Created attachment 242806 [details]
Test case

run this test with debug WK:

<!DOCTYPE html>
<dt><details open>
<style>
* {
    -webkit-flow-into:foo;
}
</style>


Note: If you put any of the required closing tags of <dt> or <details> element then we don't crash.


Backtrace:

ASSERTION FAILED: !m_mapNamedFlowContentElement.contains(&contentElement)
../../Source/WebCore/rendering/FlowThreadController.cpp(98) : void WebCore::FlowThreadController::registerNamedFlowContentElement(WebCore::Element&, WebCore::RenderNamedFlowThread&)

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fff98927700 (LWP 24528)]
0x00007fffedbca36f in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
321	    *(int *)(uintptr_t)0xbbadbeef = 0;
#0  0x00007fffedbca36f in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
#1  0x00007ffff38ff2bd in WebCore::FlowThreadController::registerNamedFlowContentElement (this=0x7cfc50, contentElement=..., namedFlow=...) at ../../Source/WebCore/rendering/FlowThreadController.cpp:98
#2  0x00007ffff3c382c0 in WebCore::Style::moveToFlowThreadIfNeeded (element=..., style=...) at ../../Source/WebCore/style/StyleResolveTree.cpp:273
#3  0x00007ffff3c383f2 in WebCore::Style::createRendererIfNeeded (element=..., inheritedStyle=..., renderTreePosition=..., resolvedStyle=...) at ../../Source/WebCore/style/StyleResolveTree.cpp:292
#4  0x00007ffff3c39a57 in WebCore::Style::attachRenderTree (current=..., inheritedStyle=..., renderTreePosition=..., resolvedStyle=...) at ../../Source/WebCore/style/StyleResolveTree.cpp:615
#5  0x00007ffff3c390d1 in WebCore::Style::attachChildren (current=..., inheritedStyle=..., renderTreePosition=...) at ../../Source/WebCore/style/StyleResolveTree.cpp:484
#6  0x00007ffff3c39b2e in WebCore::Style::attachRenderTree (current=..., inheritedStyle=..., renderTreePosition=..., resolvedStyle=...) at ../../Source/WebCore/style/StyleResolveTree.cpp:629
#7  0x00007ffff3c390d1 in WebCore::Style::attachChildren (current=..., inheritedStyle=..., renderTreePosition=...) at ../../Source/WebCore/style/StyleResolveTree.cpp:484
#8  0x00007ffff3c39b2e in WebCore::Style::attachRenderTree (current=..., inheritedStyle=..., renderTreePosition=..., resolvedStyle=...) at ../../Source/WebCore/style/StyleResolveTree.cpp:629
#9  0x00007ffff3c390d1 in WebCore::Style::attachChildren (current=..., inheritedStyle=..., renderTreePosition=...) at ../../Source/WebCore/style/StyleResolveTree.cpp:484
#10 0x00007ffff3c39b2e in WebCore::Style::attachRenderTree (current=..., inheritedStyle=..., renderTreePosition=..., resolvedStyle=...) at ../../Source/WebCore/style/StyleResolveTree.cpp:629
#11 0x00007ffff3c390d1 in WebCore::Style::attachChildren (current=..., inheritedStyle=..., renderTreePosition=...) at ../../Source/WebCore/style/StyleResolveTree.cpp:484
#12 0x00007ffff3c39b2e in WebCore::Style::attachRenderTree (current=..., inheritedStyle=..., renderTreePosition=..., resolvedStyle=...) at ../../Source/WebCore/style/StyleResolveTree.cpp:629
#13 0x00007ffff3c3a378 in WebCore::Style::resolveLocal (current=..., inheritedStyle=..., renderTreePosition=..., inheritedChange=WebCore::Style::Force) at ../../Source/WebCore/style/StyleResolveTree.cpp:756
#14 0x00007ffff3c3ab2f in WebCore::Style::resolveTree (current=..., inheritedStyle=..., renderTreePosition=..., change=WebCore::Style::Force) at ../../Source/WebCore/style/StyleResolveTree.cpp:918
#15 0x00007ffff3c3b099 in WebCore::Style::resolveTree (document=..., change=WebCore::Style::Force) at ../../Source/WebCore/style/StyleResolveTree.cpp:997
#16 0x00007ffff30657ff in WebCore::Document::recalcStyle (this=0x655fc0, change=WebCore::Style::Force) at ../../Source/WebCore/dom/Document.cpp:1796
#17 0x00007ffff3065b0a in WebCore::Document::updateStyleIfNeeded (this=0x655fc0) at ../../Source/WebCore/dom/Document.cpp:1841
#18 0x00007ffff3070c7d in WebCore::Document::finishedParsing (this=0x655fc0) at ../../Source/WebCore/dom/Document.cpp:4613
#19 0x00007ffff33c6039 in WebCore::HTMLConstructionSite::finishedParsing (this=0x7cfd98) at ../../Source/WebCore/html/parser/HTMLConstructionSite.cpp:395
#20 0x00007ffff3403a33 in WebCore::HTMLTreeBuilder::finished (this=0x7cfd80) at ../../Source/WebCore/html/parser/HTMLTreeBuilder.cpp:3009
#21 0x00007ffff33ced4e in WebCore::HTMLDocumentParser::end (this=0x81df20) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:439
#22 0x00007ffff33cee39 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd (this=0x81df20) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:450
#23 0x00007ffff33cd8e7 in WebCore::HTMLDocumentParser::prepareToStopParsing (this=0x81df20) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:165
#24 0x00007ffff33cee7c in WebCore::HTMLDocumentParser::attemptToEnd (this=0x81df20) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:462
#25 0x00007ffff33cef33 in WebCore::HTMLDocumentParser::finish (this=0x81df20) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:490
#26 0x00007ffff3538b7f in WebCore::DocumentWriter::end (this=0x73c1a0) at ../../Source/WebCore/loader/DocumentWriter.cpp:246
#27 0x00007ffff35248db in WebCore::DocumentLoader::finishedLoading (this=0x73c100, finishTime=0) at ../../Source/WebCore/loader/DocumentLoader.cpp:440
#28 0x00007ffff3524644 in WebCore::DocumentLoader::notifyFinished (this=0x73c100, resource=0x8d3650) at ../../Source/WebCore/loader/DocumentLoader.cpp:374
#29 0x00007ffff35d5370 in WebCore::CachedResource::checkNotify (this=0x8d3650) at ../../Source/WebCore/loader/cache/CachedResource.cpp:293
#30 0x00007ffff35d546e in WebCore::CachedResource::finishLoading (this=0x8d3650) at ../../Source/WebCore/loader/cache/CachedResource.cpp:309
#31 0x00007ffff35d1b63 in WebCore::CachedRawResource::finishLoading (this=0x8d3650, data=0x7a0840) at ../../Source/WebCore/loader/cache/CachedRawResource.cpp:104
#32 0x00007ffff358594c in WebCore::SubresourceLoader::didFinishLoading (this=0x8d3d20, finishTime=0) at ../../Source/WebCore/loader/SubresourceLoader.cpp:306
#33 0x00007ffff35816e1 in WebCore::ResourceLoader::didFinishLoading (this=0x8d3d20, finishTime=0) at ../../Source/WebCore/loader/ResourceLoader.cpp:508
#34 0x00007ffff3f303e1 in WebCore::readCallback (asyncResult=0x68b1d0, data=0x8d5000) at ../../Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp:1300
#35 0x00007fffeb7ab7d6 in async_ready_callback_wrapper (source_object=0x7c66d0, res=0x68b1d0, user_data=user_data@entry=0x8d5000) at ginputstream.c:523
#36 0x00007fffeb7d10d5 in g_task_return_now (task=0x68b1d0) at gtask.c:1077
#37 0x00007fffeb7d10f9 in complete_in_idle_cb (task=0x68b1d0) at gtask.c:1086
#38 0x00007fffeaa10a1d in g_main_dispatch (context=0x4780a0) at gmain.c:3064
#39 g_main_context_dispatch (context=context@entry=0x4780a0) at gmain.c:3663
#40 0x00007fffeaa10d88 in g_main_context_iterate (context=0x4780a0, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3734
#41 0x00007fffeaa1104a in g_main_loop_run (loop=0x8eb810) at gmain.c:3928
#42 0x00007ffff45df9dc in WTF::RunLoop::run () at ../../Source/WTF/wtf/gtk/RunLoopGtk.cpp:59
#43 0x00007ffff2b44f82 in WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain> (argc=2, argv=0x7fffffffd978) at ../../Source/WebKit2/Shared/unix/ChildProcessMain.h:61
#44 0x00007ffff2b44de7 in WebKit::WebProcessMainUnix (argc=2, argv=0x7fffffffd978) at ../../Source/WebKit2/WebProcess/gtk/WebProcessMainGtk.cpp:73
#45 0x0000000000400891 in main (argc=2, argv=0x7fffffffd978) at ../../Source/WebKit2/WebProcess/EntryPoint/unix/WebProcessMain.cpp:44