Bug 220490 - [css-multicol] OOM with 1px height columns
Summary: [css-multicol] OOM with 1px height columns
Status: REOPENED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on: 224908
Blocks:
Reported: 2021-01-08 17:43 PST by Ryosuke Niwa
Modified: 2022-01-31 08:37 PST (History)
CC List: 12 users

See Also:


Attachments
Test (224 bytes, text/html)
2021-01-08 17:43 PST, Ryosuke Niwa
no flags
Even smaller test case (173 bytes, text/html)
2021-01-13 04:13 PST, Sergio Villar Senin
no flags
Patch (4.24 KB, patch)
2021-01-18 08:26 PST, Sergio Villar Senin
no flags
Patch (4.95 KB, patch)
2021-01-19 00:49 PST, Sergio Villar Senin
rniwa: review+

Description Ryosuke Niwa 2021-01-08 17:43:21 PST
Created attachment 417322
Test

With a non-ASAN release build, we hit the following crash with the attached test case:

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x000000054bbb644a bool WTF::VectorBufferBase<WebCore::LayerFragment, WTF::FastMalloc>::allocateBuffer<(WTF::FailureAction)0>(unsigned long) + 1 (Vector.h:293) [inlined]
1   com.apple.WebCore             	0x000000054bbb644a bool WTF::VectorBuffer<WebCore::LayerFragment, 1ul, WTF::FastMalloc>::allocateBuffer<(WTF::FailureAction)0>(unsigned long) + 1 (Vector.h:470) [inlined]
2   com.apple.WebCore             	0x000000054bbb644a bool WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::reserveCapacity<(WTF::FailureAction)0>(unsigned long) + 266 (Vector.h:1195)
3   com.apple.WebCore             	0x000000054bbb6330 bool WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::expandCapacity<(WTF::FailureAction)0>(unsigned long) + 50 (Vector.h:1056) [inlined]
4   com.apple.WebCore             	0x000000054bbb6330 WebCore::LayerFragment* WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::expandCapacity<(WTF::FailureAction)0>(unsigned long, WebCore::LayerFragment*) + 144 (Vector.h:1065)
5   com.apple.WebCore             	0x000000054bbd3169 bool WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::appendSlowCase<(WTF::FailureAction)0, WebCore::LayerFragment&>(WebCore::LayerFragment&) + 18 (Vector.h:1317) [inlined]
6   com.apple.WebCore             	0x000000054bbd3169 bool WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::append<(WTF::FailureAction)0, WebCore::LayerFragment&>(WebCore::LayerFragment&) + 28 (Vector.h:1292) [inlined]
7   com.apple.WebCore             	0x000000054bbd3169 void WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::append<WebCore::LayerFragment&>(WebCore::LayerFragment&) + 28 (Vector.h:776) [inlined]
8   com.apple.WebCore             	0x000000054bbd3169 WebCore::RenderMultiColumnSet::collectLayerFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WebCore::LayoutRect const&, WebCore::LayoutRect const&) + 1865 (RenderMultiColumnSet.cpp:830)
9   com.apple.WebCore             	0x000000054bb50ba5 WebCore::RenderFragmentedFlow::collectLayerFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WebCore::LayoutRect const&, WebCore::LayoutRect const&) + 53 (RenderFragmentedFlow.cpp:857)
10  com.apple.WebCore             	0x000000054bb884cf WebCore::RenderLayer::collectFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WebCore::RenderLayer const*, WebCore::LayoutRect const&, WebCore::RenderLayer::PaginationInclusionMode, WebCore::ClipRectsType, WebCore::OverlayScrollbarSizeRelevancy, WebCore::ShouldRespectOverflowClip, WebCore::LayoutSize const&, WebCore::LayoutRect const*, WebCore::ShouldApplyRootOffsetToFragments) + 1103 (RenderLayer.cpp:4947)
11  com.apple.WebCore             	0x000000054bb85f66 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) + 2790 (RenderLayer.cpp:4725)
12  com.apple.WebCore             	0x000000054bb86266 WebCore::RenderLayer::paintList(WebCore::RenderLayer::LayerList, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) + 63 (RenderLayer.cpp:4863) [inlined]
13  com.apple.WebCore             	0x000000054bb86266 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) + 3558 (RenderLayer.cpp:4758)
14  com.apple.WebCore             	0x000000054bb86266 WebCore::RenderLayer::paintList(WebCore::RenderLayer::LayerList, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) + 63 (RenderLayer.cpp:4863) [inlined]
15  com.apple.WebCore             	0x000000054bb86266 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) + 3558 (RenderLayer.cpp:4758)
16  com.apple.WebCore             	0x000000054bb86266 WebCore::RenderLayer::paintList(WebCore::RenderLayer::LayerList, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) + 63 (RenderLayer.cpp:4863) [inlined]
17  com.apple.WebCore             	0x000000054bb86266 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) + 3558 (RenderLayer.cpp:4758)
18  com.apple.WebCore             	0x000000054bb86266 WebCore::RenderLayer::paintList(WebCore::RenderLayer::LayerList, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) + 63 (RenderLayer.cpp:4863) [inlined]
19  com.apple.WebCore             	0x000000054bb86266 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) + 3558 (RenderLayer.cpp:4758)
20  com.apple.WebCore             	0x000000054bb86266 WebCore::RenderLayer::paintList(WebCore::RenderLayer::LayerList, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) + 63 (RenderLayer.cpp:4863) [inlined]
21  com.apple.WebCore             	0x000000054bb86266 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) + 3558 (RenderLayer.cpp:4758)
22  com.apple.WebCore             	0x000000054bb862c3 WebCore::RenderLayer::paintList(WebCore::RenderLayer::LayerList, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) + 76 (RenderLayer.cpp:4863) [inlined]
23  com.apple.WebCore             	0x000000054bb862c3 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) + 3651 (RenderLayer.cpp:4761)
24  com.apple.WebCore             	0x000000054bb83928 WebCore::RenderLayer::paint(WebCore::GraphicsContext&, WebCore::LayoutRect const&, WebCore::LayoutSize const&, WTF::OptionSet<WebCore::PaintBehavior>, WebCore::RenderObject*, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>, WebCore::RenderLayer::SecurityOriginPaintPolicy, WebCore::EventRegionContext*) + 280 (RenderLayer.cpp:4222)
25  com.apple.WebCore             	0x000000054b7bc0dd WebCore::FrameView::paintContents(WebCore::GraphicsContext&, WebCore::IntRect const&, WebCore::Widget::SecurityOriginPaintPolicy, WebCore::EventRegionContext*) + 829 (FrameView.cpp:4326)
26  com.apple.WebCore             	0x000000054b87e81c WebCore::ScrollView::paint(WebCore::GraphicsContext&, WebCore::IntRect const&, WebCore::Widget::SecurityOriginPaintPolicy, WebCore::EventRegionContext*) + 684 (ScrollView.cpp:1277)
27  com.apple.WebCore             	0x000000054ba9faaf WebCore::ContentfulPaintChecker::qualifiesForContentfulPaint(WebCore::FrameView&) + 127 (ContentfulPaintChecker.cpp:42)
28  com.apple.WebCore             	0x000000054b1e57db WebCore::Document::enqueuePaintTimingEntryIfNeeded() + 187 (Document.cpp:3222)
29  com.apple.WebCore             	0x000000054b7d626e WTF::Function<void (WebCore::Document&)>::operator()(WebCore::Document&) const + 10 (Function.h:83) [inlined]
30  com.apple.WebCore             	0x000000054b7d626e WebCore::Page::forEachDocument(WTF::Function<void (WebCore::Document&)> const&) const + 334 (Page.cpp:3177)
31  com.apple.WebCore             	0x000000054b7db76d WebCore::Page::doAfterUpdateRendering() + 189 (Page.cpp:1596)
32  com.apple.WebCore             	0x000000054b7db573 WebCore::Page::updateRendering() + 1219 (Page.cpp:1559)
33  com.apple.WebKit              	0x00000005484b4f48 WebKit::TiledCoreAnimationDrawingArea::updateRendering(WebKit::TiledCoreAnimationDrawingArea::UpdateRenderingType) + 60 (TiledCoreAnimationDrawingArea.mm:448)
34  com.apple.WebKit              	0x00000005484b4ed8 WebKit::TiledCoreAnimationDrawingArea::forceRepaint() + 130 (TiledCoreAnimationDrawingArea.mm:171)
35  com.apple.WebKitTestRunner.InjectedBundle	0x0000000554de583d WTR::InjectedBundlePage::dump() + 37 (InjectedBundlePage.cpp:811)
36  com.apple.WebKit              	0x000000054855a54a WebKit::InjectedBundlePageLoaderClient::didFinishLoadForFrame(WebKit::WebPage&, WebKit::WebFrame&, WTF::RefPtr<API::Object, WTF::RawPtrTraits<API::Object>, WTF::DefaultRefDerefTraits<API::Object> >&) + 82 (InjectedBundlePageLoaderClient.cpp:140)
37  com.apple.WebKit              	0x00000005485ac486 WebKit::WebFrameLoaderClient::dispatchDidFinishLoad() + 110 (WebFrameLoaderClient.cpp:671)
38  com.apple.WebCore             	0x000000054b6d415b WebCore::FrameLoader::checkLoadCompleteForThisFrame() + 2075 (FrameLoader.cpp:2574)
39  com.apple.WebCore             	0x000000054b6ca65e WebCore::FrameLoader::checkLoadComplete() + 462 (FrameLoader.cpp:2729)
40  com.apple.WebCore             	0x000000054b6a3edb WebCore::DocumentLoader::finishedLoading() + 811 (DocumentLoader.cpp:487)
41  com.apple.WebCore             	0x000000054b73ab9f WebCore::CachedResource::checkNotify(WebCore::NetworkLoadMetrics const&) + 95 (CachedResource.cpp:375)
42  com.apple.WebCore             	0x000000054b7386bf WebCore::CachedResource::finishLoading(WebCore::SharedBuffer*, WebCore::NetworkLoadMetrics const&) + 24 (CachedResource.cpp:391) [inlined]
43  com.apple.WebCore             	0x000000054b7386bf WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*, WebCore::NetworkLoadMetrics const&) + 799 (CachedRawResource.cpp:123)
44  com.apple.WebCore             	0x000000054b708ce3 WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) + 1203 (SubresourceLoader.cpp:733)
45  com.apple.WebKit              	0x00000005485776a4 WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) + 238 (WebResourceLoader.cpp:227)
46  com.apple.WebKit              	0x0000000548700e2b void IPC::callMemberFunctionImpl<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&), std::__1::tuple<WebCore::NetworkLoadMetrics>, 0ul>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&), std::__1::tuple<WebCore::NetworkLoadMetrics>&&, std::__1::integer_sequence<unsigned long, 0ul>) + 18 (HandleMessage.h:42) [inlined]
47  com.apple.WebKit              	0x0000000548700e2b void IPC::callMemberFunction<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&), std::__1::tuple<WebCore::NetworkLoadMetrics>, std::__1::integer_sequence<unsigned long, 0ul> >(std::__1::tuple<WebCore::NetworkLoadMetrics>&&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) + 18 (HandleMessage.h:48) [inlined]
48  com.apple.WebKit              	0x0000000548700e2b void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) + 45 (HandleMessage.h:120) [inlined]
49  com.apple.WebKit              	0x0000000548700e2b WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) + 247 (WebResourceLoaderMessageReceiver.cpp:64)
50  com.apple.WebKit              	0x0000000548570077 WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) + 91 (NetworkProcessConnection.cpp:93)
51  com.apple.WebKit              	0x000000054801f35a IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) + 152 (Connection.cpp:1139)
52  com.apple.WebKit              	0x000000054801f5a8 IPC::Connection::dispatchOneIncomingMessage() + 190 (Connection.cpp:1208)
53  com.apple.JavaScriptCore      	0x000000054ff8dfe1 WTF::Function<void ()>::operator()() const + 9 (Function.h:83) [inlined]
54  com.apple.JavaScriptCore      	0x000000054ff8dfe1 WTF::RunLoop::performWork() + 545 (RunLoop.cpp:128)

<rdar://problem/72425531>
Comment 1 Sergio Villar Senin 2021-01-13 04:13:44 PST
Created attachment 417523
Even smaller test case

It crashes for me even without the webkit-line stuff.
Comment 2 Sergio Villar Senin 2021-01-13 04:54:22 PST
It seems it's crashing due to an OOM situation caused by excessive allocations in a Vector of layer fragments. I've debugged the issue a bit and it looks like the problem is that the multicolumn code thinks that there are 10693 columns and thus creates a layer fragment for each, eventually making allocations fail.

Will provide more info as available.
Comment 3 Ryosuke Niwa 2021-01-13 13:05:06 PST
(In reply to Sergio Villar Senin from comment #2)
> It seems it's crashing due to an OOM situation caused by excessive
> allocations in a Vector of layer fragments. I've debugged the issue a bit
> and it looks like the problem is that the multicolumn code thinks that there
> are 10693 columns and thus creates a layer fragment for each, eventually
> making allocations fail.

LOL. That's hilarious. How is that possible given the document is basically empty?
Comment 4 Sergio Villar Senin 2021-01-14 04:45:26 PST
(In reply to Ryosuke Niwa from comment #3)
> (In reply to Sergio Villar Senin from comment #2)
> > It seems it's crashing due to an OOM situation caused by excessive
> > allocations in a Vector of layer fragments. I've debugged the issue a bit
> > and it looks like the problem is that the multicolumn code thinks that there
> > are 10693 columns and thus creates a layer fragment for each, eventually
> > making allocations fail.
> 
> LOL. That's hilarious. How is that possible given the document is basically
> empty?

That's what I'm figuring out ATM. We might be doing something wrong with overflows. Check out the overflow values for the top renderers:

B---YGL- --* RenderView at (0,0) size 1024x730 renderer->(0x6160002bcb80) (layout overflow 0,0 181782x730)
B-----L- --    HTML RenderBlock at (0,0) size 1x730 renderer->(0x612000366f40) node->(0x60c0002b63c0) (layout overflow 0,0 181782x730) (visual overflow 0,0 181782x730)
B---YGL- --      RenderMultiColumnFlowThread at (0,0) size 2x730 renderer->(0x615000286e80) (layout overflow 0,0 10694x730) (visual overflow 0,0 10694x730) [Rs:0x6140000a4e40 Re:0x6140000a4e40]
B-----L- --        HEAD RenderBlock at (0,0) size 1x730 renderer->(0x6120003670c0) node->(0x60c0002b6480) (layout overflow 0,0 10694x730) (visual overflow 0,0 10694x730) [Rs:0x6140000a4e40 Re:0x6140000a4e40]
B---YGL- --          RenderMultiColumnFlowThread at (0,0) size 1x730 renderer->(0x615000286c00) (layout overflow 0,0 630x730) (visual overflow 0,0 630x730) [Rs:0x6140000a4c40 Re:0x6140000a4c40]
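Comments 2 and 4 describe the mechanism: the column count is derived from the geometry, and a layer fragment is allocated per column, so a 1px column height turns the content's block extent into thousands of fragments. The C++ block below is an added illustration of that allocation pattern; it is not WebKit code and not the fix landed in r271644. The struct and function names, the geometry values (10693 columns of 1px, taken from comment 2) and the fragment limit in the bounded variant are assumptions made for this example. It places the unbounded per-column collection beside a variant that only collects the columns intersecting the dirty rect and fails loudly past a fixed limit instead of growing a vector until allocation fails.

```cpp
// Added illustration (not WebKit code): a simplified model of how a multicolumn
// set derives its column count from geometry and then allocates one layer
// fragment per column when collecting fragments for painting. Names, values
// and the bounded variant are assumptions made for this example.
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

struct LayoutRect {
    int64_t x, y, width, height;
    int64_t maxX() const { return x + width; }
};

// One paint fragment per column. The real struct carries more rects; the
// per-column allocation is the point.
struct LayerFragment {
    LayoutRect paginationClip;
    int64_t paginationOffset;
};

// Hypothetical multicolumn geometry: columns stacked along the inline axis,
// each columnWidth wide, columnHeight tall and columnGap apart.
struct MultiColumnGeometry {
    int64_t flowThreadHeight; // total block-direction extent of the content
    int64_t columnHeight;     // block size of each column (the "1px" of the bug title)
    int64_t columnWidth;
    int64_t columnGap;
};

// ceil(flowThreadHeight / columnHeight). With a 1px column height every pixel
// of content becomes its own column, so page content controls this number.
int64_t columnCount(const MultiColumnGeometry& g)
{
    if (g.columnHeight <= 0 || g.flowThreadHeight <= 0)
        return 1;
    return (g.flowThreadHeight + g.columnHeight - 1) / g.columnHeight;
}

static LayerFragment fragmentForColumn(const MultiColumnGeometry& g, int64_t column)
{
    LayerFragment f = {};
    f.paginationClip = { column * (g.columnWidth + g.columnGap), 0, g.columnWidth, g.columnHeight };
    f.paginationOffset = column * g.columnHeight;
    return f;
}

static int64_t clampColumn(int64_t column, int64_t count)
{
    if (column < 0)
        return 0;
    return column >= count ? count - 1 : column;
}

// Unbounded collection: one fragment for every column the geometry implies,
// whether or not it is near the area being painted. The vector grows linearly
// with the column count, which is the behaviour comment 2 describes.
std::vector<LayerFragment> collectFragmentsUnbounded(const MultiColumnGeometry& g)
{
    std::vector<LayerFragment> fragments;
    const int64_t count = columnCount(g);
    for (int64_t column = 0; column < count; ++column)
        fragments.push_back(fragmentForColumn(g, column));
    return fragments;
}

// Bounded collection: only the columns intersecting dirtyRect, plus a hard
// limit (an assumed value) that turns a runaway count into a reportable error
// rather than an allocation failure deep inside painting.
std::vector<LayerFragment> collectFragmentsBounded(const MultiColumnGeometry& g,
                                                   const LayoutRect& dirtyRect,
                                                   size_t maxFragments = 4096)
{
    std::vector<LayerFragment> fragments;
    const int64_t stride = g.columnWidth + g.columnGap;
    if (stride <= 0 || dirtyRect.width <= 0)
        return fragments;
    const int64_t count = columnCount(g);
    const int64_t first = clampColumn(dirtyRect.x / stride, count);
    const int64_t last = clampColumn((dirtyRect.maxX() - 1) / stride, count);
    if (static_cast<uint64_t>(last - first + 1) > maxFragments)
        throw std::length_error("layer fragment count exceeds limit");
    for (int64_t column = first; column <= last; ++column)
        fragments.push_back(fragmentForColumn(g, column));
    return fragments;
}
```

The bounded variant is only a model of the defensive shape (clip the work to what is painted, and cap what content can make the engine allocate); it does not claim to match what the committed patch changed.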
Comment 5 Ryosuke Niwa 2021-01-14 17:35:01 PST
Hm... maybe things are messed with vertical writing mode & columns?
Comment 6 Sergio Villar Senin 2021-01-18 08:26:09 PST
Created attachment 417834
Patch
Comment 7 Sergio Villar Senin 2021-01-18 08:27:00 PST
I've attached a patch with a test case because I think we could consider this as a non-security issue.
Comment 8 Sergio Villar Senin 2021-01-19 00:49:18 PST
Created attachment 417862
Patch
Comment 9 Sergio Villar Senin 2021-01-20 02:59:47 PST
Committed r271644: <https://trac.webkit.org/changeset/271644>
Comment 10 zalan 2021-04-14 11:09:43 PDT
This has caused bug 221962
Comment 11 WebKit Commit Bot 2021-04-21 17:29:51 PDT
Re-opened since this is blocked by bug 224908
Comment 12 Ryosuke Niwa 2021-04-21 17:58:19 PDT
<rdar://76991040>