Bug 235567

Summary: ASSERTION FAILED: m_repaintRectsValid => m_repaintRects.outlineBoundsRect == renderer().outlineBoundsForRepaint(renderer().containerForRepaint())
Product: WebKit
Reporter: A <alset0326>
Component: WebCore Misc.
Assignee: Nobody <webkit-unassigned>
Status: NEW
Severity: Normal
CC: ahmad.saleem792, fred.wang, malikwaleedm268, simon.fraser, webkit-bug-importer, zalan
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
See Also: https://bugs.webkit.org/show_bug.cgi?id=244580
Attachments:
  the html can make crash (flags: none)
  Minimized testcase (flags: none)

A
Reported 2022-01-25 04:14:24 PST

Created attachment 449909 [details]
the html can make crash

1. build a debug webkit
2. open the html
3. crash

ASSERTION FAILED: m_repaintRectsValid => m_repaintRects.outlineBoundsRect == renderer().outlineBoundsForRepaint(renderer().containerForRepaint())
../../Source/WebCore/rendering/RenderLayer.cpp(1172) : void WebCore::RenderLayer::updateLayerPositionsAfterScroll(WebCore::RenderGeometryMap*, WTF::OptionSet<WebCore::RenderLayer::UpdateLayerPositionsAfterScrollFlag>)
1   0x7f944677c964 WTFReportBacktrace
2   0x7f944677cc01 WTFCrash
3   0x7f9469cbbaaf WebCore::RenderLayer::updateLayerPositionsAfterScroll(WebCore::RenderGeometryMap*, WTF::OptionSet<WebCore::RenderLayer::UpdateLayerPositionsAfterScrollFlag>)
4   0x7f9469cbbaee WebCore::RenderLayer::updateLayerPositionsAfterScroll(WebCore::RenderGeometryMap*, WTF::OptionSet<WebCore::RenderLayer::UpdateLayerPositionsAfterScrollFlag>)
5   0x7f9469cbbaee WebCore::RenderLayer::updateLayerPositionsAfterScroll(WebCore::RenderGeometryMap*, WTF::OptionSet<WebCore::RenderLayer::UpdateLayerPositionsAfterScrollFlag>)
6   0x7f9469cbbaee WebCore::RenderLayer::updateLayerPositionsAfterScroll(WebCore::RenderGeometryMap*, WTF::OptionSet<WebCore::RenderLayer::UpdateLayerPositionsAfterScrollFlag>)
7   0x7f9469de679f WebCore::RenderLayerScrollableArea::updateLayerPositionsAfterDocumentScroll()
8   0x7f9468a5a9f2 WebCore::FrameView::updateLayerPositionsAfterScrolling()
9   0x7f9468ec06fc WebCore::ScrollView::completeUpdatesAfterScrollTo(WebCore::IntSize const&)
10  0x7f9468ebfcf6 WebCore::ScrollView::handleDeferredScrollUpdateAfterContentSizeChange()
11  0x7f9468a482b2 WebCore::FrameView::didLayout(WTF::WeakPtr<WebCore::RenderElement, WTF::EmptyCounter>)
12  0x7f9468a7ce21 WebCore::FrameViewLayoutContext::layout()
13  0x7f9468a7e458 WebCore::FrameViewLayoutContext::layoutTimerFired()
14  0x7f9468ade7d8 void std::__invoke_impl<void, void (WebCore::FrameViewLayoutContext::*&)(), WebCore::FrameViewLayoutContext*&>(std::__invoke_memfun_deref, void (WebCore::FrameViewLayoutContext::*&)(), WebCore::FrameViewLayoutContext*&)
15  0x7f9468ade4ab std::__invoke_result<void (WebCore::FrameViewLayoutContext::*&)(), WebCore::FrameViewLayoutContext*&>::type std::__invoke<void (WebCore::FrameViewLayoutContext::*&)(), WebCore::FrameViewLayoutContext*&>(void (WebCore::FrameViewLayoutContext::*&)(), WebCore::FrameViewLayoutContext*&)
16  0x7f9468adcd0d void std::_Bind<void (WebCore::FrameViewLayoutContext::*(WebCore::FrameViewLayoutContext*))()>::__call<void, , 0ul>(std::tuple<>&&, std::_Index_tuple<0ul>)
17  0x7f9468adb944 void std::_Bind<void (WebCore::FrameViewLayoutContext::*(WebCore::FrameViewLayoutContext*))()>::operator()<, void>()
18  0x7f9468ada50c WTF::Detail::CallableWrapper<std::_Bind<void (WebCore::FrameViewLayoutContext::*(WebCore::FrameViewLayoutContext*))()>, void>::call()
19  0x7f946036ce95 WTF::Function<void ()>::operator()() const
20  0x7f946131201e WebCore::Timer::fired()
21  0x7f9468f100d4 WebCore::ThreadTimers::sharedTimerFiredInternal()
22  0x7f9468f0efdd /home/lxc/fuzz/webkit/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0x1d2fdfdd) [0x7f9468f0efdd]
23  0x7f9468f15800 /home/lxc/fuzz/webkit/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0x1d304800) [0x7f9468f15800]
24  0x7f946036ce95 WTF::Function<void ()>::operator()() const
25  0x7f9468e79457 WebCore::MainThreadSharedTimer::fired()
26  0x7f9468e93ef6 void std::__invoke_impl<void, void (WebCore::MainThreadSharedTimer::*&)(), WebCore::MainThreadSharedTimer*&>(std::__invoke_memfun_deref, void (WebCore::MainThreadSharedTimer::*&)(), WebCore::MainThreadSharedTimer*&)
27  0x7f9468e93d73 std::__invoke_result<void (WebCore::MainThreadSharedTimer::*&)(), WebCore::MainThreadSharedTimer*&>::type std::__invoke<void (WebCore::MainThreadSharedTimer::*&)(), WebCore::MainThreadSharedTimer*&>(void (WebCore::MainThreadSharedTimer::*&)(), WebCore::MainThreadSharedTimer*&)
28  0x7f9468e93c9f void std::_Bind<void (WebCore::MainThreadSharedTimer::*(WebCore::MainThreadSharedTimer*))()>::__call<void, , 0ul>(std::tuple<>&&, std::_Index_tuple<0ul>)
29  0x7f9468e93b72 void std::_Bind<void (WebCore::MainThreadSharedTimer::*(WebCore::MainThreadSharedTimer*))()>::operator()<, void>()
30  0x7f9468e93aa0 WTF::Detail::CallableWrapper<std::_Bind<void (WebCore::MainThreadSharedTimer::*(WebCore::MainThreadSharedTimer*))()>, void>::call()
31  0x7f946036ce95 WTF::Function<void ()>::operator()() const

** (MiniBrowser:917450): WARNING **: 17:21:37.584: WebProcess CRASHED
Attachments
  the html can make crash (2.99 MB, application/zip), 2022-01-25 04:14 PST, A, no flags
  Minimized testcase (414 bytes, text/html), 2022-10-25 08:17 PDT, Frédéric Wang (:fredw), no flags
Radar WebKit Bug Importer
Comment 1 2022-02-01 04:15:18 PST
Frédéric Wang (:fredw)
Comment 2 2022-10-25 08:17:17 PDT
Created attachment 463218 [details]
Minimized testcase

Attached is a minimized testcase obtained from the original one of bug 244580 (which apparently is generated by the same fuzzing framework). Reproduced at https://commits.webkit.org/255418@main with gtk debug build. Cannot reproduce with macOS.
Ahmad Saleem
Comment 3 2023-09-09 05:27:35 PDT
It is reproducible on macOS WebKit TOT (debug build - 267826@main) and also on 'ProPakistani.pk' website.