[Webkit-unassigned] [Bug 164185] New: ASSERTION FAILED: m_endLine > 0 in WebCore::GridSpan::translate

bugzilla-daemon at webkit.org
Sat Oct 29 11:56:11 PDT 2016


https://bugs.webkit.org/show_bug.cgi?id=164185

            Bug ID: 164185
           Summary: ASSERTION FAILED: m_endLine > 0 in
                    WebCore::GridSpan::translate
    Classification: Unclassified
           Product: WebKit
           Version: WebKit Local Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Layout and Rendering
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: hodovan at inf.u-szeged.hu
                CC: simon.fraser at apple.com

Load the attached test with debug WebKitTestRunner:

Checked version: 8af8b44
OS: Darwin-15.6.0-x86_64-i386-64bit

<style>{}*|*,a{grid-row-end:2168081754 span}*{display:inline-grid;grid-area:i

Backtrace:

ASSERTION FAILED: m_endLine > 0
WebKit/Source/WebCore/rendering/style/GridArea.h(147) : void WebCore::GridSpan::translate(unsigned int)
1   0x10a3b14f1 WTFCrash
2   0x1137142c9 WebCore::GridSpan::translate(unsigned int)
3   0x1136e2b49 WebCore::RenderGrid::placeItemsOnGrid(WebCore::RenderGrid::SizingOperation)
4   0x1136e134e WebCore::RenderGrid::layoutBlock(bool, WebCore::LayoutUnit)
5   0x1133551b2 WebCore::RenderBlock::layout()
6   0x1134163e4 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
7   0x11340ef50 WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)
8   0x11340b808 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)
9   0x1133551b2 WebCore::RenderBlock::layout()
10  0x113d9c3b6 WebCore::RenderView::layoutContent(WebCore::LayoutState const&)
11  0x113d9e816 WebCore::RenderView::layout()
12  0x1101506a2 WebCore::FrameView::layout(bool)
13  0x10f7d06fa WebCore::Document::updateLayout()
14  0x10f7d8fc1 WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks)
15  0x11045b6ec WebCore::HTMLBodyElement::scrollHeight()
16  0x11169c73a WebCore::jsElementScrollHeightGetter(JSC::ExecState&, WebCore::JSElement&, JSC::ThrowScope&)
17  0x1116675b8 long long WebCore::BindingCaller<WebCore::JSElement>::attribute<&(WebCore::jsElementScrollHeightGetter(JSC::ExecState&, WebCore::JSElement&, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState*, long long, char const*)
18  0x11166725b WebCore::jsElementScrollHeight(JSC::ExecState*, long long, JSC::PropertyName)
19  0x109e8d62a JSC::PropertySlot::customGetter(JSC::ExecState*, JSC::PropertyName) const
20  0x107a79673 JSC::PropertySlot::getValue(JSC::ExecState*, JSC::PropertyName) const
21  0x107a78dbd JSC::JSValue::get(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) const
22  0x109a041ff llint_slow_path_get_by_id
23  0x109a326b6 llint_entry
24  0x109a2f4ae vmEntryToJavaScript
25  0x10945d2be JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
26  0x1093286f1 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
27  0x107e0971b JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
28  0x107e09c38 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)
29  0x107e0a6ae JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)
30  0x110fd91f1 WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)
31  0x1116eebed WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*)
ASAN:DEADLYSIGNAL
=================================================================
==9513==ERROR: AddressSanitizer: SEGV on unknown address 0x0000bbadbeef (pc 0x00010a3b1529 bp 0x7fff5f0fabe0 sp 0x7fff5f0fabd0 T0)
    #0 0x10a3b1528 in WTFCrash (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2d01528)
    #1 0x1137142c8 in WebCore::GridSpan::translate(unsigned int) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x50c82c8)
    #2 0x1136e2b48 in WebCore::RenderGrid::placeItemsOnGrid(WebCore::RenderGrid::SizingOperation) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5096b48)
    #3 0x1136e134d in WebCore::RenderGrid::layoutBlock(bool, WebCore::LayoutUnit) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x509534d)
    #4 0x1133551b1 in WebCore::RenderBlock::layout() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4d091b1)
    #5 0x1134163e3 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4dca3e3)
    #6 0x11340ef4f in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4dc2f4f)
    #7 0x11340b807 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4dbf807)
    #8 0x1133551b1 in WebCore::RenderBlock::layout() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4d091b1)
    #9 0x113d9c3b5 in WebCore::RenderView::layoutContent(WebCore::LayoutState const&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x57503b5)
    #10 0x113d9e815 in WebCore::RenderView::layout() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5752815)
    #11 0x1101506a1 in WebCore::FrameView::layout(bool) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1b046a1)
    #12 0x10f7d06f9 in WebCore::Document::updateLayout() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x11846f9)
    #13 0x10f7d8fc0 in WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x118cfc0)
    #14 0x11045b6eb in WebCore::HTMLBodyElement::scrollHeight() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1e0f6eb)
    #15 0x11169c739 in WebCore::jsElementScrollHeightGetter(JSC::ExecState&, WebCore::JSElement&, JSC::ThrowScope&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x3050739)
    #16 0x1116675b7 in long long WebCore::BindingCaller<WebCore::JSElement>::attribute<&(WebCore::jsElementScrollHeightGetter(JSC::ExecState&, WebCore::JSElement&, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState*, long long, char const*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x301b5b7)
    #17 0x11166725a in WebCore::jsElementScrollHeight(JSC::ExecState*, long long, JSC::PropertyName) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x301b25a)
    #18 0x109e8d629 in JSC::PropertySlot::customGetter(JSC::ExecState*, JSC::PropertyName) const (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x27dd629)
    #19 0x107a79672 in JSC::PropertySlot::getValue(JSC::ExecState*, JSC::PropertyName) const (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x3c9672)
    #20 0x107a78dbc in JSC::JSValue::get(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) const (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x3c8dbc)
    #21 0x109a041fe in llint_slow_path_get_by_id (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x23541fe)
    #22 0x109a326b5 in llint_entry (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x23826b5)
    #23 0x109a2f4ad in vmEntryToJavaScript (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x237f4ad)
    #24 0x10945d2bd in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x1dad2bd)
    #25 0x1093286f0 in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x1c786f0)
    #26 0x107e0971a in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x75971a)
    #27 0x107e09c37 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x759c37)
    #28 0x107e0a6ad in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x75a6ad)
    #29 0x110fd91f0 in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x298d1f0)
    #30 0x1116eebec in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x30a2bec)
    #31 0x10fc663c8 in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener>, 1ul, WTF::CrashOnOverflow, 16ul>) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x161a3c8)
    #32 0x10fc65c15 in WebCore::EventTarget::fireEventListeners(WebCore::Event&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1619c15)
    #33 0x10fa3d92a in WebCore::DOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x13f192a)
    #34 0x10fa54344 in WebCore::DOMWindow::dispatchLoadEvent() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1408344)
    #35 0x10f7e2ad1 in WebCore::Document::dispatchWindowLoadEvent() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1196ad1)
    #36 0x10f7d854c in WebCore::Document::implicitClose() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x118c54c)
    #37 0x1100be1e2 in WebCore::FrameLoader::checkCallImplicitClose() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1a721e2)
    #38 0x1100bdccb in WebCore::FrameLoader::checkCompleted() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1a71ccb)
    #39 0x1100bdde4 in WebCore::FrameLoader::loadDone() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1a71de4)
    #40 0x10ec9221e in WebCore::CachedResourceLoader::loadDone(WebCore::CachedResource*, bool) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x64621e)
    #41 0x11474f339 in WebCore::SubresourceLoader::notifyDone() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x6103339)
    #42 0x11474fa9a in WebCore::SubresourceLoader::didFail(WebCore::ResourceError const&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x6103a9a)
    #43 0x1025a56d0 in WebKit::WebResourceLoader::didFailResourceLoad(WebCore::ResourceError const&) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1a916d0)
    #44 0x1025b3e09 in void IPC::callMemberFunctionImpl<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::ResourceError const&), std::__1::tuple<WebCore::ResourceError>, 0ul>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::ResourceError const&), std::__1::tuple<WebCore::ResourceError>&&, std::__1::integer_sequence<unsigned long, 0ul>) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1a9fe09)
    #45 0x1025b3a14 in void IPC::callMemberFunction<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::ResourceError const&), std::__1::tuple<WebCore::ResourceError>, std::__1::integer_sequence<unsigned long, 0ul> >(std::__1::tuple<WebCore::ResourceError>&&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::ResourceError const&)) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1a9fa14)
    #46 0x1025b0a93 in void IPC::handleMessage<Messages::WebResourceLoader::DidFailResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::ResourceError const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::ResourceError const&)) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1a9ca93)
    #47 0x1025aec4b in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1a9ac4b)
    #48 0x1012d7da9 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x7c3da9)
    #49 0x100cebfba in IPC::Connection::dispatchMessage(IPC::Decoder&) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1d7fba)
    #50 0x100cd47c4 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1c07c4)
    #51 0x100cecca5 in IPC::Connection::dispatchOneMessage() (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1d8ca5)
    #52 0x100cfd25c in IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_14::operator()() (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1e925c)
    #53 0x100cfd188 in WTF::Function<void ()>::CallableWrapper<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_14>::call() (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1e9188)
    #54 0x10a435830 in WTF::Function<void ()>::operator()() const (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2d85830)
    #55 0x10a47fc46 in WTF::RunLoop::performWork() (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2dcfc46)
    #56 0x10a480b11 in WTF::RunLoop::performWork(void*) (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2dd0b11)
    #57 0x7fff81c1f880 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0xaa880)
    #58 0x7fff81bfefbb in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x89fbb)
    #59 0x7fff81bfe4de in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x894de)
    #60 0x7fff81bfded7 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x88ed7)
    #61 0x7fff82fde934 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30934)
    #62 0x7fff82fde76e in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x3076e)
    #63 0x7fff82fde5ae in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x305ae)
    #64 0x7fff8e643df5 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x48df5)
    #65 0x7fff8e643225 in -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x48225)
    #66 0x7fff8e637d7f in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x3cd7f)
    #67 0x7fff8e601367 in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x6367)
    #68 0x7fff92f09193 in _xpc_objc_main (/usr/lib/system/libxpc.dylib+0x11193)
    #69 0x7fff92f07bbd in xpc_main (/usr/lib/system/libxpc.dylib+0xfbbd)
    #70 0x100afbf73 in main (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development+0x100001f73)
    #71 0x7fff8ab8d5ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
    #72 0x0  (<unknown module>)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2d01528) in WTFCrash
==9513==ABORTING
#CRASHED - com.apple.WebKit.WebContent.Development (pid 9513)
