Bug 178857 - Crash in WebCore::RenderStyle::overflowX with display:contents
Summary: Crash in WebCore::RenderStyle::overflowX with display:contents
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering (show other bugs)
Version: WebKit Local Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
: 178858 (view as bug list)
Depends on:
Blocks: 116980 157477
  Show dependency treegraph
 
Reported: 2017-10-26 05:02 PDT by Renata Hodovan
Modified: 2017-11-03 07:46 PDT (History)
8 users (show)

See Also:

Attachments
Test (73 bytes, text/html)
2017-10-26 05:02 PDT, Renata Hodovan 		no flags Details
patch (3.83 KB, patch)
2017-11-03 05:00 PDT, Antti Koivisto 		buildbot: commit-queue-
Details | Formatted Diff | Diff
Archive of layout-test-results from ews102 for mac-elcapitan (1006.72 KB, application/zip)
2017-11-03 05:55 PDT, Build Bot 		no flags Details
Archive of layout-test-results from ews107 for mac-elcapitan-wk2 (1.16 MB, application/zip)
2017-11-03 06:04 PDT, Build Bot 		no flags Details
Archive of layout-test-results from ews113 for mac-elcapitan (1.79 MB, application/zip)
2017-11-03 06:16 PDT, Build Bot 		no flags Details
Archive of layout-test-results from ews123 for ios-simulator-wk2 (1006.48 KB, application/zip)
2017-11-03 06:22 PDT, Build Bot 		no flags Details
patch (6.94 KB, patch)
2017-11-03 06:31 PDT, Antti Koivisto 		no flags Details | Formatted Diff | Diff
Show Obsolete (5) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Renata Hodovan 2017-10-26 05:02:28 PDT 
Created attachment 324990 [details]
Test

Load the attached test with debug WebKitTestRunner:

Checked version: 9e82982
OS: macOS Sierra (10.12.6)

<html style="display:contents;">
<style>
* {
    overflow-x:auto;
}
</style>

Backtrace:

ASAN:DEADLYSIGNAL
=================================================================
==65062==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000078 (pc 0x000115e046a2 bp 0x7fff5790c450 sp 0x7fff5790c440 T0)
==65062==The signal is caused by a READ memory access.
==65062==Hint: address points to the zero page.
==65062==WARNING: invalid path to external symbolizer!
==65062==WARNING: Failed to use and restart external symbolizer!
    #0 0x115e046a1 in WebCore::RenderStyle::overflowX() const (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x91b6a1)
    #1 0x117765b3b in WebCore::RenderBox::updateFromStyle() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x227cb3b)
    #2 0x117ba41a6 in WebCore::RenderLayerModelObject::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x26bb1a6)
    #3 0x117763704 in WebCore::RenderBox::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x227a704)
    #4 0x1175bb196 in WebCore::RenderBlock::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x20d2196)
    #5 0x1176c2863 in WebCore::RenderBlockFlow::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x21d9863)
    #6 0x1178b4026 in WebCore::RenderElement::initializeStyle() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x23cb026)
    #7 0x11805558b in WebCore::RenderTreeUpdater::createRenderer(WebCore::Element&, WebCore::RenderStyle&&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x2b6c58b)
    #8 0x118053964 in WebCore::RenderTreeUpdater::updateElementRenderer(WebCore::Element&, WebCore::Style::ElementUpdate const&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x2b6a964)
    #9 0x1180527c7 in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x2b697c7)
    #10 0x118051260 in WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x2b68260)
    #11 0x11c7bbfea in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x72d2fea)
    #12 0x11c7bebf2 in WebCore::Document::updateStyleIfNeeded() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x72d5bf2)
    #13 0x11c7f1692 in WebCore::Document::finishedParsing() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x7308692)
    #14 0x11668b235 in WebCore::HTMLConstructionSite::finishedParsing() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x11a2235)
    #15 0x116a572c8 in WebCore::HTMLTreeBuilder::finished() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x156e2c8)
    #16 0x116713eac in WebCore::HTMLDocumentParser::end() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x122aeac)
    #17 0x11670dfe8 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x1224fe8)
    #18 0x11670db09 in WebCore::HTMLDocumentParser::prepareToStopParsing() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x1224b09)
    #19 0x116713fcc in WebCore::HTMLDocumentParser::attemptToEnd() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x122afcc)
    #20 0x116714107 in WebCore::HTMLDocumentParser::finish() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x122b107)
    #21 0x11d1d02d7 in WebCore::DocumentWriter::end() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x7ce72d7)
    #22 0x11d1ce793 in WebCore::DocumentLoader::finishedLoading() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x7ce5793)
    #23 0x11d1ce163 in WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x7ce5163)
    #24 0x11d1cea8b in non-virtual thunk to WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x7ce5a8b)
    #25 0x11d45eee8 in WebCore::CachedResource::checkNotify() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x7f75ee8)
    #26 0x11d457003 in WebCore::CachedResource::finishLoading(WebCore::SharedBuffer*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x7f6e003)
    #27 0x11d458f92 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x7f6ff92)
    #28 0x11d389f9f in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x7ea0f9f)
    #29 0x110bd8f59 in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit:x86_64+0x23a6f59)
    #30 0x110be59df in void IPC::callMemberFunctionImpl<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&), std::__1::tuple<WebCore::NetworkLoadMetrics>, 0ul>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&), std::__1::tuple<WebCore::NetworkLoadMetrics>&&, std::__1::integer_sequence<unsigned long, 0ul>) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit:x86_64+0x23b39df)
    #31 0x110be55f8 in void IPC::callMemberFunction<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&), std::__1::tuple<WebCore::NetworkLoadMetrics>, std::__1::integer_sequence<unsigned long, 0ul> >(std::__1::tuple<WebCore::NetworkLoadMetrics>&&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit:x86_64+0x23b35f8)
    #32 0x110be281f in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit:x86_64+0x23b081f)
    #33 0x110be084a in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit:x86_64+0x23ae84a)
    #34 0x10f1d9571 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit:x86_64+0x9a7571)
    #35 0x10eb5488a in IPC::Connection::dispatchMessage(IPC::Decoder&) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit:x86_64+0x32288a)
    #36 0x10eb38198 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit:x86_64+0x306198)
    #37 0x10eb555b7 in IPC::Connection::dispatchOneMessage() (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit:x86_64+0x3235b7)
    #38 0x10eb944bc in IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_14::operator()() (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit:x86_64+0x3624bc)
    #39 0x10eb943e8 in WTF::Function<void ()>::CallableWrapper<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_14>::call() (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit:x86_64+0x3623e8)
    #40 0x1352df7e2 in WTF::Function<void ()>::operator()() const (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3a987e2)
    #41 0x135336cec in WTF::RunLoop::performWork() (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3aefcec)
    #42 0x135337d78 in WTF::RunLoop::performWork(void*) (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x3af0d78)
    #43 0x7fffa6c5e320 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0xa7320)
    #44 0x7fffa6c3f21c in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x8821c)
    #45 0x7fffa6c3e715 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x87715)
    #46 0x7fffa6c3e113 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x87113)
    #47 0x7fffa619eebb in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30ebb)
    #48 0x7fffa619ecf0 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30cf0)
    #49 0x7fffa619eb25 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30b25)
    #50 0x7fffa4737a53 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x46a53)
    #51 0x7fffa4eb37ed in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7c27ed)
    #52 0x7fffa472c3da in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x3b3da)
    #53 0x7fffa46f6e0d in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x5e0d)
    #54 0x7fffbc61f8c6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x108c6)
    #55 0x7fffbc61e2e3 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0xf2e3)
    #56 0x1082eadc0 in main (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x100001dc0)
    #57 0x7fffbc3c6234 in start (/usr/lib/system/libdyld.dylib:x86_64+0x5234)

==65062==Register values:
rax = 0x0000000000000078  rbx = 0x00007fff5790c4c0  rcx = 0x000010000000000f  rdx = 0x00001c160001dcc2  
rdi = 0x0000000000000078  rsi = 0x0000000000000800  rbp = 0x00007fff5790c450  rsp = 0x00007fff5790c440  
 r8 = 0x00007fff5790c2a0   r9 = 0x000000000000002e  r10 = 0x00000001090be701  r11 = 0x0000000000000180  
r12 = 0x00007fff5790cc80  r13 = 0x0000000000000009  r14 = 0x00006120000d6e40  r15 = 0x00007fff5790cc60  
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore:x86_64+0x91b6a1) in WebCore::RenderStyle::overflowX() const
==65062==ABORTING
#CRASHED - com.apple.WebKit.WebContent.Development (pid 65062)
LEAK: 1 WebProcessPool
LEAK: 1 WebPageProxy
Comment 1 Simon Fraser (smfr) 2017-10-26 10:49:26 PDT 
Cc antti for "display:contents"
Comment 2 Radar WebKit Bug Importer 2017-10-26 10:50:42 PDT 
<rdar://problem/35201120>
Comment 3 Antti Koivisto 2017-11-03 05:00:56 PDT 
Created attachment 325883 [details]
patch
Comment 4 Antti Koivisto 2017-11-03 05:01:22 PDT 
*** Bug 178858 has been marked as a duplicate of this bug. ***
Comment 5 Build Bot 2017-11-03 05:55:28 PDT 
Comment on attachment 325883 [details]
patch

Attachment 325883 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.webkit.org/results/5089236

New failing tests:
imported/w3c/web-platform-tests/css/css-display-3/display-contents-computed-style.html
Comment 6 Build Bot 2017-11-03 05:55:29 PDT 
Created attachment 325885 [details]
Archive of layout-test-results from ews102 for mac-elcapitan

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews102  Port: mac-elcapitan  Platform: Mac OS X 10.11.6
Comment 7 Build Bot 2017-11-03 06:04:50 PDT 
Comment on attachment 325883 [details]
patch

Attachment 325883 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/5089267

New failing tests:
imported/w3c/web-platform-tests/css/css-display-3/display-contents-computed-style.html
Comment 8 Build Bot 2017-11-03 06:04:51 PDT 
Created attachment 325886 [details]
Archive of layout-test-results from ews107 for mac-elcapitan-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews107  Port: mac-elcapitan-wk2  Platform: Mac OS X 10.11.6
Comment 9 Build Bot 2017-11-03 06:16:28 PDT 
Comment on attachment 325883 [details]
patch

Attachment 325883 [details] did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/5089263

New failing tests:
imported/w3c/web-platform-tests/css/css-display-3/display-contents-computed-style.html
Comment 10 Build Bot 2017-11-03 06:16:30 PDT 
Created attachment 325887 [details]
Archive of layout-test-results from ews113 for mac-elcapitan

The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews113  Port: mac-elcapitan  Platform: Mac OS X 10.11.6
Comment 11 Build Bot 2017-11-03 06:22:01 PDT 
Comment on attachment 325883 [details]
patch

Attachment 325883 [details] did not pass ios-sim-ews (ios-simulator-wk2):
Output: http://webkit-queues.webkit.org/results/5089286

New failing tests:
imported/w3c/web-platform-tests/css/css-display-3/display-contents-computed-style.html
Comment 12 Build Bot 2017-11-03 06:22:02 PDT 
Created attachment 325888 [details]
Archive of layout-test-results from ews123 for ios-simulator-wk2

The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews123  Port: ios-simulator-wk2  Platform: Mac OS X 10.12.6
Comment 13 Antti Koivisto 2017-11-03 06:31:20 PDT 
Created attachment 325889 [details]
patch
Comment 14 WebKit Commit Bot 2017-11-03 07:46:21 PDT 
Comment on attachment 325889 [details]
patch

Clearing flags on attachment: 325889

Committed r224394: <https://trac.webkit.org/changeset/224394>
Comment 15 WebKit Commit Bot 2017-11-03 07:46:23 PDT 
All reviewed patches have been landed.  Closing bug.