Bug 254392

Summary: css/css-values/hypot-pow-sqrt-computed.html WPT crashes
Product: WebKit
Reporter: Tim Nguyen (:ntim) <ntim>
Component: CSS
Assignee: Rob Buis <rbuis>
Status: RESOLVED FIXED
Severity: Normal
CC: bfulgham, nmouchtaris, rbuis, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
URL: https://wpt.fyi/results/css/css-values/hypot-pow-sqrt-computed.html?label=experimental&label=master&product=chrome&product=firefox&product=safari&aligned&view=interop&q=label%3Ainterop-2023-mathfunctions
Attachments:
Reduced testcase (flags: none)

Comment 1 Radar WebKit Bug Importer 2023-03-23 20:20:03 PDT
<rdar://problem/107168358>
Comment 2 Tim Nguyen (:ntim) 2023-04-21 17:07:24 PDT
Created attachment 466039 [details]
Reduced testcase
Comment 3 Rob Buis 2023-04-22 00:46:54 PDT
I get:
SHOULD NEVER BE REACHED
css/calc/CSSCalcPrimitiveValueNode.cpp(179) : virtual double WebCore::CSSCalcPrimitiveValueNode::doubleValue(WebCore::CSSUnitType) const
1   0x13c260fa0 WTFCrash
2   0x2806816e0 WebCore::JSDOMWrapperConverterTraits<WebCore::ANGLEInstancedArrays>::WrapperClass* WebCore::createWrapper<WebCore::ANGLEInstancedArrays, WebCore::ANGLEInstancedArrays>(WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::ANGLEInstancedArrays, WTF::RawPtrTraits<WebCore::ANGLEInstancedArrays>>&&)
3   0x283845b68 WebCore::CSSCalcPrimitiveValueNode::doubleValue(WebCore::CSSUnitType) const
4   0x28385c598 auto WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3::operator()<WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>> const>(WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>> const&) const
5   0x28385c3e4 std::__1::enable_if<std::is_invocable_v<WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3, WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>> const&>, WTF::Vector<double, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>>::type WTF::Vector<WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>>, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::map<WTF::Vector<double, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3>(WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3&&) const
6   0x283847718 std::__1::enable_if<std::is_invocable_v<WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3, WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>> const&>, WTF::Vector<std::__1::invoke_result<WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3, WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>> const&>::type, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>>::type WTF::Vector<WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>>, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::map<WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3>(WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3&&) const
7   0x283844d1c WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const
8   0x28385c598 auto WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3::operator()<WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>> const>(WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>> const&) const
9   0x28385c3e4 std::__1::enable_if<std::is_invocable_v<WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3, WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>> const&>, WTF::Vector<double, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>>::type WTF::Vector<WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>>, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::map<WTF::Vector<double, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3>(WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3&&) const
10  0x283847718 std::__1::enable_if<std::is_invocable_v<WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3, WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>> const&>, WTF::Vector<std::__1::invoke_result<WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3, WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>> const&>::type, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>>::type WTF::Vector<WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>>, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::map<WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3>(WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3&&) const
11  0x283844d1c WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const
12  0x283844034 WebCore::CSSCalcOperationNode::combineChildren()
13  0x2838466b0 WebCore::CSSCalcOperationNode::simplifyNode(WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>>&&, int)
14  0x283846314 WebCore::CSSCalcOperationNode::simplifyRecursive(WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>>&&, int)
15  0x28383ec00 WebCore::CSSCalcOperationNode::simplify(WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>>&&)
16  0x28383df70 WebCore::CSSCalcExpressionNodeParser::parseCalc(WebCore::CSSParserTokenRange, WebCore::CSSValueID, bool)
17  0x28385fd98 WebCore::CSSCalcValue::create(WebCore::CSSValueID, WebCore::CSSParserTokenRange const&, WebCore::CalculationCategory, WebCore::ValueRange, WebCore::CSSCalcSymbolTable const&, bool)
18  0x283902d78 WebCore::CSSPropertyParserHelpers::CalcParser::CalcParser(WebCore::CSSParserTokenRange&, WebCore::CalculationCategory, WebCore::ValueRange, WebCore::CSSCalcSymbolTable const&, WebCore::CSSPropertyParserHelpers::NegativePercentagePolicy)
19  0x2838d9b4c WebCore::CSSPropertyParserHelpers::CalcParser::CalcParser(WebCore::CSSParserTokenRange&, WebCore::CalculationCategory, WebCore::ValueRange, WebCore::CSSCalcSymbolTable const&, WebCore::CSSPropertyParserHelpers::NegativePercentagePolicy)
20  0x2838d993c WebCore::CSSPropertyParserHelpers::consumeLengthOrPercent(WebCore::CSSParserTokenRange&, WebCore::CSSParserMode, WebCore::ValueRange, WebCore::CSSPropertyParserHelpers::UnitlessQuirk, WebCore::CSSPropertyParserHelpers::UnitlessZeroQuirk, WebCore::CSSPropertyParserHelpers::NegativePercentagePolicy)
21  0x2838e40c8 WebCore::CSSPropertyParserHelpers::consumeAutoOrLengthOrPercent(WebCore::CSSParserTokenRange&, WebCore::CSSParserMode, WebCore::CSSPropertyParserHelpers::UnitlessQuirk)
22  0x2838e4024 WebCore::CSSPropertyParserHelpers::consumeMarginSide(WebCore::CSSParserTokenRange&, WebCore::CSSPropertyID, WebCore::CSSParserMode)
Comment 4 Rob Buis 2023-04-22 00:53:52 PDT
This seems enough to ASSERT:
document.body.style.marginLeft = "hypot(0% + 772.35px)";
Comment 5 Rob Buis 2023-04-22 09:45:06 PDT
Pull request: https://github.com/WebKit/WebKit-security/pull/36
Comment 6 Rob Buis 2023-04-24 11:11:35 PDT
Pull request: https://github.com/WebKit/WebKit/pull/13107
Comment 7 EWS 2023-04-24 16:15:25 PDT
Committed 263345@main (1643a89b579b): <https://commits.webkit.org/263345@main>

Reviewed commits have been landed. Closing PR #13107 and removing active labels.