[Webkit-unassigned] [Bug 211159] New: Specific dom node order of Shadow DOM (re)projection causes segfault

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Apr 28 17:55:53 PDT 2020


https://bugs.webkit.org/show_bug.cgi?id=211159

            Bug ID: 211159
           Summary: Specific dom node order of Shadow DOM (re)projection
                    causes segfault
           Product: WebKit
           Version: Safari 13
          Hardware: Macintosh
                OS: macOS 10.15
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: DOM
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: emarquez at google.com

Created attachment 397914

  --> https://bugs.webkit.org/attachment.cgi?id=397914&action=review

Reproduction of failure

Hello, there seems to be some mix of issues projecting a <slot>'s default content into a shadow root that has both a named and nameless slot. I have attached a reproduction case and here is a JSbin for a live example:

https://jsbin.com/qicoganici/1/edit

Some quirks I've found:

Removing the named slot:

<div>
  <slot></slot>
</div>


moving it into the same div as the nameless slot:

<div>
  <slot name="named"></slot>
  <slot></slot>
</div>


or moving it after the nameless slot:

<div>
  <slot></slot>
</div>
<slot name="named"></slot>


seems to prevent this crash. Additionally, removing the default content (the text node "default" in this example):

<my-element-inner>
  <slot></slot>
  <div slot="named">named slot<div>
</my-element-inner>


wrapping the slot in the outer element with a span or div:

<my-element-inner>
  <span><slot>default</slot></span>
  <div slot="named">named slot<div>
</my-element-inner>


or actually projecting a value into the outer element:

<my-element-outer>projected</my-element-outer>


also seems to prevent this crash. Notably, simply wrapping the named slot in an element:

<div>
  <slot name="named"></slot>
</div>
<div>
  <slot></slot>
</div>

does not prevent this crash. Confirmed this crash on Safari 13.1 (WK: 156609.1.20.111.8) and 13.2 (WK: 15610.1.10).
