Bug 219702

Summary: REGRESSION (r270544): [iOS] Crash in WebCore::LayoutIntegration::LineLayout::collectOverflow
Product: WebKit
Reporter: Ryan Haddad <ryanhaddad>
Component: Layout and Rendering
Assignee: Antti Koivisto <koivisto>
Status: RESOLVED CONFIGURATION CHANGED
Severity: Normal
CC: bfulgham, koivisto, simon.fraser, webkit-bot-watchers-bugzilla, webkit-bug-importer, zalan
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
See Also: https://bugs.webkit.org/show_bug.cgi?id=219639
Attachments: crash log (Flags: none)

Description Ryan Haddad 2020-12-09 12:00:36 PST
editing/deleting/delete-start-block.html and editing/execCommand/infinite-recursion-computeRectForRepaint.html are consistently crashing on iOS bots with the following backtrace:

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x0000000771530c98 WebCore::LayoutIntegration::LineLayout::collectOverflow() + 24 (LayoutIntegrationLineLayout.cpp:297)
1   com.apple.WebCore             	0x00000007719865c1 WebCore::RenderBlock::addOverflowFromChildren() + 129 (RenderBlock.cpp:660)
2   com.apple.WebCore             	0x000000077198667b WebCore::RenderBlock::computeOverflow(WebCore::LayoutUnit, bool) + 107 (RenderBlock.cpp:673)
3   com.apple.WebCore             	0x00000007719a7dd7 WebCore::RenderBlockFlow::computeOverflow(WebCore::LayoutUnit, bool) + 23 (RenderBlockFlow.cpp:2201)
4   com.apple.WebCore             	0x000000077199eaf9 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 2521 (RenderBlockFlow.cpp:561)
5   com.apple.WebCore             	0x000000077198635a WebCore::RenderBlock::layout() + 42 (RenderBlock.cpp:602)
6   com.apple.WebCore             	0x00000007719a0f63 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 1139
7   com.apple.WebCore             	0x000000077199f5b5 WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 517 (RenderBlockFlow.cpp:661)
8   com.apple.WebCore             	0x000000077199e558 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 1080
9   com.apple.WebCore             	0x000000077198635a WebCore::RenderBlock::layout() + 42 (RenderBlock.cpp:602)
10  com.apple.WebCore             	0x00000007719a0f63 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 1139
11  com.apple.WebCore             	0x000000077199f5b5 WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 517 (RenderBlockFlow.cpp:661)
12  com.apple.WebCore             	0x000000077199e558 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 1080
13  com.apple.WebCore             	0x000000077198635a WebCore::RenderBlock::layout() + 42 (RenderBlock.cpp:602)
14  com.apple.WebCore             	0x00000007719a0f63 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 1139
15  com.apple.WebCore             	0x000000077199f5b5 WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 517 (RenderBlockFlow.cpp:661)
16  com.apple.WebCore             	0x000000077199e558 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 1080
17  com.apple.WebCore             	0x000000077198635a WebCore::RenderBlock::layout() + 42 (RenderBlock.cpp:602)
18  com.apple.WebCore             	0x0000000771af0632 WebCore::RenderView::layout() + 594 (RenderView.cpp:191)
19  com.apple.WebCore             	0x0000000771669241 WebCore::FrameViewLayoutContext::layout() + 1185 (FrameViewLayoutContext.cpp:234)
20  com.apple.WebCore             	0x0000000771044675 WebCore::Document::updateLayout() + 325
21  com.apple.WebCore             	0x0000000771045931 WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks) + 129 (Document.cpp:2169)
22  com.apple.WebCore             	0x0000000771153959 WebCore::DeleteSelectionCommand::fixupWhitespace() + 25 (DeleteSelectionCommand.cpp:663)
23  com.apple.WebCore             	0x00000007711564a3 WebCore::DeleteSelectionCommand::doApply() + 1331 (DeleteSelectionCommand.cpp:943)
24  com.apple.WebCore             	0x000000077114380b WebCore::CompositeEditCommand::applyCommandToComposite(WTF::Ref<WebCore::EditCommand, WTF::RawPtrTraits<WebCore::EditCommand> >&&) + 43 (CompositeEditCommand.cpp:467)
25  com.apple.WebCore             	0x0000000771141583 WebCore::CompositeEditCommand::deleteSelection(bool, bool, bool, bool, bool) + 147 (CompositeEditCommand.cpp:832)
26  com.apple.WebCore             	0x000000077119909e WebCore::InsertParagraphSeparatorCommand::doApply() + 254 (InsertParagraphSeparatorCommand.cpp:160)
27  com.apple.WebCore             	0x000000077114380b WebCore::CompositeEditCommand::applyCommandToComposite(WTF::Ref<WebCore::EditCommand, WTF::RawPtrTraits<WebCore::EditCommand> >&&) + 43 (CompositeEditCommand.cpp:467)
28  com.apple.WebCore             	0x00000007711cdf51 WebCore::TypingCommand::insertParagraphSeparator() + 209 (TypingCommand.cpp:572)
29  com.apple.WebCore             	0x00000007711cc960 WebCore::TypingCommand::insertParagraphSeparatorAndNotifyAccessibility() + 48 (TypingCommand.cpp:580)
30  com.apple.WebCore             	0x00000007711326c7 WebCore::CompositeEditCommand::apply() + 327 (CompositeEditCommand.cpp:376)
31  com.apple.WebCore             	0x00000007711cc891 WebCore::TypingCommand::insertParagraphSeparator(WebCore::Document&, unsigned int) + 161 (TypingCommand.cpp:297)
32  com.apple.WebCore             	0x000000077118fc62 WebCore::executeInsertParagraph(WebCore::Frame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&) + 18 (EditorCommand.cpp:514)
33  com.apple.WebCore             	0x00000007710588cc WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) + 76 (Document.cpp:5623)
34  com.apple.WebCore             	0x000000077044d185 WebCore::jsDocumentPrototypeFunction_execCommand(JSC::JSGlobalObject*, JSC::CallFrame*) + 469 (JSDocument.cpp:5852)
35  ???                           	0x00003cca3e201178 0 + 66839323349368
36  com.apple.JavaScriptCore      	0x000000010f67d699 llint_entry + 108286
37  com.apple.JavaScriptCore      	0x000000010f67d699 llint_entry + 108286
38  com.apple.JavaScriptCore      	0x000000010f662da6 vmEntryToJavaScript + 216
Comment 1 Ryan Haddad 2020-12-09 12:00:49 PST
Created attachment 415782 [details]
crash log
Comment 2 Ryan Haddad 2020-12-09 12:01:22 PST
It looks like this started with https://trac.webkit.org/changeset/270544
Comment 3 Radar WebKit Bug Importer 2020-12-09 12:01:48 PST
<rdar://problem/72147288>
Comment 4 Ryan Haddad 2020-12-09 12:13:42 PST
Reverted in https://trac.webkit.org/changeset/270594