Bug 163450 - [css-grid] ASSERTION FAILED: !m_gridIsDirty in WebCore::RenderGrid::gridRowCount
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering
Version: WebKit Local Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Manuel Rego Casasnovas
URL:
Keywords:
Depends on:
Blocks: 60731 116980
Reported: 2016-10-14 09:56 PDT by Renata Hodovan
Modified: 2016-11-11 03:11 PST
Attachments
Test case to reproduce the issue (165 bytes, text/html) - 2016-10-17 02:35 PDT, Manuel Rego Casasnovas
Patch (4.42 KB, patch) - 2016-10-18 04:06 PDT, Manuel Rego Casasnovas
Patch (9.72 KB, patch) - 2016-11-04 04:49 PDT, Manuel Rego Casasnovas
Patch for landing (9.41 KB, patch) - 2016-11-07 04:15 PST, Manuel Rego Casasnovas
Patch for landing rebased (9.42 KB, patch) - 2016-11-10 04:53 PST, Manuel Rego Casasnovas
Patch for landing rebased again (9.42 KB, patch) - 2016-11-11 01:48 PST, Manuel Rego Casasnovas

Description Renata Hodovan 2016-10-14 09:56:05 PDT
The attached test was executed with debug WebKitTestRunner.

Checked version: 2c9fa6e
OS: Darwin-15.6.0-x86_64-i386-64bit

<style>*{display:grid;grid-area:3;position:absolute</style><select autofocus>

Backtrace:

ASSERTION FAILED: !m_gridIsDirty
WebKit/Source/WebCore/rendering/RenderGrid.cpp(400) : unsigned int WebCore::RenderGrid::gridRowCount() const
1   0x1120f04f1 WTFCrash
2   0x11b4138fb WebCore::RenderGrid::gridRowCount() const
3   0x11b4387ca WebCore::RenderGrid::offsetAndBreadthForPositionedChild(WebCore::RenderBox const&, WebCore::GridTrackSizingDirection, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
4   0x11b437931 WebCore::RenderGrid::layoutPositionedObject(WebCore::RenderBox&, bool, bool)
5   0x11b093505 WebCore::RenderBlock::layoutPositionedObjects(bool, bool)
6   0x11b092e6f WebCore::RenderBlock::simplifiedLayout()
7   0x11b418e5b WebCore::RenderGrid::layoutBlock(bool, WebCore::LayoutUnit)
8   0x11b08d1b2 WebCore::RenderBlock::layout()
9   0x11b14e3e4 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
10  0x11b146f50 WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)
11  0x11b143808 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)
12  0x11b08d1b2 WebCore::RenderBlock::layout()
13  0x117b1a3ec WebCore::RenderElement::layoutIfNeeded()
14  0x11b423e41 WebCore::RenderGrid::logicalHeightForChild(WebCore::RenderBox&) const
15  0x11b425652 WebCore::RenderGrid::minContentForChild(WebCore::RenderBox&, WebCore::GridTrackSizingDirection, WebCore::RenderGrid::GridSizingData&) const
16  0x11b42473e WebCore::RenderGrid::minSizeForChild(WebCore::RenderBox&, WebCore::GridTrackSizingDirection, WebCore::RenderGrid::GridSizingData&) const
17  0x11b428a98 WebCore::RenderGrid::currentItemSizeForTrackSizeComputationPhase(WebCore::TrackSizeComputationPhase, WebCore::RenderBox&, WebCore::GridTrackSizingDirection, WebCore::RenderGrid::GridSizingData&) const
18  0x11b445f8e void WebCore::RenderGrid::resolveContentBasedTrackSizingFunctionsForItems<(WebCore::TrackSizeComputationPhase)0>(WebCore::GridTrackSizingDirection, WebCore::RenderGrid::GridSizingData&, WebCore::GridItemsSpanGroupRange const&) const
19  0x11b420138 WebCore::RenderGrid::resolveContentBasedTrackSizingFunctions(WebCore::GridTrackSizingDirection, WebCore::RenderGrid::GridSizingData&) const
20  0x11b416317 WebCore::RenderGrid::computeUsedBreadthOfGridTracks(WebCore::GridTrackSizingDirection, WebCore::RenderGrid::GridSizingData&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) const
21  0x11b41bc6d WebCore::RenderGrid::computeIntrinsicLogicalHeight(WebCore::RenderGrid::GridSizingData&)
22  0x11b4195ad WebCore::RenderGrid::layoutBlock(bool, WebCore::LayoutUnit)
23  0x11b08d1b2 WebCore::RenderBlock::layout()
24  0x117b1a3ec WebCore::RenderElement::layoutIfNeeded()
25  0x11b423e41 WebCore::RenderGrid::logicalHeightForChild(WebCore::RenderBox&) const
26  0x11b425652 WebCore::RenderGrid::minContentForChild(WebCore::RenderBox&, WebCore::GridTrackSizingDirection, WebCore::RenderGrid::GridSizingData&) const
27  0x11b42473e WebCore::RenderGrid::minSizeForChild(WebCore::RenderBox&, WebCore::GridTrackSizingDirection, WebCore::RenderGrid::GridSizingData&) const
28  0x11b428a98 WebCore::RenderGrid::currentItemSizeForTrackSizeComputationPhase(WebCore::TrackSizeComputationPhase, WebCore::RenderBox&, WebCore::GridTrackSizingDirection, WebCore::RenderGrid::GridSizingData&) const
29  0x11b445f8e void WebCore::RenderGrid::resolveContentBasedTrackSizingFunctionsForItems<(WebCore::TrackSizeComputationPhase)0>(WebCore::GridTrackSizingDirection, WebCore::RenderGrid::GridSizingData&, WebCore::GridItemsSpanGroupRange const&) const
30  0x11b420138 WebCore::RenderGrid::resolveContentBasedTrackSizingFunctions(WebCore::GridTrackSizingDirection, WebCore::RenderGrid::GridSizingData&) const
31  0x11b416317 WebCore::RenderGrid::computeUsedBreadthOfGridTracks(WebCore::GridTrackSizingDirection, WebCore::RenderGrid::GridSizingData&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) const
    #143 0x7fff8d748d7f in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x3cd7f)
    #144 0x7fff8d712367 in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x6367)
    #145 0x7fff9201a193 in _xpc_objc_main (/usr/lib/system/libxpc.dylib+0x11193)
    #146 0x7fff92018bbd in xpc_main (/usr/lib/system/libxpc.dylib+0xfbbd)
    #147 0x108840f73 in main (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development+0x100001f73)
    #148 0x7fff89c9e5ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
    #149 0x0  (<unknown module>)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2d01528) in WTFCrash
==61319==ABORTING
#CRASHED - com.apple.WebKit.WebContent.Development (pid 61319)
Comment 1 Manuel Rego Casasnovas 2016-10-17 02:35:52 PDT
Created attachment 291804 [details]
Test case to reproduce the issue

I can verify the crash too. I've attached a slightly reduced test case.

The issue is that for some reason when we have the "autofocus" property
a simplifiedLayout() is performed.
So in RenderGrid::layoutBlock() we early return and the grid is not populated,
so the m_gridIsDirty flag is not cleared.

As the grid was not populated we cannot ask for the size of the grid
when trying to layout the positioned object.
Comment 2 Manuel Rego Casasnovas 2016-10-18 04:06:32 PDT
Created attachment 291937 [details]
Patch
Comment 3 Javier Fernandez 2016-10-18 04:57:58 PDT
Comment on attachment 291937 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=291937&action=review

> Source/WebCore/rendering/RenderGrid.cpp:453
> +    if (!relayoutChildren && !posChildNeedsLayout() && simplifiedLayout())

I understand that we need to ensure the grid is laid out before performing a simplifiedLayout on positioned items, but I'm not sure whether we are addressing the root cause of the issue. Why doesn't simplifiedLayout return false because of the Grid needsLayout flag?
Comment 4 Manuel Rego Casasnovas 2016-10-19 02:47:30 PDT
Comment on attachment 291937 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=291937&action=review

>> Source/WebCore/rendering/RenderGrid.cpp:453
>> +    if (!relayoutChildren && !posChildNeedsLayout() && simplifiedLayout())
> 
> I understand that we need to ensure the grid is laid out before performing a simplifiedLayout on positioned items, but I'm not sure whether we are addressing the root cause of the issue. Why simplifiedLayout doesn't return false because of the Gird needsLayout flag ?

So basically in this example RenderGrid::layoutBlock() is called 3 times.
The 1st one the flags that are TRUE are selfNeedsLayout(), normalChildNeedsLayout() and posChildNeedsLayout().
The 2nd time only normalChildNeedsLayout() is TRUE.
The 3rd time, which only happens if you use "autofocus", only posChildNeedsLayout() is TRUE.

The problem is that at the end of RenderGrid::layoutBlock() we call clearGrid(),
so after each layout we clear the grid and set the dirty flag to TRUE.
So I think that in this situation we should force a layout (with posChildNeedsLayout() TRUE)
to be sure that we can check the number of columns/rows and the size of them.
Comment 5 Darin Adler 2016-10-26 18:25:09 PDT
Comment on attachment 291937 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=291937&action=review

>>> Source/WebCore/rendering/RenderGrid.cpp:453
>>> +    if (!relayoutChildren && !posChildNeedsLayout() && simplifiedLayout())
>> 
>> I understand that we need to ensure the grid is laid out before performing a simplifiedLayout on positioned items, but I'm not sure whether we are addressing the root cause of the issue. Why simplifiedLayout doesn't return false because of the Gird needsLayout flag ?
> 
> So basically in this example RenderGrid::layoutBlock() is called 3 times.
> The 1st one the flags that are TRUE are selfNeedsLayout(), normalChildNeedsLayout() and posChildNeedsLayout().
> The 2nd time only normalChildNeedsLayout() is TRUE.
> The 3rd time, which only happens if you use "autofocus", only posChildNeedsLayout() is TRUE.
> 
> The problem is that at the end of RenderGrid::layoutBlock() we call clearGrid(),
> so after each layout we clear the grid and set the dirty flag to TRUE.
> So I think that in this situation we should force a layout (with posChildNeedsLayout() TRUE)
> to be sure that we can check the number of columns/rows and the size of them.

I think someone with more render tree knowledge than me should review. Hyatt? Zalan?
Comment 6 zalan 2016-10-27 13:27:57 PDT
(In reply to comment #5)
> Comment on attachment 291937 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=291937&action=review
> 
> >>> Source/WebCore/rendering/RenderGrid.cpp:453
> >>> +    if (!relayoutChildren && !posChildNeedsLayout() && simplifiedLayout())
> >> 
> >> I understand that we need to ensure the grid is laid out before performing a simplifiedLayout on positioned items, but I'm not sure whether we are addressing the root cause of the issue. Why simplifiedLayout doesn't return false because of the Gird needsLayout flag ?
> > 
> > So basically in this example RenderGrid::layoutBlock() is called 3 times.
> > The 1st one the flags that are TRUE are selfNeedsLayout(), normalChildNeedsLayout() and posChildNeedsLayout().
> > The 2nd time only normalChildNeedsLayout() is TRUE.
> > The 3rd time, which only happens if you use "autofocus", only posChildNeedsLayout() is TRUE.
> > 
> > The problem is that at the end of RenderGrid::layoutBlock() we call clearGrid(),
> > so after each layout we clear the grid and set the dirty flag to TRUE.
> > So I think that in this situation we should force a layout (with posChildNeedsLayout() TRUE)
> > to be sure that we can check the number of columns/rows and the size of them.
> 
> I think someone with more render tree knowledge than me should review.
> Hyatt? Zalan?
Looking 
(In reply to comment #5)
> Comment on attachment 291937 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=291937&action=review
> 
> >>> Source/WebCore/rendering/RenderGrid.cpp:453
> >>> +    if (!relayoutChildren && !posChildNeedsLayout() && simplifiedLayout())
> >> 
> >> I understand that we need to ensure the grid is laid out before performing a simplifiedLayout on positioned items, but I'm not sure whether we are addressing the root cause of the issue. Why simplifiedLayout doesn't return false because of the Gird needsLayout flag ?
> > 
> > So basically in this example RenderGrid::layoutBlock() is called 3 times.
> > The 1st one the flags that are TRUE are selfNeedsLayout(), normalChildNeedsLayout() and posChildNeedsLayout().
> > The 2nd time only normalChildNeedsLayout() is TRUE.
> > The 3rd time, which only happens if you use "autofocus", only posChildNeedsLayout() is TRUE.
> > 
> > The problem is that at the end of RenderGrid::layoutBlock() we call clearGrid(),
> > so after each layout we clear the grid and set the dirty flag to TRUE.
> > So I think that in this situation we should force a layout (with posChildNeedsLayout() TRUE)
> > to be sure that we can check the number of columns/rows and the size of them.
> 
> I think someone with more render tree knowledge than me should review.
> Hyatt? Zalan?
Looking at it now.
Comment 7 zalan 2016-10-28 11:56:11 PDT
Comment on attachment 291937 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=291937&action=review

>>>>>> Source/WebCore/rendering/RenderGrid.cpp:453
>>>>>> +    if (!relayoutChildren && !posChildNeedsLayout() && simplifiedLayout())
>>>>> 
>>>>> I understand that we need to ensure the grid is laid out before performing a simplifiedLayout on positioned items, but I'm not sure whether we are addressing the root cause of the issue. Why simplifiedLayout doesn't return false because of the Gird needsLayout flag ?
>>>> 
>>>> So basically in this example RenderGrid::layoutBlock() is called 3 times.
>>>> The 1st one the flags that are TRUE are selfNeedsLayout(), normalChildNeedsLayout() and posChildNeedsLayout().
>>>> The 2nd time only normalChildNeedsLayout() is TRUE.
>>>> The 3rd time, which only happens if you use "autofocus", only posChildNeedsLayout() is TRUE.
>>>> 
>>>> The problem is that at the end of RenderGrid::layoutBlock() we call clearGrid(),
>>>> so after each layout we clear the grid and set the dirty flag to TRUE.
>>>> So I think that in this situation we should force a layout (with posChildNeedsLayout() TRUE)
>>>> to be sure that we can check the number of columns/rows and the size of them.
>>> 
>>> I think someone with more render tree knowledge than me should review. Hyatt? Zalan?
>> 
>> Looking 
>> (In reply to comment #5)
> 
> Looking at it now.

I am not too familiar with the grid dependencies but it seems a bit odd that the grid gets dirty soon after the layout is done, even before any changes happen to the tree. However since this is how it currently works, any kind of layout computation that has any dependency on the grid can't go through the simplified layout path.
Simplified layout supports 2 types of changes (atm)
- positioned descendant move
- overflow re-computation
It seems obvious that while computing offsets (offsetAndBreadthForPositionedChild) for the positioned grid descendants, we rely on some of the grid values, although m_rowPositions looks just fine to me (but again I don't know whether those values are stale or not).
The question is whether re-computing the overflow has some dependencies on this grid too. If it does, simplified layout is clearly not working for RenderGrid and should be removed completely.
If not, then my proposal is to do something like this:
Right now RenderBlock::simplifiedLayout() checks first whether it can actually do a simplified layout and if so, we perform both the positioned placement and the overflow computation. It might be better to decouple them and have a virtual function to check if we can perform simplified layout at all. This function then could be overwritten by RenderGrid and return false when the type of the layout requires a clean grid:
bool RenderGrid::foobarCanDoSimplifiedLayout() // (<- terrible name)
{
    // In the future m_gridIsDirty might not be dirty after every layout.
    if (posChildNeedsLayout() && m_gridIsDirty)
        return false;
    return RenderBlock::foobarCanDoSimplifiedLayout();
}
Comment 8 Manuel Rego Casasnovas 2016-11-04 04:49:57 PDT
Created attachment 293879 [details]
Patch
Comment 9 Manuel Rego Casasnovas 2016-11-04 05:01:15 PDT
Thanks for the detailed review Zalan!

(In reply to comment #7)
> I am not too familiar with the grid dependencies but it seems a bit odd that
> the grid gets dirty soon after the layout is done, even before any changes
> happen to the tree. However since this is how it currently works, any kind
> of layout computation that has any dependency on the grid can't go through
> the simplified layout path.

Yeah eventually we want to avoid marking the grid as dirty after every layout.
Anyway I believe we should protect the simplified layout code path,
in case it's run on a dirty grid with positioned items.

> Right now RenderBlock::simplifiedLayout() checks first whether it can
> actually do a simplified layout and if so, we perform both the positioned
> placement and the overflow computation. It might be better to decouple them
> and have a virtual function to check if we can perform simplified layout at
> all. This function then could be overwritten by RenderGrid and return false
> when the type of the layout requires a clean grid 
> bool RenderGrid::foobarCanDoSimplifiedLayout() (<-terrible name)
> {
>   if (posChildNeedsLayout() && m_gridIsDirty) (in the future m_gridIsDirty
> might not be dirty after every layout) 
>     return false;
>   return RenderBlock::foobarCanDoSimplifiedLayout();
> }

I've implemented this proposal. Actually on top of the crash we were having
a wrong behavior when you move a positioned grid item. This will fix it too.
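Added illustration, not code from this bug's patch or from WebKit: a toy C++ model of the layout-path decision described in comments 4 and 7. It replays the three RenderGrid::layoutBlock() calls from comment 4 (first self + normal + positioned children dirty, then only normal children, then only positioned children, the pass that only happens with autofocus) and shows that without a guard the third pass takes the simplified path and reads the grid size while the grid is dirty, whereas the virtual check from comment 7 forces a full layout instead. LayoutFlags, ToyBlock, ToyGrid, guardSimplifiedLayout and runThreePasses are names invented for the example; only the flag and method names echo the ones in the thread, and the ToyGrid marks itself dirty at the end of every full layout to mimic clearGrid().

```cpp
// Added toy model (not WebKit code) of the layout-path decision discussed in
// comments 4 and 7. LayoutFlags, ToyBlock, ToyGrid and runThreePasses are
// hypothetical names; only the flag names mirror the ones in the bug.
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

struct LayoutFlags {
    bool selfNeedsLayout;
    bool normalChildNeedsLayout;
    bool posChildNeedsLayout;
};

class ToyBlock {
public:
    virtual ~ToyBlock() = default;
    // The virtual check proposed in comment 7: the simplified path is only an
    // option when nothing but positioned descendants or overflow need work.
    virtual bool canPerformSimplifiedLayout(const LayoutFlags& f) const {
        return !f.selfNeedsLayout && !f.normalChildNeedsLayout;
    }
    // Returns "simplified" or "full" so a caller can observe the path taken.
    std::string layoutBlock(const LayoutFlags& f, bool relayoutChildren) {
        if (!relayoutChildren && canPerformSimplifiedLayout(f)) {
            layoutPositionedObjects();
            return "simplified";
        }
        fullLayout();
        return "full";
    }
protected:
    virtual void fullLayout() {}
    virtual void layoutPositionedObjects() {}
};

class ToyGrid : public ToyBlock {
public:
    bool guardSimplifiedLayout = false; // false models the pre-fix behaviour
    bool gridIsDirty = true;            // m_gridIsDirty starts out dirty

    bool canPerformSimplifiedLayout(const LayoutFlags& f) const override {
        // Placing positioned items needs a populated grid (comment 7).
        if (guardSimplifiedLayout && f.posChildNeedsLayout && gridIsDirty)
            return false;
        return ToyBlock::canPerformSimplifiedLayout(f);
    }
    // The real gridRowCount() asserts !m_gridIsDirty; throw so tests can see it.
    int gridRowCount() const {
        if (gridIsDirty)
            throw std::logic_error("ASSERTION FAILED: !m_gridIsDirty");
        return m_rowCount;
    }
protected:
    // Sequence from comment 4: populate the grid, place positioned children
    // while it is clean, then clearGrid() leaves it dirty again.
    void fullLayout() override {
        gridIsDirty = false;
        m_rowCount = 3;
        layoutPositionedObjects();
        gridIsDirty = true;
        m_rowCount = 0;
    }
    // Positioned placement reads the grid size, as
    // offsetAndBreadthForPositionedChild() does through gridRowCount().
    void layoutPositionedObjects() override { (void)gridRowCount(); }
private:
    int m_rowCount = 0;
};

// Replays the three layoutBlock() calls listed in comment 4 and reports the
// path taken on each, or "assert" when the dirty-grid check fires.
std::vector<std::string> runThreePasses(bool withGuard) {
    ToyGrid grid;
    grid.guardSimplifiedLayout = withGuard;
    const LayoutFlags passes[3] = {
        {true, true, true},   // 1st: self, normal and positioned children
        {false, true, false}, // 2nd: only normalChildNeedsLayout
        {false, false, true}, // 3rd (autofocus only): only posChildNeedsLayout
    };
    std::vector<std::string> paths;
    for (const LayoutFlags& f : passes) {
        try {
            paths.push_back(grid.layoutBlock(f, /*relayoutChildren=*/false));
        } catch (const std::logic_error&) {
            paths.push_back("assert");
        }
    }
    return paths;
}

int main() {
    for (bool guard : {false, true}) {
        std::cout << (guard ? "with guard:" : "without guard:");
        for (const std::string& p : runThreePasses(guard)) std::cout << ' ' << p;
        std::cout << '\n';
    }
}
```

Run as is, the model reports "full full assert" without the guard and "full full full" with it: the guard does not stop the grid from going dirty after each layout (the thing comment 7 calls odd), it only keeps the simplified path from ever consulting a dirty grid, which is what the landed patch does via canPerformSimplifiedLayout().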
Comment 10 Darin Adler 2016-11-05 22:46:26 PDT
Comment on attachment 293879 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=293879&action=review

> Source/WebCore/rendering/RenderBlock.h:400
>  private:
> +
>      static std::unique_ptr<RenderBlock> createAnonymousBlockWithStyleAndDisplay(Document&, const RenderStyle&, EDisplay);

Please don’t add this blank line.

> Source/WebCore/rendering/RenderGrid.h:112
> +    bool canPerformSimplifiedLayout() const override;

I suggest we use final here instead of override, since there is no need to override further at this time.
Comment 11 Manuel Rego Casasnovas 2016-11-07 04:15:24 PST
Created attachment 294050 [details]
Patch for landing
Comment 12 Manuel Rego Casasnovas 2016-11-07 04:15:59 PST
Thanks for the review.

(In reply to comment #10)
> Comment on attachment 293879 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=293879&action=review
> 
> > Source/WebCore/rendering/RenderBlock.h:400
> >  private:
> > +
> >      static std::unique_ptr<RenderBlock> createAnonymousBlockWithStyleAndDisplay(Document&, const RenderStyle&, EDisplay);
> 
> Please don’t add this blank line.

Fixed.

> > Source/WebCore/rendering/RenderGrid.h:112
> > +    bool canPerformSimplifiedLayout() const override;
> 
> I suggest we use final here instead of override, since there is no need to
> override further at this time.

Done.
Comment 13 Manuel Rego Casasnovas 2016-11-10 04:53:11 PST
Created attachment 294362 [details]
Patch for landing rebased
Comment 14 Manuel Rego Casasnovas 2016-11-11 01:48:51 PST
Created attachment 294484 [details]
Patch for landing rebased again
Comment 15 WebKit Commit Bot 2016-11-11 03:11:45 PST
Comment on attachment 294484 [details]
Patch for landing rebased again

Clearing flags on attachment: 294484

Committed r208586: <http://trac.webkit.org/changeset/208586>
Comment 16 WebKit Commit Bot 2016-11-11 03:11:50 PST
All reviewed patches have been landed.  Closing bug.