223369 – Nullopt in RenderFlexibleBox::layoutFlexItems in RenderFlexibleBox::layoutBlock via RenderMultiColumnFlow::layout

Bug 223369 - Nullopt in RenderFlexibleBox::layoutFlexItems in RenderFlexibleBox::layoutBlock via RenderMultiColumnFlow::layout

Summary: Nullopt in RenderFlexibleBox::layoutFlexItems in RenderFlexibleBox::layoutBlo...

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	Layout and Rendering (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Sergio Villar Senin

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2021-03-17 01:41 PDT by Ryosuke Niwa
Modified:	2021-04-30 04:46 PDT (History)
CC List:	14 users (show)

See Also:

Attachments
Test (513.87 KB, text/html) 2021-03-17 01:41 PDT, Ryosuke Niwa	no flags	Details
Patch (9.62 KB, patch) 2021-03-18 02:45 PDT, Sergio Villar Senin	zalan: review+ ews-feeder: commit-queue-	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Ryosuke Niwa 2021-03-17 01:41:30 PDT

Created attachment 423454 [details]
Test

e.g.

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x00000001345540fe WTF::Optional<WebCore::LayoutUnit>::value() && + 46 (Optional.h:555)
1   com.apple.WebCore             	0x000000013470fd3e WebCore::RenderFlexibleBox::computeInnerFlexBaseSizeForChild(WebCore::RenderBox&, WebCore::LayoutUnit) + 398 (RenderFlexibleBox.cpp:932)
2   com.apple.WebCore             	0x0000000134710bda WebCore::RenderFlexibleBox::constructFlexItem(WebCore::RenderBox&, bool) + 506 (RenderFlexibleBox.cpp:1319)
3   com.apple.WebCore             	0x0000000134707e32 WebCore::RenderFlexibleBox::layoutFlexItems(bool) + 626 (RenderFlexibleBox.cpp:974)
4   com.apple.WebCore             	0x0000000134707277 WebCore::RenderFlexibleBox::layoutBlock(bool, WebCore::LayoutUnit) + 999 (RenderFlexibleBox.cpp:303)
5   com.apple.WebCore             	0x00000001345c4525 WebCore::RenderBlock::layout() + 277 (RenderBlock.cpp:598)
6   com.apple.WebCore             	0x00000001344fadd7 WebCore::RenderElement::layoutIfNeeded() + 71 (RenderElement.h:124)
7   com.apple.WebCore             	0x00000001344f97d6 WebCore::ComplexLineLayout::layoutLineBoxes(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 1030 (ComplexLineLayout.cpp:1783)
8   com.apple.WebCore             	0x00000001345f6760 WebCore::RenderBlockFlow::layoutInlineChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 368 (RenderBlockFlow.cpp:704)
9   com.apple.WebCore             	0x00000001345f4c1d WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 1229 (RenderBlockFlow.cpp:523)
10  com.apple.WebCore             	0x00000001345c4525 WebCore::RenderBlock::layout() + 277 (RenderBlock.cpp:598)
11  com.apple.WebCore             	0x0000000134723027 WebCore::RenderFragmentedFlow::layout() + 279 (RenderFragmentedFlow.cpp:153)
12  com.apple.WebCore             	0x0000000134885911 WebCore::RenderMultiColumnFlow::layout() + 177 (RenderMultiColumnFlow.cpp:128)
13  com.apple.WebCore             	0x000000013461b7c4 WebCore::RenderBlockFlow::layoutExcludedChildren(bool) + 196 (RenderBlockFlow.cpp:3961)
14  com.apple.WebCore             	0x00000001345f69a3 WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 467 (RenderBlockFlow.cpp:645)
15  com.apple.WebCore             	0x00000001345f4c28 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 1240 (RenderBlockFlow.cpp:525)
16  com.apple.WebCore             	0x00000001345c4525 WebCore::RenderBlock::layout() + 277 (RenderBlock.cpp:598)
17  com.apple.WebCore             	0x00000001345fa075 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) + 1461 (RenderBlockFlow.cpp:762)
18  com.apple.WebCore             	0x00000001345f6a9e WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) + 718 (RenderBlockFlow.cpp:673)
19  com.apple.WebCore             	0x00000001345f4c28 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) + 1240 (RenderBlockFlow.cpp:525)
20  com.apple.WebCore             	0x00000001345c4525 WebCore::RenderBlock::layout() + 277 (RenderBlock.cpp:598)
21  com.apple.WebCore             	0x000000013496cd37 WebCore::RenderView::layout() + 1479 (RenderView.cpp:185)
22  com.apple.WebCore             	0x0000000133ae582a WebCore::FrameViewLayoutContext::layout() + 1354 (FrameViewLayoutContext.cpp:232)
23  com.apple.WebCore             	0x0000000132912f23 WebCore::Document::updateLayout() + 531 (Document.cpp:2189)
24  com.apple.WebCore             	0x0000000132915463 WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks) + 147 (Document.cpp:2203)
25  com.apple.WebCore             	0x0000000132a16c23 WebCore::Element::setScrollTop(int) + 195 (Element.cpp:1379)
26  com.apple.WebCore             	0x000000012fc2b263 WebCore::setJSElement_scrollTopSetter(JSC::JSGlobalObject&, WebCore::JSElement&, JSC::JSValue)::'lambda'()::operator()() const + 131 (JSElement.cpp:2728)
27  com.apple.WebCore             	0x000000012fc2b1d9 std::__1::enable_if<std::is_same<void, decltype(fp1())>::value, void>::type WebCore::AttributeSetter::call<WebCore::setJSElement_scrollTopSetter(JSC::JSGlobalObject&, WebCore::JSElement&, JSC::JSValue)::'lambda'()>(JSC::JSGlobalObject&, JSC::ThrowScope&, WebCore::setJSElement_scrollTopSetter(JSC::JSGlobalObject&, WebCore::JSElement&, JSC::JSValue)::'lambda'()&&) + 9 (JSDOMAttribute.h:93)
28  com.apple.WebCore             	0x000000012fc2b12a WebCore::setJSElement_scrollTopSetter(JSC::JSGlobalObject&, WebCore::JSElement&, JSC::JSValue) + 346 (JSElement.cpp:2727)
29  com.apple.WebCore             	0x000000012faadab3 bool WebCore::IDLAttribute<WebCore::JSElement>::set<&(WebCore::setJSElement_scrollTopSetter(JSC::JSGlobalObject&, WebCore::JSElement&, JSC::JSValue)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, long long, long long, char const*) + 259 (JSDOMAttribute.h:50)
30  com.apple.WebCore             	0x000000012faad9a9 WebCore::setJSElement_scrollTop(JSC::JSGlobalObject*, long long, long long) + 9 (JSElement.cpp:2735)
31  com.apple.JavaScriptCore      	0x000000011ae66537 JSC::callCustomSetter(JSC::JSGlobalObject*, bool (*)(JSC::JSGlobalObject*, long long, long long), bool, JSC::JSObject*, JSC::JSValue, JSC::JSValue) + 231 (CustomGetterSetter.cpp:43)
32  com.apple.JavaScriptCore      	0x000000011b0da3a8 JSC::JSObject::putInlineSlow(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 2008 (JSObject.cpp:842)
33  com.apple.JavaScriptCore      	0x000000011a9c3d81 JSC::JSObject::putInlineForJSObject(JSC::JSCell*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 1205 (JSObjectInlines.h:277) [inlined]
34  com.apple.JavaScriptCore      	0x000000011a9c3d81 JSC::JSCell::putInline(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 1296 (JSCellInlines.h:447) [inlined]
35  com.apple.JavaScriptCore      	0x000000011a9c3d81 JSC::JSValue::putInline(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 1336 (JSCJSValueInlines.h:1060) [inlined]
36  com.apple.JavaScriptCore      	0x000000011a9c3d81 llint_slow_path_put_by_id + 2577 (LLIntSlowPaths.cpp:907)
37  com.apple.JavaScriptCore      	0x0000000118e8b2a0 llint_entry + 41688 (LowLevelInterpreter64.asm:97)
38  com.apple.JavaScriptCore      	0x0000000118e9bdb1 llint_entry + 110057 (LowLevelInterpreter.asm:1093)
39  com.apple.JavaScriptCore      	0x0000000118e80dc9 vmEntryToJavaScript + 216 (LowLevelInterpreter64.asm:316)
40  com.apple.JavaScriptCore      	0x000000011a6c97d2 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 258 (JITCodeInlines.h:42) [inlined]
41  com.apple.JavaScriptCore      	0x000000011a6c97d2 JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1554 (Interpreter.cpp:907)
42  com.apple.JavaScriptCore      	0x000000011adb2d15 JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 101 (CallData.cpp:57)
43  com.apple.JavaScriptCore      	0x000000011adb2e10 JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 224 (CallData.cpp:64)
44  com.apple.JavaScriptCore      	0x000000011adb31cc JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 268 (CallData.cpp:85)
45  com.apple.WebCore             	0x00000001321318a9 WebCore::JSExecState::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 233 (JSExecState.h:73)
46  com.apple.WebCore             	0x000000013215dbab WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) + 2731 (JSEventListener.cpp:186)
47  com.apple.WebCore             	0x0000000132a6b263 WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::RawPtrTraits<WebCore::RegisteredEventListener>, WTF::DefaultRefDerefTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WebCore::EventTarget::EventInvokePhase) + 1315 (EventTarget.cpp:344)
48  com.apple.WebCore             	0x0000000132a6ab03 WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) + 435 (EventTarget.cpp:276)
49  com.apple.WebCore             	0x0000000132a39428 WebCore::EventContext::handleLocalEvents(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) const + 856
50  com.apple.WebCore             	0x0000000132a3ab7d WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) + 285 (EventDispatcher.cpp:107)
51  com.apple.WebCore             	0x0000000132a39fae WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) + 1342 (EventDispatcher.cpp:188)
52  com.apple.WebCore             	0x0000000132af3c49 WebCore::Node::dispatchEvent(WebCore::Event&) + 9 (Node.cpp:2374)
53  com.apple.WebCore             	0x0000000132b48318 WebCore::ScopedEventQueue::dispatchEvent(WebCore::ScopedEventQueue::ScopedEvent const&) const + 88 (ScopedEventQueue.cpp:59)
54  com.apple.WebCore             	0x0000000132b48458 WebCore::ScopedEventQueue::dispatchAllEvents() + 264 (ScopedEventQueue.cpp:66)
55  com.apple.WebCore             	0x0000000132b4861d WebCore::ScopedEventQueue::decrementScopingLevel() + 45 (ScopedEventQueue.cpp:79)
56  com.apple.WebCore             	0x0000000132970951 WebCore::EventQueueScope::~EventQueueScope() + 17 (ScopedEventQueue.h:75)
57  com.apple.WebCore             	0x00000001329103e9 WebCore::EventQueueScope::~EventQueueScope() + 9 (ScopedEventQueue.h:75)
58  com.apple.WebCore             	0x000000013293ddbf WebCore::Document::execCommand(WTF::String const&, bool, WTF::String const&) + 271 (Document.cpp:5688)
59  com.apple.WebCore             	0x000000012fb23e6a WebCore::jsDocumentPrototypeFunction_execCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*) + 1130 (JSDocument.cpp:5890)
60  com.apple.WebCore             	0x000000012fb2395c long long WebCore::IDLOperation<WebCore::JSDocument>::call<&(WebCore::jsDocumentPrototypeFunction_execCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) + 252 (JSDOMOperation.h:53)
61  com.apple.WebCore             	0x000000012fb0e239 WebCore::jsDocumentPrototypeFunction_execCommand(JSC::JSGlobalObject*, JSC::CallFrame*) + 9 (JSDocument.cpp:5895)
62  ???                           	0x00005217124011d8 0 + 90259043914200
63  com.apple.JavaScriptCore      	0x0000000118e9bf5a llint_entry + 110482 (LowLevelInterpreter.asm:1093)
64  com.apple.JavaScriptCore      	0x0000000118e9bdb1 llint_entry + 110057 (LowLevelInterpreter.asm:1093)
65  com.apple.JavaScriptCore      	0x0000000118e80dc9 vmEntryToJavaScript + 216 (LowLevelInterpreter64.asm:316)
66  com.apple.JavaScriptCore      	0x000000011a6c97d2 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 258 (JITCodeInlines.h:42) [inlined]
67  com.apple.JavaScriptCore      	0x000000011a6c97d2 JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1554 (Interpreter.cpp:907)
68  com.apple.JavaScriptCore      	0x000000011adb2d15 JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 101 (CallData.cpp:57)
69  com.apple.JavaScriptCore      	0x000000011adb2e10 JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 224 (CallData.cpp:64)
70  com.apple.JavaScriptCore      	0x000000011adb31cc JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 268 (CallData.cpp:85)
71  com.apple.WebCore             	0x00000001321318a9 WebCore::JSExecState::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 233 (JSExecState.h:73)
72  com.apple.WebCore             	0x000000013215dbab WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) + 2731 (JSEventListener.cpp:186)
73  com.apple.WebCore             	0x0000000132a6b263 WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::RawPtrTraits<WebCore::RegisteredEventListener>, WTF::DefaultRefDerefTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WebCore::EventTarget::EventInvokePhase) + 1315 (EventTarget.cpp:344)
74  com.apple.WebCore             	0x0000000132a6ab03 WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) + 435 (EventTarget.cpp:276)
75  com.apple.WebCore             	0x0000000132a39428 WebCore::EventContext::handleLocalEvents(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) const + 856
76  com.apple.WebCore             	0x0000000132a3ab7d WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) + 285 (EventDispatcher.cpp:107)
77  com.apple.WebCore             	0x0000000132a39fae WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) + 1342 (EventDispatcher.cpp:188)
78  com.apple.WebCore             	0x0000000132af3c49 WebCore::Node::dispatchEvent(WebCore::Event&) + 9 (Node.cpp:2374)
79  com.apple.WebCore             	0x0000000132f1cc3a WebCore::HTMLFormControlElement::checkValidity(WTF::Vector<WTF::RefPtr<WebCore::HTMLFormControlElement, WTF::RawPtrTraits<WebCore::HTMLFormControlElement>, WTF::DefaultRefDerefTraits<WebCore::HTMLFormControlElement> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>*) + 394 (HTMLFormControlElement.cpp:495)
80  com.apple.WebCore             	0x0000000132f1d06e WebCore::HTMLFormControlElement::reportValidity() + 222 (HTMLFormControlElement.cpp:514)
81  com.apple.WebCore             	0x000000012feb2727 WebCore::jsHTMLInputElementPrototypeFunction_reportValidityBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSHTMLInputElement*) + 199 (JSHTMLInputElement.cpp:1919)
82  com.apple.WebCore             	0x000000012feb25b7 long long WebCore::IDLOperation<WebCore::JSHTMLInputElement>::call<&(WebCore::jsHTMLInputElementPrototypeFunction_reportValidityBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSHTMLInputElement*)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) + 247 (JSDOMOperation.h:53)
83  com.apple.WebCore             	0x000000012feb1689 WebCore::jsHTMLInputElementPrototypeFunction_reportValidity(JSC::JSGlobalObject*, JSC::CallFrame*) + 9 (JSHTMLInputElement.cpp:1924)
84  ???                           	0x00005217124011d8 0 + 90259043914200
85  com.apple.JavaScriptCore      	0x0000000118e9bf5a llint_entry + 110482 (LowLevelInterpreter.asm:1093)
86  com.apple.JavaScriptCore      	0x0000000118e9bdb1 llint_entry + 110057 (LowLevelInterpreter.asm:1093)
87  com.apple.JavaScriptCore      	0x0000000118e80dc9 vmEntryToJavaScript + 216 (LowLevelInterpreter64.asm:316)
88  com.apple.JavaScriptCore      	0x000000011a6c97d2 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 258 (JITCodeInlines.h:42) [inlined]
89  com.apple.JavaScriptCore      	0x000000011a6c97d2 JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1554 (Interpreter.cpp:907)
90  com.apple.JavaScriptCore      	0x000000011adb2d15 JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 101 (CallData.cpp:57)
91  com.apple.JavaScriptCore      	0x000000011adb2e10 JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 224 (CallData.cpp:64)
92  com.apple.JavaScriptCore      	0x000000011adb31cc JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 268 (CallData.cpp:85)
93  com.apple.WebCore             	0x00000001321318a9 WebCore::JSExecState::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 233 (JSExecState.h:73)
94  com.apple.WebCore             	0x000000013215dbab WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) + 2731 (JSEventListener.cpp:186)
95  com.apple.WebCore             	0x0000000132a6b263 WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::RawPtrTraits<WebCore::RegisteredEventListener>, WTF::DefaultRefDerefTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WebCore::EventTarget::EventInvokePhase) + 1315 (EventTarget.cpp:344)
96  com.apple.WebCore             	0x0000000132a6ab03 WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) + 435 (EventTarget.cpp:276)
97  com.apple.WebCore             	0x0000000132a39428 WebCore::EventContext::handleLocalEvents(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) const + 856
98  com.apple.WebCore             	0x0000000132a3ab7d WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) + 285 (EventDispatcher.cpp:107)
99  com.apple.WebCore             	0x0000000132a39fae WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) + 1342 (EventDispatcher.cpp:188)
100 com.apple.WebCore             	0x0000000132af3c49 WebCore::Node::dispatchEvent(WebCore::Event&) + 9 (Node.cpp:2374)
101 com.apple.WebCore             	0x0000000132a28ace WebCore::Element::dispatchFocusEvent(WTF::RefPtr<WebCore::Element, WTF::RawPtrTraits<WebCore::Element>, WTF::DefaultRefDerefTraits<WebCore::Element> >&&, WebCore::FocusDirection) + 574 (Element.cpp:3166)
102 com.apple.WebCore             	0x0000000133086bf3 WebCore::HTMLTextFormControlElement::dispatchFocusEvent(WTF::RefPtr<WebCore::Element, WTF::RawPtrTraits<WebCore::Element>, WTF::DefaultRefDerefTraits<WebCore::Element> >&&, WebCore::FocusDirection) + 179 (HTMLTextFormControlElement.cpp:101)
103 com.apple.WebCore             	0x0000000132930f68 WebCore::Document::setFocusedElement(WebCore::Element*, WebCore::FocusDirection, WebCore::Document::FocusRemovalEventsMode) + 2312 (Document.cpp:4521)
104 com.apple.WebCore             	0x0000000133ad93ba WebCore::FocusController::setFocusedElement(WebCore::Element*, WebCore::Frame&, WebCore::FocusDirection) + 1498 (FocusController.cpp:876)
105 com.apple.WebCore             	0x0000000132a26cf3 WebCore::Element::focus(WebCore::SelectionRestorationMode, WebCore::FocusDirection) + 1315 (Element.cpp:3080)
106 com.apple.WebCore             	0x0000000132f3113f WebCore::HTMLFormControlElement::didAttachRenderers()::$_1::operator()() const + 79 (HTMLFormControlElement.cpp:261)
107 com.apple.WebCore             	0x0000000132f3103d WTF::Detail::CallableWrapper<WebCore::HTMLFormControlElement::didAttachRenderers()::$_1, void>::call() + 13 (Function.h:52)
108 com.apple.WebCore             	0x000000012f0925af WTF::Function<void ()>::operator()() const + 63 (Function.h:83)
109 com.apple.WebCore             	0x0000000134c28343 WebCore::Style::PostResolutionCallbackDisabler::~PostResolutionCallbackDisabler() + 115 (StyleTreeResolver.cpp:658)
110 com.apple.WebCore             	0x0000000134c284c9 WebCore::Style::PostResolutionCallbackDisabler::~PostResolutionCallbackDisabler() + 9 (StyleTreeResolver.cpp:652)
111 com.apple.WebCore             	0x00000001329199bd WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) + 2061 (Document.cpp:2091)
112 com.apple.WebCore             	0x000000013291aa9c WebCore::Document::updateStyleIfNeeded() + 572 (Document.cpp:2162)


<rdar://75330757>

Comment 1 Ryosuke Niwa 2021-03-17 01:42:41 PDT

I can reproduce nullopt with DumpRenderTree at r274459 but encountering abort in CoreAnimation if I ran the test with WebKitTestRunner so you might need to either workaround that crash or use DumpRenderTree to debug this.

Comment 2 Sergio Villar Senin 2021-03-17 08:25:08 PDT

I'll check it out, maybe it's just a dup of bug 222584

Comment 3 Sergio Villar Senin 2021-03-17 08:25:46 PDT

(In reply to Sergio Villar Senin from comment #2)
> I'll check it out, maybe it's just a dup of bug 222584

Errr I mean bug 222854 :)

Comment 4 Sergio Villar Senin 2021-03-17 09:00:45 PDT

Ryosuke, which revision are you using? I'm hitting an ASSERT but a totally different one.

Comment 5 Sergio Villar Senin 2021-03-17 14:01:14 PDT

(In reply to Sergio Villar Senin from comment #4)
> Ryosuke, which revision are you using? I'm hitting an ASSERT but a totally
> different one.

OK I got the same trace in macOS. In Linux it hits an ASSERT in RenderLayer first. I'll upload a patch for the original issue tomorrow.

Comment 6 Sergio Villar Senin 2021-03-18 02:45:41 PDT

Created attachment 423577 [details]
Patch

Comment 7 Sergio Villar Senin 2021-03-18 02:48:09 PDT

I believe this is not a security issue. We were just hitting an ASSERT that checks that the content size suggestion of a flex item is not negative, basically because it does not make sense, but I doubt this could be exploitable in any way.

That's why I'm including a potential layout test that we could even upload to WPT as it's still useful for other engines even though they don't hit the assertion.

Comment 8 Sergio Villar Senin 2021-03-31 05:15:55 PDT

Ping reviewers

BTW there must be something wrong with Release EWS as I don't get any failure locally when testing this on MacOS

Comment 9 Sergio Villar Senin 2021-04-27 03:19:21 PDT

Thanks for the review. Waiting for upstream WPT to accept the test and then I'll land this one.

Comment 10 Sergio Villar Senin 2021-04-30 04:46:20 PDT

Committed r276835 (237186@main): <https://commits.webkit.org/237186@main>