Bug 254392 - css/css-values/hypot-pow-sqrt-computed.html WPT crashes
Summary: css/css-values/hypot-pow-sqrt-computed.html WPT crashes
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: CSS (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Rob Buis
URL: https://wpt.fyi/results/css/css-value...
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2023-03-23 20:19 PDT by Tim Nguyen (:ntim)
Modified: 2023-04-24 16:15 PDT (History)
4 users (show)

See Also:

Attachments
Reduced testcase (1.85 KB, text/html)
2023-04-21 17:07 PDT, Tim Nguyen (:ntim) 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Radar WebKit Bug Importer 2023-03-23 20:20:03 PDT 
<rdar://problem/107168358>
Comment 2 Tim Nguyen (:ntim) 2023-04-21 17:07:24 PDT 
Created attachment 466039 [details]
Reduced testcase
Comment 3 Rob Buis 2023-04-22 00:46:54 PDT 
I get:
HOULD NEVER BE REACHED
css/calc/CSSCalcPrimitiveValueNode.cpp(179) : virtual double WebCore::CSSCalcPrimitiveValueNode::doubleValue(WebCore::CSSUnitType) const
1   0x13c260fa0 WTFCrash
2   0x2806816e0 WebCore::JSDOMWrapperConverterTraits<WebCore::ANGLEInstancedArrays>::WrapperClass* WebCore::createWrapper<WebCore::ANGLEInstancedArrays, WebCore::ANGLEInstancedArrays>(WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::ANGLEInstancedArrays, WTF::RawPtrTraits<WebCore::ANGLEInstancedArrays>>&&)
3   0x283845b68 WebCore::CSSCalcPrimitiveValueNode::doubleValue(WebCore::CSSUnitType) const
4   0x28385c598 auto WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3::operator()<WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>> const>(WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>> const&) const
5   0x28385c3e4 std::__1::enable_if<std::is_invocable_v<WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3, WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>> const&>, WTF::Vector<double, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>>::type WTF::Vector<WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>>, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::map<WTF::Vector<double, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3>(WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3&&) const
6   0x283847718 std::__1::enable_if<std::is_invocable_v<WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3, WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>> const&>, WTF::Vector<std::__1::invoke_result<WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3, WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>> const&>::type, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>>::type WTF::Vector<WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>>, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::map<WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3>(WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3&&) const
7   0x283844d1c WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const
8   0x28385c598 auto WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3::operator()<WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>> const>(WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>> const&) const
9   0x28385c3e4 std::__1::enable_if<std::is_invocable_v<WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3, WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>> const&>, WTF::Vector<double, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>>::type WTF::Vector<WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>>, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::map<WTF::Vector<double, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3>(WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3&&) const
10  0x283847718 std::__1::enable_if<std::is_invocable_v<WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3, WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>> const&>, WTF::Vector<std::__1::invoke_result<WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3, WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>> const&>::type, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>>::type WTF::Vector<WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>>, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::map<WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3>(WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const::$_3&&) const
11  0x283844d1c WebCore::CSSCalcOperationNode::doubleValue(WebCore::CSSUnitType) const
12  0x283844034 WebCore::CSSCalcOperationNode::combineChildren()
13  0x2838466b0 WebCore::CSSCalcOperationNode::simplifyNode(WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>>&&, int)
14  0x283846314 WebCore::CSSCalcOperationNode::simplifyRecursive(WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>>&&, int)
15  0x28383ec00 WebCore::CSSCalcOperationNode::simplify(WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>>&&)
16  0x28383df70 WebCore::CSSCalcExpressionNodeParser::parseCalc(WebCore::CSSParserTokenRange, WebCore::CSSValueID, bool)
17  0x28385fd98 WebCore::CSSCalcValue::create(WebCore::CSSValueID, WebCore::CSSParserTokenRange const&, WebCore::CalculationCategory, WebCore::ValueRange, WebCore::CSSCalcSymbolTable const&, bool)
18  0x283902d78 WebCore::CSSPropertyParserHelpers::CalcParser::CalcParser(WebCore::CSSParserTokenRange&, WebCore::CalculationCategory, WebCore::ValueRange, WebCore::CSSCalcSymbolTable const&, WebCore::CSSPropertyParserHelpers::NegativePercentagePolicy)
19  0x2838d9b4c WebCore::CSSPropertyParserHelpers::CalcParser::CalcParser(WebCore::CSSParserTokenRange&, WebCore::CalculationCategory, WebCore::ValueRange, WebCore::CSSCalcSymbolTable const&, WebCore::CSSPropertyParserHelpers::NegativePercentagePolicy)
20  0x2838d993c WebCore::CSSPropertyParserHelpers::consumeLengthOrPercent(WebCore::CSSParserTokenRange&, WebCore::CSSParserMode, WebCore::ValueRange, WebCore::CSSPropertyParserHelpers::UnitlessQuirk, WebCore::CSSPropertyParserHelpers::UnitlessZeroQuirk, WebCore::CSSPropertyParserHelpers::NegativePercentagePolicy)
21  0x2838e40c8 WebCore::CSSPropertyParserHelpers::consumeAutoOrLengthOrPercent(WebCore::CSSParserTokenRange&, WebCore::CSSParserMode, WebCore::CSSPropertyParserHelpers::UnitlessQuirk)
22  0x2838e4024 WebCore::CSSPropertyParserHelpers::consumeMarginSide(WebCore::CSSParserTokenRange&, WebCore::CSSPropertyID, WebCore::CSSParserMode)
Comment 4 Rob Buis 2023-04-22 00:53:52 PDT 
This seems enough to ASSERT:
document.body.style.marginLeft = "hypot(0% + 772.35px)";
Comment 5 Rob Buis 2023-04-22 09:45:06 PDT 
Pull request: https://github.com/WebKit/WebKit-security/pull/36
Comment 6 Rob Buis 2023-04-24 11:11:35 PDT 
Pull request: https://github.com/WebKit/WebKit/pull/13107
Comment 7 EWS 2023-04-24 16:15:25 PDT 
Committed 263345@main (1643a89b579b): <https://commits.webkit.org/263345@main>

Reviewed commits have been landed. Closing PR #13107 and removing active labels.