[Webkit-unassigned] [Bug 261159] New: Crash on 'https://www.dsogaming.com' on WebKit ToT (267629 at main)

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Sep 5 08:23:34 PDT 2023 

https://bugs.webkit.org/show_bug.cgi?id=261159

            Bug ID: 261159
           Summary: Crash on 'https://www.dsogaming.com' on WebKit ToT
                    (267629 at main)
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Layout and Rendering
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: ahmad.saleem792 at gmail.com
                CC: bfulgham at webkit.org, ntim at apple.com,
                    simon.fraser at apple.com, zalan at apple.com

Hi Team,

Based on 1-1 with Tim over Slack, he is also able to reproduce the crash on 'release' and 'assert' on debug.

ASSERT (from Tim):

ASSERTION FAILED: layoutBox.isDescendantOf(stayWithin)
/Volumes/Data/Code/Safari/OpenSource/Source/WebCore/layout/layouttree/LayoutContainingBlockChainIterator.h(88) : LayoutContainingBlockChainIteratorAdapter WebCore::Layout::containingBlockChain(const Box &, const ElementBox &)
1   0x13afe3068 WTFCrash
2   0x2a704c584 WTF::Vector<unsigned int, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::at(unsigned long)
3   0x2a89d99f8 WebCore::Layout::containingBlockChain(WebCore::Layout::Box const&, WebCore::Layout::ElementBox const&)
4   0x2a89d9710 WebCore::Layout::FloatingContext::mapTopLeftToFloatingStateRoot(WebCore::Layout::Box const&, WebCore::LayoutPoint) const
5   0x2a89d7b40 std::__1::optional<WebCore::Layout::FloatingContext::PositionWithClearance> WebCore::Layout::FloatingContext::verticalPositionWithClearance(WebCore::Layout::Box const&, WebCore::Layout::BoxGeometry const&) const::$_12::operator()<std::__1::optional<WebCore::LayoutUnit>>(std::__1::optional<WebCore::LayoutUnit>) const
6   0x2a89d784c WebCore::Layout::FloatingContext::verticalPositionWithClearance(WebCore::Layout::Box const&, WebCore::Layout::BoxGeometry const&) const
7   0x2a8a441e8 WebCore::Layout::InlineFormattingGeometry::logicalTopForNextLine(WebCore::Layout::LineLayoutResult const&, WebCore::Layout::InlineRect const&, WebCore::Layout::FloatingContext const&) const
8   0x2a8a43038 WebCore::Layout::InlineFormattingContext::lineLayout(WebCore::Layout::AbstractLineBuilder&, WTF::Vector<WebCore::Layout::InlineItem, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WebCore::Layout::InlineItemRange, std::__1::optional<WebCore::Layout::PreviousLine>, WebCore::Layout::ConstraintsForInlineContent const&, WebCore::Layout::InlineLayoutState&, WebCore::Layout::InlineDamage const*)
9   0x2a8a42200 WebCore::Layout::InlineFormattingContext::layout(WebCore::Layout::ConstraintsForInlineContent const&, WebCore::Layout::InlineLayoutState&, WebCore::Layout::InlineDamage const*)
10  0x2a8b16638 WebCore::LayoutIntegration::LineLayout::layout()
11  0x2a999e080 WebCore::RenderBlockFlow::layoutModernLines(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
12  0x2a999b4d4 WebCore::RenderBlockFlow::layoutInlineChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
13  0x2a9999880 WebCore::RenderBlockFlow::layoutInFlowChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
14  0x2a99988dc WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)
15  0x2a99796bc WebCore::RenderBlock::layout()
16  0x2a999c7f0 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
17  0x2a999b86c WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)
18  0x2a99998bc WebCore::RenderBlockFlow::layoutInFlowChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
19  0x2a99988dc WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)
20  0x2a99796bc WebCore::RenderBlock::layout()
21  0x2a999c7f0 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
22  0x2a999b86c WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)
23  0x2a99998bc WebCore::RenderBlockFlow::layoutInFlowChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
24  0x2a99988dc WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)
25  0x2a99796bc WebCore::RenderBlock::layout()
26  0x2a999c7f0 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
27  0x2a999b86c WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)
28  0x2a99998bc WebCore::RenderBlockFlow::layoutInFlowChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
29  0x2a99988dc WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)
30  0x2a99796bc WebCore::RenderBlock::layout()
31  0x2a999c7f0 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
2023-09-05 17:05:27.727 MiniBrowser[47492:39123897] WebContent process crashed; reloading

and will attach my full crash log as well.

Thanks!

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20230905/882952cb/attachment.htm>

More information about the webkit-unassigned mailing list