RESOLVED FIXED 296687
REGRESSION(297834@main): [Grid] vimeo.com/watch not loading, crashing webprocess
https://bugs.webkit.org/show_bug.cgi?id=296687
Philippe Normand
Reported 2025-07-30 02:15:59 PDT
ASSERTION FAILED: !currentGrid().needsItemsPlacement()
/var/home/phil/WebKit/Source/WebCore/rendering/RenderGrid.cpp(2526) : unsigned int WebCore::RenderGrid::numTracks(Style::GridTrackSizingDirection) const
1 0x7f519ddea13c WebCore::RenderGrid::numTracks(WebCore::Style::GridTrackSizingDirection) const
2 0x7f519ddf6529 WebCore::RenderGrid::gridAreaRangeForOutOfFlow(WebCore::RenderBox const&, WebCore::Style::GridTrackSizingDirection) const
3 0x7f519dd1527f WebCore::PositionedLayoutConstraints::captureGridArea()
4 0x7f519dd14580 WebCore::PositionedLayoutConstraints::PositionedLayoutConstraints(WebCore::RenderBox const&, WebCore::RenderStyle const&, WebCore::LogicalBoxAxis)
5 0x7f519dd70fd5 WebCore::RenderBox::computePositionedLogicalHeight(WebCore::RenderBox::LogicalExtentComputedValues&) const
6 0x7f519dd6f8b2 WebCore::RenderBox::computeLogicalHeight(WebCore::LayoutUnit, WebCore::LayoutUnit) const
7 0x7f519dd3bdc1 WebCore::RenderBlock::availableLogicalHeightForPercentageComputation() const
8 0x7f519dd7c236 WebCore::RenderBox::hasAutoHeightOrContainingBlockWithAutoHeight(WebCore::RenderBox::UpdatePercentageHeightDescendants) const
9 0x7f519deb3daa WebCore::RenderReplaced::setNeedsLayoutIfNeededAfterIntrinsicSizeChange()
10 0x7f519de00ad1 WebCore::RenderImage::repaintOrMarkForLayout(WebCore::ImageSizeChangeType, WebCore::IntRect const*)
11 0x7f519de011c3 WebCore::RenderImage::imageChanged(void const*, WebCore::IntRect const*)
12 0x7f519d584b20 WebCore::CachedImage::didAddClient(WebCore::CachedResourceClient&)
13 0x7f519de0519e WebCore::RenderImageResource::setCachedImage(WebCore::CachedResourceHandle<WebCore::CachedImage>&&)
14 0x7f519d03578e WebCore::HTMLImageElement::didAttachRenderers()
15 0x7f519e081470 WebCore::RenderTreeUpdater::popParent()
16 0x7f519e07f888 WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&)
17 0x7f519e07d5e2 WebCore::RenderTreeUpdater::commit(std::unique_ptr<WebCore::Style::Update, std::default_delete<WebCore::Style::Update> >)
18 0x7f519cc0a239 WebCore::Document::updateRenderTree(std::unique_ptr<WebCore::Style::Update, std::default_delete<WebCore::Style::Update> >)
19 0x7f519cc0a8ea WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType)
20 0x7f519cc0b406 WebCore::Document::updateStyleIfNeeded()
21 0x7f519cc5dae6 WTF::Detail::CallableWrapper<WebCore::Document::Document(WebCore::LocalFrame*, WebCore::Settings const&, WTF::URL const&, WTF::OptionSet<WebCore::DocumentClass>, WTF::OptionSet<WebCore::Document::ConstructionFlag>, std::optional<WebCore::ProcessQualified<WTF::UUID> >)::$_0, void>::call()
22 0x7f519d893593 WebCore::ThreadTimers::sharedTimerFiredInternal()
23 0x7f5194e10b22 WTF::RunLoop::TimerBase::TimerBase(WTF::Ref<WTF::RunLoop, WTF::RawPtrTraits<WTF::RunLoop>, WTF::DefaultRefDerefTraits<WTF::RunLoop> >&&, WTF::ASCIILiteral)::$_0::__invoke(void*)
24 0x7f5194e0fa3d WTF::RunLoop::$_0::__invoke(_GSource*, int (*)(void*), void*)
25 0x7f5191eeb880 g_main_context_dispatch_unlocked.lto_priv.0
26 0x7f5191ef47c8 g_main_context_iterate_unlocked.isra.0
27 0x7f5191ef4a6f g_main_loop_run
28 0x7f5194e0ff95 WTF::RunLoop::run()
29 0x7f519acebc36 WebKit::WebProcessMain(int, char**)
30 0x7f518f1235f5 __libc_start_call_main
31 0x7f518f1236a8 __libc_start_main

After commenting out this assert, the webprocess still crashes.

#0 0x00007f625f6ee239 in WTFCrash () at /var/home/phil/WebKit/local-build-gtk/WebKitBuild/GTK/Release/lib/libjavascriptcoregtk-6.0.so.1
#1 0x00007f62649be3f9 in WTF::CrashOnOverflow::crash() () at /var/home/phil/WebKit/local-build-gtk/WebKitBuild/GTK/Release/lib/libwebkitgtk-6.0.so.4
#2 0x00007f62649be3e9 in WTF::CrashOnOverflow::overflowed() () at /var/home/phil/WebKit/local-build-gtk/WebKitBuild/GTK/Release/lib/libwebkitgtk-6.0.so.4
#3 0x00007f62689f65d9 in WebCore::RenderGrid::gridAreaRangeForOutOfFlow(WebCore::RenderBox const&, WebCore::Style::GridTrackSizingDirection) const () at /var/home/phil/WebKit/local-build-gtk/WebKitBuild/GTK/Release/lib/libwebkitgtk-6.0.so.4
#4 0x00007f626891527f in WebCore::PositionedLayoutConstraints::captureGridArea() () at /var/home/phil/WebKit/local-build-gtk/WebKitBuild/GTK/Release/lib/libwebkitgtk-6.0.so.4
#5 0x00007f6268914580 in WebCore::PositionedLayoutConstraints::PositionedLayoutConstraints(WebCore::RenderBox const&, WebCore::RenderStyle const&, WebCore::LogicalBoxAxis) () at /var/home/phil/WebKit/local-build-gtk/WebKitBuild/GTK/Release/lib/libwebkitgtk-6.0.so.4
#6 0x00007f6268970fd5 in WebCore::RenderBox::computePositionedLogicalHeight(WebCore::RenderBox::LogicalExtentComputedValues&) const () at /var/home/phil/WebKit/local-build-gtk/WebKitBuild/GTK/Release/lib/libwebkitgtk-6.0.so.4
#7 0x00007f626896f8b2 in WebCore::RenderBox::computeLogicalHeight(WebCore::LayoutUnit, WebCore::LayoutUnit) const () at /var/home/phil/WebKit/local-build-gtk/WebKitBuild/GTK/Release/lib/libwebkitgtk-6.0.so.4
#8 0x00007f626893bdc1 in WebCore::RenderBlock::availableLogicalHeightForPercentageComputation() const () at /var/home/phil/WebKit/local-build-gtk/WebKitBuild/GTK/Release/lib/libwebkitgtk-6.0.so.4
#9 0x00007f626897c236 in WebCore::RenderBox::hasAutoHeightOrContainingBlockWithAutoHeight(WebCore::RenderBox::UpdatePercentageHeightDescendants) const () at /var/home/phil/WebKit/local-build-gtk/WebKitBuild/GTK/Release/lib/libwebkitgtk-6.0.so.4
#10 0x00007f6268ab3b9a in WebCore::RenderReplaced::setNeedsLayoutIfNeededAfterIntrinsicSizeChange() () at /var/home/phil/WebKit/local-build-gtk/WebKitBuild/GTK/Release/lib/libwebkitgtk-6.0.so.4
#11 0x00007f6268a008c1 in WebCore::RenderImage::repaintOrMarkForLayout(WebCore::ImageSizeChangeType, WebCore::IntRect const*) () at /var/home/phil/WebKit/local-build-gtk/WebKitBuild/GTK/Release/lib/libwebkitgtk-6.0.so.4
#12 0x00007f6268a00fb3 in WebCore::RenderImage::imageChanged(void const*, WebCore::IntRect const*) () at /var/home/phil/WebKit/local-build-gtk/WebKitBuild/GTK/Release/lib/libwebkitgtk-6.0.so.4
#13 0x00007f6268184b20 in WebCore::CachedImage::didAddClient(WebCore::CachedResourceClient&) () at /var/home/phil/WebKit/local-build-gtk/WebKitBuild/GTK/Release/lib/libwebkitgtk-6.0.so.4
#14 0x00007f6268a04f8e in WebCore::RenderImageResource::setCachedImage(WebCore::CachedResourceHandle<WebCore::CachedImage>&&) () at /var/home/phil/WebKit/local-build-gtk/WebKitBuild/GTK/Release/lib/libwebkitgtk-6.0.so.4
#15 0x00007f6267c3578e in WebCore::HTMLImageElement::didAttachRenderers() () at /var/home/phil/WebKit/local-build-gtk/WebKitBuild/GTK/Release/lib/libwebkitgtk-6.0.so.4
#16 0x00007f6268c81260 in WebCore::RenderTreeUpdater::popParent() () at /var/home/phil/WebKit/local-build-gtk/WebKitBuild/GTK/Release/lib/libwebkitgtk-6.0.so.4
#17 0x00007f6268c7f678 in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) () at /var/home/phil/WebKit/local-build-gtk/WebKitBuild/GTK/Release/lib/libwebkitgtk-6.0.so.4
#18 0x00007f6268c7d3d2 in WebCore::RenderTreeUpdater::commit(std::unique_ptr<WebCore::Style::Update, std::default_delete<WebCore::Style::Update> >) () at /var/home/phil/WebKit/local-build-gtk/WebKitBuild/GTK/Release/lib/libwebkitgtk-6.0.so.4
#19 0x00007f626780a239 in WebCore::Document::updateRenderTree(std::unique_ptr<WebCore::Style::Update, std::default_delete<WebCore::Style::Update> >) () at /var/home/phil/WebKit/local-build-gtk/WebKitBuild/GTK/Release/lib/libwebkitgtk-6.0.so.4
#20 0x00007f626780a8ea in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) () at /var/home/phil/WebKit/local-build-gtk/WebKitBuild/GTK/Release/lib/libwebkitgtk-6.0.so.4
#21 0x00007f626780b406 in WebCore::Document::updateStyleIfNeeded() () at /var/home/phil/WebKit/local-build-gtk/WebKitBuild/GTK/Release/lib/libwebkitgtk-6.0.so.4
#22 0x00007f626785dae6 in WTF::Detail::CallableWrapper<WebCore::Document::Document(WebCore::LocalFrame*, WebCore::Settings const&, WTF::URL const&, WTF::OptionSet<WebCore::DocumentClass>, WTF::OptionSet<WebCore::Document::ConstructionFlag>, std::optional<WebCore::ProcessQualified<WTF::UUID> >)::$_0, void>::call() () at /var/home/phil/WebKit/local-build-gtk/WebKitBuild/GTK/Release/lib/libwebkitgtk-6.0.so.4
#23 0x00007f6268493593 in WebCore::ThreadTimers::sharedTimerFiredInternal() () at /var/home/phil/WebKit/local-build-gtk/WebKitBuild/GTK/Release/lib/libwebkitgtk-6.0.so.4
#24 0x00007f625f810b22 in WTF::RunLoop::TimerBase::TimerBase(WTF::Ref<WTF::RunLoop, WTF::RawPtrTraits<WTF::RunLoop>, WTF::DefaultRefDerefTraits<WTF::RunLoop> >&&, WTF::ASCIILiteral)::$_0::__invoke(void*) () at /var/home/phil/WebKit/local-build-gtk/WebKitBuild/GTK/Release/lib/libjavascriptcoregtk-6.0.so.1
#25 0x00007f625f80fa3d in WTF::RunLoop::$_0::__invoke(_GSource*, int (*)(void*), void*) () at /var/home/phil/WebKit/local-build-gtk/WebKitBuild/GTK/Release/lib/libjavascriptcoregtk-6.0.so.1
#26 0x00007f625a4eb880 in g_main_dispatch (context=0x3c389720) at ../glib/gmain.c:3398
Philippe Normand
Comment 1 2025-07-30 02:46:05 PDT
Claudio reports, MiniBrowser crashes from main, stable Safari doesn't.
Claudio Saavedra
Comment 2 2025-07-30 03:00:54 PDT
EWS
Comment 3 2025-07-30 05:02:41 PDT
Committed 298027@main (13150084c749): <https://commits.webkit.org/298027@main> Reviewed commits have been landed. Closing PR #48711 and removing active labels.
Radar WebKit Bug Importer
Comment 4 2025-07-30 05:03:19 PDT
fantasai
Comment 5 2025-07-31 13:35:56 PDT
For future reference, this line in availableLogicalHeightForPercentageComputation() is hiding a lot of work:

    if (isOutOfFlowPositionedWithSpecifiedHeight) {
        // Don't allow this to affect the block' size() member variable, since this
        // can get called while the block is still laying out its kids.
        return std::max(0_lu, computeLogicalHeight(logicalHeight(), 0_lu).m_extent - borderAndPaddingLogicalHeight() - scrollbarLogicalHeight());
    }

I think it should probably be doing a lot less work.