RESOLVED FIXED287905
Flatenning may be triggered before tree is connected, and the function crashes when reaching a non-connected parent. 
https://bugs.webkit.org/show_bug.cgi?id=287905
Summary Flatenning may be triggered before tree is connected, and the function crashe...
Pedro Varangot
Reported 2025-02-18 15:55:11 PST
This requires some specific timing/layout like in this test: <html> <head> <style> .class7 { perspective: 0px; } :not(.active) { grid; white-space-collapse: preserve-breaks; container: a0 / inline-size; -webkit-mask-box-image: url(); } </style> <script> function runTest() { body = document.body; body.style.setProperty("border-bottom-width", "thin"); something = document.elementFromPoint(0, 0); htmlElement = document.documentElement; htmlElement.append(body); testRunner?.dumpAsText(); testRunner?.notifyDone(); } testRunner?.waitUntilDone(); </script> </head> <body onload=runTest()> <title>Title</title> <p>This test passes if webkit doesn't crash</p> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <form class="class7"> <keygen /> </form> <br /> <br /> <br /> <br /> </body> </html>
Attachments
Add attachment proposed patch, testcase, etc.
Pedro Varangot
Comment 1 2025-02-18 15:59:46 PST
<rdar://problem/143296083>
Alexey Proskuryakov
Comment 2 2025-02-19 09:35:44 PST
https://github.com/WebKit/WebKit/pull/40805
EWS
Comment 3 2025-02-21 00:19:15 PST
Committed 290774@main (4810d0915bd9): <https://commits.webkit.org/290774@main> Reviewed commits have been landed. Closing PR #40805 and removing active labels.
EWS
Comment 4 2025-05-07 12:45:14 PDT
Committed 289651.483@safari-7621-branch (43b00d11a701): <https://commits.webkit.org/289651.483@safari-7621-branch> Reviewed commits have been landed. Closing PR #3057 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.