Bug 222711 - ASSERTION FAILED: contentSize >= 0 in WebCore::RenderFlexibleBox::adjustChildSizeForMinAndMax
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering
Version: Other
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Sergio Villar Senin
Keywords: InRadar
Depends on:
Reported: 2021-03-03 23:25 PST by Ryan Haddad
Modified: 2021-05-04 11:19 PDT
CC List: 17 users

See Also:

Patch (3.97 KB, patch)
2021-03-16 05:26 PDT, Sergio Villar Senin
simon.fraser: review+
zalan: commit-queue-
Patch (4.52 KB, patch)
2021-05-04 04:11 PDT, Sergio Villar Senin
no flags

Description Ryan Haddad 2021-03-03 23:25:28 PST
imported/w3c/web-platform-tests/css/css-flexbox/frameset-crash.html, which was recently imported with https://trac.webkit.org/changeset/273825/webkit, is frequently asserting on iOS and macOS debug bots.


ASSERTION FAILED: contentSize >= 0
./rendering/RenderFlexibleBox.cpp(1210) : WebCore::LayoutUnit WebCore::RenderFlexibleBox::adjustChildSizeForMinAndMax(const WebCore::RenderBox &, WebCore::LayoutUnit)
1   0x144404329 WTFCrash
2   0x127ee57db WTFCrashWithInfo(int, char const*, char const*, int)
3   0x12c8ccbaa WebCore::RenderFlexibleBox::adjustChildSizeForMinAndMax(WebCore::RenderBox const&, WebCore::LayoutUnit)
4   0x12c8ca6f0 WebCore::RenderFlexibleBox::constructFlexItem(WebCore::RenderBox&, bool)
5   0x12c8c585a WebCore::RenderFlexibleBox::layoutFlexItems(bool)
6   0x12c8c5364 WebCore::RenderFlexibleBox::layoutBlock(bool, WebCore::LayoutUnit)
7   0x12c7db8b9 WebCore::RenderBlock::layout()
8   0x12c7f6a02 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
9   0x12c7f5344 WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)
10  0x12c7f41c3 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)
11  0x12c7db8b9 WebCore::RenderBlock::layout()
12  0x12c7f6a02 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
13  0x12c7f5344 WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)
14  0x12c7f41c3 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)
15  0x12c7db8b9 WebCore::RenderBlock::layout()
16  0x12c7f6a02 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
17  0x12c7f5344 WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)
18  0x12c7f41c3 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)
19  0x12c7db8b9 WebCore::RenderBlock::layout()
20  0x12caaee33 WebCore::RenderView::layout()
21  0x12be804b1 WebCore::FrameViewLayoutContext::layout()
22  0x12af61ce6 WebCore::Document::implicitClose()
23  0x12bc44d6b WebCore::FrameLoader::checkCallImplicitClose()
24  0x12bc4479a WebCore::FrameLoader::checkCompleted()
25  0x12bc42887 WebCore::FrameLoader::finishedParsing()
26  0x12af76866 WebCore::Document::finishedParsing()
27  0x12b76fdd8 WebCore::HTMLConstructionSite::finishedParsing()
28  0x12b7b8c97 WebCore::HTMLTreeBuilder::finished()
29  0x12b777418 WebCore::HTMLDocumentParser::end()
30  0x12b7750e8 WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd()
31  0x12b774e27 WebCore::HTMLDocumentParser::prepareToStopParsing()
Comment 1 Radar WebKit Bug Importer 2021-03-03 23:25:55 PST
Comment 2 Sergio Villar Senin 2021-03-04 00:49:04 PST
Committed r273876 (234837@main): <https://commits.webkit.org/234837@main>
Comment 3 Sergio Villar Senin 2021-03-04 00:50:12 PST
This was not meant to be closed.

I've just landed in r273876 a gardening patch skipping this test in Debug until we figure out what's going on.
Comment 4 Sergio Villar Senin 2021-03-16 05:26:33 PDT
Created attachment 423322
Comment 5 Sergio Villar Senin 2021-03-18 05:17:43 PDT
Ping reviewers
Comment 6 Sergio Villar Senin 2021-04-13 01:52:40 PDT
Another gentle ping
Comment 7 zalan 2021-05-03 18:52:25 PDT
Comment on attachment 423322

View in context: https://bugs.webkit.org/attachment.cgi?id=423322&action=review

> Source/WebCore/rendering/RenderFrameSet.cpp:437
> +    ASSERT(preferredLogicalWidthsDirty());
> +
> +    RenderBox::computePreferredLogicalWidths(style().logicalMinWidth(), style().logicalMaxWidth(), borderAndPaddingLogicalWidth());
> +    setPreferredLogicalWidthsDirty(false);

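Review bot: the quoted lines of this RenderFrameSet.cpp hunk contain nothing specific to framesets: they forward style().logicalMinWidth(), style().logicalMaxWidth() and borderAndPaddingLogicalWidth() to the RenderBox helper and then clear the dirty bit, so any other subclass lacking its own override would need the same boilerplate. Either hoist this into the RenderBox default or add a comment saying why the frameset needs its own copy. Also, ASSERT(preferredLogicalWidthsDirty()) on the first quoted line only guards debug builds, so callers are expected to check the dirty bit themselves before reaching this function.
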
I am curious as to why RenderBox::computePreferredLogicalWidths() does not simply call the other computePreferredLogicalWidths() function. I did a quick grep and it looked like many RenderBox subclasses override this function. It would be interesting to know if there's another class that's missing the override and whether it is intentional or just a mistake like this. I'd move this functionality up to the RenderBox unless there's a good reason not to (so that we don't end up with this exact same bug if someone introduces a new subclass).
Comment 8 Sergio Villar Senin 2021-05-04 04:11:39 PDT
Created attachment 427650

Something like this Alan?
Comment 9 zalan 2021-05-04 06:41:58 PDT
(In reply to Sergio Villar Senin from comment #8)
> Created attachment 427650
> Patch
> Something like this Alan?
Exactly like this! Thanks! Will review it in a bit.
Comment 10 zalan 2021-05-04 10:19:44 PDT
Comment on attachment 427650

So it looks like there are 2 classes with no computePreferredLogicalWidths override, RenderTableRow and RenderMultiColumnSpannerPlaceholder. If this patch regresses them in any way, we could just override and leave them empty with an explanation of why they should not need to provide the preferred logical width.
Comment 11 EWS 2021-05-04 11:19:51 PDT
Committed r276971 (237300@main): <https://commits.webkit.org/237300@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 427650.