Bug 261159

Summary: (REGRESSION 267456@main) Loading https://www.dsogaming.com crashes at Box::cachedGeometryForLayoutState
Product: WebKit Reporter: Ahmad Saleem <ahmad.saleem792>
Component: Layout and RenderingAssignee: alan <zalan>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, koivisto, ntim, simon.fraser, webkit-bug-importer, zalan
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Full Crash Logs
none
Test reduction
none
[fast-cq]Patch none

Ahmad Saleem
Reported 2023-09-05 08:23:34 PDT
Hi Team, Based on 1-1 with Tim over Slack, he is also able to reproduce the crash on 'release' and 'assert' on debug. ASSERT (from Tim): ASSERTION FAILED: layoutBox.isDescendantOf(stayWithin) /Volumes/Data/Code/Safari/OpenSource/Source/WebCore/layout/layouttree/LayoutContainingBlockChainIterator.h(88) : LayoutContainingBlockChainIteratorAdapter WebCore::Layout::containingBlockChain(const Box &, const ElementBox &) 1 0x13afe3068 WTFCrash 2 0x2a704c584 WTF::Vector<unsigned int, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::at(unsigned long) 3 0x2a89d99f8 WebCore::Layout::containingBlockChain(WebCore::Layout::Box const&, WebCore::Layout::ElementBox const&) 4 0x2a89d9710 WebCore::Layout::FloatingContext::mapTopLeftToFloatingStateRoot(WebCore::Layout::Box const&, WebCore::LayoutPoint) const 5 0x2a89d7b40 std::__1::optional<WebCore::Layout::FloatingContext::PositionWithClearance> WebCore::Layout::FloatingContext::verticalPositionWithClearance(WebCore::Layout::Box const&, WebCore::Layout::BoxGeometry const&) const::$_12::operator()<std::__1::optional<WebCore::LayoutUnit>>(std::__1::optional<WebCore::LayoutUnit>) const 6 0x2a89d784c WebCore::Layout::FloatingContext::verticalPositionWithClearance(WebCore::Layout::Box const&, WebCore::Layout::BoxGeometry const&) const 7 0x2a8a441e8 WebCore::Layout::InlineFormattingGeometry::logicalTopForNextLine(WebCore::Layout::LineLayoutResult const&, WebCore::Layout::InlineRect const&, WebCore::Layout::FloatingContext const&) const 8 0x2a8a43038 WebCore::Layout::InlineFormattingContext::lineLayout(WebCore::Layout::AbstractLineBuilder&, WTF::Vector<WebCore::Layout::InlineItem, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WebCore::Layout::InlineItemRange, std::__1::optional<WebCore::Layout::PreviousLine>, WebCore::Layout::ConstraintsForInlineContent const&, WebCore::Layout::InlineLayoutState&, WebCore::Layout::InlineDamage const*) 9 0x2a8a42200 WebCore::Layout::InlineFormattingContext::layout(WebCore::Layout::ConstraintsForInlineContent const&, WebCore::Layout::InlineLayoutState&, WebCore::Layout::InlineDamage const*) 10 0x2a8b16638 WebCore::LayoutIntegration::LineLayout::layout() 11 0x2a999e080 WebCore::RenderBlockFlow::layoutModernLines(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) 12 0x2a999b4d4 WebCore::RenderBlockFlow::layoutInlineChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) 13 0x2a9999880 WebCore::RenderBlockFlow::layoutInFlowChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) 14 0x2a99988dc WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) 15 0x2a99796bc WebCore::RenderBlock::layout() 16 0x2a999c7f0 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) 17 0x2a999b86c WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) 18 0x2a99998bc WebCore::RenderBlockFlow::layoutInFlowChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) 19 0x2a99988dc WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) 20 0x2a99796bc WebCore::RenderBlock::layout() 21 0x2a999c7f0 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) 22 0x2a999b86c WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) 23 0x2a99998bc WebCore::RenderBlockFlow::layoutInFlowChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) 24 0x2a99988dc WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) 25 0x2a99796bc WebCore::RenderBlock::layout() 26 0x2a999c7f0 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) 27 0x2a999b86c WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) 28 0x2a99998bc WebCore::RenderBlockFlow::layoutInFlowChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) 29 0x2a99988dc WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) 30 0x2a99796bc WebCore::RenderBlock::layout() 31 0x2a999c7f0 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) 2023-09-05 17:05:27.727 MiniBrowser[47492:39123897] WebContent process crashed; reloading and will attach my full crash log as well. Thanks!
Attachments
Full Crash Logs (48.34 KB, text/plain)
2023-09-05 08:24 PDT, Ahmad Saleem 		no flags
Details
Test reduction (18.64 KB, text/html)
2023-09-05 08:55 PDT, alan 		no flags
Details
[fast-cq]Patch (4.70 KB, patch)
2023-09-05 10:02 PDT, alan 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Ahmad Saleem
Comment 1 2023-09-05 08:24:24 PDT
Created attachment 467554 [details] Full Crash Logs
Radar WebKit Bug Importer
Comment 2 2023-09-05 08:25:10 PDT
<rdar://problem/114984295>
alan
Comment 3 2023-09-05 08:55:04 PDT
Created attachment 467555 [details] Test reduction
alan
Comment 4 2023-09-05 10:02:47 PDT
Created attachment 467557 [details] [fast-cq]Patch
EWS
Comment 5 2023-09-05 12:38:29 PDT
Committed 267644@main (af201f59b4cb): <https://commits.webkit.org/267644@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 467557 [details].
Note You need to log in before you can comment on or make changes to this bug.