Bug 223369

Summary: Nullopt in RenderFlexibleBox::layoutFlexItems in RenderFlexibleBox::layoutBlock via RenderMultiColumnFlow::layout
Product: WebKit
Reporter: Ryosuke Niwa <rniwa>
Component: Layout and Rendering
Assignee: Sergio Villar Senin <svillar>
Status: RESOLVED FIXED
Severity: Normal
CC: achristensen, bfulgham, cgarcia, ews-feeder, fred.wang, gpoo, jfernandez, koivisto, product-security, rbuis, simon.fraser, svillar, webkit-bug-importer, zalan
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified

Attachments:
Test: no flags
Patch: zalan: review+, ews-feeder: commit-queue-

Description Ryosuke Niwa 2021-03-17 01:41:30 PDT
Created attachment 423454 [details]
Test

e.g.

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x00000001345540fe WTF::Optional<WebCore::LayoutUnit>::value() && + 46 (Optional.h:555)
1   com.apple.WebCore             	0x000000013470fd3e WebCore::RenderFlexibleBox::computeInnerFlexBaseSizeForChild(WebCore::RenderBox&, WebCore::LayoutUnit) + 398 (RenderFlexibleBox.cpp:932)
2   com.apple.WebCore             	0x0000000134710bda WebCore::RenderFlexibleBox::constructFlexItem(WebCore::RenderBox&, bool) + 506 (RenderFlexibleBox.cpp:1319)
3   com.apple.WebCore             	0x0000000134707e32 WebCore::RenderFlexibleBox::layoutFlexItems(bool) + 626 (RenderFlexibleBox.cpp:974)
4   com.apple.WebCore             	0x0000000134707277 WebCore::RenderFlexibleBox::layoutBlock(bool, WebCore::LayoutUnit) + 999 (RenderFlexibleBox.cpp:303)
5   com.apple.WebCore             	0x00000001345c4525 WebCore::RenderBlock::layout() + 277 (RenderBlock.cpp:598)
6   com.apple.WebCore             	0x00000001344fadd7 WebCore::RenderElement::layoutIfNeeded() + 71 (RenderElement.h:124)
7   com.apple.WebCore             	0x00000001344f97d6 WebCore::ComplexLineLayout::layoutLineBoxes(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 1030 (ComplexLineLayout.cpp:1783)
8   com.apple.WebCore             	0x00000001345f6760 WebCore::RenderBlockFlow::layoutInlineChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 368 (RenderBlockFlow.cpp:704)
9   com.apple.WebCore             	0x00000001345f4c1d WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 1229 (RenderBlockFlow.cpp:523)
10  com.apple.WebCore             	0x00000001345c4525 WebCore::RenderBlock::layout() + 277 (RenderBlock.cpp:598)
11  com.apple.WebCore             	0x0000000134723027 WebCore::RenderFragmentedFlow::layout() + 279 (RenderFragmentedFlow.cpp:153)
12  com.apple.WebCore             	0x0000000134885911 WebCore::RenderMultiColumnFlow::layout() + 177 (RenderMultiColumnFlow.cpp:128)
13  com.apple.WebCore             	0x000000013461b7c4 WebCore::RenderBlockFlow::layoutExcludedChildren(bool) + 196 (RenderBlockFlow.cpp:3961)
14  com.apple.WebCore             	0x00000001345f69a3 WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 467 (RenderBlockFlow.cpp:645)
15  com.apple.WebCore             	0x00000001345f4c28 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 1240 (RenderBlockFlow.cpp:525)
16  com.apple.WebCore             	0x00000001345c4525 WebCore::RenderBlock::layout() + 277 (RenderBlock.cpp:598)
17  com.apple.WebCore             	0x00000001345fa075 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 1461 (RenderBlockFlow.cpp:762)
18  com.apple.WebCore             	0x00000001345f6a9e WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 718 (RenderBlockFlow.cpp:673)
19  com.apple.WebCore             	0x00000001345f4c28 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 1240 (RenderBlockFlow.cpp:525)
20  com.apple.WebCore             	0x00000001345c4525 WebCore::RenderBlock::layout() + 277 (RenderBlock.cpp:598)
21  com.apple.WebCore             	0x000000013496cd37 WebCore::RenderView::layout() + 1479 (RenderView.cpp:185)
22  com.apple.WebCore             	0x0000000133ae582a WebCore::FrameViewLayoutContext::layout() + 1354 (FrameViewLayoutContext.cpp:232)
23  com.apple.WebCore             	0x0000000132912f23 WebCore::Document::updateLayout() + 531 (Document.cpp:2189)
24  com.apple.WebCore             	0x0000000132915463 WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks) + 147 (Document.cpp:2203)
25  com.apple.WebCore             	0x0000000132a16c23 WebCore::Element::setScrollTop(int) + 195 (Element.cpp:1379)
26  com.apple.WebCore             	0x000000012fc2b263 WebCore::setJSElement_scrollTopSetter(JSC::JSGlobalObject&, WebCore::JSElement&, JSC::JSValue)::'lambda'()::operator()() const + 131 (JSElement.cpp:2728)
27  com.apple.WebCore             	0x000000012fc2b1d9 std::__1::enable_if<std::is_same<void, decltype(fp1())>::value, void>::type WebCore::AttributeSetter::call<WebCore::setJSElement_scrollTopSetter(JSC::JSGlobalObject&, WebCore::JSElement&, JSC::JSValue)::'lambda'()>(JSC::JSGlobalObject&, JSC::ThrowScope&, WebCore::setJSElement_scrollTopSetter(JSC::JSGlobalObject&, WebCore::JSElement&, JSC::JSValue)::'lambda'()&&) + 9 (JSDOMAttribute.h:93)
28  com.apple.WebCore             	0x000000012fc2b12a WebCore::setJSElement_scrollTopSetter(JSC::JSGlobalObject&, WebCore::JSElement&, JSC::JSValue) + 346 (JSElement.cpp:2727)
29  com.apple.WebCore             	0x000000012faadab3 bool WebCore::IDLAttribute<WebCore::JSElement>::set<&(WebCore::setJSElement_scrollTopSetter(JSC::JSGlobalObject&, WebCore::JSElement&, JSC::JSValue)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, long long, long long, char const*) + 259 (JSDOMAttribute.h:50)
30  com.apple.WebCore             	0x000000012faad9a9 WebCore::setJSElement_scrollTop(JSC::JSGlobalObject*, long long, long long) + 9 (JSElement.cpp:2735)
31  com.apple.JavaScriptCore      	0x000000011ae66537 JSC::callCustomSetter(JSC::JSGlobalObject*, bool (*)(JSC::JSGlobalObject*, long long, long long), bool, JSC::JSObject*, JSC::JSValue, JSC::JSValue) + 231 (CustomGetterSetter.cpp:43)
32  com.apple.JavaScriptCore      	0x000000011b0da3a8 JSC::JSObject::putInlineSlow(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 2008 (JSObject.cpp:842)
33  com.apple.JavaScriptCore      	0x000000011a9c3d81 JSC::JSObject::putInlineForJSObject(JSC::JSCell*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 1205 (JSObjectInlines.h:277) [inlined]
34  com.apple.JavaScriptCore      	0x000000011a9c3d81 JSC::JSCell::putInline(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 1296 (JSCellInlines.h:447) [inlined]
35  com.apple.JavaScriptCore      	0x000000011a9c3d81 JSC::JSValue::putInline(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 1336 (JSCJSValueInlines.h:1060) [inlined]
36  com.apple.JavaScriptCore      	0x000000011a9c3d81 llint_slow_path_put_by_id + 2577 (LLIntSlowPaths.cpp:907)
37  com.apple.JavaScriptCore      	0x0000000118e8b2a0 llint_entry + 41688 (LowLevelInterpreter64.asm:97)
38  com.apple.JavaScriptCore      	0x0000000118e9bdb1 llint_entry + 110057 (LowLevelInterpreter.asm:1093)
39  com.apple.JavaScriptCore      	0x0000000118e80dc9 vmEntryToJavaScript + 216 (LowLevelInterpreter64.asm:316)
40  com.apple.JavaScriptCore      	0x000000011a6c97d2 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 258 (JITCodeInlines.h:42) [inlined]
41  com.apple.JavaScriptCore      	0x000000011a6c97d2 JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1554 (Interpreter.cpp:907)
42  com.apple.JavaScriptCore      	0x000000011adb2d15 JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 101 (CallData.cpp:57)
43  com.apple.JavaScriptCore      	0x000000011adb2e10 JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 224 (CallData.cpp:64)
44  com.apple.JavaScriptCore      	0x000000011adb31cc JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 268 (CallData.cpp:85)
45  com.apple.WebCore             	0x00000001321318a9 WebCore::JSExecState::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 233 (JSExecState.h:73)
46  com.apple.WebCore             	0x000000013215dbab WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) + 2731 (JSEventListener.cpp:186)
47  com.apple.WebCore             	0x0000000132a6b263 WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::RawPtrTraits<WebCore::RegisteredEventListener>, WTF::DefaultRefDerefTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WebCore::EventTarget::EventInvokePhase) + 1315 (EventTarget.cpp:344)
48  com.apple.WebCore             	0x0000000132a6ab03 WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) + 435 (EventTarget.cpp:276)
49  com.apple.WebCore             	0x0000000132a39428 WebCore::EventContext::handleLocalEvents(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) const + 856
50  com.apple.WebCore             	0x0000000132a3ab7d WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) + 285 (EventDispatcher.cpp:107)
51  com.apple.WebCore             	0x0000000132a39fae WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) + 1342 (EventDispatcher.cpp:188)
52  com.apple.WebCore             	0x0000000132af3c49 WebCore::Node::dispatchEvent(WebCore::Event&) + 9 (Node.cpp:2374)
53  com.apple.WebCore             	0x0000000132b48318 WebCore::ScopedEventQueue::dispatchEvent(WebCore::ScopedEventQueue::ScopedEvent const&) const + 88 (ScopedEventQueue.cpp:59)
54  com.apple.WebCore             	0x0000000132b48458 WebCore::ScopedEventQueue::dispatchAllEvents() + 264 (ScopedEventQueue.cpp:66)
55  com.apple.WebCore             	0x0000000132b4861d WebCore::ScopedEventQueue::decrementScopingLevel() + 45 (ScopedEventQueue.cpp:79)
56  com.apple.WebCore             	0x0000000132970951 WebCore::EventQueueScope::~EventQueueScope() + 17 (ScopedEventQueue.h:75)
57  com.apple.WebCore             	0x00000001329103e9 WebCore::EventQueueScope::~EventQueueScope() + 9 (ScopedEventQueue.h:75)
58  com.apple.WebCore             	0x000000013293ddbf WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) + 271 (Document.cpp:5688)
59  com.apple.WebCore             	0x000000012fb23e6a WebCore::jsDocumentPrototypeFunction_execCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*) + 1130 (JSDocument.cpp:5890)
60  com.apple.WebCore             	0x000000012fb2395c long long WebCore::IDLOperation<WebCore::JSDocument>::call<&(WebCore::jsDocumentPrototypeFunction_execCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) + 252 (JSDOMOperation.h:53)
61  com.apple.WebCore             	0x000000012fb0e239 WebCore::jsDocumentPrototypeFunction_execCommand(JSC::JSGlobalObject*, JSC::CallFrame*) + 9 (JSDocument.cpp:5895)
62  ???                           	0x00005217124011d8 0 + 90259043914200
63  com.apple.JavaScriptCore      	0x0000000118e9bf5a llint_entry + 110482 (LowLevelInterpreter.asm:1093)
64  com.apple.JavaScriptCore      	0x0000000118e9bdb1 llint_entry + 110057 (LowLevelInterpreter.asm:1093)
65  com.apple.JavaScriptCore      	0x0000000118e80dc9 vmEntryToJavaScript + 216 (LowLevelInterpreter64.asm:316)
66  com.apple.JavaScriptCore      	0x000000011a6c97d2 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 258 (JITCodeInlines.h:42) [inlined]
67  com.apple.JavaScriptCore      	0x000000011a6c97d2 JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1554 (Interpreter.cpp:907)
68  com.apple.JavaScriptCore      	0x000000011adb2d15 JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 101 (CallData.cpp:57)
69  com.apple.JavaScriptCore      	0x000000011adb2e10 JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 224 (CallData.cpp:64)
70  com.apple.JavaScriptCore      	0x000000011adb31cc JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 268 (CallData.cpp:85)
71  com.apple.WebCore             	0x00000001321318a9 WebCore::JSExecState::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 233 (JSExecState.h:73)
72  com.apple.WebCore             	0x000000013215dbab WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) + 2731 (JSEventListener.cpp:186)
73  com.apple.WebCore             	0x0000000132a6b263 WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::RawPtrTraits<WebCore::RegisteredEventListener>, WTF::DefaultRefDerefTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WebCore::EventTarget::EventInvokePhase) + 1315 (EventTarget.cpp:344)
74  com.apple.WebCore             	0x0000000132a6ab03 WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) + 435 (EventTarget.cpp:276)
75  com.apple.WebCore             	0x0000000132a39428 WebCore::EventContext::handleLocalEvents(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) const + 856
76  com.apple.WebCore             	0x0000000132a3ab7d WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) + 285 (EventDispatcher.cpp:107)
77  com.apple.WebCore             	0x0000000132a39fae WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) + 1342 (EventDispatcher.cpp:188)
78  com.apple.WebCore             	0x0000000132af3c49 WebCore::Node::dispatchEvent(WebCore::Event&) + 9 (Node.cpp:2374)
79  com.apple.WebCore             	0x0000000132f1cc3a WebCore::HTMLFormControlElement::checkValidity(WTF::Vector<WTF::RefPtr<WebCore::HTMLFormControlElement, WTF::RawPtrTraits<WebCore::HTMLFormControlElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLFormControlElement> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>*) + 394 (HTMLFormControlElement.cpp:495)
80  com.apple.WebCore             	0x0000000132f1d06e WebCore::HTMLFormControlElement::reportValidity() + 222 (HTMLFormControlElement.cpp:514)
81  com.apple.WebCore             	0x000000012feb2727 WebCore::jsHTMLInputElementPrototypeFunction_reportValidityBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSHTMLInputElement*) + 199 (JSHTMLInputElement.cpp:1919)
82  com.apple.WebCore             	0x000000012feb25b7 long long WebCore::IDLOperation<WebCore::JSHTMLInputElement>::call<&(WebCore::jsHTMLInputElementPrototypeFunction_reportValidityBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSHTMLInputElement*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) + 247 (JSDOMOperation.h:53)
83  com.apple.WebCore             	0x000000012feb1689 WebCore::jsHTMLInputElementPrototypeFunction_reportValidity(JSC::JSGlobalObject*, JSC::CallFrame*) + 9 (JSHTMLInputElement.cpp:1924)
84  ???                           	0x00005217124011d8 0 + 90259043914200
85  com.apple.JavaScriptCore      	0x0000000118e9bf5a llint_entry + 110482 (LowLevelInterpreter.asm:1093)
86  com.apple.JavaScriptCore      	0x0000000118e9bdb1 llint_entry + 110057 (LowLevelInterpreter.asm:1093)
87  com.apple.JavaScriptCore      	0x0000000118e80dc9 vmEntryToJavaScript + 216 (LowLevelInterpreter64.asm:316)
88  com.apple.JavaScriptCore      	0x000000011a6c97d2 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 258 (JITCodeInlines.h:42) [inlined]
89  com.apple.JavaScriptCore      	0x000000011a6c97d2 JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1554 (Interpreter.cpp:907)
90  com.apple.JavaScriptCore      	0x000000011adb2d15 JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 101 (CallData.cpp:57)
91  com.apple.JavaScriptCore      	0x000000011adb2e10 JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 224 (CallData.cpp:64)
92  com.apple.JavaScriptCore      	0x000000011adb31cc JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 268 (CallData.cpp:85)
93  com.apple.WebCore             	0x00000001321318a9 WebCore::JSExecState::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 233 (JSExecState.h:73)
94  com.apple.WebCore             	0x000000013215dbab WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) + 2731 (JSEventListener.cpp:186)
95  com.apple.WebCore             	0x0000000132a6b263 WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::RawPtrTraits<WebCore::RegisteredEventListener>, WTF::DefaultRefDerefTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WebCore::EventTarget::EventInvokePhase) + 1315 (EventTarget.cpp:344)
96  com.apple.WebCore             	0x0000000132a6ab03 WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) + 435 (EventTarget.cpp:276)
97  com.apple.WebCore             	0x0000000132a39428 WebCore::EventContext::handleLocalEvents(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) const + 856
98  com.apple.WebCore             	0x0000000132a3ab7d WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) + 285 (EventDispatcher.cpp:107)
99  com.apple.WebCore             	0x0000000132a39fae WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) + 1342 (EventDispatcher.cpp:188)
100 com.apple.WebCore             	0x0000000132af3c49 WebCore::Node::dispatchEvent(WebCore::Event&) + 9 (Node.cpp:2374)
101 com.apple.WebCore             	0x0000000132a28ace WebCore::Element::dispatchFocusEvent(WTF::RefPtr<WebCore::Element, WTF::RawPtrTraits<WebCore::Element>, WTF::DefaultRefDerefTraits<WebCore::Element> >&&, WebCore::FocusDirection) + 574 (Element.cpp:3166)
102 com.apple.WebCore             	0x0000000133086bf3 WebCore::HTMLTextFormControlElement::dispatchFocusEvent(WTF::RefPtr<WebCore::Element, WTF::RawPtrTraits<WebCore::Element>, WTF::DefaultRefDerefTraits<WebCore::Element> >&&, WebCore::FocusDirection) + 179 (HTMLTextFormControlElement.cpp:101)
103 com.apple.WebCore             	0x0000000132930f68 WebCore::Document::setFocusedElement(WebCore::Element*, WebCore::FocusDirection, WebCore::Document::FocusRemovalEventsMode) + 2312 (Document.cpp:4521)
104 com.apple.WebCore             	0x0000000133ad93ba WebCore::FocusController::setFocusedElement(WebCore::Element*, WebCore::Frame&, WebCore::FocusDirection) + 1498 (FocusController.cpp:876)
105 com.apple.WebCore             	0x0000000132a26cf3 WebCore::Element::focus(WebCore::SelectionRestorationMode, WebCore::FocusDirection) + 1315 (Element.cpp:3080)
106 com.apple.WebCore             	0x0000000132f3113f WebCore::HTMLFormControlElement::didAttachRenderers()::$_1::operator()() const + 79 (HTMLFormControlElement.cpp:261)
107 com.apple.WebCore             	0x0000000132f3103d WTF::Detail::CallableWrapper<WebCore::HTMLFormControlElement::didAttachRenderers()::$_1, void>::call() + 13 (Function.h:52)
108 com.apple.WebCore             	0x000000012f0925af WTF::Function<void ()>::operator()() const + 63 (Function.h:83)
109 com.apple.WebCore             	0x0000000134c28343 WebCore::Style::PostResolutionCallbackDisabler::~PostResolutionCallbackDisabler() + 115 (StyleTreeResolver.cpp:658)
110 com.apple.WebCore             	0x0000000134c284c9 WebCore::Style::PostResolutionCallbackDisabler::~PostResolutionCallbackDisabler() + 9 (StyleTreeResolver.cpp:652)
111 com.apple.WebCore             	0x00000001329199bd WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) + 2061 (Document.cpp:2091)
112 com.apple.WebCore             	0x000000013291aa9c WebCore::Document::updateStyleIfNeeded() + 572 (Document.cpp:2162)


<rdar://75330757>
Comment 1 Ryosuke Niwa 2021-03-17 01:42:41 PDT
I can reproduce the nullopt with DumpRenderTree at r274459, but I encounter an abort in CoreAnimation if I run the test with WebKitTestRunner, so you might need to either work around that crash or use DumpRenderTree to debug this.
Comment 2 Sergio Villar Senin 2021-03-17 08:25:08 PDT
I'll check it out, maybe it's just a dup of bug 222584
Comment 3 Sergio Villar Senin 2021-03-17 08:25:46 PDT
(In reply to Sergio Villar Senin from comment #2)
> I'll check it out, maybe it's just a dup of bug 222584

Errr I mean bug 222854 :)
Comment 4 Sergio Villar Senin 2021-03-17 09:00:45 PDT
Ryosuke, which revision are you using? I'm hitting an ASSERT but a totally different one.
Comment 5 Sergio Villar Senin 2021-03-17 14:01:14 PDT
(In reply to Sergio Villar Senin from comment #4)
> Ryosuke, which revision are you using? I'm hitting an ASSERT but a totally
> different one.

OK, I got the same trace on macOS. On Linux it hits an ASSERT in RenderLayer first. I'll upload a patch for the original issue tomorrow.
Comment 6 Sergio Villar Senin 2021-03-18 02:45:41 PDT
Created attachment 423577 [details]
Patch
Comment 7 Sergio Villar Senin 2021-03-18 02:48:09 PDT
I believe this is not a security issue. We were just hitting an ASSERT that checks that the content size suggestion of a flex item is not negative, basically because it does not make sense, but I doubt this could be exploitable in any way.

That's why I'm including a potential layout test that we could even upload to WPT as it's still useful for other engines even though they don't hit the assertion.
Comment 8 Sergio Villar Senin 2021-03-31 05:15:55 PDT
Ping reviewers

BTW, there must be something wrong with Release EWS, as I don't get any failure locally when testing this on macOS.
Comment 9 Sergio Villar Senin 2021-04-27 03:19:21 PDT
Thanks for the review. Waiting for upstream WPT to accept the test and then I'll land this one.
Comment 10 Sergio Villar Senin 2021-04-30 04:46:20 PDT
Committed r276835 (237186@main): <https://commits.webkit.org/237186@main>