Bug 202910

Summary: Chromium test-case asserts with ASSERTION FAILED: hasLayer() and crashes optimized build near null
Product: WebKit Reporter: Emilio Cobos Álvarez (:emilio) <emilio>
Component: ScrollingAssignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE    
Severity: Normal CC: mrobinson, simon.fraser, webkit-bug-importer, zalan
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   

Description Emilio Cobos Álvarez (:emilio) 2019-10-13 14:32:01 PDT 
On master (247b0314320d499ae788b6ea993aa1d98e2d607e / r250962), WebKitGTK build.

Running this test-case: https://cs.chromium.org/chromium/src/third_party/blink/web_tests/fast/css/sticky/sticky-table-col-crash.html?rcl=753caf715d8f30f0c673f1b4b36dadfc75c3201f

Asserts with:

ASSERTION FAILED: hasLayer()
../../Source/WebCore/rendering/RenderBoxModelObject.cpp(563) : WebCore::LayoutSize WebCore::RenderBoxModelObject::stickyPositionOffset() const
1   0x7f9ceb98a3d3 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(WTFCrash+0x9) [0x7f9ceb98a3d3]
2   0x7f9cf76335f2 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN3WTF15CrashOnOverflow10overflowedEv+0) [0x7f9cf76335f2]
3   0x7f9cfa7d9874 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNK7WebCore20RenderBoxModelObject20stickyPositionOffsetEv+0x52) [0x7f9cfa7d9874]
4   0x7f9cfa7d995a /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNK7WebCore20RenderBoxModelObject23offsetForInFlowPositionEv+0x46) [0x7f9cfa7d995a]
5   0x7f9cfa7c8682 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNK7WebCore9RenderBox19offsetFromContainerERNS_13RenderElementERKNS_11LayoutPointEPb+0x9e) [0x7f9cfa7c8682]
6   0x7f9cfa7c7ffd /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNK7WebCore9RenderBox19mapLocalToContainerEPKNS_22RenderLayerModelObjectERNS_14TransformStateEjPb+0x279) [0x7f9cfa7c7ffd]
7   0x7f9cfa93dca9 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNK7WebCore12RenderObject15localToAbsoluteERKNS_10FloatPointEjPb+0x5f) [0x7f9cfa93dca9]
8   0x7f9cfa833151 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNK7WebCore13RenderElement16getLeadingCornerERNS_10FloatPointERb+0x8b) [0x7f9cfa833151]
9   0x7f9cfa8339ad /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNK7WebCore13RenderElement18absoluteAnchorRectEPb+0x53) [0x7f9cfa8339ad]
10  0x7f9cf9a6142c /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN7WebCore7Element14scrollIntoViewEON3WTF8OptionalINS1_7VariantIJbNS_21ScrollIntoViewOptionsEEEEEE+0x74) [0x7f9cf9a6142c]
11  0x7f9cf873e440 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0xb6e6440) [0x7f9cf873e440]
12  0x7f9cf8754da2 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0xb6fcda2) [0x7f9cf8754da2]
13  0x7f9cf873e473 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN7WebCore40jsElementPrototypeFunctionScrollIntoViewEPN3JSC14JSGlobalObjectEPNS0_9CallFrameE+0x23) [0x7f9cf873e473]
14  0x7f9c95fce16b [0x7f9c95fce16b]

This also crashes Epiphany (and probably Safari).
Comment 1 Emilio Cobos Álvarez (:emilio) 2019-10-13 14:39:07 PDT 
Err, sorry. It's a nullptr crash, so not security-sensitive.
Comment 2 Emilio Cobos Álvarez (:emilio) 2019-10-13 14:47:34 PDT 
Disregard previous comment, I accidentally thought I had filed this as security.
Comment 3 Alexey Proskuryakov 2019-10-14 17:18:54 PDT 
This looks similar to:

rdar://problem/53667513
Comment 4 Martin Robinson 2021-08-20 04:17:47 PDT 

*** This bug has been marked as a duplicate of bug 205474 ***