Bug 178865 - ASSERTION FAILED: !renderer->needsLayout() in WebCore::RenderBlock::checkPositionedObjectsNeedLayout with MathML
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: MathML
Version: WebKit Local Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Frédéric Wang (:fredw)
URL:
Keywords: InRadar
Depends on:
Blocks: 116980 179739
Reported: 2017-10-26 06:44 PDT by Renata Hodovan
Modified: 2017-11-15 15:04 PST

Attachments
Test (163 bytes, text/html)
2017-10-26 06:44 PDT, Renata Hodovan
Patch (WIP) (2.11 KB, patch)
2017-11-15 04:52 PST, Frédéric Wang (:fredw)
Patch (14.70 KB, patch)
2017-11-15 11:36 PST, Frédéric Wang (:fredw)
rego: review+

Description Renata Hodovan 2017-10-26 06:44:24 PDT
Created attachment 325005
Test

Load the attached test with debug WebKitTestRunner:

<math style="transform: matrix(266, 638, -645, 889, 768, 735)">
    <mi>
      <a>
          <a style="position: absolute;"></a>
      </a>
    </mi>
</math>

Checked version: 9e82982
OS: macOS Sierra (10.12.5)

Backtrace:

ASSERTION FAILED: !renderer->needsLayout()
WebKit/Source/WebCore/rendering/RenderBlock.cpp(3625) : void WebCore::RenderBlock::checkPositionedObjectsNeedLayout()
1   0x12d2ad321 WTFCrash
2   0x10c1194f7 WebCore::RenderBlock::checkPositionedObjectsNeedLayout()
3   0x10c79e49f WebCore::RenderObject::checkBlockPositionedObjectsNeedLayout()
4   0x10c79e411 WebCore::RenderObject::clearNeedsLayout()
5   0x10c733372 WebCore::RenderMathMLRow::layoutBlock(bool, WebCore::LayoutUnit)
6   0x10c0cd603 WebCore::RenderBlock::layout()
7   0x10b04e4ac WebCore::RenderElement::layoutIfNeeded()
8   0x10c22235d WebCore::RenderBlockFlow::layoutLineBoxes(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
9   0x10c195306 WebCore::RenderBlockFlow::layoutInlineChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
10  0x10c1919dc WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)
11  0x10c0cd603 WebCore::RenderBlock::layout()
12  0x10c19f7fb WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
13  0x10c195b2b WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)
14  0x10c191a53 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)
15  0x10c0cd603 WebCore::RenderBlock::layout()
16  0x10c19f7fb WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
17  0x10c195b2b WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)
18  0x10c191a53 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)
19  0x10c0cd603 WebCore::RenderBlock::layout()
20  0x10cb8d3d6 WebCore::RenderView::layoutContent(WebCore::LayoutState const&)
21  0x10cb8efea WebCore::RenderView::layout()
22  0x10ad86a1f WebCore::FrameView::layout()
23  0x1112c03a9 WebCore::Document::implicitClose()
24  0x111d82fc5 WebCore::FrameLoader::checkCallImplicitClose()
25  0x111d82706 WebCore::FrameLoader::checkCompleted()
26  0x111d7e4ea WebCore::FrameLoader::finishedParsing()
27  0x1112f46b2 WebCore::Document::finishedParsing()
28  0x10b18e236 WebCore::HTMLConstructionSite::finishedParsing()
29  0x10b55a2c9 WebCore::HTMLTreeBuilder::finished()
30  0x10b216ead WebCore::HTMLDocumentParser::end()
31  0x10b210fe9 WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd()
ASAN:DEADLYSIGNAL
=================================================================
==84587==ERROR: AddressSanitizer: SEGV on unknown address 0x0000bbadbeef (pc 0x00012d2ad359 bp 0x7fff5f2b5890 sp 0x7fff5f2b5880 T0)
==84587==The signal is caused by a WRITE memory access.
==84587==WARNING: invalid path to external symbolizer!
==84587==WARNING: Failed to use and restart external symbolizer!
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x39fe358) in WTFCrash
==84587==ABORTING
#CRASHED - com.apple.WebKit.WebContent.Development (pid 84587)
LEAK: 1 WebProcessPool
LEAK: 1 WebPageProxy
Comment 1 Frédéric Wang (:fredw) 2017-11-14 14:31:28 PST
Just reading the code, I see that RenderMathMLRow::layoutRowItems does not call layoutIfNeeded for OutOfFlowPositioned children. This logic was copied from the flexbox code but I'm not sure how RenderFlexibleBox::layoutBlock ensures that clearNeedsLayout() won't ASSERT. I wonder whether we could just remove that OutOfFlowPositioned logic for MathML.

@javi: Any idea?
Comment 2 Frédéric Wang (:fredw) 2017-11-15 04:52:10 PST
Created attachment 326976
Patch (WIP)

I discussed that a bit with rego, and the absolutely-positioned HTML element is not a child of the MathML element so the crash is actually not due to how RenderMathMLRow::layoutRowItems performs

        if (child->isOutOfFlowPositioned()) {
            child->containingBlock()->insertPositionedObject(*child);
            continue;
        }

However, a similar insertPositionedObject call should happen inside the HTML renderers. And because of the CSS transform on it, the <math> element becomes the containing block of the absolutely-positioned HTML element and hence must call layoutPositionedObjects(). The attached patch does that and addresses the case reported here.

This is still WIP, we need to:

1) Call layoutPositionedObjects() in other MathML layout functions. For example the ASSERT will also happen with

      <math>
        <mtext style="position: relative">
          <span>
            <span style="position: absolute">X</span>
          </span>
        </mtext>
      </math>

2) Maybe call insertPositionedObject in other MathML layout functions too (probably an edge case and not really important, for example Firefox does not handle that correctly either). For example compare the position of A and B in

      <math>
        <mtext style="position: absolute; left: 100px; top: 100px;">A</mtext>
        <mfrac>
          <mtext style="position: absolute; left: 100px; top: 100px;">B</mtext>
          <mtext></mtext>
        </mfrac>
      </math>
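
The invariant described in comment 2, as an added example that is not part of this bug thread or of WebKit's source: a toy C++ model in which a transformed box becomes the containing block of an absolutely-positioned descendant and must lay it out before clearing its own needsLayout flag. All types and function names (Box, containingBlockFor, layout, assertionHolds) are hypothetical simplifications.

```cpp
// Toy model of the invariant from this bug. NOT WebKit code: every type and
// function name here is a hypothetical simplification.
#include <cstddef>
#include <memory>
#include <vector>

struct Box {
    Box* parent = nullptr;
    bool absolute = false;          // position: absolute (out-of-flow)
    bool relative = false;          // position: relative
    bool transformed = false;       // has a CSS transform
    bool laysOutPositioned = true;  // does layout() handle its positioned objects?
    bool needsLayout = true;
    std::vector<Box*> children;
    std::vector<Box*> positionedObjects;
};

// Nearest positioned or transformed ancestor, else the root box.
Box* containingBlockFor(const Box& box) {
    Box* a = box.parent;
    while (a->parent && !a->transformed && !a->relative && !a->absolute)
        a = a->parent;
    return a;
}

// Returns false where the debug check (!renderer->needsLayout()) would fail.
bool layout(Box& box) {
    bool ok = true;
    for (Box* child : box.children) {
        if (child->absolute) { // skipped in normal flow, owned by its containing block
            containingBlockFor(*child)->positionedObjects.push_back(child);
            continue;
        }
        ok = layout(*child) && ok;
    }
    if (box.laysOutPositioned)
        for (std::size_t i = 0; i < box.positionedObjects.size(); ++i)
            ok = layout(*box.positionedObjects[i]) && ok;
    // Models the check made when the box clears its own needsLayout flag.
    for (Box* p : box.positionedObjects)
        ok = ok && !p->needsLayout;
    box.needsLayout = false;
    return ok;
}

// Builds view > math > mi > a > a[absolute], the shape of the attached test.
bool assertionHolds(bool mathTransformed, bool mathLaysOutPositioned) {
    std::vector<std::unique_ptr<Box>> boxes;
    auto add = [&](Box* parent) {
        boxes.push_back(std::make_unique<Box>());
        Box* b = boxes.back().get();
        b->parent = parent;
        if (parent) parent->children.push_back(b);
        return b;
    };
    Box* view = add(nullptr);
    Box* math = add(view);
    math->transformed = mathTransformed;
    math->laysOutPositioned = mathLaysOutPositioned;
    Box* inner = add(add(add(math))); // mi, outer <a>, inner <a>
    inner->absolute = true;
    return layout(*view);
}
```

assertionHolds(true, false) models the reported test and returns false; without the transform the root box owns the positioned object and the check passes, which is why the reduced test case needs the transform on <math>.
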
Comment 3 zalan 2017-11-15 08:36:51 PST
>2) Maybe call insertPositionedObject in other MathML layout functions too
Not sure how much it actually matters for MathML content, but in general any container (block or inline) could potentially be a containing block for any out of flow positioned descendant.
Comment 4 Frédéric Wang (:fredw) 2017-11-15 09:07:14 PST
(In reply to zalan from comment #3)
> >2) Maybe call insertPositionedObject in other MathML layout functions too
> Not sure how much it actually matters for MathML content, but in general any
> container (block or inline) could potentially be a containing block for any
> out of flow positioned descendant.

I think we should definitely handle (1) i.e. call layoutPositionedObjects() in all MathML layoutBlock functions in order to address this kind of ASSERT failure where MathML elements have an out-of-flow child among their descendants.

I'm less sure about (2) i.e. passing out-of-flow children of a MathML element to insertPositionedObject. That would be easy to do but this would also add some special handling in all MathML layoutBlock functions just for the sake of some weird use cases (e.g. absolutely positioning a numerator or a super-script). So I actually lean toward removing that from RenderMathMLRow too, which is even more straightforward and simplifies the code further.
Comment 5 Frédéric Wang (:fredw) 2017-11-15 11:36:43 PST
Created attachment 327003
Patch
Comment 6 Frédéric Wang (:fredw) 2017-11-15 11:38:28 PST
I've uploaded a patch to fix the ASSERTION failures and opened bug 179739 for the handling of out-of-flow positioned children.
Comment 7 Manuel Rego Casasnovas 2017-11-15 12:04:07 PST
Comment on attachment 327003
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=327003&action=review

r=me

> Source/WebCore/ChangeLog:9
> +        out-of-flow positioned descendants. Also all MathML elements can be block container and hence

Nit: s/block container/containing block/
Comment 8 Frédéric Wang (:fredw) 2017-11-15 12:10:59 PST
https://trac.webkit.org/changeset/224894/
Comment 9 Radar WebKit Bug Importer 2017-11-15 15:04:32 PST
<rdar://problem/35572670>