Bug 262268

Summary:

ASSERTION FAILED: newFloatItem.layoutBox() => m_floats.findIf([&] (auto& entry) { return entry.layoutBox() == newFloatItem.layoutBox(); }) == notFound

Product:

WebKit

Reporter:

djinn <1319794503>

Component:

Layout and Rendering

Assignee:

alan <zalan>

Status:

NEW

Severity:

Normal

CC:

ahmad.saleem792, bfulgham, simon.fraser, webkit-bug-importer, zalan

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

OS:

Linux

Attachments:

Description	Flags
testcase to trigger the crash	none

djinn

Reported 2023-09-27 22:25:11 PDT

Created attachment 467941 [details] testcase to trigger the crash ASSERTION FAILED: newFloatItem.layoutBox() => m_floats.findIf([&] (auto& entry) { return entry.layoutBox() == newFloatItem.layoutBox(); }) == notFound /app/webkit/Source/WebCore/layout/floats/FloatingState.cpp(82) : void WebCore::Layout::FloatingState::append(FloatItem) The minimized testcase will be uploaded as soon as possilble.

Attachments
testcase to trigger the crash (473.57 KB, text/html) 2023-09-27 22:25 PDT, djinn	no flags	Details
View All Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2023-10-04 22:26:13 PDT

<rdar://problem/116504229>

djinn

Comment 2 2023-11-03 23:03:28 PDT

Hello, I would like to ask if a previously submitted bug is still not processed or unconfirmed, was it submitted in the wrong way? Or is it something else? Should I offer more info?

Ahmad Saleem

Comment 3 2025-02-06 23:56:43 PST

We hit this on following three css/CSS2/floats as well: imported/w3c/web-platform-tests/css/CSS2/floats/float-nowrap-9.html imported/w3c/web-platform-tests/css/CSS2/floats/floats-line-wrap-shifted-001.html imported/w3c/web-platform-tests/css/CSS2/floats/line-pushed-by-floats-crash.html ^ below: ASSERTION FAILED: newFloatItem.layoutBox() => m_list.findIf([&] (auto& entry) { return entry.layoutBox() == newFloatItem.layoutBox(); }) == notFound /Volumes/Data/worker/macOS-Sequoia-Debug-Build-EWS/build/Source/WebCore/layout/floats/PlacedFloats.cpp(85) : void WebCore::Layout::PlacedFloats::append(Item) 1 0x305722620 WebCore::Layout::PlacedFloats::append(WebCore::Layout::PlacedFloats::Item) 2 0x3057c3764 WebCore::Layout::LineBuilder::tryPlacingFloatBox(WebCore::Layout::Box const&, WebCore::Layout::LineBuilder::MayOverConstrainLine)::$_3::operator()() const 3 0x3057c31ac WebCore::Layout::LineBuilder::tryPlacingFloatBox(WebCore::Layout::Box const&, WebCore::Layout::LineBuilder::MayOverConstrainLine) 4 0x3057bf4c8 WebCore::Layout::LineBuilder::placeInlineAndFloatContent(WebCore::Layout::InlineItemRange const&)::$_0::operator()() const 5 0x3057be0e0 WebCore::Layout::LineBuilder::placeInlineAndFloatContent(WebCore::Layout::InlineItemRange const&) 6 0x3057bd6f0 WebCore::Layout::LineBuilder::layoutInlineContent(WebCore::Layout::LineInput const&, std::__1::optional<WebCore::Layout::PreviousLine> const&) 7 0x3057743dc WebCore::Layout::InlineFormattingContext::lineLayout(WebCore::Layout::AbstractLineBuilder&, WTF::Vector<WebCore::Layout::InlineItem, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WebCore::Layout::InlineItemRange, std::__1::optional<WebCore::Layout::PreviousLine>, WebCore::Layout::ConstraintsForInlineContent const&, WebCore::Layout::InlineDamage const*) 8 0x3057734a0 WebCore::Layout::InlineFormattingContext::layout(WebCore::Layout::ConstraintsForInlineContent const&, WebCore::Layout::InlineDamage*) 9 0x30587d81c WebCore::LayoutIntegration::LineLayout::layout() 10 0x306a124a0 WebCore::RenderBlockFlow::layoutInlineContent(WebCore::RelayoutChildren, WebCore::LayoutUnit&, WebCore::LayoutUnit&) 11 0x306a0ff4c WebCore::RenderBlockFlow::layoutInlineChildren(WebCore::RelayoutChildren, WebCore::LayoutUnit&, WebCore::LayoutUnit&) 12 0x306a0e8ac WebCore::RenderBlockFlow::layoutInFlowChildren(WebCore::RelayoutChildren, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) 13 0x306a0d724 WebCore::RenderBlockFlow::layoutBlock(WebCore::RelayoutChildren, WebCore::LayoutUnit) 14 0x3069ef710 WebCore::RenderBlock::layout() 15 0x306a10ef0 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) 16 0x306a10310 WebCore::RenderBlockFlow::layoutBlockChildren(WebCore::RelayoutChildren, WebCore::LayoutUnit&) 17 0x306a0e8f4 WebCore::RenderBlockFlow::layoutInFlowChildren(WebCore::RelayoutChildren, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) 18 0x306a0d724 WebCore::RenderBlockFlow::layoutBlock(WebCore::RelayoutChildren, WebCore::LayoutUnit) 19 0x3069ef710 WebCore::RenderBlock::layout() 20 0x306a10ef0 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) 21 0x306a10310 WebCore::RenderBlockFlow::layoutBlockChildren(WebCore::RelayoutChildren, WebCore::LayoutUnit&) 22 0x306a0e8f4 WebCore::RenderBlockFlow::layoutInFlowChildren(WebCore::RelayoutChildren, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) 23 0x306a0d724 WebCore::RenderBlockFlow::layoutBlock(WebCore::RelayoutChildren, WebCore::LayoutUnit) 24 0x3069ef710 WebCore::RenderBlock::layout() 25 0x306a10ef0 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) 26 0x306a10310 WebCore::RenderBlockFlow::layoutBlockChildren(WebCore::RelayoutChildren, WebCore::LayoutUnit&) 27 0x306a0e8f4 WebCore::RenderBlockFlow::layoutInFlowChildren(WebCore::RelayoutChildren, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) 28 0x306a0d724 WebCore::RenderBlockFlow::layoutBlock(WebCore::RelayoutChildren, WebCore::LayoutUnit) 29 0x3069ef710 WebCore::RenderBlock::layout() 30 0x306cac994 WebCore::RenderView::layout() 31 0x305ccab80 WebCore::LocalFrameViewLayoutContext::performLayout(bool) com.apple.WebKit.WebContent.Development terminated (pid 11732) for reason: crash LEAK: 1 WebPageProxy

Note You need to log in before you can comment on or make changes to this bug.