Bug 220490 (REOPENED): [css-multicol] OOM with 1px height columns
https://bugs.webkit.org/show_bug.cgi?id=220490
Ryosuke Niwa, Reported 2021-01-08 17:43:21 PST
Created attachment 417322 [details]: Test
With a non-ASAN release build, we hit the following crash with the attached test case:
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.WebCore 0x000000054bbb644a bool WTF::VectorBufferBase<WebCore::LayerFragment, WTF::FastMalloc>::allocateBuffer<(WTF::FailureAction)0>(unsigned long) + 1 (Vector.h:293) [inlined]
1 com.apple.WebCore 0x000000054bbb644a bool WTF::VectorBuffer<WebCore::LayerFragment, 1ul, WTF::FastMalloc>::allocateBuffer<(WTF::FailureAction)0>(unsigned long) + 1 (Vector.h:470) [inlined]
2 com.apple.WebCore 0x000000054bbb644a bool WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::reserveCapacity<(WTF::FailureAction)0>(unsigned long) + 266 (Vector.h:1195)
3 com.apple.WebCore 0x000000054bbb6330 bool WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::expandCapacity<(WTF::FailureAction)0>(unsigned long) + 50 (Vector.h:1056) [inlined]
4 com.apple.WebCore 0x000000054bbb6330 WebCore::LayerFragment* WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::expandCapacity<(WTF::FailureAction)0>(unsigned long, WebCore::LayerFragment*) + 144 (Vector.h:1065)
5 com.apple.WebCore 0x000000054bbd3169 bool WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::appendSlowCase<(WTF::FailureAction)0, WebCore::LayerFragment&>(WebCore::LayerFragment&) + 18 (Vector.h:1317) [inlined]
6 com.apple.WebCore 0x000000054bbd3169 bool WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::append<(WTF::FailureAction)0, WebCore::LayerFragment&>(WebCore::LayerFragment&) + 28 (Vector.h:1292) [inlined]
7 com.apple.WebCore 0x000000054bbd3169 void WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::append<WebCore::LayerFragment&>(WebCore::LayerFragment&) + 28 (Vector.h:776) [inlined]
8 com.apple.WebCore 0x000000054bbd3169 WebCore::RenderMultiColumnSet::collectLayerFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WebCore::LayoutRect const&, WebCore::LayoutRect const&) + 1865 (RenderMultiColumnSet.cpp:830)
9 com.apple.WebCore 0x000000054bb50ba5 WebCore::RenderFragmentedFlow::collectLayerFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WebCore::LayoutRect const&, WebCore::LayoutRect const&) + 53 (RenderFragmentedFlow.cpp:857)
10 com.apple.WebCore 0x000000054bb884cf WebCore::RenderLayer::collectFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WebCore::RenderLayer const*, WebCore::LayoutRect const&, WebCore::RenderLayer::PaginationInclusionMode, WebCore::ClipRectsType, WebCore::OverlayScrollbarSizeRelevancy, WebCore::ShouldRespectOverflowClip, WebCore::LayoutSize const&, WebCore::LayoutRect const*, WebCore::ShouldApplyRootOffsetToFragments) + 1103 (RenderLayer.cpp:4947)
11 com.apple.WebCore 0x000000054bb85f66 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) + 2790 (RenderLayer.cpp:4725)
12 com.apple.WebCore 0x000000054bb86266 WebCore::RenderLayer::paintList(WebCore::RenderLayer::LayerList, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) + 63 (RenderLayer.cpp:4863) [inlined]
13 com.apple.WebCore 0x000000054bb86266 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) + 3558 (RenderLayer.cpp:4758)
14 com.apple.WebCore 0x000000054bb86266 WebCore::RenderLayer::paintList(WebCore::RenderLayer::LayerList, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) + 63 (RenderLayer.cpp:4863) [inlined]
15 com.apple.WebCore 0x000000054bb86266 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) + 3558 (RenderLayer.cpp:4758)
16 com.apple.WebCore 0x000000054bb86266 WebCore::RenderLayer::paintList(WebCore::RenderLayer::LayerList, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) + 63 (RenderLayer.cpp:4863) [inlined]
17 com.apple.WebCore 0x000000054bb86266 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) + 3558 (RenderLayer.cpp:4758)
18 com.apple.WebCore 0x000000054bb86266 WebCore::RenderLayer::paintList(WebCore::RenderLayer::LayerList, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) + 63 (RenderLayer.cpp:4863) [inlined]
19 com.apple.WebCore 0x000000054bb86266 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) + 3558 (RenderLayer.cpp:4758)
20 com.apple.WebCore 0x000000054bb86266 WebCore::RenderLayer::paintList(WebCore::RenderLayer::LayerList, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) + 63 (RenderLayer.cpp:4863) [inlined]
21 com.apple.WebCore 0x000000054bb86266 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) + 3558 (RenderLayer.cpp:4758)
22 com.apple.WebCore 0x000000054bb862c3 WebCore::RenderLayer::paintList(WebCore::RenderLayer::LayerList, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) + 76 (RenderLayer.cpp:4863) [inlined]
23 com.apple.WebCore 0x000000054bb862c3 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) + 3651 (RenderLayer.cpp:4761)
24 com.apple.WebCore 0x000000054bb83928 WebCore::RenderLayer::paint(WebCore::GraphicsContext&, WebCore::LayoutRect const&, WebCore::LayoutSize const&, WTF::OptionSet<WebCore::PaintBehavior>, WebCore::RenderObject*, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>, WebCore::RenderLayer::SecurityOriginPaintPolicy, WebCore::EventRegionContext*) + 280 (RenderLayer.cpp:4222)
25 com.apple.WebCore 0x000000054b7bc0dd WebCore::FrameView::paintContents(WebCore::GraphicsContext&, WebCore::IntRect const&, WebCore::Widget::SecurityOriginPaintPolicy, WebCore::EventRegionContext*) + 829 (FrameView.cpp:4326)
26 com.apple.WebCore 0x000000054b87e81c WebCore::ScrollView::paint(WebCore::GraphicsContext&, WebCore::IntRect const&, WebCore::Widget::SecurityOriginPaintPolicy, WebCore::EventRegionContext*) + 684 (ScrollView.cpp:1277)
27 com.apple.WebCore 0x000000054ba9faaf WebCore::ContentfulPaintChecker::qualifiesForContentfulPaint(WebCore::FrameView&) + 127 (ContentfulPaintChecker.cpp:42)
28 com.apple.WebCore 0x000000054b1e57db WebCore::Document::enqueuePaintTimingEntryIfNeeded() + 187 (Document.cpp:3222)
29 com.apple.WebCore 0x000000054b7d626e WTF::Function<void (WebCore::Document&)>::operator()(WebCore::Document&) const + 10 (Function.h:83) [inlined]
30 com.apple.WebCore 0x000000054b7d626e WebCore::Page::forEachDocument(WTF::Function<void (WebCore::Document&)> const&) const + 334 (Page.cpp:3177)
31 com.apple.WebCore 0x000000054b7db76d WebCore::Page::doAfterUpdateRendering() + 189 (Page.cpp:1596)
32 com.apple.WebCore 0x000000054b7db573 WebCore::Page::updateRendering() + 1219 (Page.cpp:1559)
33 com.apple.WebKit 0x00000005484b4f48 WebKit::TiledCoreAnimationDrawingArea::updateRendering(WebKit::TiledCoreAnimationDrawingArea::UpdateRenderingType) + 60 (TiledCoreAnimationDrawingArea.mm:448)
34 com.apple.WebKit 0x00000005484b4ed8 WebKit::TiledCoreAnimationDrawingArea::forceRepaint() + 130 (TiledCoreAnimationDrawingArea.mm:171)
35 com.apple.WebKitTestRunner.InjectedBundle 0x0000000554de583d WTR::InjectedBundlePage::dump() + 37 (InjectedBundlePage.cpp:811)
36 com.apple.WebKit 0x000000054855a54a WebKit::InjectedBundlePageLoaderClient::didFinishLoadForFrame(WebKit::WebPage&, WebKit::WebFrame&, WTF::RefPtr<API::Object, WTF::RawPtrTraits<API::Object>, WTF::DefaultRefDerefTraits<API::Object> >&) + 82 (InjectedBundlePageLoaderClient.cpp:140)
37 com.apple.WebKit 0x00000005485ac486 WebKit::WebFrameLoaderClient::dispatchDidFinishLoad() + 110 (WebFrameLoaderClient.cpp:671)
38 com.apple.WebCore 0x000000054b6d415b WebCore::FrameLoader::checkLoadCompleteForThisFrame() + 2075 (FrameLoader.cpp:2574)
39 com.apple.WebCore 0x000000054b6ca65e WebCore::FrameLoader::checkLoadComplete() + 462 (FrameLoader.cpp:2729)
40 com.apple.WebCore 0x000000054b6a3edb WebCore::DocumentLoader::finishedLoading() + 811 (DocumentLoader.cpp:487)
41 com.apple.WebCore 0x000000054b73ab9f WebCore::CachedResource::checkNotify(WebCore::NetworkLoadMetrics const&) + 95 (CachedResource.cpp:375)
42 com.apple.WebCore 0x000000054b7386bf WebCore::CachedResource::finishLoading(WebCore::SharedBuffer*, WebCore::NetworkLoadMetrics const&) + 24 (CachedResource.cpp:391) [inlined]
43 com.apple.WebCore 0x000000054b7386bf WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*, WebCore::NetworkLoadMetrics const&) + 799 (CachedRawResource.cpp:123)
44 com.apple.WebCore 0x000000054b708ce3 WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) + 1203 (SubresourceLoader.cpp:733)
45 com.apple.WebKit 0x00000005485776a4 WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) + 238 (WebResourceLoader.cpp:227)
46 com.apple.WebKit 0x0000000548700e2b void IPC::callMemberFunctionImpl<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&), std::__1::tuple<WebCore::NetworkLoadMetrics>, 0ul>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&), std::__1::tuple<WebCore::NetworkLoadMetrics>&&, std::__1::integer_sequence<unsigned long, 0ul>) + 18 (HandleMessage.h:42) [inlined]
47 com.apple.WebKit 0x0000000548700e2b void IPC::callMemberFunction<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&), std::__1::tuple<WebCore::NetworkLoadMetrics>, std::__1::integer_sequence<unsigned long, 0ul> >(std::__1::tuple<WebCore::NetworkLoadMetrics>&&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) + 18 (HandleMessage.h:48) [inlined]
48 com.apple.WebKit 0x0000000548700e2b void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) + 45 (HandleMessage.h:120) [inlined]
49 com.apple.WebKit 0x0000000548700e2b WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) + 247 (WebResourceLoaderMessageReceiver.cpp:64)
50 com.apple.WebKit 0x0000000548570077 WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) + 91 (NetworkProcessConnection.cpp:93)
51 com.apple.WebKit 0x000000054801f35a IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) + 152 (Connection.cpp:1139)
52 com.apple.WebKit 0x000000054801f5a8 IPC::Connection::dispatchOneIncomingMessage() + 190 (Connection.cpp:1208)
53 com.apple.JavaScriptCore 0x000000054ff8dfe1 WTF::Function<void ()>::operator()() const + 9 (Function.h:83) [inlined]
54 com.apple.JavaScriptCore 0x000000054ff8dfe1 WTF::RunLoop::performWork() + 545 (RunLoop.cpp:128)
<rdar://problem/72425531>
Attachments
Test (224 bytes, text/html), 2021-01-08 17:43 PST, Ryosuke Niwa, no flags
Even smaller test case (173 bytes, text/html), 2021-01-13 04:13 PST, Sergio Villar Senin, no flags
Patch (4.24 KB, patch), 2021-01-18 08:26 PST, Sergio Villar Senin, no flags
Patch (4.95 KB, patch), 2021-01-19 00:49 PST, Sergio Villar Senin, rniwa: review+
Sergio Villar Senin, Comment 1, 2021-01-13 04:13:44 PST
Created attachment 417523 [details]: Even smaller test case
It crashes for me even without the webkit-line stuff.
Sergio Villar Senin, Comment 2, 2021-01-13 04:54:22 PST
It seems it's crashing due to an OOM situation caused by excessive allocations in a Vector of layer fragments. I've debugged the issue a bit and it looks like the problem is that the multicolumn code thinks that there are 10693 columns and thus creates a layer fragment for each, eventually making allocations fail. Will provide more info as available.
Ryosuke Niwa, Comment 3, 2021-01-13 13:05:06 PST
(In reply to Sergio Villar Senin from comment #2)
> It seems it's crashing due to an OOM situation caused by excessive allocations in a Vector of layer fragments. I've debugged the issue a bit and it looks like the problem is that the multicolumn code thinks that there are 10693 columns and thus creates a layer fragment for each, eventually making allocations fail.
LOL. That's hilarious. How is that possible given the document is basically empty?
Sergio Villar Senin, Comment 4, 2021-01-14 04:45:26 PST
(In reply to Ryosuke Niwa from comment #3)
> (In reply to Sergio Villar Senin from comment #2)
> > It seems it's crashing due to an OOM situation caused by excessive allocations in a Vector of layer fragments. I've debugged the issue a bit and it looks like the problem is that the multicolumn code thinks that there are 10693 columns and thus creates a layer fragment for each, eventually making allocations fail.
>
> LOL. That's hilarious. How is that possible given the document is basically empty?
That's what I'm figuring out ATM. We might be doing something wrong with overflows. Check out the overflow values for the top renderers:
B---YGL- --* RenderView at (0,0) size 1024x730 renderer->(0x6160002bcb80) (layout overflow 0,0 181782x730)
B-----L- -- HTML RenderBlock at (0,0) size 1x730 renderer->(0x612000366f40) node->(0x60c0002b63c0) (layout overflow 0,0 181782x730) (visual overflow 0,0 181782x730)
B---YGL- -- RenderMultiColumnFlowThread at (0,0) size 2x730 renderer->(0x615000286e80) (layout overflow 0,0 10694x730) (visual overflow 0,0 10694x730) [Rs:0x6140000a4e40 Re:0x6140000a4e40]
B-----L- -- HEAD RenderBlock at (0,0) size 1x730 renderer->(0x6120003670c0) node->(0x60c0002b6480) (layout overflow 0,0 10694x730) (visual overflow 0,0 10694x730) [Rs:0x6140000a4e40 Re:0x6140000a4e40]
B---YGL- -- RenderMultiColumnFlowThread at (0,0) size 1x730 renderer->(0x615000286c00) (layout overflow 0,0 630x730) (visual overflow 0,0 630x730) [Rs:0x6140000a4c40 Re:0x6140000a4c40]
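A small triage helper, added here as an example (it is not part of this bug or of WebKit's code): it parses the render-tree dump format quoted in comment 4, with those same lines embedded as input, and flags every renderer whose layout overflow is far wider than the viewport, which is the symptom that points at the runaway column count in a near-empty document. The 4x viewport threshold is an assumption chosen for this dump.

```python
import re

# Render-tree dump copied from comment 4 of this bug (one renderer per line).
RENDER_TREE_DUMP = """\
B---YGL- --* RenderView at (0,0) size 1024x730 renderer->(0x6160002bcb80) (layout overflow 0,0 181782x730)
B-----L- -- HTML RenderBlock at (0,0) size 1x730 renderer->(0x612000366f40) node->(0x60c0002b63c0) (layout overflow 0,0 181782x730) (visual overflow 0,0 181782x730)
B---YGL- -- RenderMultiColumnFlowThread at (0,0) size 2x730 renderer->(0x615000286e80) (layout overflow 0,0 10694x730) (visual overflow 0,0 10694x730) [Rs:0x6140000a4e40 Re:0x6140000a4e40]
B-----L- -- HEAD RenderBlock at (0,0) size 1x730 renderer->(0x6120003670c0) node->(0x60c0002b6480) (layout overflow 0,0 10694x730) (visual overflow 0,0 10694x730) [Rs:0x6140000a4e40 Re:0x6140000a4e40]
B---YGL- -- RenderMultiColumnFlowThread at (0,0) size 1x730 renderer->(0x615000286c00) (layout overflow 0,0 630x730) (visual overflow 0,0 630x730) [Rs:0x6140000a4c40 Re:0x6140000a4c40]
"""

# Matches "<name> at (x,y) size WxH ... (layout overflow x,y OWxOH)" in the dump format above.
# The optional uppercase word picks up the element name in "HTML RenderBlock" / "HEAD RenderBlock".
LINE_RE = re.compile(
    r"(?P<name>(?:[A-Z]+ )?Render\w+) at \(\d+,\d+\) size (?P<w>\d+)x(?P<h>\d+)"
    r".*?\(layout overflow \d+,\d+ (?P<ow>\d+)x(?P<oh>\d+)\)"
)


def parse_render_tree(dump):
    """Return one dict per renderer line: name, box size and layout-overflow size."""
    rows = []
    for line in dump.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # lines without a layout-overflow rect carry nothing we need
        rows.append({
            "renderer": m.group("name"),
            "size": (int(m.group("w")), int(m.group("h"))),
            "layout_overflow": (int(m.group("ow")), int(m.group("oh"))),
        })
    return rows


def suspicious_overflow(rows, factor=4):
    """Renderers whose layout-overflow width exceeds `factor` x the viewport width.

    The viewport is the RenderView box. In a document that is basically empty, a
    renderer overflowing it by that much is the signal that layout produced far too
    many columns (and hence far too many layer fragments to allocate).
    """
    viewport_width = next(r["size"][0] for r in rows if r["renderer"] == "RenderView")
    return [r for r in rows if r["layout_overflow"][0] > factor * viewport_width]


if __name__ == "__main__":
    for r in suspicious_overflow(parse_render_tree(RENDER_TREE_DUMP)):
        print(f'{r["renderer"]}: size {r["size"]} but layout overflow {r["layout_overflow"]}')
```

Run against the dump above it reports the first four renderers and leaves the 630px-wide flow thread alone.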
Ryosuke Niwa, Comment 5, 2021-01-14 17:35:01 PST
Hm... maybe things are messed with vertical writing mode & columns?
Sergio Villar Senin, Comment 6, 2021-01-18 08:26:09 PST
Created attachment 417834 [details]: Patch
Sergio Villar Senin, Comment 7, 2021-01-18 08:27:00 PST
I've attached a patch with a test case because I think we could consider this a non-security issue.
Sergio Villar Senin, Comment 8, 2021-01-19 00:49:18 PST
Created attachment 417862 [details]: Patch
Sergio Villar Senin, Comment 9, 2021-01-20 02:59:47 PST
Committed r271644: <https://trac.webkit.org/changeset/271644>
alan, Comment 10, 2021-04-14 11:09:43 PDT
This has caused bug 221962
WebKit Commit Bot, Comment 11, 2021-04-21 17:29:51 PDT
Re-opened since this is blocked by bug 224908
Ryosuke Niwa, Comment 12, 2021-04-21 17:58:19 PDT
<rdar://76991040>