235568 – ASSERTION FAILED: m_fragmentedFlow->objectShouldFragmentInFlowFragment(box, this)

Bug 235568 - ASSERTION FAILED: m_fragmentedFlow->objectShouldFragmentInFlowFragment(box, this)

Summary: ASSERTION FAILED: m_fragmentedFlow->objectShouldFragmentInFlowFragment(box, t...

Status:	NEW

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	WebCore Misc. (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2022-01-25 04:16 PST by A
Modified:	2022-12-14 03:50 PST (History)
CC List:	10 users (show)

See Also:

Attachments
the html can make crash (1.55 MB, application/zip) 2022-01-25 04:16 PST, A	no flags	Details
Patch (1.32 KB, patch) 2022-10-18 13:53 PDT, Rob Buis	no flags	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description A 2022-01-25 04:16:45 PST

Created attachment 449910 [details]
the html can make crash

1. build a debug webkit
2. open the html
3. crash

ASSERTION FAILED: m_fragmentedFlow->objectShouldFragmentInFlowFragment(box, this)
../../Source/WebCore/rendering/RenderFragmentContainer.cpp(446) : void WebCore::RenderFragmentContainer::ensureOverflowForBox(const WebCore::RenderBox*, WTF::RefPtr<WebCore::RenderOverflow>&, bool)
1   0x7ff308b0c964 WTFReportBacktrace
2   0x7ff308b0cc01 WTFCrash
3   0x7ff322603ba1 WTF::CrashOnOverflow::overflowed()
4   0x7ff32bf89418 WebCore::RenderFragmentContainer::ensureOverflowForBox(WebCore::RenderBox const*, WTF::RefPtr<WebCore::RenderOverflow, WTF::RawPtrTraits<WebCore::RenderOverflow>, WTF::DefaultRefDerefTraits<WebCore::RenderOverflow> >&, bool)
5   0x7ff32bf8a743 WebCore::RenderFragmentContainer::layoutOverflowRectForBox(WebCore::RenderBox const*)
6   0x7ff32bf8ac1d WebCore::RenderFragmentContainer::layoutOverflowRectForBoxForPropagation(WebCore::RenderBox const*)
7   0x7ff32bf9a79b WebCore::RenderFragmentedFlow::addFragmentsOverflowFromChild(WebCore::RenderBox const*, WebCore::RenderBox const*, WebCore::LayoutSize const&)
8   0x7ff32be8a092 WebCore::RenderBox::addOverflowFromChild(WebCore::RenderBox const*, WebCore::LayoutSize const&)
9   0x7ff32bd3f1ab WebCore::RenderBlock::addOverflowFromPositionedObjects()
10  0x7ff32bd3e5fa WebCore::RenderBlock::computeOverflow(WebCore::LayoutUnit, bool)
11  0x7ff32be28891 WebCore::RenderBlockFlow::computeOverflow(WebCore::LayoutUnit, bool)
12  0x7ff32be14b6e WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)
13  0x7ff32be3e20e WebCore::RenderBlockFlow::relayoutForPagination()
14  0x7ff32be1431e WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)
15  0x7ff32bd3d8ab WebCore::RenderBlock::layout()
16  0x7ff32be16a40 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
17  0x7ff32be15c96 WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)
18  0x7ff32be13fa4 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)
19  0x7ff32bd3d8ab WebCore::RenderBlock::layout()
20  0x7ff32bc80e9e WebCore::RenderElement::layoutIfNeeded()
21  0x7ff32bc659be WebCore::GridTrackSizingAlgorithmStrategy::logicalHeightForChild(WebCore::RenderBox&) const
22  0x7ff32bc65ffd WebCore::GridTrackSizingAlgorithmStrategy::minContentForChild(WebCore::RenderBox&) const
23  0x7ff32bc66921 WebCore::GridTrackSizingAlgorithmStrategy::minSizeForChild(WebCore::RenderBox&) const
24  0x7ff32bc60097 WebCore::GridTrackSizingAlgorithm::sizeTrackToFitNonSpanningItem(WebCore::GridSpan const&, WebCore::RenderBox&, WebCore::GridTrack&)
25  0x7ff32bc6cf5a WebCore::GridTrackSizingAlgorithm::resolveIntrinsicTrackSizes()
26  0x7ff32bc6fafe WebCore::GridTrackSizingAlgorithm::run()
27  0x7ff32bfddf81 WebCore::RenderGrid::computeTrackSizesForIndefiniteSize(WebCore::GridTrackSizingAlgorithm&, WebCore::GridTrackSizingDirection, WebCore::LayoutUnit*, WebCore::LayoutUnit*) const
28  0x7ff32bfdbcba WebCore::RenderGrid::layoutBlock(bool, WebCore::LayoutUnit)
29  0x7ff32bd3d8ab WebCore::RenderBlock::layout()
30  0x7ff32bc80e9e WebCore::RenderElement::layoutIfNeeded()
31  0x7ff32bd1b8b4 WebCore::LegacyLineLayout::layoutLineBoxes(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&)

Comment 1 Radar WebKit Bug Importer 2022-02-01 04:17:17 PST

<rdar://problem/88321949>

Comment 2 Rob Buis 2022-10-18 13:44:17 PDT

The box being added for overflow is an absolute positioned box and the overflow is being calculated at the time for a RenderMultiColumnSet.

Render tree at the time of ASSERT:
BR----L-- -+                      DIV RenderBlock at (0,48) size 33554432x33554432 renderer->(0x14fcbe540) node->(0x109afe6e0) [spans fragment containers in flow 0x14ec75380 from 0x108737640 to 0x108737640] layout->[self][normal child][positioned child]
B---YGL-- --                        RenderMultiColumnFlowThread at (33554432,33554432) size 0x21 renderer->(0x14ec75680) (layout overflow -33554430,-33554416 33554432x33554432) (visual overflow -33554430,-33554416 33554432x33554432) [fragment containers 0x108793a40] [spans fragment containers in flow 0x14ec75380 from 0x108737640 to 0x108737640]
-------- --                          Line: (top: -33554416 bottom: 19) with leading (top: 0 bottom: 21)
-------- --                          RootInlineBox at (0,2) size 2x17 (0x14edeb680) renderer->(0x14ec75680)
-------- --                            InlineBox at (-33554430,-33554416) size 33554432x33554432 (0x15064b420) renderer->(0x14fcbe240)
N-----L-- --                          DIV RenderBlock at (-33554430,-33554416) size 33554432x33554432 renderer->(0x14fcbe240) node->(0x109afe610) (layout overflow 3,0 33554426x33554432) [spans fragment containers in flow 0x14ec75680 from 0x108793a40 to 0x108793a40]
B---YGL-- --                            RenderMultiColumnFlowThread at (3,33554428) size 496x93 renderer->(0x14ec75980) [fragment containers 0x108726040] [spans fragment containers in flow 0x14ec75680 from 0x108793a40 to 0x108793a40]
B-------- --                              A RenderBlock at (0,0) size 496x93 renderer->(0x14fcbdf40) node->(0x109b40b60) [spans fragment containers in flow 0x14ec75980 from 0x108726040 to 0x108726040]
BA---GL-- --*                               <pseudo> RenderBlock at (33554432,16777216) size 0x23488100 renderer->(0x14fcbddc0) node->(0x109b845c0) (layout overflow 0,0 0x23488100) (visual overflow -17,-2 34x23488134) [spans fragment containers in flow 0x14ec75380 from 0x108737640 to 0x108737640]
-------- --                                  line at (0.00,0.00) size (0.00x0.00) baseline (0.00) enclosing top (-14.00) bottom (3.00)
-------- --                                    Root inline box at (0.00,-14.00) size (0.00x17.00)
-------- --                                    Run(s):
I---YG--- --                                  RenderText renderer->(0x108d80740)
BR----L-- --                                SPAN RenderBlock at (0,0) size 496x93 renderer->(0x14fcbdac0) node->(0x109afe540) [spans fragment containers in flow 0x14ec75980 from 0x108726040 to 0x108726040]
-------- --                                  Line: (top: 31 bottom: 62) with leading (top: 32 bottom: 62)
-------- --                                  RootInlineBox at (162.91,31) size 170.18x31 (0x14eded480) renderer->(0x14fcbdac0)
-------- --                                    InlineTextBox at (162.91,31) size 170.18x31 (0x1099d8730) renderer->(0x109b844e0) run(0, 6) "å<88><9b>å»ºå<85><8d>è´¹å¸<90>æ<88>·"
I-------- --                                  #text RenderText renderer->(0x109b844e0) node->(0x109992a00) length->(6) "å<88><9b>å»ºå<85><8d>è´¹å¸<90>æ<88>·"
B---YG--- --                            RenderMultiColumnSet at (3,33554428) size 33554426x31 renderer->(0x108726040) (column count 65535, size 496x31, gap 16) [spans fragment containers in flow 0x14ec75680 from 0x108793a40 to 0x108793a40]
I-------- --                          #text RenderText renderer->(0x109b84400) node->(0x1099928a0) length->(25) "\n                        "
B---YG--- --                        RenderMultiColumnSet at (33554432,33554432) size 0x16777216 renderer->(0x108793a40) (column count 65535, size 0x16777216, gap 16) [spans fragment containers in flow 0x14ec75380 from 0x108737640 to 0x108737640]

Comment 3 Rob Buis 2022-10-18 13:53:29 PDT

Created attachment 463062 [details]
Patch