RESOLVED DUPLICATE of bug 280023286135
Safari iOS 18.2: Tab crashes with flex + line-clamp + float combo in Layout::BoxGeometry::paddingStart() 
https://bugs.webkit.org/show_bug.cgi?id=286135
Summary Safari iOS 18.2: Tab crashes with flex + line-clamp + float combo in Layout::...
Jesper Jaques
Reported 2025-01-17 02:36:24 PST
Created attachment 473931 [details] Minimal test case HTML file showing a Safari crash using flex, max-width, line-clamp, and float properties together. Safari on iOS 18.2 and later crashes when rendering a page that combines flex container, line-clamp, max-width, and float properties in a specific nested structure. Steps to reproduce: 1. Host the attached minimal test case HTML file on a web server 2. Open the page in Safari on iOS 18.2 or later 3. Observe that the page loads briefly, then crashes with the error message "Der var gentagne problemer med '[url]'" (Translation: "There were repeated problems with '[url]'") Test case HTML attached, key properties: - Parent container with display: flex - Child div with max-width: 50% - Paragraph with line-clamp: 1 - Span with float: right Environment: - Confirmed on iPhone iOS 18.2 (22C152) - Confirmed on iPad iOS 18.2.1 (22C161) - Suspected to work correctly on earlier iOS versions (needs verification) Expected behavior: Page should load and display normally without crashing. Actual behavior: Page loads briefly then crashes Safari, requiring the user to reload or close the tab.
Attachments
Minimal test case HTML file showing a Safari crash using flex, max-width, line-clamp, and float properties together. (559 bytes, text/html)
2025-01-17 02:36 PST, Jesper Jaques 		no flags
Details
test reduction (261 bytes, text/html)
2025-01-17 18:24 PST, alan 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Alexey Proskuryakov
Comment 1 2025-01-17 17:41:39 PST
Thank you for the report! Please let us now if you manage to confirm that this worked on earlier releases.
Radar WebKit Bug Importer
Comment 2 2025-01-17 17:41:50 PST
<rdar://problem/143163066>
alan
Comment 3 2025-01-17 18:15:25 PST
Looks like we end up with a dirty renderer here. (B)lock/(I)nline Box/(A)tomic inline, (A)bsolute/Fi(X)ed/(R)elative/Stic(K)y, (F)loating, (O)verflow clip, Anon(Y)mous, (G)enerated, has(L)ayer, hasLayer(S)crollableArea, (C)omposited, Content-visibility:(H)idden/(A)uto, (S)kipped content, (+)Dirty style, (+)Dirty layout B---YGLSC-- -- RenderView at (0,0) size 1293x624 renderer (0x117008470) layout box (0x0) B-----LS--- -- HTML RenderBlock at (0,0) size 1293x624 renderer (0x1170100b0) layout box (0x0) node (0x11700f1a0) B---------- -- BODY RenderBody at (8,8) size 1277x608 renderer (0x11700ef00) layout box (0x0) node (0x11700f3e0) B---------- -- DIV RenderFlexibleBox at (0,0) size 1277x50 renderer (0x117015040) layout box (0x0) node (0x1170052d0) B---------- -- DIV RenderBlock at (0,0) size 161.34x50 renderer (0x11700fc00) layout box (0x0) node (0x117014800) B---------- -- DIV RenderBlock at (0,16) size 80.67x18 renderer (0x1170152c0) layout box (0x0) node (0x117014890) B---------- -- P RenderBlock at (0,0) size 80.67x18 renderer (0x117015430) layout box (0x117015930) node (0x117014a20) floating object (0x117016600) renderer (0x117015670) at (0,0) size 0x0 paintsFloat 1 shouldPaint 1 -- line at (0.00,0.00) size (80.67x18.00) baseline (14.00) enclosing top (0.00) bottom (18.00) -- Root inline box at (0.00,0.00) size (47.98x18.00) -- Run(s): -- Text at (0.00,0.00) size 47.98x18.00 run(13, 20) renderer->(0x1170155a0) I---------- -- #text RenderText renderer (0x1170155a0) layout box (0x11700d060) node (0x117014c00) length->(48) "\n E-mail: fake@email.com\n " B-F-------- -+* SPAN RenderBlock at (0,0) size 0x0 renderer (0x117015670) layout box (0x117015a00) node (0x117014ab0) layout->[self] I---------- -- #text RenderText renderer (0x1170157e0) layout box (0x117015ba0) node (0x117014c80) length->(11) "\n " SHOULD NEVER BE REACHED /Volumes/Work/trunk/OpenSource/Source/WebCore/page/LocalFrameViewLayoutContext.cpp(96) : auto WebCore::RenderTreeNeedsLayoutChecker::~RenderTreeNeedsLayoutChecker()::(anonymous class)::operator()(const RenderObject &) const
alan
Comment 4 2025-01-17 18:24:30 PST
Created attachment 473937 [details] test reduction
alan
Comment 5 2025-01-17 19:00:13 PST
This has progressed at 284099@main and the crash no longer reproduces but apparently there's still some remaining work (debug assert) tracked at bug 286187.
alan
Comment 6 2025-01-17 19:00:32 PST
*** This bug has been marked as a duplicate of bug 280023 ***
Note You need to log in before you can comment on or make changes to this bug.