Bug 202910 - Chromium test-case asserts with ASSERTION FAILED: hasLayer() and crashes optimized build near null
Summary: Chromium test-case asserts with ASSERTION FAILED: hasLayer() and crashes opti...
Status: RESOLVED DUPLICATE of bug 205474
Alias: None
Product: WebKit
Classification: Unclassified
Component: Scrolling (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2019-10-13 14:32 PDT by Emilio Cobos Álvarez (:emilio)
Modified: 2021-08-20 04:17 PDT (History)
4 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Emilio Cobos Álvarez (:emilio) 2019-10-13 14:32:01 PDT 
On master (247b0314320d499ae788b6ea993aa1d98e2d607e / r250962), WebKitGTK build.

Running this test-case: https://cs.chromium.org/chromium/src/third_party/blink/web_tests/fast/css/sticky/sticky-table-col-crash.html?rcl=753caf715d8f30f0c673f1b4b36dadfc75c3201f

Asserts with:

ASSERTION FAILED: hasLayer()
../../Source/WebCore/rendering/RenderBoxModelObject.cpp(563) : WebCore::LayoutSize WebCore::RenderBoxModelObject::stickyPositionOffset() const
1   0x7f9ceb98a3d3 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(WTFCrash+0x9) [0x7f9ceb98a3d3]
2   0x7f9cf76335f2 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN3WTF15CrashOnOverflow10overflowedEv+0) [0x7f9cf76335f2]
3   0x7f9cfa7d9874 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNK7WebCore20RenderBoxModelObject20stickyPositionOffsetEv+0x52) [0x7f9cfa7d9874]
4   0x7f9cfa7d995a /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNK7WebCore20RenderBoxModelObject23offsetForInFlowPositionEv+0x46) [0x7f9cfa7d995a]
5   0x7f9cfa7c8682 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNK7WebCore9RenderBox19offsetFromContainerERNS_13RenderElementERKNS_11LayoutPointEPb+0x9e) [0x7f9cfa7c8682]
6   0x7f9cfa7c7ffd /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNK7WebCore9RenderBox19mapLocalToContainerEPKNS_22RenderLayerModelObjectERNS_14TransformStateEjPb+0x279) [0x7f9cfa7c7ffd]
7   0x7f9cfa93dca9 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNK7WebCore12RenderObject15localToAbsoluteERKNS_10FloatPointEjPb+0x5f) [0x7f9cfa93dca9]
8   0x7f9cfa833151 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNK7WebCore13RenderElement16getLeadingCornerERNS_10FloatPointERb+0x8b) [0x7f9cfa833151]
9   0x7f9cfa8339ad /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZNK7WebCore13RenderElement18absoluteAnchorRectEPb+0x53) [0x7f9cfa8339ad]
10  0x7f9cf9a6142c /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN7WebCore7Element14scrollIntoViewEON3WTF8OptionalINS1_7VariantIJbNS_21ScrollIntoViewOptionsEEEEEE+0x74) [0x7f9cf9a6142c]
11  0x7f9cf873e440 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0xb6e6440) [0x7f9cf873e440]
12  0x7f9cf8754da2 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0xb6fcda2) [0x7f9cf8754da2]
13  0x7f9cf873e473 /home/emilio/src/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(_ZN7WebCore40jsElementPrototypeFunctionScrollIntoViewEPN3JSC14JSGlobalObjectEPNS0_9CallFrameE+0x23) [0x7f9cf873e473]
14  0x7f9c95fce16b [0x7f9c95fce16b]

This also crashes Epiphany (and probably Safari).
Comment 1 Emilio Cobos Álvarez (:emilio) 2019-10-13 14:39:07 PDT 
Err, sorry. It's a nullptr crash, so not security-sensitive.
Comment 2 Emilio Cobos Álvarez (:emilio) 2019-10-13 14:47:34 PDT 
Disregard previous comment, I accidentally thought I had filed this as security.
Comment 3 Alexey Proskuryakov 2019-10-14 17:18:54 PDT 
This looks similar to:

rdar://problem/53667513
Comment 4 Martin Robinson 2021-08-20 04:17:47 PDT 

*** This bug has been marked as a duplicate of bug 205474 ***