffff3b64139 in WebCore::textWidth (text=0x812fd0, from=0, len=1, font=..., xPos=0, isFixedPitch=false, collapseWhiteSpace=true, fallbackFonts=..., layout=0x0) at ../../Source/WebCore/rendering/line/BreakingContextInlineHeaders.h:504
#8 0x00007ffff3b65932 in WebCore::BreakingContext::handleText (this=0x7fffff813c60, wordMeasurements=..., hyphenated=@0x7fffff813fc8: false, consecutiveHyphenatedLines=@0x7fffff813dc0: 0) at ../../Source/WebCore/rendering/line/BreakingContextInlineHeaders.h:715
#9 0x00007ffff3b61269 in WebCore::LineBreaker::nextSegmentBreak (this=0x7fffff813fc0, resolver=..., lineInfo=..., renderTextInfo=..., lastFloatFromPreviousLine=0x0, consecutiveHyphenatedLines=0, wordMeasurements=...) at ../../Source/WebCore/rendering/line/LineBreaker.cpp:115
#10 0x00007ffff3b60f07 in WebCore::LineBreaker::nextLineBreak (this=0x7fffff813fc0, resolver=..., lineInfo=..., renderTextInfo=..., lastFloatFromPreviousLine=0x0, consecutiveHyphenatedLines=0, wordMeasurements=...) at ../../Source/WebCore/rendering/line/LineBreaker.cpp:82
#11 0x00007ffff397d704 in WebCore::RenderBlockFlow::layoutRunsAndFloatsInRange (this=0x86ca90, layoutState=..., resolver=..., cleanLineStart=..., cleanLineBidiStatus=..., consecutiveHyphenatedLines=0) at ../../Source/WebCore/rendering/RenderBlockLineLayout.cpp:1141
#12 0x00007ffff397d277 in WebCore::RenderBlockFlow::layoutRunsAndFloats (this=0x86ca90, layoutState=..., hasInlineChild=true) at ../../Source/WebCore/rendering/RenderBlockLineLayout.cpp:1085
#13 0x00007ffff397faee in WebCore::RenderBlockFlow::layoutLineBoxes (this=0x86ca90, relayoutChildren=true, repaintLogicalTop=..., repaintLogicalBottom=...) at ../../Source/WebCore/rendering/RenderBlockLineLayout.cpp:1502
#14 0x00007ffff395f687 in WebCore::RenderBlockFlow::layoutInlineChildren (this=0x86ca90, relayoutChildren=true, repaintLogicalTop=..., repaintLogicalBottom=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:640
#15 0x00007ffff395e98a in WebCore::RenderBlockFlow::layoutBlock (this=0x86ca90, relayoutChildren=true, pageLogicalHeight=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:471
#16 0x00007ffff3964910 in WebCore::RenderBlockFlow::relayoutToAvoidWidows (this=0x86ca90, statePusher=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:1746
#17 0x00007ffff395eb13 in WebCore::RenderBlockFlow::layoutBlock (this=0x86ca90, relayoutChildren=true, pageLogicalHeight=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:480
#18 0x00007ffff3964910 in WebCore::RenderBlockFlow::relayoutToAvoidWidows (this=0x86ca90, statePusher=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:1746
#19 0x00007ffff395eb13 in WebCore::RenderBlockFlow::layoutBlock (this=0x86ca90, relayoutChildren=true, pageLogicalHeight=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:480
#20 0x00007ffff3964910 in WebCore::RenderBlockFlow::relayoutToAvoidWidows (this=0x86ca90, statePusher=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:1746
#21 0x00007ffff395eb13 in WebCore::RenderBlockFlow::layoutBlock (this=0x86ca90, relayoutChildren=true, pageLogicalHeight=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:480
#22 0x00007ffff3964910 in WebCore::RenderBlockFlow::relayoutToAvoidWidows (this=0x86ca90, statePusher=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:1746
#23 0x00007ffff395eb13 in WebCore::RenderBlockFlow::layoutBlock (this=0x86ca90, relayoutChildren=true, pageLogicalHeight=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:480
#24 0x00007ffff3964910 in WebCore::RenderBlockFlow::relayoutToAvoidWidows (this=0x86ca90, statePusher=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:1746
#25 0x00007ffff395eb13 in WebCore::RenderBlockFlow::layoutBlock (this=0x86ca90, relayoutChildren=true, pageLogicalHeight=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:480
#26 0x00007ffff3964910 in WebCore::RenderBlockFlow::relayoutToAvoidWidows (this=0x86ca90, statePusher=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:1746
#27 0x00007ffff395eb13 in WebCore::RenderBlockFlow::layoutBlock (this=0x86ca90, relayoutChildren=true, pageLogicalHeight=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:480
#28 0x00007ffff3964910 in WebCore::RenderBlockFlow::relayoutToAvoidWidows (this=0x86ca90, statePusher=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:1746
#29 0x00007ffff395eb13 in WebCore::RenderBlockFlow::layoutBlock (this=0x86ca90, relayoutChildren=true, pageLogicalHeight=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:480
#30 0x00007ffff3964910 in WebCore::RenderBlockFlow::relayoutToAvoidWidows (this=0x86ca90, statePusher=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:1746
#31 0x00007ffff395eb13 in WebCore::RenderBlockFlow::layoutBlock (this=0x86ca90, relayoutChildren=true, pageLogicalHeight=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:480
...
calling layoutBlock and relayoutToAvoidWidows 25.000 times ...
#25265 0x00007ffff395eb13 in WebCore::RenderBlockFlow::layoutBlock (this=0x86ca90, relayoutChildren=true, pageLogicalHeight=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:480
#25266 0x00007ffff3964910 in WebCore::RenderBlockFlow::relayoutToAvoidWidows (this=0x86ca90, statePusher=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:1746
#25267 0x00007ffff395eb13 in WebCore::RenderBlockFlow::layoutBlock (this=0x86ca90, relayoutChildren=true, pageLogicalHeight=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:480
#25268 0x00007ffff393456f in WebCore::RenderBlock::layout (this=0x86ca90) at ../../Source/WebCore/rendering/RenderBlock.cpp:931
#25269 0x00007ffff39f612c in WebCore::RenderFlowThread::layout (this=0x86ca90) at ../../Source/WebCore/rendering/RenderFlowThread.cpp:201
#25270 0x00007ffff3aa390d in WebCore::RenderMultiColumnFlowThread::layout (this=0x86ca90) at ../../Source/WebCore/rendering/RenderMultiColumnFlowThread.cpp:132
#25271 0x00007ffff396e4f2 in WebCore::RenderBlockFlow::layoutSpecialExcludedChild (this=0x813560, relayoutChildren=true) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:3681
#25272 0x00007ffff395f44a in WebCore::RenderBlockFlow::layoutBlockChildren (this=0x813560, relayoutChildren=true, maxFloatLogicalBottom=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:592
#25273 0x00007ffff395e9ae in WebCore::RenderBlockFlow::layoutBlock (this=0x813560, relayoutChildren=true, pageLogicalHeight=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:473
#25274 0x00007ffff396dd2f in WebCore::RenderBlockFlow::relayoutForPagination (this=0x813560, statePusher=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:3440
#25275 0x00007ffff395eaf6 in WebCore::RenderBlockFlow::layoutBlock (this=0x813560, relayoutChildren=true, pageLogicalHeight=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:480
#25276 0x00007ffff393456f in WebCore::RenderBlock::layout (this=0x813560) at ../../Source/WebCore/rendering/RenderBlock.cpp:931
#25277 0x00007ffff395fa64 in WebCore::RenderBlockFlow::layoutBlockChild (this=0x7c1e40, child=..., marginInfo=..., previousFloatLogicalBottom=..., maxFloatLogicalBottom=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:699
#25278 0x00007ffff395f581 in WebCore::RenderBlockFlow::layoutBlockChildren (this=0x7c1e40, relayoutChildren=false, maxFloatLogicalBottom=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:620
#25279 0x00007ffff395e9ae in WebCore::RenderBlockFlow::layoutBlock (this=0x7c1e40, relayoutChildren=false, pageLogicalHeight=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:473
#25280 0x00007ffff393456f in WebCore::RenderBlock::layout (this=0x7c1e40) at ../../Source/WebCore/rendering/RenderBlock.cpp:931
#25281 0x00007ffff39f612c in WebCore::RenderFlowThread::layout (this=0x7c1e40) at ../../Source/WebCore/rendering/RenderFlowThread.cpp:201
#25282 0x00007ffff3aa390d in WebCore::RenderMultiColumnFlowThread::layout (this=0x7c1e40) at ../../Source/WebCore/rendering/RenderMultiColumnFlowThread.cpp:132
#25283 0x00007ffff396e4f2 in WebCore::RenderBlockFlow::layoutSpecialExcludedChild (this=0x731760, relayoutChildren=true) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:3681
#25284 0x00007ffff395f44a in WebCore::RenderBlockFlow::layoutBlockChildren (this=0x731760, relayoutChildren=true, maxFloatLogicalBottom=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:592
#25285 0x00007ffff395e9ae in WebCore::RenderBlockFlow::layoutBlock (this=0x731760, relayoutChildren=true, pageLogicalHeight=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:473
#25286 0x00007ffff393456f in WebCore::RenderBlock::layout (this=0x731760) at ../../Source/WebCore/rendering/RenderBlock.cpp:931
#25287 0x00007ffff395fa64 in WebCore::RenderBlockFlow::layoutBlockChild (this=0x476130, child=..., marginInfo=..., previousFloatLogicalBottom=..., maxFloatLogicalBottom=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:699
#25288 0x00007ffff395f581 in WebCore::RenderBlockFlow::layoutBlockChildren (this=0x476130, relayoutChildren=true, maxFloatLogicalBottom=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:620
#25289 0x00007ffff395e9ae in WebCore::RenderBlockFlow::layoutBlock (this=0x476130, relayoutChildren=true, pageLogicalHeight=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:473
#25290 0x00007ffff393456f in WebCore::RenderBlock::layout (this=0x476130) at ../../Source/WebCore/rendering/RenderBlock.cpp:931
#25291 0x00007ffff3b2e84d in WebCore::RenderView::layoutContent (this=0x476130, state=...) at ../../Source/WebCore/rendering/RenderView.cpp:232
#25292 0x00007ffff3b2ef1d in WebCore::RenderView::layout (this=0x476130) at ../../Source/WebCore/rendering/RenderView.cpp:357
#25293 0x00007ffff369c389 in WebCore::FrameView::layout (this=0x7cdd20, allowSubtree=true) at ../../Source/WebCore/page/FrameView.cpp:1313
#25294 0x00007ffff3067dc5 in WebCore::Document::implicitClose (this=0x67fcf0) at ../../Source/WebCore/dom/Document.cpp:2486
#25295 0x00007ffff3547a0d in WebCore::FrameLoader::checkCallImplicitClose (this=0x79f5f8) at ../../Source/WebCore/loader/FrameLoader.cpp:898
#25296 0x00007ffff3547779 in WebCore::FrameLoader::checkCompleted (this=0x79f5f8) at ../../Source/WebCore/loader/FrameLoader.cpp:844
#25297 0x00007ffff35474e2 in WebCore::FrameLoader::finishedParsing (this=0x79f5f8) at ../../Source/WebCore/loader/FrameLoader.cpp:764
#25298 0x00007ffff3070c99 in WebCore::Document::finishedParsing (this=0x67fcf0) at ../../Source/WebCore/dom/Document.cpp:4615
#25299 0x00007ffff33c6039 in WebCore::HTMLConstructionSite::finishedParsing (this=0x7cfbb8) at ../../Source/WebCore/html/parser/HTMLConstructionSite.cpp:395
#25300 0x00007ffff3403a33 in WebCore::HTMLTreeBuilder::finished (this=0x7cfba0) at ../../Source/WebCore/html/parser/HTMLTreeBuilder.cpp:3009
#25301 0x00007ffff33ced4e in WebCore::HTMLDocumentParser::end (this=0x730db0) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:439
#25302 0x00007ffff33cee39 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd (this=0x730db0) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:450
#25303 0x00007ffff33cd8e7 in WebCore::HTMLDocumentParser::prepareToStopParsing (this=0x730db0) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:165
#25304 0x00007ffff33cee7c in WebCore::HTMLDocumentParser::attemptToEnd (this=0x730db0) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:462
#25305 0x00007ffff33cef33 in WebCore::HTMLDocumentParser::finish (this=0x730db0) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:490
#25306 0x00007ffff3538b7f in WebCore::DocumentWriter::end (this=0x8209d0) at ../../Source/WebCore/loader/DocumentWriter.cpp:246
#25307 0x00007ffff35248db in WebCore::DocumentLoader::finishedLoading (this=0x820930, finishTime=0) at ../../Source/WebCore/loader/DocumentLoader.cpp:440
#25308 0x00007ffff3524644 in WebCore::DocumentLoader::notifyFinished (this=0x820930, resource=0x8d38d0) at ../../Source/WebCore/loader/DocumentLoader.cpp:374
#25309 0x00007ffff35d5370 in WebCore::CachedResource::checkNotify (this=0x8d38d0) at ../../Source/WebCore/loader/cache/CachedResource.cpp:293
#25310 0x00007ffff35d546e in WebCore::CachedResource::finishLoading (this=0x8d38d0) at ../../Source/WebCore/loader/cache/CachedResource.cpp:309
#25311 0x00007ffff35d1b63 in WebCore::CachedRawResource::finishLoading (this=0x8d38d0, data=0x4767d0) at ../../Source/WebCore/loader/cache/CachedRawResource.cpp:104
#25312 0x00007ffff358594c in WebCore::SubresourceLoader::didFinishLoading (this=0x8d40d0, finishTime=0) at ../../Source/WebCore/loader/SubresourceLoader.cpp:306
#25313 0x00007ffff35816e1 in WebCore::ResourceLoader::didFinishLoading (this=0x8d40d0, finishTime=0) at ../../Source/WebCore/loader/ResourceLoader.cpp:508
#25314 0x00007ffff3f303e1 in WebCore::readCallback (asyncResult=0x8b02d0, data=0x8d5190) at ../../Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp:1300
#25315 0x00007fffeb7ab7d6 in async_ready_callback_wrapper (source_object=0x7fff74003ef0, res=0x8b02d0, user_data=user_data@entry=0x8d5190) at ginputstream.c:523
#25316 0x00007fffeb7d10d5 in g_task_return_now (task=0x8b02d0) at gtask.c:1077
#25317 0x00007fffeb7d10f9 in complete_in_idle_cb (task=0x8b02d0) at gtask.c:1086
#25318 0x00007fffeaa10a1d in g_main_dispatch (context=0x4780a0) at gmain.c:3064
#25319 g_main_context_dispatch (context=context@entry=0x4780a0) at gmain.c:3663
#25320 0x00007fffeaa10d88 in g_main_context_iterate (context=0x4780a0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3734
#25321 0x00007fffeaa1104a in g_main_loop_run (loop=0x8eb810) at gmain.c:3928
#25322 0x00007ffff45df9dc in WTF::RunLoop::run () at ../../Source/WTF/wtf/gtk/RunLoopGtk.cpp:59
#25323 0x00007ffff2b44f82 in WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain> (argc=2, argv=0x7fffffffd948) at ../../Source/WebKit2/Shared/unix/ChildProcessMain.h:61
#25324 0x00007ffff2b44de7 in WebKit::WebProcessMainUnix (argc=2, argv=0x7fffffffd948) at ../../Source/WebKit2/WebProcess/gtk/WebProcessMainGtk.cpp:73
#25325 0x0000000000400891 in main (argc=2, argv=0x7fffffffd948) at ../../Source/WebKit2/WebProcess/EntryPoint/unix/WebProcessMain.cpp:44
/home/reni/.minibrowser.ini:6: Error in sourced command file: This command cannot be used at the top level.
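The report above shows the pattern a crash triager looks for: a two-function cycle (layoutBlock and relayoutToAvoidWidows on the same renderer, frames #16 through #25267) repeated until the stack is gone, with the SIGSEGV landing in an unrelated leaf function whose arguments gdb can no longer read. The following is an added example, not part of the bug report or of WebKit: a small Python helper that parses gdb frame lines, finds the shortest repeating cycle of function names, and flags a cycle spanning a large number of frames as stack exhaustion rather than a memory-safety bug in the crashing function. The sample backtrace is constructed from a few of the report's frames with paths shortened, and the frame threshold is an assumption chosen for illustration.

```python
import re

# One gdb frame header: '#N 0x... in func (args) at file:line'. The address part
# is absent when gdb prints a frame whose pc is at the function start, as in the
# report's '#25319 g_main_context_dispatch (context=...)' frame.
FRAME_RE = re.compile(
    r"^#(?P<idx>\d+)\s+(?:0x[0-9a-fA-F]+\s+in\s+)?(?P<func>[^\s(]+)\s*\("
)

# Constructed sample: a handful of the report's frames, paths shortened.
SAMPLE_BACKTRACE = """\
#0  0x00007ffff37dbe93 in WebCore::Font::glyphDataAndPageForCharacter (this=0x81eef8, c=<error reading variable>) at Font.h:195
#1  0x00007ffff37dbe69 in WebCore::Font::glyphDataForCharacter (this=0x81eef8, c=97) at Font.h:190
#2  0x00007ffff395e98a in WebCore::RenderBlockFlow::layoutBlock (this=0x86ca90, relayoutChildren=true) at RenderBlockFlow.cpp:471
#3  0x00007ffff3964910 in WebCore::RenderBlockFlow::relayoutToAvoidWidows (this=0x86ca90, statePusher=...) at RenderBlockFlow.cpp:1746
#4  0x00007ffff395eb13 in WebCore::RenderBlockFlow::layoutBlock (this=0x86ca90, relayoutChildren=true) at RenderBlockFlow.cpp:480
#5  0x00007ffff3964910 in WebCore::RenderBlockFlow::relayoutToAvoidWidows (this=0x86ca90, statePusher=...) at RenderBlockFlow.cpp:1746
#6  0x00007ffff395eb13 in WebCore::RenderBlockFlow::layoutBlock (this=0x86ca90, relayoutChildren=true) at RenderBlockFlow.cpp:480
#7  0x00007ffff3964910 in WebCore::RenderBlockFlow::relayoutToAvoidWidows (this=0x86ca90, statePusher=...) at RenderBlockFlow.cpp:1746
#8  0x00007ffff395eb13 in WebCore::RenderBlockFlow::layoutBlock (this=0x86ca90, relayoutChildren=true) at RenderBlockFlow.cpp:480
#9  0x00007ffff393456f in WebCore::RenderBlock::layout (this=0x86ca90) at RenderBlock.cpp:931
#10 g_main_context_dispatch (context=context@entry=0x4780a0) at gmain.c:3663
#11 0x0000000000400891 in main (argc=2, argv=0x7fffffffd948) at WebProcessMain.cpp:44
"""


def parse_frames(backtrace):
    """Return function names innermost-first. Continuation lines (an 'at file:line'
    wrapped onto the next line) carry no '#N' prefix and are skipped."""
    funcs = []
    for line in backtrace.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            funcs.append(m.group("func"))
    return funcs


def find_recursion_cycle(funcs, min_repeats=3):
    """Find the shortest period p for which funcs[i] == funcs[i + p] holds over a
    contiguous run containing at least min_repeats full copies of the cycle.
    Returns a dict (cycle, start index, frames spanned, complete repeats) or None."""
    n = len(funcs)
    for p in range(1, n // min_repeats + 1):
        i = 0
        while i + p < n:
            j = i
            while j + p < n and funcs[j] == funcs[j + p]:
                j += 1
            matched = j - i             # positions at which the pattern continued
            repeats = matched // p + 1  # full copies of the p-frame cycle
            if matched > 0 and repeats >= min_repeats:
                return {
                    "cycle": funcs[i:i + p],
                    "start": i,
                    "frames": matched + p,
                    "repeats": repeats,
                }
            i = j + 1
    return None


def diagnose(backtrace, min_cycle_frames=1000):
    """Classify the crash. A short cycle spanning thousands of frames means the
    process ran out of stack; the faulting leaf function is then a bystander.
    min_cycle_frames is an assumed threshold, not a WebKit value."""
    funcs = parse_frames(backtrace)
    cycle = find_recursion_cycle(funcs)
    if cycle is None:
        return "no recursion cycle found"
    path = " -> ".join(cycle["cycle"])
    if cycle["frames"] >= min_cycle_frames:
        return "stack exhaustion: %s repeated %d times" % (path, cycle["repeats"])
    return "bounded recursion: %s repeated %d times" % (path, cycle["repeats"])


if __name__ == "__main__":
    # The sample is short, so lower the threshold to see the exhaustion verdict.
    print(diagnose(SAMPLE_BACKTRACE, min_cycle_frames=6))
```

Feeding it the full backtrace from the report would return the same two-function cycle starting at frame #15 and spanning roughly 25,000 frames, which is the signal that the fix belongs in the relayout logic rather than in Font::glyphDataAndPageForCharacter.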
Attachments
Test case (155 bytes, text/html), 2014-12-10 03:07 PST, Renata Hodovan, no flags
Patch (6.03 KB, patch), 2016-08-25 10:21 PDT, zalan, no flags
Patch (5.48 KB, patch), 2016-08-25 10:39 PDT, zalan, no flags
Brent Fulgham, Comment 1, 2016-08-04 12:49:06 PDT
Reproduces in r204037.
Radar WebKit Bug Importer, Comment 2, 2016-08-04 12:49:25 PDT
<rdar://problem/27705190>
zalan, Comment 3, 2016-08-25 10:21:54 PDT
Created attachment 286980 [details]
Patch
Dave Hyatt, Comment 4, 2016-08-25 10:30:25 PDT
Comment on attachment 286980 [details]: Patch
r=me, would probably be better as a static function in the file rather than being added as a member function to RenderBlockFlow.
zalan, Comment 5, 2016-08-25 10:39:22 PDT
Created attachment 286981 [details]
Patch
WebKit Commit Bot, Comment 6, 2016-08-25 11:43:08 PDT
Comment on attachment 286981 [details]: Patch
Clearing flags on attachment: 286981
Committed r204980: <http://trac.webkit.org/changeset/204980>
WebKit Commit Bot, Comment 7, 2016-08-25 11:43:13 PDT
All reviewed patches have been landed. Closing bug.