WebKit Bugzilla
RESOLVED FIXED
254392
css/css-values/hypot-pow-sqrt-computed.html WPT crashes
https://bugs.webkit.org/show_bug.cgi?id=254392
Tim Nguyen (:ntim)
Reported
2023-03-23 20:19:51 PDT
https://wpt.fyi/results/css/css-values/hypot-pow-sqrt-computed.html?label=experimental&label=master&product=chrome&product=firefox&product=safari&aligned&view=interop&q=label%3Ainterop-2023-mathfunctions
If you open http://wpt.live/css/css-values/hypot-pow-sqrt-computed.html in Safari, it crashes.
Attachments
Reduced testcase (1.85 KB, text/html), 2023-04-21 17:07 PDT, Tim Nguyen (:ntim)
Radar WebKit Bug Importer
Comment 1
2023-03-23 20:20:03 PDT
<rdar://problem/107168358>
Tim Nguyen (:ntim)
Comment 2
2023-04-21 17:07:24 PDT
Created attachment 466039
Reduced testcase
Rob Buis
Comment 3
2023-04-22 00:46:54 PDT
I get:

SHOULD NEVER BE REACHED
css/calc/CSSCalcPrimitiveValueNode.cpp(179) : virtual double WebCore::CSSCalcPrimitiveValueNode::doubleValue(WebCore::CSSUnitType) const
1 0x13c260fa0 WTFCrash
2 0x2806816e0 WebCore::JSDOMWrapperConverterTraits<WebCore::ANGLEInstancedArrays>::WrapperClass* WebCore::createWrapper<WebCore::ANGLEInstancedArrays, WebCore::ANGLEInstancedArrays>(WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::ANGLEInstancedArrays, WTF::RawPtrTraits<WebCore::ANGLEInstancedArrays>>&&)
3 0x283845b68 WebCore::CSSCalcPrimitiveValueNode::doubleValue(WebCore::CSSUnitType) const
4 0x28385c598 auto WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3::operator()<WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>> const>(WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>> const&) const
5 0x28385c3e4 std::__1::enable_if<std::is_invocable_v<WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3, WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>> const&>, WTF::Vector<double, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>>::type WTF::Vector<WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>>, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::map<WTF::Vector<double, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3>(WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3&&) const
6 0x283847718 std::__1::enable_if<std::is_invocable_v<WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3, WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>> const&>, WTF::Vector<std::__1::invoke_result<WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3, WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>> const&>::type, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>>::type WTF::Vector<WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>>, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::map<WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3>(WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3&&) const
7 0x283844d1c WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const
8 0x28385c598 auto WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3::operator()<WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>> const>(WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>> const&) const
9 0x28385c3e4 std::__1::enable_if<std::is_invocable_v<WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3, WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>> const&>, WTF::Vector<double, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>>::type WTF::Vector<WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>>, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::map<WTF::Vector<double, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3>(WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3&&) const
10 0x283847718 std::__1::enable_if<std::is_invocable_v<WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3, WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>> const&>, WTF::Vector<std::__1::invoke_result<WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3, WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>> const&>::type, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>>::type WTF::Vector<WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>>, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::map<WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3>(WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3&&) const
11 0x283844d1c WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const
12 0x283844034 WebCore::CSSCalcOperationNode::combineChildren()
13 0x2838466b0 WebCore::CSSCalcOperationNode::simplifyNode(WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>>&&, int)
14 0x283846314 WebCore::CSSCalcOperationNode::simplifyRecursive(WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>>&&, int)
15 0x28383ec00 WebCore::CSSCalcOperationNode::simplify(WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>>&&)
16 0x28383df70 WebCore::CSSCalcExpressionNodeParser::parseCalc(WebCore::CSSParserTokenRange, WebCore::CSSValueID, bool)
17 0x28385fd98 WebCore::CSSCalcValue::create(WebCore::CSSValueID, WebCore::CSSParserTokenRange const&, WebCore::CalculationCategory, WebCore::ValueRange, WebCore::CSSCalcSymbolTable const&, bool)
18 0x283902d78 WebCore::CSSPropertyParserHelpers::CalcParser::CalcParser(WebCore::CSSParserTokenRange&, WebCore::CalculationCategory, WebCore::ValueRange, WebCore::CSSCalcSymbolTable const&, WebCore::CSSPropertyParserHelpers::NegativePercentagePolicy)
19 0x2838d9b4c WebCore::CSSPropertyParserHelpers::CalcParser::CalcParser(WebCore::CSSParserTokenRange&, WebCore::CalculationCategory, WebCore::ValueRange, WebCore::CSSCalcSymbolTable const&, WebCore::CSSPropertyParserHelpers::NegativePercentagePolicy)
20 0x2838d993c WebCore::CSSPropertyParserHelpers::consumeLengthOrPercent(WebCore::CSSParserTokenRange&, WebCore::CSSParserMode, WebCore::ValueRange, WebCore::CSSPropertyParserHelpers::UnitlessQuirk, WebCore::CSSPropertyParserHelpers::UnitlessZeroQuirk, WebCore::CSSPropertyParserHelpers::NegativePercentagePolicy)
21 0x2838e40c8 WebCore::CSSPropertyParserHelpers::consumeAutoOrLengthOrPercent(WebCore::CSSParserTokenRange&, WebCore::CSSParserMode, WebCore::CSSPropertyParserHelpers::UnitlessQuirk)
22 0x2838e4024 WebCore::CSSPropertyParserHelpers::consumeMarginSide(WebCore::CSSParserTokenRange&, WebCore::CSSPropertyID, WebCore::CSSParserMode)
Rob Buis
Comment 4
2023-04-22 00:53:52 PDT
This seems enough to ASSERT: document.body.style.marginLeft = "hypot(0% + 772.35px)";
Rob Buis
Comment 5
2023-04-22 09:45:06 PDT
Pull request: https://github.com/WebKit/WebKit-security/pull/36
Rob Buis
Comment 6
2023-04-24 11:11:35 PDT
Pull request: https://github.com/WebKit/WebKit/pull/13107
EWS
Comment 7
2023-04-24 16:15:25 PDT
Committed 263345@main (1643a89b579b): <https://commits.webkit.org/263345@main>

Reviewed commits have been landed. Closing PR #13107 and removing active labels.