166819 – ASSERTION FAILED: view().layoutDeltaMatches(oldLayoutDelta) in WebCore::RenderBlockFlow::layoutBlockChild

NEW 166819

ASSERTION FAILED: view().layoutDeltaMatches(oldLayoutDelta) in WebCore::RenderBlockFlow::layoutBlockChild

https://bugs.webkit.org/show_bug.cgi?id=166819

Summary ASSERTION FAILED: view().layoutDeltaMatches(oldLayoutDelta) in WebCore::Rende...

Renata Hodovan

Reported 2017-01-08 11:44:42 PST

Load the attached test with debug WebKitTestRunner: Checked version: 217d599 OS: Darwin-15.6.0-x86_64-i386-64bit <style>{}*{margin-bottom:-20932678!important</style><blockquote>L</blockquote><footer>t</footer>9 Backtrace: ASSERTION FAILED: view().layoutDeltaMatches(oldLayoutDelta) WebKit/Source/WebCore/rendering/RenderBlockFlow.cpp(794) : void WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox &, WebCore::RenderBlockFlow::MarginInfo &, WebCore::LayoutUnit &, WebCore::LayoutUnit &) 1 0x10b2144f1 WTFCrash 2 0x11427abea WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) 3 0x114271f50 WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) 4 0x11426e808 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) 5 0x1141b81b2 WebCore::RenderBlock::layout() 6 0x1142793e4 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) 7 0x114271f50 WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) 8 0x11426e808 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) 9 0x1141b81b2 WebCore::RenderBlock::layout() 10 0x1142793e4 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) 11 0x114271f50 WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) 12 0x11426e808 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) 13 0x1141b81b2 WebCore::RenderBlock::layout() 14 0x114bff3b6 WebCore::RenderView::layoutContent(WebCore::LayoutState const&) 15 0x114c01816 WebCore::RenderView::layout() 16 0x110fb36a2 WebCore::FrameView::layout(bool) 17 0x11063b9d6 WebCore::Document::implicitClose() 18 0x110f211e3 WebCore::FrameLoader::checkCallImplicitClose() 19 0x110f20ccc WebCore::FrameLoader::checkCompleted() 20 0x110f1d177 WebCore::FrameLoader::finishedParsing() 21 0x11065fab3 WebCore::Document::finishedParsing() 22 0x1112e6556 WebCore::HTMLConstructionSite::finishedParsing() 23 0x1115de5b8 WebCore::HTMLTreeBuilder::finished() 24 0x111359cfc WebCore::HTMLDocumentParser::end() 25 0x1113559e7 WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() 26 0x11135564e WebCore::HTMLDocumentParser::prepareToStopParsing() 27 0x111359d9c WebCore::HTMLDocumentParser::attemptToEnd() 28 0x111359df4 WebCore::HTMLDocumentParser::finish() 29 0x110824980 WebCore::DocumentWriter::end() 30 0x11077ee57 WebCore::DocumentLoader::finishedLoading(double) 31 0x11077e98b WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource&) ASAN:DEADLYSIGNAL ================================================================= ==18439==ERROR: AddressSanitizer: SEGV on unknown address 0x0000bbadbeef (pc 0x00010b214529 bp 0x7fff5e299350 sp 0x7fff5e299340 T0) #0 0x10b214528 in WTFCrash (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2d01528) #1 0x11427abe9 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4dcbbe9) #2 0x114271f4f in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4dc2f4f) #3 0x11426e807 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4dbf807) #4 0x1141b81b1 in WebCore::RenderBlock::layout() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4d091b1) #5 0x1142793e3 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4dca3e3) #6 0x114271f4f in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4dc2f4f) #7 0x11426e807 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4dbf807) #8 0x1141b81b1 in WebCore::RenderBlock::layout() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4d091b1) #9 0x1142793e3 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4dca3e3) #10 0x114271f4f in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4dc2f4f) #11 0x11426e807 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4dbf807) #12 0x1141b81b1 in WebCore::RenderBlock::layout() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4d091b1) #13 0x114bff3b5 in WebCore::RenderView::layoutContent(WebCore::LayoutState const&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x57503b5) #14 0x114c01815 in WebCore::RenderView::layout() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5752815) #15 0x110fb36a1 in WebCore::FrameView::layout(bool) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1b046a1) #16 0x11063b9d5 in WebCore::Document::implicitClose() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x118c9d5) #17 0x110f211e2 in WebCore::FrameLoader::checkCallImplicitClose() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1a721e2) #18 0x110f20ccb in WebCore::FrameLoader::checkCompleted() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1a71ccb) #19 0x110f1d176 in WebCore::FrameLoader::finishedParsing() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1a6e176) #20 0x11065fab2 in WebCore::Document::finishedParsing() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x11b0ab2) #21 0x1112e6555 in WebCore::HTMLConstructionSite::finishedParsing() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1e37555) #22 0x1115de5b7 in WebCore::HTMLTreeBuilder::finished() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x212f5b7) #23 0x111359cfb in WebCore::HTMLDocumentParser::end() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1eaacfb) #24 0x1113559e6 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1ea69e6) #25 0x11135564d in WebCore::HTMLDocumentParser::prepareToStopParsing() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1ea664d) #26 0x111359d9b in WebCore::HTMLDocumentParser::attemptToEnd() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1eaad9b) #27 0x111359df3 in WebCore::HTMLDocumentParser::finish() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1eaadf3) #28 0x11082497f in WebCore::DocumentWriter::end() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x137597f) #29 0x11077ee56 in WebCore::DocumentLoader::finishedLoading(double) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x12cfe56) #30 0x11077e98a in WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x12cf98a) #31 0x10fac0b23 in WebCore::CachedResource::checkNotify() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x611b23) #32 0x10fac0d13 in WebCore::CachedResource::finishLoading(WebCore::SharedBuffer*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x611d13) #33 0x10fab5d54 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x606d54) #34 0x1155aee8e in WebCore::SubresourceLoader::didFinishLoading(double) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x60ffe8e) #35 0x10340b43e in WebKit::WebResourceLoader::didFinishResourceLoad(double) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1a9143e) #36 0x1034196ce in void IPC::callMemberFunctionImpl<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>, 0ul>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>&&, std::__1::integer_sequence<unsigned long, 0ul>) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1a9f6ce) #37 0x103419374 in void IPC::callMemberFunction<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>, std::__1::integer_sequence<unsigned long, 0ul> >(std::__1::tuple<double>&&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1a9f374) #38 0x103416680 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1a9c680) #39 0x103414a10 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1a9aa10) #40 0x10213dda9 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x7c3da9) #41 0x101b51fba in IPC::Connection::dispatchMessage(IPC::Decoder&) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1d7fba) #42 0x101b3a7c4 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1c07c4) #43 0x101b52ca5 in IPC::Connection::dispatchOneMessage() (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1d8ca5) #44 0x101b6325c in IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_14::operator()() (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1e925c) #45 0x101b63188 in WTF::Function<void ()>::CallableWrapper<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_14>::call() (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1e9188) #46 0x10b298830 in WTF::Function<void ()>::operator()() const (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2d85830) #47 0x10b2e2d50 in WTF::RunLoop::performWork() (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2dcfd50) #48 0x10b2e3b11 in WTF::RunLoop::performWork(void*) (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2dd0b11) #49 0x7fff81c1f880 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0xaa880) #50 0x7fff81bfefbb in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x89fbb) #51 0x7fff81bfe4de in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x894de) #52 0x7fff81bfded7 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x88ed7) #53 0x7fff82fde934 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30934) #54 0x7fff82fde76e in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x3076e) #55 0x7fff82fde5ae in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x305ae) #56 0x7fff8e643df5 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x48df5) #57 0x7fff8e643225 in -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x48225) #58 0x7fff8e637d7f in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x3cd7f) #59 0x7fff8e601367 in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x6367) #60 0x7fff92f09193 in _xpc_objc_main (/usr/lib/system/libxpc.dylib+0x11193) #61 0x7fff92f07bbd in xpc_main (/usr/lib/system/libxpc.dylib+0xfbbd) #62 0x10195df73 in main (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development+0x100001f73) #63 0x7fff8ab8d5ac in start (/usr/lib/system/libdyld.dylib+0x35ac) #64 0x0 (<unknown module>) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2d01528) in WTFCrash ==18439==ABORTING #CRASHED - com.apple.WebKit.WebContent.Development (pid 18439)

Attachments
Test (97 bytes, text/html) 2017-01-08 11:44 PST, Renata Hodovan	no flags	Details
Alternative repro (318 bytes, text/html) 2022-10-25 08:12 PDT, Frédéric Wang (:fredw)	no flags	Details
View All Add attachment proposed patch, testcase, etc.

Renata Hodovan

Comment 1 2017-01-08 11:44:46 PST

Created attachment 298309 [details] Test

Simon Fraser (smfr)

Comment 2 2017-01-08 11:58:20 PST

Renata, please cc: zalan on these assertion bugs.

Frédéric Wang (:fredw)

Comment 3 2022-10-25 08:10:41 PDT

*** Bug 235570 has been marked as a duplicate of this bug. ***

Frédéric Wang (:fredw)

Comment 4 2022-10-25 08:11:00 PDT

*** Bug 244466 has been marked as a duplicate of this bug. ***

Frédéric Wang (:fredw)

Comment 5 2022-10-25 08:12:39 PDT

Created attachment 463217 [details] Alternative repro This is minimal testcase obtained from the original testcase of bug 244580. Bug 235570 and bug 244466 also have large testcases apparently generated by the same fuzzer, so I made them a duplicate of this one.

Frédéric Wang (:fredw)

Comment 6 2022-10-25 08:14:03 PDT

I forgot to say that my minimal repro was reproduced at https://commits.webkit.org/255418@main with macos/gtk debug builds.

Tim Nguyen (:ntim)

Comment 7 2023-04-28 20:57:51 PDT

rdar://88322054

Note You need to log in before you can comment on or make changes to this bug.

Status NEW

Resolution

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Local Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component Layout and Rendering

Assignee

Nobody

Reported

2017-01-08 11:44 PST

Modified

2023-04-28 20:57 PDT History

CC List

6 users Show

URL

Keywords InRadar

Duplicates (2)

235570 244466 View as bug list

Depends on

Blocks

116980

Dependencies

tree graph