Bug 209585 - Crash in RadioButtonGroups::requiredStateChanged
Summary: Crash in RadioButtonGroups::requiredStateChanged
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Forms
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Ryosuke Niwa
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2020-03-26 00:31 PDT by Ryosuke Niwa
Modified: 2020-03-26 14:26 PDT (History)

See Also:


Attachments
Fixes the bug (4.15 KB, patch)
2020-03-26 00:55 PDT, Ryosuke Niwa
zalan: review+

Description Ryosuke Niwa 2020-03-26 00:31:35 PDT
e.g.

1   0x6aa089a19 WTFCrash
2   0x68d1959bb WTFCrashWithInfo(int, char const*, char const*, int)
3   0x68fcb94f7 WebCore::RadioButtonGroups::requiredStateChanged(WebCore::HTMLInputElement&)
4   0x68fff8024 WebCore::HTMLInputElement::requiredStateChanged()
5   0x68ffafa87 WebCore::HTMLFormControlElement::parseAttribute(WebCore::QualifiedName const&, WTF::AtomString const&)
6   0x6900eec5e WebCore::HTMLTextFormControlElement::parseAttribute(WebCore::QualifiedName const&, WTF::AtomString const&)
7   0x68fff43f0 WebCore::HTMLInputElement::parseAttribute(WebCore::QualifiedName const&, WTF::AtomString const&)
8   0x68fb8ccf4 WebCore::Element::attributeChanged(WebCore::QualifiedName const&, WTF::AtomString const&, WTF::AtomString const&, WebCore::Element::AttributeModificationReason)
9   0x68fd1accc WebCore::StyledElement::attributeChanged(WebCore::QualifiedName const&, WTF::AtomString const&, WTF::AtomString const&, WebCore::Element::AttributeModificationReason)
10  0x68fb934b2 WebCore::Element::didAddAttribute(WebCore::QualifiedName const&, WTF::AtomString const&)
11  0x68fb93400 WebCore::Element::addAttributeInternal(WebCore::QualifiedName const&, WTF::AtomString const&, WebCore::Element::SynchronizationOfLazyAttribute)
12  0x68fb8c3f5 WebCore::Element::setAttributeInternal(unsigned int, WebCore::QualifiedName const&, WTF::AtomString const&, WebCore::Element::SynchronizationOfLazyAttribute)
13  0x68fb859c2 WebCore::Element::setAttribute(WebCore::QualifiedName const&, WTF::AtomString const&)
14  0x68fb85925 WebCore::Element::setBooleanAttribute(WebCore::QualifiedName const&, bool)
15  0x68ddda3be WebCore::setJSHTMLInputElementRequiredSetter(JSC::JSGlobalObject&, WebCore::JSHTMLInputElement&, JSC::JSValue, JSC::ThrowScope&)::'lambda'()::operator()() const
16  0x68ddda34d std::__1::enable_if<std::is_same<void, decltype(fp1())>::value, void>::type WebCore::AttributeSetter::call<WebCore::setJSHTMLInputElementRequiredSetter(JSC::JSGlobalObject&, WebCore::JSHTMLInputElement&, JSC::JSValue, JSC::ThrowScope&)::'lambda'()>(JSC::JSGlobalObject&, JSC::ThrowScope&, WebCore::setJSHTMLInputElementRequiredSetter(JSC::JSGlobalObject&, WebCore::JSHTMLInputElement&, JSC::JSValue, JSC::ThrowScope&)::'lambda'()&&)
17  0x68ddda30a WebCore::setJSHTMLInputElementRequiredSetter(JSC::JSGlobalObject&, WebCore::JSHTMLInputElement&, JSC::JSValue, JSC::ThrowScope&)
18  0x68dd2c854 bool WebCore::IDLAttribute<WebCore::JSHTMLInputElement>::set<&(WebCore::setJSHTMLInputElementRequiredSetter(JSC::JSGlobalObject&, WebCore::JSHTMLInputElement&, JSC::JSValue, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, long long, long long, char const*)
19  0x68dd2c6fc WebCore::setJSHTMLInputElementRequired(JSC::JSGlobalObject*, long long, long long)
20  0x6ab74414e JSC::callCustomSetter(JSC::JSGlobalObject*, bool (*)(JSC::JSGlobalObject*, long long, long long), bool, JSC::JSValue, JSC::JSValue)
21  0x6ab744222 JSC::callCustomSetter(JSC::JSGlobalObject*, JSC::JSValue, bool, JSC::JSObject*, JSC::JSValue, JSC::JSValue)
22  0x6ab8c72de JSC::JSObject::putInlineSlow(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&)
23  0x6ab8c6c8e JSC::JSObject::putInlineForJSObject(JSC::JSCell*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&)
Comment 1 Ryosuke Niwa 2020-03-26 00:55:28 PDT
Created attachment 394584 [details]
Fixes the bug
Comment 2 Darin Adler 2020-03-26 10:26:43 PDT
Comment on attachment 394584 [details]
Fixes the bug

View in context: https://bugs.webkit.org/attachment.cgi?id=394584&action=review

> Source/WebCore/dom/RadioButtonGroups.cpp:241
> +        return; // FIXME: Update the radio button group before author script had a chance to run in didFinishInsertingNode().
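Review bot: the early `return;` on a missing group reads as a plain null check, which on its own needs no FIXME; what the comment is trying to capture is the ordering hazard explained later in this bug (an earlier node's didFinishInsertingNode() can run author script that sets `required` on this radio before the radio's own didFinishInsertingNode() has registered it with a group), so either spell that condition out in the comment or drop it and let the regression test document the path. Note that an ASSERT in place of the return would be wrong until that ordering is fixed, because the unregistered state is reachable from script.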

I know this code pretty well, and I at least don’t understand what this comment asks us to fix.
Comment 3 Darin Adler 2020-03-26 10:26:44 PDT
Comment on attachment 394584 [details]
Fixes the bug

View in context: https://bugs.webkit.org/attachment.cgi?id=394584&action=review

> Source/WebCore/dom/RadioButtonGroups.cpp:241
> +        return; // FIXME: Update the radio button group before author script had a chance to run in didFinishInsertingNode().

I know this code pretty well, and I at least don’t understand what this comment asks us to fix.
Comment 4 Ryosuke Niwa 2020-03-26 12:10:22 PDT
(In reply to Darin Adler from comment #3)
> Comment on attachment 394584 [details]
> Fixes the bug
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=394584&action=review
> 
> > Source/WebCore/dom/RadioButtonGroups.cpp:241
> > +        return; // FIXME: Update the radio button group before author script had a chance to run in didFinishInsertingNode().
> 
> I know this code pretty well, and I at least don’t understand what this
> comment asks us to fix.

So the issue is that radio button groups are updated in didFinishInsertingNode() overrides, but didFinishInsertingNode() calls on a node which appears earlier in the tree order could have run arbitrary scripts and accessed this function. This FIXME can go away if we could update the radio button groups before running any author scripts in didFinishInsertingNode() somehow.

e.g.

#34	0x00000001166055c8 in WebCore::JSExecState::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) at /Volumes/Data/webkit/Source/WebCore/bindings/js/JSExecState.h:73
#35	0x000000011662232b in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) at /Volumes/Data/webkit/Source/WebCore/bindings/js/JSEventListener.cpp:180
#36	0x0000000116ce4ee7 in WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WebCore::EventTarget::EventInvokePhase) at /Volumes/Data/webkit/Source/WebCore/dom/EventTarget.cpp:325
#37	0x0000000116ce1104 in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) at /Volumes/Data/webkit/Source/WebCore/dom/EventTarget.cpp:257
#38	0x0000000116d6c442 in WebCore::Node::handleLocalEvents(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) at /Volumes/Data/webkit/Source/WebCore/dom/Node.cpp:2364
#39	0x0000000116ccc281 in WebCore::EventContext::handleLocalEvents(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) const at /Volumes/Data/webkit/Source/WebCore/dom/EventContext.cpp:55
#40	0x0000000116cccd6f in WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) at /Volumes/Data/webkit/Source/WebCore/dom/EventDispatcher.cpp:100
#41	0x0000000116ccc8a7 in WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) at /Volumes/Data/webkit/Source/WebCore/dom/EventDispatcher.cpp:154
#42	0x0000000116d6c49d in WebCore::Node::dispatchEvent(WebCore::Event&) at /Volumes/Data/webkit/Source/WebCore/dom/Node.cpp:2374
#43	0x0000000117933b65 in WebCore::DOMWindow::dispatchLoadEvent() at /Volumes/Data/webkit/Source/WebCore/page/DOMWindow.cpp:2205
#44	0x0000000116bca998 in WebCore::Document::dispatchWindowLoadEvent() at /Volumes/Data/webkit/Source/WebCore/dom/Document.cpp:4762
#45	0x0000000116bca4f5 in WebCore::Document::implicitClose() at /Volumes/Data/webkit/Source/WebCore/dom/Document.cpp:3056
#46	0x000000011778037b in WebCore::FrameLoader::checkCallImplicitClose() at /Volumes/Data/webkit/Source/WebCore/loader/FrameLoader.cpp:957
#47	0x000000011777fe8a in WebCore::FrameLoader::checkCompleted() at /Volumes/Data/webkit/Source/WebCore/loader/FrameLoader.cpp:898
#48	0x000000011777e187 in WebCore::FrameLoader::finishedParsing() at /Volumes/Data/webkit/Source/WebCore/loader/FrameLoader.cpp:808
#49	0x0000000116bdd7e6 in WebCore::Document::finishedParsing() at /Volumes/Data/webkit/Source/WebCore/dom/Document.cpp:5823
#50	0x000000011735c418 in WebCore::HTMLConstructionSite::finishedParsing() at /Volumes/Data/webkit/Source/WebCore/html/parser/HTMLConstructionSite.cpp:419
#51	0x00000001173a4597 in WebCore::HTMLTreeBuilder::finished() at /Volumes/Data/webkit/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2843
#52	0x0000000117363808 in WebCore::HTMLDocumentParser::end() at /Volumes/Data/webkit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:449
#53	0x00000001173616b8 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() at /Volumes/Data/webkit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:458
#54	0x00000001173613e7 in WebCore::HTMLDocumentParser::prepareToStopParsing() at /Volumes/Data/webkit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:153
#55	0x0000000117363872 in WebCore::HTMLDocumentParser::attemptToEnd() at /Volumes/Data/webkit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:470
#56	0x0000000117363949 in WebCore::HTMLDocumentParser::finish() at /Volumes/Data/webkit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:498
#57	0x00000001177185c2 in WebCore::DocumentWriter::end() at /Volumes/Data/webkit/Source/WebCore/loader/DocumentWriter.cpp:288
#58	0x000000011771756f in WebCore::DocumentLoader::finishedLoading() at /Volumes/Data/webkit/Source/WebCore/loader/DocumentLoader.cpp:449
#59	0x0000000117722c64 in WebCore::DocumentLoader::maybeLoadEmpty() at /Volumes/Data/webkit/Source/WebCore/loader/DocumentLoader.cpp:1793
#60	0x0000000117722df5 in WebCore::DocumentLoader::startLoadingMainResource() at /Volumes/Data/webkit/Source/WebCore/loader/DocumentLoader.cpp:1807
#61	0x00000001177b366c in WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WebCore::FormState*, WebCore::NavigationPolicyDecision, WebCore::AllowNavigationToInvalidURL)::$_11::operator()() at /Volumes/Data/webkit/Source/WebCore/loader/FrameLoader.cpp:3547
#62	0x00000001177b2f7e in WTF::Detail::CallableWrapper<WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WebCore::FormState*, WebCore::NavigationPolicyDecision, WebCore::AllowNavigationToInvalidURL)::$_11, void>::call() at /Volumes/Data/webkit/WebKitBuild/Debug/usr/local/include/wtf/Function.h:52
#63	0x00000001142a2362 in WTF::Function<void ()>::operator()() const at /Volumes/Data/webkit/WebKitBuild/Debug/usr/local/include/wtf/Function.h:84
#64	0x00000001143056ee in WTF::CompletionHandler<void ()>::operator()() at /Volumes/Data/webkit/WebKitBuild/Debug/usr/local/include/wtf/CompletionHandler.h:62
#65	0x0000000117789cba in WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WebCore::FormState*, WebCore::NavigationPolicyDecision, WebCore::AllowNavigationToInvalidURL) at /Volumes/Data/webkit/Source/WebCore/loader/FrameLoader.cpp:3551
#66	0x00000001177b0830 in WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::RefPtr<WebCore::FormState, WTF::DumbPtrTraits<WebCore::FormState> >&&, WebCore::AllowNavigationToInvalidURL, WebCore::ShouldTreatAsContinuingLoad, WTF::CompletionHandler<void ()>&&)::$_8::operator()(WebCore::ResourceRequest const&, WTF::WeakPtr<WebCore::FormState>&&, WebCore::NavigationPolicyDecision) at /Volumes/Data/webkit/Source/WebCore/loader/FrameLoader.cpp:1647
#67	0x00000001177b06ec in WTF::Detail::CallableWrapper<WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::RefPtr<WebCore::FormState, WTF::DumbPtrTraits<WebCore::FormState> >&&, WebCore::AllowNavigationToInvalidURL, WebCore::ShouldTreatAsContinuingLoad, WTF::CompletionHandler<void ()>&&)::$_8, void, WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState>&&, WebCore::NavigationPolicyDecision>::call(WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState>&&, WebCore::NavigationPolicyDecision) at /Volumes/Data/webkit/WebKitBuild/Debug/usr/local/include/wtf/Function.h:52
#68	0x00000001177eb9e1 in WTF::Function<void (WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState>&&, WebCore::NavigationPolicyDecision)>::operator()(WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState>&&, WebCore::NavigationPolicyDecision) const at /Volumes/Data/webkit/WebKitBuild/Debug/usr/local/include/wtf/Function.h:84
#69	0x00000001177de1d7 in WTF::CompletionHandler<void (WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState>&&, WebCore::NavigationPolicyDecision)>::operator()(WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState>&&, WebCore::NavigationPolicyDecision) at /Volumes/Data/webkit/WebKitBuild/Debug/usr/local/include/wtf/CompletionHandler.h:62
#70	0x00000001177eef3a in WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest&&, WebCore::ResourceResponse const&, WebCore::DocumentLoader*, WTF::RefPtr<WebCore::FormState, WTF::DumbPtrTraits<WebCore::FormState> >&&, WTF::CompletionHandler<void (WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState>&&, WebCore::NavigationPolicyDecision)>&&, WebCore::PolicyDecisionMode)::$_7::operator()(WebCore::PolicyAction, WebCore::PolicyCheckIdentifier) at /Volumes/Data/webkit/Source/WebCore/loader/PolicyChecker.cpp:237
#71	0x00000001177edcd7 in WTF::Detail::CallableWrapper<WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest&&, WebCore::ResourceResponse const&, WebCore::DocumentLoader*, WTF::RefPtr<WebCore::FormState, WTF::DumbPtrTraits<WebCore::FormState> >&&, WTF::CompletionHandler<void (WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState>&&, WebCore::NavigationPolicyDecision)>&&, WebCore::PolicyDecisionMode)::$_7, void, WebCore::PolicyAction, WebCore::PolicyCheckIdentifier>::call(WebCore::PolicyAction, WebCore::PolicyCheckIdentifier) at /Volumes/Data/webkit/WebKitBuild/Debug/usr/local/include/wtf/Function.h:52
#72	0x000000011777c078 in WTF::Function<void (WebCore::PolicyAction, WebCore::PolicyCheckIdentifier)>::operator()(WebCore::PolicyAction, WebCore::PolicyCheckIdentifier) const at /Volumes/Data/webkit/WebKitBuild/Debug/usr/local/include/wtf/Function.h:84
#73	0x00000001177ddc64 in WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest&&, WebCore::ResourceResponse const&, WebCore::DocumentLoader*, WTF::RefPtr<WebCore::FormState, WTF::DumbPtrTraits<WebCore::FormState> >&&, WTF::CompletionHandler<void (WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState>&&, WebCore::NavigationPolicyDecision)>&&, WebCore::PolicyDecisionMode) at /Volumes/Data/webkit/Source/WebCore/loader/PolicyChecker.cpp:245
#74	0x0000000117788ad1 in WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::RefPtr<WebCore::FormState, WTF::DumbPtrTraits<WebCore::FormState> >&&, WebCore::AllowNavigationToInvalidURL, WebCore::ShouldTreatAsContinuingLoad, WTF::CompletionHandler<void ()>&&) at /Volumes/Data/webkit/Source/WebCore/loader/FrameLoader.cpp:1646
#75	0x0000000117786b1e in WebCore::FrameLoader::loadWithNavigationAction(WebCore::ResourceRequest const&, WebCore::NavigationAction&&, WebCore::LockHistory, WebCore::FrameLoadType, WTF::RefPtr<WebCore::FormState, WTF::DumbPtrTraits<WebCore::FormState> >&&, WebCore::AllowNavigationToInvalidURL, WTF::String const&, WTF::CompletionHandler<void ()>&&) at /Volumes/Data/webkit/Source/WebCore/loader/FrameLoader.cpp:1515
#76	0x0000000117782e07 in WebCore::FrameLoader::loadURL(WebCore::FrameLoadRequest&&, WTF::String const&, WebCore::FrameLoadType, WebCore::Event*, WTF::RefPtr<WebCore::FormState, WTF::DumbPtrTraits<WebCore::FormState> >&&, WTF::Optional<WebCore::AdClickAttribution>&&, WTF::CompletionHandler<void ()>&&) at /Volumes/Data/webkit/Source/WebCore/loader/FrameLoader.cpp:1423
#77	0x0000000117780d09 in WebCore::FrameLoader::loadURLIntoChildFrame(WTF::URL const&, WTF::String const&, WebCore::Frame*) at /Volumes/Data/webkit/Source/WebCore/loader/FrameLoader.cpp:990
#78	0x00000001132eaad7 in WebFrameLoaderClient::createFrame(WTF::URL const&, WTF::String const&, WebCore::HTMLFrameOwnerElement&, WTF::String const&) at /Volumes/Data/webkit/Source/WebKitLegacy/mac/WebCoreSupport/WebFrameLoaderClient.mm:1641
#79	0x0000000117800e48 in WebCore::SubframeLoader::loadSubframe(WebCore::HTMLFrameOwnerElement&, WTF::URL const&, WTF::String const&, WTF::String const&) at /Volumes/Data/webkit/Source/WebCore/loader/SubframeLoader.cpp:343
#80	0x00000001177ff743 in WebCore::SubframeLoader::loadOrRedirectSubframe(WebCore::HTMLFrameOwnerElement&, WTF::URL const&, WTF::AtomString const&, WebCore::LockHistory, WebCore::LockBackForwardList) at /Volumes/Data/webkit/Source/WebCore/loader/SubframeLoader.cpp:310
#81	0x00000001177ff1b0 in WebCore::SubframeLoader::requestFrame(WebCore::HTMLFrameOwnerElement&, WTF::String const&, WTF::AtomString const&, WebCore::LockHistory, WebCore::LockBackForwardList) at /Volumes/Data/webkit/Source/WebCore/loader/SubframeLoader.cpp:99
#82	0x00000001170cc6c8 in WebCore::HTMLFrameElementBase::openURL(WebCore::LockHistory, WebCore::LockBackForwardList) at /Volumes/Data/webkit/Source/WebCore/html/HTMLFrameElementBase.cpp:102
#83	0x00000001170cc8f2 in WebCore::HTMLFrameElementBase::didFinishInsertingNode() at /Volumes/Data/webkit/Source/WebCore/html/HTMLFrameElementBase.cpp:142
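A regression test in the shape the thread asks for, constructed here from the two stack traces in this bug (it is not the test that landed with the fix; the element ids, the group name and the handler names are assumptions): an iframe earlier in tree order than a radio button fires its load event synchronously from didFinishInsertingNode(), and the handler sets `required` on the radio before the radio's own didFinishInsertingNode() has registered it with its group. With the fix applied the page must finish and report PASS; the old code crashed in RadioButtonGroups::requiredStateChanged.

```html
<!DOCTYPE html>
<html>
<head>
<script>
// Constructed regression test (assumed layout; not the test that landed).
// Under WebKit's test runner, report as text and wait for notifyDone().
if (window.testRunner) {
    testRunner.dumpAsText();
    testRunner.waitUntilDone();
}

function log(message) {
    document.getElementById('result').textContent += message + '\n';
}

// Runs synchronously from HTMLFrameElementBase::didFinishInsertingNode()
// while the fragment below is still being inserted: an iframe without src
// loads its empty document immediately and dispatches 'load' on the owner.
function onFrameLoad() {
    const radio = document.getElementById('radio');
    // Same path as the crashing stack: the `required` IDL setter calls
    // requiredStateChanged() on a radio that is connected to the document
    // but not yet registered with any radio button group.
    radio.required = true;
    log('PASS: setting required from an earlier node\'s load handler did not crash');
}

function runTest() {
    const fragment = document.createDocumentFragment();

    const frame = document.createElement('iframe');
    frame.onload = onFrameLoad;     // no src: empty document, synchronous load
    fragment.appendChild(frame);

    const radio = document.createElement('input');
    radio.type = 'radio';
    radio.name = 'group';           // fresh name: nothing registered under it yet
    radio.id = 'radio';
    fragment.appendChild(radio);    // later in tree order than the iframe

    // One insertion: didFinishInsertingNode() runs for the iframe first
    // (running onFrameLoad), then for the radio, which joins its group.
    document.body.appendChild(fragment);

    // The group must have picked up the required state set before
    // registration: a required group with nothing checked is value-missing.
    log(radio.validity.valueMissing
        ? 'PASS: group state reflects required after registration'
        : 'FAIL: required state was lost during group registration');
    if (window.testRunner)
        testRunner.notifyDone();
}
</script>
</head>
<body onload="runTest()">
<pre id="result"></pre>
</body>
</html>
```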
Comment 5 Ryosuke Niwa 2020-03-26 12:53:53 PDT
(In reply to Ryosuke Niwa from comment #4)
> (In reply to Darin Adler from comment #3)
> > Comment on attachment 394584 [details]
> > Fixes the bug
> > 
> > View in context:
> > https://bugs.webkit.org/attachment.cgi?id=394584&action=review
> > 
> > > Source/WebCore/dom/RadioButtonGroups.cpp:241
> > > +        return; // FIXME: Update the radio button group before author script had a chance to run in didFinishInsertingNode().
> > 
> > I know this code pretty well, and I at least don’t understand what this
> > comment asks us to fix.
> 
> So the issue is that radio button groups are updated in
> didFinishInsertingNode() overrides but didFinishInsertingNode() calls on a
> node which appears earlier in the tree order could have run arbitrary
> scripts and accessed this function. This FIXME can go away if we could
> update the radio button groups before running any author scripts in
> didFinishInsertingNode() somehow.

Maybe we can rephrase it like this:

FIXME: Update the radio button groups before didFinishInsertingNode() on other nodes which appear earlier in the tree order could have run scripts and mutated the DOM

WDYT?
Comment 6 Darin Adler 2020-03-26 13:02:53 PDT
I don’t think this null check requires a FIXME. It makes total sense that if there’s no group we don’t update it, and doesn’t really "raise my eyebrows" much.

I do think we might want to add an assertion if we could resolve the FIXME. But this doesn’t seem super-important to me. Not sure we need to record it in the code at all. What we do need is a test case that exercises this!
Comment 7 Ryosuke Niwa 2020-03-26 13:05:50 PDT
(In reply to Darin Adler from comment #6)
> I don’t think this null check requires a FIXME. It makes total sense that if
> there’s no group we don’t update it, and doesn’t really "raise my eyebrows"
> much.
>
> I do think we might want to add an assertion if we could resolve the FIXME.
> But this doesn’t seem super-important to me. Not sure we need to record it
> in the code at all. What we do need is a test case that exercises this!

Sure. The newly added test does exercise this code path.
Comment 8 Ryosuke Niwa 2020-03-26 13:06:38 PDT
I'm gonna land the patch without FIXME.
Comment 9 Ryosuke Niwa 2020-03-26 14:25:23 PDT
Committed r259079: <https://trac.webkit.org/changeset/259079>
Comment 10 Radar WebKit Bug Importer 2020-03-26 14:26:14 PDT
<rdar://problem/60936486>