Bug 207034 - Nullptr crash in InlineTextBox::emphasisMarkExistsAndIsAbove
Summary: Nullptr crash in InlineTextBox::emphasisMarkExistsAndIsAbove
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Antti Koivisto
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2020-01-30 23:50 PST by Ryosuke Niwa
Modified: 2020-03-31 07:13 PDT (History)

See Also:

Attachments
Test case (unreduced) (515.96 KB, text/html)
2020-01-30 23:51 PST, Ryosuke Niwa
reduced test case (281 bytes, text/html)
2020-03-27 09:33 PDT, Antti Koivisto
patch (8.53 KB, patch)
2020-03-27 10:21 PDT, Antti Koivisto
patch (3.37 KB, patch)
2020-03-31 05:58 PDT, Antti Koivisto
Description Ryosuke Niwa 2020-01-30 23:50:36 PST
e.g.

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x00000001b77b6964 WebCore::InlineTextBox::emphasisMarkExistsAndIsAbove(WebCore::RenderStyle const&) const + 964 (InlineTextBox.cpp:418)
1   com.apple.WebCore             	0x00000001b7796b04 WebCore::InlineFlowBox::computeOverAnnotationAdjustment(WebCore::LayoutUnit) const + 788 (InlineFlowBox.cpp:1592)
2   com.apple.WebCore             	0x00000001b7796887 WebCore::InlineFlowBox::computeOverAnnotationAdjustment(WebCore::LayoutUnit) const + 151 (InlineFlowBox.cpp:1566)
3   com.apple.WebCore             	0x00000001b7a9ae44 WebCore::RootInlineBox::selectionTop() const + 132 (RootInlineBox.cpp:577)
4   com.apple.WebCore             	0x00000001b79ed4f3 WebCore::RenderReplaced::localSelectionRect(bool) const + 291 (RenderReplaced.cpp:667)
5   com.apple.WebCore             	0x00000001b7be9bde WebCore::RenderSVGRoot::computeFloatVisibleRectInContainer(WebCore::FloatRect const&, WebCore::RenderLayerModelObject const*, WebCore::RenderObject::VisibleRectContext) const + 478 (RenderSVGRoot.cpp:366)
6   com.apple.WebCore             	0x00000001b7c2b5de WebCore::SVGRenderSupport::computeFloatVisibleRectInContainer(WebCore::RenderElement const&, WebCore::FloatRect const&, WebCore::RenderLayerModelObject const*, WebCore::RenderObject::VisibleRectContext) + 430
7   com.apple.WebCore             	0x00000001b7c14ac7 WebCore::RenderSVGText::computeFloatVisibleRectInContainer(WebCore::FloatRect const&, WebCore::RenderLayerModelObject const*, WebCore::RenderObject::VisibleRectContext) const + 71 (RenderSVGText.cpp:105)
8   com.apple.WebCore             	0x00000001b7c14a23 WebCore::RenderSVGText::computeVisibleRectInContainer(WebCore::LayoutRect const&, WebCore::RenderLayerModelObject const*, WebCore::RenderObject::VisibleRectContext) const + 99 (RenderSVGText.cpp:98)
9   com.apple.WebCore             	0x00000001b79e5ac6 WebCore::RenderObject::computeVisibleRectInContainer(WebCore::LayoutRect const&, WebCore::RenderLayerModelObject const*, WebCore::RenderObject::VisibleRectContext) const + 342
10  com.apple.WebCore             	0x00000001b79e553e WebCore::RenderObject::computeRectForRepaint(WebCore::LayoutRect const&, WebCore::RenderLayerModelObject const*) const + 110 (RenderObject.cpp:983)
11  com.apple.WebCore             	0x00000001b7a5f416 WebCore::RenderText::collectSelectionRectsForLineBoxes(WebCore::RenderLayerModelObject const*, bool, WTF::Vector<WebCore::LayoutRect, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>*) + 982 (RenderText.cpp:1486)
12  com.apple.WebCore             	0x00000001b7a5f693 WebCore::RenderText::collectSelectionRectsForLineBoxes(WebCore::RenderLayerModelObject const*, bool, WTF::Vector<WebCore::LayoutRect, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&) + 51 (RenderText.cpp:1492)
13  com.apple.WebCore             	0x00000001b7a0d878 WebCore::RenderSelectionInfo::RenderSelectionInfo(WebCore::RenderObject&, bool) + 168 (RenderSelectionInfo.cpp:50)
14  com.apple.WebCore             	0x00000001b7a0d91c WebCore::RenderSelectionInfo::RenderSelectionInfo(WebCore::RenderObject&, bool) + 44 (RenderSelectionInfo.cpp:54)
15  com.apple.WebCore             	0x00000001b7aada57 std::__1::__unique_if<WebCore::RenderSelectionInfo>::__unique_single std::__1::make_unique<WebCore::RenderSelectionInfo, WebCore::RenderObject&, bool>(WebCore::RenderObject&, bool&&) + 87 (memory:3132)
16  com.apple.WebCore             	0x00000001b7aa0c84 decltype(auto) WTF::makeUnique<WebCore::RenderSelectionInfo, WebCore::RenderObject&, bool>(WebCore::RenderObject&, bool&&) + 68 (StdLibExtras.h:483)
17  com.apple.WebCore             	0x00000001b7aa1238 WebCore::collect(WebCore::SelectionRangeData::Context const&, bool) + 344 (SelectionRangeData.cpp:134)
18  com.apple.WebCore             	0x00000001b7a9f41e WebCore::SelectionRangeData::apply(WebCore::SelectionRangeData::Context const&, WebCore::SelectionRangeData::RepaintMode) + 94 (SelectionRangeData.cpp:284)
19  com.apple.WebCore             	0x00000001b7a9f2c4 WebCore::SelectionRangeData::set(WebCore::SelectionRangeData::Context const&, WebCore::SelectionRangeData::RepaintMode) + 260 (SelectionRangeData.cpp:211)
20  com.apple.WebCore             	0x00000001b7aa0259 WebCore::SelectionRangeData::clear() + 89 (SelectionRangeData.cpp:216)
21  com.apple.WebCore             	0x00000001b65a06e2 WebCore::FrameSelection::setNeedsSelectionUpdate(WebCore::FrameSelection::RevealSelectionAfterUpdate) + 194 (FrameSelection.cpp:440)
22  com.apple.WebCore             	0x00000001b7c5cad8 WebCore::RenderTreeBuilder::detachFromRenderElement(WebCore::RenderElement&, WebCore::RenderObject&) + 792 (RenderTreeBuilder.cpp:851)
23  com.apple.WebCore             	0x00000001b7c59709 WebCore::RenderTreeBuilder::detach(WebCore::RenderElement&, WebCore::RenderObject&, WebCore::RenderTreeBuilder::CanCollapseAnonymousBlock) + 905
24  com.apple.WebCore             	0x00000001b7c59219 WebCore::RenderTreeBuilder::destroy(WebCore::RenderObject&) + 153 (RenderTreeBuilder.cpp:166)
25  com.apple.WebCore             	0x00000001b7c5934d WebCore::RenderTreeBuilder::destroy(WebCore::RenderObject&) + 461 (RenderTreeBuilder.cpp:183)
26  com.apple.WebCore             	0x00000001b7c5f074 WebCore::RenderTreeBuilder::destroyAndCleanUpAnonymousWrappers(WebCore::RenderObject&) + 228 (RenderTreeBuilder.cpp:782)
27  com.apple.WebCore             	0x00000001b7c8109d WebCore::RenderTreeUpdater::tearDownTextRenderer(WebCore::Text&, WebCore::RenderTreeBuilder&) + 61 (RenderTreeUpdater.cpp:618)
28  com.apple.WebCore             	0x00000001b7c7ea1a WebCore::RenderTreeUpdater::updateTextRenderer(WebCore::Text&, WebCore::Style::TextUpdate const*) + 186 (RenderTreeUpdater.cpp:497)
29  com.apple.WebCore             	0x00000001b7c7e38d WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) + 877 (RenderTreeUpdater.cpp:179)
30  com.apple.WebCore             	0x00000001b7c7dd09 WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >) + 473 (RenderTreeUpdater.cpp:128)
31  com.apple.WebCore             	0x00000001b627522a WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) + 1306 (Document.cpp:1995)
32  com.apple.WebCore             	0x00000001b6275c8d WebCore::Document::updateStyleIfNeeded() + 493 (Document.cpp:2088)
33  com.apple.WebCore             	0x00000001b6271029 WebCore::Document::updateLayout() + 393 (Document.cpp:2110)
34  com.apple.WebCore             	0x00000001b627259e WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks) + 94 (Document.cpp:2130)
35  com.apple.WebCore             	0x00000001b65fb3dc WebCore::TextIterator::TextIterator(WebCore::Range const*, unsigned short) + 316 (TextIterator.cpp:377)
36  com.apple.WebCore             	0x00000001b65fb4d8 WebCore::TextIterator::TextIterator(WebCore::Range const*, unsigned short) + 40 (TextIterator.cpp:392)
37  com.apple.WebCore             	0x00000001b65fffea WebCore::CharacterIterator::CharacterIterator(WebCore::Range const&, unsigned short) + 58 (TextIterator.cpp:1410)
38  com.apple.WebCore             	0x00000001b66000b8 WebCore::CharacterIterator::CharacterIterator(WebCore::Range const&, unsigned short) + 40 (TextIterator.cpp:1414)
39  com.apple.WebCore             	0x00000001b66029c9 WebCore::findPlainTextMatches(WebCore::Range const&, WTF::String const&, WTF::OptionSet<WebCore::FindOptionFlag>, WTF::Function<bool (unsigned long, unsigned long)> const&) + 505 (TextIterator.cpp:2635)
40  com.apple.WebCore             	0x00000001b6602e33 WebCore::findPlainText(WebCore::Range const&, WTF::String const&, WTF::OptionSet<WebCore::FindOptionFlag>) + 163 (TextIterator.cpp:2694)
41  com.apple.WebCore             	0x00000001b65976fe WebCore::Editor::rangeOfString(WTF::String const&, WebCore::Range*, WTF::OptionSet<WebCore::FindOptionFlag>) + 830 (Editor.cpp:3484)
42  com.apple.WebCore             	0x00000001b659723f WebCore::Editor::findString(WTF::String const&, WTF::OptionSet<WebCore::FindOptionFlag>) + 175 (Editor.cpp:3445)
43  com.apple.WebCore             	0x00000001b6f81d6a WebCore::DOMWindow::find(WTF::String const&, bool, bool, bool, bool, bool, bool) const + 298 (DOMWindow.cpp:1215)

<rdar://problem/57842366>
Comment 1 Ryosuke Niwa 2020-01-30 23:51:01 PST
You might also hit this crash:

0   com.apple.WebCore             	0x00000006b0f58deb WTFCrashWithInfo(int, char const*, char const*, int) + 27
1   com.apple.WebCore             	0x00000006b5d5ebaa WebCore::Shape::createRasterShape(WebCore::Image*, float, WebCore::LayoutRect const&, WebCore::LayoutRect const&, WebCore::WritingMode, float) + 3082
2   com.apple.WebCore             	0x00000006b5d60c28 WebCore::ShapeOutsideInfo::createShapeForImage(WebCore::StyleImage*, float, WebCore::WritingMode, float) const + 1000
3   com.apple.WebCore             	0x00000006b5d5f9e9 WebCore::ShapeOutsideInfo::computedShape() const + 857
4   com.apple.WebCore             	0x00000006b5d62dc9 WebCore::ShapeOutsideInfo::computeDeltasForContainingBlockLine(WebCore::RenderBlockFlow const&, WebCore::FloatingObject const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 1017
5   com.apple.WebCore             	0x00000006b5d030dc WebCore::LineWidth::shrinkAvailableWidthForNewFloatIfNeeded(WebCore::FloatingObject const&) + 460
6   com.apple.WebCore             	0x00000006b58005ed WebCore::ComplexLineLayout::positionNewFloatOnLine(WebCore::FloatingObject const&, WebCore::FloatingObject*, WebCore::LineInfo&, WebCore::LineWidth&) + 317
7   com.apple.WebCore             	0x00000006b5cf7db4 WebCore::LineBreaker::skipLeadingWhitespace(WebCore::BidiResolverWithIsolate<WebCore::InlineIterator, WebCore::BidiRun, WebCore::BidiIsolatedRun>&, WebCore::LineInfo&, WebCore::FloatingObject*, WebCore::LineWidth&) + 932
8   com.apple.WebCore             	0x00000006b5cf8226 WebCore::LineBreaker::nextLineBreak(WebCore::BidiResolverWithIsolate<WebCore::InlineIterator, WebCore::BidiRun, WebCore::BidiIsolatedRun>&, WebCore::LineInfo&, WebCore::RenderTextInfo&, WebCore::FloatingObject*, unsigned int, WTF::Vector<WebCore::WordMeasurement, 64ul, WTF::CrashOnOverflow, 16ul>&) + 518
9   com.apple.WebCore             	0x00000006b57f5c9b WebCore::ComplexLineLayout::layoutRunsAndFloatsInRange(WebCore::LineLayoutState&, WebCore::BidiResolverWithIsolate<WebCore::InlineIterator, WebCore::BidiRun, WebCore::BidiIsolatedRun>&, WebCore::InlineIterator const&, WebCore::BidiStatus const&, unsigned int) + 1723
10  com.apple.WebCore             	0x00000006b57f3c3b WebCore::ComplexLineLayout::layoutRunsAndFloats(WebCore::LineLayoutState&, bool) + 1275
11  com.apple.WebCore             	0x00000006b57fb8be WebCore::ComplexLineLayout::layoutLineBoxes(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 2238
12  com.apple.WebCore             	0x00000006b5900637 WebCore::RenderBlockFlow::layoutInlineChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 407
13  com.apple.WebCore             	0x00000006b58febcf WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 1135
14  com.apple.WebCore             	0x00000006b58c5905 WebCore::RenderBlock::layout() + 277
15  com.apple.WebCore             	0x00000006b5903d9f WebCore::RenderBlockFlow::insertFloatingObject(WebCore::RenderBox&) + 687
16  com.apple.WebCore             	0x00000006b5cf7d9a WebCore::LineBreaker::skipLeadingWhitespace(WebCore::BidiResolverWithIsolate<WebCore::InlineIterator, WebCore::BidiRun, WebCore::BidiIsolatedRun>&, WebCore::LineInfo&, WebCore::FloatingObject*, WebCore::LineWidth&) + 906
17  com.apple.WebCore             	0x00000006b5cf8226 WebCore::LineBreaker::nextLineBreak(WebCore::BidiResolverWithIsolate<WebCore::InlineIterator, WebCore::BidiRun, WebCore::BidiIsolatedRun>&, WebCore::LineInfo&, WebCore::RenderTextInfo&, WebCore::FloatingObject*, unsigned int, WTF::Vector<WebCore::WordMeasurement, 64ul, WTF::CrashOnOverflow, 16ul>&) + 518
18  com.apple.WebCore             	0x00000006b57f5c9b WebCore::ComplexLineLayout::layoutRunsAndFloatsInRange(WebCore::LineLayoutState&, WebCore::BidiResolverWithIsolate<WebCore::InlineIterator, WebCore::BidiRun, WebCore::BidiIsolatedRun>&, WebCore::InlineIterator const&, WebCore::BidiStatus const&, unsigned int) + 1723
19  com.apple.WebCore             	0x00000006b57f3c3b WebCore::ComplexLineLayout::layoutRunsAndFloats(WebCore::LineLayoutState&, bool) + 1275
20  com.apple.WebCore             	0x00000006b57fb8be WebCore::ComplexLineLayout::layoutLineBoxes(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 2238
21  com.apple.WebCore             	0x00000006b5900637 WebCore::RenderBlockFlow::layoutInlineChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 407
22  com.apple.WebCore             	0x00000006b58febcf WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 1135
23  com.apple.WebCore             	0x00000006b58c5905 WebCore::RenderBlock::layout() + 277
24  com.apple.WebCore             	0x00000006b5c7d08b WebCore::RenderView::layout() + 1531
25  com.apple.WebCore             	0x00000006b5021178 WebCore::FrameViewLayoutContext::layout() + 1448
26  com.apple.WebCore             	0x00000006b405ec09 WebCore::Document::updateLayout() + 537
27  com.apple.WebCore             	0x00000006b4060ff3 WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks) + 147
28  com.apple.WebCore             	0x00000006b413b3c5 WebCore::Element::scrollLeft() + 181
29  com.apple.WebCore             	0x00000006b4137da1 WebCore::Element::scrollBy(WebCore::ScrollToOptions const&) + 257
30  com.apple.WebCore             	0x00000006b4138298 WebCore::Element::scrollBy(double, double) + 312
Comment 2 Ryosuke Niwa 2020-01-30 23:51:22 PST
Created attachment 389333 [details]
Test case (unreduced)
Comment 3 Ryosuke Niwa 2020-03-26 14:35:56 PDT
Antti is looking into this.
Comment 4 Antti Koivisto 2020-03-27 09:33:35 PDT
Created attachment 394722 [details]
reduced test case
Comment 5 Antti Koivisto 2020-03-27 10:21:33 PDT
Created attachment 394724 [details]
patch
Comment 6 zalan 2020-03-27 12:06:44 PDT
Comment on attachment 394724 [details]
patch

I was under the impression that the teardown direction was incorrect (re: email).
Comment 7 Antti Koivisto 2020-03-28 08:16:27 PDT
As discussed, changing the removal order may also be helpful.
Comment 8 EWS 2020-03-28 08:35:53 PDT
Committed r259158: <https://trac.webkit.org/changeset/259158>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 394724 [details].
Comment 9 Jacob Uphoff 2020-03-30 14:13:58 PDT
Reverted r259158 for reason:

This commit caused an assertion failure

Committed r259232: <https://trac.webkit.org/changeset/259232>
Comment 10 Jacob Uphoff 2020-03-30 14:15:29 PDT
Caused https://bugs.webkit.org/show_bug.cgi?id=209766
Comment 11 Ryosuke Niwa 2020-03-30 14:49:31 PDT
(In reply to Jacob Uphoff from comment #9)
> Reverted r259158 for reason:
> 
> This commit caused an assertion failure
> 
> Committed r259232: <https://trac.webkit.org/changeset/259232>

What kind of assertion failures?
Comment 12 zalan 2020-03-30 14:51:25 PDT
https://build.webkit.org/results/Apple-Catalina-Debug-WK2-Tests/r259158%20(3190)/editing/selection/focus-and-display-none-crash-log.txt

ASSERTION FAILED: m_renderRange.startOffset()
./rendering/HighlightData.h(84) : unsigned int WebCore::HighlightData::startOffset() const
1   0x7f20e8229 WTFCrash
2   0x7d51eeffb WTFCrashWithInfo(int, char const*, char const*, int)
3   0x7d90faf88 WebCore::HighlightData::startOffset() const
4   0x7d90fae38 WebCore::InlineTextBox::selectionStartEnd() const
5   0x7d90fe943 WebCore::createMarkedTextFromSelectionInBox(WebCore::InlineTextBox const&)
6   0x7d90fccb2 WebCore::InlineTextBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit)
7   0x7d90f64cb WebCore::InlineFlowBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit)
8   0x7d93fd071 WebCore::RootInlineBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit)
9   0x7d92e69d8 WebCore::RenderLineBoxList::paint(WebCore::RenderBoxModelObject*, WebCore::PaintInfo&, WebCore::LayoutPoint const&) const
10  0x7d91566e1 WebCore::RenderBlockFlow::paintInlineChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&)
11  0x7d912b78e WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&)
Comment 13 Antti Koivisto 2020-03-31 05:50:00 PDT
This is not actually a good approach since it may leave stray selection state behind in the render tree. Zalan already fixed the crash here in an alternative way in https://bugs.webkit.org/show_bug.cgi?id=209695. 

I'll just reland the test here and add a null check in case there are still cases not covered by 209695.
Comment 14 Antti Koivisto 2020-03-31 05:58:38 PDT
Created attachment 395028 [details]
patch
Comment 15 EWS 2020-03-31 07:13:56 PDT
Committed r259286: <https://trac.webkit.org/changeset/259286>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 395028 [details].