[Webkit-unassigned] [Bug 271268] New: [f0e8689f5d5a20e4] ASAN_TRAP | WTF::Vector::reserveCapacity; WTF::Vector::expandCapacity; WTF::Vector::appendSlowCase

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Mar 19 13:55:12 PDT 2024


https://bugs.webkit.org/show_bug.cgi?id=271268

            Bug ID: 271268
           Summary: [f0e8689f5d5a20e4] ASAN_TRAP |
                    WTF::Vector::reserveCapacity;
                    WTF::Vector::expandCapacity;
                    WTF::Vector::appendSlowCase
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Keywords: InRadar
          Severity: Normal
          Priority: P2
         Component: WebKit2
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: abigail_fox at apple.com
                CC: kkinnunen at apple.com

Testcase:
=======

<style>
.class2,aside { horizontal;float: right;-webkit-flow-from: }
*:last-of-type { show;-webkit-columns: 1px auto;grid: single;-webkit-min-logical-height: 1em;margin-bottom: 8192px;row-gap: steps(5,jump-start),step-end;border-bottom-style: ridge;-webkit-text-combine: auto;column-gap: 1px;-webkit-text-combine: auto;height: 0%;font-variant: fit-content(512vmax);border-left-style: solid;-webkit-box-decoration-break: }
#x42,.class2 { auto;-webkit-box-shadow: 232em 16px 16384px }
</style>
</dt>
<code title="AAAAAAAAAAAAAAAAAAAA">
</audio>
<p style="animation-fill-mode: bottom;-webkit-column-span: all;width: onblur="f4()">
<fieldset form="foo">
<label class="class2">
</label>
<button formtarget="x66">
</select>
</fieldset>
</h3>
<audio controls="" muted="">


Versions
=======

First found on WebKit-54c72ce.
Discovered by fuzzer WebKit-WebKitTestRunner-ASan-FreeDom (revision 1).


Testcase
=======


reduced-1-170680346905.html


Crash Report
==========

com.apple.WebKit.WebContent.Development-2024-02-01-084211.ips


Stack Trace
=========

frame #0: WebCore`bool WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::reserveCapacity<(WTF::FailureAction)0>(unsigned long)+0x3a4
frame #1: WebCore`WebCore::LayerFragment* WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::expandCapacity<(WTF::FailureAction)0>(unsigned long, WebCore::LayerFragment*)+0x194
frame #2: WebCore`bool WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::appendSlowCase<(WTF::FailureAction)0, WebCore::LayerFragment&>(WebCore::LayerFragment&)+0xac
frame #3: WebCore`WebCore::RenderMultiColumnSet::collectLayerFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WebCore::LayoutRect const&, WebCore::LayoutRect const&)+0x1a7c
frame #4: WebCore`WebCore::RenderFragmentedFlow::collectLayerFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WebCore::LayoutRect const&, WebCore::LayoutRect const&)+0x134
frame #5: WebCore`WebCore::RenderLayer::collectFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WebCore::RenderLayer const*, WebCore::LayoutRect const&, WebCore::RenderLayer::PaginationInclusionMode, WebCore::ClipRectsType, WTF::OptionSet<WebCore::RenderLayer::ClipRectsOption>, WebCore::LayoutSize const&, WebCore::LayoutRect const*, WebCore::ShouldApplyRootOffsetToFragments)+0x312c
frame #6: WebCore`WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)+0x1400
frame #7: WebCore`WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)+0x1888
frame #8: WebCore`WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)+0x36e4
frame #9: WebCore`WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)+0x1888
frame #10: WebCore`WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)+0x36e4
frame #11: WebCore`WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)+0x1888
frame #12: WebCore`WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)+0x36e4
frame #13: WebCore`WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)+0x1888
frame #14: WebCore`WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)+0x36e4
frame #15: WebCore`WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)+0x1888
frame #16: WebCore`WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)+0x36e4
frame #17: WebCore`WebCore::RenderLayerBacking::paintIntoLayer(WebCore::GraphicsLayer const*, WebCore::GraphicsContext&, WebCore::IntRect const&, WTF::OptionSet<WebCore::PaintBehavior>, WebCore::RegionContext*)::$_14::operator()(WebCore::RenderLayer&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) const+0xdbc
frame #18: WebCore`WebCore::RenderLayerBacking::paintIntoLayer(WebCore::GraphicsLayer const*, WebCore::GraphicsContext&, WebCore::IntRect const&, WTF::OptionSet<WebCore::PaintBehavior>, WebCore::RegionContext*)+0x440
frame #19: WebCore`WebCore::RenderLayerBacking::paintContents(WebCore::GraphicsLayer const*, WebCore::GraphicsContext&, WebCore::FloatRect const&, WTF::OptionSet<WebCore::GraphicsLayerPaintBehavior>)+0x3c4
frame #20: WebCore`WebCore::GraphicsLayer::paintGraphicsLayerContents(WebCore::GraphicsContext&, WebCore::FloatRect const&, WTF::OptionSet<WebCore::GraphicsLayerPaintBehavior>)+0x23c
frame #21: WebCore`WebCore::GraphicsLayerCA::platformCALayerPaintContents(WebCore::PlatformCALayer*, WebCore::GraphicsContext&, WebCore::FloatRect const&, WTF::OptionSet<WebCore::GraphicsLayerPaintBehavior>)+0x19c
frame #22: WebCore`WebCore::PlatformCALayer::drawLayerContents(WebCore::GraphicsContext&, WebCore::PlatformCALayer*, WTF::Vector<WebCore::FloatRect, 5ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WTF::OptionSet<WebCore::GraphicsLayerPaintBehavior>)+0x380
frame #23: WebKit`WebKit::RemoteLayerBackingStore::drawInContext(WebCore::GraphicsContext&)+0x6b0
frame #24: WebKit`WebKit::RemoteLayerWithRemoteRenderingBackingStore::createContextAndPaintContents()+0x124
frame #25: WebKit`WebKit::RemoteLayerBackingStore::paintContents()+0x8f0
frame #26: WebKit`WebKit::RemoteLayerBackingStoreCollection::paintReachableBackingStoreContents()+0x2d0
frame #27: WebKit`WebKit::RemoteLayerTreeContext::buildTransaction(WebKit::RemoteLayerTreeTransaction&, WebCore::PlatformCALayer&, WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::FrameIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>>)+0x320
frame #28: WebKit`WebKit::RemoteLayerTreeDrawingArea::updateRendering()+0xc30
frame #29: WebCore`WebCore::ThreadTimers::sharedTimerFiredInternal()+0x340
frame #30: WebCore`WebCore::timerFired(__CFRunLoopTimer*, void*)+0xd4
frame #31: CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__+0x1c
frame #32: CoreFoundation`__CFRunLoopDoTimer+0x3c8
frame #33: CoreFoundation`__CFRunLoopDoTimers+0x160
frame #34: CoreFoundation`__CFRunLoopRun+0x73c
frame #35: CoreFoundation`CFRunLoopRunSpecific+0x25c
frame #36: Foundation`-[NSRunLoop(NSRunLoop) runMode:beforeDate:]+0xd0
frame #37: Foundation`-[NSRunLoop(NSRunLoop) run]+0x3c
frame #38: libxpc.dylib`_xpc_objc_main+0x2a8
frame #39: libxpc.dylib`_xpc_main+0x140
frame #40: libxpc.dylib`xpc_main+0x3c
frame #41: WebKit`WebKit::XPCServiceMain(int, char const**)+0x138
frame #42: `0x1815f50b4+