[Webkit-unassigned] [Bug 161318] New: Wrong containingBlock() calculation for a multicolumn element inside an SVG which is inside another multicolumn element

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Aug 29 11:08:19 PDT 2016 

https://bugs.webkit.org/show_bug.cgi?id=161318

            Bug ID: 161318
           Summary: Wrong containingBlock() calculation for a multicolumn
                    element inside an SVG which is inside another
                    multicolumn element
    Classification: Unclassified
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: SVG
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: sabouhallawa at apple.com
                CC: zimmermann at kde.org

Open the following test case in WK1 or on iOS.

<div style="-webkit-columns:2;">
    <svg style="position:absolute;">
        <foreignObject>
            <div style="-webkit-columns:2;">
                <div style="position:absolute;"></div>
            </div>
        </foreignObject>
    </svg>
</div>

Result: The following assertion fires.

#0    0x0000000104a521b4 in ::WTFCrash() at /Volumes/Data/WebKit/OpenSource/Source/WTF/wtf/Assertions.cpp:323
#1    0x0000000108a3270a in WebCore::RenderFlowThread::collectLayerFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul>&, WebCore::LayoutRect const&, WebCore::LayoutRect const&)
#2    0x0000000108aa5b8c in WebCore::RenderLayer::collectFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul>&, WebCore::RenderLayer const*, WebCore::LayoutRect const&, WebCore::RenderLayer::PaginationInclusionMode, WebCore::ClipRectsType, WebCore::OverlayScrollbarSizeRelevancy, WebCore::ShouldRespectOverflowClip, WebCore::LayoutSize const&, WebCore::LayoutRect const*, WebCore::ShouldApplyRootOffsetToFragments)
#3    0x0000000108aa2065 in WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int)
#4    0x0000000108aa17b5 in WebCore::RenderLayer::paintLayerContentsAndReflection(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int)
#5    0x0000000108aa0121 in WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int)
#6    0x0000000108aa62b1 in WebCore::RenderLayer::paintList(WTF::Vector<WebCore::RenderLayer*, 0ul, WTF::CrashOnOverflow, 16ul>*, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int)
#7    0x0000000108aa236c in WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int)
#8    0x0000000108aa17b5 in WebCore::RenderLayer::paintLayerContentsAndReflection(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int)
#9    0x0000000108aa0121 in WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int)
#10    0x0000000108aa62b1 in WebCore::RenderLayer::paintList(WTF::Vector<WebCore::RenderLayer*, 0ul, WTF::CrashOnOverflow, 16ul>*, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int)
#11    0x0000000108aa236c in WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int)
#12    0x0000000108aa17b5 in WebCore::RenderLayer::paintLayerContentsAndReflection(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int)
#13    0x0000000108aa0121 in WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int)
#14    0x0000000108aa62b1 in WebCore::RenderLayer::paintList(WTF::Vector<WebCore::RenderLayer*, 0ul, WTF::CrashOnOverflow, 16ul>*, WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int)
#15    0x0000000108aa239c in WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int)
#16    0x0000000108aa17b5 in WebCore::RenderLayer::paintLayerContentsAndReflection(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int)
#17    0x0000000108aa0121 in WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, unsigned int)
#18    0x0000000108a9fa2f in WebCore::RenderLayer::paint(WebCore::GraphicsContext&, WebCore::LayoutRect const&, WebCore::LayoutSize const&, unsigned int, WebCore::RenderObject*, unsigned int)
#19    0x00000001078ed050 in WebCore::FrameView::paintContents(WebCore::GraphicsContext&, WebCore::IntRect const&)

This assertion happens when RenderFlowThread::invalidateRegions() was called but was not followed by running the layout and calling RenderFlowThread::validateRegions() which means the renderer is either dirty or its RenderFlowThread::invalidateRegions() was called by mistake.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20160829/92d123c2/attachment-0001.html>

More information about the webkit-unassigned mailing list