LibWeb: Crash on Google Colab when using position:sticky in shadow DOM

[aplefull]

Summary

Opening https://colab.research.google.com/ leads to a crash. See reduction below :)

Juging by a backtrace

ladybird/Libraries/LibWeb/Painting/ViewportPaintable.cpp

Line 184 in 39abd75

auto const& sticky_insets = sticky_box.sticky_insets();

is trying to access m_sticky_insets which is nullptr:

ladybird/Libraries/LibWeb/Painting/PaintableBox.h

Line 232 in 39abd75

StickyInsets const& sticky_insets() const { return *m_sticky_insets; }

On a side note, I tried simply returning early if it's nullptr to test it and I was able to use colab which is a pretty heavy app!

Operating system

Linux

Steps to reproduce

Go to https://colab.research.google.com/ or see example below

Expected behavior

N/A

Actual behavior

N/A

URL for a reduced test case

N/A

HTML/SVG/etc. source for a reduced test case

<!doctype html>
<html>
  <colab-output-info>
    <template shadowrootmode="open">
      <style>
        :host {
          position: sticky;
        }
      </style>
    </template>
  </colab-output-info>
</html>

Log output and (if possible) backtrace

(gdb) bt
#0  ak_trap () at /home/aplefull/Repos/ladybird/AK/Assertions.cpp:100
#1  0x00007e200ffa0f83 in ak_verification_failed () at /home/aplefull/Repos/ladybird/AK/Assertions.cpp:110
#2  0x00007e2011671a2c in AK::OwnPtr<Web::Painting::PaintableBox::StickyInsets, AK::DefaultDelete<Web::Painting::PaintableBox::StickyInsets> >::operator* ()
    at /home/aplefull/Repos/ladybird/AK/OwnPtr.h:145
#3  Web::Painting::PaintableBox::sticky_insets () at /home/aplefull/Repos/ladybird/Libraries/LibWeb/Painting/PaintableBox.h:232
#4  operator()<const AK::NonnullRefPtr<Web::Painting::ScrollFrame> > () at /home/aplefull/Repos/ladybird/Libraries/LibWeb/Painting/ViewportPaintable.cpp:184
#5  for_each_sticky_frame<Web::Painting::ViewportPaintable::refresh_scroll_state()::<lambda(auto:190&)> > ()
    at /home/aplefull/Repos/ladybird/Libraries/LibWeb/Painting/ScrollState.h:55
#6  Web::Painting::ViewportPaintable::refresh_scroll_state () at /home/aplefull/Repos/ladybird/Libraries/LibWeb/Painting/ViewportPaintable.cpp:182
#7  0x00007e201119d6ba in Web::DOM::Document::update_paint_and_hit_testing_properties_if_needed () at /home/aplefull/Repos/ladybird/Libraries/LibWeb/DOM/Document.cpp:1498
#8  0x00007e20111bea44 in Web::DOM::Document::update_layout () at /home/aplefull/Repos/ladybird/Libraries/LibWeb/DOM/Document.cpp:1330
#9  0x00007e20111e80bc in Web::DOM::Element::get_client_rects () at /home/aplefull/Repos/ladybird/Libraries/LibWeb/DOM/Element.cpp:958
#10 0x00007e20111e8ae6 in Web::DOM::Element::get_bounding_client_rect () at /home/aplefull/Repos/ladybird/Libraries/LibWeb/DOM/Element.cpp:919
#11 0x00007e2011be3398 in operator() () at /home/aplefull/Repos/ladybird/Build/release/Lagom/Libraries/LibWeb/Bindings/ElementPrototype.cpp:4798
#12 throw_dom_exception_if_needed<Web::Bindings::ElementPrototype::get_bounding_client_rect(JS::VM&)::<lambda()> > ()
    at /home/aplefull/Repos/ladybird/Libraries/LibWeb/Bindings/ExceptionOrUtils.h:110
#13 Web::Bindings::ElementPrototype::get_bounding_client_rect () at /home/aplefull/Repos/ladybird/Build/release/Lagom/Libraries/LibWeb/Bindings/ElementPrototype.cpp:4798
#14 0x00007e2010399661 in AK::Function<JS::ThrowCompletionOr<JS::Value> (JS::VM&)>::operator()(JS::VM&) const () at /home/aplefull/Repos/ladybird/AK/Function.h:120
#15 JS::NativeFunction::call () at /home/aplefull/Repos/ladybird/Libraries/LibJS/Runtime/NativeFunction.cpp:233
#16 0x00007e201039a4f4 in JS::NativeFunction::internal_call () at /home/aplefull/Repos/ladybird/Libraries/LibJS/Runtime/NativeFunction.cpp:164
#17 0x00007e20101b05a8 in JS::call () at /home/aplefull/Repos/ladybird/Libraries/LibJS/Runtime/AbstractOperations.h:114
#18 JS::Bytecode::perform_call () at /home/aplefull/Repos/ladybird/Libraries/LibJS/Bytecode/Interpreter.cpp:1239
#19 0x00007e20101a2d14 in JS::Bytecode::Op::Call::execute_impl () at /home/aplefull/Repos/ladybird/Libraries/LibJS/Bytecode/Interpreter.cpp:2580
#20 0x00007e20101a9202 in JS::Bytecode::Interpreter::run_bytecode () at /home/aplefull/Repos/ladybird/Libraries/LibJS/Bytecode/Interpreter.cpp:573
#21 0x00007e20101abf61 in JS::Bytecode::Interpreter::run_executable () at /home/aplefull/Repos/ladybird/Libraries/LibJS/Bytecode/Interpreter.cpp:737
#22 0x00007e20102dd18c in JS::ECMAScriptFunctionObject::ordinary_call_evaluate_body () at /home/aplefull/Repos/ladybird/Libraries/LibJS/Runtime/ECMAScriptFunctionObject.cpp:815
#23 0x00007e20102de237 in JS::ECMAScriptFunctionObject::internal_call () at /home/aplefull/Repos/ladybird/Libraries/LibJS/Runtime/ECMAScriptFunctionObject.cpp:421
#24 0x00007e20101b05a8 in JS::call () at /home/aplefull/Repos/ladybird/Libraries/LibJS/Runtime/AbstractOperations.h:114
#25 JS::Bytecode::perform_call () at /home/aplefull/Repos/ladybird/Libraries/LibJS/Bytecode/Interpreter.cpp:1239
#26 0x00007e20101a2d14 in JS::Bytecode::Op::Call::execute_impl () at /home/aplefull/Repos/ladybird/Libraries/LibJS/Bytecode/Interpreter.cpp:2580
#27 0x00007e20101a9202 in JS::Bytecode::Interpreter::run_bytecode () at /home/aplefull/Repos/ladybird/Libraries/LibJS/Bytecode/Interpreter.cpp:573
#28 0x00007e20101abf61 in JS::Bytecode::Interpreter::run_executable () at /home/aplefull/Repos/ladybird/Libraries/LibJS/Bytecode/Interpreter.cpp:737
#29 0x00007e20102dd18c in JS::ECMAScriptFunctionObject::ordinary_call_evaluate_body () at /home/aplefull/Repos/ladybird/Libraries/LibJS/Runtime/ECMAScriptFunctionObject.cpp:815
#30 0x00007e20102de237 in JS::ECMAScriptFunctionObject::internal_call () at /home/aplefull/Repos/ladybird/Libraries/LibJS/Runtime/ECMAScriptFunctionObject.cpp:421
#31 0x00007e20101b05a8 in JS::call () at /home/aplefull/Repos/ladybird/Libraries/LibJS/Runtime/AbstractOperations.h:114
#32 JS::Bytecode::perform_call () at /home/aplefull/Repos/ladybird/Libraries/LibJS/Bytecode/Interpreter.cpp:1239
#33 0x00007e20101a2d14 in JS::Bytecode::Op::Call::execute_impl () at /home/aplefull/Repos/ladybird/Libraries/LibJS/Bytecode/Interpreter.cpp:2580
#34 0x00007e20101a9202 in JS::Bytecode::Interpreter::run_bytecode () at /home/aplefull/Repos/ladybird/Libraries/LibJS/Bytecode/Interpreter.cpp:573
#35 0x00007e20101abf61 in JS::Bytecode::Interpreter::run_executable () at /home/aplefull/Repos/ladybird/Libraries/LibJS/Bytecode/Interpreter.cpp:737
#36 0x00007e20102dd18c in JS::ECMAScriptFunctionObject::ordinary_call_evaluate_body () at /home/aplefull/Repos/ladybird/Libraries/LibJS/Runtime/ECMAScriptFunctionObject.cpp:815
#37 0x00007e20102de237 in JS::ECMAScriptFunctionObject::internal_call () at /home/aplefull/Repos/ladybird/Libraries/LibJS/Runtime/ECMAScriptFunctionObject.cpp:421
#38 0x00007e20101b05a8 in JS::call () at /home/aplefull/Repos/ladybird/Libraries/LibJS/Runtime/AbstractOperations.h:114
#39 JS::Bytecode::perform_call () at /home/aplefull/Repos/ladybird/Libraries/LibJS/Bytecode/Interpreter.cpp:1239
#40 0x00007e20101a2d14 in JS::Bytecode::Op::Call::execute_impl () at /home/aplefull/Repos/ladybird/Libraries/LibJS/Bytecode/Interpreter.cpp:2580

Screenshots or screen recordings

No response

Build flags or config settings

No response

Contribute a patch?

• I’ll contribute a patch for this myself.

[shannonbooth]

Nice reduction, I believe this is duplicate or at least same root cause as #3133, though this definitely has other useful info in it, like a real site it fixes other than something I just noticed, and a diffent repro