[Webkit-unassigned] [Bug 224546] New: WebKit with LAYOUT_FORMATTING_CONTEXT enabled crashes when select the text

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Apr 14 07:47:01 PDT 2021


https://bugs.webkit.org/show_bug.cgi?id=224546

            Bug ID: 224546
           Summary: WebKit with LAYOUT_FORMATTING_CONTEXT enabled crashes
                    when select the text
           Product: WebKit
           Version: WebKit Local Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Layout and Rendering
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: cathiechen at igalia.com
                CC: bfulgham at webkit.org, simon.fraser at apple.com,
                    zalan at apple.com

Created attachment 425979

  --> https://bugs.webkit.org/attachment.cgi?id=425979&action=review

selection-crash.html

This issue occurs on a Debug build with LAYOUT_FORMATTING_CONTEXT enabled.
The code is updated to commit 80e1bf3d759003a97b3e676d78fca630407fdd35.

The test case contains an inline-block box and text.
The height of the body is 35px, but the others are 24px.

It crashes when selecting the text.

Debugging a bit:
  - During layout, in RenderBlockFlow::layoutInlineChildren, it uses layoutModernLines() to lay out lines. The logical height is 35.
  - During selection, in RenderBlockFlow::ensureLineBoxes, it calls complexLineLayout.layoutLineBoxes. The logical height is 24.
  - Then it fails `ASSERT(didNeedLayout || ceilf(logicalHeight()) == ceilf(oldHeight));` in RenderBlockFlow::ensureLineBoxes.
