RESOLVED FIXED309006
RenderTheme::updateSliderTrackPart() may divides by zero when computing datalist tick ratios 
https://bugs.webkit.org/show_bug.cgi?id=309006
Summary RenderTheme::updateSliderTrackPart() may divides by zero when computing datal...
Nikolas Zimmermann
Reported 2026-03-02 13:23:04 PST
The tick ratio calculation divides by (maximum - minimum) without guarding against zero, unlike the thumb position calculation which already performs this check. When max == min (e.g. max="0"), this produces NaN values that propagate into SliderTrackPart::drawTicks() creating an unsorted FloatRect. This fixes a crash in imported/w3c/web-platform-tests/html/semantics/forms/the-input-element/invalid-datalist-options-crash.html for the GTK/WPE ports, where the unsorted rect triggers an assertion in SkCanvas::onDrawRect in SKIA_DEBUG enabled builds.
Attachments
Add attachment proposed patch, testcase, etc.
Nikolas Zimmermann
Comment 1 2026-03-02 13:25:23 PST
Pull request: https://github.com/WebKit/WebKit/pull/59738
EWS
Comment 2 2026-03-03 07:17:07 PST
Committed 308546@main (b859116b450c): <https://commits.webkit.org/308546@main> Reviewed commits have been landed. Closing PR #59738 and removing active labels.
Radar WebKit Bug Importer
Comment 3 2026-03-03 07:18:12 PST
<rdar://problem/171622143>
Note You need to log in before you can comment on or make changes to this bug.