Testcase: ======= <style> .class2,aside { horizontal;float: right;-webkit-flow-from: } *:last-of-type { show;-webkit-columns: 1px auto;grid: single;-webkit-min-logical-height: 1em;margin-bottom: 8192px;row-gap: steps(5,jump-start),step-end;border-bottom-style: ridge;-webkit-text-combine: auto;column-gap: 1px;-webkit-text-combine: auto;height: 0%;font-variant: fit-content(512vmax);border-left-style: solid;-webkit-box-decoration-break: } #x42,.class2 { auto;-webkit-box-shadow: 232em 16px 16384px } </style> </dt> <code title="AAAAAAAAAAAAAAAAAAAA"> </audio> <p style="animation-fill-mode: bottom;-webkit-column-span: all;width: onblur="f4()"> <fieldset form="foo"> <label class="class2"> </label> <button formtarget="x66"> </select> </fieldset> </h3> <audio controls="" muted=""> Versions ======= First found on WebKit-54c72ce. Discovered by fuzzer WebKit-WebKitTestRunner-ASan-FreeDom (revision 1). Testcase ======= reduced-1-170680346905.html Crash Report ========== com.apple.WebKit.WebContent.Development-2024-02-01-084211.ips Stack Trace ========= frame #0: WebCore`bool WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::reserveCapacity<(WTF::FailureAction)0>(unsigned long)+0x3a4 frame #1: WebCore`WebCore::LayerFragment* WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::expandCapacity<(WTF::FailureAction)0>(unsigned long, WebCore::LayerFragment*)+0x194 frame #2: WebCore`bool WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::appendSlowCase<(WTF::FailureAction)0, WebCore::LayerFragment&>(WebCore::LayerFragment&)+0xac frame #3: WebCore`WebCore::RenderMultiColumnSet::collectLayerFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WebCore::LayoutRect const&, WebCore::LayoutRect const&)+0x1a7c frame #4: WebCore`WebCore::RenderFragmentedFlow::collectLayerFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WebCore::LayoutRect const&, WebCore::LayoutRect const&)+0x134 frame #5: WebCore`WebCore::RenderLayer::collectFragments(WTF::Vector<WebCore::LayerFragment, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WebCore::RenderLayer const*, WebCore::LayoutRect const&, WebCore::RenderLayer::PaginationInclusionMode, WebCore::ClipRectsType, WTF::OptionSet<WebCore::RenderLayer::ClipRectsOption>, WebCore::LayoutSize const&, WebCore::LayoutRect const*, WebCore::ShouldApplyRootOffsetToFragments)+0x312c frame #6: WebCore`WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)+0x1400 frame #7: WebCore`WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)+0x1888 frame #8: WebCore`WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)+0x36e4 frame #9: WebCore`WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)+0x1888 frame #10: WebCore`WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)+0x36e4 frame #11: WebCore`WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)+0x1888 frame #12: WebCore`WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)+0x36e4 frame #13: WebCore`WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)+0x1888 frame #14: WebCore`WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)+0x36e4 frame #15: WebCore`WebCore::RenderLayer::paintLayer(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)+0x1888 frame #16: WebCore`WebCore::RenderLayer::paintLayerContents(WebCore::GraphicsContext&, WebCore::RenderLayer::LayerPaintingInfo const&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>)+0x36e4 frame #17: WebCore`WebCore::RenderLayerBacking::paintIntoLayer(WebCore::GraphicsLayer const*, WebCore::GraphicsContext&, WebCore::IntRect const&, WTF::OptionSet<WebCore::PaintBehavior>, WebCore::RegionContext*)::$_14::operator()(WebCore::RenderLayer&, WTF::OptionSet<WebCore::RenderLayer::PaintLayerFlag>) const+0xdbc frame #18: WebCore`WebCore::RenderLayerBacking::paintIntoLayer(WebCore::GraphicsLayer const*, WebCore::GraphicsContext&, WebCore::IntRect const&, WTF::OptionSet<WebCore::PaintBehavior>, WebCore::RegionContext*)+0x440 frame #19: WebCore`WebCore::RenderLayerBacking::paintContents(WebCore::GraphicsLayer const*, WebCore::GraphicsContext&, WebCore::FloatRect const&, WTF::OptionSet<WebCore::GraphicsLayerPaintBehavior>)+0x3c4 frame #20: WebCore`WebCore::GraphicsLayer::paintGraphicsLayerContents(WebCore::GraphicsContext&, WebCore::FloatRect const&, WTF::OptionSet<WebCore::GraphicsLayerPaintBehavior>)+0x23c frame #21: WebCore`WebCore::GraphicsLayerCA::platformCALayerPaintContents(WebCore::PlatformCALayer*, WebCore::GraphicsContext&, WebCore::FloatRect const&, WTF::OptionSet<WebCore::GraphicsLayerPaintBehavior>)+0x19c frame #22: WebCore`WebCore::PlatformCALayer::drawLayerContents(WebCore::GraphicsContext&, WebCore::PlatformCALayer*, WTF::Vector<WebCore::FloatRect, 5ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&, WTF::OptionSet<WebCore::GraphicsLayerPaintBehavior>)+0x380 frame #23: WebKit`WebKit::RemoteLayerBackingStore::drawInContext(WebCore::GraphicsContext&)+0x6b0 frame #24: WebKit`WebKit::RemoteLayerWithRemoteRenderingBackingStore::createContextAndPaintContents()+0x124 frame #25: WebKit`WebKit::RemoteLayerBackingStore::paintContents()+0x8f0 frame #26: WebKit`WebKit::RemoteLayerBackingStoreCollection::paintReachableBackingStoreContents()+0x2d0 frame #27: WebKit`WebKit::RemoteLayerTreeContext::buildTransaction(WebKit::RemoteLayerTreeTransaction&, WebCore::PlatformCALayer&, WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::FrameIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>>)+0x320 frame #28: WebKit`WebKit::RemoteLayerTreeDrawingArea::updateRendering()+0xc30 frame #29: WebCore`WebCore::ThreadTimers::sharedTimerFiredInternal()+0x340 frame #30: WebCore`WebCore::timerFired(__CFRunLoopTimer*, void*)+0xd4 frame #31: CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__+0x1c frame #32: CoreFoundation`__CFRunLoopDoTimer+0x3c8 frame #33: CoreFoundation`__CFRunLoopDoTimers+0x160 frame #34: CoreFoundation`__CFRunLoopRun+0x73c frame #35: CoreFoundation`CFRunLoopRunSpecific+0x25c frame #36: Foundation`-[NSRunLoop(NSRunLoop) runMode:beforeDate:]+0xd0 frame #37: Foundation`-[NSRunLoop(NSRunLoop) run]+0x3c frame #38: libxpc.dylib`_xpc_objc_main+0x2a8 frame #39: libxpc.dylib`_xpc_main+0x140 frame #40: libxpc.dylib`xpc_main+0x3c frame #41: WebKit`WebKit::XPCServiceMain(int, char const**)+0x138 frame #42: `0x1815f50b4+ [tag] [reply] [−] Comment 1