Bug 163459

Summary: ASSERTION FAILED: m_fonts in &WebCore::FontCascade::primaryFont
Product: WebKit Reporter: Renata Hodovan <hodovan>
Component: CSSAssignee: Myles C. Maxfield <mmaxfield>
Status: RESOLVED FIXED    
Severity: Normal CC: dino, hodovan, jonlee, mmaxfield, simon.fraser, thorton, zalan
Priority: P2    
Version: WebKit Local Build   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 116980    
Attachments:
Description Flags
Patch darin: review+

Renata Hodovan
Reported 2016-10-14 14:37:41 PDT
Load the attached test with debug webkittestrunner. Checked version: 2c9fa6e OS: Darwin-15.6.0-x86_64-i386-64bit <style>*{font-size:calc(6% - 7ch</style><math> Backtrace: ASSERTION FAILED: m_fonts WebKit/Source/WebCore/platform/graphics/FontCascade.h(342) : const WebCore::Font &WebCore::FontCascade::primaryFont() const 1 0x10a6dc4f1 WTFCrash 2 0x10f030caa WebCore::FontCascade::primaryFont() const 3 0x10f030c35 WebCore::FontCascade::fontMetrics() const 4 0x113dd2585 WebCore::RenderStyle::fontMetrics() const 5 0x10f72c2b3 WebCore::CSSPrimitiveValue::computeNonCalcLengthDouble(WebCore::CSSToLengthConversionData const&, unsigned short, double) 6 0x10f72bd50 WebCore::CSSPrimitiveValue::computeLengthDouble(WebCore::CSSToLengthConversionData const&) const 7 0x10f72be6d float WebCore::CSSPrimitiveValue::computeLength<float>(WebCore::CSSToLengthConversionData const&) const 8 0x10f40d3ba WebCore::CSSCalcPrimitiveValue::createCalcExpression(WebCore::CSSToLengthConversionData const&) const 9 0x10f4111dc WebCore::CSSCalcBinaryOperation::createCalcExpression(WebCore::CSSToLengthConversionData const&) const 10 0x10ee90adf WebCore::CSSCalcValue::createCalculationValue(WebCore::CSSToLengthConversionData const&) const 11 0x11488b243 WebCore::StyleBuilderCustom::applyValueFontSize(WebCore::StyleResolver&, WebCore::CSSValue&) 12 0x11488093c WebCore::StyleBuilder::applyProperty(WebCore::CSSPropertyID, WebCore::StyleResolver&, WebCore::CSSValue&, bool, bool) 13 0x1149c18f2 WebCore::StyleResolver::applyProperty(WebCore::CSSPropertyID, WebCore::CSSValue*, WebCore::SelectorChecker::LinkMatchMask, WebCore::StyleResolver::MatchResult const*) 14 0x1149c799f WebCore::StyleResolver::CascadedProperties::Property::apply(WebCore::StyleResolver&, WebCore::StyleResolver::MatchResult const*) 15 0x1149b6e97 WebCore::StyleResolver::applyCascadedProperties(WebCore::StyleResolver::CascadedProperties&, int, int, WebCore::StyleResolver::MatchResult const*) 16 0x1149b42b9 WebCore::StyleResolver::applyMatchedProperties(WebCore::StyleResolver::MatchResult const&, WebCore::Element const&, WebCore::StyleResolver::ShouldUseMatchedPropertiesCache) 17 0x1149b0a7a WebCore::StyleResolver::styleForElement(WebCore::Element const&, WebCore::RenderStyle const*, WebCore::RuleMatchingBehavior, WebCore::RenderRegion const*, WebCore::SelectorFilter const*) 18 0x114a3c1c2 WebCore::Style::TreeResolver::styleForElement(WebCore::Element&, WebCore::RenderStyle const&) 19 0x114a3cdff WebCore::Style::TreeResolver::resolveElement(WebCore::Element&) 20 0x114a40726 WebCore::Style::TreeResolver::resolveComposedTree() 21 0x114a4225a WebCore::Style::TreeResolver::resolve(WebCore::Style::Change) 22 0x10faff483 WebCore::Document::recalcStyle(WebCore::Style::Change) 23 0x10faea00b WebCore::Document::updateStyleIfNeeded() 24 0x10fb24a9a WebCore::Document::finishedParsing() 25 0x1107ab556 WebCore::HTMLConstructionSite::finishedParsing() 26 0x110aa35b8 WebCore::HTMLTreeBuilder::finished() 27 0x11081ecfc WebCore::HTMLDocumentParser::end() 28 0x11081a9e7 WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() 29 0x11081a64e WebCore::HTMLDocumentParser::prepareToStopParsing() 30 0x11081ed9c WebCore::HTMLDocumentParser::attemptToEnd() 31 0x11081edf4 WebCore::HTMLDocumentParser::finish() ASAN:DEADLYSIGNAL ================================================================= ==8135==ERROR: AddressSanitizer: SEGV on unknown address 0x0000bbadbeef (pc 0x00010a6dc529 bp 0x7fff5edcaaf0 sp 0x7fff5edcaae0 T0) #0 0x10a6dc528 in WTFCrash (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2d01528) #1 0x10f030ca9 in WebCore::FontCascade::primaryFont() const (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x6bcca9) #2 0x10f030c34 in WebCore::FontCascade::fontMetrics() const (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x6bcc34) #3 0x113dd2584 in WebCore::RenderStyle::fontMetrics() const (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x545e584) #4 0x10f72c2b2 in WebCore::CSSPrimitiveValue::computeNonCalcLengthDouble(WebCore::CSSToLengthConversionData const&, unsigned short, double) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0xdb82b2) #5 0x10f72bd4f in WebCore::CSSPrimitiveValue::computeLengthDouble(WebCore::CSSToLengthConversionData const&) const (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0xdb7d4f) #6 0x10f72be6c in float WebCore::CSSPrimitiveValue::computeLength<float>(WebCore::CSSToLengthConversionData const&) const (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0xdb7e6c) #7 0x10f40d3b9 in WebCore::CSSCalcPrimitiveValue::createCalcExpression(WebCore::CSSToLengthConversionData const&) const (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0xa993b9) #8 0x10f4111db in WebCore::CSSCalcBinaryOperation::createCalcExpression(WebCore::CSSToLengthConversionData const&) const (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0xa9d1db) #9 0x10ee90ade in WebCore::CSSCalcValue::createCalculationValue(WebCore::CSSToLengthConversionData const&) const (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x51cade) #10 0x11488b242 in WebCore::StyleBuilderCustom::applyValueFontSize(WebCore::StyleResolver&, WebCore::CSSValue&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5f17242) #11 0x11488093b in WebCore::StyleBuilder::applyProperty(WebCore::CSSPropertyID, WebCore::StyleResolver&, WebCore::CSSValue&, bool, bool) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5f0c93b) #12 0x1149c18f1 in WebCore::StyleResolver::applyProperty(WebCore::CSSPropertyID, WebCore::CSSValue*, WebCore::SelectorChecker::LinkMatchMask, WebCore::StyleResolver::MatchResult const*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x604d8f1) #13 0x1149c799e in WebCore::StyleResolver::CascadedProperties::Property::apply(WebCore::StyleResolver&, WebCore::StyleResolver::MatchResult const*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x605399e) #14 0x1149b6e96 in WebCore::StyleResolver::applyCascadedProperties(WebCore::StyleResolver::CascadedProperties&, int, int, WebCore::StyleResolver::MatchResult const*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x6042e96) #15 0x1149b42b8 in WebCore::StyleResolver::applyMatchedProperties(WebCore::StyleResolver::MatchResult const&, WebCore::Element const&, WebCore::StyleResolver::ShouldUseMatchedPropertiesCache) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x60402b8) #16 0x1149b0a79 in WebCore::StyleResolver::styleForElement(WebCore::Element const&, WebCore::RenderStyle const*, WebCore::RuleMatchingBehavior, WebCore::RenderRegion const*, WebCore::SelectorFilter const*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x603ca79) #17 0x114a3c1c1 in WebCore::Style::TreeResolver::styleForElement(WebCore::Element&, WebCore::RenderStyle const&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x60c81c1) #18 0x114a3cdfe in WebCore::Style::TreeResolver::resolveElement(WebCore::Element&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x60c8dfe) #19 0x114a40725 in WebCore::Style::TreeResolver::resolveComposedTree() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x60cc725) #20 0x114a42259 in WebCore::Style::TreeResolver::resolve(WebCore::Style::Change) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x60ce259) #21 0x10faff482 in WebCore::Document::recalcStyle(WebCore::Style::Change) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x118b482) #22 0x10faea00a in WebCore::Document::updateStyleIfNeeded() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x117600a) #23 0x10fb24a99 in WebCore::Document::finishedParsing() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x11b0a99) #24 0x1107ab555 in WebCore::HTMLConstructionSite::finishedParsing() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1e37555) #25 0x110aa35b7 in WebCore::HTMLTreeBuilder::finished() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x212f5b7) #26 0x11081ecfb in WebCore::HTMLDocumentParser::end() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1eaacfb) #27 0x11081a9e6 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1ea69e6) #28 0x11081a64d in WebCore::HTMLDocumentParser::prepareToStopParsing() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1ea664d) #29 0x11081ed9b in WebCore::HTMLDocumentParser::attemptToEnd() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1eaad9b) #30 0x11081edf3 in WebCore::HTMLDocumentParser::finish() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1eaadf3) #31 0x10fce997f in WebCore::DocumentWriter::end() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x137597f) #32 0x10fc43e56 in WebCore::DocumentLoader::finishedLoading(double) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x12cfe56) #33 0x10fc4398a in WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x12cf98a) #34 0x10ef85b23 in WebCore::CachedResource::checkNotify() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x611b23) #35 0x10ef85d13 in WebCore::CachedResource::finishLoading(WebCore::SharedBuffer*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x611d13) #36 0x10ef7ad54 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x606d54) #37 0x114a73e8e in WebCore::SubresourceLoader::didFinishLoading(double) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x60ffe8e) #38 0x1028d043e in WebKit::WebResourceLoader::didFinishResourceLoad(double) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1a9143e) #39 0x1028de6ce in void IPC::callMemberFunctionImpl<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>, 0ul>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>&&, std::__1::integer_sequence<unsigned long, 0ul>) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1a9f6ce) #40 0x1028de374 in void IPC::callMemberFunction<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>, std::__1::integer_sequence<unsigned long, 0ul> >(std::__1::tuple<double>&&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1a9f374) #41 0x1028db680 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1a9c680) #42 0x1028d9a10 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1a9aa10) #43 0x101602da9 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x7c3da9) #44 0x101016fba in IPC::Connection::dispatchMessage(IPC::Decoder&) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1d7fba) #45 0x100fff7c4 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1c07c4) #46 0x101017ca5 in IPC::Connection::dispatchOneMessage() (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1d8ca5) #47 0x10102825c in IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_14::operator()() (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1e925c) #48 0x101028188 in WTF::Function<void ()>::CallableWrapper<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_14>::call() (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1e9188) #49 0x10a760830 in WTF::Function<void ()>::operator()() const (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2d85830) #50 0x10a7aad50 in WTF::RunLoop::performWork() (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2dcfd50) #51 0x10a7abb11 in WTF::RunLoop::performWork(void*) (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2dd0b11) #52 0x7fff80d30880 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0xaa880) #53 0x7fff80d0ffbb in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x89fbb) #54 0x7fff80d0f4de in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x894de) #55 0x7fff80d0eed7 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x88ed7) #56 0x7fff820ef934 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30934) #57 0x7fff820ef76e in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x3076e) #58 0x7fff820ef5ae in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x305ae) #59 0x7fff8d754df5 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x48df5) #60 0x7fff8d754225 in -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x48225) #61 0x7fff8d748d7f in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x3cd7f) #62 0x7fff8d712367 in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x6367) #63 0x7fff9201a193 in _xpc_objc_main (/usr/lib/system/libxpc.dylib+0x11193) #64 0x7fff92018bbd in xpc_main (/usr/lib/system/libxpc.dylib+0xfbbd) #65 0x100e21f73 in main (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development+0x100001f73) #66 0x7fff89c9e5ac in start (/usr/lib/system/libdyld.dylib+0x35ac) #67 0x0 (<unknown module>) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2d01528) in WTFCrash ==8135==ABORTING #CRASHED - com.apple.WebKit.WebContent.Development (pid 8135)
Attachments
Patch (4.09 KB, patch)
2016-10-21 20:04 PDT, Myles C. Maxfield 		darin: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Myles C. Maxfield
Comment 1 2016-10-21 19:39:18 PDT
StyleBuilderCustom::applyValueFontSize() This is because <math> elements get their on font-family. We apply font properties in-order, so font-family comes first, then font-size. When we apply font-family, if the element's font family matches the parent's font family, we don't create a new StyleInheritedData (because both elements can share). However, because <math> gets its own font family, the families don't match, so a new inherited data is created. This new inherited data's font descriptor hasn't been update()d. Then, we try to apply font-size, which erroneously tries to read from the current element's un-update()d font. Font-dependent units are supposed to be resolved relative to the parent font size. We do this correctly with simple things like font-size: 2ch. However, once we start using calc(), StyleBuilderCustom::applyValueFontSize() takes a different code path.
Myles C. Maxfield
Comment 2 2016-10-21 19:39:45 PDT
Because of this, another reduction is <style>div{font-size:calc(6% - 7ch</style><div style="font-family: 'Helvetica';">
Myles C. Maxfield
Comment 3 2016-10-21 20:04:30 PDT
Created attachment 292451 [details] Patch
Darin Adler
Comment 4 2016-10-21 23:17:56 PDT
Comment on attachment 292451 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=292451&action=review > Source/WebCore/css/StyleBuilderCustom.h:1591 > + const CSSToLengthConversionData& conversionData = styleResolver.state().cssToLengthConversionData(); Can this use some form of auto instead of writing out the long type? > Source/WebCore/css/StyleBuilderCustom.h:1592 > + CSSToLengthConversionData parentConversionData(styleResolver.parentStyle(), conversionData.rootStyle(), styleResolver.document().renderView(), 1.0f, true); I think this would read better with the modern { } style: CSSToLengthConversionData parentConversionData { styleResolver.parentStyle(), conversionData.rootStyle(), styleResolver.document().renderView(), 1.0f, true }; That way it’s more clear that it’s not a function call.
Myles C. Maxfield
Comment 5 2016-10-23 00:26:26 PDT
Committed r207726: <http://trac.webkit.org/changeset/207726>
Note You need to log in before you can comment on or make changes to this bug.