Bug 207032 - Crash in RenderListItem::addOverflowFromChildren
Summary: Crash in RenderListItem::addOverflowFromChildren
Status: RESOLVED DUPLICATE of bug 209262
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2020-01-30 23:15 PST by Ryosuke Niwa
Modified: 2020-04-01 20:24 PDT
CC: 8 users

See Also:


Attachments
Test case (unreduced) (496.09 KB, text/html), 2020-01-30 23:16 PST, Ryosuke Niwa
Test case (reduced) (2.70 KB, text/html), 2020-02-04 12:12 PST, Ali Juma
Minimal test case (143 bytes, text/html), 2020-02-07 07:07 PST, Ali Juma
More-minimal test case (121 bytes, text/html), 2020-02-24 14:44 PST, Ali Juma

Description Ryosuke Niwa 2020-01-30 23:15:32 PST
e.g.

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x00007fff4a907991 WebCore::RenderListItem::addOverflowFromChildren() + 3553
1   com.apple.WebCore             	0x00007fff4a89ff81 WebCore::RenderBlock::computeOverflow(WebCore::LayoutUnit, bool) + 113
2   com.apple.WebCore             	0x00007fff4c283dd7 WebCore::RenderBlockFlow::computeOverflow(WebCore::LayoutUnit, bool) + 23
3   com.apple.WebCore             	0x00007fff4c276075 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 4213
4   com.apple.WebCore             	0x00007fff4a89d62a WebCore::RenderBlock::layout() + 42
5   com.apple.WebCore             	0x00007fff4c27783d WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 4029
6   com.apple.WebCore             	0x00007fff4c275877 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 2167
7   com.apple.WebCore             	0x00007fff4a89d62a WebCore::RenderBlock::layout() + 42
8   com.apple.WebCore             	0x00007fff4c3543f4 WebCore::RenderMultiColumnFlow::layout() + 212
9   com.apple.WebCore             	0x00007fff4c288c74 WebCore::RenderBlockFlow::layoutExcludedChildren(bool) + 292
10  com.apple.WebCore             	0x00007fff4c276d5f WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 1247
11  com.apple.WebCore             	0x00007fff4c275877 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 2167
12  com.apple.WebCore             	0x00007fff4c275e55 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 3669
13  com.apple.WebCore             	0x00007fff4a89d62a WebCore::RenderBlock::layout() + 42
14  com.apple.WebCore             	0x00007fff4c36e4e6 WebCore::RenderTable::layoutCaption(WebCore::RenderTableCaption&) + 198
15  com.apple.WebCore             	0x00007fff4a944d5c WebCore::RenderTable::layout() + 12204
16  com.apple.WebCore             	0x00007fff4c27c267 WebCore::RenderBlockFlow::layoutLineBoxes(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 4903
17  com.apple.WebCore             	0x00007fff4c27588e WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 2190
18  com.apple.WebCore             	0x00007fff4a89d62a WebCore::RenderBlock::layout() + 42
19  com.apple.WebCore             	0x00007fff4c27783d WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 4029
20  com.apple.WebCore             	0x00007fff4c275877 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 2167
21  com.apple.WebCore             	0x00007fff4a89d62a WebCore::RenderBlock::layout() + 42
22  com.apple.WebCore             	0x00007fff4c3543f4 WebCore::RenderMultiColumnFlow::layout() + 212
23  com.apple.WebCore             	0x00007fff4c288c74 WebCore::RenderBlockFlow::layoutExcludedChildren(bool) + 292
24  com.apple.WebCore             	0x00007fff4c276d5f WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 1247
25  com.apple.WebCore             	0x00007fff4c275877 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 2167
26  com.apple.WebCore             	0x00007fff4a89d62a WebCore::RenderBlock::layout() + 42
27  com.apple.WebCore             	0x00007fff4c27783d WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 4029
28  com.apple.WebCore             	0x00007fff4c275877 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 2167
29  com.apple.WebCore             	0x00007fff4a89d62a WebCore::RenderBlock::layout() + 42
30  com.apple.WebCore             	0x00007fff4c27783d WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 4029
31  com.apple.WebCore             	0x00007fff4c275877 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 2167
32  com.apple.WebCore             	0x00007fff4a89d62a WebCore::RenderBlock::layout() + 42
33  com.apple.WebCore             	0x00007fff4c27783d WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 4029
34  com.apple.WebCore             	0x00007fff4c275877 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 2167
35  com.apple.WebCore             	0x00007fff4a89d62a WebCore::RenderBlock::layout() + 42
36  com.apple.WebCore             	0x00007fff4c27783d WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 4029
37  com.apple.WebCore             	0x00007fff4c275877 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 2167
38  com.apple.WebCore             	0x00007fff4a89d62a WebCore::RenderBlock::layout() + 42
39  com.apple.WebCore             	0x00007fff4a89d380 WebCore::RenderView::layout() + 1120
40  com.apple.WebCore             	0x00007fff4bfe6b9c WebCore::FrameViewLayoutContext::layout() + 1532
41  com.apple.WebCore             	0x00007fff4a917137 WebCore::Document::updateLayout() + 279
42  com.apple.WebCore             	0x00007fff4a99bc75 WebCore::Element::scrollLeft() + 101
43  com.apple.WebCore             	0x00007fff4af3fb1f WebCore::jsElementPrototypeFunctionScrollBy(JSC::ExecState*) + 335

<rdar://problem/58447665>
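The stack above is the kind of input a fuzzing or crash-triage pipeline has to parse. The following Python helper is an added example, not code from this report or from WebKit: it parses the crashed thread's frames, builds a bucket signature from the top function names with addresses and offsets stripped (they change with ASLR and every rebuild, the call chain does not), collapses the repeated layoutBlockChildren -> layoutBlock -> layout recursion into one entry with a count, and pulls out the generated DOM binding (here jsElementPrototypeFunctionScrollBy) that drove layout from script, which tells you which API a deterministic repro page should call after building the DOM. The sample log is a constructed excerpt of the report's own stack (frames 4-23 and 30-40 left out); the js<Interface>PrototypeFunction<Method> naming is inferred from frame 43 and assumed to hold for other bindings.

```python
"""Crash-log triage helper (added example, not WebKit code)."""
from __future__ import annotations
import hashlib
import re
from dataclasses import dataclass

# Frame line: "<index>  <module>  0x<addr> <symbol> + <offset>"
FRAME_RE = re.compile(r"^\s*(?P<index>\d+)\s+(?P<module>\S+)\s+(?P<addr>0x[0-9a-fA-F]+)\s+"
                      r"(?P<symbol>.+?)\s\+\s(?P<offset>\d+)\s*$")
# Assumed naming of generated DOM bindings, as seen in frame 43 of the report
JS_BINDING_RE = re.compile(r"WebCore::js(?P<iface>[A-Za-z0-9]+?)PrototypeFunction(?P<method>[A-Za-z0-9]+)\(")

# Constructed sample: excerpt of the report's stack (frames 4-23 and 30-40 omitted)
SAMPLE_LOG = """\
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore   0x00007fff4a907991 WebCore::RenderListItem::addOverflowFromChildren() + 3553
1   com.apple.WebCore   0x00007fff4a89ff81 WebCore::RenderBlock::computeOverflow(WebCore::LayoutUnit, bool) + 113
2   com.apple.WebCore   0x00007fff4c283dd7 WebCore::RenderBlockFlow::computeOverflow(WebCore::LayoutUnit, bool) + 23
3   com.apple.WebCore   0x00007fff4c276075 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 4213
24  com.apple.WebCore   0x00007fff4c276d5f WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 1247
25  com.apple.WebCore   0x00007fff4c275877 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 2167
26  com.apple.WebCore   0x00007fff4a89d62a WebCore::RenderBlock::layout() + 42
27  com.apple.WebCore   0x00007fff4c27783d WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 4029
28  com.apple.WebCore   0x00007fff4c275877 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 2167
29  com.apple.WebCore   0x00007fff4a89d62a WebCore::RenderBlock::layout() + 42
41  com.apple.WebCore   0x00007fff4a917137 WebCore::Document::updateLayout() + 279
42  com.apple.WebCore   0x00007fff4a99bc75 WebCore::Element::scrollLeft() + 101
43  com.apple.WebCore   0x00007fff4af3fb1f WebCore::jsElementPrototypeFunctionScrollBy(JSC::ExecState*) + 335
"""

@dataclass(frozen=True)
class Frame:
    index: int
    module: str
    address: int
    symbol: str  # demangled name with parameter list
    offset: int  # byte offset into the function

def parse_frames(log: str) -> list[Frame]:
    """Frames of the first crashed thread, innermost first; stops at the first non-frame line."""
    frames: list[Frame] = []
    in_thread = False
    for line in log.splitlines():
        if line.startswith("Thread ") and "Crashed" in line:
            in_thread = True
            continue
        m = FRAME_RE.match(line) if in_thread else None
        if m is None:
            if frames:
                break
            continue
        frames.append(Frame(int(m["index"]), m["module"], int(m["addr"], 16), m["symbol"], int(m["offset"])))
    return frames

def bare_name(symbol: str) -> str:
    """Function name without its parameter list, so overloads share a bucket."""
    return symbol.split("(", 1)[0]

def crash_signature(frames: list[Frame], depth: int = 3) -> tuple[str, ...]:
    """Top `depth` distinct function names; addresses and offsets are left out on purpose,
    since ASLR and rebuilds change them while the call chain does not."""
    names: list[str] = []
    for f in frames:
        if bare_name(f.symbol) not in names:
            names.append(bare_name(f.symbol))
        if len(names) == depth:
            break
    return tuple(names)

def bucket_id(frames: list[Frame], depth: int = 3) -> str:
    return hashlib.sha256("|".join(crash_signature(frames, depth)).encode()).hexdigest()[:16]

def collapse_cycles(names: list[str], max_cycle: int = 4) -> list[tuple[tuple[str, ...], int]]:
    """Collapse a run of a repeated cycle of up to `max_cycle` frames into (cycle, repeat_count);
    deep layout recursion shows up as the same 3-frame cycle many times."""
    out: list[tuple[tuple[str, ...], int]] = []
    i = 0
    while i < len(names):
        for k in range(1, max_cycle + 1):
            unit, reps = names[i:i + k], 1
            while len(unit) == k and names[i + reps * k:i + (reps + 1) * k] == unit:
                reps += 1
            if reps > 1:
                break
        else:  # no repeated cycle starts here: emit a single frame
            unit, reps = names[i:i + 1], 1
        out.append((tuple(unit), reps))
        i += reps * len(unit)
    return out

def js_entry_point(frames: list[Frame]) -> tuple[str, str] | None:
    """(interface, method) of the DOM binding that called into layout, e.g. ("Element", "scrollBy"):
    the API a deterministic repro page should call after building the DOM."""
    for f in frames:
        m = JS_BINDING_RE.search(f.symbol)
        if m:
            return m["iface"], m["method"][0].lower() + m["method"][1:]
    return None

if __name__ == "__main__":
    fr = parse_frames(SAMPLE_LOG)
    print(bucket_id(fr), crash_signature(fr), js_entry_point(fr), collapse_cycles([bare_name(f.symbol) for f in fr]))
```

Run it directly to print the bucket id, the signature, the JS entry point and the collapsed stack. Two logs of the same crash from different builds land in the same bucket as long as their top three function names match, which is what you want when deduplicating fuzzer output before filing.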
Comment 1 Ryosuke Niwa 2020-01-30 23:16:44 PST
Created attachment 389331
Test case (unreduced)
Comment 2 Ali Juma 2020-02-04 12:12:04 PST
Created attachment 389691
Test case (reduced)
Comment 3 Ali Juma 2020-02-07 07:07:54 PST
Created attachment 390082
Minimal test case
Comment 4 Ali Juma 2020-02-10 20:11:56 PST
This is crashing because in the render tree, we have a RenderInline whose child is a RenderBox.

The minimal test case is just:
<label>
  <ul style="display: table-caption; columns: 1px">
    <li style="-webkit-border-image: url()">
      <dl style="-webkit-column-span: all;">
        <dd>p

In the render tree, the ul element's RenderTableCaption has a RenderTable parent, whose parent is the RenderInline for the label element.

We crash in RenderListItem::positionListMarker because as we keep updating |markerAncestor| in the loop at https://trac.webkit.org/browser/webkit/trunk/Source/WebCore/rendering/RenderListItem.cpp#L341, going down the parentBox chain, we eventually get a null |markerAncestor| when we reach the RenderBox whose parent is that RenderInline (since RenderBox::parentBox returns null if parent() isn't a RenderBox).

In a debug build, we fail the assertion in RenderBox::parentBox that parent() is a RenderBox.

Where would be a good place to start looking to figure out why a RenderInline is getting a RenderBox child?
Comment 5 Ali Juma 2020-02-24 14:44:44 PST
Created attachment 391582
More-minimal test case

Minimized the test case just a bit more.

I'm still not sure why the RenderInline is getting a RenderBox child rather than the usual logic of creating an anonymous block getting triggered, but it seems like RenderTreeBuilder::Inline::attachIgnoringContinuation is the place to debug.
Comment 6 Ryosuke Niwa 2020-04-01 20:24:09 PDT
Oh, looks like this got fixed in bug 209262.
Comment 7 Ryosuke Niwa 2020-04-01 20:24:44 PDT
Reverse duping

*** This bug has been marked as a duplicate of bug 209262 ***