Bug 207032

Summary: Crash in RenderListItem::addOverflowFromChildren
Product: WebKit Reporter: Ryosuke Niwa <rniwa>
Component: Layout and RenderingAssignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE    
Severity: Normal CC: ajuma, bfulgham, koivisto, product-security, rohitrao, simon.fraser, webkit-bug-importer, zalan
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Test case (unreduced)
none
Test case (reduced)
none
Minimal test case
none
More-minimal test case none

Description Ryosuke Niwa 2020-01-30 23:15:32 PST 
e.g.

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x00007fff4a907991 WebCore::RenderListItem::addOverflowFromChildren() + 3553
1   com.apple.WebCore             	0x00007fff4a89ff81 WebCore::RenderBlock::computeOverflow(WebCore::LayoutUnit, bool) + 113
2   com.apple.WebCore             	0x00007fff4c283dd7 WebCore::RenderBlockFlow::computeOverflow(WebCore::LayoutUnit, bool) + 23
3   com.apple.WebCore             	0x00007fff4c276075 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 4213
4   com.apple.WebCore             	0x00007fff4a89d62a WebCore::RenderBlock::layout() + 42
5   com.apple.WebCore             	0x00007fff4c27783d WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 4029
6   com.apple.WebCore             	0x00007fff4c275877 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 2167
7   com.apple.WebCore             	0x00007fff4a89d62a WebCore::RenderBlock::layout() + 42
8   com.apple.WebCore             	0x00007fff4c3543f4 WebCore::RenderMultiColumnFlow::layout() + 212
9   com.apple.WebCore             	0x00007fff4c288c74 WebCore::RenderBlockFlow::layoutExcludedChildren(bool) + 292
10  com.apple.WebCore             	0x00007fff4c276d5f WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 1247
11  com.apple.WebCore             	0x00007fff4c275877 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 2167
12  com.apple.WebCore             	0x00007fff4c275e55 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 3669
13  com.apple.WebCore             	0x00007fff4a89d62a WebCore::RenderBlock::layout() + 42
14  com.apple.WebCore             	0x00007fff4c36e4e6 WebCore::RenderTable::layoutCaption(WebCore::RenderTableCaption&) + 198
15  com.apple.WebCore             	0x00007fff4a944d5c WebCore::RenderTable::layout() + 12204
16  com.apple.WebCore             	0x00007fff4c27c267 WebCore::RenderBlockFlow::layoutLineBoxes(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 4903
17  com.apple.WebCore             	0x00007fff4c27588e WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 2190
18  com.apple.WebCore             	0x00007fff4a89d62a WebCore::RenderBlock::layout() + 42
19  com.apple.WebCore             	0x00007fff4c27783d WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 4029
20  com.apple.WebCore             	0x00007fff4c275877 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 2167
21  com.apple.WebCore             	0x00007fff4a89d62a WebCore::RenderBlock::layout() + 42
22  com.apple.WebCore             	0x00007fff4c3543f4 WebCore::RenderMultiColumnFlow::layout() + 212
23  com.apple.WebCore             	0x00007fff4c288c74 WebCore::RenderBlockFlow::layoutExcludedChildren(bool) + 292
24  com.apple.WebCore             	0x00007fff4c276d5f WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 1247
25  com.apple.WebCore             	0x00007fff4c275877 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 2167
26  com.apple.WebCore             	0x00007fff4a89d62a WebCore::RenderBlock::layout() + 42
27  com.apple.WebCore             	0x00007fff4c27783d WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 4029
28  com.apple.WebCore             	0x00007fff4c275877 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 2167
29  com.apple.WebCore             	0x00007fff4a89d62a WebCore::RenderBlock::layout() + 42
30  com.apple.WebCore             	0x00007fff4c27783d WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 4029
31  com.apple.WebCore             	0x00007fff4c275877 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 2167
32  com.apple.WebCore             	0x00007fff4a89d62a WebCore::RenderBlock::layout() + 42
33  com.apple.WebCore             	0x00007fff4c27783d WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 4029
34  com.apple.WebCore             	0x00007fff4c275877 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 2167
35  com.apple.WebCore             	0x00007fff4a89d62a WebCore::RenderBlock::layout() + 42
36  com.apple.WebCore             	0x00007fff4c27783d WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 4029
37  com.apple.WebCore             	0x00007fff4c275877 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 2167
38  com.apple.WebCore             	0x00007fff4a89d62a WebCore::RenderBlock::layout() + 42
39  com.apple.WebCore             	0x00007fff4a89d380 WebCore::RenderView::layout() + 1120
40  com.apple.WebCore             	0x00007fff4bfe6b9c WebCore::FrameViewLayoutContext::layout() + 1532
41  com.apple.WebCore             	0x00007fff4a917137 WebCore::Document::updateLayout() + 279
42  com.apple.WebCore             	0x00007fff4a99bc75 WebCore::Element::scrollLeft() + 101
43  com.apple.WebCore             	0x00007fff4af3fb1f WebCore::jsElementPrototypeFunctionScrollBy(JSC::ExecState*) + 335

<rdar://problem/58447665>
Comment 1 Ryosuke Niwa 2020-01-30 23:16:44 PST 
Created attachment 389331 [details]
Test case (unreduced)
Comment 2 Ali Juma 2020-02-04 12:12:04 PST 
Created attachment 389691 [details]
Test case (reduced)
Comment 3 Ali Juma 2020-02-07 07:07:54 PST 
Created attachment 390082 [details]
Minimal test case
Comment 4 Ali Juma 2020-02-10 20:11:56 PST 
This is crashing because in the render tree, we have a RenderInline whose child is a RenderBox.

The minimal test case is just:
<label>
  <ul style="display: table-caption; columns: 1px">
    <li style="-webkit-border-image: url()">
      <dl style="-webkit-column-span: all;">
        <dd>p

In the render tree, the ul element's RenderTableCaption has a RenderTable parent, whose parent is the RenderInline for the label element.

We crash in RenderListItem::positionListMarker because as we keep updating |markerAncestor| in the loop at https://trac.webkit.org/browser/webkit/trunk/Source/WebCore/rendering/RenderListItem.cpp#L341, going down the parentBox chain, we eventually get a null |markerAncestor| when we reach the RenderBox whose parent is that RenderInline (since RenderBox::parentBox returns null if parent() isn't a RenderBox).

In a debug build, we fail the assertion in RenderBox::parentBox that parent() is a RenderBox.

Where would be a good place to start looking to figure out why a RenderInline is getting a RenderBox child?
Comment 5 Ali Juma 2020-02-24 14:44:44 PST 
Created attachment 391582 [details]
More-minimal test case

Minimized the test case just a bit more.

I'm still not sure why the RenderInline is getting a RenderBox child rather than the usual logic of creating an anonymous block getting triggered, but it seems like RenderTreeBuilder::Inline::attachIgnoringContinuation is the place to debug.
Comment 6 Ryosuke Niwa 2020-04-01 20:24:09 PDT 
Oh looks like this got fixed in the bug 209262.
Comment 7 Ryosuke Niwa 2020-04-01 20:24:44 PDT 
Reverse duping

*** This bug has been marked as a duplicate of bug 209262 ***