Bug 298646
| Summary: | Anchoring a pseudo element to a slotted element in a Shadow DOM causes browser crash | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Zacky Ma <zacky> |
| Component: | CSS | Assignee: | Antti Koivisto <koivisto> |
| Status: | RESOLVED FIXED | | |
| Severity: | Critical | CC: | fantasai.bugs, kiet.ho, koivisto, simon.fraser, webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | Safari Technology Preview | | |
| Hardware: | All | | |
| OS: | All | | |
| See Also: | https://github.com/web-platform-tests/wpt/pull/54905 | | |
Zacky Ma
In a Shadow DOM, using CSS Anchor Positioning to anchor a pseudo element to a slotted element (with `::slotted(..)`) causes Safari TP 227 to crash.
Codepen to reproduce: https://codepen.io/marchbox/pen/gbayRPK
Radar WebKit Bug Importer
<rdar://problem/160291579>
Simon Fraser (smfr)
Thread 0 Crashed:
0 WebCore 0x1c71dbb5c WebCore::Style::AnchorPositionEvaluator::defaultAnchorForBox(WebCore::RenderBox const&) + 968
1 WebCore 0x1c71dd83c WebCore::Style::AnchorPositionEvaluator::evaluate(WebCore::Style::BuilderState&, std::__1::optional<WebCore::Style::ScopedName>, mpark::variant<WebCore::CSSValueID, double>) + 320
2 WebCore 0x1c5f0f378 WebCore::CSSCalc::evaluateWithoutFallback(WebCore::CSSCalc::Anchor const&, WebCore::CSSCalc::EvaluationOptions const&) + 180
3 WebCore 0x1c5f1cdb8 _ZZN7WebCore7CSSCalcL8evaluateERKNS0_5ChildERKNS0_17EvaluationOptionsEENK3$_0clINS0_12IndirectNodeINS0_6AnchorEEEEEDaRKT_ + 56
4 WebCore 0x1c5f0f2ac WebCore::CSSCalc::evaluate(WebCore::CSSCalc::Child const&, WebCore::CSSCalc::EvaluationOptions const&) + 1104
5 WebCore 0x1c5f1b3e8 WebCore::CSSCalcValue::computeLengthPx(WebCore::CSSToLengthConversionData const&, WebCore::CSSCalcSymbolTable const&) const + 132
6 WebCore 0x1c5e93630 double WebCore::CSSPrimitiveValue::resolveAsLength<double>(WebCore::CSSToLengthConversionData const&) const + 236
7 WebCore 0x1c55c9890 WebCore::Style::CSSValueConversion<WebCore::Style::InsetEdge>::operator()(WebCore::Style::BuilderState&, WebCore::CSSValue const&) + 184
8 WebCore 0x1c5506fa8 WebCore::Style::BuilderGenerated::applyProperty(WebCore::CSSPropertyID, WebCore::Style::BuilderState&, WebCore::CSSValue&, WebCore::Style::ApplyValueType) + 26608
9 WebCore 0x1c721efec WebCore::Style::Builder::applyProperty(WebCore::CSSPropertyID, WebCore::CSSValue&, WebCore::SelectorChecker::LinkMatchMask, WebCore::Style::CascadeLevel) + 356
10 WebCore 0x1c7242408 WebCore::Style::Resolver::applyMatchedProperties(WebCore::Style::Resolver::State&, WebCore::Style::MatchResult const&, WebCore::Style::PropertyCascade::IncludedProperties&&) + 1808
11 WebCore 0x1c7247d18 WebCore::Style::Resolver::styleForPseudoElement(WebCore::Element&, WebCore::Style::PseudoElementRequest const&, WebCore::Style::ResolutionContext const&) + 1096
12 WebCore 0x1c7266688 WebCore::Style::TreeResolver::resolvePseudoElement(WebCore::Element&, WebCore::Style::PseudoElementIdentifier const&, WebCore::Style::ElementUpdate const&, WebCore::Style::IsInDisplayNoneTree) + 772
13 WebCore 0x1c725d804 WebCore::Style::TreeResolver::resolveElement(WebCore::Element&, WebCore::RenderStyle const*, WebCore::Style::TreeResolver::ResolutionType) + 2232
14 WebCore 0x1c726a670 WebCore::Style::TreeResolver::resolve() + 3204
Antti Koivisto
Pull request: https://github.com/WebKit/WebKit/pull/50850
Antti Koivisto
Thanks for the reduced test case!
EWS
Committed 300086@main (ec6791966b1e): <https://commits.webkit.org/300086@main>
Reviewed commits have been landed. Closing PR #50850 and removing active labels.
Antti Koivisto
Submitted web-platform-tests pull request: https://github.com/web-platform-tests/wpt/pull/54905
EWS
Committed 297297.436@safari-7622-branch (fc59452adedb): <https://commits.webkit.org/297297.436@safari-7622-branch>
Reviewed commits have been landed. Closing PR #3667 and removing active labels.