Bug 166030 - ASSERTION FAILED: run->m_stop > 0 in *WebCore::RenderBlockFlow::computeInlineDirectionPositionsForSegment
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering
Version: WebKit Local Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Myles C. Maxfield
Blocks: 116980
Reported: 2016-12-19 12:25 PST by Renata Hodovan
Modified: 2017-01-11 15:07 PST

Attachments
Test (146 bytes, text/html)
2016-12-19 12:25 PST, Renata Hodovan
Test reduction (114 bytes, text/html)
2016-12-23 20:59 PST, zalan
Test reduction (155 bytes, text/html)
2016-12-25 15:29 PST, zalan
Patch (4.90 KB, patch)
2017-01-07 15:21 PST, Myles C. Maxfield
Archive of layout-test-results from ews102 for mac-elcapitan (781.97 KB, application/zip)
2017-01-07 16:20 PST, Build Bot
Archive of layout-test-results from ews104 for mac-elcapitan-wk2 (963.13 KB, application/zip)
2017-01-07 16:24 PST, Build Bot
Archive of layout-test-results from ews116 for mac-elcapitan (1.66 MB, application/zip)
2017-01-07 16:40 PST, Build Bot
Patch (4.28 KB, patch)
2017-01-09 17:41 PST, Myles C. Maxfield
Patch (4.25 KB, patch)
2017-01-10 15:47 PST, Myles C. Maxfield
rniwa: review+
Patch for committing (4.51 KB, patch)
2017-01-10 23:21 PST, Myles C. Maxfield
commit-queue: commit-queue-

Description Renata Hodovan 2016-12-19 12:25:12 PST
Load the attached test with WebKitTestRunner:

Checked version: f368f1d
OS: Darwin-15.6.0-x86_64-i386-64bit

<table><font dir="auto">8888VVVVVVVVVVVVVVV
<td></td>
RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR<body contenteditable="plaintext-only">

Backtrace:

ASSERTION FAILED: run->m_stop > 0
WebKit/Source/WebCore/rendering/RenderBlockLineLayout.cpp(897) : WebCore::BidiRun *WebCore::RenderBlockFlow::computeInlineDirectionPositionsForSegment(WebCore::RootInlineBox *, const WebCore::LineInfo &, WebCore::ETextAlign, float &, float &, WebCore::BidiRun *, WebCore::BidiRun *, GlyphOverflowAndFallbackFontsMap &, WebCore::VerticalPositionCache &, WordMeasurements &)
1   0x112d4dc71 WTFCrash
2   0x11c6e62eb WebCore::RenderBlockFlow::computeInlineDirectionPositionsForSegment(WebCore::RootInlineBox*, WebCore::LineInfo const&, WebCore::ETextAlign, float&, float&, WebCore::BidiRun*, WebCore::BidiRun*, WTF::HashMap<WebCore::InlineTextBox const*, std::__1::pair<WTF::Vector<WebCore::Font const*, 0ul, WTF::CrashOnOverflow, 16ul>, WebCore::GlyphOverflow>, WTF::PtrHash<WebCore::InlineTextBox const*>, WTF::HashTraits<WebCore::InlineTextBox const*>, WTF::HashTraits<std::__1::pair<WTF::Vector<WebCore::Font const*, 0ul, WTF::CrashOnOverflow, 16ul>, WebCore::GlyphOverflow> > >&, WebCore::VerticalPositionCache&, WTF::Vector<WebCore::WordMeasurement, 64ul, WTF::CrashOnOverflow, 16ul>&)
3   0x11c6e4094 WebCore::RenderBlockFlow::computeInlineDirectionPositionsForLine(WebCore::RootInlineBox*, WebCore::LineInfo const&, WebCore::BidiRun*, WebCore::BidiRun*, bool, WTF::HashMap<WebCore::InlineTextBox const*, std::__1::pair<WTF::Vector<WebCore::Font const*, 0ul, WTF::CrashOnOverflow, 16ul>, WebCore::GlyphOverflow>, WTF::PtrHash<WebCore::InlineTextBox const*>, WTF::HashTraits<WebCore::InlineTextBox const*>, WTF::HashTraits<std::__1::pair<WTF::Vector<WebCore::Font const*, 0ul, WTF::CrashOnOverflow, 16ul>, WebCore::GlyphOverflow> > >&, WebCore::VerticalPositionCache&, WTF::Vector<WebCore::WordMeasurement, 64ul, WTF::CrashOnOverflow, 16ul>&)
4   0x11c6eafe0 WebCore::RenderBlockFlow::createLineBoxesFromBidiRuns(unsigned int, WebCore::BidiRunList<WebCore::BidiRun>&, WebCore::InlineIterator const&, WebCore::LineInfo&, WebCore::VerticalPositionCache&, WebCore::BidiRun*, WTF::Vector<WebCore::WordMeasurement, 64ul, WTF::CrashOnOverflow, 16ul>&)
5   0x11c6efbe2 WebCore::RenderBlockFlow::layoutRunsAndFloatsInRange(WebCore::LineLayoutState&, WebCore::BidiResolverWithIsolate<WebCore::InlineIterator, WebCore::BidiRun, WebCore::BidiIsolatedRun>&, WebCore::InlineIterator const&, WebCore::BidiStatus const&, unsigned int)
6   0x11c6ebca1 WebCore::RenderBlockFlow::layoutRunsAndFloats(WebCore::LineLayoutState&, bool)
7   0x11c6f7aed WebCore::RenderBlockFlow::layoutLineBoxes(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
8   0x11c672acb WebCore::RenderBlockFlow::layoutInlineChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
9   0x11c66fac1 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)
10  0x11c5b92b4 WebCore::RenderBlock::layout()
11  0x11c67a714 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
12  0x11c673280 WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)
13  0x11c66fb38 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)
14  0x11c5b92b4 WebCore::RenderBlock::layout()
15  0x11c67a714 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
16  0x11c673280 WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)
17  0x11c66fb38 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)
18  0x11c5b92b4 WebCore::RenderBlock::layout()
19  0x11c67a714 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
20  0x11c673280 WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)
21  0x11c66fb38 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)
22  0x11c5b92b4 WebCore::RenderBlock::layout()
23  0x11c67a714 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
24  0x11c673280 WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)
25  0x11c66fb38 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)
26  0x11c5b92b4 WebCore::RenderBlock::layout()
27  0x11c67a714 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
28  0x11c673280 WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)
29  0x11c66fb38 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)
30  0x11c5b92b4 WebCore::RenderBlock::layout()
31  0x11c67a714 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
ASAN:DEADLYSIGNAL
=================================================================
==38943==ERROR: AddressSanitizer: SEGV on unknown address 0x0000bbadbeef (pc 0x000112d4dca9 bp 0x7fff56c20e50 sp 0x7fff56c20e40 T0)
    #0 0x112d4dca8 in WTFCrash (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2f81ca8)
    #1 0x11c6e62ea in WebCore::RenderBlockFlow::computeInlineDirectionPositionsForSegment(WebCore::RootInlineBox*, WebCore::LineInfo const&, WebCore::ETextAlign, float&, float&, WebCore::BidiRun*, WebCore::BidiRun*, WTF::HashMap<WebCore::InlineTextBox const*, std::__1::pair<WTF::Vector<WebCore::Font const*, 0ul, WTF::CrashOnOverflow, 16ul>, WebCore::GlyphOverflow>, WTF::PtrHash<WebCore::InlineTextBox const*>, WTF::HashTraits<WebCore::InlineTextBox const*>, WTF::HashTraits<std::__1::pair<WTF::Vector<WebCore::Font const*, 0ul, WTF::CrashOnOverflow, 16ul>, WebCore::GlyphOverflow> > >&, WebCore::VerticalPositionCache&, WTF::Vector<WebCore::WordMeasurement, 64ul, WTF::CrashOnOverflow, 16ul>&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x53c52ea)
    #2 0x11c6e4093 in WebCore::RenderBlockFlow::computeInlineDirectionPositionsForLine(WebCore::RootInlineBox*, WebCore::LineInfo const&, WebCore::BidiRun*, WebCore::BidiRun*, bool, WTF::HashMap<WebCore::InlineTextBox const*, std::__1::pair<WTF::Vector<WebCore::Font const*, 0ul, WTF::CrashOnOverflow, 16ul>, WebCore::GlyphOverflow>, WTF::PtrHash<WebCore::InlineTextBox const*>, WTF::HashTraits<WebCore::InlineTextBox const*>, WTF::HashTraits<std::__1::pair<WTF::Vector<WebCore::Font const*, 0ul, WTF::CrashOnOverflow, 16ul>, WebCore::GlyphOverflow> > >&, WebCore::VerticalPositionCache&, WTF::Vector<WebCore::WordMeasurement, 64ul, WTF::CrashOnOverflow, 16ul>&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x53c3093)
    #3 0x11c6eafdf in WebCore::RenderBlockFlow::createLineBoxesFromBidiRuns(unsigned int, WebCore::BidiRunList<WebCore::BidiRun>&, WebCore::InlineIterator const&, WebCore::LineInfo&, WebCore::VerticalPositionCache&, WebCore::BidiRun*, WTF::Vector<WebCore::WordMeasurement, 64ul, WTF::CrashOnOverflow, 16ul>&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x53c9fdf)
    #4 0x11c6efbe1 in WebCore::RenderBlockFlow::layoutRunsAndFloatsInRange(WebCore::LineLayoutState&, WebCore::BidiResolverWithIsolate<WebCore::InlineIterator, WebCore::BidiRun, WebCore::BidiIsolatedRun>&, WebCore::InlineIterator const&, WebCore::BidiStatus const&, unsigned int) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x53cebe1)
    #5 0x11c6ebca0 in WebCore::RenderBlockFlow::layoutRunsAndFloats(WebCore::LineLayoutState&, bool) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x53caca0)
    #6 0x11c6f7aec in WebCore::RenderBlockFlow::layoutLineBoxes(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x53d6aec)
    #7 0x11c672aca in WebCore::RenderBlockFlow::layoutInlineChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5351aca)
    #8 0x11c66fac0 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x534eac0)
    #9 0x11c5b92b3 in WebCore::RenderBlock::layout() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x52982b3)
    #10 0x11c67a713 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5359713)
    #11 0x11c67327f in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x535227f)
    #12 0x11c66fb37 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x534eb37)
    #13 0x11c5b92b3 in WebCore::RenderBlock::layout() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x52982b3)
    #14 0x11c67a713 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5359713)
    #15 0x11c67327f in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x535227f)
    #16 0x11c66fb37 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x534eb37)
    #17 0x11c5b92b3 in WebCore::RenderBlock::layout() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x52982b3)
    #18 0x11c67a713 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5359713)
    #19 0x11c67327f in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x535227f)
    #20 0x11c66fb37 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x534eb37)
    #21 0x11c5b92b3 in WebCore::RenderBlock::layout() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x52982b3)
    #22 0x11c67a713 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5359713)
    #23 0x11c67327f in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x535227f)
    #24 0x11c66fb37 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x534eb37)
    #25 0x11c5b92b3 in WebCore::RenderBlock::layout() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x52982b3)
    #26 0x11c67a713 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5359713)
    #27 0x11c67327f in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x535227f)
    #28 0x11c66fb37 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x534eb37)
    #29 0x11c5b92b3 in WebCore::RenderBlock::layout() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x52982b3)
    #30 0x11c67a713 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5359713)
    #31 0x11c67327f in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x535227f)
    #32 0x11c66fb37 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x534eb37)
    #33 0x11c5b92b3 in WebCore::RenderBlock::layout() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x52982b3)
    #34 0x11c67a713 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5359713)
    #35 0x11c67327f in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x535227f)
    #36 0x11c66fb37 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x534eb37)
    #37 0x11c5b92b3 in WebCore::RenderBlock::layout() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x52982b3)
    #38 0x11c67a713 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5359713)
    #39 0x11c67327f in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x535227f)
    #40 0x11c66fb37 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x534eb37)
    #41 0x11c5b92b3 in WebCore::RenderBlock::layout() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x52982b3)
    #42 0x11c67a713 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5359713)
    #43 0x11c67327f in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x535227f)
    #44 0x11c66fb37 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x534eb37)
    #45 0x11c5b92b3 in WebCore::RenderBlock::layout() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x52982b3)
    #46 0x11c67a713 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5359713)
    #47 0x11c67327f in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x535227f)
    #48 0x11c66fb37 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x534eb37)
    #49 0x11c5b92b3 in WebCore::RenderBlock::layout() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x52982b3)
    #50 0x11c67a713 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5359713)
    #51 0x11c67327f in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x535227f)
    #52 0x11c66fb37 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x534eb37)
    #53 0x11c5b92b3 in WebCore::RenderBlock::layout() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x52982b3)
    #54 0x11cfebae5 in WebCore::RenderView::layoutContent(WebCore::LayoutState const&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5ccaae5)
    #55 0x11cfedf45 in WebCore::RenderView::layout() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5cccf45)
    #56 0x118ec6a7e in WebCore::FrameView::layout(bool) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1ba5a7e)
    #57 0x1184faf29 in WebCore::Document::updateLayout() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x11d9f29)
    #58 0x118503a70 in WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x11e2a70)
    #59 0x1188e26c9 in WebCore::Element::focus(bool, WebCore::FocusDirection) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x15c16c9)
    #60 0x1193065be in WebCore::HTMLFormControlElement::didAttachRenderers()::$_1::operator()() const (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1fe55be)
    #61 0x119306478 in WTF::Function<void ()>::CallableWrapper<WebCore::HTMLFormControlElement::didAttachRenderers()::$_1>::call() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1fe5478)
    #62 0x1174824f0 in WTF::Function<void ()>::operator()() const (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1614f0)
    #63 0x11d9e0b4c in WebCore::Style::PostResolutionCallbackDisabler::~PostResolutionCallbackDisabler() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x66bfb4c)
    #64 0x11d9e0c14 in WebCore::Style::PostResolutionCallbackDisabler::~PostResolutionCallbackDisabler() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x66bfc14)
    #65 0x1185026be in WebCore::Document::recalcStyle(WebCore::Style::Change) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x11e16be)
    #66 0x1184ec8ca in WebCore::Document::updateStyleIfNeeded() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x11cb8ca)
    #67 0x118527ae9 in WebCore::Document::finishedParsing() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1206ae9)
    #68 0x119215195 in WebCore::HTMLConstructionSite::finishedParsing() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1ef4195)
    #69 0x1195309b7 in WebCore::HTMLTreeBuilder::finished() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x220f9b7)
    #70 0x11928f3db in WebCore::HTMLDocumentParser::end() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f6e3db)
    #71 0x11928b116 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f6a116)
    #72 0x11928ad7d in WebCore::HTMLDocumentParser::prepareToStopParsing() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f69d7d)
    #73 0x11928c59a in WebCore::HTMLDocumentParser::endIfDelayed() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f6b59a)
    #74 0x11928c415 in WebCore::HTMLDocumentParser::resumeParsingAfterYield() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1f6b415)
    #75 0x11944f8b5 in WebCore::HTMLParserScheduler::continueNextChunkTimerFired() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x212e8b5)
    #76 0x119453bb8 in void std::__1::__invoke_void_return_wrapper<void>::__call<std::__1::__bind<void (WebCore::HTMLParserScheduler::*&)(), WebCore::HTMLParserScheduler*>&>(std::__1::__bind<void (WebCore::HTMLParserScheduler::*&)(), WebCore::HTMLParserScheduler*>&&&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x2132bb8)
    #77 0x1194538c8 in std::__1::__function::__func<std::__1::__bind<void (WebCore::HTMLParserScheduler::*&)(), WebCore::HTMLParserScheduler*>, std::__1::allocator<std::__1::__bind<void (WebCore::HTMLParserScheduler::*&)(), WebCore::HTMLParserScheduler*> >, void ()>::operator()() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x21328c8)
    #78 0x117434a94 in std::__1::function<void ()>::operator()() const (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x113a94)
    #79 0x117434628 in WebCore::Timer::fired() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x113628)
    #80 0x11de950de in WebCore::ThreadTimers::sharedTimerFiredInternal() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x6b740de)
    #81 0x11de98290 in WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0::operator()() const (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x6b77290)
    #82 0x11de9825c in void std::__1::__invoke_void_return_wrapper<void>::__call<WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0&>(WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0&&&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x6b7725c)
    #83 0x11de98208 in std::__1::__function::__func<WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0, std::__1::allocator<WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0>, void ()>::operator()() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x6b77208)
    #84 0x117434a94 in std::__1::function<void ()>::operator()() const (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x113a94)
    #85 0x11bc4c46d in WebCore::MainThreadSharedTimer::fired() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x492b46d)
    #86 0x11bc4ccf2 in WebCore::timerFired(__CFRunLoopTimer*, void*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x492bcf2)
    #87 0x7fff94ee5af3 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x92af3)
    #88 0x7fff94ee5782 in __CFRunLoopDoTimer (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x92782)
    #89 0x7fff94ee52d9 in __CFRunLoopDoTimers (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x922d9)
    #90 0x7fff94edc7d0 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x897d0)
    #91 0x7fff94edbe37 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x88e37)
    #92 0x7fff93297934 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30934)
    #93 0x7fff9329776e in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x3076e)
    #94 0x7fff932975ae in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x305ae)
    #95 0x7fff98137df5 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x48df5)
    #96 0x7fff98137225 in -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x48225)
    #97 0x7fff9812bd7f in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x3cd7f)
    #98 0x7fff980f5367 in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x6367)
    #99 0x7fff8beec193 in _xpc_objc_main (/usr/lib/system/libxpc.dylib+0x11193)
    #100 0x7fff8beeabbd in xpc_main (/usr/lib/system/libxpc.dylib+0xfbbd)
    #101 0x108fc4f73 in main (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development+0x100001f73)
    #102 0x7fff9ecd85ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
    #103 0x0  (<unknown module>)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2f81ca8) in WTFCrash
==38943==ABORTING
#CRASHED - com.apple.WebKit.WebContent.Development (pid 38943)
Comment 1 Renata Hodovan 2016-12-19 12:25:15 PST
Created attachment 297473 [details]
Test
Comment 2 zalan 2016-12-23 20:59:10 PST
Created attachment 297730 [details]
Test reduction
Comment 3 zalan 2016-12-25 15:29:29 PST
Created attachment 297756 [details]
Test reduction

We end up processing a fake isolated run. Not sure at which point we are supposed to get rid of it.
Comment 4 Myles C. Maxfield 2017-01-07 15:21:09 PST
Created attachment 298286 [details]
Patch
Comment 5 Myles C. Maxfield 2017-01-07 15:22:08 PST
(In reply to comment #3)
> Created attachment 297756 [details]
> Test reduction
> 
> We end up processing a fake isolated run. Not sure at which point we are
> supposed to get rid of it.

// Note that we do not delete the runs from the resolver.
// We're not guaranteed to get any BidiRuns in the previous step. If we don't, we allow the placeholder
// itself to be turned into an InlineBox. We can't remove it here without potentially losing track of
// the logically last run.
Comment 6 Build Bot 2017-01-07 16:20:26 PST
Comment on attachment 298286 [details]
Patch

Attachment 298286 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.webkit.org/results/2851120

New failing tests:
fast/text/word-space.html
Comment 7 Build Bot 2017-01-07 16:20:30 PST
Created attachment 298288 [details]
Archive of layout-test-results from ews102 for mac-elcapitan

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews102  Port: mac-elcapitan  Platform: Mac OS X 10.11.6
Comment 8 Build Bot 2017-01-07 16:24:14 PST
Comment on attachment 298286 [details]
Patch

Attachment 298286 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/2851123

New failing tests:
fast/text/word-space.html
Comment 9 Build Bot 2017-01-07 16:24:18 PST
Created attachment 298289 [details]
Archive of layout-test-results from ews104 for mac-elcapitan-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews104  Port: mac-elcapitan-wk2  Platform: Mac OS X 10.11.6
Comment 10 Build Bot 2017-01-07 16:40:20 PST
Comment on attachment 298286 [details]
Patch

Attachment 298286 [details] did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/2851126

New failing tests:
fast/text/word-space.html
Comment 11 Build Bot 2017-01-07 16:40:24 PST
Created attachment 298290 [details]
Archive of layout-test-results from ews116 for mac-elcapitan

The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews116  Port: mac-elcapitan  Platform: Mac OS X 10.11.6
Comment 12 Myles C. Maxfield 2017-01-09 17:41:30 PST
Created attachment 298427 [details]
Patch
Comment 13 Said Abou-Hallawa 2017-01-09 18:27:45 PST
Comment on attachment 298427 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=298427&action=review

> Source/WebCore/rendering/RenderBlockLineLayout.cpp:900
> +                needsWordSpacing = run->m_stop > 0 && !isSpaceOrNewline(renderText.characterAt(run->m_stop - 1)) && run->m_stop == length;
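
Review bot: the `run->m_stop > 0` term on the added line at RenderBlockLineLayout.cpp:900 carries no comment saying when a run can end at offset 0. A one-line comment next to the guard naming that case would keep a later cleanup from dropping the term and letting `run->m_stop - 1` be evaluated for an empty run.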

There is no need to check run->m_stop > 0 since you are checking run->m_stop == length and length > 0 since it is unsigned and it is not zero.

I would suggest moving the condition run->m_stop == length at the beginning to prevent calculating run->m_stop - 1 if run->m_stop == 0.

needsWordSpacing = run->m_stop == length && !isSpaceOrNewline(renderText.characterAt(run->m_stop - 1));
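
The ordering point in the review comment above, as an added example (not WebKit code and not part of the original comment): `Run`, `characterAt`, `guardFirst` and `lengthFirst` are simplified, hypothetical stand-ins, and the character lookup is bounds-checked so an out-of-range index is reported rather than read. It shows that testing `m_stop == length` first protects `m_stop - 1` only while `length` is non-zero.

```cpp
#include <cstdio>
#include <string>

// Hypothetical stand-in for a bidi run: offsets [m_start, m_stop) into a text.
struct Run {
    unsigned m_start;
    unsigned m_stop;
};

enum class Outcome { NoSpacing, NeedsSpacing, BadIndex };

static bool isSpaceOrNewline(char c) { return c == ' ' || c == '\n'; }

// Bounds-checked stand-in for renderText.characterAt(): reports an
// out-of-range index instead of reading past the buffer.
static bool characterAt(const std::string& text, unsigned index, char& out)
{
    if (index >= text.size())
        return false;
    out = text[index];
    return true;
}

// Inspects the character just before m_stop. When m_stop == 0 the unsigned
// subtraction wraps to UINT_MAX, which the bounds check reports as BadIndex.
static Outcome classifyLastCharacter(const std::string& text, const Run& run)
{
    char last = 0;
    if (!characterAt(text, run.m_stop - 1, last))
        return Outcome::BadIndex;
    return isSpaceOrNewline(last) ? Outcome::NoSpacing : Outcome::NeedsSpacing;
}

// Order used on the quoted patch line: m_stop > 0 is tested before indexing.
Outcome guardFirst(const std::string& text, const Run& run)
{
    unsigned length = static_cast<unsigned>(text.size());
    if (run.m_stop == 0)
        return Outcome::NoSpacing;
    Outcome last = classifyLastCharacter(text, run);
    if (last != Outcome::NeedsSpacing)
        return last;
    return run.m_stop == length ? Outcome::NeedsSpacing : Outcome::NoSpacing;
}

// Order suggested in the review: m_stop == length is tested first and the
// explicit m_stop > 0 term is dropped.
Outcome lengthFirst(const std::string& text, const Run& run)
{
    unsigned length = static_cast<unsigned>(text.size());
    if (run.m_stop != length)
        return Outcome::NoSpacing;
    return classifyLastCharacter(text, run);
}

static const char* outcomeName(Outcome outcome)
{
    switch (outcome) {
    case Outcome::NoSpacing: return "no spacing";
    case Outcome::NeedsSpacing: return "needs spacing";
    case Outcome::BadIndex: return "index out of range";
    }
    return "?";
}

int main()
{
    // Constructed inputs: a normal trailing run, an empty run inside
    // non-empty text, and an empty run over empty text.
    struct Case { const char* text; Run run; } cases[] = {
        { "foo bar", { 4, 7 } },
        { "foo", { 0, 0 } },
        { "", { 0, 0 } },
    };
    for (const Case& c : cases) {
        std::printf("text=\"%s\" stop=%u guardFirst=%s lengthFirst=%s\n",
            c.text, c.run.m_stop,
            outcomeName(guardFirst(c.text, c.run)),
            outcomeName(lengthFirst(c.text, c.run)));
    }
    return 0;
}
```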
Comment 14 Myles C. Maxfield 2017-01-10 15:47:05 PST
Created attachment 298517 [details]
Patch
Comment 15 Ryosuke Niwa 2017-01-10 15:55:32 PST
Comment on attachment 298517 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=298517&action=review

> Source/WebCore/ChangeLog:9
> +        In the general case, it is impossible to have an empty BiDi run (because
> +        we filter them out). However, when using isolates, we invoke extra machinery

This is a bit misleading. “general case” usually refers to the most generic scenario,
which certainly includes the case where unicode-bidi: isolate is used.
It’s probably more accurate to say “Ordinarily, we don’t have” or “Usually, we don’t have”.
Furthermore, “it is impossible” seems rather too strong of a word to describe
a condition that doesn’t hold under certain circumstances.

> Source/WebCore/rendering/RenderBlockLineLayout.cpp:-900
> -                ASSERT(run->m_stop > 0);

Why don’t we assert that either run->m_stop > 0 or that the run is created for unicode-bidi instead?

> LayoutTests/fast/text/bidi-isolate-empty-run.html:1
> +<style>

I’d prefer having at least DOCTYPE and body so that we’re testing the strict mode, and not quirks mode.
Comment 16 Myles C. Maxfield 2017-01-10 23:21:22 PST
Created attachment 298556 [details]
Patch for committing
Comment 17 WebKit Commit Bot 2017-01-11 07:51:13 PST
Comment on attachment 298556 [details]
Patch for committing

Rejecting attachment 298556 [details] from commit-queue.

Failed to run "['/Volumes/Data/EWS/WebKit/Tools/Scripts/webkit-patch', '--status-host=webkit-queues.webkit.org', '--bot-id=webkit-cq-03', 'validate-changelog', '--check-oops', '--non-interactive', 298556, '--port=mac']" exit_code: 1 cwd: /Volumes/Data/EWS/WebKit

ChangeLog entry in LayoutTests/ChangeLog contains OOPS!.

Full output: http://webkit-queues.webkit.org/results/2870057
Comment 18 Myles C. Maxfield 2017-01-11 15:07:27 PST
Committed r210601: <http://trac.webkit.org/changeset/210601>