Bug 207296 - Nullptr crash in RenderStyle::isFlippedBlocksWritingMode when fragment flow gains a new in-flow descendant
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering
Version: WebKit Nightly Build
Hardware: All (OS: All)
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Duplicates: 208317
Depends on:
Blocks:
 
Reported: 2020-02-05 14:30 PST by Jack
Modified: 2020-03-07 19:57 PST

See Also:


Attachments
Patch (4.58 KB, patch)
2020-02-05 15:57 PST, Jack
no flags
Patch (5.39 KB, patch)
2020-02-18 12:29 PST, Jack
koivisto: review+
aakash_jain: commit-queue-

Description Jack 2020-02-05 14:30:06 PST
<rdar://56967115>

    #0 0x4b1c42ab1 in WebCore::RenderStyle::writingMode() const (Safari_ASAN_252152_93985f3693290f9e1b9273fb7bc493e9eb44c361.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x1c40ab1)
    #1 0x4b405e128 in WebCore::RenderStyle::isFlippedBlocksWritingMode() const (Safari_ASAN_252152_93985f3693290f9e1b9273fb7bc493e9eb44c361.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x405c128)
    #2 0x4b495d0fa in WebCore::RenderBox::flipForWritingMode(WebCore::LayoutPoint const&) const (Safari_ASAN_252152_93985f3693290f9e1b9273fb7bc493e9eb44c361.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x495b0fa)
    #3 0x4b4bd811f in WebCore::RenderMultiColumnFlow::physicalTranslationFromFragmentToFlow(WebCore::RenderMultiColumnSet const*, WebCore::LayoutPoint const&) const (Safari_ASAN_252152_93985f3693290f9e1b9273fb7bc493e9eb44c361.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x4bd611f)
    #4 0x4b4bd7df6 in WebCore::RenderMultiColumnFlow::mapAbsoluteToLocalPoint(unsigned int, WebCore::TransformState&) const (Safari_ASAN_252152_93985f3693290f9e1b9273fb7bc493e9eb44c361.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x4bd5df6)
    #5 0x4b49c5521 in WebCore::RenderBoxModelObject::mapAbsoluteToLocalPoint(unsigned int, WebCore::TransformState&) const (Safari_ASAN_252152_93985f3693290f9e1b9273fb7bc493e9eb44c361.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x49c3521)
    #6 0x4b49c5521 in WebCore::RenderBoxModelObject::mapAbsoluteToLocalPoint(unsigned int, WebCore::TransformState&) const (Safari_ASAN_252152_93985f3693290f9e1b9273fb7bc493e9eb44c361.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x49c3521)
    #7 0x4b49c5521 in WebCore::RenderBoxModelObject::mapAbsoluteToLocalPoint(unsigned int, WebCore::TransformState&) const (Safari_ASAN_252152_93985f3693290f9e1b9273fb7bc493e9eb44c361.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x49c3521)
    #8 0x4b4bfda9a in WebCore::RenderObject::absoluteToLocal(WebCore::FloatPoint const&, unsigned int) const (Safari_ASAN_252152_93985f3693290f9e1b9273fb7bc493e9eb44c361.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x4bfba9a)
    #9 0x4b40670ea in WebCore::FrameView::convertFromContainingViewToRenderer(WebCore::RenderElement const*, WebCore::IntRect const&) const (Safari_ASAN_252152_93985f3693290f9e1b9273fb7bc493e9eb44c361.app/Contents/Frameworks/WebCore.framework/Versions/A/WebCore:x86_64+0x40650ea)
    #10 0x4b4067ee8 in WebCore::FrameView::convertFromContainingView(WebCore::IntRect const&) const (Safari_ASAN_252152_93985f3693290f9e1b9273fb7bc493e9eb44c361.app/Contents/
Comment 1 Jack 2020-02-05 14:33:38 PST
Root cause analysis from Alan:

Without the [outer.style.transition = "1s"] this is what we end up with:

before [range.extractContents] call
B-----L- --        DIV RenderBlock at (0,0) size 1222x0 renderer->(0x1360f9420) node->(0x12f59afc0)
B---YGL-           RenderMultiColumnFlowThread at (0,0) size 603x0 renderer->(0x1360f97b0) [Rs:0x0 Re:0x0]
BA----L- --            DIV RenderBlock at (8,8) size 304x154 renderer->(0x1360f9550) node->(0x12f59b050)
N------- --                 IFRAME RenderIFrame at (0,0) size 304x154 renderer->(0x1360f9680) node->(0x12f59b0e0)

after [range.extractContents] call
B------- -+        DIV RenderBlock at (0,0) size 1222x0 renderer->(0x1360f9420) node->(0x12f59afc0) layout->[self][normal child]
B------- -+          DIV RenderBlock at (8,8) size 304x154 renderer->(0x1360f9550) node->(0x12f59b050) layout->[self][normal child]
N------- -+            IFRAME RenderIFrame at (0,0) size 304x154 renderer->(0x1360f9680) node->(0x12f59b0e0) layout->[self]
^^Note the missing RenderMultiColumnFlowThread, and that the inner <div> is no longer absolutely positioned.

and when the [outer.style.transition = "1s"] is added back, the after state is this ->
B-----L- -+        DIV RenderBlock at (0,0) size 1222x0 renderer->(0x1360f9420) node->(0x1360fbd60) layout->[self][normal child]
B---YGL-           RenderMultiColumnFlowThread at (0,0) size 603x0 renderer->(0x1360f97b0) [Rs:0x0 Re:0x0] layout->[self][normal child]
B------- -+            DIV RenderBlock at (8,8) size 304x154 renderer->(0x1360f9550) node->(0x1360fbdf0) [Rs:0x0 Re:0x0] layout->[self][normal child]
N------- -+              IFRAME RenderIFrame at (0,0) size 304x154 renderer->(0x1360f9680) node->(0x1360fa2a0) layout->[self]
^^the inner <div> is no longer absolutely positioned, but we still have a fragmented flow.

It looks like when the inner <div> goes from out-of-flow to in-flow, we don’t check if the enclosing fragmented flow needs a new set.
Comment 2 Jack 2020-02-05 15:57:54 PST
Created attachment 389894 [details]
Patch
Comment 3 Jack 2020-02-06 10:55:30 PST
EWS test "Mac-debug-wk1" fails because of <rdar://46103517>. Pending investigation.
Comment 4 Ryosuke Niwa 2020-02-06 13:11:00 PST
Comment on attachment 389894 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=389894&action=review

> Source/WebCore/ChangeLog:10
> +        Reviewed by NOBODY (OOPS!).

This line should appear below URL but before the description (surrounded by blank lines as you did here).
Comment 5 Jack 2020-02-18 12:29:11 PST
Created attachment 391076 [details]
Patch
Comment 6 Jack 2020-02-18 13:13:42 PST
Submitting the change with the expected crash in the layout test due to bug 202805.
Comment 7 Ryosuke Niwa 2020-02-19 18:59:39 PST
<rdar://problem/49687828>
Comment 8 Aakash Jain 2020-02-20 07:42:18 PST
Comment on attachment 391076 [details]
Patch

commit-queue still doesn't support security bugs. Please land manually. See: https://bugs.webkit.org/show_bug.cgi?id=201939
Comment 9 Ryosuke Niwa 2020-02-21 00:22:26 PST
This is not a security bug.
Comment 10 Ryosuke Niwa 2020-02-21 00:26:19 PST
Committed r257129: <https://trac.webkit.org/changeset/257129>
Comment 11 Ryosuke Niwa 2020-03-07 19:57:37 PST
*** Bug 208317 has been marked as a duplicate of this bug. ***