[Webkit-unassigned] [Bug 249617] New: REGRESSION(257434@main): Crash in RenderReplaced::computeIntrinsicSizesConstrainedByTransferredMinMaxSizes on https://gitlab.com/gnutls/gnutls/

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Dec 19 16:17:36 PST 2022


https://bugs.webkit.org/show_bug.cgi?id=249617

            Bug ID: 249617
           Summary: REGRESSION(257434@main): Crash in RenderReplaced::computeIntrinsicSizesConstrainedByTransferredMinMaxSizes on https://gitlab.com/gnutls/gnutls/
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Layout and Rendering
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mcatanzaro at gnome.org
                CC: bfulgham at webkit.org, bugs-noreply at webkitgtk.org,
                    simon.fraser at apple.com, zalan at apple.com

Using WebKitGTK 2.39.3 (257841@main), visiting https://gitlab.com/gnutls/gnutls/ causes a web process crash 100% of the time. (But surprisingly, visiting other project pages on gitlab.com does not trigger the crash!) The crashing code was added in 257434@main "Replaced elements with aspect ratio and size in one dimension should respect min-max constraints in opposite dimension" so I'll assume it's a regression from that commit. It's crashing on a libstdc++ assertion inside std::clamp, and the assertion text "!(__hi < __lo)" was helpfully included in the backtrace, so the crash happens because maxLogicalWidth is less than minLogicalWidth at RenderReplaced.cpp:480. The full version of the most interesting frame is:

#7  WebCore::RenderReplaced::computeIntrinsicSizesConstrainedByTransferredMinMaxSizes(WebCore::RenderBox*, WebCore::FloatSize&, WebCore::FloatSize&) const
    (this=this at entry=0x7f3811112880, intrinsicSize=..., intrinsicRatio=..., contentRenderer=0x0)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderReplaced.cpp:460
        minLogicalWidth = <synthetic pointer>
        maxLogicalWidth = <synthetic pointer>
        minLogicalHeight = <synthetic pointer>
        maxLogicalHeight = <synthetic pointer>

Unfortunately, the backtrace does not show what the width and height values are, but note contentRenderer=0x0. The function *does* safely handle nullptr here in the sense that it won't dereference it, because it is only passed to computeAspectRatioInformationForRenderBox and that function checks for nullptr, but maybe there is a new logic error in that case.

Truncated short version of the backtrace:

#0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo at entry=6, no_tid=no_tid at entry=0)
    at pthread_kill.c:44
#1  0x00007f38ab2911f3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78
#2  0x00007f38ab23f00e in __GI_raise (sig=sig at entry=6) at ../sysdeps/posix/raise.c:26
#3  0x00007f38ab2287fc in __GI_abort () at abort.c:79
#4  0x00007f38a74e200d in std::__glibcxx_assert_fail(char const*, int, char const*, char const*)
    (file=file at entry=0x7f38ae989798 "/usr/include/c++/12.1.0/bits/stl_algo.h", line=line at entry=3623, function=function at entry=0x7f38ae9f9990 "constexpr const _Tp& std::clamp(const _Tp&, const _Tp&, const _Tp&) [with _Tp = WebCore::LayoutUnit]", condition=condition at entry=0x7f38ae989ba8 "!(__hi < __lo)")
    at ../../../../../libstdc++-v3/src/c++11/debug.cc:60
#5  0x00007f38ae094467 in std::clamp<WebCore::LayoutUnit>(WebCore::LayoutUnit const&, WebCore::LayoutUnit const&, WebCore::LayoutUnit const&)Python Exception <class 'gdb.error'>: cannot use offset on synthetic pointer to register

    (__val=<optimized out>, __lo=<synthetic pointer>..., __hi=#6  std::clamp<WebCore::LayoutUnit>(WebCore::LayoutUnit const&, WebCore::LayoutUnit const&, WebCore::LayoutUnit const&)
    (__hi=<optimized out>, __lo=<optimized out>, __val=<optimized out>)
    at /usr/include/c++/12.1.0/bits/stl_algo.h:3621
#7  WebCore::RenderReplaced::computeIntrinsicSizesConstrainedByTransferredMinMaxSizes(WebCore::RenderBox*, WebCore::FloatSize&, WebCore::FloatSize&) const
     (this=this at entry=0x7f3811112880, intrinsicSize=..., intrinsicRatio=..., contentRenderer=0x0)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderReplaced.cpp:460
#8  0x00007f38ae096dfa in WebCore::RenderReplaced::computeIntrinsicSizesConstrainedByTransferredMinMaxSizes(WebCore::RenderBox*, WebCore::FloatSize&, WebCore::FloatSize&) const
    (intrinsicRatio=..., intrinsicSize=..., contentRenderer=0x0, this=0x7f3811112880)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderReplaced.cpp:442
#9  WebCore::RenderReplaced::computeReplacedLogicalWidth(WebCore::ShouldComputePreferred) const
    (this=0x7f3811112880, shouldComputePreferred=WebCore::ComputePreferred)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderReplaced.cpp:588
#10 0x00007f38ae093efe in WebCore::RenderReplaced::computePreferredLogicalWidths() (this=0x7f3811112880)
    at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderReplaced.cpp:706

Full backtrace attached.
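The following is an added illustration, not WebKit's code or part of the report: it models how a min constraint transferred through an aspect ratio can end up above the max constraint, which is exactly the `!(__hi < __lo)` precondition that libstdc++'s `std::clamp` asserts (and that is undefined behaviour without assertions enabled), and shows a constraining helper that orders the bounds before clamping. `WebCore::LayoutUnit` is stood in for by `int`, and the `MinMax` struct and function names are assumptions for the example.

```cpp
// Added example (not WebKit's code): models the constraint transfer that the
// report's crashing function performs and the std::clamp precondition it tripped.
// WebCore::LayoutUnit is replaced by int; the MinMax struct is an assumption.
#include <algorithm>
#include <cassert>
#include <cmath>
#include <limits>

struct MinMax { int min; int max; };   // max == INT_MAX stands for "none"

// Transfer a height constraint to the width axis through an aspect ratio (w/h).
MinMax transferHeightToWidth(const MinMax& height, double ratio)
{
    int maxW = height.max == std::numeric_limits<int>::max()
        ? height.max
        : static_cast<int>(std::lround(height.max * ratio));
    return { static_cast<int>(std::lround(height.min * ratio)), maxW };
}

// Combine the explicit width constraint with the transferred one: the tightest
// lower bound and the tightest upper bound. These can cross (min > max).
MinMax combine(const MinMax& a, const MinMax& b)
{
    return { std::max(a.min, b.min), std::min(a.max, b.max) };
}

// The precondition libstdc++ asserts inside std::clamp: !(hi < lo).
// Calling std::clamp with crossed bounds is undefined behaviour; with
// _GLIBCXX_ASSERTIONS it aborts, which is the crash in the backtrace above.
bool clampBoundsAreOrdered(const MinMax& c) { return !(c.max < c.min); }

// Safe constraint: resolve a crossed range first (min wins, as CSS 2.1 §10.4
// does for min-width/max-width), so std::clamp never sees inverted bounds.
int constrainWidth(int preferred, MinMax c)
{
    if (c.max < c.min)
        c.max = c.min;
    return std::clamp(preferred, c.min, c.max);
}
```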
