Bug 186766

Summary: [DEBUG] Crash under CSSPrimitiveValue::init() when transitioning background-position and reading the computed style
Product: WebKit
Reporter: Antoine Quint <graouts>
Component: CSS
Assignee: Nobody <webkit-unassigned>
Status: NEW
Severity: Normal
CC: ap, koivisto, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments: Testcase (flags: none)

Description Antoine Quint 2018-06-18 08:12:22 PDT
Created attachment 342937 [details]
Testcase

See the attached test case which crashes upon reading the background-position-x property.
Comment 1 Alexey Proskuryakov 2018-06-18 23:26:46 PDT
I couldn't reproduce in Safari 11.1.1, so sounds like a regression from shipping?
Comment 2 Antoine Quint 2018-06-19 00:35:09 PDT
Sorry, I should say this is a debug assertion, so the crash won't reproduce with a release or production build.
Comment 3 Antoine Quint 2018-06-19 00:35:51 PDT
#0	0x000000024f993230 in ::WTFCrash() at /Source/WTF/wtf/Assertions.cpp:267
#1	0x0000000241bb0a55 in WebCore::CSSPrimitiveValue::init(WebCore::Length const&) at /Source/WebCore/css/CSSPrimitiveValue.cpp:416
#2	0x0000000241bb0801 in WebCore::CSSPrimitiveValue::CSSPrimitiveValue(WebCore::Length const&) at /Source/WebCore/css/CSSPrimitiveValue.cpp:334
#3	0x0000000241bb0add in WebCore::CSSPrimitiveValue::CSSPrimitiveValue(WebCore::Length const&) at /Source/WebCore/css/CSSPrimitiveValue.cpp:333
#4	0x0000000241b3b87e in WTF::Ref<WebCore::CSSPrimitiveValue, WTF::DumbPtrTraits<WebCore::CSSPrimitiveValue> > WebCore::CSSPrimitiveValue::create<WebCore::Length const&>(WebCore::Length const&&&) at /Source/WebCore/./css/CSSPrimitiveValue.h:388
#5	0x0000000241b1be24 in WTF::Ref<WebCore::CSSPrimitiveValue, WTF::DumbPtrTraits<WebCore::CSSPrimitiveValue> > WebCore::CSSValuePool::createValue<WebCore::Length const&>(WebCore::Length const&&&) at /Source/WebCore/css/CSSValuePool.h:67
#6	0x0000000241b10c04 in WebCore::ComputedStyleExtractor::valueForPropertyinStyle(WebCore::RenderStyle const&, WebCore::CSSPropertyID, WebCore::RenderElement*) at /Source/WebCore/css/CSSComputedStyleDeclaration.cpp:2818
#7	0x0000000241b0e86b in WebCore::ComputedStyleExtractor::propertyValue(WebCore::CSSPropertyID, WebCore::EUpdateLayout) at /Source/WebCore/css/CSSComputedStyleDeclaration.cpp:2708
#8	0x0000000241b0e475 in WebCore::CSSComputedStyleDeclaration::getPropertyCSSValue(WebCore::CSSPropertyID, WebCore::EUpdateLayout) const at /Source/WebCore/css/CSSComputedStyleDeclaration.cpp:2416
#9	0x0000000241b2899a in WebCore::CSSComputedStyleDeclaration::getPropertyCSSValueInternal(WebCore::CSSPropertyID) at /Source/WebCore/css/CSSComputedStyleDeclaration.cpp:4296
#10	0x0000000241bca6c2 in WebCore::CSSStyleDeclaration::namedItem(WTF::AtomicString const&) at /Source/WebCore/css/CSSStyleDeclaration.cpp:264
#11	0x00000002403c59d8 in std::optional<WTF::Variant<WTF::String, double> > WebCore::JSCSSStyleDeclaration::getOwnPropertySlot(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&)::$_0::operator()<WebCore::JSCSSStyleDeclaration, JSC::PropertyName>(WebCore::JSCSSStyleDeclaration&, JSC::PropertyName) const at /Users/antoine/Builds/Debug/DerivedSources/WebCore/JSCSSStyleDeclaration.cpp:196
#12	0x00000002403b8673 in decltype(fp2(fp0fp1)) WebCore::accessVisibleNamedProperty<(WebCore::OverrideBuiltins)0, WebCore::JSCSSStyleDeclaration, WebCore::JSCSSStyleDeclaration::getOwnPropertySlot(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&)::$_0&>(JSC::ExecState&, WebCore::JSCSSStyleDeclaration&, JSC::PropertyName, WebCore::JSCSSStyleDeclaration::getOwnPropertySlot(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&)::$_0&&&) at /Source/WebCore/bindings/js/JSDOMAbstractOperations.h:97
#13	0x00000002403b769e in WebCore::JSCSSStyleDeclaration::getOwnPropertySlot(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) at /Users/antoine/Builds/Debug/DerivedSources/WebCore/JSCSSStyleDeclaration.cpp:201
#14	0x000000024fab3602 in JSC::JSObject::getNonIndexPropertySlot(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) at /Source/JavaScriptCore/runtime/JSObjectInlines.h:150
#15	0x000000024fab2af6 in JSC::JSObject::getPropertySlot(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) at /Source/JavaScriptCore/runtime/JSObject.h:1407
#16	0x00000002502f6a72 in JSC::JSValue::getPropertySlot(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) const at /Source/JavaScriptCore/runtime/JSCJSValueInlines.h:872
#17	0x00000002502de692 in JSC::JSValue::get(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) const at /Source/JavaScriptCore/runtime/JSCJSValueInlines.h:826
#18	0x00000002509bb564 in ::llint_slow_path_get_by_id(JSC::ExecState *, JSC::Instruction *) at /Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:712
#19	0x000000024fa80a38 in llint_entry at /Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:58
#20	0x000000024fa7d282 in llintPCRangeStart at /Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:257
#21	0x00000002508d980a in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) at /Source/JavaScriptCore/jit/JITCodeInlines.h:38
#22	0x00000002508d9de0 in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) at /Source/JavaScriptCore/interpreter/Interpreter.cpp:1023
#23	0x0000000250b67e6a in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) at /Source/JavaScriptCore/runtime/CallData.cpp:41
#24	0x0000000250b67f49 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) at /Source/JavaScriptCore/runtime/CallData.cpp:48
#25	0x0000000250b681ed in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) at /Source/JavaScriptCore/runtime/CallData.cpp:67
#26	0x00000002418d6d0b in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) at /Source/WebCore/bindings/js/JSMainThreadExecState.h:72
#27	0x0000000241959ac6 in WebCore::ScheduledAction::executeFunctionInContext(JSC::JSGlobalObject*, JSC::JSValue, WebCore::ScriptExecutionContext&) at /Source/WebCore/bindings/js/ScheduledAction.cpp:119
#28	0x0000000241959570 in WebCore::ScheduledAction::execute(WebCore::Document&) at /Source/WebCore/bindings/js/ScheduledAction.cpp:140
#29	0x0000000241959433 in WebCore::ScheduledAction::execute(WebCore::ScriptExecutionContext&) at /Source/WebCore/bindings/js/ScheduledAction.cpp:86
#30	0x00000002427382a9 in WebCore::DOMTimer::fired() at /Source/WebCore/page/DOMTimer.cpp:365
#31	0x000000024297c3c4 in WebCore::ThreadTimers::sharedTimerFiredInternal() at /Source/WebCore/platform/ThreadTimers.cpp:117
#32	0x0000000242991df1 in WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0::operator()() const at /Source/WebCore/platform/ThreadTimers.cpp:69
#33	0x0000000242991da9 in WTF::Function<void ()>::CallableWrapper<WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0>::call() at /Users/antoine/Builds/Debug/usr/local/include/wtf/Function.h:101
#34	0x000000024000f1fb in WTF::Function<void ()>::operator()() const at /Users/antoine/Builds/Debug/usr/local/include/wtf/Function.h:56
#35	0x0000000242954335 in WebCore::MainThreadSharedTimer::fired() at /Source/WebCore/platform/MainThreadSharedTimer.cpp:54
#36	0x00000002429f9519 in WebCore::timerFired(__CFRunLoopTimer*, void*) at /Source/WebCore/platform/cf/MainThreadSharedTimerCF.cpp:74
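The backtrace above is the kind of artifact a triager reads hundreds of times: the interesting facts are which function's ASSERT fired (the first frame below the WTFCrash helper) and which script-reachable binding led into WebCore (the last WebCore frame before JavaScriptCore takes over). The following is an added example, not WebKit code and not part of this bug: a small parser for the debugger line shape printed in Comment 3 that extracts exactly those two facts. The sample input is a subset of the frames from Comment 3 (the tab after "#n" is written as a space, which the parser treats identically); the module names are inferred from the source path rather than the symbol text, because symbols such as frame #4 carry a WTF:: return type on a WebCore function.

```python
"""Triage helper for a WebKit-style debugger backtrace (added example, not
WebKit code). Pulls out the assertion site and the JS binding entry frame."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Line shape seen in the comment above: "#<n> <address> in <symbol> at <file>:<line>"
FRAME_RE = re.compile(
    r"^#(?P<index>\d+)\s+(?P<addr>0x[0-9a-fA-F]+)\s+in\s+"
    r"(?P<symbol>.+?)\s+at\s+(?P<file>\S+):(?P<line>\d+)\s*$"
)

# Subset of the frames from Comment 3 (copied, tabs replaced by spaces).
SAMPLE_TRACE = """\
#0 0x000000024f993230 in ::WTFCrash() at /Source/WTF/wtf/Assertions.cpp:267
#1 0x0000000241bb0a55 in WebCore::CSSPrimitiveValue::init(WebCore::Length const&) at /Source/WebCore/css/CSSPrimitiveValue.cpp:416
#2 0x0000000241bb0801 in WebCore::CSSPrimitiveValue::CSSPrimitiveValue(WebCore::Length const&) at /Source/WebCore/css/CSSPrimitiveValue.cpp:334
#3 0x0000000241bb0add in WebCore::CSSPrimitiveValue::CSSPrimitiveValue(WebCore::Length const&) at /Source/WebCore/css/CSSPrimitiveValue.cpp:333
#6 0x0000000241b10c04 in WebCore::ComputedStyleExtractor::valueForPropertyinStyle(WebCore::RenderStyle const&, WebCore::CSSPropertyID, WebCore::RenderElement*) at /Source/WebCore/css/CSSComputedStyleDeclaration.cpp:2818
#7 0x0000000241b0e86b in WebCore::ComputedStyleExtractor::propertyValue(WebCore::CSSPropertyID, WebCore::EUpdateLayout) at /Source/WebCore/css/CSSComputedStyleDeclaration.cpp:2708
#8 0x0000000241b0e475 in WebCore::CSSComputedStyleDeclaration::getPropertyCSSValue(WebCore::CSSPropertyID, WebCore::EUpdateLayout) const at /Source/WebCore/css/CSSComputedStyleDeclaration.cpp:2416
#9 0x0000000241b2899a in WebCore::CSSComputedStyleDeclaration::getPropertyCSSValueInternal(WebCore::CSSPropertyID) at /Source/WebCore/css/CSSComputedStyleDeclaration.cpp:4296
#10 0x0000000241bca6c2 in WebCore::CSSStyleDeclaration::namedItem(WTF::AtomicString const&) at /Source/WebCore/css/CSSStyleDeclaration.cpp:264
#13 0x00000002403b769e in WebCore::JSCSSStyleDeclaration::getOwnPropertySlot(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) at /Users/antoine/Builds/Debug/DerivedSources/WebCore/JSCSSStyleDeclaration.cpp:201
#14 0x000000024fab3602 in JSC::JSObject::getNonIndexPropertySlot(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) at /Source/JavaScriptCore/runtime/JSObjectInlines.h:150
#15 0x000000024fab2af6 in JSC::JSObject::getPropertySlot(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) at /Source/JavaScriptCore/runtime/JSObject.h:1407
#18 0x00000002509bb564 in ::llint_slow_path_get_by_id(JSC::ExecState *, JSC::Instruction *) at /Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:712
#30 0x00000002427382a9 in WebCore::DOMTimer::fired() at /Source/WebCore/page/DOMTimer.cpp:365
"""


@dataclass
class Frame:
    index: int
    address: int
    symbol: str
    file: str
    line: int

    @property
    def module(self) -> str:
        # Owner is taken from the source path, not the symbol: a symbol can
        # begin with a WTF:: return type or mention JSC:: parameter types
        # while the function itself lives in WebCore.
        if "/JavaScriptCore/" in self.file:
            return "JavaScriptCore"
        if "/WebCore/" in self.file:
            return "WebCore"
        if "/WTF/" in self.file or "/wtf/" in self.file:
            return "WTF"
        return "unknown"


def parse_backtrace(text: str) -> List[Frame]:
    """Return frames in printed order; lines that are not frames are skipped."""
    frames: List[Frame] = []
    for raw in text.splitlines():
        m = FRAME_RE.match(raw.strip())
        if not m:
            continue
        frames.append(Frame(int(m["index"]), int(m["addr"], 16),
                            m["symbol"], m["file"], int(m["line"])))
    return frames


def assertion_site(frames: List[Frame]) -> Optional[Frame]:
    """First frame below the assertion helper: the function whose ASSERT failed."""
    for f in frames:
        if "WTFCrash" in f.symbol or f.file.endswith("Assertions.cpp"):
            continue
        return f
    return None


def binding_entry(frames: List[Frame]) -> Optional[Frame]:
    """The WebCore frame directly below the first JavaScriptCore frame, i.e.
    the generated JS binding through which page script entered WebCore."""
    for i, f in enumerate(frames):
        if f.module == "JavaScriptCore":
            if i > 0 and frames[i - 1].module == "WebCore":
                return frames[i - 1]
            return None
    return None


def summarize(text: str) -> str:
    """One-line triage summary suitable for a bug title or a dedup key."""
    frames = parse_backtrace(text)
    site, entry = assertion_site(frames), binding_entry(frames)
    site_s = f"{site.symbol.split('(')[0]} ({site.file.rsplit('/', 1)[-1]}:{site.line})" if site else "?"
    entry_s = entry.symbol.split("(")[0] if entry else "?"
    return f"assert in {site_s}, reached via {entry_s}"


if __name__ == "__main__":
    print(summarize(SAMPLE_TRACE))
```

The two frame selectors deliberately avoid string-matching on WebKit namespaces in the symbol: frame #13's symbol mentions JSC:: types but is a WebCore binding, and a symbol-based classifier would mark the entry point one frame too early. The `summarize()` line is the form that lends itself to deduplicating repeated debug-assertion reports against the same site.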
Comment 4 Radar WebKit Bug Importer 2018-06-19 09:32:34 PDT
<rdar://problem/41252365>