RESOLVED FIXED 219369
REGRESSION (r268604): [ Mac ] fast/layoutformattingcontext/table-basic-row-vertical-align-baseline.html is a flaky crash 
https://bugs.webkit.org/show_bug.cgi?id=219369
Summary REGRESSION (r268604): [ Mac ] fast/layoutformattingcontext/table-basic-row-ve...
Truitt Savell
Reported 2020-11-30 14:22:03 PST
fast/layoutformattingcontext/table-basic-row-vertical-align-baseline.html I am able to reproduce this crash with command: run-webkit-tests --iterations 2000 --exit-after-n-failures 1 --exit-after-n-crashes-or-timeouts 1 --debug-rwt-logging --no-retry --force --no-build -f fast/layoutformattingcontext/table-basic-row-vertical-align-baseline.html History: https://results.webkit.org/?suite=layout-tests&test=fast%2Flayoutformattingcontext%2Ftable-basic-row-vertical-align-baseline.html Crash: Application Specific Information: CRASHING TEST: fast/layoutformattingcontext/table-basic-row-baseline-with-nested-table.html Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.WebCore 0x00000005b2ef47fa WebCore::Display::TreeBuilder::buildInlineDisplayTree(WebCore::Layout::LayoutState const&, WebCore::Layout::ContainerBox const&, WebCore::Display::TreeBuilder::InsertionPosition&) + 42 (DisplayTreeBuilder.cpp:182) 1 com.apple.WebCore 0x00000005b2ef43ad WebCore::Display::TreeBuilder::recursiveBuildDisplayTree(WebCore::Layout::LayoutState const&, WebCore::Layout::Box const&, WebCore::Display::TreeBuilder::InsertionPosition&) + 701 2 com.apple.WebCore 0x00000005b2ef43ec WebCore::Display::TreeBuilder::recursiveBuildDisplayTree(WebCore::Layout::LayoutState const&, WebCore::Layout::Box const&, WebCore::Display::TreeBuilder::InsertionPosition&) + 764 3 com.apple.WebCore 0x00000005b2ef43ec WebCore::Display::TreeBuilder::recursiveBuildDisplayTree(WebCore::Layout::LayoutState const&, WebCore::Layout::Box const&, WebCore::Display::TreeBuilder::InsertionPosition&) + 764 4 com.apple.WebCore 0x00000005b2ef43ec WebCore::Display::TreeBuilder::recursiveBuildDisplayTree(WebCore::Layout::LayoutState const&, WebCore::Layout::Box const&, WebCore::Display::TreeBuilder::InsertionPosition&) + 764 5 com.apple.WebCore 0x00000005b2ef43ec WebCore::Display::TreeBuilder::recursiveBuildDisplayTree(WebCore::Layout::LayoutState const&, WebCore::Layout::Box const&,
Attachments
crash log (67.90 KB, text/plain)
2020-12-02 09:54 PST, Ryan Haddad 		no flags
Details
Patch (2.10 KB, patch)
2020-12-14 15:12 PST, Simon Fraser (smfr) 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2020-11-30 14:22:18 PST
<rdar://problem/71822844>
Truitt Savell
Comment 2 2020-11-30 14:46:51 PST
I was able to bisect this to r268604
Ryan Haddad
Comment 3 2020-12-02 09:54:15 PST
Created attachment 415230 [details] crash log
Ryan Haddad
Comment 4 2020-12-02 10:20:24 PST
Based on recent test history, it looks like this may be limited to release builds.
Simon Fraser (smfr)
Comment 5 2020-12-14 15:04:19 PST
What's happening is that during TestController::resetStateToConsistentValues() there are lots of calls to WebPage::preferencesDidChange() via the async IPC, and for some of those calls both layoutFormattingContextIntegrationEnabled and layoutFormattingContextEnabled are true. If Display::view() does a paint at that time, then we hit assertions. So the underlying causes are: 1. These two settings are incompatible with each other. 2. TestController::resetStateToConsistentValues() triggers lots of calls to WebPage::preferencesDidChange().
Simon Fraser (smfr)
Comment 6 2020-12-14 15:10:17 PST
<rdar://problem/69985187>
Simon Fraser (smfr)
Comment 7 2020-12-14 15:12:27 PST
Created attachment 416198 [details] Patch
EWS
Comment 8 2020-12-14 16:19:55 PST
Committed r270809: <https://trac.webkit.org/changeset/270809> All reviewed patches have been landed. Closing bug and clearing flags on attachment 416198 [details].
Note You need to log in before you can comment on or make changes to this bug.