Bug 93564 - Crash in RenderLayer::setStaticInlinePosition loading this test case
Summary: Crash in RenderLayer::setStaticInlinePosition loading this test case
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
Reported: 2012-08-08 18:03 PDT by Simon Fraser (smfr)
Modified: 2013-03-06 10:38 PST

Attachments
Testcase (1.96 KB, text/html)
2012-08-08 18:03 PDT, Simon Fraser (smfr)
Description Simon Fraser (smfr) 2012-08-08 18:03:55 PDT
Created attachment 157355
Testcase

Loading the attached testcase on TOT crashes:

(lldb) p this
(WebCore::RenderLayer *) $0 = 0x0000000000000000
(lldb) 

* thread #1: tid = 0x2603, 0x0000000103f7163e WebCore`WebCore::RenderLayer::setStaticInlinePosition(WebCore::FractionalLayoutUnit) + 14 at RenderLayer.h:578, stop reason = EXC_BAD_ACCESS (code=1, address=0xd8)
    frame #0: 0x0000000103f7163e WebCore`WebCore::RenderLayer::setStaticInlinePosition(WebCore::FractionalLayoutUnit) + 14 at RenderLayer.h:578
    frame #1: 0x0000000103f9d990 WebCore`setStaticPositions + 192 at RenderBlockLineLayout.cpp:888
    frame #2: 0x0000000103fa020b WebCore`WebCore::RenderBlock::LineBreaker::skipLeadingWhitespace(WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>&, WebCore::LineInfo&, WebCore::RenderBlock::FloatingObject*, WebCore::LineWidth&) + 187 at RenderBlockLineLayout.cpp:1924
    frame #3: 0x0000000103f9a2d0 WebCore`WebCore::RenderBlock::LineBreaker::nextLineBreak(WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>&, WebCore::LineInfo&, std::__1::pair<WebCore::RenderText*, WebCore::LazyLineBreakIterator>&, WebCore::RenderBlock::FloatingObject*, unsigned int) + 320 at RenderBlockLineLayout.cpp:2137
    frame #4: 0x0000000103f9873b WebCore`WebCore::RenderBlock::layoutRunsAndFloatsInRange(WebCore::LineLayoutState&, WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>&, WebCore::InlineIterator const&, WebCore::BidiStatus const&, unsigned int) + 939 at RenderBlockLineLayout.cpp:1270
    frame #5: 0x0000000103f97508 WebCore`WebCore::RenderBlock::layoutRunsAndFloats(WebCore::LineLayoutState&, bool) + 1224 at RenderBlockLineLayout.cpp:1235
    frame #6: 0x0000000103f9e1a9 WebCore`WebCore::RenderBlock::layoutInlineChildren(bool, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&) + 1497 at RenderBlockLineLayout.cpp:1530
    frame #7: 0x0000000103f40fd2 WebCore`WebCore::RenderBlock::layoutBlock(bool, WebCore::FractionalLayoutUnit) + 1602 at RenderBlock.cpp:1483
    frame #8: 0x0000000103f40385 WebCore`WebCore::RenderBlock::layout() + 117 at RenderBlock.cpp:1346
    frame #9: 0x0000000103f4cb7c WebCore`WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&) + 1324 at RenderBlock.cpp:2403
    frame #10: 0x0000000103f43b39 WebCore`WebCore::RenderBlock::layoutBlockChildren(bool, WebCore::FractionalLayoutUnit&) + 1385 at RenderBlock.cpp:2339
    frame #11: 0x0000000103f40ff5 WebCore`WebCore::RenderBlock::layoutBlock(bool, WebCore::FractionalLayoutUnit) + 1637 at RenderBlock.cpp:1485
    frame #12: 0x0000000103f40385 WebCore`WebCore::RenderBlock::layout() + 117 at RenderBlock.cpp:1346
    frame #13: 0x00000001034365e6 WebCore`WebCore::RenderObject::layoutIfNeeded() + 54 at RenderObject.h:640
    frame #14: 0x0000000103f9ad90 WebCore`WebCore::RenderBlock::LineBreaker::nextLineBreak(WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>&, WebCore::LineInfo&, std::__1::pair<WebCore::RenderText*, WebCore::LazyLineBreakIterator>&, WebCore::RenderBlock::FloatingObject*, unsigned int) + 3072 at RenderBlockLineLayout.cpp:2289
    frame #15: 0x0000000103f9873b WebCore`WebCore::RenderBlock::layoutRunsAndFloatsInRange(WebCore::LineLayoutState&, WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>&, WebCore::InlineIterator const&, WebCore::BidiStatus const&, unsigned int) + 939 at RenderBlockLineLayout.cpp:1270
    frame #16: 0x0000000103f97508 WebCore`WebCore::RenderBlock::layoutRunsAndFloats(WebCore::LineLayoutState&, bool) + 1224 at RenderBlockLineLayout.cpp:1235
    frame #17: 0x0000000103f9e1a9 WebCore`WebCore::RenderBlock::layoutInlineChildren(bool, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&) + 1497 at RenderBlockLineLayout.cpp:1530
    frame #18: 0x0000000103f40fd2 WebCore`WebCore::RenderBlock::layoutBlock(bool, WebCore::FractionalLayoutUnit) + 1602 at RenderBlock.cpp:1483
    frame #19: 0x0000000103f40385 WebCore`WebCore::RenderBlock::layout() + 117 at RenderBlock.cpp:1346
    frame #20: 0x0000000103f4cb7c WebCore`WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&) + 1324 at RenderBlock.cpp:2403
    frame #21: 0x0000000103f43b39 WebCore`WebCore::RenderBlock::layoutBlockChildren(bool, WebCore::FractionalLayoutUnit&) + 1385 at RenderBlock.cpp:2339
    frame #22: 0x0000000103f40ff5 WebCore`WebCore::RenderBlock::layoutBlock(bool, WebCore::FractionalLayoutUnit) + 1637 at RenderBlock.cpp:1485
    frame #23: 0x0000000103f40385 WebCore`WebCore::RenderBlock::layout() + 117 at RenderBlock.cpp:1346
    frame #24: 0x0000000103f4cb7c WebCore`WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, WebCore::FractionalLayoutUnit&, WebCore::FractionalLayoutUnit&) + 1324 at RenderBlock.cpp:2403
    frame #25: 0x0000000103f43b39 WebCore`WebCore::RenderBlock::layoutBlockChildren(bool, WebCore::FractionalLayoutUnit&) + 1385 at RenderBlock.cpp:2339
    frame #26: 0x0000000103f40ff5 WebCore`WebCore::RenderBlock::layoutBlock(bool, WebCore::FractionalLayoutUnit) + 1637 at RenderBlock.cpp:1485
    frame #27: 0x0000000103f40385 WebCore`WebCore::RenderBlock::layout() + 117 at RenderBlock.cpp:1346
    frame #28: 0x00000001041ba15d WebCore`WebCore::RenderView::layout() + 1021 at RenderView.cpp:156
    frame #29: 0x00000001034c145f WebCore`WebCore::FrameView::layout(bool) + 3135 at FrameView.cpp:1117
    frame #30: 0x00000001031ace1e WebCore`WebCore::Document::updateLayout() + 270 at Document.cpp:1921
    frame #31: 0x00000001031acef5 WebCore`WebCore::Document::updateLayoutIgnorePendingStylesheets() + 197 at Document.cpp:1953
    frame #32: 0x000000010334547d WebCore`WebCore::DOMWindow::scrollTo(int, int) const + 61 at DOMWindow.cpp:1417
    frame #33: 0x000000010395d382 WebCore`WebCore::jsDOMWindowPrototypeFunctionScrollTo(JSC::ExecState*) + 658 at JSDOMWindow.cpp:12414
    frame #34: 0x00004de00a401265
    frame #35: 0x00000001021e0024 JavaScriptCore`JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*) + 84 at JITCode.h:133
    frame #36: 0x00000001021dcddf JavaScriptCore`JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1727 at Interpreter.cpp:1322
    frame #37: 0x000000010208e828 JavaScriptCore`JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 296 at CallData.cpp:39
    frame #38: 0x0000000103869b62 WebCore`WebCore::JSMainThreadExecState::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 146 at JSMainThreadExecState.h:56
    frame #39: 0x0000000103996bce WebCore`WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) + 1294 at JSEventListener.cpp:132
    frame #40: 0x00000001033ef0d7 WebCore`WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul>&) + 359 at EventTarget.cpp:231
    frame #41: 0x00000001033eef3b WebCore`WebCore::EventTarget::fireEventListeners(WebCore::Event*) + 315 at EventTarget.cpp:198
    frame #42: 0x000000010333f840 WebCore`WebCore::DOMWindow::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, WTF::PassRefPtr<WebCore::EventTarget>) + 272 at DOMWindow.cpp:1665
    frame #43: 0x0000000103346578 WebCore`WebCore::DOMWindow::dispatchLoadEvent() + 296 at DOMWindow.cpp:1639
    frame #44: 0x00000001031aef5a WebCore`WebCore::Document::dispatchWindowLoadEvent() + 138 at Document.cpp:4083
    frame #45: 0x00000001031ac7a0 WebCore`WebCore::Document::implicitClose() + 480 at Document.cpp:2523
    frame #46: 0x00000001034984db WebCore`WebCore::FrameLoader::checkCallImplicitClose() + 155 at FrameLoader.cpp:763
    frame #47: 0x00000001034981d3 WebCore`WebCore::FrameLoader::checkCompleted() + 323 at FrameLoader.cpp:709
    frame #48: 0x0000000103497173 WebCore`WebCore::FrameLoader::finishedParsing() + 179 at FrameLoader.cpp:642
    frame #49: 0x00000001031b7e42 WebCore`WebCore::Document::finishedParsing() + 530 at Document.cpp:4862
    frame #50: 0x000000010367192c WebCore`WebCore::HTMLTreeBuilder::finished() + 140 at HTMLTreeBuilder.cpp:2792
    frame #51: 0x00000001035ad043 WebCore`WebCore::HTMLDocumentParser::end() + 211 at HTMLDocumentParser.cpp:372
    frame #52: 0x00000001035ac1a6 WebCore`WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() + 262 at HTMLDocumentParser.cpp:381
    frame #53: 0x00000001035abfa2 WebCore`WebCore::HTMLDocumentParser::prepareToStopParsing() + 242 at HTMLDocumentParser.cpp:149
    frame #54: 0x00000001035ad093 WebCore`WebCore::HTMLDocumentParser::attemptToEnd() + 67 at HTMLDocumentParser.cpp:393
    frame #55: 0x00000001035ad0e8 WebCore`WebCore::HTMLDocumentParser::finish() + 72 at HTMLDocumentParser.cpp:420
    frame #56: 0x0000000103215d1f WebCore`WebCore::DocumentWriter::end() + 383 at DocumentWriter.cpp:241
    frame #57: 0x00000001031f4e7f WebCore`WebCore::DocumentLoader::finishedLoading() + 207 at DocumentLoader.cpp:300
    frame #58: 0x0000000103dd026d WebCore`WebCore::MainResourceLoader::didFinishLoading(double) + 445 at MainResourceLoader.cpp:520
    frame #59: 0x00000001041e66d5 WebCore`WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle*, double) + 53 at ResourceLoader.cpp:436
    frame #60: 0x00000001041e333a WebCore`-[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] + 186 at ResourceHandleMac.mm:860
    frame #61: 0x00007fff8b6e31e8 Foundation`__65-[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:]_block_invoke_0 + 28
    frame #62: 0x00007fff8b6e312c Foundation`-[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:] + 227
    frame #63: 0x00007fff8b6e3028 Foundation`-[NSURLConnectionInternal _withActiveConnectionAndDelegate:] + 63
    frame #64: 0x00007fff90c84181 CFNetwork`___delegate_didFinishLoading_block_invoke_0 + 40
    frame #65: 0x00007fff90c766fa CFNetwork`___withDelegateAsync_block_invoke_0 + 90
    frame #66: 0x00007fff90d065ca CFNetwork`__block_global_1 + 28
    frame #67: 0x00007fff94958e44 CoreFoundation`CFArrayApplyFunction + 68
    frame #68: 0x00007fff90c67894 CFNetwork`RunloopBlockContext::perform() + 124
    frame #69: 0x00007fff90c6776b CFNetwork`MultiplexerSource::perform() + 221
    frame #70: 0x00007fff9493a841 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
    frame #71: 0x00007fff9493a165 CoreFoundation`__CFRunLoopDoSources0 + 245
    frame #72: 0x00007fff9495d4e5 CoreFoundation`__CFRunLoopRun + 789
    frame #73: 0x00007fff9495cdd2 CoreFoundation`CFRunLoopRunSpecific + 290
    frame #74: 0x00007fff93c96774 HIToolbox`RunCurrentEventLoopInMode + 209
    frame #75: 0x00007fff93c96512 HIToolbox`ReceiveNextEventCommon + 356
    frame #76: 0x00007fff93c963a3 HIToolbox`BlockUntilNextEventMatchingListInMode + 62
    frame #77: 0x00007fff8f22bf73 AppKit`_DPSNextEvent + 685
    frame #78: 0x00007fff8f22b832 AppKit`-[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
    frame #79: 0x00007fff8f222bd3 AppKit`-[NSApplication run] + 517
    frame #80: 0x000000010420cedc WebCore`WebCore::RunLoop::run() + 92 at RunLoopMac.mm:36
    frame #81: 0x00000001012fed88 WebKit2`WebKit::WebProcessMain(WebKit::CommandLine const&) + 3368 at WebProcessMainMac.mm:183
    frame #82: 0x0000000101211ba8 WebKit2`WebKitMain + 200 at WebKitMain.cpp:50
    frame #83: 0x0000000101211ac4 WebKit2`WebKitMain + 148 at WebKitMain.cpp:74
    frame #84: 0x0000000100000da2 WebProcess`main + 274 at MainMac.cpp:68
Comment 1 Julien Chaffraix 2012-09-27 19:37:13 PDT
The test doesn't crash on ToT (tried Chromium Canary build 129708 and local Mac WebKit build @ r129643). Not sure which change fixed it though and if the test should be landed to ensure we don't regress it.
Comment 2 Julien Chaffraix 2013-03-06 10:38:55 PST
It's still not crashing. As the test needs some massaging before being landed and I have no way to reproduce, it's probably better to just ignore it.