Bug 261110

Summary:	Crash in InlineDisplayContentBuilder::setGeometryForBlockLevelOutOfFlowBoxes
Product:	WebKit	Reporter:	Andrei Bucur <abucur>
Component:	Layout and Rendering	Assignee:	alan <zalan>
Status:	RESOLVED INVALID
Severity:	Normal	CC:	bfulgham, simon.fraser, webkit-bug-importer, zalan
Priority:	P2	Keywords:	InRadar
Version:	WebKit Nightly Build
Hardware:	Unspecified
OS:	Unspecified

Andrei Bucur

Reported 2023-09-04 04:04:37 PDT

Steps to reproduce: 1. Navigate to https://new.express.adobe.com and login or create a new account. 2. Create a new document (Flyer for example). Expected: - The new document with a canvas is displayed. Actual: - Crash in InlineDisplayContentBuilder::setGeometryForBlockLevelOutOfFlowBoxes Call stack: #0 0x00000001393edba4 in ::WTFCrash() at /Users/abucur/GitPublic/WebKit/Source/WTF/wtf/Assertions.cpp:327 #1 0x0000000282bb2afc in WTF::CrashOnOverflow::crash() at /Users/abucur/GitPublic/WebKit/WebKitBuild/Debug/usr/local/include/wtf/CheckedArithmetic.h:109 #2 0x0000000282bb2c74 in WTF::CrashOnOverflow::overflowed() at /Users/abucur/GitPublic/WebKit/WebKitBuild/Debug/usr/local/include/wtf/CheckedArithmetic.h:102 #3 0x000000028319abc0 in WTF::Vector<int, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::at(unsigned long) const at /Users/abucur/GitPublic/WebKit/WebKitBuild/Debug/usr/local/include/wtf/Vector.h:784 #4 0x000000028460c61c in WTF::Vector<int, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::operator[](unsigned long) const at /Users/abucur/GitPublic/WebKit/WebKitBuild/Debug/usr/local/include/wtf/Vector.h:789 #5 0x00000002845f55f8 in WebCore::Layout::InlineDisplayContentBuilder::setGeometryForBlockLevelOutOfFlowBoxes(WTF::Vector<unsigned long, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WebCore::Layout::LineBox const&, WTF::Vector<WebCore::Layout::Line::Run, 10ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WTF::Vector<int, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&)::$_12::operator()() const at /Users/abucur/GitPublic/WebKit/Source/WebCore/layout/formattingContexts/inline/display/InlineDisplayContentBuilder.cpp:902 #6 0x00000002845f34b8 in WebCore::Layout::InlineDisplayContentBuilder::setGeometryForBlockLevelOutOfFlowBoxes(WTF::Vector<unsigned long, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WebCore::Layout::LineBox const&, WTF::Vector<WebCore::Layout::Line::Run, 10ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WTF::Vector<int, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&) at /Users/abucur/GitPublic/WebKit/Source/WebCore/layout/formattingContexts/inline/display/InlineDisplayContentBuilder.cpp:911 #7 0x00000002845f50bc in WebCore::Layout::InlineDisplayContentBuilder::processBidiContent(WebCore::Layout::LineLayoutResult const&, WebCore::Layout::LineBox const&, WTF::Vector<WebCore::InlineDisplay::Box, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&)::$_1::operator()() const at /Users/abucur/GitPublic/WebKit/Source/WebCore/layout/formattingContexts/inline/display/InlineDisplayContentBuilder.cpp:789 #8 0x00000002845f02b4 in WebCore::Layout::InlineDisplayContentBuilder::processBidiContent(WebCore::Layout::LineLayoutResult const&, WebCore::Layout::LineBox const&, WTF::Vector<WebCore::InlineDisplay::Box, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&) at /Users/abucur/GitPublic/WebKit/Source/WebCore/layout/formattingContexts/inline/display/InlineDisplayContentBuilder.cpp:791 #9 0x00000002845f002c in WebCore::Layout::InlineDisplayContentBuilder::build(WebCore::Layout::LineLayoutResult const&, WebCore::Layout::LineBox const&) at /Users/abucur/GitPublic/WebKit/Source/WebCore/layout/formattingContexts/inline/display/InlineDisplayContentBuilder.cpp:102 #10 0x000000028458e1b8 in WebCore::Layout::InlineFormattingContext::createDisplayContentForLine(unsigned long, WebCore::Layout::LineLayoutResult const&, WebCore::Layout::ConstraintsForInlineContent const&, WebCore::Layout::InlineLayoutState&, WebCore::InlineDisplay::Content&) at /Users/abucur/GitPublic/WebKit/Source/WebCore/layout/formattingContexts/inline/InlineFormattingContext.cpp:268 #11 0x000000028458d310 in WebCore::Layout::InlineFormattingContext::lineLayout(WebCore::Layout::AbstractLineBuilder&, WTF::Vector<WebCore::Layout::InlineItem, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WebCore::Layout::InlineItemRange, std::__1::optional<WebCore::Layout::PreviousLine>, WebCore::Layout::ConstraintsForInlineContent const&, WebCore::Layout::InlineLayoutState&, WebCore::Layout::InlineDamage const*) at /Users/abucur/GitPublic/WebKit/Source/WebCore/layout/formattingContexts/inline/InlineFormattingContext.cpp:185 #12 0x000000028458c6ec in WebCore::Layout::InlineFormattingContext::layout(WebCore::Layout::ConstraintsForInlineContent const&, WebCore::Layout::InlineLayoutState&, WebCore::Layout::InlineDamage const*) at /Users/abucur/GitPublic/WebKit/Source/WebCore/layout/formattingContexts/inline/InlineFormattingContext.cpp:114 #13 0x000000028465ddf8 in WebCore::LayoutIntegration::LineLayout::layout() at /Users/abucur/GitPublic/WebKit/Source/WebCore/layout/integration/inline/LayoutIntegrationLineLayout.cpp:590

Attachments
Add attachment proposed patch, testcase, etc.

Andrei Bucur

Comment 1 2023-09-04 04:09:38 PDT

The crash is new and may be related to a very recent change https://github.com/WebKit/WebKit/commit/86bdc446a589be89d1762044237b660ea79564fb#diff-8b557795cfc06ab1c276ece8f0fc44d66e5f7d8c14d0d941468ca0f07a997188R902

Radar WebKit Bug Importer

Comment 2 2023-09-04 07:18:21 PDT

<rdar://problem/114935494>

alan

Comment 3 2023-09-05 10:37:17 PDT

I can't reproduce this :(

Andrei Bucur

Comment 4 2023-09-05 12:13:31 PDT

I'm no longer able to reproduce this issue on main or nightly. Likely fixed by one of the patches in this area, as it's being developed.

alan

Comment 5 2023-09-05 12:17:10 PDT

Thank you for confirming it!

Note You need to log in before you can comment on or make changes to this bug.