LadybirdBrowser / ladybird

Truly independent web browser
https://ladybird.org
BSD 2-Clause "Simplified" License

LibWeb: Crash on https://godotengine.org #1249

Open HolonProduction opened 2 months ago

HolonProduction commented 2 months ago

https://godotengine.org/ crashes with this error when scrolling down

VERIFICATION FAILED: !height.might_be_saturated() at ~/ladybird/Userland/Libraries/LibWeb/Layout/LayoutState.cpp:563

This seems to be caused by this svg. More specifically the svg contains a rect with height 1e30.

Both Chrome and Firefox just seem to clamp the height to some arbitrary value instead of crashing.

Edit:

Attached the problematic svg, in case the site gets updated: cross-platform
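The failing check above is a fixed-point saturation guard: a value like `1e30` cannot be represented in a bounded pixel type, so the conversion clamps to the type's limit and the later `might_be_saturated()` verification fires and aborts the process. The added example below is not Ladybird's code (its `CSSPixels` type and `LayoutState` differ); it uses a hypothetical 32-bit fixed-point type `FixedPx` and a hypothetical cap `max_svg_length` to show the difference between passing an unbounded attribute value straight into fixed-point (saturated, which a release VERIFY turns into a crash) and clamping it at the parse boundary (finite, renderable, matching the "clamp to some arbitrary value" behaviour the reporter observed in other engines).

```cpp
#include <cmath>
#include <cstdint>
#include <cstdlib>
#include <limits>
#include <string>
#include <string_view>

// Hypothetical fixed-point pixel type (assumption for this example, not Ladybird's CSSPixels):
// 32-bit signed raw value with 6 fractional bits, saturating on overflow.
struct FixedPx {
    static constexpr int fractional_bits = 6;
    static constexpr int32_t max_raw = std::numeric_limits<int32_t>::max();
    static constexpr int32_t min_raw = std::numeric_limits<int32_t>::min();
    int32_t raw = 0;

    // Convert a double to fixed point, clamping to the representable range instead of overflowing.
    static FixedPx from_double(double value)
    {
        double scaled = std::round(value * (1 << fractional_bits));
        FixedPx px;
        if (std::isnan(scaled))
            px.raw = 0;
        else if (scaled >= static_cast<double>(max_raw))
            px.raw = max_raw;
        else if (scaled <= static_cast<double>(min_raw))
            px.raw = min_raw;
        else
            px.raw = static_cast<int32_t>(scaled);
        return px;
    }

    // True when the value sits at either limit, i.e. precision was lost to saturation.
    bool might_be_saturated() const { return raw == max_raw || raw == min_raw; }
    double to_double() const { return static_cast<double>(raw) / (1 << fractional_bits); }
};

// Largest SVG length accepted from markup before conversion (constructed cap, not a spec value).
constexpr double max_svg_length = 1.0e7;

// Parse the numeric part of an SVG <length> attribute such as "1e30" or "12.5px".
// Units are ignored here; NaN, infinity and non-numeric input are rejected.
bool parse_svg_length(std::string_view text, double& out)
{
    std::string s(text);
    char* end = nullptr;
    double v = std::strtod(s.c_str(), &end);
    if (end == s.c_str())
        return false;
    if (std::isnan(v) || std::isinf(v))
        return false;
    out = v;
    return true;
}

// Unclamped path: the attribute value goes straight into fixed point.
// For "1e30" this yields a saturated value, the condition the VERIFY above rejects.
FixedPx content_height_unclamped(std::string_view attr)
{
    double v = 0;
    if (!parse_svg_length(attr, v))
        return FixedPx {};
    return FixedPx::from_double(v);
}

// Clamped path: negative rect heights are invalid and become 0, oversized ones are
// capped at max_svg_length, so the fixed-point result is never saturated.
FixedPx content_height_clamped(std::string_view attr)
{
    double v = 0;
    if (!parse_svg_length(attr, v))
        return FixedPx {};
    if (v < 0)
        v = 0;
    if (v > max_svg_length)
        v = max_svg_length;
    return FixedPx::from_double(v);
}
```

Clamping at the point where untrusted markup enters the numeric domain means the layout code's invariant (no saturated lengths) holds by construction, rather than being enforced by an assertion that any page can trigger with a single attribute.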

ChaseKnowlden commented 1 month ago

frame #0: 0x0000000105850ab8 liblagom-ak.0.dylib`::ak_verification_failed() at Assertions.cpp:102:5 [opt]
frame #1: 0x0000000108a586bc liblagom-web.0.dylib`::set_content_height() at LayoutState.cpp:587:5 [opt]
frame #2: 0x0000000108a6a6b8 liblagom-web.0.dylib`::layout_path_like_element() at SVGFormattingContext.cpp:393:24 [opt]
frame #3: 0x0000000108a69d3c liblagom-web.0.dylib`::layout_graphics_element() at SVGFormattingContext.cpp:414:9 [opt]
frame #4: 0x0000000108a697d0 liblagom-web.0.dylib`::layout_svg_element() at SVGFormattingContext.cpp:277:9 [opt] [artificial]
frame #5: 0x0000000108a6a934 liblagom-web.0.dylib`::layout_container_element() [inlined] operator() at SVGFormattingContext.cpp:473:9 [opt]
frame #6: 0x0000000108a6a8fc liblagom-web.0.dylib`::layout_container_element() [inlined] for_each_child_of_type<Web::Layout::Box, (lambda at /Users/chase/dev/ladybird/Userland/Libraries/LibWeb/Layout/SVGFormattingContext.cpp:469:43)> at TreeNode.h:239:21 [opt]
frame #7: 0x0000000108a6a89c liblagom-web.0.dylib`::layout_container_element() [inlined] for_each_child_of_type<Web::Layout::Box, (lambda at /Users/chase/dev/ladybird/Userland/Libraries/LibWeb/Layout/SVGFormattingContext.cpp:469:43)> at TreeNode.h:248:54 [opt]
frame #8: 0x0000000108a6a89c liblagom-web.0.dylib`::layout_container_element() at SVGFormattingContext.cpp:469:15 [opt]
frame #9: 0x0000000108a69d24 liblagom-web.0.dylib`::layout_graphics_element() at SVGFormattingContext.cpp:409:9 [opt]
frame #10: 0x0000000108a697d0 liblagom-web.0.dylib`::layout_svg_element() at SVGFormattingContext.cpp:277:9 [opt] [artificial]
frame #11: 0x0000000108a69250 liblagom-web.0.dylib`::run() [inlined] operator() at SVGFormattingContext.cpp:258:9 [opt]
frame #12: 0x0000000108a69244 liblagom-web.0.dylib`::run() [inlined] for_each_child_of_type<Web::Layout::Box, (lambda at /Users/chase/dev/ladybird/Userland/Libraries/LibWeb/Layout/SVGFormattingContext.cpp:257:47)> at TreeNode.h:239:21 [opt]
frame #13: 0x0000000108a69214 liblagom-web.0.dylib`::run() [inlined] for_each_child_of_type<Web::Layout::Box, (lambda at /Users/chase/dev/ladybird/Userland/Libraries/LibWeb/Layout/SVGFormattingContext.cpp:257:47)> at TreeNode.h:248:54 [opt]
frame #14: 0x0000000108a69214 liblagom-web.0.dylib`::run() at SVGFormattingContext.cpp:257:19 [opt]
frame #15: 0x0000000108a1d120 liblagom-web.0.dylib`::layout_viewport() at BlockFormattingContext.cpp:1000:33 [opt]
frame #16: 0x00000001087f6bb0 liblagom-web.0.dylib`::update_layout() at Document.cpp:1199:33 [opt]
frame #17: 0x0000000108b10cdc liblagom-web.0.dylib`::render() at SVGDecodedImageData.cpp:93:17 [opt]
frame #18: 0x0000000108b10f48 liblagom-web.0.dylib`::bitmap() at SVGDecodedImageData.cpp:127:59 [opt]
frame #19: 0x0000000108ab854c liblagom-web.0.dylib`::paint() at ImagePaintable.cpp:70:51 [opt]
frame #20: 0x0000000108ace2ec liblagom-web.0.dylib`::paint_node_as_stacking_context() [inlined] paint_node at StackingContext.cpp:29:15 [opt]
frame #21: 0x0000000108ace2bc liblagom-web.0.dylib`::paint_node_as_stacking_context() at StackingContext.cpp:89:5 [opt]
frame #22: 0x0000000108acf420 liblagom-web.0.dylib`::paint_internal() at StackingContext.cpp:227:13 [opt]
frame #23: 0x0000000108acef60 liblagom-web.0.dylib`::paint() at StackingContext.cpp:335:5 [opt]
frame #24: 0x0000000108ace6c0 liblagom-web.0.dylib`::paint_child() at StackingContext.cpp:183:11 [opt]
frame #25: 0x0000000108ace5b4 liblagom-web.0.dylib`::for_each_child<(lambda at /Users/chase/dev/ladybird/Userland/Libraries/LibWeb/Painting/StackingContext.cpp:100:30)>() [inlined] for_each_child<(lambda at /Users/chase/dev/ladybird/Userland/Libraries/LibWeb/Painting/StackingContext.cpp:100:30)> at TreeNode.h:229:17 [opt]
frame #26: 0x0000000108ace5a0 liblagom-web.0.dylib`::for_each_child<(lambda at /Users/chase/dev/ladybird/Userland/Libraries/LibWeb/Painting/StackingContext.cpp:100:30)>() at TreeNode.h:222:45 [opt]
frame #27: 0x0000000108acf38c liblagom-web.0.dylib`::paint_internal() [inlined] for_each_child<(lambda at /Users/chase/dev/ladybird/Userland/Libraries/LibWeb/Painting/StackingContext.cpp:100:30)> at TreeNode.h:222:45 [opt]
frame #28: 0x0000000108acf380 liblagom-web.0.dylib`::paint_internal() [inlined] paint_descendants at StackingContext.cpp:100:15 [opt]
frame #29: 0x0000000108acf364 liblagom-web.0.dylib`::paint_internal() at StackingContext.cpp:211:5 [opt]
frame #30: 0x0000000108acef60 liblagom-web.0.dylib`::paint() at StackingContext.cpp:335:5 [opt]
frame #31: 0x0000000108806f34 liblagom-web.0.dylib`::record_display_list() at Document.cpp:5577:24 [opt]
frame #32: 0x00000001089f2c6c liblagom-web.0.dylib`::paint() at TraversableNavigable.cpp:1364:35 [opt]
frame #33: 0x0000000105051c30 WebContent`::paint_next_frame() [inlined] paint at PageClient.cpp:209:37 [opt]
frame #34: 0x0000000105051c08 WebContent`::paint_next_frame() at PageClient.cpp:197:5 [opt]
frame #35: 0x00000001088ea3d4 liblagom-web.0.dylib`::call() [inlined] operator() at EventLoop.cpp:377:39 [opt]
frame #36: 0x00000001088e9fec liblagom-web.0.dylib`::call() at Function.h:187:20 [opt]
frame #37: 0x000000010869ed30 liblagom-web.0.dylib`::operator()() at Function.h:120:25 [opt]
frame #38: 0x00000001088e8c4c liblagom-web.0.dylib`::process() at EventLoop.cpp:171:22 [opt]
frame #39: 0x0000000108adf428 liblagom-web.0.dylib`::call() [inlined] operator() at SafeFunction.h:85:25 [opt]
frame #40: 0x0000000108adf40c liblagom-web.0.dylib`::call() [inlined] operator() at TimerSerenity.cpp:23:13 [opt]
frame #41: 0x0000000108adf3e4 liblagom-web.0.dylib`::call() at Function.h:187:20 [opt]
frame #42: 0x00000001054f95c8 liblagom-core.0.dylib`::operator()() at Function.h:120:25 [opt]
frame #43: 0x00000001054fe690 liblagom-core.0.dylib`::dispatch_event() at EventReceiver.cpp:162:17 [opt]
frame #44: 0x0000000104ffbdb4 WebContent`::impl() [inlined] qt_timer_fired at EventLoopImplementationQt.cpp:227:12 [opt]
frame #45: 0x0000000104ffbd6c WebContent`::impl() [inlined] operator() at EventLoopImplementationQt.cpp:241:9 [opt]
frame #46: 0x0000000104ffbd34 WebContent`::impl() [inlined] call at qobjectdefs_impl.h:137:13 [opt]
frame #47: 0x0000000104ffbd34 WebContent`::impl() [inlined] call<QtPrivate::List<>, void> at qobjectdefs_impl.h:345:13 [opt]
frame #48: 0x0000000104ffbd34 WebContent`::impl() at qobjectdefs_impl.h:555:21 [opt]
frame #49: 0x00000001065d2180 QtCore`void doActivate<false>(QObject*, int, void**) + 1204
frame #50: 0x00000001065e11f0 QtCore`QTimer::timerEvent(QTimerEvent*) + 136
frame #51: 0x00000001065ccbc8 QtCore`QObject::event(QEvent*) + 616
frame #52: 0x0000000106596334 QtCore`QCoreApplication::notifyInternal2(QObject*, QEvent*) + 204
frame #53: 0x00000001066bdc38 QtCore`QTimerInfoList::activateTimers() + 568
frame #54: 0x00000001066c0abc QtCore`QEventDispatcherUNIX::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) + 752
frame #55: 0x000000010659dae4 QtCore`QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) + 448
frame #56: 0x00000001054f6d3c liblagom-core.0.dylib`::exec() at EventLoop.cpp:88:20 [opt]
frame #57: 0x0000000105005fa0 WebContent`::serenity_main() at main.cpp:209:23 [opt]
frame #58: 0x0000000105098358 WebContent`main at Main.cpp:39:19 [opt]
frame #59: 0x000000018fa58274 dyld`start + 2840

shlyakpavel commented 2 weeks ago

After two months now, I can confirm the issue persists. Here's my stack trace (via lldb):

* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BREAKPOINT (code=1, subcode=0x103087118)
  * frame #0: 0x0000000103087118 liblagom-ak.0.0.0.dylib`::ak_verification_failed() at Assertions.cpp:102:5 [opt]
    frame #1: 0x0000000105065c60 liblagom-web.0.0.0.dylib`::set_content_height() at LayoutState.cpp:607:5 [opt]
    frame #2: 0x000000010507859c liblagom-web.0.0.0.dylib`::layout_path_like_element() at SVGFormattingContext.cpp:393:24 [opt]
    frame #3: 0x0000000105077c20 liblagom-web.0.0.0.dylib`::layout_graphics_element() at SVGFormattingContext.cpp:414:9 [opt]
    frame #4: 0x00000001050776b4 liblagom-web.0.0.0.dylib`::layout_svg_element() at SVGFormattingContext.cpp:277:9 [opt] [artificial]
    frame #5: 0x0000000105078818 liblagom-web.0.0.0.dylib`::layout_container_element() [inlined] operator() at SVGFormattingContext.cpp:473:9 [opt]
    frame #6: 0x00000001050787e0 liblagom-web.0.0.0.dylib`::layout_container_element() [inlined] for_each_child_of_type<Web::Layout::Box, (lambda at /Users/pavel/Develop/ladybird/Userland/Libraries/LibWeb/Layout/SVGFormattingContext.cpp:469:43)> at TreeNode.h:239:21 [opt]
    frame #7: 0x0000000105078780 liblagom-web.0.0.0.dylib`::layout_container_element() [inlined] for_each_child_of_type<Web::Layout::Box, (lambda at /Users/pavel/Develop/ladybird/Userland/Libraries/LibWeb/Layout/SVGFormattingContext.cpp:469:43)> at TreeNode.h:248:54 [opt]
    frame #8: 0x0000000105078780 liblagom-web.0.0.0.dylib`::layout_container_element() at SVGFormattingContext.cpp:469:15 [opt]
    frame #9: 0x0000000105077c08 liblagom-web.0.0.0.dylib`::layout_graphics_element() at SVGFormattingContext.cpp:409:9 [opt]
    frame #10: 0x00000001050776b4 liblagom-web.0.0.0.dylib`::layout_svg_element() at SVGFormattingContext.cpp:277:9 [opt] [artificial]
    frame #11: 0x0000000105077134 liblagom-web.0.0.0.dylib`::run() [inlined] operator() at SVGFormattingContext.cpp:258:9 [opt]
    frame #12: 0x0000000105077128 liblagom-web.0.0.0.dylib`::run() [inlined] for_each_child_of_type<Web::Layout::Box, (lambda at /Users/pavel/Develop/ladybird/Userland/Libraries/LibWeb/Layout/SVGFormattingContext.cpp:257:47)> at TreeNode.h:239:21 [opt]
    frame #13: 0x00000001050770f8 liblagom-web.0.0.0.dylib`::run() [inlined] for_each_child_of_type<Web::Layout::Box, (lambda at /Users/pavel/Develop/ladybird/Userland/Libraries/LibWeb/Layout/SVGFormattingContext.cpp:257:47)> at TreeNode.h:248:54 [opt]
    frame #14: 0x00000001050770f8 liblagom-web.0.0.0.dylib`::run() at SVGFormattingContext.cpp:257:19 [opt]
    frame #15: 0x00000001050297c0 liblagom-web.0.0.0.dylib`::layout_viewport() at BlockFormattingContext.cpp:1000:33 [opt]
    frame #16: 0x0000000104dfccb0 liblagom-web.0.0.0.dylib`::update_layout() at Document.cpp:1213:33 [opt]
    frame #17: 0x0000000105120f58 liblagom-web.0.0.0.dylib`::render() at SVGDecodedImageData.cpp:93:17 [opt]
    frame #18: 0x00000001051211c4 liblagom-web.0.0.0.dylib`::bitmap() at SVGDecodedImageData.cpp:127:59 [opt]
    frame #19: 0x00000001050c774c liblagom-web.0.0.0.dylib`::paint() at ImagePaintable.cpp:70:51 [opt]
    frame #20: 0x00000001050d99d4 liblagom-web.0.0.0.dylib`::paint_node_as_stacking_context() [inlined] paint_node at StackingContext.cpp:26:15 [opt]
    frame #21: 0x00000001050d99a4 liblagom-web.0.0.0.dylib`::paint_node_as_stacking_context() at StackingContext.cpp:91:5 [opt]
    frame #22: 0x00000001050dacb0 liblagom-web.0.0.0.dylib`::paint_internal() at StackingContext.cpp:248:13 [opt]
    frame #23: 0x00000001050da694 liblagom-web.0.0.0.dylib`::paint() at StackingContext.cpp:355:5 [opt]
    frame #24: 0x00000001050d9ed4 liblagom-web.0.0.0.dylib`::paint_child() at StackingContext.cpp:197:11 [opt]
    frame #25: 0x00000001050daca0 liblagom-web.0.0.0.dylib`::paint_internal() at StackingContext.cpp:246:13 [opt]
    frame #26: 0x00000001050da694 liblagom-web.0.0.0.dylib`::paint() at StackingContext.cpp:355:5 [opt]
    frame #27: 0x00000001050d9ed4 liblagom-web.0.0.0.dylib`::paint_child() at StackingContext.cpp:197:11 [opt]
    frame #28: 0x00000001050daca0 liblagom-web.0.0.0.dylib`::paint_internal() at StackingContext.cpp:246:13 [opt]
    frame #29: 0x00000001050da694 liblagom-web.0.0.0.dylib`::paint() at StackingContext.cpp:355:5 [opt]
    frame #30: 0x0000000104e0db14 liblagom-web.0.0.0.dylib`::record_display_list() at Document.cpp:5656:24 [opt]
    frame #31: 0x0000000104ffe1b8 liblagom-web.0.0.0.dylib`::paint() at TraversableNavigable.cpp:1389:35 [opt]
    frame #32: 0x000000010293e648 WebContent`::paint_next_frame() [inlined] paint at PageClient.cpp:212:37 [opt]
    frame #33: 0x000000010293e620 WebContent`::paint_next_frame() at PageClient.cpp:200:5 [opt]
    frame #34: 0x0000000104ef2378 liblagom-web.0.0.0.dylib`::update_the_rendering() at EventLoop.cpp:388:31 [opt]
    frame #35: 0x0000000104c748c8 liblagom-web.0.0.0.dylib`::operator()() at Function.h:120:25 [opt]
    frame #36: 0x0000000104ef1a8c liblagom-web.0.0.0.dylib`::process() at EventLoop.cpp:177:22 [opt]
    frame #37: 0x0000000104c748c8 liblagom-web.0.0.0.dylib`::operator()() at Function.h:120:25 [opt]
    frame #38: 0x0000000102ca6708 liblagom-core.0.0.0.dylib`::operator()() at Function.h:120:25 [opt]
    frame #39: 0x0000000102cab7d0 liblagom-core.0.0.0.dylib`::dispatch_event() at EventReceiver.cpp:162:17 [opt]
    frame #40: 0x0000000102cba2bc liblagom-core.0.0.0.dylib`::process() at ThreadEventQueue.cpp:121:23 [opt]
    frame #41: 0x0000000102ca562c liblagom-core.0.0.0.dylib`::exec() [inlined] pump at EventLoopImplementationUnix.cpp:324:40 [opt]
    frame #42: 0x0000000102ca5618 liblagom-core.0.0.0.dylib`::exec() at EventLoopImplementationUnix.cpp:316:9 [opt]
    frame #43: 0x0000000102ca3e7c liblagom-core.0.0.0.dylib`::exec() at EventLoop.cpp:88:20 [opt]
    frame #44: 0x00000001028f48c4 WebContent`::serenity_main() at main.cpp:208:23 [opt]
    frame #45: 0x000000010298c508 WebContent`main at Main.cpp:39:19 [opt]
    frame #46: 0x0000000194090274 dyld`start + 2840

shlyakpavel commented 2 days ago

It still crashes as of f638f84185938c74a47f5691e8d7c5e1d4dca07c