Bug 261159

Summary: (REGRESSION 267456@main) Loading https://www.dsogaming.com crashes at Box::cachedGeometryForLayoutState
Product: WebKit
Reporter: Ahmad Saleem <ahmad.saleem792>
Component: Layout and Rendering
Assignee: zalan <zalan>
Status: RESOLVED FIXED
Severity: Normal
CC: bfulgham, koivisto, ntim, simon.fraser, webkit-bug-importer, zalan
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments (Description: Flags):
Full Crash Logs: none
Test reduction: none
[fast-cq]Patch: none

Description Ahmad Saleem 2023-09-05 08:23:34 PDT
Hi Team,

Based on a 1-1 with Tim over Slack, he is also able to reproduce the crash on 'release' and the 'assert' on debug.

ASSERT (from Tim):

ASSERTION FAILED: layoutBox.isDescendantOf(stayWithin)
/Volumes/Data/Code/Safari/OpenSource/Source/WebCore/layout/layouttree/LayoutContainingBlockChainIterator.h(88) : LayoutContainingBlockChainIteratorAdapter WebCore::Layout::containingBlockChain(const Box &, const ElementBox &)
1   0x13afe3068 WTFCrash
2   0x2a704c584 WTF::Vector<unsigned int, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::at(unsigned long)
3   0x2a89d99f8 WebCore::Layout::containingBlockChain(WebCore::Layout::Box const&, WebCore::Layout::ElementBox const&)
4   0x2a89d9710 WebCore::Layout::FloatingContext::mapTopLeftToFloatingStateRoot(WebCore::Layout::Box const&, WebCore::LayoutPoint) const
5   0x2a89d7b40 std::__1::optional<WebCore::Layout::FloatingContext::PositionWithClearance> WebCore::Layout::FloatingContext::verticalPositionWithClearance(WebCore::Layout::Box const&, WebCore::Layout::BoxGeometry const&) const::$_12::operator()<std::__1::optional<WebCore::LayoutUnit>>(std::__1::optional<WebCore::LayoutUnit>) const
6   0x2a89d784c WebCore::Layout::FloatingContext::verticalPositionWithClearance(WebCore::Layout::Box const&, WebCore::Layout::BoxGeometry const&) const
7   0x2a8a441e8 WebCore::Layout::InlineFormattingGeometry::logicalTopForNextLine(WebCore::Layout::LineLayoutResult const&, WebCore::Layout::InlineRect const&, WebCore::Layout::FloatingContext const&) const
8   0x2a8a43038 WebCore::Layout::InlineFormattingContext::lineLayout(WebCore::Layout::AbstractLineBuilder&, WTF::Vector<WebCore::Layout::InlineItem, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WebCore::Layout::InlineItemRange, std::__1::optional<WebCore::Layout::PreviousLine>, WebCore::Layout::ConstraintsForInlineContent const&, WebCore::Layout::InlineLayoutState&, WebCore::Layout::InlineDamage const*)
9   0x2a8a42200 WebCore::Layout::InlineFormattingContext::layout(WebCore::Layout::ConstraintsForInlineContent const&, WebCore::Layout::InlineLayoutState&, WebCore::Layout::InlineDamage const*)
10  0x2a8b16638 WebCore::LayoutIntegration::LineLayout::layout()
11  0x2a999e080 WebCore::RenderBlockFlow::layoutModernLines(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
12  0x2a999b4d4 WebCore::RenderBlockFlow::layoutInlineChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
13  0x2a9999880 WebCore::RenderBlockFlow::layoutInFlowChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
14  0x2a99988dc WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)
15  0x2a99796bc WebCore::RenderBlock::layout()
16  0x2a999c7f0 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
17  0x2a999b86c WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)
18  0x2a99998bc WebCore::RenderBlockFlow::layoutInFlowChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
19  0x2a99988dc WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)
20  0x2a99796bc WebCore::RenderBlock::layout()
21  0x2a999c7f0 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
22  0x2a999b86c WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)
23  0x2a99998bc WebCore::RenderBlockFlow::layoutInFlowChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
24  0x2a99988dc WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)
25  0x2a99796bc WebCore::RenderBlock::layout()
26  0x2a999c7f0 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
27  0x2a999b86c WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)
28  0x2a99998bc WebCore::RenderBlockFlow::layoutInFlowChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
29  0x2a99988dc WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)
30  0x2a99796bc WebCore::RenderBlock::layout()
31  0x2a999c7f0 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
2023-09-05 17:05:27.727 MiniBrowser[47492:39123897] WebContent process crashed; reloading

I will attach my full crash log as well.

Thanks!
Comment 1 Ahmad Saleem 2023-09-05 08:24:24 PDT
Created attachment 467554
Full Crash Logs
Comment 2 Radar WebKit Bug Importer 2023-09-05 08:25:10 PDT
<rdar://problem/114984295>
Comment 3 zalan 2023-09-05 08:55:04 PDT
Created attachment 467555
Test reduction
Comment 4 zalan 2023-09-05 10:02:47 PDT
Created attachment 467557
[fast-cq]Patch
Comment 5 EWS 2023-09-05 12:38:29 PDT
Committed 267644@main (af201f59b4cb): <https://commits.webkit.org/267644@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 467557.