<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - ASSERTION FAILED: m_endLine > 0 in WebCore::GridSpan::translate"
href="https://bugs.webkit.org/show_bug.cgi?id=164185">164185</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>ASSERTION FAILED: m_endLine > 0 in WebCore::GridSpan::translate
</td>
</tr>
<tr>
<th>Classification</th>
<td>Unclassified
</td>
</tr>
<tr>
<th>Product</th>
<td>WebKit
</td>
</tr>
<tr>
<th>Version</th>
<td>WebKit Local Build
</td>
</tr>
<tr>
<th>Hardware</th>
<td>Unspecified
</td>
</tr>
<tr>
<th>OS</th>
<td>Unspecified
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>Normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P2
</td>
</tr>
<tr>
<th>Component</th>
<td>Layout and Rendering
</td>
</tr>
<tr>
<th>Assignee</th>
<td>webkit-unassigned@lists.webkit.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>hodovan@inf.u-szeged.hu
</td>
</tr>
<tr>
<th>CC</th>
<td>simon.fraser@apple.com
</td>
</tr></table>
<p>
<div>
<pre>Load the attached test with debug WebKitTestRunner:
Checked version: 8af8b44
OS: Darwin-15.6.0-x86_64-i386-64bit
<style>{}*|*,a{grid-row-end:2168081754 span}*{display:inline-grid;grid-area:i
Backtrace:
ASSERTION FAILED: m_endLine > 0
WebKit/Source/WebCore/rendering/style/GridArea.h(147) : void WebCore::GridSpan::translate(unsigned int)
1 0x10a3b14f1 WTFCrash
2 0x1137142c9 WebCore::GridSpan::translate(unsigned int)
3 0x1136e2b49 WebCore::RenderGrid::placeItemsOnGrid(WebCore::RenderGrid::SizingOperation)
4 0x1136e134e WebCore::RenderGrid::layoutBlock(bool, WebCore::LayoutUnit)
5 0x1133551b2 WebCore::RenderBlock::layout()
6 0x1134163e4 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
7 0x11340ef50 WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)
8 0x11340b808 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)
9 0x1133551b2 WebCore::RenderBlock::layout()
10 0x113d9c3b6 WebCore::RenderView::layoutContent(WebCore::LayoutState const&)
11 0x113d9e816 WebCore::RenderView::layout()
12 0x1101506a2 WebCore::FrameView::layout(bool)
13 0x10f7d06fa WebCore::Document::updateLayout()
14 0x10f7d8fc1 WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks)
15 0x11045b6ec WebCore::HTMLBodyElement::scrollHeight()
16 0x11169c73a WebCore::jsElementScrollHeightGetter(JSC::ExecState&, WebCore::JSElement&, JSC::ThrowScope&)
17 0x1116675b8 long long WebCore::BindingCaller<WebCore::JSElement>::attribute<&(WebCore::jsElementScrollHeightGetter(JSC::ExecState&, WebCore::JSElement&, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState*, long long, char const*)
18 0x11166725b WebCore::jsElementScrollHeight(JSC::ExecState*, long long, JSC::PropertyName)
19 0x109e8d62a JSC::PropertySlot::customGetter(JSC::ExecState*, JSC::PropertyName) const
20 0x107a79673 JSC::PropertySlot::getValue(JSC::ExecState*, JSC::PropertyName) const
21 0x107a78dbd JSC::JSValue::get(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) const
22 0x109a041ff llint_slow_path_get_by_id
23 0x109a326b6 llint_entry
24 0x109a2f4ae vmEntryToJavaScript
25 0x10945d2be JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
26 0x1093286f1 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
27 0x107e0971b JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
28 0x107e09c38 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)
29 0x107e0a6ae JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)
30 0x110fd91f1 WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)
31 0x1116eebed WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*)
ASAN:DEADLYSIGNAL
=================================================================
==9513==ERROR: AddressSanitizer: SEGV on unknown address 0x0000bbadbeef (pc 0x00010a3b1529 bp 0x7fff5f0fabe0 sp 0x7fff5f0fabd0 T0)
#0 0x10a3b1528 in WTFCrash (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2d01528)
#1 0x1137142c8 in WebCore::GridSpan::translate(unsigned int) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x50c82c8)
#2 0x1136e2b48 in WebCore::RenderGrid::placeItemsOnGrid(WebCore::RenderGrid::SizingOperation) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5096b48)
#3 0x1136e134d in WebCore::RenderGrid::layoutBlock(bool, WebCore::LayoutUnit) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x509534d)
#4 0x1133551b1 in WebCore::RenderBlock::layout() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4d091b1)
#5 0x1134163e3 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4dca3e3)
#6 0x11340ef4f in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4dc2f4f)
#7 0x11340b807 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4dbf807)
#8 0x1133551b1 in WebCore::RenderBlock::layout() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4d091b1)
#9 0x113d9c3b5 in WebCore::RenderView::layoutContent(WebCore::LayoutState const&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x57503b5)
#10 0x113d9e815 in WebCore::RenderView::layout() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5752815)
#11 0x1101506a1 in WebCore::FrameView::layout(bool) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1b046a1)
#12 0x10f7d06f9 in WebCore::Document::updateLayout() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x11846f9)
#13 0x10f7d8fc0 in WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x118cfc0)
#14 0x11045b6eb in WebCore::HTMLBodyElement::scrollHeight() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1e0f6eb)
#15 0x11169c739 in WebCore::jsElementScrollHeightGetter(JSC::ExecState&, WebCore::JSElement&, JSC::ThrowScope&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x3050739)
#16 0x1116675b7 in long long WebCore::BindingCaller<WebCore::JSElement>::attribute<&(WebCore::jsElementScrollHeightGetter(JSC::ExecState&, WebCore::JSElement&, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState*, long long, char const*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x301b5b7)
#17 0x11166725a in WebCore::jsElementScrollHeight(JSC::ExecState*, long long, JSC::PropertyName) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x301b25a)
#18 0x109e8d629 in JSC::PropertySlot::customGetter(JSC::ExecState*, JSC::PropertyName) const (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x27dd629)
#19 0x107a79672 in JSC::PropertySlot::getValue(JSC::ExecState*, JSC::PropertyName) const (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x3c9672)
#20 0x107a78dbc in JSC::JSValue::get(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) const (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x3c8dbc)
#21 0x109a041fe in llint_slow_path_get_by_id (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x23541fe)
#22 0x109a326b5 in llint_entry (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x23826b5)
#23 0x109a2f4ad in vmEntryToJavaScript (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x237f4ad)
#24 0x10945d2bd in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x1dad2bd)
#25 0x1093286f0 in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x1c786f0)
#26 0x107e0971a in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x75971a)
#27 0x107e09c37 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x759c37)
#28 0x107e0a6ad in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x75a6ad)
#29 0x110fd91f0 in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x298d1f0)
#30 0x1116eebec in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x30a2bec)
#31 0x10fc663c8 in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener>, 1ul, WTF::CrashOnOverflow, 16ul>) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x161a3c8)
#32 0x10fc65c15 in WebCore::EventTarget::fireEventListeners(WebCore::Event&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1619c15)
#33 0x10fa3d92a in WebCore::DOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x13f192a)
#34 0x10fa54344 in WebCore::DOMWindow::dispatchLoadEvent() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1408344)
#35 0x10f7e2ad1 in WebCore::Document::dispatchWindowLoadEvent() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1196ad1)
#36 0x10f7d854c in WebCore::Document::implicitClose() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x118c54c)
#37 0x1100be1e2 in WebCore::FrameLoader::checkCallImplicitClose() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1a721e2)
#38 0x1100bdccb in WebCore::FrameLoader::checkCompleted() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1a71ccb)
#39 0x1100bdde4 in WebCore::FrameLoader::loadDone() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1a71de4)
#40 0x10ec9221e in WebCore::CachedResourceLoader::loadDone(WebCore::CachedResource*, bool) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x64621e)
#41 0x11474f339 in WebCore::SubresourceLoader::notifyDone() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x6103339)
#42 0x11474fa9a in WebCore::SubresourceLoader::didFail(WebCore::ResourceError const&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x6103a9a)
#43 0x1025a56d0 in WebKit::WebResourceLoader::didFailResourceLoad(WebCore::ResourceError const&) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1a916d0)
#44 0x1025b3e09 in void IPC::callMemberFunctionImpl<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::ResourceError const&), std::__1::tuple<WebCore::ResourceError>, 0ul>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::ResourceError const&), std::__1::tuple<WebCore::ResourceError>&&, std::__1::integer_sequence<unsigned long, 0ul>) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1a9fe09)
#45 0x1025b3a14 in void IPC::callMemberFunction<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::ResourceError const&), std::__1::tuple<WebCore::ResourceError>, std::__1::integer_sequence<unsigned long, 0ul> >(std::__1::tuple<WebCore::ResourceError>&&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::ResourceError const&)) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1a9fa14)
#46 0x1025b0a93 in void IPC::handleMessage<Messages::WebResourceLoader::DidFailResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::ResourceError const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::ResourceError const&)) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1a9ca93)
#47 0x1025aec4b in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1a9ac4b)
#48 0x1012d7da9 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x7c3da9)
#49 0x100cebfba in IPC::Connection::dispatchMessage(IPC::Decoder&) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1d7fba)
#50 0x100cd47c4 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1c07c4)
#51 0x100cecca5 in IPC::Connection::dispatchOneMessage() (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1d8ca5)
#52 0x100cfd25c in IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_14::operator()() (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1e925c)
#53 0x100cfd188 in WTF::Function<void ()>::CallableWrapper<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_14>::call() (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1e9188)
#54 0x10a435830 in WTF::Function<void ()>::operator()() const (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2d85830)
#55 0x10a47fc46 in WTF::RunLoop::performWork() (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2dcfc46)
#56 0x10a480b11 in WTF::RunLoop::performWork(void*) (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2dd0b11)
#57 0x7fff81c1f880 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0xaa880)
#58 0x7fff81bfefbb in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x89fbb)
#59 0x7fff81bfe4de in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x894de)
#60 0x7fff81bfded7 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x88ed7)
#61 0x7fff82fde934 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30934)
#62 0x7fff82fde76e in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x3076e)
#63 0x7fff82fde5ae in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x305ae)
#64 0x7fff8e643df5 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x48df5)
#65 0x7fff8e643225 in -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x48225)
#66 0x7fff8e637d7f in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x3cd7f)
#67 0x7fff8e601367 in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x6367)
#68 0x7fff92f09193 in _xpc_objc_main (/usr/lib/system/libxpc.dylib+0x11193)
#69 0x7fff92f07bbd in xpc_main (/usr/lib/system/libxpc.dylib+0xfbbd)
#70 0x100afbf73 in main (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development+0x100001f73)
#71 0x7fff8ab8d5ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
#72 0x0 (<unknown module>)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2d01528) in WTFCrash
==9513==ABORTING
#CRASHED - com.apple.WebKit.WebContent.Development (pid 9513)</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are the assignee for the bug.</li>
</ul>
</body>
</html>