Bug 207034

Summary:

Nullptr crash in InlineTextBox::emphasisMarkExistsAndIsAbove

Product:

WebKit

Reporter:

Ryosuke Niwa <rniwa>

Component:

Layout and Rendering

Assignee:

Antti Koivisto <koivisto>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

ajuma, bfulgham, cdumez, esprehn+autocc, ews-watchlist, glenn, jacob_uphoff, koivisto, kondapallykalyan, mifenton, mmaxfield, pdr, product-security, rohitrao, shihchieh_lee, simon.fraser, sunny_he, webkit-bug-importer, zalan

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

See Also:

https://bugs.webkit.org/show_bug.cgi?id=209695

Attachments:

Description	Flags
Test case (unreduced)	none
reduced test case	none
patch	none
patch	none

Description Ryosuke Niwa 2020-01-30 23:50:36 PST

e.g.

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x00000001b77b6964 WebCore::InlineTextBox::emphasisMarkExistsAndIsAbove(WebCore::RenderStyle const&) const + 964 (InlineTextBox.cpp:418)
1   com.apple.WebCore             	0x00000001b7796b04 WebCore::InlineFlowBox::computeOverAnnotationAdjustment(WebCore::LayoutUnit) const + 788 (InlineFlowBox.cpp:1592)
2   com.apple.WebCore             	0x00000001b7796887 WebCore::InlineFlowBox::computeOverAnnotationAdjustment(WebCore::LayoutUnit) const + 151 (InlineFlowBox.cpp:1566)
3   com.apple.WebCore             	0x00000001b7a9ae44 WebCore::RootInlineBox::selectionTop() const + 132 (RootInlineBox.cpp:577)
4   com.apple.WebCore             	0x00000001b79ed4f3 WebCore::RenderReplaced::localSelectionRect(bool) const + 291 (RenderReplaced.cpp:667)
5   com.apple.WebCore             	0x00000001b7be9bde WebCore::RenderSVGRoot::computeFloatVisibleRectInContainer(WebCore::FloatRect const&, WebCore::RenderLayerModelObject const*, WebCore::RenderObject::VisibleRectContext) const + 478 (RenderSVGRoot.cpp:366)
6   com.apple.WebCore             	0x00000001b7c2b5de WebCore::SVGRenderSupport::computeFloatVisibleRectInContainer(WebCore::RenderElement const&, WebCore::FloatRect const&, WebCore::RenderLayerModelObject const*, WebCore::RenderObject::VisibleRectContext) + 430
7   com.apple.WebCore             	0x00000001b7c14ac7 WebCore::RenderSVGText::computeFloatVisibleRectInContainer(WebCore::FloatRect const&, WebCore::RenderLayerModelObject const*, WebCore::RenderObject::VisibleRectContext) const + 71 (RenderSVGText.cpp:105)
8   com.apple.WebCore             	0x00000001b7c14a23 WebCore::RenderSVGText::computeVisibleRectInContainer(WebCore::LayoutRect const&, WebCore::RenderLayerModelObject const*, WebCore::RenderObject::VisibleRectContext) const + 99 (RenderSVGText.cpp:98)
9   com.apple.WebCore             	0x00000001b79e5ac6 WebCore::RenderObject::computeVisibleRectInContainer(WebCore::LayoutRect const&, WebCore::RenderLayerModelObject const*, WebCore::RenderObject::VisibleRectContext) const + 342
10  com.apple.WebCore             	0x00000001b79e553e WebCore::RenderObject::computeRectForRepaint(WebCore::LayoutRect const&, WebCore::RenderLayerModelObject const*) const + 110 (RenderObject.cpp:983)
11  com.apple.WebCore             	0x00000001b7a5f416 WebCore::RenderText::collectSelectionRectsForLineBoxes(WebCore::RenderLayerModelObject const*, bool, WTF::Vector<WebCore::LayoutRect, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>*) + 982 (RenderText.cpp:1486)
12  com.apple.WebCore             	0x00000001b7a5f693 WebCore::RenderText::collectSelectionRectsForLineBoxes(WebCore::RenderLayerModelObject const*, bool, WTF::Vector<WebCore::LayoutRect, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&) + 51 (RenderText.cpp:1492)
13  com.apple.WebCore             	0x00000001b7a0d878 WebCore::RenderSelectionInfo::RenderSelectionInfo(WebCore::RenderObject&, bool) + 168 (RenderSelectionInfo.cpp:50)
14  com.apple.WebCore             	0x00000001b7a0d91c WebCore::RenderSelectionInfo::RenderSelectionInfo(WebCore::RenderObject&, bool) + 44 (RenderSelectionInfo.cpp:54)
15  com.apple.WebCore             	0x00000001b7aada57 std::__1::__unique_if<WebCore::RenderSelectionInfo>::__unique_single std::__1::make_unique<WebCore::RenderSelectionInfo, WebCore::RenderObject&, bool>(WebCore::RenderObject&, bool&&) + 87 (memory:3132)
16  com.apple.WebCore             	0x00000001b7aa0c84 decltype(auto) WTF::makeUnique<WebCore::RenderSelectionInfo, WebCore::RenderObject&, bool>(WebCore::RenderObject&, bool&&) + 68 (StdLibExtras.h:483)
17  com.apple.WebCore             	0x00000001b7aa1238 WebCore::collect(WebCore::SelectionRangeData::Context const&, bool) + 344 (SelectionRangeData.cpp:134)
18  com.apple.WebCore             	0x00000001b7a9f41e WebCore::SelectionRangeData::apply(WebCore::SelectionRangeData::Context const&, WebCore::SelectionRangeData::RepaintMode) + 94 (SelectionRangeData.cpp:284)
19  com.apple.WebCore             	0x00000001b7a9f2c4 WebCore::SelectionRangeData::set(WebCore::SelectionRangeData::Context const&, WebCore::SelectionRangeData::RepaintMode) + 260 (SelectionRangeData.cpp:211)
20  com.apple.WebCore             	0x00000001b7aa0259 WebCore::SelectionRangeData::clear() + 89 (SelectionRangeData.cpp:216)
21  com.apple.WebCore             	0x00000001b65a06e2 WebCore::FrameSelection::setNeedsSelectionUpdate(WebCore::FrameSelection::RevealSelectionAfterUpdate) + 194 (FrameSelection.cpp:440)
22  com.apple.WebCore             	0x00000001b7c5cad8 WebCore::RenderTreeBuilder::detachFromRenderElement(WebCore::RenderElement&, WebCore::RenderObject&) + 792 (RenderTreeBuilder.cpp:851)
23  com.apple.WebCore             	0x00000001b7c59709 WebCore::RenderTreeBuilder::detach(WebCore::RenderElement&, WebCore::RenderObject&, WebCore::RenderTreeBuilder::CanCollapseAnonymousBlock) + 905
24  com.apple.WebCore             	0x00000001b7c59219 WebCore::RenderTreeBuilder::destroy(WebCore::RenderObject&) + 153 (RenderTreeBuilder.cpp:166)
25  com.apple.WebCore             	0x00000001b7c5934d WebCore::RenderTreeBuilder::destroy(WebCore::RenderObject&) + 461 (RenderTreeBuilder.cpp:183)
26  com.apple.WebCore             	0x00000001b7c5f074 WebCore::RenderTreeBuilder::destroyAndCleanUpAnonymousWrappers(WebCore::RenderObject&) + 228 (RenderTreeBuilder.cpp:782)
27  com.apple.WebCore             	0x00000001b7c8109d WebCore::RenderTreeUpdater::tearDownTextRenderer(WebCore::Text&, WebCore::RenderTreeBuilder&) + 61 (RenderTreeUpdater.cpp:618)
28  com.apple.WebCore             	0x00000001b7c7ea1a WebCore::RenderTreeUpdater::updateTextRenderer(WebCore::Text&, WebCore::Style::TextUpdate const*) + 186 (RenderTreeUpdater.cpp:497)
29  com.apple.WebCore             	0x00000001b7c7e38d WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) + 877 (RenderTreeUpdater.cpp:179)
30  com.apple.WebCore             	0x00000001b7c7dd09 WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >) + 473 (RenderTreeUpdater.cpp:128)
31  com.apple.WebCore             	0x00000001b627522a WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) + 1306 (Document.cpp:1995)
32  com.apple.WebCore             	0x00000001b6275c8d WebCore::Document::updateStyleIfNeeded() + 493 (Document.cpp:2088)
33  com.apple.WebCore             	0x00000001b6271029 WebCore::Document::updateLayout() + 393 (Document.cpp:2110)
34  com.apple.WebCore             	0x00000001b627259e WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks) + 94 (Document.cpp:2130)
35  com.apple.WebCore             	0x00000001b65fb3dc WebCore::TextIterator::TextIterator(WebCore::Range const*, unsigned short) + 316 (TextIterator.cpp:377)
36  com.apple.WebCore             	0x00000001b65fb4d8 WebCore::TextIterator::TextIterator(WebCore::Range const*, unsigned short) + 40 (TextIterator.cpp:392)
37  com.apple.WebCore             	0x00000001b65fffea WebCore::CharacterIterator::CharacterIterator(WebCore::Range const&, unsigned short) + 58 (TextIterator.cpp:1410)
38  com.apple.WebCore             	0x00000001b66000b8 WebCore::CharacterIterator::CharacterIterator(WebCore::Range const&, unsigned short) + 40 (TextIterator.cpp:1414)
39  com.apple.WebCore             	0x00000001b66029c9 WebCore::findPlainTextMatches(WebCore::Range const&, WTF::String const&, WTF::OptionSet<WebCore::FindOptionFlag>, WTF::Function<bool (unsigned long, unsigned long)> const&) + 505 (TextIterator.cpp:2635)
40  com.apple.WebCore             	0x00000001b6602e33 WebCore::findPlainText(WebCore::Range const&, WTF::String const&, WTF::OptionSet<WebCore::FindOptionFlag>) + 163 (TextIterator.cpp:2694)
41  com.apple.WebCore             	0x00000001b65976fe WebCore::Editor::rangeOfString(WTF::String const&, WebCore::Range*, WTF::OptionSet<WebCore::FindOptionFlag>) + 830 (Editor.cpp:3484)
42  com.apple.WebCore             	0x00000001b659723f WebCore::Editor::findString(WTF::String const&, WTF::OptionSet<WebCore::FindOptionFlag>) + 175 (Editor.cpp:3445)
43  com.apple.WebCore             	0x00000001b6f81d6a WebCore::DOMWindow::find(WTF::String const&, bool, bool, bool, bool, bool, bool) const + 298 (DOMWindow.cpp:1215)

<rdar://problem/57842366>

Comment 1 Ryosuke Niwa 2020-01-30 23:51:01 PST

You might also hit this crash:

0   com.apple.WebCore             	0x00000006b0f58deb WTFCrashWithInfo(int, char const*, char const*, int) + 27
1   com.apple.WebCore             	0x00000006b5d5ebaa WebCore::Shape::createRasterShape(WebCore::Image*, float, WebCore::LayoutRect const&, WebCore::LayoutRect const&, WebCore::WritingMode, float) + 3082
2   com.apple.WebCore             	0x00000006b5d60c28 WebCore::ShapeOutsideInfo::createShapeForImage(WebCore::StyleImage*, float, WebCore::WritingMode, float) const + 1000
3   com.apple.WebCore             	0x00000006b5d5f9e9 WebCore::ShapeOutsideInfo::computedShape() const + 857
4   com.apple.WebCore             	0x00000006b5d62dc9 WebCore::ShapeOutsideInfo::computeDeltasForContainingBlockLine(WebCore::RenderBlockFlow const&, WebCore::FloatingObject const&, WebCore::LayoutUnit, WebCore::LayoutUnit) + 1017
5   com.apple.WebCore             	0x00000006b5d030dc WebCore::LineWidth::shrinkAvailableWidthForNewFloatIfNeeded(WebCore::FloatingObject const&) + 460
6   com.apple.WebCore             	0x00000006b58005ed WebCore::ComplexLineLayout::positionNewFloatOnLine(WebCore::FloatingObject const&, WebCore::FloatingObject*, WebCore::LineInfo&, WebCore::LineWidth&) + 317
7   com.apple.WebCore             	0x00000006b5cf7db4 WebCore::LineBreaker::skipLeadingWhitespace(WebCore::BidiResolverWithIsolate<WebCore::InlineIterator, WebCore::BidiRun, WebCore::BidiIsolatedRun>&, WebCore::LineInfo&, WebCore::FloatingObject*, WebCore::LineWidth&) + 932
8   com.apple.WebCore             	0x00000006b5cf8226 WebCore::LineBreaker::nextLineBreak(WebCore::BidiResolverWithIsolate<WebCore::InlineIterator, WebCore::BidiRun, WebCore::BidiIsolatedRun>&, WebCore::LineInfo&, WebCore::RenderTextInfo&, WebCore::FloatingObject*, unsigned int, WTF::Vector<WebCore::WordMeasurement, 64ul, WTF::CrashOnOverflow, 16ul>&) + 518
9   com.apple.WebCore             	0x00000006b57f5c9b WebCore::ComplexLineLayout::layoutRunsAndFloatsInRange(WebCore::LineLayoutState&, WebCore::BidiResolverWithIsolate<WebCore::InlineIterator, WebCore::BidiRun, WebCore::BidiIsolatedRun>&, WebCore::InlineIterator const&, WebCore::BidiStatus const&, unsigned int) + 1723
10  com.apple.WebCore             	0x00000006b57f3c3b WebCore::ComplexLineLayout::layoutRunsAndFloats(WebCore::LineLayoutState&, bool) + 1275
11  com.apple.WebCore             	0x00000006b57fb8be WebCore::ComplexLineLayout::layoutLineBoxes(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 2238
12  com.apple.WebCore             	0x00000006b5900637 WebCore::RenderBlockFlow::layoutInlineChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 407
13  com.apple.WebCore             	0x00000006b58febcf WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 1135
14  com.apple.WebCore             	0x00000006b58c5905 WebCore::RenderBlock::layout() + 277
15  com.apple.WebCore             	0x00000006b5903d9f WebCore::RenderBlockFlow::insertFloatingObject(WebCore::RenderBox&) + 687
16  com.apple.WebCore             	0x00000006b5cf7d9a WebCore::LineBreaker::skipLeadingWhitespace(WebCore::BidiResolverWithIsolate<WebCore::InlineIterator, WebCore::BidiRun, WebCore::BidiIsolatedRun>&, WebCore::LineInfo&, WebCore::FloatingObject*, WebCore::LineWidth&) + 906
17  com.apple.WebCore             	0x00000006b5cf8226 WebCore::LineBreaker::nextLineBreak(WebCore::BidiResolverWithIsolate<WebCore::InlineIterator, WebCore::BidiRun, WebCore::BidiIsolatedRun>&, WebCore::LineInfo&, WebCore::RenderTextInfo&, WebCore::FloatingObject*, unsigned int, WTF::Vector<WebCore::WordMeasurement, 64ul, WTF::CrashOnOverflow, 16ul>&) + 518
18  com.apple.WebCore             	0x00000006b57f5c9b WebCore::ComplexLineLayout::layoutRunsAndFloatsInRange(WebCore::LineLayoutState&, WebCore::BidiResolverWithIsolate<WebCore::InlineIterator, WebCore::BidiRun, WebCore::BidiIsolatedRun>&, WebCore::InlineIterator const&, WebCore::BidiStatus const&, unsigned int) + 1723
19  com.apple.WebCore             	0x00000006b57f3c3b WebCore::ComplexLineLayout::layoutRunsAndFloats(WebCore::LineLayoutState&, bool) + 1275
20  com.apple.WebCore             	0x00000006b57fb8be WebCore::ComplexLineLayout::layoutLineBoxes(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 2238
21  com.apple.WebCore             	0x00000006b5900637 WebCore::RenderBlockFlow::layoutInlineChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 407
22  com.apple.WebCore             	0x00000006b58febcf WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 1135
23  com.apple.WebCore             	0x00000006b58c5905 WebCore::RenderBlock::layout() + 277
24  com.apple.WebCore             	0x00000006b5c7d08b WebCore::RenderView::layout() + 1531
25  com.apple.WebCore             	0x00000006b5021178 WebCore::FrameViewLayoutContext::layout() + 1448
26  com.apple.WebCore             	0x00000006b405ec09 WebCore::Document::updateLayout() + 537
27  com.apple.WebCore             	0x00000006b4060ff3 WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks) + 147
28  com.apple.WebCore             	0x00000006b413b3c5 WebCore::Element::scrollLeft() + 181
29  com.apple.WebCore             	0x00000006b4137da1 WebCore::Element::scrollBy(WebCore::ScrollToOptions const&) + 257
30  com.apple.WebCore             	0x00000006b4138298 WebCore::Element::scrollBy(double, double) + 312

Comment 2 Ryosuke Niwa 2020-01-30 23:51:22 PST

Created attachment 389333 [details]
Test case (unreduced)

Comment 3 Ryosuke Niwa 2020-03-26 14:35:56 PDT

Antti is looking into this.

Comment 4 Antti Koivisto 2020-03-27 09:33:35 PDT

Created attachment 394722 [details]
reduced test case

Comment 5 Antti Koivisto 2020-03-27 10:21:33 PDT

Created attachment 394724 [details]
patch

Comment 6 zalan 2020-03-27 12:06:44 PDT

Comment on attachment 394724 [details]
patch

I was under the impression that the teardown direction was incorrect (re: email).

Comment 7 Antti Koivisto 2020-03-28 08:16:27 PDT

As discussed, changing the removal order may also be helpful.

Comment 8 EWS 2020-03-28 08:35:53 PDT

Committed r259158: <https://trac.webkit.org/changeset/259158>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 394724 [details].

Comment 9 Jacob Uphoff 2020-03-30 14:13:58 PDT

Reverted r259158 for reason:

This commit caused an assertion failure

Committed r259232: <https://trac.webkit.org/changeset/259232>

Comment 10 Jacob Uphoff 2020-03-30 14:15:29 PDT

Caused https://bugs.webkit.org/show_bug.cgi?id=209766

Comment 11 Ryosuke Niwa 2020-03-30 14:49:31 PDT

(In reply to Jacob Uphoff from comment #9)
> Reverted r259158 for reason:
> 
> This commit caused an assertion failure
> 
> Committed r259232: <https://trac.webkit.org/changeset/259232>

What what kind of assertion failures?

Comment 12 zalan 2020-03-30 14:51:25 PDT

https://build.webkit.org/results/Apple-Catalina-Debug-WK2-Tests/r259158%20(3190)/editing/selection/focus-and-display-none-crash-log.txt

ASSERTION FAILED: m_renderRange.startOffset()
./rendering/HighlightData.h(84) : unsigned int WebCore::HighlightData::startOffset() const
1   0x7f20e8229 WTFCrash
2   0x7d51eeffb WTFCrashWithInfo(int, char const*, char const*, int)
3   0x7d90faf88 WebCore::HighlightData::startOffset() const
4   0x7d90fae38 WebCore::InlineTextBox::selectionStartEnd() const
5   0x7d90fe943 WebCore::createMarkedTextFromSelectionInBox(WebCore::InlineTextBox const&)
6   0x7d90fccb2 WebCore::InlineTextBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit)
7   0x7d90f64cb WebCore::InlineFlowBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit)
8   0x7d93fd071 WebCore::RootInlineBox::paint(WebCore::PaintInfo&, WebCore::LayoutPoint const&, WebCore::LayoutUnit, WebCore::LayoutUnit)
9   0x7d92e69d8 WebCore::RenderLineBoxList::paint(WebCore::RenderBoxModelObject*, WebCore::PaintInfo&, WebCore::LayoutPoint const&) const
10  0x7d91566e1 WebCore::RenderBlockFlow::paintInlineChildren(WebCore::PaintInfo&, WebCore::LayoutPoint const&)
11  0x7d912b78e WebCore::RenderBlock::paintContents(WebCore::PaintInfo&, WebCore::LayoutPoint const&)

Comment 13 Antti Koivisto 2020-03-31 05:50:00 PDT

This is not actually a good approach since it may leave stray selection state behind in the render tree. Zalan already fixed the crash here in an alternative way in https://bugs.webkit.org/show_bug.cgi?id=209695. 

I'll just reland the test here and add a null check in case there are still cases not covered by 209695.

Comment 14 Antti Koivisto 2020-03-31 05:58:38 PDT

Created attachment 395028 [details]
patch

Comment 15 EWS 2020-03-31 07:13:56 PDT

Committed r259286: <https://trac.webkit.org/changeset/259286>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 395028 [details].