RESOLVED FIXED 179308
Assertion failure in RenderMultiColumnSet::requiresBalancing() on fast/multicol/spanner-crash-when-adding-summary.html 
https://bugs.webkit.org/show_bug.cgi?id=179308
Summary Assertion failure in RenderMultiColumnSet::requiresBalancing() on fast/multic...
Ryosuke Niwa
Reported 2017-11-05 16:39:13 PST
Running multi column tests locally and bots using debug builds hit this assertion: e.g. https://build.webkit.org/results/Apple%20Sierra%20Debug%20WK2%20(Tests)/r224468%20(3881)/com.apple.WebKit.WebContent.Development-78829-crash-log.txt https://build.webkit.org/builders/Apple%20Sierra%20Debug%20WK2%20%28Tests%29/builds/3881 CRASHING TEST: fast/multicol/spanner-crash-when-adding-summary.html Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.JavaScriptCore 0x0000000108c0dab4 WTFCrash + 36 (Assertions.cpp:270) 1 com.apple.WebCore 0x000000010ff52364 WebCore::RenderMultiColumnSet::requiresBalancing() const + 196 (RenderMultiColumnSet.cpp:327) 2 com.apple.WebCore 0x000000010ff527b8 WebCore::RenderMultiColumnSet::prepareForLayout(bool) + 216 (RenderMultiColumnSet.cpp:347) 3 com.apple.WebCore 0x000000010fd8af8e WebCore::RenderBlockFlow::layoutExcludedChildren(bool) + 254 (RenderBlockFlow.cpp:3808) 4 com.apple.WebCore 0x000000010fd72e05 WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 277 (RenderBlockFlow.cpp:624) 5 com.apple.WebCore 0x000000010fd71ca2 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 1058 (RenderBlockFlow.cpp:510) 6 com.apple.WebCore 0x000000010fd55459 WebCore::RenderBlock::layout() + 89 (RenderBlock.cpp:1040) 7 com.apple.WebCore 0x000000010fd75a16 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 1270 (RenderBlockFlow.cpp:732) 8 com.apple.WebCore 0x000000010fd72f4a WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 602 (RenderBlockFlow.cpp:631) 9 com.apple.WebCore 0x000000010fd71ca2 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 1058 (RenderBlockFlow.cpp:510) 10 com.apple.WebCore 0x000000010fd55459 WebCore::RenderBlock::layout() + 89 (RenderBlock.cpp:1040) 11 com.apple.WebCore 0x000000010fd75a16 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 1270 (RenderBlockFlow.cpp:732) 12 com.apple.WebCore 0x000000010fd72f4a WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 602 (RenderBlockFlow.cpp:631) 13 com.apple.WebCore 0x000000010fd71ca2 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 1058 (RenderBlockFlow.cpp:510) 14 com.apple.WebCore 0x000000010fd55459 WebCore::RenderBlock::layout() + 89 (RenderBlock.cpp:1040) 15 com.apple.WebCore 0x000000010fd75a16 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 1270 (RenderBlockFlow.cpp:732) 16 com.apple.WebCore 0x000000010fd72f4a WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 602 (RenderBlockFlow.cpp:631) 17 com.apple.WebCore 0x000000010fd71ca2 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 1058 (RenderBlockFlow.cpp:510) 18 com.apple.WebCore 0x000000010fd55459 WebCore::RenderBlock::layout() + 89 (RenderBlock.cpp:1040) 19 com.apple.WebCore 0x000000010ffec871 WebCore::RenderView::layoutContent(WebCore::LayoutState const&) + 97 (RenderView.cpp:203) 20 com.apple.WebCore 0x000000010ffed317 WebCore::RenderView::layout() + 2135 (RenderView.cpp:268) 21 com.apple.WebCore 0x000000010f7a300d WebCore::LayoutContext::layout() + 1597 (LayoutContext.cpp:181) 22 com.apple.WebCore 0x000000010ef5e248 WebCore::Document::updateLayoutIfDimensionsOutOfDate(WebCore::Element&, WebCore::DimensionsCheck) + 1640 (Document.cpp:2112) 23 com.apple.WebCore 0x000000010eff0510 WebCore::Element::offsetHeight() + 48 (Element.cpp:849) 24 com.apple.WebCore 0x000000010dc2cd0d WebCore::jsHTMLElementOffsetHeightGetter(JSC::ExecState&, WebCore::JSHTMLElement&, JSC::ThrowScope&) + 61 (JSHTMLElement.cpp:975) 25 com.apple.WebCore 0x000000010dbee5c0 long long WebCore::IDLAttribute<WebCore::JSHTMLElement>::get<&(WebCore::jsHTMLElementOffsetHeightGetter(JSC::ExecState&, WebCore::JSHTMLElement&, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)3>(JSC::ExecState&, long long, char const*) + 224 (JSDOMAttribute.h:69) 26 com.apple.WebCore 0x000000010dbee4cb WebCore::jsHTMLElementOffsetHeight(JSC::ExecState*, long long, JSC::PropertyName) + 43 (JSHTMLElement.cpp:981) 27 com.apple.JavaScriptCore 0x000000010890b03d JSC::PropertySlot::customGetter(JSC::ExecState*, JSC::PropertyName) const + 461 (PropertySlot.cpp:50) 28 com.apple.JavaScriptCore 0x00000001077f90a2 JSC::PropertySlot::getValue(JSC::ExecState*, JSC::PropertyName) const + 178 (PropertySlot.h:408) 29 com.apple.JavaScriptCore 0x0000000107fb720f JSC::JSValue::get(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) const + 319 (JSCJSValueInlines.h:806) 30 com.apple.JavaScriptCore 0x0000000108554d44 llint_slow_path_get_by_id + 372 (LLIntSlowPaths.cpp:662) 31 com.apple.JavaScriptCore 0x00000001077bf2e0 llint_entry + 13066 32 com.apple.JavaScriptCore 0x00000001077bbdb7 vmEntryToJavaScript + 343 33 com.apple.JavaScriptCore 0x00000001084ea69e JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 350 (JITCode.cpp:81) 34 com.apple.JavaScriptCore 0x0000000108490e2d JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::ExecState*, JSC::JSObject*) + 5421 (Interpreter.cpp:927) 35 com.apple.JavaScriptCore 0x000000010870d2b7 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) + 471 (Completion.cpp:103) 36 com.apple.JavaScriptCore 0x000000010870d450 JSC::profiledEvaluate(JSC::ExecState*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) + 80 (Completion.cpp:118) 37 com.apple.WebCore 0x000000010eb0eabb WebCore::JSMainThreadExecState::profiledEvaluate(JSC::ExecState*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) + 75 (JSMainThreadExecState.h:78) 38 com.apple.WebCore 0x000000010eb0e8a8 WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&, WebCore::ExceptionDetails*) + 312 (ScriptController.cpp:177) 39 com.apple.WebCore 0x000000010eb0eb9d WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&, WebCore::ExceptionDetails*) + 61 (ScriptController.cpp:193) 40 com.apple.WebCore 0x000000010f09be35 WebCore::ScriptElement::executeClassicScript(WebCore::ScriptSourceCode const&) + 805 (ScriptElement.cpp:386) 41 com.apple.WebCore 0x000000010f09a312 WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport) + 2386 (ScriptElement.cpp:266) 42 com.apple.WebCore 0x000000010f3fb610 WebCore::HTMLScriptRunner::runScript(WebCore::ScriptElement&, WTF::TextPosition const&) + 272 (HTMLScriptRunner.cpp:252) 43 com.apple.WebCore 0x000000010f3fb47f WebCore::HTMLScriptRunner::execute(WTF::Ref<WebCore::ScriptElement>&&, WTF::TextPosition const&) + 79 (HTMLScriptRunner.cpp:142) 44 com.apple.WebCore 0x000000010f3deb45 WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() + 1365 (HTMLDocumentParser.cpp:212) 45 com.apple.WebCore 0x000000010f3df003 WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) + 211 (HTMLDocumentParser.cpp:233) 46 com.apple.WebCore 0x000000010f3ddd38 WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) + 424 (HTMLDocumentParser.cpp:281) 47 com.apple.WebCore 0x000000010f3dd8ab WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode) + 171 (HTMLDocumentParser.cpp:173) 48 com.apple.WebCore 0x000000010f3e030a WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl>&&) + 874 (HTMLDocumentParser.cpp:397) 49 com.apple.WebCore 0x000000010ef41f42 WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter&) + 130 (DecodedDataDocumentParser.cpp:60) 50 com.apple.WebCore 0x000000010f5c0f5c WebCore::DocumentWriter::end() + 252 (DocumentWriter.cpp:274) 51 com.apple.WebCore 0x000000010f5c038f WebCore::DocumentLoader::finishedLoading() + 479 (DocumentLoader.cpp:415) 52 com.apple.WebCore 0x000000010f5c012d WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource&) + 349 (DocumentLoader.cpp:365) 53 com.apple.WebCore 0x000000010f5c051c non-virtual thunk to WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource&) + 44 54 com.apple.WebCore 0x000000010f6d13ad WebCore::CachedResource::checkNotify() + 125 (CachedResource.cpp:341) 55 com.apple.WebCore 0x000000010f6cdc51 WebCore::CachedResource::finishLoading(WebCore::SharedBuffer*) + 49 (CachedResource.cpp:359) 56 com.apple.WebCore 0x000000010f6ceb0c WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) + 236 (CachedRawResource.cpp:100) 57 com.apple.WebCore 0x000000010f6706a9 WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) + 697 (SubresourceLoader.cpp:572) 58 com.apple.WebKit 0x000000010251467d WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) + 413 (WebResourceLoader.cpp:150) 59 com.apple.WebKit 0x0000000102517e96 void IPC::callMemberFunctionImpl<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&), std::__1::tuple<WebCore::NetworkLoadMetrics>, 0ul>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&), std::__1::tuple<WebCore::NetworkLoadMetrics>&&, std::__1::integer_sequence<unsigned long, 0ul>) + 150 (HandleMessage.h:41) 60 com.apple.WebKit 0x0000000102517d08 void IPC::callMemberFunction<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&), std::__1::tuple<WebCore::NetworkLoadMetrics>, std::__1::integer_sequence<unsigned long, 0ul> >(std::__1::tuple<WebCore::NetworkLoadMetrics>&&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) + 88 (HandleMessage.h:47) 61 com.apple.WebKit 0x00000001025171d2 void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) + 258 (HandleMessage.h:127) 62 com.apple.WebKit 0x00000001025168fc WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) + 636 (WebResourceLoaderMessageReceiver.cpp:66) 63 com.apple.WebKit 0x0000000101bf7e59 WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) + 169 (NetworkProcessConnection.cpp:70) 64 com.apple.WebKit 0x000000010198cc63 IPC::Connection::dispatchMessage(IPC::Decoder&) + 51 (Connection.cpp:902) 65 com.apple.WebKit 0x00000001019822b8 IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) + 712 (Connection.cpp:930) 66 com.apple.WebKit 0x000000010198d260 IPC::Connection::dispatchOneMessage() + 1520 (Connection.cpp:959) 67 com.apple.WebKit 0x00000001019a53fd IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_14::operator()() + 29 (Connection.cpp:896) 68 com.apple.WebKit 0x00000001019a5359 WTF::Function<void ()>::CallableWrapper<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_14>::call() + 25 (Function.h:101) 69 com.apple.JavaScriptCore 0x0000000108c4303b WTF::Function<void ()>::operator()() const + 139 (Function.h:56) 70 com.apple.JavaScriptCore 0x0000000108c635b3 WTF::RunLoop::performWork() + 211 (RunLoop.cpp:107) 71 com.apple.JavaScriptCore 0x0000000108c63e34 WTF::RunLoop::performWork(void*) + 36 (RunLoopCF.cpp:38) 72 com.apple.CoreFoundation 0x00007fffa62763e1 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17 73 com.apple.CoreFoundation 0x00007fffa625765c __CFRunLoopDoSources0 + 556 74 com.apple.CoreFoundation 0x00007fffa6256b46 __CFRunLoopRun + 934 75 com.apple.CoreFoundation 0x00007fffa6256544 CFRunLoopRunSpecific + 420 76 com.apple.HIToolbox 0x00007fffa57b6ebc RunCurrentEventLoopInMode + 240 77 com.apple.HIToolbox 0x00007fffa57b6cf1 ReceiveNextEventCommon + 432 78 com.apple.HIToolbox 0x00007fffa57b6b26 _BlockUntilNextEventMatchingListInModeWithFilter + 71 79 com.apple.AppKit 0x00007fffa3d4fa54 _DPSNextEvent + 1120 80 com.apple.AppKit 0x00007fffa44cb7ee -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 2796 81 com.apple.AppKit 0x00007fffa3d443db -[NSApplication run] + 926 82 com.apple.AppKit 0x00007fffa3d0ee0e NSApplicationMain + 1237 83 libxpc.dylib 0x00007fffbc1e78c7 _xpc_objc_main + 775 84 libxpc.dylib 0x00007fffbc1e62e4 xpc_main + 494 85 com.apple.WebKit.WebContent 0x0000000101845145 main + 1189 (XPCServiceMain.mm:148) 86 libdyld.dylib 0x00007fffbbf8e235 start + 1
Attachments
patch (5.65 KB, patch)
2018-01-24 11:12 PST, Antti Koivisto 		zalan: review+
DetailsFormatted DiffDiff
patch (5.65 KB, patch)
2018-01-24 12:01 PST, Antti Koivisto 		commit-queue: commit-queue-
DetailsFormatted DiffDiff
patch (5.64 KB, patch)
2018-01-24 12:04 PST, Antti Koivisto 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Antti Koivisto
Comment 1 2018-01-24 11:03:00 PST
<rdar://problem/34592771>
Antti Koivisto
Comment 2 2018-01-24 11:12:12 PST
Created attachment 332180 [details] patch
zalan
Comment 3 2018-01-24 11:59:06 PST
Comment on attachment 332180 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=332180&action=review > Source/WebCore/ChangeLog:9 > + The issue here is that a we fail to tear down render tree for a summary element because adding another summary element "The issue here is that a we" -> "The issue here is that we"
Antti Koivisto
Comment 4 2018-01-24 12:01:45 PST
Created attachment 332184 [details] patch
WebKit Commit Bot
Comment 5 2018-01-24 12:04:11 PST
Comment on attachment 332184 [details] patch Rejecting attachment 332184 [details] from commit-queue. Failed to run "['/Volumes/Data/EWS/WebKit/Tools/Scripts/webkit-patch', '--status-host=webkit-queues.webkit.org', '--bot-id=webkit-cq-02', 'validate-changelog', '--check-oops', '--non-interactive', 332184, '--port=mac']" exit_code: 1 cwd: /Volumes/Data/EWS/WebKit ChangeLog entry in LayoutTests/ChangeLog contains OOPS!. Full output: http://webkit-queues.webkit.org/results/6198473
Antti Koivisto
Comment 6 2018-01-24 12:04:27 PST
Created attachment 332185 [details] patch
Antti Koivisto
Comment 7 2018-01-24 14:21:41 PST
https://trac.webkit.org/r227570
Note You need to log in before you can comment on or make changes to this bug.