Created attachment 355234 [details] Test Load the attached test with debug WebKitTestRunner / MiniBrowser: <audio controls style="padding: 119vh 71vh 33vh"> The failure can be triggered both with Mac and GTK builds. Checked revision: bd74428d9fb Backtrace: SHOULD NEVER BE REACHED ./rendering/RenderElement.cpp(1267) : virtual void WebCore::RenderElement::visibleInViewportStateChanged() 1 0x1388e0d39 WTFCrash 2 0x117ac00b0 WTF::Vector<unsigned char, 0ul, WTF::CrashOnOverflow, 16ul>::Vector() 3 0x1200b3cc4 WebCore::RenderElement::visibleInViewportStateChanged() 4 0x1200b3c5b WebCore::RenderElement::setVisibleInViewportState(WebCore::VisibleInViewportState) 5 0x12070df94 WebCore::RenderView::updateVisibleViewportRect(WebCore::IntRect const&) 6 0x11ec13c4b WebCore::FrameView::viewportContentsChanged()::$_2::operator()(WebCore::FrameView&, WebCore::IntRect const&) const 7 0x11ec13b54 WTF::Function<void (WebCore::FrameView&, WebCore::IntRect const&)>::CallableWrapper<WebCore::FrameView::viewportContentsChanged()::$_2>::call(WebCore::FrameView&, WebCore::IntRect const&) 8 0x11eb93efc WTF::Function<void (WebCore::FrameView&, WebCore::IntRect const&)>::operator()(WebCore::FrameView&, WebCore::IntRect const&) const 9 0x11eb8ae8a WebCore::FrameView::applyRecursivelyWithVisibleRect(WTF::Function<void (WebCore::FrameView&, WebCore::IntRect const&)> const&) 10 0x11eb670d4 WebCore::FrameView::viewportContentsChanged() 11 0x11eb9a465 WebCore::FrameView::performPostLayoutTasks() 12 0x11ebc1cbb WebCore::FrameViewLayoutContext::runAsynchronousTasks() 13 0x11ebc2ce2 WebCore::FrameViewLayoutContext::runOrScheduleAsynchronousTasks() 14 0x11eb57a2c WebCore::FrameViewLayoutContext::layout() 15 0x11eb95e8d WebCore::FrameView::updateContentsSize() 16 0x11f078c23 WebCore::ScrollView::updateScrollbars(WebCore::IntPoint const&) 17 0x11f07f74c WebCore::ScrollView::setContentsSize(WebCore::IntSize const&) 18 0x11eb64d6e WebCore::FrameView::setContentsSize(WebCore::IntSize const&) 19 0x11eb50822 WebCore::FrameView::adjustViewSize() 20 0x11eb577ab WebCore::FrameViewLayoutContext::layout() 21 0x11d163663 WebCore::Document::updateLayout() 22 0x11d166fda WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks) 23 0x11ca39c0f WebCore::ComputedStyleExtractor::propertyValue(WebCore::CSSPropertyID, WebCore::EUpdateLayout) 24 0x11ca3957e WebCore::CSSComputedStyleDeclaration::getPropertyCSSValue(WebCore::CSSPropertyID, WebCore::EUpdateLayout) const 25 0x11ca77c7a WebCore::CSSComputedStyleDeclaration::getPropertyCSSValueInternal(WebCore::CSSPropertyID) 26 0x11cc3f6b5 WebCore::CSSStyleDeclaration::namedItem(WTF::AtomicString const&) 27 0x1186e628d std::optional<WTF::Variant<WTF::String, double> > WebCore::JSCSSStyleDeclaration::getOwnPropertySlot(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&)::$_0::operator()<WebCore::JSCSSStyleDeclaration, JSC::PropertyName>(WebCore::JSCSSStyleDeclaration&, JSC::PropertyName) const 28 0x1186b7ed9 decltype(fp2(fp0, fp1)) WebCore::accessVisibleNamedProperty<(WebCore::OverrideBuiltins)0, WebCore::JSCSSStyleDeclaration, WebCore::JSCSSStyleDeclaration::getOwnPropertySlot(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&)::$_0&>(JSC::ExecState&, WebCore::JSCSSStyleDeclaration&, JSC::PropertyName, WebCore::JSCSSStyleDeclaration::getOwnPropertySlot(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&)::$_0&&&) 29 0x1186b4e88 WebCore::JSCSSStyleDeclaration::getOwnPropertySlot(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) 30 0x1398fde3c JSC::JSObject::getNonIndexPropertySlot(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) 31 0x1398fb93f bool JSC::JSObject::getPropertySlot<false>(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&)