Bug 261159 - (REGRESSION 267456@main) Loading https://www.dsogaming.com crashes at Box::cachedGeometryForLayoutState
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: zalan
Keywords: InRadar
 
Reported: 2023-09-05 08:23 PDT by Ahmad Saleem
Modified: 2023-09-05 12:38 PDT

Attachments
Full Crash Logs (48.34 KB, text/plain)
2023-09-05 08:24 PDT, Ahmad Saleem
Test reduction (18.64 KB, text/html)
2023-09-05 08:55 PDT, zalan
[fast-cq]Patch (4.70 KB, patch)
2023-09-05 10:02 PDT, zalan

Description Ahmad Saleem 2023-09-05 08:23:34 PDT
Hi Team,

Based on 1-1 with Tim over Slack, he is also able to reproduce the crash on 'release' and 'assert' on debug.

ASSERT (from Tim):

ASSERTION FAILED: layoutBox.isDescendantOf(stayWithin)
/Volumes/Data/Code/Safari/OpenSource/Source/WebCore/layout/layouttree/LayoutContainingBlockChainIterator.h(88) : LayoutContainingBlockChainIteratorAdapter WebCore::Layout::containingBlockChain(const Box &, const ElementBox &)
1   0x13afe3068 WTFCrash
2   0x2a704c584 WTF::Vector<unsigned int, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::at(unsigned long)
3   0x2a89d99f8 WebCore::Layout::containingBlockChain(WebCore::Layout::Box const&, WebCore::Layout::ElementBox const&)
4   0x2a89d9710 WebCore::Layout::FloatingContext::mapTopLeftToFloatingStateRoot(WebCore::Layout::Box const&, WebCore::LayoutPoint) const
5   0x2a89d7b40 std::__1::optional<WebCore::Layout::FloatingContext::PositionWithClearance> WebCore::Layout::FloatingContext::verticalPositionWithClearance(WebCore::Layout::Box const&, WebCore::Layout::BoxGeometry const&) const::$_12::operator()<std::__1::optional<WebCore::LayoutUnit>>(std::__1::optional<WebCore::LayoutUnit>) const
6   0x2a89d784c WebCore::Layout::FloatingContext::verticalPositionWithClearance(WebCore::Layout::Box const&, WebCore::Layout::BoxGeometry const&) const
7   0x2a8a441e8 WebCore::Layout::InlineFormattingGeometry::logicalTopForNextLine(WebCore::Layout::LineLayoutResult const&, WebCore::Layout::InlineRect const&, WebCore::Layout::FloatingContext const&) const
8   0x2a8a43038 WebCore::Layout::InlineFormattingContext::lineLayout(WebCore::Layout::AbstractLineBuilder&, WTF::Vector<WebCore::Layout::InlineItem, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WebCore::Layout::InlineItemRange, std::__1::optional<WebCore::Layout::PreviousLine>, WebCore::Layout::ConstraintsForInlineContent const&, WebCore::Layout::InlineLayoutState&, WebCore::Layout::InlineDamage const*)
9   0x2a8a42200 WebCore::Layout::InlineFormattingContext::layout(WebCore::Layout::ConstraintsForInlineContent const&, WebCore::Layout::InlineLayoutState&, WebCore::Layout::InlineDamage const*)
10  0x2a8b16638 WebCore::LayoutIntegration::LineLayout::layout()
11  0x2a999e080 WebCore::RenderBlockFlow::layoutModernLines(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
12  0x2a999b4d4 WebCore::RenderBlockFlow::layoutInlineChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
13  0x2a9999880 WebCore::RenderBlockFlow::layoutInFlowChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
14  0x2a99988dc WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)
15  0x2a99796bc WebCore::RenderBlock::layout()
16  0x2a999c7f0 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
17  0x2a999b86c WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)
18  0x2a99998bc WebCore::RenderBlockFlow::layoutInFlowChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
19  0x2a99988dc WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)
20  0x2a99796bc WebCore::RenderBlock::layout()
21  0x2a999c7f0 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
22  0x2a999b86c WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)
23  0x2a99998bc WebCore::RenderBlockFlow::layoutInFlowChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
24  0x2a99988dc WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)
25  0x2a99796bc WebCore::RenderBlock::layout()
26  0x2a999c7f0 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
27  0x2a999b86c WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)
28  0x2a99998bc WebCore::RenderBlockFlow::layoutInFlowChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
29  0x2a99988dc WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)
30  0x2a99796bc WebCore::RenderBlock::layout()
31  0x2a999c7f0 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
2023-09-05 17:05:27.727 MiniBrowser[47492:39123897] WebContent process crashed; reloading

and will attach my full crash log as well.

Thanks!
Comment 1 Ahmad Saleem 2023-09-05 08:24:24 PDT
Created attachment 467554
Full Crash Logs
Comment 2 Radar WebKit Bug Importer 2023-09-05 08:25:10 PDT
<rdar://problem/114984295>
Comment 3 zalan 2023-09-05 08:55:04 PDT
Created attachment 467555
Test reduction
Comment 4 zalan 2023-09-05 10:02:47 PDT
Created attachment 467557
[fast-cq]Patch
Comment 5 EWS 2023-09-05 12:38:29 PDT
Committed 267644@main (af201f59b4cb): <https://commits.webkit.org/267644@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 467557.