186766 2018-06-18 08:12:22 -0700 [DEBUG] Crash under CSSPrimitiveValue::init() when transitioning background-position and reading the computed style 2022-02-09 10:14:04 -0800 1 1 1 Unclassified WebKit CSS WebKit Nightly Build Unspecified Unspecified NEW InRadar P2 Normal --- 1 graouts webkit-unassigned ap koivisto webkit-bug-importer oldest_to_newest 1433998 0 342937 graouts 2018-06-18 08:12:22 -0700 Created attachment 342937 Testcase See the attached test case which crashes upon reading the background-position-x property. 1434302 1 ap 2018-06-18 23:26:46 -0700 I couldn't reproduce in Safari 11.1.1, so sounds like a regression from shipping? 1434314 2 graouts 2018-06-19 00:35:09 -0700 Sorry, I should say this is a debug assertion, so the crash won't reproduce with a release or production build. 1434315 3 graouts 2018-06-19 00:35:51 -0700 #0 0x000000024f993230 in ::WTFCrash() at /Source/WTF/wtf/Assertions.cpp:267 #1 0x0000000241bb0a55 in WebCore::CSSPrimitiveValue::init(WebCore::Length const&) at /Source/WebCore/css/CSSPrimitiveValue.cpp:416 #2 0x0000000241bb0801 in WebCore::CSSPrimitiveValue::CSSPrimitiveValue(WebCore::Length const&) at /Source/WebCore/css/CSSPrimitiveValue.cpp:334 #3 0x0000000241bb0add in WebCore::CSSPrimitiveValue::CSSPrimitiveValue(WebCore::Length const&) at /Source/WebCore/css/CSSPrimitiveValue.cpp:333 #4 0x0000000241b3b87e in WTF::Ref<WebCore::CSSPrimitiveValue, WTF::DumbPtrTraits<WebCore::CSSPrimitiveValue> > WebCore::CSSPrimitiveValue::create<WebCore::Length const&>(WebCore::Length const&&&) at /Source/WebCore/./css/CSSPrimitiveValue.h:388 #5 0x0000000241b1be24 in WTF::Ref<WebCore::CSSPrimitiveValue, WTF::DumbPtrTraits<WebCore::CSSPrimitiveValue> > WebCore::CSSValuePool::createValue<WebCore::Length const&>(WebCore::Length const&&&) at /Source/WebCore/css/CSSValuePool.h:67 #6 0x0000000241b10c04 in WebCore::ComputedStyleExtractor::valueForPropertyinStyle(WebCore::RenderStyle const&, WebCore::CSSPropertyID, WebCore::RenderElement*) at /Source/WebCore/css/CSSComputedStyleDeclaration.cpp:2818 #7 0x0000000241b0e86b in WebCore::ComputedStyleExtractor::propertyValue(WebCore::CSSPropertyID, WebCore::EUpdateLayout) at /Source/WebCore/css/CSSComputedStyleDeclaration.cpp:2708 #8 0x0000000241b0e475 in WebCore::CSSComputedStyleDeclaration::getPropertyCSSValue(WebCore::CSSPropertyID, WebCore::EUpdateLayout) const at /Source/WebCore/css/CSSComputedStyleDeclaration.cpp:2416 #9 0x0000000241b2899a in WebCore::CSSComputedStyleDeclaration::getPropertyCSSValueInternal(WebCore::CSSPropertyID) at /Source/WebCore/css/CSSComputedStyleDeclaration.cpp:4296 #10 0x0000000241bca6c2 in WebCore::CSSStyleDeclaration::namedItem(WTF::AtomicString const&) at /Source/WebCore/css/CSSStyleDeclaration.cpp:264 #11 0x00000002403c59d8 in std::optional<WTF::Variant<WTF::String, double> > WebCore::JSCSSStyleDeclaration::getOwnPropertySlot(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&)::$_0::operator()<WebCore::JSCSSStyleDeclaration, JSC::PropertyName>(WebCore::JSCSSStyleDeclaration&, JSC::PropertyName) const at /Users/antoine/Builds/Debug/DerivedSources/WebCore/JSCSSStyleDeclaration.cpp:196 #12 0x00000002403b8673 in decltype(fp2(fp0fp1)) WebCore::accessVisibleNamedProperty<(WebCore::OverrideBuiltins)0, WebCore::JSCSSStyleDeclaration, WebCore::JSCSSStyleDeclaration::getOwnPropertySlot(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&)::$_0&>(JSC::ExecState&, WebCore::JSCSSStyleDeclaration&, JSC::PropertyName, WebCore::JSCSSStyleDeclaration::getOwnPropertySlot(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&)::$_0&&&) at /Source/WebCore/bindings/js/JSDOMAbstractOperations.h:97 #13 0x00000002403b769e in WebCore::JSCSSStyleDeclaration::getOwnPropertySlot(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) at /Users/antoine/Builds/Debug/DerivedSources/WebCore/JSCSSStyleDeclaration.cpp:201 #14 0x000000024fab3602 in JSC::JSObject::getNonIndexPropertySlot(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) at /Source/JavaScriptCore/runtime/JSObjectInlines.h:150 #15 0x000000024fab2af6 in JSC::JSObject::getPropertySlot(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) at /Source/JavaScriptCore/runtime/JSObject.h:1407 #16 0x00000002502f6a72 in JSC::JSValue::getPropertySlot(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) const at /Source/JavaScriptCore/runtime/JSCJSValueInlines.h:872 #17 0x00000002502de692 in JSC::JSValue::get(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) const at /Source/JavaScriptCore/runtime/JSCJSValueInlines.h:826 #18 0x00000002509bb564 in ::llint_slow_path_get_by_id(JSC::ExecState *, JSC::Instruction *) at /Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:712 #19 0x000000024fa80a38 in llint_entry at /Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:58 #20 0x000000024fa7d282 in llintPCRangeStart at /Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:257 #21 0x00000002508d980a in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) at /Source/JavaScriptCore/jit/JITCodeInlines.h:38 #22 0x00000002508d9de0 in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) at /Source/JavaScriptCore/interpreter/Interpreter.cpp:1023 #23 0x0000000250b67e6a in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) at /Source/JavaScriptCore/runtime/CallData.cpp:41 #24 0x0000000250b67f49 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) at /Source/JavaScriptCore/runtime/CallData.cpp:48 #25 0x0000000250b681ed in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) at /Source/JavaScriptCore/runtime/CallData.cpp:67 #26 0x00000002418d6d0b in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) at /Source/WebCore/bindings/js/JSMainThreadExecState.h:72 #27 0x0000000241959ac6 in WebCore::ScheduledAction::executeFunctionInContext(JSC::JSGlobalObject*, JSC::JSValue, WebCore::ScriptExecutionContext&) at /Source/WebCore/bindings/js/ScheduledAction.cpp:119 #28 0x0000000241959570 in WebCore::ScheduledAction::execute(WebCore::Document&) at /Source/WebCore/bindings/js/ScheduledAction.cpp:140 #29 0x0000000241959433 in WebCore::ScheduledAction::execute(WebCore::ScriptExecutionContext&) at /Source/WebCore/bindings/js/ScheduledAction.cpp:86 #30 0x00000002427382a9 in WebCore::DOMTimer::fired() at /Source/WebCore/page/DOMTimer.cpp:365 #31 0x000000024297c3c4 in WebCore::ThreadTimers::sharedTimerFiredInternal() at /Source/WebCore/platform/ThreadTimers.cpp:117 #32 0x0000000242991df1 in WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0::operator()() const at /Source/WebCore/platform/ThreadTimers.cpp:69 #33 0x0000000242991da9 in WTF::Function<void ()>::CallableWrapper<WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0>::call() at /Users/antoine/Builds/Debug/usr/local/include/wtf/Function.h:101 #34 0x000000024000f1fb in WTF::Function<void ()>::operator()() const at /Users/antoine/Builds/Debug/usr/local/include/wtf/Function.h:56 #35 0x0000000242954335 in WebCore::MainThreadSharedTimer::fired() at /Source/WebCore/platform/MainThreadSharedTimer.cpp:54 #36 0x00000002429f9519 in WebCore::timerFired(__CFRunLoopTimer*, void*) at /Source/WebCore/platform/cf/MainThreadSharedTimerCF.cpp:74 1434416 4 webkit-bug-importer 2018-06-19 09:32:34 -0700 <rdar://problem/41252365> 342937 2018-06-18 08:12:22 -0700 2018-06-18 08:12:22 -0700 Testcase background-position-x-computed-style.html text/html 579 graouts PHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiPgogICAgCiAgICB3aW5kb3cuYWRkRXZlbnRM aXN0ZW5lcigiRE9NQ29udGVudExvYWRlZCIsIGV2ZW50ID0+IHsKICAgICAgICBjb25zdCBlbGVt ZW50ID0gZG9jdW1lbnQuYm9keS5hcHBlbmRDaGlsZChkb2N1bWVudC5jcmVhdGVFbGVtZW50KCJk aXYiKSk7CgogICAgICAgIGVsZW1lbnQuc3R5bGUudHJhbnNpdGlvblByb3BlcnR5ID0gImJhY2tn cm91bmQtcG9zaXRpb24iOwogICAgICAgIGVsZW1lbnQuc3R5bGUudHJhbnNpdGlvbkR1cmF0aW9u ID0gIjFzIjsKCiAgICAgICAgd2luZG93LnNldFRpbWVvdXQoKCkgPT4gewogICAgICAgICAgICBl bGVtZW50LnN0eWxlLmJhY2tncm91bmRQb3NpdGlvbiA9ICJyaWdodCA4MHB4IGJvdHRvbSAxMDBw eCI7CiAgICAgICAgICAgIHdpbmRvdy5zZXRUaW1lb3V0KCgpID0+IHsKICAgICAgICAgICAgICAg IGNvbnNvbGUubG9nKHdpbmRvdy5nZXRDb21wdXRlZFN0eWxlKGVsZW1lbnQpLmJhY2tncm91bmRQ b3NpdGlvblgpOwogICAgICAgICAgICB9LCAxMDApOwogICAgICAgIH0pOwogICAgfSk7CiAgICAK PC9zY3JpcHQ+