Bug 163459

Summary: ASSERTION FAILED: m_fonts in &WebCore::FontCascade::primaryFont
Product: WebKit
Reporter: Renata Hodovan <hodovan>
Component: CSS
Assignee: Myles C. Maxfield <mmaxfield>
Status: RESOLVED FIXED
Severity: Normal
CC: dino, hodovan, jonlee, mmaxfield, simon.fraser, thorton, zalan
Priority: P2
Version: WebKit Local Build
Hardware: Unspecified
OS: Unspecified
Bug Depends on:
Bug Blocks: 116980
Attachments:
Patch (darin: review+)

Description Renata Hodovan 2016-10-14 14:37:41 PDT
Load the attached test with debug webkittestrunner.

Checked version: 2c9fa6e
OS: Darwin-15.6.0-x86_64-i386-64bit

<style>*{font-size:calc(6% - 7ch</style><math>

Backtrace:

ASSERTION FAILED: m_fonts
WebKit/Source/WebCore/platform/graphics/FontCascade.h(342) : const WebCore::Font &WebCore::FontCascade::primaryFont() const
1   0x10a6dc4f1 WTFCrash
2   0x10f030caa WebCore::FontCascade::primaryFont() const
3   0x10f030c35 WebCore::FontCascade::fontMetrics() const
4   0x113dd2585 WebCore::RenderStyle::fontMetrics() const
5   0x10f72c2b3 WebCore::CSSPrimitiveValue::computeNonCalcLengthDouble(WebCore::CSSToLengthConversionData const&, unsigned short, double)
6   0x10f72bd50 WebCore::CSSPrimitiveValue::computeLengthDouble(WebCore::CSSToLengthConversionData const&) const
7   0x10f72be6d float WebCore::CSSPrimitiveValue::computeLength<float>(WebCore::CSSToLengthConversionData const&) const
8   0x10f40d3ba WebCore::CSSCalcPrimitiveValue::createCalcExpression(WebCore::CSSToLengthConversionData const&) const
9   0x10f4111dc WebCore::CSSCalcBinaryOperation::createCalcExpression(WebCore::CSSToLengthConversionData const&) const
10  0x10ee90adf WebCore::CSSCalcValue::createCalculationValue(WebCore::CSSToLengthConversionData const&) const
11  0x11488b243 WebCore::StyleBuilderCustom::applyValueFontSize(WebCore::StyleResolver&, WebCore::CSSValue&)
12  0x11488093c WebCore::StyleBuilder::applyProperty(WebCore::CSSPropertyID, WebCore::StyleResolver&, WebCore::CSSValue&, bool, bool)
13  0x1149c18f2 WebCore::StyleResolver::applyProperty(WebCore::CSSPropertyID, WebCore::CSSValue*, WebCore::SelectorChecker::LinkMatchMask, WebCore::StyleResolver::MatchResult const*)
14  0x1149c799f WebCore::StyleResolver::CascadedProperties::Property::apply(WebCore::StyleResolver&, WebCore::StyleResolver::MatchResult const*)
15  0x1149b6e97 WebCore::StyleResolver::applyCascadedProperties(WebCore::StyleResolver::CascadedProperties&, int, int, WebCore::StyleResolver::MatchResult const*)
16  0x1149b42b9 WebCore::StyleResolver::applyMatchedProperties(WebCore::StyleResolver::MatchResult const&, WebCore::Element const&, WebCore::StyleResolver::ShouldUseMatchedPropertiesCache)
17  0x1149b0a7a WebCore::StyleResolver::styleForElement(WebCore::Element const&, WebCore::RenderStyle const*, WebCore::RuleMatchingBehavior, WebCore::RenderRegion const*, WebCore::SelectorFilter const*)
18  0x114a3c1c2 WebCore::Style::TreeResolver::styleForElement(WebCore::Element&, WebCore::RenderStyle const&)
19  0x114a3cdff WebCore::Style::TreeResolver::resolveElement(WebCore::Element&)
20  0x114a40726 WebCore::Style::TreeResolver::resolveComposedTree()
21  0x114a4225a WebCore::Style::TreeResolver::resolve(WebCore::Style::Change)
22  0x10faff483 WebCore::Document::recalcStyle(WebCore::Style::Change)
23  0x10faea00b WebCore::Document::updateStyleIfNeeded()
24  0x10fb24a9a WebCore::Document::finishedParsing()
25  0x1107ab556 WebCore::HTMLConstructionSite::finishedParsing()
26  0x110aa35b8 WebCore::HTMLTreeBuilder::finished()
27  0x11081ecfc WebCore::HTMLDocumentParser::end()
28  0x11081a9e7 WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd()
29  0x11081a64e WebCore::HTMLDocumentParser::prepareToStopParsing()
30  0x11081ed9c WebCore::HTMLDocumentParser::attemptToEnd()
31  0x11081edf4 WebCore::HTMLDocumentParser::finish()
ASAN:DEADLYSIGNAL
=================================================================
==8135==ERROR: AddressSanitizer: SEGV on unknown address 0x0000bbadbeef (pc 0x00010a6dc529 bp 0x7fff5edcaaf0 sp 0x7fff5edcaae0 T0)
    #0 0x10a6dc528 in WTFCrash (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2d01528)
    #1 0x10f030ca9 in WebCore::FontCascade::primaryFont() const (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x6bcca9)
    #2 0x10f030c34 in WebCore::FontCascade::fontMetrics() const (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x6bcc34)
    #3 0x113dd2584 in WebCore::RenderStyle::fontMetrics() const (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x545e584)
    #4 0x10f72c2b2 in WebCore::CSSPrimitiveValue::computeNonCalcLengthDouble(WebCore::CSSToLengthConversionData const&, unsigned short, double) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0xdb82b2)
    #5 0x10f72bd4f in WebCore::CSSPrimitiveValue::computeLengthDouble(WebCore::CSSToLengthConversionData const&) const (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0xdb7d4f)
    #6 0x10f72be6c in float WebCore::CSSPrimitiveValue::computeLength<float>(WebCore::CSSToLengthConversionData const&) const (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0xdb7e6c)
    #7 0x10f40d3b9 in WebCore::CSSCalcPrimitiveValue::createCalcExpression(WebCore::CSSToLengthConversionData const&) const (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0xa993b9)
    #8 0x10f4111db in WebCore::CSSCalcBinaryOperation::createCalcExpression(WebCore::CSSToLengthConversionData const&) const (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0xa9d1db)
    #9 0x10ee90ade in WebCore::CSSCalcValue::createCalculationValue(WebCore::CSSToLengthConversionData const&) const (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x51cade)
    #10 0x11488b242 in WebCore::StyleBuilderCustom::applyValueFontSize(WebCore::StyleResolver&, WebCore::CSSValue&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5f17242)
    #11 0x11488093b in WebCore::StyleBuilder::applyProperty(WebCore::CSSPropertyID, WebCore::StyleResolver&, WebCore::CSSValue&, bool, bool) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5f0c93b)
    #12 0x1149c18f1 in WebCore::StyleResolver::applyProperty(WebCore::CSSPropertyID, WebCore::CSSValue*, WebCore::SelectorChecker::LinkMatchMask, WebCore::StyleResolver::MatchResult const*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x604d8f1)
    #13 0x1149c799e in WebCore::StyleResolver::CascadedProperties::Property::apply(WebCore::StyleResolver&, WebCore::StyleResolver::MatchResult const*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x605399e)
    #14 0x1149b6e96 in WebCore::StyleResolver::applyCascadedProperties(WebCore::StyleResolver::CascadedProperties&, int, int, WebCore::StyleResolver::MatchResult const*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x6042e96)
    #15 0x1149b42b8 in WebCore::StyleResolver::applyMatchedProperties(WebCore::StyleResolver::MatchResult const&, WebCore::Element const&, WebCore::StyleResolver::ShouldUseMatchedPropertiesCache) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x60402b8)
    #16 0x1149b0a79 in WebCore::StyleResolver::styleForElement(WebCore::Element const&, WebCore::RenderStyle const*, WebCore::RuleMatchingBehavior, WebCore::RenderRegion const*, WebCore::SelectorFilter const*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x603ca79)
    #17 0x114a3c1c1 in WebCore::Style::TreeResolver::styleForElement(WebCore::Element&, WebCore::RenderStyle const&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x60c81c1)
    #18 0x114a3cdfe in WebCore::Style::TreeResolver::resolveElement(WebCore::Element&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x60c8dfe)
    #19 0x114a40725 in WebCore::Style::TreeResolver::resolveComposedTree() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x60cc725)
    #20 0x114a42259 in WebCore::Style::TreeResolver::resolve(WebCore::Style::Change) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x60ce259)
    #21 0x10faff482 in WebCore::Document::recalcStyle(WebCore::Style::Change) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x118b482)
    #22 0x10faea00a in WebCore::Document::updateStyleIfNeeded() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x117600a)
    #23 0x10fb24a99 in WebCore::Document::finishedParsing() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x11b0a99)
    #24 0x1107ab555 in WebCore::HTMLConstructionSite::finishedParsing() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1e37555)
    #25 0x110aa35b7 in WebCore::HTMLTreeBuilder::finished() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x212f5b7)
    #26 0x11081ecfb in WebCore::HTMLDocumentParser::end() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1eaacfb)
    #27 0x11081a9e6 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1ea69e6)
    #28 0x11081a64d in WebCore::HTMLDocumentParser::prepareToStopParsing() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1ea664d)
    #29 0x11081ed9b in WebCore::HTMLDocumentParser::attemptToEnd() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1eaad9b)
    #30 0x11081edf3 in WebCore::HTMLDocumentParser::finish() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1eaadf3)
    #31 0x10fce997f in WebCore::DocumentWriter::end() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x137597f)
    #32 0x10fc43e56 in WebCore::DocumentLoader::finishedLoading(double) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x12cfe56)
    #33 0x10fc4398a in WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x12cf98a)
    #34 0x10ef85b23 in WebCore::CachedResource::checkNotify() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x611b23)
    #35 0x10ef85d13 in WebCore::CachedResource::finishLoading(WebCore::SharedBuffer*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x611d13)
    #36 0x10ef7ad54 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x606d54)
    #37 0x114a73e8e in WebCore::SubresourceLoader::didFinishLoading(double) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x60ffe8e)
    #38 0x1028d043e in WebKit::WebResourceLoader::didFinishResourceLoad(double) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1a9143e)
    #39 0x1028de6ce in void IPC::callMemberFunctionImpl<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>, 0ul>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>&&, std::__1::integer_sequence<unsigned long, 0ul>) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1a9f6ce)
    #40 0x1028de374 in void IPC::callMemberFunction<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>, std::__1::integer_sequence<unsigned long, 0ul> >(std::__1::tuple<double>&&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1a9f374)
    #41 0x1028db680 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1a9c680)
    #42 0x1028d9a10 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1a9aa10)
    #43 0x101602da9 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x7c3da9)
    #44 0x101016fba in IPC::Connection::dispatchMessage(IPC::Decoder&) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1d7fba)
    #45 0x100fff7c4 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1c07c4)
    #46 0x101017ca5 in IPC::Connection::dispatchOneMessage() (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1d8ca5)
    #47 0x10102825c in IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_14::operator()() (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1e925c)
    #48 0x101028188 in WTF::Function<void ()>::CallableWrapper<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_14>::call() (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1e9188)
    #49 0x10a760830 in WTF::Function<void ()>::operator()() const (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2d85830)
    #50 0x10a7aad50 in WTF::RunLoop::performWork() (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2dcfd50)
    #51 0x10a7abb11 in WTF::RunLoop::performWork(void*) (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2dd0b11)
    #52 0x7fff80d30880 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0xaa880)
    #53 0x7fff80d0ffbb in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x89fbb)
    #54 0x7fff80d0f4de in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x894de)
    #55 0x7fff80d0eed7 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x88ed7)
    #56 0x7fff820ef934 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30934)
    #57 0x7fff820ef76e in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x3076e)
    #58 0x7fff820ef5ae in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x305ae)
    #59 0x7fff8d754df5 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x48df5)
    #60 0x7fff8d754225 in -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x48225)
    #61 0x7fff8d748d7f in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x3cd7f)
    #62 0x7fff8d712367 in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x6367)
    #63 0x7fff9201a193 in _xpc_objc_main (/usr/lib/system/libxpc.dylib+0x11193)
    #64 0x7fff92018bbd in xpc_main (/usr/lib/system/libxpc.dylib+0xfbbd)
    #65 0x100e21f73 in main (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development+0x100001f73)
    #66 0x7fff89c9e5ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
    #67 0x0  (<unknown module>)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2d01528) in WTFCrash
==8135==ABORTING
#CRASHED - com.apple.WebKit.WebContent.Development (pid 8135)
Comment 1 Myles C. Maxfield 2016-10-21 19:39:18 PDT
StyleBuilderCustom::applyValueFontSize()

This is because <math> elements get their own font-family.

We apply font properties in-order, so font-family comes first, then font-size.

When we apply font-family, if the element's font family matches the parent's font family, we don't create a new StyleInheritedData (because both elements can share). However, because <math> gets its own font family, the families don't match, so a new inherited data is created. This new inherited data's font descriptor hasn't been update()d. Then, we try to apply font-size, which erroneously tries to read from the current element's un-update()d font.

Font-dependent units are supposed to be resolved relative to the parent font size. We do this correctly with simple things like font-size: 2ch. However, once we start using calc(), StyleBuilderCustom::applyValueFontSize() takes a different code path.
Comment 2 Myles C. Maxfield 2016-10-21 19:39:45 PDT
Because of this, another reduction is

<style>div{font-size:calc(6% - 7ch</style><div style="font-family: 'Helvetica';">
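The mechanism described in Comments 1 and 2 (font-relative units inside calc() in font-size must resolve against the parent's font, even when the element's own font-family differs) can be checked with a layout-test-style page. This is an added regression check, not the test from the committed patch; it assumes a serif parent at 20px with a probe span, one child sharing the parent's font-family and one with its own, and derives the expected size at run time from a 1ch probe instead of hard-coding pixel values.

```html
<!DOCTYPE html>
<!-- Added regression check (not WebKit's own layout test): font-relative units inside
     calc() in font-size must use the PARENT's font, whether or not the element shares the
     parent's font-family. Expected values are computed at run time from a probe. -->
<style>
  #parent { font-family: serif; font-size: 20px; }
  /* The probe inherits the parent's font, so its width equals the parent's ch advance. */
  #probe { display: inline-block; width: 1ch; }
  /* Same font-family as the parent: StyleInheritedData is shared (already worked). */
  #shared { font-size: calc(6% + 7ch); }
  /* Own font-family: a fresh StyleInheritedData, the path that asserted before the fix. */
  #own { font-family: monospace; font-size: calc(6% + 7ch); }
  /* Non-calc control: Comment 1 says plain font-relative units were handled correctly. */
  #plain { font-family: monospace; font-size: 7ch; }
</style>
<div id="parent">
  <span id="probe"></span>
  <div id="shared">shared family</div>
  <div id="own">own family</div>
  <div id="plain">plain 7ch</div>
</div>
<pre id="log"></pre>
<script>
if (window.testRunner)
  testRunner.dumpAsText();

function fontSizePx(el) { return parseFloat(getComputedStyle(el).fontSize); }

const parentSize = fontSizePx(document.getElementById("parent"));          // 20
const parentCh = document.getElementById("probe").getBoundingClientRect().width;
// 6% of the parent's font-size plus seven of the parent's ch advances.
const expected = 0.06 * parentSize + 7 * parentCh;

const results = [];
for (const id of ["shared", "own"]) {
  const actual = fontSizePx(document.getElementById(id));
  const ok = Math.abs(actual - expected) < 0.5;   // allow sub-pixel rounding
  results.push(`${id}: ${ok ? "PASS" : "FAIL"} (got ${actual.toFixed(2)}px, expected ${expected.toFixed(2)}px)`);
}
// The plain control should match the calc() cases minus the 6% term.
const plain = fontSizePx(document.getElementById("plain"));
results.push(`plain: ${Math.abs(plain - 7 * parentCh) < 0.5 ? "PASS" : "FAIL"}`);
document.getElementById("log").textContent = results.join("\n");
</script>
```

Both calc() cases should report PASS with the fix applied; before it, a debug build stops at the same assertion as the report above when styling the element with its own font-family.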
Comment 3 Myles C. Maxfield 2016-10-21 20:04:30 PDT
Created attachment 292451 [details]
Patch
Comment 4 Darin Adler 2016-10-21 23:17:56 PDT
Comment on attachment 292451 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=292451&action=review

> Source/WebCore/css/StyleBuilderCustom.h:1591
> +            const CSSToLengthConversionData& conversionData = styleResolver.state().cssToLengthConversionData();

Can this use some form of auto instead of writing out the long type?

> Source/WebCore/css/StyleBuilderCustom.h:1592
> +            CSSToLengthConversionData parentConversionData(styleResolver.parentStyle(), conversionData.rootStyle(), styleResolver.document().renderView(), 1.0f, true);
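Review bot: `styleResolver.parentStyle()` is handed straight to the `CSSToLengthConversionData` constructor with no null check visible in this hunk; if this branch can run for an element that has no parent style, the length computation would dereference a null style, so either guard that case here or make it clear at the call site that it is unreachable. The trailing `1.0f, true` are bare literals whose meaning a reader cannot recover from the call; a short comment naming what each stands for would make the line readable without opening the constructor.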

I think this would read better with the modern { } style:

    CSSToLengthConversionData parentConversionData { styleResolver.parentStyle(), conversionData.rootStyle(), styleResolver.document().renderView(), 1.0f, true };

That way it’s more clear that it’s not a function call.
Comment 5 Myles C. Maxfield 2016-10-23 00:26:26 PDT
Committed r207726: <http://trac.webkit.org/changeset/207726>