WebKit Bugzilla
NEW
235567
ASSERTION FAILED: m_repaintRectsValid => m_repaintRects.outlineBoundsRect == renderer().outlineBoundsForRepaint(renderer().containerForRepaint())
https://bugs.webkit.org/show_bug.cgi?id=235567
A
Reported 2022-01-25 04:14:24 PST
Created attachment 449909 [details]
The HTML can make it crash.
1. build a debug webkit
2. open the html
3. crash

ASSERTION FAILED: m_repaintRectsValid => m_repaintRects.outlineBoundsRect == renderer().outlineBoundsForRepaint(renderer().containerForRepaint())
../../Source/WebCore/rendering/RenderLayer.cpp(1172) : void WebCore::RenderLayer::updateLayerPositionsAfterScroll(WebCore::RenderGeometryMap*, WTF::OptionSet<WebCore::RenderLayer::UpdateLayerPositionsAfterScrollFlag>)
1 0x7f944677c964 WTFReportBacktrace
2 0x7f944677cc01 WTFCrash
3 0x7f9469cbbaaf WebCore::RenderLayer::updateLayerPositionsAfterScroll(WebCore::RenderGeometryMap*, WTF::OptionSet<WebCore::RenderLayer::UpdateLayerPositionsAfterScrollFlag>)
4 0x7f9469cbbaee WebCore::RenderLayer::updateLayerPositionsAfterScroll(WebCore::RenderGeometryMap*, WTF::OptionSet<WebCore::RenderLayer::UpdateLayerPositionsAfterScrollFlag>)
5 0x7f9469cbbaee WebCore::RenderLayer::updateLayerPositionsAfterScroll(WebCore::RenderGeometryMap*, WTF::OptionSet<WebCore::RenderLayer::UpdateLayerPositionsAfterScrollFlag>)
6 0x7f9469cbbaee WebCore::RenderLayer::updateLayerPositionsAfterScroll(WebCore::RenderGeometryMap*, WTF::OptionSet<WebCore::RenderLayer::UpdateLayerPositionsAfterScrollFlag>)
7 0x7f9469de679f WebCore::RenderLayerScrollableArea::updateLayerPositionsAfterDocumentScroll()
8 0x7f9468a5a9f2 WebCore::FrameView::updateLayerPositionsAfterScrolling()
9 0x7f9468ec06fc WebCore::ScrollView::completeUpdatesAfterScrollTo(WebCore::IntSize const&)
10 0x7f9468ebfcf6 WebCore::ScrollView::handleDeferredScrollUpdateAfterContentSizeChange()
11 0x7f9468a482b2 WebCore::FrameView::didLayout(WTF::WeakPtr<WebCore::RenderElement, WTF::EmptyCounter>)
12 0x7f9468a7ce21 WebCore::FrameViewLayoutContext::layout()
13 0x7f9468a7e458 WebCore::FrameViewLayoutContext::layoutTimerFired()
14 0x7f9468ade7d8 void std::__invoke_impl<void, void (WebCore::FrameViewLayoutContext::*&)(), WebCore::FrameViewLayoutContext*&>(std::__invoke_memfun_deref, void (WebCore::FrameViewLayoutContext::*&)(), WebCore::FrameViewLayoutContext*&)
15 0x7f9468ade4ab std::__invoke_result<void (WebCore::FrameViewLayoutContext::*&)(), WebCore::FrameViewLayoutContext*&>::type std::__invoke<void (WebCore::FrameViewLayoutContext::*&)(), WebCore::FrameViewLayoutContext*&>(void (WebCore::FrameViewLayoutContext::*&)(), WebCore::FrameViewLayoutContext*&)
16 0x7f9468adcd0d void std::_Bind<void (WebCore::FrameViewLayoutContext::*(WebCore::FrameViewLayoutContext*))()>::__call<void, , 0ul>(std::tuple<>&&, std::_Index_tuple<0ul>)
17 0x7f9468adb944 void std::_Bind<void (WebCore::FrameViewLayoutContext::*(WebCore::FrameViewLayoutContext*))()>::operator()<, void>()
18 0x7f9468ada50c WTF::Detail::CallableWrapper<std::_Bind<void (WebCore::FrameViewLayoutContext::*(WebCore::FrameViewLayoutContext*))()>, void>::call()
19 0x7f946036ce95 WTF::Function<void ()>::operator()() const
20 0x7f946131201e WebCore::Timer::fired()
21 0x7f9468f100d4 WebCore::ThreadTimers::sharedTimerFiredInternal()
22 0x7f9468f0efdd /home/lxc/fuzz/webkit/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0x1d2fdfdd) [0x7f9468f0efdd]
23 0x7f9468f15800 /home/lxc/fuzz/webkit/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0x1d304800) [0x7f9468f15800]
24 0x7f946036ce95 WTF::Function<void ()>::operator()() const
25 0x7f9468e79457 WebCore::MainThreadSharedTimer::fired()
26 0x7f9468e93ef6 void std::__invoke_impl<void, void (WebCore::MainThreadSharedTimer::*&)(), WebCore::MainThreadSharedTimer*&>(std::__invoke_memfun_deref, void (WebCore::MainThreadSharedTimer::*&)(), WebCore::MainThreadSharedTimer*&)
27 0x7f9468e93d73 std::__invoke_result<void (WebCore::MainThreadSharedTimer::*&)(), WebCore::MainThreadSharedTimer*&>::type std::__invoke<void (WebCore::MainThreadSharedTimer::*&)(), WebCore::MainThreadSharedTimer*&>(void (WebCore::MainThreadSharedTimer::*&)(), WebCore::MainThreadSharedTimer*&)
28 0x7f9468e93c9f void std::_Bind<void (WebCore::MainThreadSharedTimer::*(WebCore::MainThreadSharedTimer*))()>::__call<void, , 0ul>(std::tuple<>&&, std::_Index_tuple<0ul>)
29 0x7f9468e93b72 void std::_Bind<void (WebCore::MainThreadSharedTimer::*(WebCore::MainThreadSharedTimer*))()>::operator()<, void>()
30 0x7f9468e93aa0 WTF::Detail::CallableWrapper<std::_Bind<void (WebCore::MainThreadSharedTimer::*(WebCore::MainThreadSharedTimer*))()>, void>::call()
31 0x7f946036ce95 WTF::Function<void ()>::operator()() const
** (MiniBrowser:917450): WARNING **: 17:21:37.584: WebProcess CRASHED
Attachments
the html can make crash (2.99 MB, application/zip), 2022-01-25 04:14 PST, A, no flags
Minimized testcase (414 bytes, text/html), 2022-10-25 08:17 PDT, Frédéric Wang (:fredw), no flags
Radar WebKit Bug Importer
Comment 1
2022-02-01 04:15:18 PST
<rdar://problem/88321915>
Frédéric Wang (:fredw)
Comment 2
2022-10-25 08:17:17 PDT
Created attachment 463218 [details]
Minimized testcase
Attached is a minimized testcase obtained from the original one of bug 244580 (which apparently is generated by the same fuzzing framework). Reproduced at https://commits.webkit.org/255418@main with GTK debug build. Cannot reproduce with macOS.
Ahmad Saleem
Comment 3
2023-09-09 05:27:35 PDT
It is reproducible on macOS WebKit TOT (debug build - 267826@main) and also on the 'ProPakistani.pk' website.