New issue
Advanced search Search tips

Issue 843512 link

Starred by 1 user
Status: Fixed
Owner:
dgro...@chromium.org
Closed: May 2018
Cc:
atotic@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug



Sign in to add a comment

[LayoutNG] external/wpt/css/CSS2/floats-clear/clear-applies-to-015.xht crashes

Project Member Reported by mstensho@chromium.org, May 16 2018 
100% reproduction rate if I run just that test. More flaky if I test the entire directory.

STDERR: [4:4:0516/134604.987826:FATAL:ng_physical_fragment.h(147)] Check failed: is_placed_. this=0x367c0254c3d0 for layout object LayoutNGTableCaption	div id="caption"
STDERR: #0 0x7fb35818959c base::debug::StackTrace::StackTrace()
STDERR: #1 0x7fb3580bb0c0 logging::LogMessage::~LogMessage()
STDERR: #2 0x7fb3524ac3c3 blink::NGPhysicalFragment::Offset()
STDERR: #3 0x7fb3524ac8b2 blink::LayoutNGMixin<>::NodeAtPoint()
STDERR: #4 0x7fb35240007b blink::LayoutTable::NodeAtPoint()
STDERR: #5 0x7fb3523188a2 blink::LayoutBlock::HitTestChildren()
STDERR: #6 0x7fb352337408 blink::LayoutBlockFlow::HitTestChildren()
STDERR: #7 0x7fb35234b110 blink::LayoutBox::NodeAtPoint()
STDERR: #8 0x7fb3524ac929 blink::LayoutNGMixin<>::NodeAtPoint()
STDERR: #9 0x7fb3523188a2 blink::LayoutBlock::HitTestChildren()
STDERR: #10 0x7fb352337408 blink::LayoutBlockFlow::HitTestChildren()
STDERR: #11 0x7fb35234b110 blink::LayoutBox::NodeAtPoint()
STDERR: #12 0x7fb3524ac929 blink::LayoutNGMixin<>::NodeAtPoint()
STDERR: #13 0x7fb3523e1b0c blink::LayoutObject::HitTestAllPhases()
STDERR: #14 0x7fb352337bb9 blink::LayoutBox::HitTestAllPhases()
STDERR: #15 0x7fb352695360 blink::PaintLayer::HitTestContents()
STDERR: #16 0x7fb352695042 blink::PaintLayer::HitTestContentsForFragments()
STDERR: #17 0x7fb352692ad4 blink::PaintLayer::HitTestLayer()
STDERR: #18 0x7fb352694a50 blink::PaintLayer::HitTestChildren()
STDERR: #19 0x7fb3526925f3 blink::PaintLayer::HitTestLayer()
STDERR: #20 0x7fb352691c0c blink::PaintLayer::HitTest()
STDERR: #21 0x7fb352441da3 blink::LayoutView::HitTestNoLifecycleUpdate()
STDERR: #22 0x7fb352441a83 blink::LayoutView::HitTest()
STDERR: #23 0x7fb351c583a6 blink::Document::PerformMouseEventHitTest()
STDERR: #24 0x7fb3521ea27c blink::EventHandlingUtil::PerformMouseEventHitTest()
STDERR: #25 0x7fb3521e9913 blink::EventHandler::HandleMouseMoveOrLeaveEvent()
STDERR: #26 0x7fb3521e92e4 blink::EventHandler::HandleMouseMoveEvent()
STDERR: #27 0x7fb3525e2ed4 blink::PageWidgetEventHandler::HandleMouseMove()
STDERR: #28 0x7fb3525e2d13 blink::PageWidgetDelegate::HandleInputEvent()
STDERR: #29 0x7fb351eff9bc blink::WebViewImpl::HandleInputEvent()
STDERR: #30 0x7fb35201ec28 blink::WebViewFrameWidget::HandleInputEvent()
STDERR: #31 0x7fb3575cca9e content::RenderWidgetInputHandler::HandleInputEvent()

So I guess LayoutNGTableCaption::UpdateBlockLayout() needs to place it, after all?

Comment 1 by mstensho@chromium.org, May 16 2018 

More in fast/table:

NEEDBUG fast/table/backgr_border-table-collapsed-border.html [ Crash ]
NEEDBUG fast/table/backgr_border-table-quirks-collapsed-border.html [ Crash ]
NEEDBUG fast/table/backgr_layers-show-collapsed-border.html [ Crash ]
NEEDBUG fast/table/backgr_simple-table-cell-collapsed-border.html [ Crash ]

Comment 2 by dgro...@chromium.org, May 16 2018 

atotic pointed out that

fast/table/click-near-anonymous-table.html
external/wpt/pointerevents/pointerevent_touch-action-table-test_touch-manual.html

also crash after https://chromium-review.googlesource.com/c/chromium/src/+/1054002/14/third_party/blink/renderer/core/layout/ng/layout_ng_mixin.cc landed yesterday.

Comment 3 by dgro...@chromium.org, May 17 2018

Cc: atotic@chromium.org
LayoutNGMixin::NodeAtPoint uses fragments for hit testing when the Mixin has a PaintFragment set.
https://cs.chromium.org/chromium/src/third_party/blink/renderer/core/layout/ng/la
yout_ng_mixin.cc?type=cs&sq=package:chromium&g=0&l=230

Paint does something similar but has a further check in NGBoxFragmentPainter::Paint that uses position info from LayoutBox if !PhysicalFragment().IsPlacedByLayoutNG(), which checks that the parent is also LayoutNG.
https://cs.chromium.org/chromium/src/third_party/blink/renderer/core/paint/ng/ng_box_fragment_painter.cc?type=cs&q=NGBoxFragmentPainter::Paint&g=0&l=80

Potential solutions:

(1) override LayoutNGTableCaption::SetPaintFragment to do nothing so that legacy hit testing is used
 - this would also make legacy painting be used instead of NGBlockFlowPainter

(2) Augment the `PaintFragment() ? fragments : legacy` check in LayoutNGMixin<Base>::NodeAtPoint to also use legacy if !PhysicalFragment().IsPlacedByLayoutNG():
`(PaintFragment() && PhysicalFragment().IsPlacedByLayoutNG()) ? fragments : legacy`

(3) Make legacy table layout set the caption fragment's offset the same time it sets caption.SetLogicalLocation.
https://cs.chromium.org/chromium/src/third_party/blink/renderer/core/layout/layout_table.cc?q=file:layout_table++lang:c%2B%2B&sq=package:chromium&dr&l=471

Or, equivalently, set the offset from LayoutTableCaption in an overridden SetLogicalLocation method. Oh, LayoutBox::SetLogicalLocation isn't virtual so that's out.


+atotic, who recommended (3), to see if he still recommends it in light of the (1) or (2) hacks.

(3) Doesnt seem hard, it looks like just repackaging the positioning logic at the end of LayoutNGBlockFlow::UpdateBlockLayout.


Aside:
LayoutTableCell sets a fragment position that is known to be wrong, so I don't know why its hit testing tests didn't go from pass to fail when https://chromium-review.googlesource.com/c/chromium/src/+/1054002/14/third_party/blink/renderer/core/layout/ng/layout_ng_mixin.cc landed.

Comment 4 by atotic@chromium.org, May 17 2018 

Thanks for presenting all the options. #2 is my favorite. There are probably other places in Legacy where Offset will not be set, and that will handle them all.

What surprised me was that PhysicalFragment was not placed after UpdateLayout(). Might want to add a comment to PhysicalFragment::Offset declaration:

"Offset is not guaranteed to be set after Layout for all fragments.
Fragments that are IsPlacedByLayoutNG() are guaranteed to have offset.
Use GetLayoutObject()->Location for fragments !IsPlacedByLayoutNG()"

also notify LayoutNG devs. I think "Offset is always valid after layout" is a common assumption.
Project Member

Comment 5 by bugdroid1@chromium.org, May 17 2018 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f964dc1f567b431d77fd4fd8669f16b61557fd47

commit f964dc1f567b431d77fd4fd8669f16b61557fd47
Author: Aleks Totic <atotic@chromium.org>
Date: Thu May 17 19:30:53 2018

[LayoutNG] Fix NodeAtPoint offset crashes

Fragments not placed by LayoutNG are not guaranteed to have an Offset().
Use Location instead.

Bug:  843512 
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_layout_tests_layout_ng
Change-Id: Ie43f2e0ab8f01258db8ea91fc71c1466abd11457
Reviewed-on: https://chromium-review.googlesource.com/1064597
Commit-Queue: Aleks Totic <atotic@chromium.org>
Reviewed-by: David Grogan <dgrogan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#559640}
[modify] https://crrev.com/f964dc1f567b431d77fd4fd8669f16b61557fd47/third_party/WebKit/LayoutTests/FlagExpectations/enable-blink-features=LayoutNG
[modify] https://crrev.com/f964dc1f567b431d77fd4fd8669f16b61557fd47/third_party/blink/renderer/core/layout/ng/layout_ng_mixin.cc

Comment 6 by e...@chromium.org, May 17 2018

Status: Fixed (was: Assigned)

Sign in to add a comment