RESOLVED FIXED 218205
Assert in BoxTree::layoutBoxForRenderer() under RenderLayer::updateScrollCornerStyle()
https://bugs.webkit.org/show_bug.cgi?id=218205
Simon Fraser (smfr)
Reported 2020-10-26 14:03:43 PDT
fast/css-generated-content/text-before-table-col-crash.html can assert:

0 com.apple.JavaScriptCore 0x000000063e2de1ce WTFCrash + 14
1 com.apple.WebCore 0x0000000645a78eeb WTFCrashWithInfo(int, char const*, char const*, int) + 27
2 com.apple.WebCore 0x00000006490662f9 WebCore::LayoutIntegration::BoxTree::layoutBoxForRenderer(WebCore::RenderObject const&) + 217
3 com.apple.WebCore 0x000000064906613d WebCore::LayoutIntegration::BoxTree::updateStyle(WebCore::RenderBoxModelObject const&) + 45
4 com.apple.WebCore 0x000000064906a166 WebCore::LayoutIntegration::LineLayout::updateStyle(WebCore::RenderBoxModelObject const&) + 38
5 com.apple.WebCore 0x0000000649ae77d5 WebCore::RenderBox::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) + 2661
6 com.apple.WebCore 0x0000000649ae6cae WebCore::RenderBlock::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) + 62
7 com.apple.WebCore 0x0000000649d0c73d WebCore::RenderScrollbarPart::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) + 45
8 com.apple.WebCore 0x0000000649b9bec1 WebCore::RenderElement::setStyle(WebCore::RenderStyle&&, WebCore::StyleDifference) + 609
9 com.apple.WebCore 0x0000000649c40517 WebCore::RenderLayer::updateScrollCornerStyle() + 487
10 com.apple.WebCore 0x0000000649c5356f WebCore::RenderLayer::styleChanged(WebCore::StyleDifference, WebCore::RenderStyle const*) + 1263
11 com.apple.WebCore 0x0000000649c82ca6 WebCore::RenderLayerModelObject::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) + 710
12 com.apple.WebCore 0x0000000649ae6db7 WebCore::RenderBox::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) + 71
13 com.apple.WebCore 0x0000000649ae6cae WebCore::RenderBlock::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) + 62
14 com.apple.WebCore 0x0000000649b11103 WebCore::RenderBlockFlow::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) + 51
15 com.apple.WebCore 0x0000000649b9bec1 WebCore::RenderElement::setStyle(WebCore::RenderStyle&&, WebCore::StyleDifference) + 609
16 com.apple.WebCore 0x0000000649f22953 WebCore::RenderTreeUpdater::updateRendererStyle(WebCore::RenderElement&, WebCore::RenderStyle&&, WebCore::StyleDifference) + 99
17 com.apple.WebCore 0x0000000649f21f76 WebCore::RenderTreeUpdater::updateElementRenderer(WebCore::Element&, WebCore::Style::ElementUpdate const&) + 998
18 com.apple.WebCore 0x0000000649f2141f WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) + 1087
19 com.apple.WebCore 0x0000000649f20cb3 WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >) + 483
20 com.apple.WebCore 0x000000064857a8ad WebCore::Document::updateRenderTree(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >) + 253
21 com.apple.WebCore 0x000000064857ae1d WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) + 1213
22 com.apple.WebCore 0x000000064857b7bd WebCore::Document::updateStyleIfNeeded() + 509
23 com.apple.WebCore 0x000000064933e387 WebCore::FrameView::updateLayoutAndStyleIfNeededRecursive() + 183
24 com.apple.WebCore 0x00000006493b6e6e WebCore::Page::layoutIfNeeded() + 62
25 com.apple.WebCore 0x00000006493b75ac WebCore::Page::updateRendering() + 412
26 com.apple.WebKit 0x0000000629b43fa6 WebKit::WebPage::updateRendering() + 38
27 com.apple.WebKit 0x00000006286b86fb WebKit::RemoteLayerTreeDrawingArea::updateRendering() + 171
28 com.apple.WebKit 0x00000006286c24e7 decltype(*(std::__1::forward<WebKit::RemoteLayerTreeDrawingArea*&>(fp0)).*fp()) std::__1::__invoke<void (WebKit::RemoteLayerTreeDrawingArea::*&)(), WebKit::RemoteLayerTreeDrawingArea*&, void>(void (WebKit::RemoteLayerTreeDrawingArea::*&)(), WebKit::RemoteLayerTreeDrawingArea*&) + 119
29 com.apple.WebKit 0x00000006286c2460 std::__1::__bind_return<void (WebKit::RemoteLayerTreeDrawingArea::*)(), std::__1::tuple<WebKit::RemoteLayerTreeDrawingArea*>, std::__1::tuple<>, __is_valid_bind_return<void (WebKit::RemoteLayerTreeDrawingArea::*)(), std::__1::tuple<WebKit::RemoteLayerTreeDrawingArea*>, std::__1::tuple<> >::value>::type std::__1::__apply_functor<void (WebKit::RemoteLayerTreeDrawingArea::*)(), std::__1::tuple<WebKit::RemoteLayerTreeDrawingArea*>, 0ul, std::__1::tuple<> >(void (WebKit::RemoteLayerTreeDrawingArea::*&)(), std::__1::tuple<WebKit::RemoteLayerTreeDrawingArea*>&, std::__1::__tuple_indices<0ul>, std::__1::tuple<>&&) + 64
30 com.apple.WebKit 0x00000006286c2419 std::__1::__bind_return<void (WebKit::RemoteLayerTreeDrawingArea::*)(), std::__1::tuple<WebKit::RemoteLayerTreeDrawingArea*>, std::__1::tuple<>, __is_valid_bind_return<void (WebKit::RemoteLayerTreeDrawingArea::*)(), std::__1::tuple<WebKit::RemoteLayerTreeDrawingArea*>, std::__1::tuple<> >::value>::type std::__1::__bind<void (WebKit::RemoteLayerTreeDrawingArea::*&)(), WebKit::RemoteLayerTreeDrawingArea*>::operator()<>() + 41
31 com.apple.WebKit 0x00000006286c23be WTF::Detail::CallableWrapper<std::__1::__bind<void (WebKit::RemoteLayerTreeDrawingArea::*&)(), WebKit::RemoteLayerTreeDrawingArea*>, void>::call() + 30
32 com.apple.WebKit 0x00000006280ca5e2 WTF::Function<void ()>::operator()() const + 130
33 com.apple.WebKit 0x00000006286bdb0e WebCore::Timer::fired() + 30
34 com.apple.WebCore 0x0000000649599644 WebCore::ThreadTimers::sharedTimerFiredInternal() + 644
35 com.apple.WebCore 0x00000006495a0b31 WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0::operator()() const + 33
36 com.apple.WebCore 0x00000006495a0ade WTF::Detail::CallableWrapper<WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0, void>::call() + 30
37 com.apple.WebCore 0x0000000645a8ed42 WTF::Function<void ()>::operator()() const + 130
38 com.apple.WebCore 0x0000000649558c4b WebCore::MainThreadSharedTimer::fired() + 139
39 com.apple.WebCore 0x00000006495fe886 WebCore::timerFired(__CFRunLoopTimer*, void*) + 38
40 com.apple.CoreFoundation 0x00000006353be112 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
41 com.apple.CoreFoundation 0x00000006353bdbe5 __CFRunLoopDoTimer + 926
42 com.apple.CoreFoundation 0x00000006353bd198 __CFRunLoopDoTimers + 265
43 com.apple.CoreFoundation 0x00000006353b7826 __CFRunLoopRun + 1949
44 com.apple.CoreFoundation 0x00000006353b6b9e CFRunLoopRunSpecific + 567
45 com.apple.Foundation 0x000000010eb80e61 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 209
46 com.apple.Foundation 0x000000010eb81075 -[NSRunLoop(NSRunLoop) run] + 76
47 libxpc.dylib 0x0000000636cdf506 _xpc_objc_main + 591
48 libxpc.dylib 0x0000000636ce14aa xpc_main + 143
49 com.apple.WebKit 0x0000000628b19175 WebKit::XPCServiceMain(int, char const**) + 1077
50 com.apple.WebKit 0x0000000629f115cb WKXPCServiceMain + 27
51 com.apple.WebKit.WebContent 0x000000010ea62d42 main + 34
52 libdyld.dylib 0x0000000636977415 start + 1
Attachments
patch (1.60 KB, patch)
2020-10-27 01:07 PDT, Antti Koivisto
no flags
Radar WebKit Bug Importer
Comment 1 2020-10-26 14:04:02 PDT
Antti Koivisto
Comment 2 2020-10-27 01:07:10 PDT
EWS
Comment 3 2020-10-27 06:56:34 PDT
Committed r269038: <https://trac.webkit.org/changeset/269038>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 412399 [details].
Simon Fraser (smfr)
Comment 4 2020-10-27 08:44:32 PDT
Comment on attachment 412399 [details] patch
View in context: https://bugs.webkit.org/attachment.cgi?id=412399&action=review

> Source/WebCore/layout/integration/LayoutIntegrationLineLayout.cpp:75
> +    if (renderer.isReplica() || renderer.isRenderScrollbarPart())

Maybe we need renderer.isBlah() that covers these two cases?
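Review bot: the early return at LayoutIntegrationLineLayout.cpp:75 enumerates two concrete renderer types, which is the kind of check that silently goes stale when a third renderer with the same shape appears; the trace above shows why the case is easy to miss, since RenderScrollbarPart reaches LineLayout::updateStyle through the generic RenderBox::styleDidChange path even though it was never added to the line layout box tree, so BoxTree::layoutBoxForRenderer has nothing to return and asserts. A single predicate naming the property that matters (a renderer that is parented into a block but is not inline content of that block) would document the intent better than the pair of type checks, and would be the natural place to add the next such type; a short comment on the `if` saying why replica and scrollbar-part renderers are excluded would also help the next reader of this function.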
Antti Koivisto
Comment 5 2020-10-27 09:59:58 PDT
> Maybe we need renderer.isBlah() that covers these two cases?

"Someone" should just refactor them to not be RenderObjects (or at least not have parent set).