[Webkit-unassigned] [Bug 191473] New: [css-grid] Crash on debug changing the style of a positioned element

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Nov 9 09:49:30 PST 2018 

https://bugs.webkit.org/show_bug.cgi?id=191473

            Bug ID: 191473
           Summary: [css-grid] Crash on debug changing the style of a
                    positioned element
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Layout and Rendering
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: jfernandez at igalia.com
                CC: bfulgham at webkit.org, simon.fraser at apple.com,
                    zalan at apple.com

Created attachment 354352

  --> https://bugs.webkit.org/attachment.cgi?id=354352&action=review

Test case to reproduce the issue

Load the attached test case. The browser crashes with the following backtrace:


ASSERTION FAILED: m_gridItemArea.contains(&item)
#0  WTF::jscSignalHandler (sig=1, info=0xffffffff, ucontext=0x7f5c17d19540) at ../../Source/WTF/wtf/threads/Signals.cpp:285
#1  <signal handler called>
#2  0x00007f5c19795a6a in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:255
#3  0x00007f5c298992bf in WebCore::Grid::gridItemArea (this=0x7f4795e006f0, item=...) at ../../Source/WebCore/rendering/Grid.cpp:92
#4  0x00007f5c29899715 in WebCore::Grid::gridItemSpan (this=0x7f4795e006f0, gridItem=..., direction=WebCore::ForColumns) at ../../Source/WebCore/rendering/Grid.cpp:145
#5  0x00007f5c29a0865c in WebCore::RenderGrid::gridAreaBreadthForChildIncludingAlignmentOffsets (this=0x7f4795e00600, child=..., direction=WebCore::ForColumns)
    at ../../Source/WebCore/rendering/RenderGrid.cpp:942
#6  0x00007f5c29a08160 in WebCore::RenderGrid::layoutGridItems (this=0x7f4795e00600) at ../../Source/WebCore/rendering/RenderGrid.cpp:870
#7  0x00007f5c29a04e33 in WebCore::RenderGrid::layoutBlock (this=0x7f4795e00600, relayoutChildren=false) at ../../Source/WebCore/rendering/RenderGrid.cpp:275
#8  0x00007f5c298f14db in WebCore::RenderBlock::layout (this=0x7f4795e00600) at ../../Source/WebCore/rendering/RenderBlock.cpp:600
#9  0x00007f5c298a4719 in WebCore::RenderElement::layoutIfNeeded (this=0x7f4795e00600) at ../../Source/WebCore/rendering/RenderElement.h:123
#10 0x00007f5c2994baf3 in WebCore::RenderBlockFlow::layoutLineBoxes (this=0x7f47bee007a8, relayoutChildren=false, repaintLogicalTop=..., repaintLogicalBottom=...)
    at ../../Source/WebCore/rendering/RenderBlockLineLayout.cpp:1708
#11 0x00007f5c29902f1d in WebCore::RenderBlockFlow::layoutInlineChildren (this=0x7f47bee007a8, relayoutChildren=false, repaintLogicalTop=..., repaintLogicalBottom=...)
    at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:672
#12 0x00007f5c299022c0 in WebCore::RenderBlockFlow::layoutBlock (this=0x7f47bee007a8, relayoutChildren=false, pageLogicalHeight=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:503
#13 0x00007f5c298f14db in WebCore::RenderBlock::layout (this=0x7f47bee007a8) at ../../Source/WebCore/rendering/RenderBlock.cpp:600
#14 0x00007f5c299032c5 in WebCore::RenderBlockFlow::layoutBlockChild (this=0x7f5c00700768, child=..., marginInfo=..., previousFloatLogicalBottom=..., maxFloatLogicalBottom=...)
    at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:730
#15 0x00007f5c29902e29 in WebCore::RenderBlockFlow::layoutBlockChildren (this=0x7f5c00700768, relayoutChildren=false, maxFloatLogicalBottom=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:653
#16 0x00007f5c299022e4 in WebCore::RenderBlockFlow::layoutBlock (this=0x7f5c00700768, relayoutChildren=false, pageLogicalHeight=...) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:505
#17 0x00007f5c298f14db in WebCore::RenderBlock::layout (this=0x7f5c00700768) at ../../Source/WebCore/rendering/RenderBlock.cpp:600
#18 0x00007f5c29b50c52 in WebCore::RenderView::layout (this=0x7f5c00700768) at ../../Source/WebCore/rendering/RenderView.cpp:241

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20181109/ccfb2fd5/attachment-0001.html>

More information about the webkit-unassigned mailing list