Bug 254392

Summary:

css/css-values/hypot-pow-sqrt-computed.html WPT crashes

Product:

WebKit

Reporter:

Tim Nguyen (:ntim) <ntim>

Component:

CSS

Assignee:

Rob Buis <rbuis>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

bfulgham, nmouchtaris, rbuis, webkit-bug-importer

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

URL:

Attachments:

Description	Flags
Reduced testcase	none

Tim Nguyen (:ntim)

Reported 2023-03-23 20:19:51 PDT

https://wpt.fyi/results/css/css-values/hypot-pow-sqrt-computed.html?label=experimental&label=master&product=chrome&product=firefox&product=safari&aligned&view=interop&q=label%3Ainterop-2023-mathfunctions If you open http://wpt.live/css/css-values/hypot-pow-sqrt-computed.html in Safari, it crashes.

Attachments
Reduced testcase (1.85 KB, text/html) 2023-04-21 17:07 PDT, Tim Nguyen (:ntim)	no flags	Details
View All Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2023-03-23 20:20:03 PDT

<rdar://problem/107168358>

Tim Nguyen (:ntim)

Comment 2 2023-04-21 17:07:24 PDT

Created attachment 466039 [details] Reduced testcase

Rob Buis

Comment 3 2023-04-22 00:46:54 PDT

I get: HOULD NEVER BE REACHED css/calc/CSSCalcPrimitiveValueNode.cpp(179) : virtual double WebCore::CSSCalcPrimitiveValueNode::doubleValue(WebCore::CSSUnitType) const 1 0x13c260fa0 WTFCrash 2 0x2806816e0 WebCore::JSDOMWrapperConverterTraits<WebCore::ANGLEInstancedArrays>::WrapperClass* WebCore::createWrapper<WebCore::ANGLEInstancedArrays, WebCore::ANGLEInstancedArrays>(WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::ANGLEInstancedArrays, WTF::RawPtrTraits<WebCore::ANGLEInstancedArrays>>&&) 3 0x283845b68 WebCore::CSSCalcPrimitiveValueNode::doubleValue(WebCore::CSSUnitType) const 4 0x28385c598 auto WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3::operator()<WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>> const>(WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>> const&) const 5 0x28385c3e4 std::__1::enable_if<std::is_invocable_v<WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3, WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>> const&>, WTF::Vector<double, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>>::type WTF::Vector<WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>>, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::map<WTF::Vector<double, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3>(WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3&&) const 6 0x283847718 std::__1::enable_if<std::is_invocable_v<WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3, WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>> const&>, WTF::Vector<std::__1::invoke_result<WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3, WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>> const&>::type, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>>::type WTF::Vector<WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>>, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::map<WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3>(WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3&&) const 7 0x283844d1c WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const 8 0x28385c598 auto WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3::operator()<WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>> const>(WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>> const&) const 9 0x28385c3e4 std::__1::enable_if<std::is_invocable_v<WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3, WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>> const&>, WTF::Vector<double, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>>::type WTF::Vector<WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>>, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::map<WTF::Vector<double, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3>(WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3&&) const 10 0x283847718 std::__1::enable_if<std::is_invocable_v<WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3, WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>> const&>, WTF::Vector<std::__1::invoke_result<WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3, WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>> const&>::type, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>>::type WTF::Vector<WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>>, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::map<WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3>(WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3&&) const 11 0x283844d1c WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const 12 0x283844034 WebCore::CSSCalcOperationNode::combineChildren() 13 0x2838466b0 WebCore::CSSCalcOperationNode::simplifyNode(WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>>&&, int) 14 0x283846314 WebCore::CSSCalcOperationNode::simplifyRecursive(WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>>&&, int) 15 0x28383ec00 WebCore::CSSCalcOperationNode::simplify(WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>>&&) 16 0x28383df70 WebCore::CSSCalcExpressionNodeParser::parseCalc(WebCore::CSSParserTokenRange, WebCore::CSSValueID, bool) 17 0x28385fd98 WebCore::CSSCalcValue::create(WebCore::CSSValueID, WebCore::CSSParserTokenRange const&, WebCore::CalculationCategory, WebCore::ValueRange, WebCore::CSSCalcSymbolTable const&, bool) 18 0x283902d78 WebCore::CSSPropertyParserHelpers::CalcParser::CalcParser(WebCore::CSSParserTokenRange&, WebCore::CalculationCategory, WebCore::ValueRange, WebCore::CSSCalcSymbolTable const&, WebCore::CSSPropertyParserHelpers::NegativePercentagePolicy) 19 0x2838d9b4c WebCore::CSSPropertyParserHelpers::CalcParser::CalcParser(WebCore::CSSParserTokenRange&, WebCore::CalculationCategory, WebCore::ValueRange, WebCore::CSSCalcSymbolTable const&, WebCore::CSSPropertyParserHelpers::NegativePercentagePolicy) 20 0x2838d993c WebCore::CSSPropertyParserHelpers::consumeLengthOrPercent(WebCore::CSSParserTokenRange&, WebCore::CSSParserMode, WebCore::ValueRange, WebCore::CSSPropertyParserHelpers::UnitlessQuirk, WebCore::CSSPropertyParserHelpers::UnitlessZeroQuirk, WebCore::CSSPropertyParserHelpers::NegativePercentagePolicy) 21 0x2838e40c8 WebCore::CSSPropertyParserHelpers::consumeAutoOrLengthOrPercent(WebCore::CSSParserTokenRange&, WebCore::CSSParserMode, WebCore::CSSPropertyParserHelpers::UnitlessQuirk) 22 0x2838e4024 WebCore::CSSPropertyParserHelpers::consumeMarginSide(WebCore::CSSParserTokenRange&, WebCore::CSSPropertyID, WebCore::CSSParserMode)

Rob Buis

Comment 4 2023-04-22 00:53:52 PDT

This seems enough to ASSERT: document.body.style.marginLeft = "hypot(0% + 772.35px)";

Rob Buis

Comment 5 2023-04-22 09:45:06 PDT

Pull request: https://github.com/WebKit/WebKit-security/pull/36

Rob Buis

Comment 6 2023-04-24 11:11:35 PDT

Pull request: https://github.com/WebKit/WebKit/pull/13107

EWS

Comment 7 2023-04-24 16:15:25 PDT

Committed 263345@main (1643a89b579b): <https://commits.webkit.org/263345@main> Reviewed commits have been landed. Closing PR #13107 and removing active labels.

Note You need to log in before you can comment on or make changes to this bug.