Bug 208850 - beta.music.apple.com hits RenderTreeNeedsLayoutChecker "post-layout: dirty renderer(s)" assert
Summary: beta.music.apple.com hits RenderTreeNeedsLayoutChecker "post-layout: dirty re...
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-03-10 02:03 PDT by Antti Koivisto
Modified: 2020-06-04 11:03 PDT (History)
4 users (show)

See Also:

Attachments
render tree dump (1.17 MB, text/plain)
2020-03-10 02:06 PDT, Antti Koivisto 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Antti Koivisto 2020-03-10 02:03:54 PDT 
https://beta.music.apple.com/us/playlist/top-100-global/pl.d25f5d1181894928af76c85c967f8f31

2020-03-10 10:55:35.171 MiniBrowser[48648:10450454] WebContent process crashed; reloading
ERROR: post-layout: dirty renderer(s)
page/FrameViewLayoutContext.cpp(129) : auto WebCore::RenderTreeNeedsLayoutChecker::~RenderTreeNeedsLayoutChecker()::(anonymous class)::operator()(const WebCore::RenderObject &) const

<snipped too large dump>

SHOULD NEVER BE REACHED
page/FrameViewLayoutContext.cpp(131) : auto WebCore::RenderTreeNeedsLayoutChecker::~RenderTreeNeedsLayoutChecker()::(anonymous class)::operator()(const WebCore::RenderObject &) const
1   0x2fbe4ba19 WTFCrash
2   0x2e0f8ab8b WTFCrashWithInfo(int, char const*, char const*, int)
3   0x2e439bb4d WebCore::RenderTreeNeedsLayoutChecker::~RenderTreeNeedsLayoutChecker()::'lambda'(WebCore::RenderObject const&)::operator()(WebCore::RenderObject const&) const
4   0x2e439baa2 WebCore::RenderTreeNeedsLayoutChecker::~RenderTreeNeedsLayoutChecker()
5   0x2e4392785 WebCore::RenderTreeNeedsLayoutChecker::~RenderTreeNeedsLayoutChecker()
6   0x2e4391da5 WebCore::FrameViewLayoutContext::layout()
7   0x2e432ef25 WebCore::FrameView::updateLayoutAndStyleIfNeededRecursive()
8   0x2e43b73ce WebCore::Page::layoutIfNeeded()
9   0x2e43b747a WebCore::Page::updateRendering()
10  0x10b7e26f6 WebKit::WebPage::updateRendering()
11  0x10b228d44 WebKit::TiledCoreAnimationDrawingArea::updateRendering(WebKit::TiledCoreAnimationDrawingArea::UpdateRenderingType)
12  0x10b22d2ad WebKit::TiledCoreAnimationDrawingArea::updateRenderingRunLoopCallback()
13  0x10b23cfb8 WebKit::TiledCoreAnimationDrawingArea::TiledCoreAnimationDrawingArea(WebKit::WebPage&, WebKit::WebPageCreationParameters const&)::$_0::operator()() const
14  0x10b23cf6e WTF::Detail::CallableWrapper<WebKit::TiledCoreAnimationDrawingArea::TiledCoreAnimationDrawingArea(WebKit::WebPage&, WebKit::WebPageCreationParameters const&)::$_0, void>::call()
15  0x2e0f9d3b2 WTF::Function<void ()>::operator()() const
16  0x2e4620cc0 WebCore::RunLoopObserver::runLoopObserverFired()
17  0x2e4620c20 WebCore::RunLoopObserver::runLoopObserverFired(__CFRunLoopObserver*, unsigned long, void*)
18  0x7fff2e86e6a5 __CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__
19  0x7fff2e86e5d7 __CFRunLoopDoObservers
20  0x7fff2e86d1e9 CFRunLoopRunSpecific
21  0x7fff30f012a8 -[NSRunLoop(NSRunLoop) runMode:beforeDate:]
22  0x7fff30fb3d2f -[NSRunLoop(NSRunLoop) run]
23  0x7fff6889151a _xpc_objc_main.cold.4
24  0x7fff68891460 _xpc_objc_main
25  0x7fff68890f93 _xpc_copy_xpcservice_dictionary
26  0x10a7f9af9 WebKit::XPCServiceMain(int, char const**)
27  0x10bb66a7b WKXPCServiceMain
28  0x109f59eb2 main
29  0x7fff68643cc9 start
30  0x1
2020-03-10 10:55:59.869 MiniBrowser[48648:10450454] WebContent process crashed; reloading
Comment 1 Antti Koivisto 2020-03-10 02:06:33 PDT 
Created attachment 393127 [details]
render tree dump
Comment 2 Alexey Proskuryakov 2020-03-11 09:36:02 PDT 
Adding "RenderTreeNeedsLayoutChecker" to the title for ease of finding.
Comment 3 Tyler Wilcock 2020-04-20 15:06:14 PDT 
Hello!

Starting from a snapshot of https://beta.music.apple.com/us/playlist/top-100-global/pl.d25f5d1181894928af76c85c967f8f31, I used Lithium[1] to get this minimal reproduction of a crash.

<html>
<head>
  <style>
    .visuallyhidden {
      position: absolute;
      width: 1px;
    }
    .product-page {
      display: flex;
    }
    .product-lockup__artwork {
      position: relative;
    }
    .shelf-grid__list {
      display: grid;
      overflow-x: auto;
      min-height: 140px;
    }
  </style>
</head>
<body>
  <div class="product-page">
    <div class="product-lockup__artwork">
      <span class="visuallyhidden">
        <ul class="shelf-grid__list">
          <button type="button"></button>
        </ul>
      </span>
    </div>
  </div>
</body>
</html>

ERROR: post-layout: dirty renderer(s)
../../Source/WebCore/page/FrameViewLayoutContext.cpp(129) : WebCore::RenderTreeNeedsLayoutChecker::~RenderTreeNeedsLayoutChecker()::<lambda(const WebCore::RenderObject&)>

(B)lock/(I)nline/I(N)line-block, (A)bsolute/Fi(X)ed/(R)elative/Stic(K)y, (F)loating, (O)verflow clip, Anon(Y)mous, (G)enerated, has(L)ayer, (C)omposited, (+)Dirty style, (+)Dirty layout
B---YGL- --  RenderView at (0,0) size 800x558 renderer->(0x7fe3e40591c0)
B-----L- --    HTML RenderBlock at (0,0) size 800x558 renderer->(0x7fe3e4059620) node->(0x7fe3e4059470)
B------- --      BODY RenderBody at (8,8) size 784x542 renderer->(0x7fe3e4059740) node->(0x7fe3e4059590)
B------- --        DIV RenderFlexibleBox at (0,0) size 784x0 renderer->(0x7fe3e405aeb0) node->(0x7fe3e405aa80)
BR----L- -+*         DIV RenderBlock at (0,0) size 0x0 renderer->(0x7fe3e405b060) node->(0x7fe3e405ab70) layout->[positioned child]
BA----L- -+            SPAN RenderBlock at (0,0) size 1x172 renderer->(0x7fe3e405b180) node->(0x7fe3e405ac60) layout->[normal child]
B--O--L- --              UL RenderGrid at (0,16) size 40x140 renderer->(0x7fe3e405b2a0) node->(0x7fe3e405ad50)
B------- --                BUTTON RenderButton at (42,2) size 16x136 renderer->(0x7fe3e405b5d0) node->(0x7fe3e405ade0)

SHOULD NEVER BE REACHED
../../Source/WebCore/page/FrameViewLayoutContext.cpp(131) : WebCore::RenderTreeNeedsLayoutChecker::~RenderTreeNeedsLayoutChecker()::<lambda(const WebCore::RenderObject&)>
1   0x7fe3ef115d79 WTFCrash
2   0x7fe3fc1cf8f7 WTF::CrashOnOverflow::overflowed()
3   0x7fe3ff437273 /app/webkit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0xe9f3273) [0x7fe3ff437273]
4   0x7fe3ff4372fd WebCore::RenderTreeNeedsLayoutChecker::~RenderTreeNeedsLayoutChecker()
5   0x7fe3ff42d45b WebCore::FrameViewLayoutContext::layout()
6   0x7fe3fe9b488b WebCore::Document::implicitClose()
7   0x7fe3ff23f85d WebCore::FrameLoader::checkCallImplicitClose()
8   0x7fe3ff23f59d WebCore::FrameLoader::checkCompleted()
9   0x7fe3ff23f232 WebCore::FrameLoader::finishedParsing()
10  0x7fe3fe9c1bf0 WebCore::Document::finishedParsing()
11  0x7fe3fef703a3 WebCore::HTMLConstructionSite::finishedParsing()
12  0x7fe3fefac832 WebCore::HTMLTreeBuilder::finished()
13  0x7fe3fef7482a WebCore::HTMLDocumentParser::end()
14  0x7fe3fef74902 WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd()
15  0x7fe3fef7337c WebCore::HTMLDocumentParser::prepareToStopParsing()
16  0x7fe3fef7493d WebCore::HTMLDocumentParser::attemptToEnd()
17  0x7fe3fef749ed WebCore::HTMLDocumentParser::finish()
18  0x7fe3ff22fe4e WebCore::DocumentWriter::end()
19  0x7fe3ff1faf67 WebCore::DocumentLoader::finishedLoading()
20  0x7fe3ff1fa9cb WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource&)
21  0x7fe3ff312003 WebCore::CachedResource::checkNotify()
22  0x7fe3ff31210a WebCore::CachedResource::finishLoading(WebCore::SharedBuffer*)
23  0x7fe3ff30dbf8 WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*)
24  0x7fe3ff2bc59b WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&)
25  0x7fe3fd13f153 WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&)
26  0x7fe3fc5f2ce2 void IPC::callMemberFunctionImpl<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&), std::tuple<WebCore::NetworkLoadMetrics>, 0ul>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&), std::tuple<WebCore::NetworkLoadMetrics>&&, std::integer_sequence<unsigned long, 0ul>)
27  0x7fe3fc5f23cc void IPC::callMemberFunction<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&), std::tuple<WebCore::NetworkLoadMetrics>, std::integer_sequence<unsigned long, 0ul> >(std::tuple<WebCore::NetworkLoadMetrics>&&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&))
28  0x7fe3fc5f194a void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&))
29  0x7fe3fc5f0c1e WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&)
30  0x7fe3fd0fd019 WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&)
31  0x7fe3fc969da7 IPC::Connection::dispatchMessage(IPC::Decoder&)

[1]: https://github.com/MozillaSecurity/lithium/
Comment 4 Simon Fraser (smfr) 2020-06-04 11:03:47 PDT 
Thanks for the reduction!