Bug 202910

Summary: Chromium test-case asserts with ASSERTION FAILED: hasLayer() and crashes optimized build near null
Product: WebKit Reporter: Emilio Cobos Álvarez (:emilio) <emilio>
Component: ScrollingAssignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE    
Severity: Normal CC: mrobinson, simon.fraser, webkit-bug-importer, zalan
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   

Emilio Cobos Álvarez (:emilio)
Reported 2019-10-13 14:32:01 PDT
On master (247b0314320d499ae788b6ea993aa1d98e2d607e / r250962), WebKitGTK build. Running this test-case: https://cs.chromium.org/chromium/src/third_party/blink/web_tests/fast/css/sticky/sticky-table-col-crash.html?rcl=753caf715d8f30f0c673f1b4b36dadfc75c3201f Asserts with: ASSERTION FAILED: hasLayer() ../../Source/WebCore/rendering/RenderBoxModelObject.cpp(563) : WebCore::LayoutSize WebCore::RenderBoxModelObject::stickyPositionOffset() const 1 0x7f9ceb98a3d3 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(WTFCrash+0x9) [0x7f9ceb98a3d3] 2 0x7f9cf76335f2 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN3WTF15CrashOnOverflow10overflowedEv+0) [0x7f9cf76335f2] 3 0x7f9cfa7d9874 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNK7WebCore20RenderBoxModelObject20stickyPositionOffsetEv+0x52) [0x7f9cfa7d9874] 4 0x7f9cfa7d995a /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNK7WebCore20RenderBoxModelObject23offsetForInFlowPositionEv+0x46) [0x7f9cfa7d995a] 5 0x7f9cfa7c8682 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNK7WebCore9RenderBox19offsetFromContainerERNS_13RenderElementERKNS_11LayoutPointEPb+0x9e) [0x7f9cfa7c8682] 6 0x7f9cfa7c7ffd /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNK7WebCore9RenderBox19mapLocalToContainerEPKNS_22RenderLayerModelObjectERNS_14TransformStateEjPb+0x279) [0x7f9cfa7c7ffd] 7 0x7f9cfa93dca9 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNK7WebCore12RenderObject15localToAbsoluteERKNS_10FloatPointEjPb+0x5f) [0x7f9cfa93dca9] 8 0x7f9cfa833151 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNK7WebCore13RenderElement16getLeadingCornerERNS_10FloatPointERb+0x8b) [0x7f9cfa833151] 9 0x7f9cfa8339ad /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNK7WebCore13RenderElement18absoluteAnchorRectEPb+0x53) [0x7f9cfa8339ad] 10 0x7f9cf9a6142c /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN7WebCore7Element14scrollIntoViewEON3WTF8OptionalINS1_7VariantIJbNS_21ScrollIntoViewOptionsEEEEEE+0x74) [0x7f9cf9a6142c] 11 0x7f9cf873e440 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0xb6e6440) [0x7f9cf873e440] 12 0x7f9cf8754da2 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0xb6fcda2) [0x7f9cf8754da2] 13 0x7f9cf873e473 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN7WebCore40jsElementPrototypeFunctionScrollIntoViewEPN3JSC14JSGlobalObjectEPNS0_9CallFrameE+0x23) [0x7f9cf873e473] 14 0x7f9c95fce16b [0x7f9c95fce16b] This also crashes Epiphany (and probably Safari).
Attachments
Add attachment proposed patch, testcase, etc.
Emilio Cobos Álvarez (:emilio)
Comment 1 2019-10-13 14:39:07 PDT
Err, sorry. It's a nullptr crash, so not security-sensitive.
Emilio Cobos Álvarez (:emilio)
Comment 2 2019-10-13 14:47:34 PDT
Disregard previous comment, I accidentally thought I had filed this as security.
Alexey Proskuryakov
Comment 3 2019-10-14 17:18:54 PDT
This looks similar to: rdar://problem/53667513
Martin Robinson
Comment 4 2021-08-20 04:17:47 PDT
*** This bug has been marked as a duplicate of bug 205474 ***
Note You need to log in before you can comment on or make changes to this bug.