202910 2019-10-13 14:32:01 -0700 Chromium test-case asserts with ASSERTION FAILED: hasLayer() and crashes optimized build near null 2021-08-20 04:17:47 -0700 1 1 1 Unclassified WebKit Scrolling WebKit Nightly Build Unspecified Unspecified RESOLVED DUPLICATE 205474 InRadar P2 Normal --- 1 emilio webkit-unassigned mrobinson simon.fraser webkit-bug-importer zalan oldest_to_newest 1579526 0 emilio 2019-10-13 14:32:01 -0700 On master (247b0314320d499ae788b6ea993aa1d98e2d607e / r250962), WebKitGTK build. Running this test-case: https://cs.chromium.org/chromium/src/third_party/blink/web_tests/fast/css/sticky/sticky-table-col-crash.html?rcl=753caf715d8f30f0c673f1b4b36dadfc75c3201f Asserts with: ASSERTION FAILED: hasLayer() ../../Source/WebCore/rendering/RenderBoxModelObject.cpp(563) : WebCore::LayoutSize WebCore::RenderBoxModelObject::stickyPositionOffset() const 1 0x7f9ceb98a3d3 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(WTFCrash+0x9) [0x7f9ceb98a3d3] 2 0x7f9cf76335f2 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN3WTF15CrashOnOverflow10overflowedEv+0) [0x7f9cf76335f2] 3 0x7f9cfa7d9874 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNK7WebCore20RenderBoxModelObject20stickyPositionOffsetEv+0x52) [0x7f9cfa7d9874] 4 0x7f9cfa7d995a /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNK7WebCore20RenderBoxModelObject23offsetForInFlowPositionEv+0x46) [0x7f9cfa7d995a] 5 0x7f9cfa7c8682 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNK7WebCore9RenderBox19offsetFromContainerERNS_13RenderElementERKNS_11LayoutPointEPb+0x9e) [0x7f9cfa7c8682] 6 0x7f9cfa7c7ffd /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNK7WebCore9RenderBox19mapLocalToContainerEPKNS_22RenderLayerModelObjectERNS_14TransformStateEjPb+0x279) [0x7f9cfa7c7ffd] 7 0x7f9cfa93dca9 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNK7WebCore12RenderObject15localToAbsoluteERKNS_10FloatPointEjPb+0x5f) [0x7f9cfa93dca9] 8 0x7f9cfa833151 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNK7WebCore13RenderElement16getLeadingCornerERNS_10FloatPointERb+0x8b) [0x7f9cfa833151] 9 0x7f9cfa8339ad /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNK7WebCore13RenderElement18absoluteAnchorRectEPb+0x53) [0x7f9cfa8339ad] 10 0x7f9cf9a6142c /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN7WebCore7Element14scrollIntoViewEON3WTF8OptionalINS1_7VariantIJbNS_21ScrollIntoViewOptionsEEEEEE+0x74) [0x7f9cf9a6142c] 11 0x7f9cf873e440 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0xb6e6440) [0x7f9cf873e440] 12 0x7f9cf8754da2 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0xb6fcda2) [0x7f9cf8754da2] 13 0x7f9cf873e473 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN7WebCore40jsElementPrototypeFunctionScrollIntoViewEPN3JSC14JSGlobalObjectEPNS0_9CallFrameE+0x23) [0x7f9cf873e473] 14 0x7f9c95fce16b [0x7f9c95fce16b] This also crashes Epiphany (and probably Safari). 1579527 1 emilio 2019-10-13 14:39:07 -0700 Err, sorry. It's a nullptr crash, so not security-sensitive. 1579532 2 emilio 2019-10-13 14:47:34 -0700 Disregard previous comment, I accidentally thought I had filed this as security. 1579915 3 ap 2019-10-14 17:18:54 -0700 This looks similar to: rdar://problem/53667513 1785779 4 mrobinson 2021-08-20 04:17:47 -0700 *** This bug has been marked as a duplicate of bug 205474 ***