Bug 69275

Summary: Crash in IsolateTracker::addFakeRunIfNecessary(), preceded by assertion failure (m_nestedIsolateCount >= 1) in IsolateTracker::exitIsolate()
Product: WebKit
Reporter: mitz
Component: Layout and Rendering
Assignee: Ryosuke Niwa <rniwa>
Status: RESOLVED FIXED
Severity: Normal
CC: eric, leviw, rniwa, xji
Priority: P1
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
URL: data:text/html,%3Cspan%20style=%22unicode-bidi:%20-webkit-isolate;%22%3E%3Cspan%20style=%22unicode-bidi:%20-webkit-isolate;%22%3Ea%3C/span%3E%3C/span%3E%3Cbr%3E
Bug Depends on:
Bug Blocks: 69267

mitz
Reported 2011-10-03 11:54:24 PDT
To reproduce, navigate to the URL.

Results:
ASSERTION FAILED: m_nestedIsolateCount >= 1
Source/WebCore/rendering/InlineIterator.h(430) : void WebCore::IsolateTracker::exitIsolate()
1 WebCore::IsolateTracker::exitIsolate()
2 _ZN7WebCoreL28notifyObserverWillExitObjectINS_14IsolateTrackerEEEvPT_PNS_12RenderObjectE
3 _ZN7WebCoreL14bidiNextSharedINS_14IsolateTrackerEEEPNS_12RenderObjectES3_S3_PT_NS_19EmptyInlineBehaviorEPb
4 _ZN7WebCoreL28bidiNextSkippingEmptyInlinesINS_14IsolateTrackerEEEPNS_12RenderObjectES3_S3_PT_
5 WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>::appendRun()
6 WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>::createBidiRunsForLine(WebCore::InlineIterator const&, WebCore::VisualDirectionOverride, bool)
7 _ZN7WebCoreL17constructBidiRunsERNS_12BidiResolverINS_14InlineIteratorENS_7BidiRunEEERNS_11BidiRunListIS2_EERKS1_NS_23VisualDirectionOverrideEb
8 WebCore::RenderBlock::layoutRunsAndFloatsInRange(WebCore::LineLayoutState&, WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>&, WebCore::InlineIterator const&, WebCore::BidiStatus const&, unsigned int)
9 WebCore::RenderBlock::layoutRunsAndFloats(WebCore::LineLayoutState&, bool)
10 WebCore::RenderBlock::layoutInlineChildren(bool, int&, int&)
11 WebCore::RenderBlock::layoutBlock(bool, int, WebCore::RenderBlock::BlockLayoutPass)
12 WebCore::RenderBlock::layout()
13 WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, int&, int&)
14 WebCore::RenderBlock::layoutBlockChildren(bool, int&)
15 WebCore::RenderBlock::layoutBlock(bool, int, WebCore::RenderBlock::BlockLayoutPass)
16 WebCore::RenderBlock::layout()
17 WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, int&, int&)
18 WebCore::RenderBlock::layoutBlockChildren(bool, int&)
19 WebCore::RenderBlock::layoutBlock(bool, int, WebCore::RenderBlock::BlockLayoutPass)
20 WebCore::RenderBlock::layout()
21 WebCore::RenderView::layout()
22 WebCore::FrameView::layout(bool)
23 WebCore::Document::implicitClose()
24 WebCore::FrameLoader::checkCallImplicitClose()
25 WebCore::FrameLoader::checkCompleted()
26 WebCore::FrameLoader::finishedParsing()
27 WebCore::Document::finishedParsing()
28 WebCore::HTMLTreeBuilder::finished()
29 WebCore::HTMLDocumentParser::end()
30 WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd()
31 WebCore::HTMLDocumentParser::prepareToStopParsing()
Attachments
fixes the bug (4.77 KB, patch)
2011-11-28 16:07 PST, Ryosuke Niwa
eric: review+
mitz
Comment 1 2011-10-03 12:03:16 PDT
It’s not clear to me why IsolateTracker initializes m_nestedIsolateCount to 1 regardless of the number of enclosing isolating inlines.
mitz
Comment 2 2011-10-03 12:07:29 PDT
In release builds, this ends up crashing in IsolateTracker::addFakeRunIfNecessary():

Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000010
0 com.apple.WebCore 0x0000000107adc69d WebCore::IsolateTracker::addFakeRunIfNecessary(WebCore::RenderObject*, WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>&) + 113
1 com.apple.WebCore 0x00000001071a7536 WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>::appendRun() + 724
2 com.apple.WebCore 0x00000001071a701e WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>::createBidiRunsForLine(WebCore::InlineIterator const&, WebCore::VisualDirectionOverride, bool) + 3626
3 com.apple.WebCore 0x0000000107adae75 WebCore::RenderBlock::layoutRunsAndFloatsInRange(WebCore::LineLayoutState&, WebCore::BidiResolver<WebCore::InlineIterator, WebCore::BidiRun>&, WebCore::InlineIterator const&, WebCore::BidiStatus const&, unsigned int) + 1271
4 com.apple.WebCore 0x0000000107adbdde WebCore::RenderBlock::layoutRunsAndFloats(WebCore::LineLayoutState&, bool) + 1238
5 com.apple.WebCore 0x00000001071a1391 WebCore::RenderBlock::layoutInlineChildren(bool, int&, int&) + 425
6 com.apple.WebCore 0x0000000107ad25d7 WebCore::RenderBlock::layoutBlock(bool, int, WebCore::RenderBlock::BlockLayoutPass) + 1655
7 com.apple.WebCore 0x000000010719cab8 WebCore::RenderBlock::layout() + 42
8 com.apple.WebCore 0x000000010719f5f2 WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, int&, int&) + 838
9 com.apple.WebCore 0x000000010719e60a WebCore::RenderBlock::layoutBlockChildren(bool, int&) + 668
10 com.apple.WebCore 0x0000000107ad25f5 WebCore::RenderBlock::layoutBlock(bool, int, WebCore::RenderBlock::BlockLayoutPass) + 1685
11 com.apple.WebCore 0x000000010719cab8 WebCore::RenderBlock::layout() + 42
12 com.apple.WebCore 0x000000010719f5f2 WebCore::RenderBlock::layoutBlockChild(WebCore::RenderBox*, WebCore::RenderBlock::MarginInfo&, int&, int&) + 838
13 com.apple.WebCore 0x000000010719e60a WebCore::RenderBlock::layoutBlockChildren(bool, int&) + 668
14 com.apple.WebCore 0x0000000107ad25f5 WebCore::RenderBlock::layoutBlock(bool, int, WebCore::RenderBlock::BlockLayoutPass) + 1685
15 com.apple.WebCore 0x000000010719cab8 WebCore::RenderBlock::layout() + 42
16 com.apple.WebCore 0x000000010719ca1f WebCore::RenderView::layout() + 579
mitz
Comment 3 2011-10-03 12:09:03 PDT
Eric Seidel (no email)
Comment 4 2011-10-03 13:17:32 PDT
Thank you.
Eric Seidel (no email)
Comment 5 2011-10-04 04:10:43 PDT
(In reply to comment #1)
> It’s not clear to me why IsolateTracker initializes m_nestedIsolateCount to 1 regardless of the number of enclosing isolating inlines.

It's probably wrong. We simply don't have enough isolate test cases yet.
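A small model of the counter bookkeeping discussed in comments 1 and 5, added here for illustration. This is not WebKit source and not the patch attached to this bug: the names IsolateTracker, m_nestedIsolateCount and exitIsolate() are taken from the report, while InlineBox, numberOfIsolateAncestors() and leavingLineUnderflows() are hypothetical stand-ins for the real render tree and line iterator. It shows why seeding the count with a constant 1 breaks as soon as two isolating inlines enclose the start of the line, and why seeding it with the actual number of isolate ancestors does not.

```cpp
// Added model of the isolate bookkeeping this bug is about; not WebKit source.
// IsolateTracker / m_nestedIsolateCount / exitIsolate() echo the report; the
// InlineBox chain and the two free functions are hypothetical simplifications.

// One inline box in the ancestor chain above the line start, innermost first.
struct InlineBox {
    bool isolate;            // does this box have unicode-bidi: isolate?
    const InlineBox* parent; // nullptr at the block that owns the line
};

struct IsolateTracker {
    unsigned m_nestedIsolateCount;
    bool m_underflowed = false; // stands in for the release-build crash path

    explicit IsolateTracker(unsigned nestedIsolateCount)
        : m_nestedIsolateCount(nestedIsolateCount) {}

    void enterIsolate() { ++m_nestedIsolateCount; }

    void exitIsolate() {
        // Debug builds fire ASSERT(m_nestedIsolateCount >= 1) here. Release builds
        // carry on with a wrong count, which is how the report ends up in
        // addFakeRunIfNecessary() with bad state.
        if (m_nestedIsolateCount == 0) {
            m_underflowed = true;
            return;
        }
        --m_nestedIsolateCount;
    }
};

// The seed the tracker needs: every isolating inline enclosing the line start.
unsigned numberOfIsolateAncestors(const InlineBox* start) {
    unsigned count = 0;
    for (const InlineBox* box = start; box; box = box->parent)
        if (box->isolate)
            ++count;
    return count;
}

// Walk off the end of the line: the iterator leaves each enclosing inline in
// turn, so the tracker sees one exitIsolate() per isolating ancestor.
// Returns true when the seed disagreed with the real nesting depth, either
// because the counter underflowed or because it never got back to 0.
bool leavingLineUnderflows(unsigned seed, const InlineBox* start) {
    IsolateTracker tracker(seed);
    for (const InlineBox* box = start; box; box = box->parent)
        if (box->isolate)
            tracker.exitIsolate();
    return tracker.m_underflowed || tracker.m_nestedIsolateCount != 0;
}
```

With the two nested isolating spans from the reproduction URL, a seed of 1 survives the first exitIsolate() and trips on the second, while a seed taken from numberOfIsolateAncestors() ends exactly at 0; a single isolating span is the one case where the constant 1 happens to be right, which is consistent with the assumption having gone unnoticed until nested test cases appeared.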
Ryosuke Niwa
Comment 6 2011-11-28 11:44:30 PST
Hm... I can't reproduce this crash on ToT.
Ryosuke Niwa
Comment 7 2011-11-28 16:02:07 PST
(In reply to comment #6)
> Hm... I can't reproduce this crash on ToT.

Apparently, I was doing it wrong. A patch coming in a minute.
Ryosuke Niwa
Comment 8 2011-11-28 16:07:47 PST
Created attachment 116847 [details] fixes the bug
Ryosuke Niwa
Comment 9 2011-11-28 16:08:30 PST
Comment on attachment 116847 [details]
fixes the bug

View in context: https://bugs.webkit.org/attachment.cgi?id=116847&action=review

> Source/WebCore/ChangeLog:9
> + The crash was caused by our false assumption that at most one isolated container exits between the start

s/exits/exists/
Levi Weintraub
Comment 10 2011-11-28 16:12:18 PST
Comment on attachment 116847 [details]
fixes the bug

Looks right to me :)
Eric Seidel (no email)
Comment 11 2011-11-28 18:47:25 PST
Comment on attachment 116847 [details]
fixes the bug

Seems fine to me. I'm not sure I remember why I had that assumption. Clearly I designed the system to accommodate more than one. More test coverage will tell us if this is the right code design or not. :)
Ryosuke Niwa
Comment 12 2011-11-29 12:37:30 PST