RESOLVED FIXED 211159
Specific dom node order of Shadow DOM (re)projection causes crash
https://bugs.webkit.org/show_bug.cgi?id=211159
Elliott Marquez
Reported 2020-04-28 17:55:53 PDT
Created attachment 397914
Reproduction of failure

Hello, there seems to be some mix of issues projecting a <slot>'s default content into a shadow root that has both a named and nameless slot. I have attached a reproduction case and here is a JSbin for a live example: https://jsbin.com/qicoganici/1/edit

Some quirks I've found:

Removing the named slot:

<div>
  <slot></slot>
</div>

moving it into the same div as the nameless slot:

<div>
  <slot name="named"></slot>
  <slot></slot>
</div>

or moving it after the nameless slot:

<div>
  <slot></slot>
</div>
<slot name="named"></slot>

seems to prevent this crash.

Additionally, removing the default content (the text node "default" in this example):

<my-element-inner>
  <slot></slot>
  <div slot="named">named slot</div>
</my-element-inner>

wrapping the slot in the outer element with a span or div:

<my-element-inner>
  <span><slot>default</slot></span>
  <div slot="named">named slot</div>
</my-element-inner>

or actually projecting a value into the outer element:

<my-element-outer>projected</my-element-outer>

also seems to prevent this crash.

Notably, simply wrapping the named slot in an element:

<div>
  <slot name="named"></slot>
</div>
<div>
  <slot></slot>
</div>

does not prevent this crash.

Confirmed this crash on Safari 13.1 (WK: 156609.1.20.111.8) and 13.2 (WK: 15610.1.10)
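To make the structure in the report easier to follow, here is an added example (not the reporter's attachment and not WebKit code): a plain-JavaScript model of the HTML spec's slot assignment ("find a slot": the first <slot> in the host's shadow tree whose name matches the slottable's slot attribute) that renders the flat tree. The element names my-element-outer and my-element-inner and the text nodes are taken from the report; the helper functions, the node representation and the '|'-joined text output are assumptions of this example. It shows what is being reprojected in the crashing configuration: the outer slot's fallback text "default" flows through the inner element's nameless slot, whereas projecting "projected" into the outer element replaces that fallback.

```javascript
// Added example: a plain-JavaScript model of Shadow DOM slot assignment,
// not the reporter's attachment and not WebKit code. It follows the HTML
// spec's "find a slot" rule (first <slot> in the shadow tree whose name
// matches the slottable's slot attribute) and renders the flat tree, so the
// reprojection the report describes can be traced without a browser.

// Element node: tag, attributes, light-DOM children, and an optional shadow
// tree (array of nodes). Text nodes are plain strings.
function el(tag, attrs = {}, children = [], shadow = null) {
  return { tag, attrs, children, shadow };
}

// "Find a slot": first <slot> in the host's shadow tree, in tree order,
// whose name equals the slottable's slot attribute ('' for the default slot).
function findSlot(slottable, shadowChildren) {
  const name = typeof slottable === 'string' ? '' : slottable.attrs.slot || '';
  const walk = (nodes) => {
    for (const n of nodes) {
      if (typeof n === 'string') continue;
      if (n.tag === 'slot' && (n.attrs.name || '') === name) return n;
      const found = walk(n.children);
      if (found) return found;
    }
    return null;
  };
  return walk(shadowChildren);
}

// Walk the whole tree and record, for every slot, the nodes assigned to it.
// A slot that never appears in the map has nothing assigned and will show
// its fallback content.
function collectAssignments(node, out = new Map()) {
  if (typeof node === 'string') return out;
  if (node.shadow) {
    for (const child of node.children) {
      const slot = findSlot(child, node.shadow);
      if (slot) {
        if (!out.has(slot)) out.set(slot, []);
        out.get(slot).push(child);
      }
    }
    node.shadow.forEach((n) => collectAssignments(n, out));
  }
  node.children.forEach((c) => collectAssignments(c, out));
  return out;
}

// Flat (rendered) tree: a host renders its shadow tree; a slot renders its
// assigned nodes or, when nothing was assigned, its own children (fallback).
function flatten(node, assigned) {
  if (typeof node === 'string') return node;
  let kids;
  if (node.shadow) kids = node.shadow;
  else if (node.tag === 'slot') kids = assigned.get(node) || node.children;
  else kids = node.children;
  return { tag: node.tag, children: kids.map((k) => flatten(k, assigned)) };
}

// Text of the flat tree, depth-first, '|' between sibling subtrees.
function renderedText(flat) {
  if (typeof flat === 'string') return flat;
  return flat.children.map(renderedText).join('|');
}

// The structure from the report: <my-element-outer> whose shadow tree holds
// <my-element-inner> with <slot>default</slot> and a named <div>; the inner
// element's shadow tree has the named slot and the nameless slot in separate
// <div>s. `projected` is optional light-DOM text for the outer element.
function buildReportedTree(projected) {
  const inner = el('my-element-inner', {},
    [el('slot', {}, ['default']), el('div', { slot: 'named' }, ['named slot'])],
    [el('div', {}, [el('slot', { name: 'named' })]), el('div', {}, [el('slot')])]);
  return el('my-element-outer', {}, projected ? [projected] : [], [inner]);
}

function flatTreeText(projected) {
  const tree = buildReportedTree(projected);
  return renderedText(flatten(tree, collectAssignments(tree)));
}

// With no light-DOM content, the outer slot's fallback "default" is what gets
// reprojected through the inner nameless slot (the crashing case in the
// report); with projected content the fallback is never rendered.
console.log(flatTreeText(null));        // named slot|default
console.log(flatTreeText('projected')); // named slot|projected
```

The model deliberately treats the outer <slot> element as an ordinary slottable child of my-element-inner, which is exactly the double-hop (slot assigned to a slot) that the report's variants add or remove; changing `buildReportedTree` to any of the listed layouts shows the same text but a different flat-tree shape.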
Attachments
Reproduction of failure (4.50 KB, text/html)
2020-04-28 17:55 PDT, Elliott Marquez
no flags
patch (3.98 KB, patch)
2020-05-01 06:26 PDT, Antti Koivisto
no flags
Alexey Proskuryakov
Comment 1 2020-04-29 17:57:52 PDT
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.WebCore 0x00007fff40c872a3 WebCore::RenderTreeBuilder::Block::attachIgnoringContinuation(WebCore::RenderBlock&, std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) + 67
1 com.apple.WebCore 0x00007fff40c86f56 WebCore::RenderTreeBuilder::Block::attach(WebCore::RenderBlock&, std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) + 86
2 com.apple.WebCore 0x00007fff40c8ae4a WebCore::RenderTreeBuilder::BlockFlow::attach(WebCore::RenderBlockFlow&, std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) + 298
3 com.apple.WebCore 0x00007fff40c86d7b WebCore::RenderTreeBuilder::attach(WebCore::RenderElement&, std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) + 1739
4 com.apple.WebCore 0x00007fff40c96d08 WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >) + 5912
5 com.apple.WebCore 0x00007fff4024f89c WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) + 1468
6 com.apple.WebCore 0x00007fff3ef6d044 WebCore::Document::updateStyleIfNeeded() + 468
7 com.apple.WebCore 0x00007fff3ef6cb0b WebCore::Document::finishedParsing() + 539
8 com.apple.WebCore 0x00007fff3ef641b4 WebCore::HTMLDocumentParser::prepareToStopParsing() + 196
9 com.apple.WebCore 0x00007fff3ef63ed4 WebCore::HTMLDocumentParser::finish() + 388
10 com.apple.WebCore 0x00007fff406eff21 WebCore::DocumentLoader::finishedLoading() + 545
11 com.apple.WebCore 0x00007fff3efce24c WebCore::CachedResource::checkNotify() + 92
12 com.apple.WebCore 0x00007fff4077d099 WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) + 1241
Radar WebKit Bug Importer
Comment 2 2020-04-29 17:58:04 PDT
Antti Koivisto
Comment 3 2020-05-01 06:26:18 PDT
EWS
Comment 4 2020-05-01 07:35:16 PDT
Committed r260997: <https://trac.webkit.org/changeset/260997>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 398176.