Bug 224376

Created attachment 425628 [details] Patch

Created attachment 425640 [details] Patch

Created attachment 425642 [details] Patch

Committed r275793 (236364@main): <https://commits.webkit.org/236364@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 425642 [details].

<rdar://problem/76486699>

Re-opened since this is blocked by bug 224466

Visiting Facebook.com (logged in) is enough to trigger an assertion in debug: (lldb) bt * thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xbbadbeef) * frame #0: 0x00000002c6fcd8de JavaScriptCore`::WTFCrash() at Assertions.cpp:305:35 frame #1: 0x00000002a92910fb WebCore`WTFCrashWithInfo((null)=1360, (null)="/Volumes/Data/Development/system/webkit/OpenSource/WebKitBuild/Debug/usr/local/include/wtf/Vector.h", (null)="void WTF::Vector<WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>>, 0, WTF::CrashOnOverflow, 16, WTF::FastMalloc>::uncheckedAppend(U &&) [T = WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>>, inlineCapacity = 0, OverflowHandler = WTF::CrashOnOverflow, minCapacity = 16, Malloc = WTF::FastMalloc, U = WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode>>]", (null)=144) at Assertions.h:671:5 frame #2: 0x00000002abfc0961 WebCore`void WTF::Vector<WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::uncheckedAppend<WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode> > >(this={ size = 2, capacity = 2 }, value=0x00007ffeee0eff60) at Vector.h:1360:5 frame #3: 0x00000002abf80680 WebCore`WTF::Vector<WTF::Ref<WebCore::CSSCalcExpressionNode, WTF::RawPtrTraits<WebCore::CSSCalcExpressionNode> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::uncheckedAppend(this={ size = 2, capacity = 2 }, value=0x00007ffeee0eff60) at Vector.h:781:47 frame #4: 0x00000002abf801f7 WebCore`WebCore::CSSCalcOperationNode::combineChildren(this=0x00000002d51611b8) at CSSCalculationValue.cpp:1145:37 frame #5: 0x00000002abf8163a WebCore`WebCore::CSSCalcOperationNode::simplifyNode(rootNode=0x00007ffeee0f0248, depth=3) at CSSCalculationValue.cpp:1248:31 frame #6: 0x00000002abf811cd WebCore`WebCore::CSSCalcOperationNode::simplifyRecursive(rootNode=0x00007ffeee0f0248, depth=3) at CSSCalculationValue.cpp:1215:12 frame #7: 0x00000002abf80fa2 WebCore`WebCore::CSSCalcOperationNode::simplifyRecursive(rootNode=0x00007ffeee0f0318, depth=2) at CSSCalculationValue.cpp:1197:28 frame #8: 0x00000002abf80fa2 WebCore`WebCore::CSSCalcOperationNode::simplifyRecursive(rootNode=0x00007ffeee0f03e8, depth=1) at CSSCalculationValue.cpp:1197:28 frame #9: 0x00000002abf80fa2 WebCore`WebCore::CSSCalcOperationNode::simplifyRecursive(rootNode=0x00007ffeee0f0508, depth=0) at CSSCalculationValue.cpp:1197:28 frame #10: 0x00000002abf80ec8 WebCore`WebCore::CSSCalcOperationNode::simplify(rootNode=0x00007ffeee0f0508) at CSSCalculationValue.cpp:1186:12 frame #11: 0x00000002abf83d3f WebCore`WebCore::CSSCalcExpressionNodeParser::parseCalc(this=0x00007ffeee0f0658, tokens=CSSParserTokenRange @ 0x00007ffeee0f0588, function=CSSValueMax) at CSSCalculationValue.cpp:1701:14 frame #12: 0x00000002abf8582d WebCore`WebCore::CSSCalcValue::create(function=CSSValueMax, tokens=0x00007ffeee0f06b0, destinationCategory=Length, range=ValueRangeNonNegative) at CSSCalculationValue.cpp:2130:30 frame #13: 0x00000002ac1c8f64 WebCore`WebCore::CSSPropertyParserHelpers::CalcParser::CalcParser(this=0x00007ffeee0f0788, range=0x00007ffeee0f0ef8, destinationCategory=Length, valueRange=ValueRangeNonNegative) at CSSPropertyParserHelpers.cpp:107:27 frame #14: 0x00000002ac1a523c WebCore`WebCore::CSSPropertyParserHelpers::CalcParser::CalcParser(this=0x00007ffeee0f0788, range=0x00007ffeee0f0ef8, destinationCategory=Length, valueRange=ValueRangeNonNegative) at CSSPropertyParserHelpers.cpp:103:5 frame #15: 0x00000002ac18fcfe WebCore`WebCore::CSSPropertyParserHelpers::consumeLengthOrPercent(range=0x00007ffeee0f0ef8, cssParserMode=HTMLStandardMode, valueRange=ValueRangeNonNegative, unitless=Forbid) at CSSPropertyParserHelpers.cpp:480:20 frame #16: 0x00000002ac1a4821 WebCore`WebCore::consumeRadii(horizontalRadii=0x00007ffeee0f0df0, verticalRadii=0x00007ffeee0f0dd0, range=0x00007ffeee0f0ef8, cssParserMode=HTMLStandardMode, useLegacyParsing=false) at CSSPropertyParser.cpp:2682:30 frame #17: 0x00000002ac18a860 WebCore`WebCore::CSSPropertyParser::parseShorthand(this=0x00007ffeee0f0ef8, property=CSSPropertyBorderRadius, important=false) at CSSPropertyParser.cpp:5991:14 frame #18: 0x00000002ac186643 WebCore`WebCore::CSSPropertyParser::parseValueStart(this=0x00007ffeee0f0ef8, propertyID=CSSPropertyBorderRadius, important=false) at CSSPropertyParser.cpp:311:13 frame #19: 0x00000002ac186055 WebCore`WebCore::CSSPropertyParser::parseValue(propertyID=CSSPropertyBorderRadius, important=false, range=0x00007ffeee0f0f70, context=0x00007ffeee0f21d8, parsedProperties={ size = 0, capacity = 256 }, ruleType=Style) at CSSPropertyParser.cpp:237:31 frame #20: 0x00000002ac16df4e WebCore`WebCore::CSSParserImpl::consumeDeclarationValue(this=0x00007ffeee0f1178, range=CSSParserTokenRange @ 0x00007ffeee0f0f70, propertyID=CSSPropertyBorderRadius, important=false, ruleType=Style) at CSSParserImpl.cpp:834:5 frame #21: 0x00000002ac171066 WebCore`WebCore::CSSParserImpl::consumeDeclaration(this=0x00007ffeee0f1178, range=CSSParserTokenRange @ 0x00007ffeee0f1070, ruleType=Style) at CSSParserImpl.cpp:817:9 frame #22: 0x00000002ac16e44d WebCore`WebCore::CSSParserImpl::consumeDeclarationList(this=0x00007ffeee0f1178, range=CSSParserTokenRange @ 0x00007ffeee0f1110, ruleType=Style) at CSSParserImpl.cpp:752:13 frame #23: 0x00000002ac167f95 WebCore`WebCore::CSSParserImpl::parseInlineStyleDeclaration(string={ length = 73, contents = 'border-radius:max(0px, min(8px, calc((100vw - 4px - 100%) * 9999))) / 8px' }, element=0x00000002d4b80900) at CSSParserImpl.cpp:170:12 frame #24: 0x00000002ac167e2b WebCore`WebCore::CSSParser::parseInlineStyleDeclaration(string={ length = 73, contents = 'border-radius:max(0px, min(8px, calc((100vw - 4px - 100%) * 9999))) / 8px' }, element=0x00000002d4b80900) at CSSParser.cpp:186:12 frame #25: 0x00000002ac53774e WebCore`WebCore::StyledElement::setInlineStyleFromString(this=0x00000002d4b80900, newStyleString={ length = 73, contents = 'border-radius:max(0px, min(8px, calc((100vw - 4px - 100%) * 9999))) / 8px' }) at StyledElement.cpp:185:23 frame #26: 0x00000002ac537603 WebCore`WebCore::StyledElement::styleAttributeChanged(this=0x00000002d4b80900, newStyleString={ length = 73, contents = 'border-radius:max(0px, min(8px, calc((100vw - 4px - 100%) * 9999))) / 8px' }, reason=ModifiedDirectly) at StyledElement.cpp:200:9 frame #27: 0x00000002ac53740b WebCore`WebCore::StyledElement::attributeChanged(this=0x00000002d4b80900, name=0x00000002d515db80, oldValue={ length = 0, contents = '' }, newValue={ length = 73, contents = 'border-radius:max(0px, min(8px, calc((100vw - 4px - 100%) * 9999))) / 8px' }, reason=ModifiedDirectly) at StyledElement.cpp:147:13 frame #28: 0x00000002ac3d1ccc WebCore`WebCore::Element::parserSetAttributes(this=0x00000002d4b80900, attributeVector={ size = 2, capacity = 2 }) at Element.cpp:2104:9 frame #29: 0x00000002aca48d3d WebCore`WebCore::setAttributes(element=0x00000002d4b80900, attributes={ size = 2, capacity = 2 }, parserContentPolicy=AllowScriptingContent) at HTMLConstructionSite.cpp:62:13 frame #30: 0x00000002aca45cf6 WebCore`WebCore::setAttributes(element=0x00000002d4b80900, token=0x00007ffeee0f3138, parserContentPolicy=AllowScriptingContent) at HTMLConstructionSite.cpp:67:5 frame #31: 0x00000002aca48aaa WebCore`WebCore::HTMLConstructionSite::createHTMLElementOrFindCustomElementInterface(this=0x00000002d0f3c270, token=0x00007ffeee0f3138, customElementInterface=0x0000000000000000) at HTMLConstructionSite.cpp:702:5 frame #32: 0x00000002aca47ad8 WebCore`WebCore::HTMLConstructionSite::createHTMLElement(this=0x00000002d0f3c270, token=0x00007ffeee0f3138) at HTMLConstructionSite.cpp:709:31 frame #33: 0x00000002aca48488 WebCore`WebCore::HTMLConstructionSite::insertHTMLElement(this=0x00000002d0f3c270, token=0x00007ffeee0f3138) at HTMLConstructionSite.cpp:496:20 frame #34: 0x00000002aca851fb WebCore`WebCore::HTMLTreeBuilder::processStartTagForInBody(this=0x00000002d0f3c250, token=0x00007ffeee0f3138) at HTMLTreeBuilder.cpp:632:16 frame #35: 0x00000002aca7f746 WebCore`WebCore::HTMLTreeBuilder::processStartTag(this=0x00000002d0f3c250, token=0x00007ffeee0f3138) at HTMLTreeBuilder.cpp:1096:9 frame #36: 0x00000002aca7eaa3 WebCore`WebCore::HTMLTreeBuilder::processToken(this=0x00000002d0f3c250, token=0x00007ffeee0f3138) at HTMLTreeBuilder.cpp:381:9 frame #37: 0x00000002aca7d8b8 WebCore`WebCore::HTMLTreeBuilder::constructTree(this=0x00000002d0f3c250, token=0x00007ffeee0f3138) at HTMLTreeBuilder.cpp:351:9 frame #38: 0x00000002aca4dcbb WebCore`WebCore::HTMLDocumentParser::constructTreeFromHTMLToken(this=0x00000002d12f4100, rawToken=0x00007ffeee0f3218) at HTMLDocumentParser.cpp:368:20 frame #39: 0x00000002aca4d933 WebCore`WebCore::HTMLDocumentParser::pumpTokenizerLoop(this=0x00000002d12f4100, mode=AllowYield, parsingFragment=false, session=0x00007ffeee0f32d8) at HTMLDocumentParser.cpp:295:9 frame #40: 0x00000002aca4c9ff WebCore`WebCore::HTMLDocumentParser::pumpTokenizer(this=0x00000002d12f4100, mode=AllowYield) at HTMLDocumentParser.cpp:322:25

Committed r275869 (236434@main): <https://commits.webkit.org/236434@main>

Reopening to attach new patch.

Created attachment 426115 [details] Patch

Comment on attachment 426115 [details] Patch Need a new test result.

Created attachment 426125 [details] Patch

(In reply to Simon Fraser (smfr) from comment #11) > Comment on attachment 426115 [details] > Patch > > Need a new test result. D'oh. Updated patch has it.

Committed r276071 (236588@main): <https://commits.webkit.org/236588@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 426125 [details].