Bug 223369

Summary: Nullopt in RenderFlexibleBox::layoutFlexItems in RenderFlexibleBox::layoutBlock via RenderMultiColumnFlow::layout
Product: WebKit
Reporter: Ryosuke Niwa <rniwa>
Component: Layout and Rendering
Assignee: Sergio Villar Senin <svillar>
Status: RESOLVED FIXED
Severity: Normal
CC: achristensen, bfulgham, cgarcia, ews-feeder, fred.wang, gpoo, jfernandez, koivisto, product-security, rbuis, simon.fraser, svillar, webkit-bug-importer, zalan
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments:
Test (513.87 KB, text/html) - 2021-03-17 01:41 PDT, Ryosuke Niwa - no flags
Patch (9.62 KB, patch) - 2021-03-18 02:45 PDT, Sergio Villar Senin - zalan: review+, ews-feeder: commit-queue-

Ryosuke Niwa
Reported 2021-03-17 01:41:30 PDT
Created attachment 423454 [details]
Test

e.g.

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore   0x00000001345540fe WTF::Optional<WebCore::LayoutUnit>::value() && + 46 (Optional.h:555)
1   com.apple.WebCore   0x000000013470fd3e WebCore::RenderFlexibleBox::computeInnerFlexBaseSizeForChild(WebCore::RenderBox&, WebCore::LayoutUnit) + 398 (RenderFlexibleBox.cpp:932)
2   com.apple.WebCore   0x0000000134710bda WebCore::RenderFlexibleBox::constructFlexItem(WebCore::RenderBox&, bool) + 506 (RenderFlexibleBox.cpp:1319)
3   com.apple.WebCore   0x0000000134707e32 WebCore::RenderFlexibleBox::layoutFlexItems(bool) + 626 (RenderFlexibleBox.cpp:974)
4   com.apple.WebCore   0x0000000134707277 WebCore::RenderFlexibleBox::layoutBlock(bool, WebCore::LayoutUnit) + 999 (RenderFlexibleBox.cpp:303)
5   com.apple.WebCore   0x00000001345c4525 WebCore::RenderBlock::layout() + 277 (RenderBlock.cpp:598)
6   com.apple.WebCore   0x00000001344fadd7 WebCore::RenderElement::layoutIfNeeded() + 71 (RenderElement.h:124)
7   com.apple.WebCore   0x00000001344f97d6 WebCore::ComplexLineLayout::layoutLineBoxes(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 1030 (ComplexLineLayout.cpp:1783)
8   com.apple.WebCore   0x00000001345f6760 WebCore::RenderBlockFlow::layoutInlineChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 368 (RenderBlockFlow.cpp:704)
9   com.apple.WebCore   0x00000001345f4c1d WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 1229 (RenderBlockFlow.cpp:523)
10  com.apple.WebCore   0x00000001345c4525 WebCore::RenderBlock::layout() + 277 (RenderBlock.cpp:598)
11  com.apple.WebCore   0x0000000134723027 WebCore::RenderFragmentedFlow::layout() + 279 (RenderFragmentedFlow.cpp:153)
12  com.apple.WebCore   0x0000000134885911 WebCore::RenderMultiColumnFlow::layout() + 177 (RenderMultiColumnFlow.cpp:128)
13  com.apple.WebCore   0x000000013461b7c4 WebCore::RenderBlockFlow::layoutExcludedChildren(bool) + 196 (RenderBlockFlow.cpp:3961)
14  com.apple.WebCore   0x00000001345f69a3 WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 467 (RenderBlockFlow.cpp:645)
15  com.apple.WebCore   0x00000001345f4c28 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 1240 (RenderBlockFlow.cpp:525)
16  com.apple.WebCore   0x00000001345c4525 WebCore::RenderBlock::layout() + 277 (RenderBlock.cpp:598)
17  com.apple.WebCore   0x00000001345fa075 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 1461 (RenderBlockFlow.cpp:762)
18  com.apple.WebCore   0x00000001345f6a9e WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 718 (RenderBlockFlow.cpp:673)
19  com.apple.WebCore   0x00000001345f4c28 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 1240 (RenderBlockFlow.cpp:525)
20  com.apple.WebCore   0x00000001345c4525 WebCore::RenderBlock::layout() + 277 (RenderBlock.cpp:598)
21  com.apple.WebCore   0x000000013496cd37 WebCore::RenderView::layout() + 1479 (RenderView.cpp:185)
22  com.apple.WebCore   0x0000000133ae582a WebCore::FrameViewLayoutContext::layout() + 1354 (FrameViewLayoutContext.cpp:232)
23  com.apple.WebCore   0x0000000132912f23 WebCore::Document::updateLayout() + 531 (Document.cpp:2189)
24  com.apple.WebCore   0x0000000132915463 WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks) + 147 (Document.cpp:2203)
25  com.apple.WebCore   0x0000000132a16c23 WebCore::Element::setScrollTop(int) + 195 (Element.cpp:1379)
26  com.apple.WebCore   0x000000012fc2b263 WebCore::setJSElement_scrollTopSetter(JSC::JSGlobalObject&, WebCore::JSElement&, JSC::JSValue)::'lambda'()::operator()() const + 131 (JSElement.cpp:2728)
27  com.apple.WebCore   0x000000012fc2b1d9 std::__1::enable_if<std::is_same<void, decltype(fp1())>::value, void>::type WebCore::AttributeSetter::call<WebCore::setJSElement_scrollTopSetter(JSC::JSGlobalObject&, WebCore::JSElement&, JSC::JSValue)::'lambda'()>(JSC::JSGlobalObject&, JSC::ThrowScope&, WebCore::setJSElement_scrollTopSetter(JSC::JSGlobalObject&, WebCore::JSElement&, JSC::JSValue)::'lambda'()&&) + 9 (JSDOMAttribute.h:93)
28  com.apple.WebCore   0x000000012fc2b12a WebCore::setJSElement_scrollTopSetter(JSC::JSGlobalObject&, WebCore::JSElement&, JSC::JSValue) + 346 (JSElement.cpp:2727)
29  com.apple.WebCore   0x000000012faadab3 bool WebCore::IDLAttribute<WebCore::JSElement>::set<&(WebCore::setJSElement_scrollTopSetter(JSC::JSGlobalObject&, WebCore::JSElement&, JSC::JSValue)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, long long, long long, char const*) + 259 (JSDOMAttribute.h:50)
30  com.apple.WebCore   0x000000012faad9a9 WebCore::setJSElement_scrollTop(JSC::JSGlobalObject*, long long, long long) + 9 (JSElement.cpp:2735)
31  com.apple.JavaScriptCore   0x000000011ae66537 JSC::callCustomSetter(JSC::JSGlobalObject*, bool (*)(JSC::JSGlobalObject*, long long, long long), bool, JSC::JSObject*, JSC::JSValue, JSC::JSValue) + 231 (CustomGetterSetter.cpp:43)
32  com.apple.JavaScriptCore   0x000000011b0da3a8 JSC::JSObject::putInlineSlow(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 2008 (JSObject.cpp:842)
33  com.apple.JavaScriptCore   0x000000011a9c3d81 JSC::JSObject::putInlineForJSObject(JSC::JSCell*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 1205 (JSObjectInlines.h:277) [inlined]
34  com.apple.JavaScriptCore   0x000000011a9c3d81 JSC::JSCell::putInline(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 1296 (JSCellInlines.h:447) [inlined]
35  com.apple.JavaScriptCore   0x000000011a9c3d81 JSC::JSValue::putInline(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 1336 (JSCJSValueInlines.h:1060) [inlined]
36  com.apple.JavaScriptCore   0x000000011a9c3d81 llint_slow_path_put_by_id + 2577 (LLIntSlowPaths.cpp:907)
37  com.apple.JavaScriptCore   0x0000000118e8b2a0 llint_entry + 41688 (LowLevelInterpreter64.asm:97)
38  com.apple.JavaScriptCore   0x0000000118e9bdb1 llint_entry + 110057 (LowLevelInterpreter.asm:1093)
39  com.apple.JavaScriptCore   0x0000000118e80dc9 vmEntryToJavaScript + 216 (LowLevelInterpreter64.asm:316)
40  com.apple.JavaScriptCore   0x000000011a6c97d2 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 258 (JITCodeInlines.h:42) [inlined]
41  com.apple.JavaScriptCore   0x000000011a6c97d2 JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1554 (Interpreter.cpp:907)
42  com.apple.JavaScriptCore   0x000000011adb2d15 JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 101 (CallData.cpp:57)
43  com.apple.JavaScriptCore   0x000000011adb2e10 JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 224 (CallData.cpp:64)
44  com.apple.JavaScriptCore   0x000000011adb31cc JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 268 (CallData.cpp:85)
45  com.apple.WebCore   0x00000001321318a9 WebCore::JSExecState::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 233 (JSExecState.h:73)
46  com.apple.WebCore   0x000000013215dbab WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) + 2731 (JSEventListener.cpp:186)
47  com.apple.WebCore   0x0000000132a6b263 WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::RawPtrTraits<WebCore::RegisteredEventListener>, WTF::DefaultRefDerefTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WebCore::EventTarget::EventInvokePhase) + 1315 (EventTarget.cpp:344)
48  com.apple.WebCore   0x0000000132a6ab03 WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) + 435 (EventTarget.cpp:276)
49  com.apple.WebCore   0x0000000132a39428 WebCore::EventContext::handleLocalEvents(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) const + 856
50  com.apple.WebCore   0x0000000132a3ab7d WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) + 285 (EventDispatcher.cpp:107)
51  com.apple.WebCore   0x0000000132a39fae WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) + 1342 (EventDispatcher.cpp:188)
52  com.apple.WebCore   0x0000000132af3c49 WebCore::Node::dispatchEvent(WebCore::Event&) + 9 (Node.cpp:2374)
53  com.apple.WebCore   0x0000000132b48318 WebCore::ScopedEventQueue::dispatchEvent(WebCore::ScopedEventQueue::ScopedEvent const&) const + 88 (ScopedEventQueue.cpp:59)
54  com.apple.WebCore   0x0000000132b48458 WebCore::ScopedEventQueue::dispatchAllEvents() + 264 (ScopedEventQueue.cpp:66)
55  com.apple.WebCore   0x0000000132b4861d WebCore::ScopedEventQueue::decrementScopingLevel() + 45 (ScopedEventQueue.cpp:79)
56  com.apple.WebCore   0x0000000132970951 WebCore::EventQueueScope::~EventQueueScope() + 17 (ScopedEventQueue.h:75)
57  com.apple.WebCore   0x00000001329103e9 WebCore::EventQueueScope::~EventQueueScope() + 9 (ScopedEventQueue.h:75)
58  com.apple.WebCore   0x000000013293ddbf WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) + 271 (Document.cpp:5688)
59  com.apple.WebCore   0x000000012fb23e6a WebCore::jsDocumentPrototypeFunction_execCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*) + 1130 (JSDocument.cpp:5890)
60  com.apple.WebCore   0x000000012fb2395c long long WebCore::IDLOperation<WebCore::JSDocument>::call<&(WebCore::jsDocumentPrototypeFunction_execCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) + 252 (JSDOMOperation.h:53)
61  com.apple.WebCore   0x000000012fb0e239 WebCore::jsDocumentPrototypeFunction_execCommand(JSC::JSGlobalObject*, JSC::CallFrame*) + 9 (JSDocument.cpp:5895)
62  ???                 0x00005217124011d8 0 + 90259043914200
63  com.apple.JavaScriptCore   0x0000000118e9bf5a llint_entry + 110482 (LowLevelInterpreter.asm:1093)
64  com.apple.JavaScriptCore   0x0000000118e9bdb1 llint_entry + 110057 (LowLevelInterpreter.asm:1093)
65  com.apple.JavaScriptCore   0x0000000118e80dc9 vmEntryToJavaScript + 216 (LowLevelInterpreter64.asm:316)
66  com.apple.JavaScriptCore   0x000000011a6c97d2 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 258 (JITCodeInlines.h:42) [inlined]
67  com.apple.JavaScriptCore   0x000000011a6c97d2 JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1554 (Interpreter.cpp:907)
68  com.apple.JavaScriptCore   0x000000011adb2d15 JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 101 (CallData.cpp:57)
69  com.apple.JavaScriptCore   0x000000011adb2e10 JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 224 (CallData.cpp:64)
70  com.apple.JavaScriptCore   0x000000011adb31cc JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 268 (CallData.cpp:85)
71  com.apple.WebCore   0x00000001321318a9 WebCore::JSExecState::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 233 (JSExecState.h:73)
72  com.apple.WebCore   0x000000013215dbab WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) + 2731 (JSEventListener.cpp:186)
73  com.apple.WebCore   0x0000000132a6b263 WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::RawPtrTraits<WebCore::RegisteredEventListener>, WTF::DefaultRefDerefTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WebCore::EventTarget::EventInvokePhase) + 1315 (EventTarget.cpp:344)
74  com.apple.WebCore   0x0000000132a6ab03 WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) + 435 (EventTarget.cpp:276)
75  com.apple.WebCore   0x0000000132a39428 WebCore::EventContext::handleLocalEvents(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) const + 856
76  com.apple.WebCore   0x0000000132a3ab7d WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) + 285 (EventDispatcher.cpp:107)
77  com.apple.WebCore   0x0000000132a39fae WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) + 1342 (EventDispatcher.cpp:188)
78  com.apple.WebCore   0x0000000132af3c49 WebCore::Node::dispatchEvent(WebCore::Event&) + 9 (Node.cpp:2374)
79  com.apple.WebCore   0x0000000132f1cc3a WebCore::HTMLFormControlElement::checkValidity(WTF::Vector<WTF::RefPtr<WebCore::HTMLFormControlElement, WTF::RawPtrTraits<WebCore::HTMLFormControlElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLFormControlElement> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>*) + 394 (HTMLFormControlElement.cpp:495)
80  com.apple.WebCore   0x0000000132f1d06e WebCore::HTMLFormControlElement::reportValidity() + 222 (HTMLFormControlElement.cpp:514)
81  com.apple.WebCore   0x000000012feb2727 WebCore::jsHTMLInputElementPrototypeFunction_reportValidityBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSHTMLInputElement*) + 199 (JSHTMLInputElement.cpp:1919)
82  com.apple.WebCore   0x000000012feb25b7 long long WebCore::IDLOperation<WebCore::JSHTMLInputElement>::call<&(WebCore::jsHTMLInputElementPrototypeFunction_reportValidityBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSHTMLInputElement*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) + 247 (JSDOMOperation.h:53)
83  com.apple.WebCore   0x000000012feb1689 WebCore::jsHTMLInputElementPrototypeFunction_reportValidity(JSC::JSGlobalObject*, JSC::CallFrame*) + 9 (JSHTMLInputElement.cpp:1924)
84  ???                 0x00005217124011d8 0 + 90259043914200
85  com.apple.JavaScriptCore   0x0000000118e9bf5a llint_entry + 110482 (LowLevelInterpreter.asm:1093)
86  com.apple.JavaScriptCore   0x0000000118e9bdb1 llint_entry + 110057 (LowLevelInterpreter.asm:1093)
87  com.apple.JavaScriptCore   0x0000000118e80dc9 vmEntryToJavaScript + 216 (LowLevelInterpreter64.asm:316)
88  com.apple.JavaScriptCore   0x000000011a6c97d2 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 258 (JITCodeInlines.h:42) [inlined]
89  com.apple.JavaScriptCore   0x000000011a6c97d2 JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1554 (Interpreter.cpp:907)
90  com.apple.JavaScriptCore   0x000000011adb2d15 JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 101 (CallData.cpp:57)
91  com.apple.JavaScriptCore   0x000000011adb2e10 JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 224 (CallData.cpp:64)
92  com.apple.JavaScriptCore   0x000000011adb31cc JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 268 (CallData.cpp:85)
93  com.apple.WebCore   0x00000001321318a9 WebCore::JSExecState::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 233 (JSExecState.h:73)
94  com.apple.WebCore   0x000000013215dbab WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) + 2731 (JSEventListener.cpp:186)
95  com.apple.WebCore   0x0000000132a6b263 WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::RawPtrTraits<WebCore::RegisteredEventListener>, WTF::DefaultRefDerefTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WebCore::EventTarget::EventInvokePhase) + 1315 (EventTarget.cpp:344)
96  com.apple.WebCore   0x0000000132a6ab03 WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) + 435 (EventTarget.cpp:276)
97  com.apple.WebCore   0x0000000132a39428 WebCore::EventContext::handleLocalEvents(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) const + 856
98  com.apple.WebCore   0x0000000132a3ab7d WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) + 285 (EventDispatcher.cpp:107)
99  com.apple.WebCore   0x0000000132a39fae WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) + 1342 (EventDispatcher.cpp:188)
100 com.apple.WebCore   0x0000000132af3c49 WebCore::Node::dispatchEvent(WebCore::Event&) + 9 (Node.cpp:2374)
101 com.apple.WebCore   0x0000000132a28ace WebCore::Element::dispatchFocusEvent(WTF::RefPtr<WebCore::Element, WTF::RawPtrTraits<WebCore::Element>, WTF::DefaultRefDerefTraits<WebCore::Element> >&&, WebCore::FocusDirection) + 574 (Element.cpp:3166)
102 com.apple.WebCore   0x0000000133086bf3 WebCore::HTMLTextFormControlElement::dispatchFocusEvent(WTF::RefPtr<WebCore::Element, WTF::RawPtrTraits<WebCore::Element>, WTF::DefaultRefDerefTraits<WebCore::Element> >&&, WebCore::FocusDirection) + 179 (HTMLTextFormControlElement.cpp:101)
103 com.apple.WebCore   0x0000000132930f68 WebCore::Document::setFocusedElement(WebCore::Element*, WebCore::FocusDirection, WebCore::Document::FocusRemovalEventsMode) + 2312 (Document.cpp:4521)
104 com.apple.WebCore   0x0000000133ad93ba WebCore::FocusController::setFocusedElement(WebCore::Element*, WebCore::Frame&, WebCore::FocusDirection) + 1498 (FocusController.cpp:876)
105 com.apple.WebCore   0x0000000132a26cf3 WebCore::Element::focus(WebCore::SelectionRestorationMode, WebCore::FocusDirection) + 1315 (Element.cpp:3080)
106 com.apple.WebCore   0x0000000132f3113f WebCore::HTMLFormControlElement::didAttachRenderers()::$_1::operator()() const + 79 (HTMLFormControlElement.cpp:261)
107 com.apple.WebCore   0x0000000132f3103d WTF::Detail::CallableWrapper<WebCore::HTMLFormControlElement::didAttachRenderers()::$_1, void>::call() + 13 (Function.h:52)
108 com.apple.WebCore   0x000000012f0925af WTF::Function<void ()>::operator()() const + 63 (Function.h:83)
109 com.apple.WebCore   0x0000000134c28343 WebCore::Style::PostResolutionCallbackDisabler::~PostResolutionCallbackDisabler() + 115 (StyleTreeResolver.cpp:658)
110 com.apple.WebCore   0x0000000134c284c9 WebCore::Style::PostResolutionCallbackDisabler::~PostResolutionCallbackDisabler() + 9 (StyleTreeResolver.cpp:652)
111 com.apple.WebCore   0x00000001329199bd WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) + 2061 (Document.cpp:2091)
112 com.apple.WebCore   0x000000013291aa9c WebCore::Document::updateStyleIfNeeded() + 572 (Document.cpp:2162)

<rdar://75330757>
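The trace above records a re-entrant trigger chain rather than a single bad call: style resolution runs an autofocus callback, the focus listener calls reportValidity(), the invalid listener calls execCommand(), the event drained from execCommand's scoped event queue sets scrollTop, and that forces a layout in which an inline-level flex box inside a multicolumn container reaches computeInnerFlexBaseSizeForChild with a nullopt. The page below is an added reading aid that lays that chain out as script; it is not the 513 KB attachment and not a WebKit test. The element ids, the use of `insertText` paired with an `input` listener, and the `columns` / `inline-flex` markup are assumptions chosen to match the frames, and because the report does not say what content gives the flex item a negative content size suggestion, this page walks the same call path but is not claimed to reach the assertion.

```html
<!DOCTYPE html>
<!-- Added reconstruction of the call chain in the crash trace for bug 223369.
     Not the attached test and not WebKit's own test. Ids, the insertText/input
     pairing and the markup below are assumptions made to match the frames. -->
<style>
  /* Frames 12 -> 8 -> 7 -> 4: RenderMultiColumnFlow, then a block with
     inline children, then a RenderFlexibleBox laid out from the line layout.
     An inline-flex box inside a multicol container gives that nesting. */
  #multicol { columns: 2; width: 200px; }
  #flex { display: inline-flex; }
</style>

<div id="multicol">
  line text
  <div id="flex"><div id="item">flex item</div></div>
</div>

<div id="editor" contenteditable>editable text</div>

<!-- Frames 106-112: for an autofocus control, HTMLFormControlElement::didAttachRenderers
     queues focus() as a post-style-resolution callback that runs when the
     PostResolutionCallbackDisabler goes out of scope inside Document::resolveStyle.
     "required" with an empty value makes reportValidity() fire "invalid". -->
<input id="field" autofocus required>

<script>
  const field = document.getElementById('field');
  const editor = document.getElementById('editor');
  const multicol = document.getElementById('multicol');
  let armed = true; // run the chain once; a second pass adds nothing

  // Frames 94-101: the focus listener runs synchronously from Element::focus.
  field.addEventListener('focus', () => {
    if (!armed) return;
    armed = false;
    // Frames 79-83: reportValidity() -> checkValidity() dispatches "invalid".
    field.reportValidity();
  });

  // Frames 72-78: the "invalid" listener calls document.execCommand.
  field.addEventListener('invalid', () => {
    // Put the selection inside the contenteditable so the editing command
    // has something to operate on (assumption: selection, not focus, is
    // what the command needs here).
    getSelection().selectAllChildren(editor);
    // Frames 58-61: Document::execCommand. Its EventQueueScope drains the
    // scoped event queue on return (frames 53-57).
    document.execCommand('insertText', false, 'x');
  });

  // Frames 46-52: a listener for the event drained from the scoped queue.
  // "input" is assumed to be that event for insertText.
  editor.addEventListener('input', () => {
    // Frames 25-30: Element::setScrollTop calls
    // Document::updateLayoutIgnorePendingStylesheets, which lays out the
    // whole tree from RenderView down into the multicol and the flex box.
    multicol.scrollTop = 1;
  });
</script>
```

When reducing a fuzzer-generated test like the attachment, each listener above corresponds to one JS frame group in the trace (frames 94, 72 and 46 are the three JSEventListener::handleEvent entries), so removing markup until one of those groups disappears from the new trace tells you which part of the page is still needed.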
Ryosuke Niwa
Comment 1 2021-03-17 01:42:41 PDT
I can reproduce the nullopt with DumpRenderTree at r274459 but encounter an abort in CoreAnimation if I run the test with WebKitTestRunner, so you might need to either work around that crash or use DumpRenderTree to debug this.
Sergio Villar Senin
Comment 2 2021-03-17 08:25:08 PDT
I'll check it out, maybe it's just a dup of bug 222584
Sergio Villar Senin
Comment 3 2021-03-17 08:25:46 PDT
(In reply to Sergio Villar Senin from comment #2)
> I'll check it out, maybe it's just a dup of bug 222584

Errr I mean bug 222854 :)
Sergio Villar Senin
Comment 4 2021-03-17 09:00:45 PDT
Ryosuke, which revision are you using? I'm hitting an ASSERT but a totally different one.
Sergio Villar Senin
Comment 5 2021-03-17 14:01:14 PDT
(In reply to Sergio Villar Senin from comment #4)
> Ryosuke, which revision are you using? I'm hitting an ASSERT but a totally
> different one.

OK I got the same trace in macOS. In Linux it hits an ASSERT in RenderLayer first. I'll upload a patch for the original issue tomorrow.
Sergio Villar Senin
Comment 6 2021-03-18 02:45:41 PDT
Sergio Villar Senin
Comment 7 2021-03-18 02:48:09 PDT
I believe this is not a security issue. We were just hitting an ASSERT that checks that the content size suggestion of a flex item is not negative, basically because it does not make sense, but I doubt this could be exploitable in any way. That's why I'm including a potential layout test that we could even upload to WPT as it's still useful for other engines even though they don't hit the assertion.
Sergio Villar Senin
Comment 8 2021-03-31 05:15:55 PDT
Ping reviewers.

BTW there must be something wrong with Release EWS, as I don't get any failure locally when testing this on macOS.
Sergio Villar Senin
Comment 9 2021-04-27 03:19:21 PDT
Thanks for the review. Waiting for upstream WPT to accept the test and then I'll land this one.
Sergio Villar Senin
Comment 10 2021-04-30 04:46:20 PDT