Bug 207032

Summary: Crash in RenderListItem::addOverflowFromChildren
Product: WebKit Reporter: Ryosuke Niwa <rniwa>
Component: Layout and RenderingAssignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE    
Severity: Normal CC: ajuma, bfulgham, koivisto, product-security, rohitrao, simon.fraser, webkit-bug-importer, zalan
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Test case (unreduced)
none
Test case (reduced)
none
Minimal test case
none
More-minimal test case none

Ryosuke Niwa
Reported 2020-01-30 23:15:32 PST
e.g. Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.WebCore 0x00007fff4a907991 WebCore::RenderListItem::addOverflowFromChildren() + 3553 1 com.apple.WebCore 0x00007fff4a89ff81 WebCore::RenderBlock::computeOverflow(WebCore::LayoutUnit, bool) + 113 2 com.apple.WebCore 0x00007fff4c283dd7 WebCore::RenderBlockFlow::computeOverflow(WebCore::LayoutUnit, bool) + 23 3 com.apple.WebCore 0x00007fff4c276075 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 4213 4 com.apple.WebCore 0x00007fff4a89d62a WebCore::RenderBlock::layout() + 42 5 com.apple.WebCore 0x00007fff4c27783d WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 4029 6 com.apple.WebCore 0x00007fff4c275877 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 2167 7 com.apple.WebCore 0x00007fff4a89d62a WebCore::RenderBlock::layout() + 42 8 com.apple.WebCore 0x00007fff4c3543f4 WebCore::RenderMultiColumnFlow::layout() + 212 9 com.apple.WebCore 0x00007fff4c288c74 WebCore::RenderBlockFlow::layoutExcludedChildren(bool) + 292 10 com.apple.WebCore 0x00007fff4c276d5f WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 1247 11 com.apple.WebCore 0x00007fff4c275877 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 2167 12 com.apple.WebCore 0x00007fff4c275e55 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 3669 13 com.apple.WebCore 0x00007fff4a89d62a WebCore::RenderBlock::layout() + 42 14 com.apple.WebCore 0x00007fff4c36e4e6 WebCore::RenderTable::layoutCaption(WebCore::RenderTableCaption&) + 198 15 com.apple.WebCore 0x00007fff4a944d5c WebCore::RenderTable::layout() + 12204 16 com.apple.WebCore 0x00007fff4c27c267 WebCore::RenderBlockFlow::layoutLineBoxes(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 4903 17 com.apple.WebCore 0x00007fff4c27588e WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 2190 18 com.apple.WebCore 0x00007fff4a89d62a WebCore::RenderBlock::layout() + 42 19 com.apple.WebCore 0x00007fff4c27783d WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 4029 20 com.apple.WebCore 0x00007fff4c275877 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 2167 21 com.apple.WebCore 0x00007fff4a89d62a WebCore::RenderBlock::layout() + 42 22 com.apple.WebCore 0x00007fff4c3543f4 WebCore::RenderMultiColumnFlow::layout() + 212 23 com.apple.WebCore 0x00007fff4c288c74 WebCore::RenderBlockFlow::layoutExcludedChildren(bool) + 292 24 com.apple.WebCore 0x00007fff4c276d5f WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 1247 25 com.apple.WebCore 0x00007fff4c275877 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 2167 26 com.apple.WebCore 0x00007fff4a89d62a WebCore::RenderBlock::layout() + 42 27 com.apple.WebCore 0x00007fff4c27783d WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 4029 28 com.apple.WebCore 0x00007fff4c275877 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 2167 29 com.apple.WebCore 0x00007fff4a89d62a WebCore::RenderBlock::layout() + 42 30 com.apple.WebCore 0x00007fff4c27783d WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 4029 31 com.apple.WebCore 0x00007fff4c275877 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 2167 32 com.apple.WebCore 0x00007fff4a89d62a WebCore::RenderBlock::layout() + 42 33 com.apple.WebCore 0x00007fff4c27783d WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 4029 34 com.apple.WebCore 0x00007fff4c275877 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 2167 35 com.apple.WebCore 0x00007fff4a89d62a WebCore::RenderBlock::layout() + 42 36 com.apple.WebCore 0x00007fff4c27783d WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 4029 37 com.apple.WebCore 0x00007fff4c275877 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 2167 38 com.apple.WebCore 0x00007fff4a89d62a WebCore::RenderBlock::layout() + 42 39 com.apple.WebCore 0x00007fff4a89d380 WebCore::RenderView::layout() + 1120 40 com.apple.WebCore 0x00007fff4bfe6b9c WebCore::FrameViewLayoutContext::layout() + 1532 41 com.apple.WebCore 0x00007fff4a917137 WebCore::Document::updateLayout() + 279 42 com.apple.WebCore 0x00007fff4a99bc75 WebCore::Element::scrollLeft() + 101 43 com.apple.WebCore 0x00007fff4af3fb1f WebCore::jsElementPrototypeFunctionScrollBy(JSC::ExecState*) + 335 <rdar://problem/58447665>
Attachments
Test case (unreduced) (496.09 KB, text/html)
2020-01-30 23:16 PST, Ryosuke Niwa 		no flags
Details
Test case (reduced) (2.70 KB, text/html)
2020-02-04 12:12 PST, Ali Juma 		no flags
Details
Minimal test case (143 bytes, text/html)
2020-02-07 07:07 PST, Ali Juma 		no flags
Details
More-minimal test case (121 bytes, text/html)
2020-02-24 14:44 PST, Ali Juma 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Ryosuke Niwa
Comment 1 2020-01-30 23:16:44 PST
Created attachment 389331 [details] Test case (unreduced)
Ali Juma
Comment 2 2020-02-04 12:12:04 PST
Created attachment 389691 [details] Test case (reduced)
Ali Juma
Comment 3 2020-02-07 07:07:54 PST
Created attachment 390082 [details] Minimal test case
Ali Juma
Comment 4 2020-02-10 20:11:56 PST
This is crashing because in the render tree, we have a RenderInline whose child is a RenderBox. The minimal test case is just: <label> <ul style="display: table-caption; columns: 1px"> <li style="-webkit-border-image: url()"> <dl style="-webkit-column-span: all;"> <dd>p In the render tree, the ul element's RenderTableCaption has a RenderTable parent, whose parent is the RenderInline for the label element. We crash in RenderListItem::positionListMarker because as we keep updating |markerAncestor| in the loop at https://trac.webkit.org/browser/webkit/trunk/Source/WebCore/rendering/RenderListItem.cpp#L341, going down the parentBox chain, we eventually get a null |markerAncestor| when we reach the RenderBox whose parent is that RenderInline (since RenderBox::parentBox returns null if parent() isn't a RenderBox). In a debug build, we fail the assertion in RenderBox::parentBox that parent() is a RenderBox. Where would be a good place to start looking to figure out why a RenderInline is getting a RenderBox child?
Ali Juma
Comment 5 2020-02-24 14:44:44 PST
Created attachment 391582 [details] More-minimal test case Minimized the test case just a bit more. I'm still not sure why the RenderInline is getting a RenderBox child rather than the usual logic of creating an anonymous block getting triggered, but it seems like RenderTreeBuilder::Inline::attachIgnoringContinuation is the place to debug.
Ryosuke Niwa
Comment 6 2020-04-01 20:24:09 PDT
Oh looks like this got fixed in the bug 209262.
Ryosuke Niwa
Comment 7 2020-04-01 20:24:44 PDT
Reverse duping *** This bug has been marked as a duplicate of bug 209262 ***
Note You need to log in before you can comment on or make changes to this bug.