Bug 153333

Summary: WebKitCSSMatrix transformList with calculated relative length crashes Safari.
Product: WebKit Reporter: William Chen <wchen>
Component: CSSAssignee: Dean Jackson <dino>
Status: REOPENED    
Severity: Normal CC: ahmad.saleem792, bdakin, commit-queue, dino, mathias, mmaxfield, simon.fraser, webkit-bug-importer, zalan
Priority: P2 Keywords: InRadar
Version: Safari 9   
Hardware: Mac   
OS: OS X 10.11   
Bug Depends on: 154380    
Bug Blocks:    
Attachments:
Description Flags
Test case
none
Patch simon.fraser: review+

William Chen
Reported 2016-01-21 16:29:16 PST
Created attachment 269516 [details] Test case See attachment.
Attachments
Test case (111 bytes, text/html)
2016-01-21 16:29 PST, William Chen 		no flags
Details
Patch (16.03 KB, patch)
2016-02-17 17:40 PST, Dean Jackson 		simon.fraser: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Alexey Proskuryakov
Comment 1 2016-01-25 15:45:01 PST
<rdar://problem/17198383> Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.WebCore 0x00007fff96e86464 WebCore::RenderStyle::fontDescription() const + 4 1 com.apple.WebCore 0x00007fff9720ce85 WebCore::CSSPrimitiveValue::computeNonCalcLengthDouble(WebCore::CSSToLengthConversionData const&, unsigned short, double) + 85 2 com.apple.WebCore 0x00007fff971ceb13 WebCore::CSSCalcValue::computeLengthPx(WebCore::CSSToLengthConversionData const&) const + 19 3 com.apple.WebCore 0x00007fff97b77a27 WebCore::Length WebCore::CSSPrimitiveValue::convertToLength<26>(WebCore::CSSToLengthConversionData const&) const + 87 4 com.apple.WebCore 0x00007fff97c6661e WebCore::transformsForValue(WebCore::CSSValue&, WebCore::CSSToLengthConversionData const&, WebCore::TransformOperations&) + 3742 5 com.apple.WebCore 0x00007fff9701c77e WebCore::WebKitCSSMatrix::setMatrixValue(WTF::String const&, int&) + 270 6 com.apple.WebCore 0x00007fff9701c4d0 WebCore::JSWebKitCSSMatrixConstructor::constructJSWebKitCSSMatrix(JSC::ExecState*) + 208
Mike Taylor
Comment 2 2016-01-27 11:44:54 PST
Edge throws a Syntax Error and that's what Gecko is planning on doing too, for caclated values in a transformList.
Myles C. Maxfield
Comment 3 2016-02-02 22:14:06 PST
Spec says "If parsing is not successful or any <transform-function> has <length> values without absolute length units, throw a SyntaxError exception." https://drafts.fxtf.org/geometry/#dom-dommatrix-dommatrix-transformlist
Dean Jackson
Comment 4 2016-02-17 17:40:54 PST
Created attachment 271609 [details] Patch
Simon Fraser (smfr)
Comment 5 2016-02-17 17:49:55 PST
Comment on attachment 271609 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=271609&action=review > Source/WebCore/ChangeLog:10 > + using absolute length. lengths. > Source/WebCore/css/StyleBuilderConverter.h:358 > + transformsForValue(value, styleResolver.state().cssToLengthConversionData(), false, operations); boolean trap! > Source/WebCore/css/WebKitCSSMatrix.cpp:70 > + if (!transformsForValue(*value, CSSToLengthConversionData(), true, operations)) { Ick. I think i want an enum here.
Dean Jackson
Comment 6 2016-02-17 18:14:18 PST
Committed r196738: <http://trac.webkit.org/changeset/196738>
WebKit Commit Bot
Comment 7 2016-02-17 21:12:07 PST
Re-opened since this is blocked by bug 154380
Ahmad Saleem
Comment 8 2022-09-30 14:56:35 PDT
Safari 16 does not crash on the test case but show following warning in console: [Error] SyntaxError: The string did not match the expected pattern. DOMMatrix (attachment.cgi:5) Global Code (attachment.cgi:5) While Chrome Canary 108 show following in console: attachment.cgi?id=269516:5 Uncaught DOMException: Failed to construct 'DOMMatrix': Lengths must be absolute, not relative at https://bug-153333-attachments.webkit.org/attachment.cgi?id=269516:5:9 In Firefox Nightly 107, we get following: Uncaught DOMException: An invalid or illegal string was specified ______ From Comment 01, it seems that it is expected rather than crash. Should we mark this as "RESOLVED CONFIGURATION CHANGED" since now we are doing right thing? Thanks!
Note You need to log in before you can comment on or make changes to this bug.