fast/layoutformattingcontext/table-basic-row-vertical-align-baseline.html

I am able to reproduce this crash with command:
run-webkit-tests --iterations 2000 --exit-after-n-failures 1 --exit-after-n-crashes-or-timeouts 1 --debug-rwt-logging --no-retry --force --no-build -f fast/layoutformattingcontext/table-basic-row-vertical-align-baseline.html

History:
https://results.webkit.org/?suite=layout-tests&test=fast%2Flayoutformattingcontext%2Ftable-basic-row-vertical-align-baseline.html

Crash:
Application Specific Information:
CRASHING TEST: fast/layoutformattingcontext/table-basic-row-baseline-with-nested-table.html

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.WebCore 0x00000005b2ef47fa WebCore::Display::TreeBuilder::buildInlineDisplayTree(WebCore::Layout::LayoutState const&, WebCore::Layout::ContainerBox const&, WebCore::Display::TreeBuilder::InsertionPosition&) + 42 (DisplayTreeBuilder.cpp:182)
1 com.apple.WebCore 0x00000005b2ef43ad WebCore::Display::TreeBuilder::recursiveBuildDisplayTree(WebCore::Layout::LayoutState const&, WebCore::Layout::Box const&, WebCore::Display::TreeBuilder::InsertionPosition&) + 701
2 com.apple.WebCore 0x00000005b2ef43ec WebCore::Display::TreeBuilder::recursiveBuildDisplayTree(WebCore::Layout::LayoutState const&, WebCore::Layout::Box const&, WebCore::Display::TreeBuilder::InsertionPosition&) + 764
3 com.apple.WebCore 0x00000005b2ef43ec WebCore::Display::TreeBuilder::recursiveBuildDisplayTree(WebCore::Layout::LayoutState const&, WebCore::Layout::Box const&, WebCore::Display::TreeBuilder::InsertionPosition&) + 764
4 com.apple.WebCore 0x00000005b2ef43ec WebCore::Display::TreeBuilder::recursiveBuildDisplayTree(WebCore::Layout::LayoutState const&, WebCore::Layout::Box const&, WebCore::Display::TreeBuilder::InsertionPosition&) + 764
5 com.apple.WebCore 0x00000005b2ef43ec WebCore::Display::TreeBuilder::recursiveBuildDisplayTree(WebCore::Layout::LayoutState const&, WebCore::Layout::Box const&,
<rdar://problem/71822844>
I was able to bisect this to r268604
Created attachment 415230: crash log
Based on recent test history, it looks like this may be limited to release builds.
What's happening is that during TestController::resetStateToConsistentValues() there are lots of calls to WebPage::preferencesDidChange() via the async IPC, and for some of those calls both layoutFormattingContextIntegrationEnabled and layoutFormattingContextEnabled are true. If Display::view() does a paint at that time, then we hit assertions.

So the underlying causes are:
1. These two settings are incompatible with each other.
2. TestController::resetStateToConsistentValues() triggers lots of calls to WebPage::preferencesDidChange().
<rdar://problem/69985187>
Created attachment 416198: Patch
Committed r270809: <https://trac.webkit.org/changeset/270809>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 416198.