Bug 220490

Summary:

[css-multicol] OOM with 1px height columns

Product:

WebKit

Reporter:

Ryosuke Niwa <rniwa>

Component:

Layout and Rendering

Assignee:

Nobody <webkit-unassigned>

Status:

REOPENED ---

Severity:

Normal

CC:

bfulgham, cgarcia, commit-queue, ews-feeder, fred.wang, gpoo, koivisto, rbuis, simon.fraser, svillar, webkit-bug-importer, zalan

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

See Also:

https://bugs.webkit.org/show_bug.cgi?id=221962

Bug Depends on:

224908

Bug Blocks:

Attachments:

Description	Flags
Test	none
Even smaller test case	none
Patch	none
Patch	rniwa: review+

Description Ryosuke Niwa 2021-01-08 17:43:21 PST

Created attachment 417322 [details]
Test

With a non-ASAN release build, we hit the following crash with the attached the test case:

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x000000054bbb644a bool WTF::VectorBufferBase<WebCore::LayerFragment, WTF::FastMalloc>::allocateBuffer<(WTF::FailureAction)0>(unsigned long) + 1 (Vector.h:293) [inlined]
1   com.apple.WebCore             	0x000000054bbb644a bool WTF::VectorBuffer<WebCore::LayerFragment, 1ul, WTF::FastMalloc>::allocateBuffer<(WTF::FailureAction)0>(unsigned long) + 1 (Vector.h:470) [inlined]
2   com.apple.WebCore             	0x000000054bbb644a bool WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::reserveCapacity<(WTF::FailureAction)0>(unsigned long) + 266 (Vector.h:1195)
3   com.apple.WebCore             	0x000000054bbb6330 bool WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::expandCapacity<(WTF::FailureAction)0>(unsigned long) + 50 (Vector.h:1056) [inlined]
4   com.apple.WebCore             	0x000000054bbb6330 WebCore::LayerFragment* WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::expandCapacity<(WTF::FailureAction)0>(unsigned long, WebCore::LayerFragment*) + 144 (Vector.h:1065)
5   com.apple.WebCore             	0x000000054bbd3169 bool WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::appendSlowCase<(WTF::FailureAction)0, WebCore::LayerFragment&>(WebCore::LayerFragment&) + 18 (Vector.h:1317) [inlined]
6   com.apple.WebCore             	0x000000054bbd3169 bool WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::append<(WTF::FailureAction)0, WebCore::LayerFragment&>(WebCore::LayerFragment&) + 28 (Vector.h:1292) [inlined]
7   com.apple.WebCore             	0x000000054bbd3169 void WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::append<WebCore::LayerFragment&>(WebCore::LayerFragment&) + 28 (Vector.h:776) [inlined]
8   com.apple.WebCore             	0x000000054bbd3169 WebCore::RenderMultiColumnSet::collectLayerFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WebCore::LayoutRect const&, WebCore::LayoutRect const&) + 1865 (RenderMultiColumnSet.cpp:830)
9   com.apple.WebCore             	0x000000054bb50ba5 WebCore::RenderFragmentedFlow::collectLayerFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WebCore::LayoutRect const&, WebCore::LayoutRect const&) + 53 (RenderFragmentedFlow.cpp:857)
10  com.apple.WebCore             	0x000000054bb884cf WebCore::RenderLayer::collectFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WebCore::RenderLayer const*, WebCore::LayoutRect const&, WebCore::RenderLayer::PaginationInclusionMode, WebCore::ClipRectsType, WebCore::OverlayScrollbarSizeRelevancy, WebCore::ShouldRespectOverflowClip, WebCore::LayoutSize const&, WebCore::LayoutRect const*, WebCore::ShouldApplyRootOffsetToFragments) + 1103 (RenderLayer.cpp:4947)
11  com.apple.WebCore             	0x000000054bb85f66 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) + 2790 (RenderLayer.cpp:4725)
12  com.apple.WebCore             	0x000000054bb86266 WebCore::RenderLayer::paintList(WebCore::RenderLayer::LayerList, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) + 63 (RenderLayer.cpp:4863) [inlined]
13  com.apple.WebCore             	0x000000054bb86266 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) + 3558 (RenderLayer.cpp:4758)
14  com.apple.WebCore             	0x000000054bb86266 WebCore::RenderLayer::paintList(WebCore::RenderLayer::LayerList, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) + 63 (RenderLayer.cpp:4863) [inlined]
15  com.apple.WebCore             	0x000000054bb86266 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) + 3558 (RenderLayer.cpp:4758)
16  com.apple.WebCore             	0x000000054bb86266 WebCore::RenderLayer::paintList(WebCore::RenderLayer::LayerList, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) + 63 (RenderLayer.cpp:4863) [inlined]
17  com.apple.WebCore             	0x000000054bb86266 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) + 3558 (RenderLayer.cpp:4758)
18  com.apple.WebCore             	0x000000054bb86266 WebCore::RenderLayer::paintList(WebCore::RenderLayer::LayerList, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) + 63 (RenderLayer.cpp:4863) [inlined]
19  com.apple.WebCore             	0x000000054bb86266 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) + 3558 (RenderLayer.cpp:4758)
20  com.apple.WebCore             	0x000000054bb86266 WebCore::RenderLayer::paintList(WebCore::RenderLayer::LayerList, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) + 63 (RenderLayer.cpp:4863) [inlined]
21  com.apple.WebCore             	0x000000054bb86266 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) + 3558 (RenderLayer.cpp:4758)
22  com.apple.WebCore             	0x000000054bb862c3 WebCore::RenderLayer::paintList(WebCore::RenderLayer::LayerList, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) + 76 (RenderLayer.cpp:4863) [inlined]
23  com.apple.WebCore             	0x000000054bb862c3 WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) + 3651 (RenderLayer.cpp:4761)
24  com.apple.WebCore             	0x000000054bb83928 WebCore::RenderLayer::paint(WebCore::GraphicsContext&, WebCore::LayoutRect const&, WebCore::LayoutSize const&, WTF::OptionSet<WebCore::PaintBehavior>, WebCore::RenderObject*, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>, WebCore::RenderLayer::SecurityOriginPaintPolicy, WebCore::EventRegionContext*) + 280 (RenderLayer.cpp:4222)
25  com.apple.WebCore             	0x000000054b7bc0dd WebCore::FrameView::paintContents(WebCore::GraphicsContext&, WebCore::IntRect const&, WebCore::Widget::SecurityOriginPaintPolicy, WebCore::EventRegionContext*) + 829 (FrameView.cpp:4326)
26  com.apple.WebCore             	0x000000054b87e81c WebCore::ScrollView::paint(WebCore::GraphicsContext&, WebCore::IntRect const&, WebCore::Widget::SecurityOriginPaintPolicy, WebCore::EventRegionContext*) + 684 (ScrollView.cpp:1277)
27  com.apple.WebCore             	0x000000054ba9faaf WebCore::ContentfulPaintChecker::qualifiesForContentfulPaint(WebCore::FrameView&) + 127 (ContentfulPaintChecker.cpp:42)
28  com.apple.WebCore             	0x000000054b1e57db WebCore::Document::enqueuePaintTimingEntryIfNeeded() + 187 (Document.cpp:3222)
29  com.apple.WebCore             	0x000000054b7d626e WTF::Function<void (WebCore::Document&)>::operator()(WebCore::Document&) const + 10 (Function.h:83) [inlined]
30  com.apple.WebCore             	0x000000054b7d626e WebCore::Page::forEachDocument(WTF::Function<void (WebCore::Document&)> const&) const + 334 (Page.cpp:3177)
31  com.apple.WebCore             	0x000000054b7db76d WebCore::Page::doAfterUpdateRendering() + 189 (Page.cpp:1596)
32  com.apple.WebCore             	0x000000054b7db573 WebCore::Page::updateRendering() + 1219 (Page.cpp:1559)
33  com.apple.WebKit              	0x00000005484b4f48 WebKit::TiledCoreAnimationDrawingArea::updateRendering(WebKit::TiledCoreAnimationDrawingArea::UpdateRenderingType) + 60 (TiledCoreAnimationDrawingArea.mm:448)
34  com.apple.WebKit              	0x00000005484b4ed8 WebKit::TiledCoreAnimationDrawingArea::forceRepaint() + 130 (TiledCoreAnimationDrawingArea.mm:171)
35  com.apple.WebKitTestRunner.InjectedBundle	0x0000000554de583d WTR::InjectedBundlePage::dump() + 37 (InjectedBundlePage.cpp:811)
36  com.apple.WebKit              	0x000000054855a54a WebKit::InjectedBundlePageLoaderClient::didFinishLoadForFrame(WebKit::WebPage&, WebKit::WebFrame&, WTF::RefPtr<API::Object, WTF::RawPtrTraits<API::Object>, WTF::DefaultRefDerefTraits<API::Object> >&) + 82 (InjectedBundlePageLoaderClient.cpp:140)
37  com.apple.WebKit              	0x00000005485ac486 WebKit::WebFrameLoaderClient::dispatchDidFinishLoad() + 110 (WebFrameLoaderClient.cpp:671)
38  com.apple.WebCore             	0x000000054b6d415b WebCore::FrameLoader::checkLoadCompleteForThisFrame() + 2075 (FrameLoader.cpp:2574)
39  com.apple.WebCore             	0x000000054b6ca65e WebCore::FrameLoader::checkLoadComplete() + 462 (FrameLoader.cpp:2729)
40  com.apple.WebCore             	0x000000054b6a3edb WebCore::DocumentLoader::finishedLoading() + 811 (DocumentLoader.cpp:487)
41  com.apple.WebCore             	0x000000054b73ab9f WebCore::CachedResource::checkNotify(WebCore::NetworkLoadMetrics const&) + 95 (CachedResource.cpp:375)
42  com.apple.WebCore             	0x000000054b7386bf WebCore::CachedResource::finishLoading(WebCore::SharedBuffer*, WebCore::NetworkLoadMetrics const&) + 24 (CachedResource.cpp:391) [inlined]
43  com.apple.WebCore             	0x000000054b7386bf WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*, WebCore::NetworkLoadMetrics const&) + 799 (CachedRawResource.cpp:123)
44  com.apple.WebCore             	0x000000054b708ce3 WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) + 1203 (SubresourceLoader.cpp:733)
45  com.apple.WebKit              	0x00000005485776a4 WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) + 238 (WebResourceLoader.cpp:227)
46  com.apple.WebKit              	0x0000000548700e2b void IPC::callMemberFunctionImpl<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&), std::__1::tuple<WebCore::NetworkLoadMetrics>, 0ul>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&), std::__1::tuple<WebCore::NetworkLoadMetrics>&&, std::__1::integer_sequence<unsigned long, 0ul>) + 18 (HandleMessage.h:42) [inlined]
47  com.apple.WebKit              	0x0000000548700e2b void IPC::callMemberFunction<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&), std::__1::tuple<WebCore::NetworkLoadMetrics>, std::__1::integer_sequence<unsigned long, 0ul> >(std::__1::tuple<WebCore::NetworkLoadMetrics>&&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) + 18 (HandleMessage.h:48) [inlined]
48  com.apple.WebKit              	0x0000000548700e2b void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) + 45 (HandleMessage.h:120) [inlined]
49  com.apple.WebKit              	0x0000000548700e2b WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) + 247 (WebResourceLoaderMessageReceiver.cpp:64)
50  com.apple.WebKit              	0x0000000548570077 WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) + 91 (NetworkProcessConnection.cpp:93)
51  com.apple.WebKit              	0x000000054801f35a IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) + 152 (Connection.cpp:1139)
52  com.apple.WebKit              	0x000000054801f5a8 IPC::Connection::dispatchOneIncomingMessage() + 190 (Connection.cpp:1208)
53  com.apple.JavaScriptCore      	0x000000054ff8dfe1 WTF::Function<void ()>::operator()() const + 9 (Function.h:83) [inlined]
54  com.apple.JavaScriptCore      	0x000000054ff8dfe1 WTF::RunLoop::performWork() + 545 (RunLoop.cpp:128)

<rdar://problem/72425531>

Comment 1 Sergio Villar Senin 2021-01-13 04:13:44 PST

Created attachment 417523 [details]
Even smaller test case

It crashes for me even without the webkit-line stuff.

Comment 2 Sergio Villar Senin 2021-01-13 04:54:22 PST

It seems it's crashing due to an OOM situation caused by excesive allocations in a Vector of layer fragments. I've debugged a bit the issue and it looks like the problem is that the multicolumn code thinks that there are 10693 columns and thus create a layer fragment for each eventually making allocations fail.

Will provide more info as available.

Comment 3 Ryosuke Niwa 2021-01-13 13:05:06 PST

(In reply to Sergio Villar Senin from comment #2)
> It seems it's crashing due to an OOM situation caused by excesive
> allocations in a Vector of layer fragments. I've debugged a bit the issue
> and it looks like the problem is that the multicolumn code thinks that there
> are 10693 columns and thus create a layer fragment for each eventually
> making allocations fail.

LOL. That's hilarious. How is that possible given the document is basically empty?

Comment 4 Sergio Villar Senin 2021-01-14 04:45:26 PST

(In reply to Ryosuke Niwa from comment #3)
> (In reply to Sergio Villar Senin from comment #2)
> > It seems it's crashing due to an OOM situation caused by excesive
> > allocations in a Vector of layer fragments. I've debugged a bit the issue
> > and it looks like the problem is that the multicolumn code thinks that there
> > are 10693 columns and thus create a layer fragment for each eventually
> > making allocations fail.
> 
> LOL. That's hilarious. How is that possible given the document is basically
> empty?

That's why I'm figuring out ATM. We might be doing something wrong with overflows. Check out the overflow values for the top renderers:

B---YGL- --* RenderView at (0,0) size 1024x730 renderer->(0x6160002bcb80) (layout overflow 0,0 181782x730)
B-----L- --    HTML RenderBlock at (0,0) size 1x730 renderer->(0x612000366f40) node->(0x60c0002b63c0) (layout overflow 0,0 181782x730) (visual overflow 0,0 181782x730)
B---YGL- --      RenderMultiColumnFlowThread at (0,0) size 2x730 renderer->(0x615000286e80) (layout overflow 0,0 10694x730) (visual overflow 0,0 10694x730) [Rs:0x6140000a4e40 Re:0x6140000a4e40]
B-----L- --        HEAD RenderBlock at (0,0) size 1x730 renderer->(0x6120003670c0) node->(0x60c0002b6480) (layout overflow 0,0 10694x730) (visual overflow 0,0 10694x730) [Rs:0x6140000a4e40 Re:0x6140000a4e40]
B---YGL- --          RenderMultiColumnFlowThread at (0,0) size 1x730 renderer->(0x615000286c00) (layout overflow 0,0 630x730) (visual overflow 0,0 630x730) [Rs:0x6140000a4c40 Re:0x6140000a4c40]

Comment 5 Ryosuke Niwa 2021-01-14 17:35:01 PST

Hm... maybe things are messed with vertical writing mode & columns?

Comment 6 Sergio Villar Senin 2021-01-18 08:26:09 PST

Created attachment 417834 [details]
Patch

Comment 7 Sergio Villar Senin 2021-01-18 08:27:00 PST

I've attached a patch with test case because I think we could consider this as non-security issue.

Comment 8 Sergio Villar Senin 2021-01-19 00:49:18 PST

Created attachment 417862 [details]
Patch

Comment 9 Sergio Villar Senin 2021-01-20 02:59:47 PST

Committed r271644: <https://trac.webkit.org/changeset/271644>

Comment 10 zalan 2021-04-14 11:09:43 PDT

This has caused bug 221962

Comment 11 WebKit Commit Bot 2021-04-21 17:29:51 PDT

Re-opened since this is blocked by bug 224908

Comment 12 Ryosuke Niwa 2021-04-21 17:58:19 PDT

<rdar://76991040>