Bug 267071 (status: NEW)
[content-visibility](?) Crash under InlineIterator::BoxModernPath::box()
https://bugs.webkit.org/show_bug.cgi?id=267071
Summary [content-visibility](?) Crash under InlineIterator::BoxModernPath::box()
Tim Nguyen (:ntim)
Reported 2024-01-03 16:50:10 PST
Regression data on Apple's side suggests that this is linked to content-visibility. The crashing frames are WTF::Vector's bounds check (CrashOnOverflow) firing in Vector::at(), reached from InlineIterator::BoxModernPath::box() during paint, so the index used there was out of range for the InlineDisplay::Box vector:

50 WTF::CrashOnOverflow::crash() <== 50 WTF::CrashOnOverflow::overflowed()
50 WTF::Vector<WebCore::InlineDisplay::Box, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::at(unsigned long) const
50 WTF::Vector<WebCore::InlineDisplay::Box, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::operator[](unsigned long) const
50 WebCore::InlineIterator::BoxModernPath::box() const
50 WebCore::InlineIterator::BoxModernPath::renderer() const
50 WebCore::RenderObject const& WebCore::InlineIterator::Box::renderer() const::'lambda'(auto&)::operator()<WebCore::InlineIterator::BoxModernPath const>(auto&) const
50 decltype(std::declval<auto>()(std::declval<WebCore::InlineIterator::BoxModernPath const&>())) std::__1::__invoke[abi:v160006]<WTF::Visitor<WebCore::InlineIterator::Box::renderer() const::'lambda'(auto&)>, WebCore::InlineIterator::BoxModernPath const&>(auto&&, WebCore::InlineIterator::BoxModernPath const&)
50 decltype(auto) std::__1::__variant_detail::__visitation::__variant::__value_visitor<WTF::Visitor<WebCore::InlineIterator::Box::renderer() const::'lambda'(auto&)>>::operator()[abi:v160006]<std::__1::__variant_detail::__alt<0ul, WebCore::InlineIterator::BoxModernPath> const&>(std::__1::__variant_detail::__alt<0ul, WebCore::InlineIterator::BoxModernPath> const&) const
50 decltype(std::declval<auto>()(std::declval<std::__1::__variant_detail::__alt<0ul, WebCore::InlineIterator::BoxModernPath> const&>())) std::__1::__invoke[abi:v160006]<std::__1::__variant_detail::__visitation::__variant::__value_visitor<WTF::Visitor<WebCore::InlineIterator::Box::renderer() const::'lambda'(auto&)>>, std::__1::__variant_detail::__alt<0ul, WebCore::InlineIterator::BoxModernPath> const&>(auto&&, std::__1::__variant_detail::__alt<0ul, WebCore::InlineIterator::BoxModernPath> const&)
50 decltype(auto) std::__1::__variant_detail::__visitation::__base::__dispatcher<0ul>::__dispatch[abi:v160006]<std::__1::__variant_detail::__visitation::__variant::__value_visitor<WTF::Visitor<WebCore::InlineIterator::Box::renderer() const::'lambda'(auto&)>>&&, std::__1::__variant_detail::__base<(std::__1::__variant_detail::_Trait)1, WebCore::InlineIterator::BoxModernPath, WebCore::InlineIterator::BoxLegacyPath> const&>(auto, std::__1::__variant_detail::__base<(std::__1::__variant_detail::_Trait)1, WebCore::InlineIterator::BoxModernPath, WebCore::InlineIterator::BoxLegacyPath> const&)
50 decltype(auto) std::__1::__variant_detail::__visitation::__base::__visit_alt[abi:v160006]<std::__1::__variant_detail::__visitation::__variant::__value_visitor<WTF::Visitor<WebCore::InlineIterator::Box::renderer() const::'lambda'(auto&)>>, std::__1::__variant_detail::__impl<WebCore::InlineIterator::BoxModernPath, WebCore::InlineIterator::BoxLegacyPath> const&>(auto&&, std::__1::__variant_detail::__impl<WebCore::InlineIterator::BoxModernPath, WebCore::InlineIterator::BoxLegacyPath> const&)
50 decltype(auto) std::__1::__variant_detail::__visitation::__variant::__visit_alt[abi:v160006]<std::__1::__variant_detail::__visitation::__variant::__value_visitor<WTF::Visitor<WebCore::InlineIterator::Box::renderer() const::'lambda'(auto&)>>, std::__1::variant<WebCore::InlineIterator::BoxModernPath, WebCore::InlineIterator::BoxLegacyPath> const&>(auto&&, std::__1::variant<WebCore::InlineIterator::BoxModernPath, WebCore::InlineIterator::BoxLegacyPath> const&)
50 decltype(auto) std::__1::__variant_detail::__visitation::__variant::__visit_value[abi:v160006]<WTF::Visitor<WebCore::InlineIterator::Box::renderer() const::'lambda'(auto&)>, std::__1::variant<WebCore::InlineIterator::BoxModernPath, WebCore::InlineIterator::BoxLegacyPath> const&>(auto&&, std::__1::variant<WebCore::InlineIterator::BoxModernPath, WebCore::InlineIterator::BoxLegacyPath> const&)
50 decltype(auto) std::__1::visit[abi:v160006]<WTF::Visitor<WebCore::InlineIterator::Box::renderer() const::'lambda'(auto&)>, std::__1::variant<WebCore::InlineIterator::BoxModernPath, WebCore::InlineIterator::BoxLegacyPath> const&, void>(auto&&, std::__1::variant<WebCore::InlineIterator::BoxModernPath, WebCore::InlineIterator::BoxLegacyPath> const&)
50 decltype(std::visit(makeVisitor(std::forward<WebCore::InlineIterator::Box::renderer() const::'lambda'(auto&)>(fp0)), std::forward<auto>(fp))) WTF::switchOn<std::__1::variant<WebCore::InlineIterator::BoxModernPath, WebCore::InlineIterator::BoxLegacyPath> const&, WebCore::InlineIterator::Box::renderer() const::'lambda'(auto&)>(auto&&, WebCore::InlineIterator::Box::renderer() const::'lambda'(auto&)&&)
50 WebCore::InlineIterator::Box::renderer() const
50 WebCore::InlineIterator::InlineBox::renderer() const
50 auto WebCore::TextBoxPainter<WebCore::InlineIterator::BoxModernPath>::collectDecoratingBoxesForTextBox(WTF::Vector<WebCore::TextBoxPainter<WebCore::InlineIterator::BoxModernPath>::DecoratingBox, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WebCore::InlineIterator::TextBoxIterator const&, WebCore::FloatPoint, WebCore::TextDecorationPainter::Styles const&)::'lambda'(auto&, auto)::operator()<WebCore::InlineIterator::InlineBoxIterator, WebCore::TextBoxPainter<WebCore::InlineIterator::BoxModernPath>::collectDecoratingBoxesForTextBox(WTF::Vector<WebCore::TextBoxPainter<WebCore::InlineIterator::BoxModernPath>::DecoratingBox, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WebCore::InlineIterator::TextBoxIterator const&, WebCore::FloatPoint, WebCore::TextDecorationPainter::Styles const&)::UseOverriderDecorationStyle>(auto&, auto) const
50 WebCore::TextBoxPainter<WebCore::InlineIterator::BoxModernPath>::collectDecoratingBoxesForTextBox(WTF::Vector<WebCore::TextBoxPainter<WebCore::InlineIterator::BoxModernPath>::DecoratingBox, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WebCore::InlineIterator::TextBoxIterator const&, WebCore::FloatPoint, WebCore::TextDecorationPainter::Styles const&)
50 WebCore::TextBoxPainter<WebCore::InlineIterator::BoxModernPath>::paintBackgroundDecorations(WebCore::TextDecorationPainter&, WebCore::StyledMarkedText const&, WebCore::FloatRect const&)
50 WebCore::TextBoxPainter<WebCore::InlineIterator::BoxModernPath>::paintForegroundAndDecorations()
50 WebCore::TextBoxPainter<WebCore::InlineIterator::BoxModernPath>::paint()
50 WebCore::LayoutIntegration::InlineContentPainter::paintDisplayBox(WebCore::InlineDisplay::Box const&)
50 WebCore::LayoutIntegration::InlineContentPainter::paint()
50 WebCore::LayoutIntegration::LineLayout::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::RenderInline const*)
49 WebCore::RenderBlockFlow::paintInlineChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&)
| 49 WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&)
| 49 WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&)
| 49 WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&)
| 48 WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool, WebCore::RenderBlock::PaintBlockType)
| | 48 WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool)
| | 48 WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&)
| | 48 WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&)
| | 48 WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&)
| | 43 WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool, WebCore::RenderBlock::PaintBlockType)
| | | 43 WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool)
| | | 43 WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&)
| | | 43 WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&)
| | | 43 WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&)
| | | 24 WebCore::paintPhase(WebCore::RenderElement&, WebCore::PaintPhase, WebCore::PaintInfo&, WebCore::LayoutPoint const&)
| | | | 24 WebCore::RenderElement::paintAsInlineBlock(WebCore::PaintInfo&, WebCore::LayoutPoint const&)
| | | | 23 WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool, WebCore::RenderBlock::PaintBlockType)
| | | | | 18 WebCore::RenderGrid::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool)
| | | | | | 18 WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&)
| | | | | | 18 WebCore::RenderBlock::paintObject(WebCore::PaintInfo&, WebCore::LayoutPoint const&)
| | | | | | 18 WebCore::RenderBlock::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&)
| | | | | | 18 WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool, WebCore::RenderBlock::PaintBlockType)
| | | | | | 18 WebCore::RenderBlock::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool)
| | | | | | 18 WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&)
| | | | | | truncating...
| | | | | pruning: 5 WebCore::RenderFlexibleBox::paintChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool)
| | | | pruning: 1 WebCore::LayoutIntegration::InlineContentPainter::paintDisplayBox(WebCore::InlineDisplay::Box const&)
| | | 13 WebCore::RenderLayer::paintForegroundForFragmentsWithPhase(WebCore::PaintPhase, WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::PaintBehavior>, WebCore::RenderObject*)
| | | | 13 WebCore::RenderLayer::paintForegroundForFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WebCore::GraphicsContext&, WebCore::GraphicsContext&, WebCore::LayoutRect const&, bool, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::PaintBehavior>, WebCore::RenderObject*)
| | | | 13 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)
| | | | 13 WebCore::RenderLayer::paintList(WebCore::RenderLayer::LayerList, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)
| | | | 13 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)
| | | | 13 WebCore::RenderLayer::paintList(WebCore::RenderLayer::LayerList, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)
| | | | 13 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)
| | | | pruning: 9 WebCore::RenderLayerBacking::paintIntoLayer(WebCore::GraphicsLayer const*, WebCore::GraphicsContext&, WebCore::IntRect const&, WTF::OptionSet<WebCore::PaintBehavior>, WebCore::RegionContext*)::$_33::operator()(WebCore::RenderLayer&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) const
| | | | pruning: 4 WebCore::RenderLayer::paintList(WebCore::RenderLayer::LayerList, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)
| | | pruning: 6 WebCore::RenderBlock::paintChild(WebCore::RenderBox&, WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::PaintInfo&, bool, WebCore::RenderBlock::PaintBlockType)
| | pruning: 3 WebCore::paintPhase(WebCore::RenderElement&, WebCore::PaintPhase, WebCore::PaintInfo&, WebCore::LayoutPoint const&)
| | pruning: 2 WebCore::RenderLayer::paintForegroundForFragmentsWithPhase(WebCore::PaintPhase, WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::PaintBehavior>, WebCore::RenderObject*)
| pruning: 1 WebCore::RenderLayer::paintForegroundForFragmentsWithPhase(WebCore::PaintPhase, WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::PaintBehavior>, WebCore::RenderObject*)
pruning: 1 WebCore::RenderLayer::paintForegroundForFragmentsWithPhase(WebCore::PaintPhase, WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::PaintBehavior>, WebCore::RenderObject*)
Attachments
Tim Nguyen (:ntim)
Comment 1 2024-01-03 16:50:21 PST
Rob Buis
Comment 2 2024-01-24 15:33:15 PST
Are there reproduction steps for this bug?