164185 – ASSERTION FAILED: m_endLine > 0 in WebCore::GridSpan::translate

Bug 164185 - ASSERTION FAILED: m_endLine > 0 in WebCore::GridSpan::translate

Summary: ASSERTION FAILED: m_endLine > 0 in WebCore::GridSpan::translate

Status:	RESOLVED WORKSFORME

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	Layout and Rendering (show other bugs)
Version:	WebKit Local Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:

Depends on:
Blocks:	116980
	Show dependency tree / graph

Reported:	2016-10-29 11:56 PDT by Renata Hodovan
Modified:	2017-11-21 01:21 PST (History)
CC List:	2 users (show)

See Also:

Attachments
Test (77 bytes, text/html) 2016-10-29 11:56 PDT, Renata Hodovan	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Renata Hodovan 2016-10-29 11:56:11 PDT

Load the attached test with debug WebKitTestRunner:

Checked version: 8af8b44
OS: Darwin-15.6.0-x86_64-i386-64bit

<style>{}*|*,a{grid-row-end:2168081754 span}*{display:inline-grid;grid-area:i

Backtrace:

ASSERTION FAILED: m_endLine > 0
WebKit/Source/WebCore/rendering/style/GridArea.h(147) : void WebCore::GridSpan::translate(unsigned int)
1   0x10a3b14f1 WTFCrash
2   0x1137142c9 WebCore::GridSpan::translate(unsigned int)
3   0x1136e2b49 WebCore::RenderGrid::placeItemsOnGrid(WebCore::RenderGrid::SizingOperation)
4   0x1136e134e WebCore::RenderGrid::layoutBlock(bool, WebCore::LayoutUnit)
5   0x1133551b2 WebCore::RenderBlock::layout()
6   0x1134163e4 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
7   0x11340ef50 WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)
8   0x11340b808 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)
9   0x1133551b2 WebCore::RenderBlock::layout()
10  0x113d9c3b6 WebCore::RenderView::layoutContent(WebCore::LayoutState const&)
11  0x113d9e816 WebCore::RenderView::layout()
12  0x1101506a2 WebCore::FrameView::layout(bool)
13  0x10f7d06fa WebCore::Document::updateLayout()
14  0x10f7d8fc1 WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks)
15  0x11045b6ec WebCore::HTMLBodyElement::scrollHeight()
16  0x11169c73a WebCore::jsElementScrollHeightGetter(JSC::ExecState&, WebCore::JSElement&, JSC::ThrowScope&)
17  0x1116675b8 long long WebCore::BindingCaller<WebCore::JSElement>::attribute<&(WebCore::jsElementScrollHeightGetter(JSC::ExecState&, WebCore::JSElement&, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState*, long long, char const*)
18  0x11166725b WebCore::jsElementScrollHeight(JSC::ExecState*, long long, JSC::PropertyName)
19  0x109e8d62a JSC::PropertySlot::customGetter(JSC::ExecState*, JSC::PropertyName) const
20  0x107a79673 JSC::PropertySlot::getValue(JSC::ExecState*, JSC::PropertyName) const
21  0x107a78dbd JSC::JSValue::get(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) const
22  0x109a041ff llint_slow_path_get_by_id
23  0x109a326b6 llint_entry
24  0x109a2f4ae vmEntryToJavaScript
25  0x10945d2be JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
26  0x1093286f1 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
27  0x107e0971b JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
28  0x107e09c38 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)
29  0x107e0a6ae JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)
30  0x110fd91f1 WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)
31  0x1116eebed WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*)
ASAN:DEADLYSIGNAL
=================================================================
==9513==ERROR: AddressSanitizer: SEGV on unknown address 0x0000bbadbeef (pc 0x00010a3b1529 bp 0x7fff5f0fabe0 sp 0x7fff5f0fabd0 T0)
    #0 0x10a3b1528 in WTFCrash (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2d01528)
    #1 0x1137142c8 in WebCore::GridSpan::translate(unsigned int) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x50c82c8)
    #2 0x1136e2b48 in WebCore::RenderGrid::placeItemsOnGrid(WebCore::RenderGrid::SizingOperation) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5096b48)
    #3 0x1136e134d in WebCore::RenderGrid::layoutBlock(bool, WebCore::LayoutUnit) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x509534d)
    #4 0x1133551b1 in WebCore::RenderBlock::layout() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4d091b1)
    #5 0x1134163e3 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4dca3e3)
    #6 0x11340ef4f in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4dc2f4f)
    #7 0x11340b807 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4dbf807)
    #8 0x1133551b1 in WebCore::RenderBlock::layout() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4d091b1)
    #9 0x113d9c3b5 in WebCore::RenderView::layoutContent(WebCore::LayoutState const&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x57503b5)
    #10 0x113d9e815 in WebCore::RenderView::layout() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5752815)
    #11 0x1101506a1 in WebCore::FrameView::layout(bool) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1b046a1)
    #12 0x10f7d06f9 in WebCore::Document::updateLayout() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x11846f9)
    #13 0x10f7d8fc0 in WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x118cfc0)
    #14 0x11045b6eb in WebCore::HTMLBodyElement::scrollHeight() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1e0f6eb)
    #15 0x11169c739 in WebCore::jsElementScrollHeightGetter(JSC::ExecState&, WebCore::JSElement&, JSC::ThrowScope&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x3050739)
    #16 0x1116675b7 in long long WebCore::BindingCaller<WebCore::JSElement>::attribute<&(WebCore::jsElementScrollHeightGetter(JSC::ExecState&, WebCore::JSElement&, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState*, long long, char const*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x301b5b7)
    #17 0x11166725a in WebCore::jsElementScrollHeight(JSC::ExecState*, long long, JSC::PropertyName) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x301b25a)
    #18 0x109e8d629 in JSC::PropertySlot::customGetter(JSC::ExecState*, JSC::PropertyName) const (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x27dd629)
    #19 0x107a79672 in JSC::PropertySlot::getValue(JSC::ExecState*, JSC::PropertyName) const (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x3c9672)
    #20 0x107a78dbc in JSC::JSValue::get(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) const (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x3c8dbc)
    #21 0x109a041fe in llint_slow_path_get_by_id (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x23541fe)
    #22 0x109a326b5 in llint_entry (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x23826b5)
    #23 0x109a2f4ad in vmEntryToJavaScript (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x237f4ad)
    #24 0x10945d2bd in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x1dad2bd)
    #25 0x1093286f0 in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x1c786f0)
    #26 0x107e0971a in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x75971a)
    #27 0x107e09c37 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x759c37)
    #28 0x107e0a6ad in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x75a6ad)
    #29 0x110fd91f0 in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x298d1f0)
    #30 0x1116eebec in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x30a2bec)
    #31 0x10fc663c8 in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener>, 1ul, WTF::CrashOnOverflow, 16ul>) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x161a3c8)
    #32 0x10fc65c15 in WebCore::EventTarget::fireEventListeners(WebCore::Event&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1619c15)
    #33 0x10fa3d92a in WebCore::DOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x13f192a)
    #34 0x10fa54344 in WebCore::DOMWindow::dispatchLoadEvent() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1408344)
    #35 0x10f7e2ad1 in WebCore::Document::dispatchWindowLoadEvent() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1196ad1)
    #36 0x10f7d854c in WebCore::Document::implicitClose() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x118c54c)
    #37 0x1100be1e2 in WebCore::FrameLoader::checkCallImplicitClose() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1a721e2)
    #38 0x1100bdccb in WebCore::FrameLoader::checkCompleted() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1a71ccb)
    #39 0x1100bdde4 in WebCore::FrameLoader::loadDone() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1a71de4)
    #40 0x10ec9221e in WebCore::CachedResourceLoader::loadDone(WebCore::CachedResource*, bool) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x64621e)
    #41 0x11474f339 in WebCore::SubresourceLoader::notifyDone() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x6103339)
    #42 0x11474fa9a in WebCore::SubresourceLoader::didFail(WebCore::ResourceError const&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x6103a9a)
    #43 0x1025a56d0 in WebKit::WebResourceLoader::didFailResourceLoad(WebCore::ResourceError const&) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1a916d0)
    #44 0x1025b3e09 in void IPC::callMemberFunctionImpl<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::ResourceError const&), std::__1::tuple<WebCore::ResourceError>, 0ul>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::ResourceError const&), std::__1::tuple<WebCore::ResourceError>&&, std::__1::integer_sequence<unsigned long, 0ul>) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1a9fe09)
    #45 0x1025b3a14 in void IPC::callMemberFunction<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::ResourceError const&), std::__1::tuple<WebCore::ResourceError>, std::__1::integer_sequence<unsigned long, 0ul> >(std::__1::tuple<WebCore::ResourceError>&&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::ResourceError const&)) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1a9fa14)
    #46 0x1025b0a93 in void IPC::handleMessage<Messages::WebResourceLoader::DidFailResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::ResourceError const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::ResourceError const&)) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1a9ca93)
    #47 0x1025aec4b in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1a9ac4b)
    #48 0x1012d7da9 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x7c3da9)
    #49 0x100cebfba in IPC::Connection::dispatchMessage(IPC::Decoder&) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1d7fba)
    #50 0x100cd47c4 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1c07c4)
    #51 0x100cecca5 in IPC::Connection::dispatchOneMessage() (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1d8ca5)
    #52 0x100cfd25c in IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_14::operator()() (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1e925c)
    #53 0x100cfd188 in WTF::Function<void ()>::CallableWrapper<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_14>::call() (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1e9188)
    #54 0x10a435830 in WTF::Function<void ()>::operator()() const (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2d85830)
    #55 0x10a47fc46 in WTF::RunLoop::performWork() (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2dcfc46)
    #56 0x10a480b11 in WTF::RunLoop::performWork(void*) (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2dd0b11)
    #57 0x7fff81c1f880 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0xaa880)
    #58 0x7fff81bfefbb in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x89fbb)
    #59 0x7fff81bfe4de in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x894de)
    #60 0x7fff81bfded7 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x88ed7)
    #61 0x7fff82fde934 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30934)
    #62 0x7fff82fde76e in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x3076e)
    #63 0x7fff82fde5ae in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x305ae)
    #64 0x7fff8e643df5 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x48df5)
    #65 0x7fff8e643225 in -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x48225)
    #66 0x7fff8e637d7f in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x3cd7f)
    #67 0x7fff8e601367 in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x6367)
    #68 0x7fff92f09193 in _xpc_objc_main (/usr/lib/system/libxpc.dylib+0x11193)
    #69 0x7fff92f07bbd in xpc_main (/usr/lib/system/libxpc.dylib+0xfbbd)
    #70 0x100afbf73 in main (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development+0x100001f73)
    #71 0x7fff8ab8d5ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
    #72 0x0  (<unknown module>)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2d01528) in WTFCrash
==9513==ABORTING
#CRASHED - com.apple.WebKit.WebContent.Development (pid 9513)

Comment 1 Renata Hodovan 2016-10-29 11:56:14 PDT

Created attachment 293305 [details]
Test

Comment 2 Frédéric Wang (:fredw) 2017-11-16 08:42:02 PST

@Renata: I'm not able to reproduce the issue. I tried with debug build of WebKitGTK (r224920) and macOS (r224757).

Comment 3 Renata Hodovan 2017-11-21 01:20:40 PST

(In reply to Frédéric Wang (:fredw) from comment #2)
> @Renata: I'm not able to reproduce the issue. I tried with debug build of
> WebKitGTK (r224920) and macOS (r224757).

@Frédéric: I cannot repro it either, so I think we can close it.

Comment 4 Frédéric Wang (:fredw) 2017-11-21 01:21:42 PST

OK, thanks for checking it!