LibWeb: Stack overflow in WPT legend display test

[tcl3]

Summary

The following WPT test now crashes with a segfault due to a stack overflow: http://wpt.live/html/rendering/non-replaced-elements/the-fieldset-and-legend-elements/legend-display.html

Bisected to: a820308 and/or the followup commit c47d19d

Operating system

Linux

Steps to reproduce

1. Open http://wpt.live/html/rendering/non-replaced-elements/the-fieldset-and-legend-elements/legend-display.html
2. 💥

Expected behavior

No crash

Actual behavior

A segfault occurs

URL for a reduced test case

http://wpt.live/html/rendering/non-replaced-elements/the-fieldset-and-legend-elements/legend-display.html

HTML/SVG/etc. source for a reduced test case

N/A

Log output and (if possible) backtrace

#0  0x00007b054951d998 in fast_is<Web::Layout::TextNode> ()
    at /home/tim/repos/ladybird/Libraries/LibWeb/Layout/TextNode.h:78
#1  is<Web::Layout::TextNode, Web::Layout::Node const> ()
    at /home/tim/repos/ladybird/AK/TypeCasts.h:21
#2  next_without_lookahead ()
    at /home/tim/repos/ladybird/Libraries/LibWeb/Layout/InlineLevelIterator.cpp:208
#3  0x00007b054951d928 in next ()
    at /home/tim/repos/ladybird/Libraries/LibWeb/Layout/InlineLevelIterator.cpp:140
#4  0x00007b054951b341 in generate_line_boxes ()
    at /home/tim/repos/ladybird/Libraries/LibWeb/Layout/InlineFormattingContext.cpp:266
#5  0x00007b054951b16c in run ()
    at /home/tim/repos/ladybird/Libraries/LibWeb/Layout/InlineFormattingContext.cpp:85
#6  0x00007b05494f7c79 in layout_inside ()
    at /home/tim/repos/ladybird/Libraries/LibWeb/Layout/FormattingContext.cpp:244
#7  0x00007b054951c58d in dimension_box_on_line ()
    at /home/tim/repos/ladybird/Libraries/LibWeb/Layout/InlineFormattingContext.cpp:186
#8  0x00007b054951da47 in next_without_lookahead ()
    at /home/tim/repos/ladybird/Libraries/LibWeb/Layout/InlineLevelIterator.cpp:362
#9  0x00007b054951d928 in next ()
    at /home/tim/repos/ladybird/Libraries/LibWeb/Layout/InlineLevelIterator.cpp:140
#10 0x00007b054951b341 in generate_line_boxes ()
    at /home/tim/repos/ladybird/Libraries/LibWeb/Layout/InlineFormattingContext.cpp:266
#11 0x00007b054951b16c in run ()
    at /home/tim/repos/ladybird/Libraries/LibWeb/Layout/InlineFormattingContext.cpp:85
#12 0x00007b05494f7c79 in layout_inside ()
    at /home/tim/repos/ladybird/Libraries/LibWeb/Layout/FormattingContext.cpp:244
#13 0x00007b054951c58d in dimension_box_on_line ()
    at /home/tim/repos/ladybird/Libraries/LibWeb/Layout/InlineFormattingContext.cpp:186
#14 0x00007b054951da47 in next_without_lookahead ()
    at /home/tim/repos/ladybird/Libraries/LibWeb/Layout/InlineLevelIterator.cpp:362
--Type <RET> for more, q to quit, c to continue without paging--
#15 0x00007b054951d928 in next ()
    at /home/tim/repos/ladybird/Libraries/LibWeb/Layout/InlineLevelIterator.cpp:140
#16 0x00007b054951b341 in generate_line_boxes ()
    at /home/tim/repos/ladybird/Libraries/LibWeb/Layout/InlineFormattingContext.cpp:266
#17 0x00007b054951b16c in run ()
    at /home/tim/repos/ladybird/Libraries/LibWeb/Layout/InlineFormattingContext.cpp:85
#18 0x00007b05494f7c79 in layout_inside ()
    at /home/tim/repos/ladybird/Libraries/LibWeb/Layout/FormattingContext.cpp:244
#19 0x00007b054951c58d in dimension_box_on_line ()
    at /home/tim/repos/ladybird/Libraries/LibWeb/Layout/InlineFormattingContext.cpp:186
#20 0x00007b054951da47 in next_without_lookahead ()
    at /home/tim/repos/ladybird/Libraries/LibWeb/Layout/InlineLevelIterator.cpp:362
(33077 further stack frames omitted)

Screenshots or screen recordings

No response

Build flags or config settings

No response

Contribute a patch?

• I’ll contribute a patch for this myself.