Bug 187421

Summary: ASSERTION FAILED: length.isCalculated() under WebCore::valueForImageSliceSide
Product: WebKit
Reporter: Ryan Haddad <ryanhaddad>
Component: CSS
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE
Severity: Normal
CC: koivisto, realdawei, tsavell
Priority: P2    
Version: Other   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=187095
Attachments:
Description Flags
Crash log none

Ryan Haddad
Reported 2018-07-06 16:06:17 PDT
Created attachment 344476
Crash log

The following was seen in the "Other Crashes" section of https://build.webkit.org/results/Apple%20High%20Sierra%20Debug%20WK2%20(Tests)/r233586%20(4002)/results.html

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.JavaScriptCore 0x000000019779d150 WTFCrash + 16 (Assertions.cpp:267)
1 com.apple.WebCore 0x0000000189b1d1da WebCore::valueForImageSliceSide(WebCore::Length const&) + 218 (CSSComputedStyleDeclaration.cpp:502)
2 com.apple.WebCore 0x0000000189b0baf2 WebCore::valueForNinePieceImageSlice(WebCore::NinePieceImage const&) + 66 (CSSComputedStyleDeclaration.cpp:510)
3 com.apple.WebCore 0x0000000189aff6a2 WebCore::ComputedStyleExtractor::valueForPropertyinStyle(WebCore::RenderStyle const&, WebCore::CSSPropertyID, WebCore::RenderElement*) + 33778 (CSSComputedStyleDeclaration.cpp:3662)
4 com.apple.WebCore 0x0000000189af5dd0 WebCore::ComputedStyleExtractor::propertyValue(WebCore::CSSPropertyID, WebCore::EUpdateLayout) + 992 (CSSComputedStyleDeclaration.cpp:2707)
5 com.apple.WebCore 0x0000000189af59d5 WebCore::CSSComputedStyleDeclaration::getPropertyCSSValue(WebCore::CSSPropertyID, WebCore::EUpdateLayout) const + 117 (CSSComputedStyleDeclaration.cpp:2415)
6 com.apple.WebCore 0x0000000189b0fe9a WebCore::CSSComputedStyleDeclaration::getPropertyCSSValueInternal(WebCore::CSSPropertyID) + 58 (CSSComputedStyleDeclaration.cpp:4295)
7 com.apple.WebCore 0x0000000189bb1c52 WebCore::CSSStyleDeclaration::namedItem(WTF::AtomicString const&) + 114 (CSSStyleDeclaration.cpp:264)
8 com.apple.WebCore 0x00000001883da508 std::optional<WTF::Variant<WTF::String, double> > WebCore::JSCSSStyleDeclaration::getOwnPropertySlot(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&)::$_0::operator()<WebCore::JSCSSStyleDeclaration, JSC::PropertyName>(WebCore::JSCSSStyleDeclaration&, JSC::PropertyName) const + 88 (JSCSSStyleDeclaration.cpp:196)
9 com.apple.WebCore 0x00000001883cd8c3 decltype(fp2(fp0fp1)) WebCore::accessVisibleNamedProperty<(WebCore::OverrideBuiltins)0, WebCore::JSCSSStyleDeclaration, WebCore::JSCSSStyleDeclaration::getOwnPropertySlot(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&)::$_0&>(JSC::ExecState&, WebCore::JSCSSStyleDeclaration&, JSC::PropertyName, WebCore::JSCSSStyleDeclaration::getOwnPropertySlot(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&)::$_0&&&) + 115 (JSDOMAbstractOperations.h:97)
10 com.apple.WebCore 0x00000001883cc8ee WebCore::JSCSSStyleDeclaration::getOwnPropertySlot(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) + 670 (JSCSSStyleDeclaration.cpp:201)
11 com.apple.JavaScriptCore 0x00000001978beea2 JSC::JSObject::getNonIndexPropertySlot(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) + 690 (JSObjectInlines.h:150)
12 com.apple.JavaScriptCore 0x00000001978be356 bool JSC::JSObject::getPropertySlot<false>(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) + 246 (JSObject.h:1422)
13 com.apple.JavaScriptCore 0x0000000198105032 JSC::JSValue::getPropertySlot(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) const + 594 (JSCJSValueInlines.h:866)
14 com.apple.JavaScriptCore 0x00000001980ecb42 JSC::JSValue::get(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) const + 162 (JSCJSValueInlines.h:820)
15 com.apple.JavaScriptCore 0x00000001980e414d JSC::JSValue::get(JSC::ExecState*, JSC::PropertyName) const + 93 (JSCJSValueInlines.h:814)
16 com.apple.JavaScriptCore 0x00000001987cb9f6 JSC::LLInt::getByVal(JSC::VM&, JSC::ExecState*, JSC::Instruction*, JSC::JSValue, JSC::JSValue) + 1430 (LLIntSlowPaths.cpp:942)
17 com.apple.JavaScriptCore 0x00000001987cb325 llint_slow_path_get_by_val + 325 (LLIntSlowPaths.cpp:948)
18 com.apple.JavaScriptCore 0x000000019788c772 llint_entry + 16529
Attachments
Crash log (102.88 KB, text/plain)
2018-07-06 16:06 PDT, Ryan Haddad
no flags
Ryan Haddad
Comment 1 2018-07-06 16:09:52 PDT
The attached crashlog blames imported/w3c/canvas/type.replace.html, but no test is mentioned in some of the other examples I see on the debug bots.
Ryan Haddad
Comment 3 2018-07-06 16:11:53 PDT
imported/w3c/web-platform-tests/infrastructure/assumptions/html-elements.html was added in https://trac.webkit.org/changeset/233463
Ryan Haddad
Comment 4 2018-07-06 16:12:50 PDT
Ah, the test is marked as [ Pass Crash ] https://bugs.webkit.org/show_bug.cgi?id=187093
Ryan Haddad
Comment 5 2018-07-06 16:13:34 PDT
*** This bug has been marked as a duplicate of bug 187093 ***