Bug 255367

Summary: Crash in WebCore::Document::updateLayout
Product: WebKit Reporter: Michael Catanzaro <mcatanzaro>
Component: Layout and RenderingAssignee: Nobody <webkit-unassigned>
Status: NEW ---    
Severity: Normal CC: bfulgham, bugs-noreply, mcatanzaro, simon.fraser, webkit-bug-importer, zalan
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=225677
Attachments:
Description Flags
Full backtrace none

Description Michael Catanzaro 2023-04-12 14:45:54 PDT 
Here's a random crash I encountered using WebKitGTK 2.41.1 (262320@main). It looks just like bug #225677.

#0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0)
    at pthread_kill.c:44
#1  0x00007feef92911f3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78
#2  0x00007feef923f00e in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3  0x00007feef92287fc in __GI_abort () at abort.c:79
#4  0x00007feef9ceb4af in WTFCrashWithInfo(int, char const*, char const*, int) () at WTF/Headers/wtf/Assertions.h:758
#5  0x00007feefb3bd6d1 in WebCore::Document::updateLayout() (this=0x7feee1109c00)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/dom/Document.cpp:2311
#6  0x00007feefb3bea18 in WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks) (this=0x7feee1109c00, runPostLayoutTasks=WebCore::Document::RunPostLayoutTasks::Asynchronously)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/dom/Document.cpp:2341
#7  0x00007feefb568aa5 in WebCore::VisiblePosition::canonicalPosition(WebCore::Position const&)
    (passedPosition=<optimized out>)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/editing/VisiblePosition.cpp:553
#8  0x00007feefb5689c7 in WebCore::VisiblePosition::VisiblePosition(WebCore::Position const&, WebCore::Affinity)
    (this=0x2, position=..., affinity=(unknown: 0x6))
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/editing/VisiblePosition.cpp:59
#9  0x00007feefb518440 in WebCore::VisibleSelection::visibleStart() const (this=0x7feee939c0f8)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/editing/VisibleSelection.h:75
#10 WebCore::FrameSelection::recomputeCaretRect() (this=0x7feee939c0c0)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/editing/FrameSelection.cpp:1796
#11 0x00007feefb513116 in WebCore::FrameSelection::updateAppearance() (this=0x7feee939c0c0)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/editing/FrameSelection.cpp:2231
#12 0x00007feefb512ded in WebCore::FrameSelection::updateAndRevealSelection(WebCore::AXTextStateChangeIntent const&, WebCore::ScrollBehavior, WebCore::RevealExtentOption, WebCore::ForceCenterScrollOption)
    (this=0x2, intent=..., scrollBehavior=(WebCore::ScrollBehavior::Smooth | unknown: 0x4), revealExtent=(unknown: 0x84), forceCenterScroll=WebCore::DoNotForceCenterScroll)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/editing/FrameSelection.cpp:523
#13 0x00007feefba3c422 in WebCore::LocalFrameView::performPostLayoutTasks() (this=0x7fee66073610)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/page/LocalFrameView.cpp:3802
#14 0x00007feefba4662f in WebCore::LocalFrameViewLayoutContext::runAsynchronousTasks() (this=0x7fee66073740)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/page/LocalFrameViewLayoutContext.cpp:316
#15 WebCore::LocalFrameViewLayoutContext::runOrScheduleAsynchronousTasks() (this=0x7fee66073740)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/page/LocalFrameViewLayoutContext.cpp:302
#16 0x00007feefba46332 in WebCore::LocalFrameViewLayoutContext::performLayout() (this=0x7fee66073740)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/page/LocalFrameViewLayoutContext.cpp:278
#17 0x00007feefba2b30d in WebCore::LocalFrameViewLayoutContext::layout() (this=0x2)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/page/LocalFrameViewLayoutContext.cpp:172
#18 0x00007feefbf63aa7 in WebCore::RenderWidget::updateWidgetPosition() (this=<optimized out>)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderWidget.cpp:382
#19 0x00007feefba39b8f in WebCore::LocalFrameView::updateWidgetPositions() (this=<optimized out>)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/page/LocalFrameView.cpp:5988
#20 0x00007feefba392d6 in WebCore::LocalFrameView::updateLayerPositionsAfterScrolling() (this=0x2)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/page/LocalFrameView.cpp:2973
#21 0x00007feefbb38c89 in WebCore::ScrollView::completeUpdatesAfterScrollTo(WebCore::IntSize const&)
    (this=0x7fee6605c740, scrollDelta=...)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/platform/ScrollView.cpp:514
#22 WebCore::ScrollView::scrollTo(WebCore::IntPoint const&) (this=0x7fee6605c740, newPosition=<optimized out>)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/platform/ScrollView.cpp:509
#23 0x00007feefba3e291 in WebCore::LocalFrameView::scrollTo(WebCore::IntPoint const&)
    (this=0x7fee6605c740, newPosition=...)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/page/LocalFrameView.cpp:4251
--Type <RET> for more, q to quit, c to continue without paging--c
#24 0x00007feefbb387f4 in WebCore::ScrollView::setScrollOffset(WebCore::IntPoint const&) (this=0x7fee6605c740, offset=<optimized out>) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/platform/ScrollView.cpp:442
#25 0x00007feefbb3e18f in WebCore::ScrollableArea::scrollPositionChanged(WebCore::IntPoint const&) (this=0x7fee6605c780, position=...) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/platform/ScrollableArea.cpp:201
#26 0x00007feefbb3e05b in WebCore::ScrollableArea::notifyScrollPositionChanged(WebCore::IntPoint const&) (this=0x2, position=...) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/platform/ScrollableArea.cpp:193
#27 0x00007feefbadcc8b in WebCore::AsyncScrollingCoordinator::reconcileScrollingState(WebCore::LocalFrameView&, WebCore::FloatPoint const&, std::variant<std::optional<WebCore::FloatPoint>, std::optional<WebCore::FloatRect> > const&, WebCore::ScrollType, WebCore::ViewportRectStability, WebCore::ScrollingLayerPositionAction) (this=0x7feee910d780, frameView=..., scrollPosition=..., layoutViewportOriginOrOverrideRect=<optimized out>, scrollType=WebCore::ScrollType::Programmatic, viewportRectStability=WebCore::ViewportRectStability::Stable, scrollingLayerPositionAction=WebCore::ScrollingLayerPositionAction::Set) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/page/scrolling/AsyncScrollingCoordinator.cpp:631
#28 0x00007feefbadc9a2 in WebCore::AsyncScrollingCoordinator::updateScrollPositionAfterAsyncScroll(unsigned long, WebCore::FloatPoint const&, std::optional<WebCore::FloatPoint>, WebCore::ScrollingLayerPositionAction, WebCore::ScrollType) (this=0x7feee910d780, scrollingNodeID=5, scrollPosition=..., layoutViewportOrigin=<error reading variable: That operation is not available on integers of more than 8 bytes.>, scrollingLayerPositionAction=WebCore::ScrollingLayerPositionAction::Set, scrollType=WebCore::ScrollType::Programmatic) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/page/scrolling/AsyncScrollingCoordinator.cpp:591
#29 0x00007feefbadb9dc in WebCore::AsyncScrollingCoordinator::applyScrollUpdate(WebCore::ScrollUpdate&&, WebCore::ScrollType) (this=0x7feee910d780, update=..., scrollType=WebCore::ScrollType::Programmatic) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/page/scrolling/AsyncScrollingCoordinator.cpp:471
#30 WebCore::AsyncScrollingCoordinator::requestScrollPositionUpdate(WebCore::ScrollableArea&, WebCore::IntPoint const&, WebCore::ScrollType, WebCore::ScrollClamping) (this=0x7feee910d780, scrollableArea=<optimized out>, scrollPosition=..., scrollType=WebCore::ScrollType::Programmatic, clamping=WebCore::ScrollClamping::Clamped) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/page/scrolling/AsyncScrollingCoordinator.cpp:328
#31 0x00007feefba3a20e in WebCore::LocalFrameView::requestScrollPositionUpdate(WebCore::IntPoint const&, WebCore::ScrollType, WebCore::ScrollClamping) (this=<optimized out>, position=..., scrollType=WebCore::ScrollType::Programmatic, clamping=WebCore::ScrollClamping::Clamped) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/page/LocalFrameView.cpp:3088
#32 0x00007feefbb3915e in WebCore::ScrollView::setScrollPosition(WebCore::IntPoint const&, WebCore::ScrollPositionChangeOptions const&) (this=0x7fee6605c740, scrollPosition=..., options=...) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/platform/ScrollView.cpp:542
#33 0x00007feefba2b6a6 in WebCore::LocalFrameView::setScrollPosition(WebCore::IntPoint const&, WebCore::ScrollPositionChangeOptions const&) (this=0x7fee6605c740, scrollPosition=..., options=...) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/page/LocalFrameView.cpp:2459
#34 0x00007feefba38a63 in WebCore::LocalFrameView::scrollRectToVisibleInTopLevelView(WebCore::LayoutRect const&, bool, WebCore::ScrollRectToVisibleOptions const&) (this=0x7fee6605c740, absoluteRect=..., insideFixed=false, options=...) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/page/LocalFrameView.cpp:2756
#35 0x00007feefba37fbf in WebCore::LocalFrameView::scrollRectToVisible(WebCore::LayoutRect const&, WebCore::RenderObject const&, bool, WebCore::ScrollRectToVisibleOptions const&) (absoluteRect=..., renderer=..., insideFixed=false, options=...) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/page/LocalFrameView.cpp:2651
#36 0x00007feefba38441 in WebCore::LocalFrameView::scrollRectToVisibleInChildView(WebCore::LayoutRect const&, bool, WebCore::ScrollRectToVisibleOptions const&, WebCore::HTMLFrameOwnerElement const*) (this=0x7fee66073610, absoluteRect=..., insideFixed=false, options=..., ownerElement=0x7fee6606ade0) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/page/LocalFrameView.cpp:2704
#37 0x00007feefba37faa in WebCore::LocalFrameView::scrollRectToVisible(WebCore::LayoutRect const&, WebCore::RenderObject const&, bool, WebCore::ScrollRectToVisibleOptions const&) (absoluteRect=<optimized out>, renderer=..., insideFixed=false, options=...) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/page/LocalFrameView.cpp:2649
#38 0x00007feefb406c03 in WebCore::Element::scrollIntoView(std::optional<std::variant<bool, WebCore::ScrollIntoViewOptions> >&&) (this=0x7fee1232c930, arg=...) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/dom/Element.cpp:1108
#39 0x00007feefa7792be in WebCore::jsElementPrototypeFunction_scrollIntoViewBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSElement*)::{lambda()#1}::operator()() const (this=<optimized out>) at WebCore/DerivedSources/JSElement.cpp:4092
#40 WebCore::toJS<WebCore::IDLUndefined, WebCore::jsElementPrototypeFunction_scrollIntoViewBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSElement*)::{lambda()#1}>(JSC::JSGlobalObject&, JSC::ThrowScope&, WebCore::jsElementPrototypeFunction_scrollIntoViewBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSElement*)::{lambda()#1}&&) (lexicalGlobalObject=<optimized out>, throwScope=<optimized out>, valueOrFunctor=<optimized out>) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/bindings/js/JSDOMConvertBase.h:165
#41 WebCore::jsElementPrototypeFunction_scrollIntoViewBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSElement*) (lexicalGlobalObject=<optimized out>, callFrame=<optimized out>, castedThis=<optimized out>) at WebCore/DerivedSources/JSElement.cpp:4092
#42 WebCore::IDLOperation<WebCore::JSElement>::call<&WebCore::jsElementPrototypeFunction_scrollIntoViewBody, (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) (lexicalGlobalObject=<optimized out>, callFrame=<optimized out>, operationName=<optimized out>) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/bindings/js/JSDOMOperation.h:63
#43 WebCore::jsElementPrototypeFunction_scrollIntoView(JSC::JSGlobalObject*, JSC::CallFrame*) (lexicalGlobalObject=<optimized out>, callFrame=<optimized out>) at WebCore/DerivedSources/JSElement.cpp:4097
#44 0x00007fee940081b8 in  ()
#45 0x00007ffceb6df420 in  ()
#46 0x00007feef79a5b55 in op_call_slow_return_location () at /usr/lib/x86_64-linux-gnu/libjavascriptcoregtk-6.0.so.1
#47 0x0000000000000000 in  ()

I'll attach a full backtrace.
Comment 1 Michael Catanzaro 2023-04-12 14:55:33 PDT 
Created attachment 465872 [details]
Full backtrace
Comment 2 Alexey Proskuryakov 2023-04-12 17:11:11 PDT 
What is on this line in WebKitGTK 2.41.1? ToT doesn't have any assertion on line 2311.
Comment 3 Simon Fraser (smfr) 2023-04-12 17:35:51 PDT 
This is a ScriptDisallowedScope thing. We have similar bugs filed already.
Comment 4 Michael Catanzaro 2023-04-12 18:12:49 PDT 
RELEASE_ASSERT_WITH_SECURITY_IMPLICATION(isSafeToUpdateStyleOrLayout());

https://github.com/WebKit/WebKit/blob/8ea2748d6938792825176781e3d033f8c924e645/Source/WebCore/dom/Document.cpp#L2311
Comment 5 Radar WebKit Bug Importer 2023-04-19 14:46:21 PDT 
<rdar://problem/108282262>