Bug 207296

Summary: Nullptr crash in RenderStyle::isFlippedBlocksWritingMode when fragment flow gains a new in-flow descendant
Product: WebKit Reporter: Jack <shihchieh_lee>
Component: Layout and RenderingAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: aakash_jain, ajuma, bfulgham, ews-feeder, koivisto, product-security, rniwa, simon.fraser, webkit-bug-importer, zalan
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: All   
OS: All   
Attachments:
Description Flags
Patch
none
Patch koivisto: review+, aakash_jain: commit-queue-

Description Jack 2020-02-05 14:30:06 PST 
<rdar://56967115>

    #0 0x4b1c42ab1 in WebCore::RenderStyle::writingMode() const (Safari_ASAN_252152_93985f3693290f9e1b9273fb7bc493e9eb44c361.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x1c40ab1)
    #1 0x4b405e128 in WebCore::RenderStyle::isFlippedBlocksWritingMode() const (Safari_ASAN_252152_93985f3693290f9e1b9273fb7bc493e9eb44c361.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x405c128)
    #2 0x4b495d0fa in WebCore::RenderBox::flipForWritingMode(WebCore::LayoutPoint const&) const (Safari_ASAN_252152_93985f3693290f9e1b9273fb7bc493e9eb44c361.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x495b0fa)
    #3 0x4b4bd811f in WebCore::RenderMultiColumnFlow::physicalTranslationFromFragmentToFlow(WebCore::RenderMultiColumnSet const*, WebCore::LayoutPoint const&) const (Safari_ASAN_252152_93985f3693290f9e1b9273fb7bc493e9eb44c361.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x4bd611f)
    #4 0x4b4bd7df6 in WebCore::RenderMultiColumnFlow::mapAbsoluteToLocalPoint(unsigned int, WebCore::TransformState&) const (Safari_ASAN_252152_93985f3693290f9e1b9273fb7bc493e9eb44c361.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x4bd5df6)
    #5 0x4b49c5521 in WebCore::RenderBoxModelObject::mapAbsoluteToLocalPoint(unsigned int, WebCore::TransformState&) const (Safari_ASAN_252152_93985f3693290f9e1b9273fb7bc493e9eb44c361.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x49c3521)
    #6 0x4b49c5521 in WebCore::RenderBoxModelObject::mapAbsoluteToLocalPoint(unsigned int, WebCore::TransformState&) const (Safari_ASAN_252152_93985f3693290f9e1b9273fb7bc493e9eb44c361.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x49c3521)
    #7 0x4b49c5521 in WebCore::RenderBoxModelObject::mapAbsoluteToLocalPoint(unsigned int, WebCore::TransformState&) const (Safari_ASAN_252152_93985f3693290f9e1b9273fb7bc493e9eb44c361.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x49c3521)
    #8 0x4b4bfda9a in WebCore::RenderObject::absoluteToLocal(WebCore::FloatPoint const&, unsigned int) const (Safari_ASAN_252152_93985f3693290f9e1b9273fb7bc493e9eb44c361.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x4bfba9a)
    #9 0x4b40670ea in WebCore::FrameView::convertFromContainingViewToRenderer(WebCore::RenderElement const*, WebCore::IntRect const&) const (Safari_ASAN_252152_93985f3693290f9e1b9273fb7bc493e9eb44c361.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x40650ea)
    #10 0x4b4067ee8 in WebCore::FrameView::convertFromContainingView(WebCore::IntRect const&) const (Safari_ASAN_252152_93985f3693290f9e1b9273fb7bc493e9eb44c361.app/Contents/
Comment 1 Jack 2020-02-05 14:33:38 PST 
Root cause analysis from Alan:

Without the [outer.style.transition = "1s”] this is what we end up with: 

before [range.extractContents] call
B-----L- --        DIV RenderBlock at (0,0) size 1222x0 renderer->(0x1360f9420) node->(0x12f59afc0)
B---YGL-           RenderMultiColumnFlowThread at (0,0) size 603x0 renderer->(0x1360f97b0) [Rs:0x0 Re:0x0]
BA----L- --            DIV RenderBlock at (8,8) size 304x154 renderer->(0x1360f9550) node->(0x12f59b050)
N------- --                 IFRAME RenderIFrame at (0,0) size 304x154 renderer->(0x1360f9680) node->(0x12f59b0e0)

after [range.extractContents] call
B------- -+        DIV RenderBlock at (0,0) size 1222x0 renderer->(0x1360f9420) node->(0x12f59afc0) layout->[self][normal child]
B------- -+          DIV RenderBlock at (8,8) size 304x154 renderer->(0x1360f9550) node->(0x12f59b050) layout->[self][normal child]
N------- -+            IFRAME RenderIFrame at (0,0) size 304x154 renderer->(0x1360f9680) node->(0x12f59b0e0) layout->[self]
^^Note that missing RenderMultiColumnFlowThread and the inner <div> is no longer absolutely positioned.

and when the [outer.style.transition = "1s”] is added back the after state is this ->
B-----L- -+        DIV RenderBlock at (0,0) size 1222x0 renderer->(0x1360f9420) node->(0x1360fbd60) layout->[self][normal child]
B---YGL-           RenderMultiColumnFlowThread at (0,0) size 603x0 renderer->(0x1360f97b0) [Rs:0x0 Re:0x0] layout->[self][normal child]
B------- -+            DIV RenderBlock at (8,8) size 304x154 renderer->(0x1360f9550) node->(0x1360fbdf0) [Rs:0x0 Re:0x0] layout->[self][normal child]
N------- -+              IFRAME RenderIFrame at (0,0) size 304x154 renderer->(0x1360f9680) node->(0x1360fa2a0) layout->[self]
^^the inner <div> is no longer absolutely positioned but we’ve still have a fragmented flow.

It looks like when the inner <div> goes from out-of-flow to in-flow, we don’t check if the enclosing fragmented flow needs a new set.
Comment 2 Jack 2020-02-05 15:57:54 PST 
Created attachment 389894 [details]
Patch
Comment 3 Jack 2020-02-06 10:55:30 PST 
EWS test "Mac-debug-wk1" fails because of <rdar://46103517>. Pending on investigation.
Comment 4 Ryosuke Niwa 2020-02-06 13:11:00 PST 
Comment on attachment 389894 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=389894&action=review

> Source/WebCore/ChangeLog:10
> +        Reviewed by NOBODY (OOPS!).

This line should appear below URL but before the description (surrounded by blank lines as you did here).
Comment 5 Jack 2020-02-18 12:29:11 PST 
Created attachment 391076 [details]
Patch
Comment 6 Jack 2020-02-18 13:13:42 PST 
Submit the change with expected crash in layout test due to bug 202805.
Comment 7 Ryosuke Niwa 2020-02-19 18:59:39 PST 
<rdar://problem/49687828>
Comment 8 Aakash Jain 2020-02-20 07:42:18 PST 
Comment on attachment 391076 [details]
Patch

commit-queue still doesn't support security bugs. Please land manually. See: https://bugs.webkit.org/show_bug.cgi?id=201939
Comment 9 Ryosuke Niwa 2020-02-21 00:22:26 PST 
This is not a security bug.
Comment 10 Ryosuke Niwa 2020-02-21 00:26:19 PST 
Committed r257129: <https://trac.webkit.org/changeset/257129>
Comment 11 Ryosuke Niwa 2020-03-07 19:57:37 PST 
*** Bug 208317 has been marked as a duplicate of this bug. ***