Created attachment 461966 [details] the html ASSERTION FAILED: !hasEllipsisBox() /home/fuzzer/temp/webkit/webkitgtk-2.36.0/Source/WebCore/rendering/LegacyRootInlineBox.cpp(135) : float WebCore::LegacyRootInlineBox::placeEllipsis(const WTF::AtomString &, bool, float, float, float, WebCore::LegacyInlineBox *) ** (MiniBrowser:3380): WARNING **: 12:59:40.030: WebProcess CRASHED
<rdar://problem/99559298>
Created attachment 463078 [details] Minimized testcase Here is a minimized test. I verified that it hits the following assert on non-ASAN macOS/GTK debug builds: ASSERTION FAILED: !hasEllipsisBox() rendering/LegacyRootInlineBox.cpp(135) : float WebCore::LegacyRootInlineBox::placeEllipsis(const WTF::AtomString &, bool, float, float, float, WebCore::LegacyInlineBox *) 1 0x13c773550 WTFCrash 2 0x2806e7470 WebCore::JSBeforeUnloadEvent::createPrototype(JSC::VM&, WebCore::JSDOMGlobalObject&) 3 0x2853b8dd8 WebCore::LegacyRootInlineBox::placeEllipsis(WTF::AtomString const&, bool, float, float, float, WebCore::LegacyInlineBox*) 4 0x2854a3eb8 WebCore::RenderDeprecatedFlexibleBox::applyLineClamp(WebCore::FlexBoxIterator&, bool) 5 0x2854a1440 WebCore::RenderDeprecatedFlexibleBox::layoutVerticalBox(bool) 6 0x28549f828 WebCore::RenderDeprecatedFlexibleBox::layoutBlock(bool, WebCore::LayoutUnit) 7 0x2853f9abc WebCore::RenderBlock::layout() 8 0x285417030 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) 9 0x28541597c WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) 10 0x285414ad4 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) 11 0x2853f9abc WebCore::RenderBlock::layout() 12 0x2844d9dc4 WebCore::RenderElement::layoutIfNeeded() 13 0x285417f3c WebCore::RenderBlockFlow::layoutModernLines(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) 14 0x285415730 WebCore::RenderBlockFlow::layoutInlineChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) 15 0x285414abc WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) 16 0x2853f9abc WebCore::RenderBlock::layout() 17 0x285417030 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) 18 0x28541597c WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) 19 0x285414ad4 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) 20 0x2853f9abc WebCore::RenderBlock::layout() 21 0x285417030 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) 22 0x28541597c WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) 23 0x285414ad4 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) 24 0x2853f9abc WebCore::RenderBlock::layout() 25 0x2856a2388 WebCore::RenderView::layout() 26 0x284887b34 WebCore::FrameViewLayoutContext::performLayout() 27 0x284887454 WebCore::FrameViewLayoutContext::layout() 28 0x283842ad8 WebCore::Document::implicitClose() 29 0x2845b0ad4 WebCore::FrameLoader::checkCallImplicitClose() 30 0x2845b0538 WebCore::FrameLoader::checkCompleted() 31 0x2845ae9c0 WebCore::FrameLoader::finishedParsing()
Same ASSERT without the dynamic script lines: <meta charset="utf-8"> <style> body { font-family: Arial,sans-serif } #container1 { display: inline-block; margin: 1e+21em; line-break: anywhere; font-variant-caps: petite-caps; } #container2 { -webkit-box-orient: vertical; -webkit-line-clamp: 2; display: -webkit-box; overflow: hidden; text-overflow: ellipsis; } </style> <div id="container1"> <span id="container2">Tastaturen und Mäuse</span> </div>
Created attachment 463711 [details] Patch
Comment on attachment 463711 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=463711&action=review > Source/WebCore/rendering/RenderDeprecatedFlexibleBox.cpp:1171 > + if (!lastVisibleLine->lineCanAccommodateEllipsis(leftToRight, blockRightEdge, lastVisibleLine->x() + lastVisibleLine->logicalWidth(), totalWidth) || lastVisibleLine->hasEllipsisBox()) this could potentially break the 'anchor box' case -while "text-overflow: ellipsis" produces a static trailing content only, line-clamp, in some cases (e.g 'see more' type of content) constructs a clickable line ending.
This can't be reproduced with modern IFC since r256989.
Created attachment 463755 [details] Patch
Comment on attachment 463711 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=463711&action=review >> Source/WebCore/rendering/RenderDeprecatedFlexibleBox.cpp:1171 >> + if (!lastVisibleLine->lineCanAccommodateEllipsis(leftToRight, blockRightEdge, lastVisibleLine->x() + lastVisibleLine->logicalWidth(), totalWidth) || lastVisibleLine->hasEllipsisBox()) > > this could potentially break the 'anchor box' case -while "text-overflow: ellipsis" produces a static trailing content only, line-clamp, in some cases (e.g 'see more' type of content) constructs a clickable line ending. Thanks! I did not know that. I made a new patch and verified it works by locally reverting r256989.
Comment on attachment 463755 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=463755&action=review > Source/WebCore/rendering/RenderDeprecatedFlexibleBox.cpp:1174 > + // text-overflow: elipsis may have added an ellipsis already, give priority to potentially clickable line-clamp. Spelling error “elipsis” here
Created attachment 463769 [details] Patch
(In reply to Rob Buis from comment #8) > Comment on attachment 463711 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=463711&action=review > > >> Source/WebCore/rendering/RenderDeprecatedFlexibleBox.cpp:1171 > >> + if (!lastVisibleLine->lineCanAccommodateEllipsis(leftToRight, blockRightEdge, lastVisibleLine->x() + lastVisibleLine->logicalWidth(), totalWidth) || lastVisibleLine->hasEllipsisBox()) > > > > this could potentially break the 'anchor box' case -while "text-overflow: ellipsis" produces a static trailing content only, line-clamp, in some cases (e.g 'see more' type of content) constructs a clickable line ending. > > Thanks! I did not know that. I made a new patch and verified it works by > locally reverting r256989. are you sure about r256989? It's a commit from early 2020.
Comment on attachment 463769 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=463769&action=review > LayoutTests/fast/flexbox/line-clamp-link-after-ellipsis-crash.html:1 > +<meta charset="utf-8"> So I assume this test case passes fine on trunk because of the IFC progression. You should be able to force legacy codepath by disabling IFC here (<!DOCTYPE html><!-- webkit-test-runner [ InlineFormattingContextIntegrationEnabled=false ] --> )
Comment on attachment 463711 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=463711&action=review >>>> Source/WebCore/rendering/RenderDeprecatedFlexibleBox.cpp:1171 >>>> + if (!lastVisibleLine->lineCanAccommodateEllipsis(leftToRight, blockRightEdge, lastVisibleLine->x() + lastVisibleLine->logicalWidth(), totalWidth) || lastVisibleLine->hasEllipsisBox()) >>> >>> this could potentially break the 'anchor box' case -while "text-overflow: ellipsis" produces a static trailing content only, line-clamp, in some cases (e.g 'see more' type of content) constructs a clickable line ending. >> >> Thanks! I did not know that. I made a new patch and verified it works by locally reverting r256989. > > are you sure about r256989? It's a commit from early 2020. Oops, I guess old style revisions are gone, I meant https://commits.webkit.org/256989@main.
Created attachment 463781 [details] Patch
Committed 257115@main (94e2a2fd0228): <https://commits.webkit.org/257115@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 463781 [details].