207032 – Crash in RenderListItem::addOverflowFromChildren

RESOLVED DUPLICATE of bug 209262 207032

Crash in RenderListItem::addOverflowFromChildren

https://bugs.webkit.org/show_bug.cgi?id=207032

Summary Crash in RenderListItem::addOverflowFromChildren

Ryosuke Niwa

Reported 2020-01-30 23:15:32 PST

e.g. Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.WebCore 0x00007fff4a907991 WebCore::RenderListItem::addOverflowFromChildren() + 3553 1 com.apple.WebCore 0x00007fff4a89ff81 WebCore::RenderBlock::computeOverflow(WebCore::LayoutUnit, bool) + 113 2 com.apple.WebCore 0x00007fff4c283dd7 WebCore::RenderBlockFlow::computeOverflow(WebCore::LayoutUnit, bool) + 23 3 com.apple.WebCore 0x00007fff4c276075 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 4213 4 com.apple.WebCore 0x00007fff4a89d62a WebCore::RenderBlock::layout() + 42 5 com.apple.WebCore 0x00007fff4c27783d WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 4029 6 com.apple.WebCore 0x00007fff4c275877 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 2167 7 com.apple.WebCore 0x00007fff4a89d62a WebCore::RenderBlock::layout() + 42 8 com.apple.WebCore 0x00007fff4c3543f4 WebCore::RenderMultiColumnFlow::layout() + 212 9 com.apple.WebCore 0x00007fff4c288c74 WebCore::RenderBlockFlow::layoutExcludedChildren(bool) + 292 10 com.apple.WebCore 0x00007fff4c276d5f WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 1247 11 com.apple.WebCore 0x00007fff4c275877 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 2167 12 com.apple.WebCore 0x00007fff4c275e55 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 3669 13 com.apple.WebCore 0x00007fff4a89d62a WebCore::RenderBlock::layout() + 42 14 com.apple.WebCore 0x00007fff4c36e4e6 WebCore::RenderTable::layoutCaption(WebCore::RenderTableCaption&) + 198 15 com.apple.WebCore 0x00007fff4a944d5c WebCore::RenderTable::layout() + 12204 16 com.apple.WebCore 0x00007fff4c27c267 WebCore::RenderBlockFlow::layoutLineBoxes(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 4903 17 com.apple.WebCore 0x00007fff4c27588e WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 2190 18 com.apple.WebCore 0x00007fff4a89d62a WebCore::RenderBlock::layout() + 42 19 com.apple.WebCore 0x00007fff4c27783d WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 4029 20 com.apple.WebCore 0x00007fff4c275877 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 2167 21 com.apple.WebCore 0x00007fff4a89d62a WebCore::RenderBlock::layout() + 42 22 com.apple.WebCore 0x00007fff4c3543f4 WebCore::RenderMultiColumnFlow::layout() + 212 23 com.apple.WebCore 0x00007fff4c288c74 WebCore::RenderBlockFlow::layoutExcludedChildren(bool) + 292 24 com.apple.WebCore 0x00007fff4c276d5f WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 1247 25 com.apple.WebCore 0x00007fff4c275877 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 2167 26 com.apple.WebCore 0x00007fff4a89d62a WebCore::RenderBlock::layout() + 42 27 com.apple.WebCore 0x00007fff4c27783d WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 4029 28 com.apple.WebCore 0x00007fff4c275877 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 2167 29 com.apple.WebCore 0x00007fff4a89d62a WebCore::RenderBlock::layout() + 42 30 com.apple.WebCore 0x00007fff4c27783d WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 4029 31 com.apple.WebCore 0x00007fff4c275877 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 2167 32 com.apple.WebCore 0x00007fff4a89d62a WebCore::RenderBlock::layout() + 42 33 com.apple.WebCore 0x00007fff4c27783d WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 4029 34 com.apple.WebCore 0x00007fff4c275877 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 2167 35 com.apple.WebCore 0x00007fff4a89d62a WebCore::RenderBlock::layout() + 42 36 com.apple.WebCore 0x00007fff4c27783d WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 4029 37 com.apple.WebCore 0x00007fff4c275877 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 2167 38 com.apple.WebCore 0x00007fff4a89d62a WebCore::RenderBlock::layout() + 42 39 com.apple.WebCore 0x00007fff4a89d380 WebCore::RenderView::layout() + 1120 40 com.apple.WebCore 0x00007fff4bfe6b9c WebCore::FrameViewLayoutContext::layout() + 1532 41 com.apple.WebCore 0x00007fff4a917137 WebCore::Document::updateLayout() + 279 42 com.apple.WebCore 0x00007fff4a99bc75 WebCore::Element::scrollLeft() + 101 43 com.apple.WebCore 0x00007fff4af3fb1f WebCore::jsElementPrototypeFunctionScrollBy(JSC::ExecState*) + 335 <rdar://problem/58447665>

Attachments
Test case (unreduced) (496.09 KB, text/html) 2020-01-30 23:16 PST, Ryosuke Niwa	no flags	Details
Test case (reduced) (2.70 KB, text/html) 2020-02-04 12:12 PST, Ali Juma	no flags	Details
Minimal test case (143 bytes, text/html) 2020-02-07 07:07 PST, Ali Juma	no flags	Details
More-minimal test case (121 bytes, text/html) 2020-02-24 14:44 PST, Ali Juma	no flags	Details
View All Add attachment proposed patch, testcase, etc.

Ryosuke Niwa

Comment 1 2020-01-30 23:16:44 PST

Created attachment 389331 [details] Test case (unreduced)

Ali Juma

Comment 2 2020-02-04 12:12:04 PST

Created attachment 389691 [details] Test case (reduced)

Ali Juma

Comment 3 2020-02-07 07:07:54 PST

Created attachment 390082 [details] Minimal test case

Ali Juma

Comment 4 2020-02-10 20:11:56 PST

This is crashing because in the render tree, we have a RenderInline whose child is a RenderBox. The minimal test case is just: <label> <ul style="display: table-caption; columns: 1px"> <li style="-webkit-border-image: url()"> <dl style="-webkit-column-span: all;"> <dd>p In the render tree, the ul element's RenderTableCaption has a RenderTable parent, whose parent is the RenderInline for the label element. We crash in RenderListItem::positionListMarker because as we keep updating |markerAncestor| in the loop at https://trac.webkit.org/browser/webkit/trunk/Source/WebCore/rendering/RenderListItem.cpp#L341, going down the parentBox chain, we eventually get a null |markerAncestor| when we reach the RenderBox whose parent is that RenderInline (since RenderBox::parentBox returns null if parent() isn't a RenderBox). In a debug build, we fail the assertion in RenderBox::parentBox that parent() is a RenderBox. Where would be a good place to start looking to figure out why a RenderInline is getting a RenderBox child?

Ali Juma

Comment 5 2020-02-24 14:44:44 PST

Created attachment 391582 [details] More-minimal test case Minimized the test case just a bit more. I'm still not sure why the RenderInline is getting a RenderBox child rather than the usual logic of creating an anonymous block getting triggered, but it seems like RenderTreeBuilder::Inline::attachIgnoringContinuation is the place to debug.

Ryosuke Niwa

Comment 6 2020-04-01 20:24:09 PDT

Oh looks like this got fixed in the bug 209262.

Ryosuke Niwa

Comment 7 2020-04-01 20:24:44 PDT

Reverse duping *** This bug has been marked as a duplicate of bug 209262 ***

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution DUPLICATE

of bug 209262

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component Layout and Rendering

Assignee

Nobody

Reported

2020-01-30 23:15 PST

Modified

2020-04-01 20:24 PDT History

CC List

8 users Show

URL

Keywords InRadar

Depends on

Blocks