Bug 211159 - Specific dom node order of Shadow DOM (re)projection causes crash
Summary: Specific dom node order of Shadow DOM (re)projection causes crash
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM
Version: Safari 13
Hardware: Mac macOS 10.15
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
Reported: 2020-04-28 17:55 PDT by Elliott Marquez
Modified: 2020-05-01 07:35 PDT

See Also:


Attachments
Reproduction of failure (4.50 KB, text/html)
2020-04-28 17:55 PDT, Elliott Marquez
patch (3.98 KB, patch)
2020-05-01 06:26 PDT, Antti Koivisto

Description Elliott Marquez 2020-04-28 17:55:53 PDT
Created attachment 397914
Reproduction of failure

Hello, there seems to be some mix of issues projecting a <slot>'s default content into a shadow root that has both a named and nameless slot. I have attached a reproduction case and here is a JSbin for a live example:

https://jsbin.com/qicoganici/1/edit

Some quirks I've found:

Removing the named slot:

<div>
  <slot></slot>
</div>


moving it into the same div as the nameless slot:

<div>
  <slot name="named"></slot>
  <slot></slot>
</div>


or moving it after the nameless slot:

<div>
  <slot></slot>
</div>
<slot name="named"></slot>


seems to prevent this crash. Additionally, removing the default content (the text node "default" in this example):

<my-element-inner>
  <slot></slot>
  <div slot="named">named slot</div>
</my-element-inner>


wrapping the slot in the outer element with a span or div:

<my-element-inner>
  <span><slot>default</slot></span>
  <div slot="named">named slot</div>
</my-element-inner>


or actually projecting a value into the outer element:

<my-element-outer>projected</my-element-outer>


also seems to prevent this crash as well. Notably, simply wrapping the named slot in an element:

<div>
  <slot name="named"></slot>
</div>
<div>
  <slot></slot>
</div>

does not prevent this crash. Confirmed this crash on Safari 13.1 (WK: 156609.1.20.111.8) and 13.2 (WK: 15610.1.10).
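To make the structure described above concrete, here is a single-file reconstruction assembled from the fragments in the report (the "does not prevent" layout for the inner shadow root, the outer shadow root with the fallback text "default", and an outer element with nothing projected into it). This is an added example, not the reporter's attachment or the JSbin; the custom element names are taken from the fragments, but how the original defined them (constructor vs. connectedCallback, template vs. innerHTML) is an assumption. On a fixed engine it does not crash, and the script at the end confirms the re-projection is resolving as intended: the inner element's nameless slot, when flattened, should yield the outer slot's fallback text node.

```html
<!DOCTYPE html>
<!-- Reconstructed from the fragments in the bug report; not the original attachment. -->
<my-element-outer></my-element-outer>
<script>
  // Inner element: named slot wrapped in its own div, nameless slot in a second div.
  // This is the layout the reporter says still crashes on Safari 13.1/13.2.
  class MyElementInner extends HTMLElement {
    constructor() {
      super();
      this.attachShadow({ mode: 'open' }).innerHTML =
        '<div><slot name="named"></slot></div>' +
        '<div><slot></slot></div>';
    }
  }

  // Outer element: re-projects its own nameless slot (with fallback text "default")
  // into the inner element's nameless slot, and supplies a child for the named slot.
  // No whitespace between children, so only the two intended nodes are slotted.
  class MyElementOuter extends HTMLElement {
    constructor() {
      super();
      this.attachShadow({ mode: 'open' }).innerHTML =
        '<my-element-inner>' +
          '<slot>default</slot>' +
          '<div slot="named">named slot</div>' +
        '</my-element-inner>';
    }
  }

  customElements.define('my-element-inner', MyElementInner);
  customElements.define('my-element-outer', MyElementOuter);

  // Check the slot assignment on an engine that survives the render-tree build:
  // the inner nameless slot is assigned the outer <slot>, and flattening that slot
  // (which has no assigned nodes of its own) falls back to its child text "default".
  const outer = document.querySelector('my-element-outer');
  const inner = outer.shadowRoot.querySelector('my-element-inner');
  const innerSlot = inner.shadowRoot.querySelector('slot:not([name])');
  const flattened = innerSlot.assignedNodes({ flatten: true })
    .map(n => n.textContent.trim())
    .filter(Boolean);
  console.log(flattened); // expected on a fixed engine: ["default"]
</script>
```

Because the crash stack in Comment 1 ends in `Document::finishedParsing`, the page is loaded as a file rather than built incrementally from the console, so the render tree is attached in the same way the report describes. Removing the outer `<div>` wrapper around the named slot, or adding a child to `<my-element-outer>`, exercises the variants the reporter lists as avoiding the crash.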
Comment 1 Alexey Proskuryakov 2020-04-29 17:57:52 PDT
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x00007fff40c872a3 WebCore::RenderTreeBuilder::Block::attachIgnoringContinuation(WebCore::RenderBlock&, std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) + 67
1   com.apple.WebCore             	0x00007fff40c86f56 WebCore::RenderTreeBuilder::Block::attach(WebCore::RenderBlock&, std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) + 86
2   com.apple.WebCore             	0x00007fff40c8ae4a WebCore::RenderTreeBuilder::BlockFlow::attach(WebCore::RenderBlockFlow&, std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) + 298
3   com.apple.WebCore             	0x00007fff40c86d7b WebCore::RenderTreeBuilder::attach(WebCore::RenderElement&, std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) + 1739
4   com.apple.WebCore             	0x00007fff40c96d08 WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >) + 5912
5   com.apple.WebCore             	0x00007fff4024f89c WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) + 1468
6   com.apple.WebCore             	0x00007fff3ef6d044 WebCore::Document::updateStyleIfNeeded() + 468
7   com.apple.WebCore             	0x00007fff3ef6cb0b WebCore::Document::finishedParsing() + 539
8   com.apple.WebCore             	0x00007fff3ef641b4 WebCore::HTMLDocumentParser::prepareToStopParsing() + 196
9   com.apple.WebCore             	0x00007fff3ef63ed4 WebCore::HTMLDocumentParser::finish() + 388
10  com.apple.WebCore             	0x00007fff406eff21 WebCore::DocumentLoader::finishedLoading() + 545
11  com.apple.WebCore             	0x00007fff3efce24c WebCore::CachedResource::checkNotify() + 92
12  com.apple.WebCore             	0x00007fff4077d099 WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) + 1241
Comment 2 Radar WebKit Bug Importer 2020-04-29 17:58:04 PDT
<rdar://problem/62626920>
Comment 3 Antti Koivisto 2020-05-01 06:26:18 PDT
Created attachment 398176
patch
Comment 4 EWS 2020-05-01 07:35:16 PDT
Committed r260997: <https://trac.webkit.org/changeset/260997>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 398176.