WebKit Bugzilla
RESOLVED FIXED
Bug 131480
REGRESSION (r166860): ASSERTION FAILED: !isCalculated() on fast/css/image-set-value-not-removed-crash.html
https://bugs.webkit.org/show_bug.cgi?id=131480
Alexey Proskuryakov
Reported
2014-04-09 23:37:04 PDT
Starting with <http://trac.webkit.org/r166860>, debug WK1 bots are hitting an assertion almost every time:

ASSERTION FAILED: !isCalculated()
/Volumes/Data/slave/mountainlion-debug/build/Source/WebCore/platform/Length.h(246) : float WebCore::Length::value() const
1   0x10bccc0c0 WTFCrash
2   0x10d71b619 WebCore::Length::value() const
3   0x10d9cae02 WebCore::valueForNinePieceImageSlice(WebCore::NinePieceImage const&)
4   0x10d9c37d6 WebCore::ComputedStyleExtractor::propertyValue(WebCore::CSSPropertyID, WebCore::EUpdateLayout) const
5   0x10d9cd7fe WebCore::ComputedStyleExtractor::copyPropertiesInSet(WebCore::CSSPropertyID const*, unsigned int) const
6   0x10d9c6ef8 WebCore::ComputedStyleExtractor::copyProperties() const
7   0x10dd3da81 WebCore::copyPropertiesFromComputedStyle(WebCore::ComputedStyleExtractor&, WebCore::EditingStyle::PropertiesToInclude)
8   0x10dd3d345 WebCore::EditingStyle::init(WebCore::Node*, WebCore::EditingStyle::PropertiesToInclude)
9   0x10dd3d23b WebCore::EditingStyle::EditingStyle(WebCore::Node*, WebCore::EditingStyle::PropertiesToInclude)
10  0x10dd3d1d3 WebCore::EditingStyle::EditingStyle(WebCore::Node*, WebCore::EditingStyle::PropertiesToInclude)
11  0x10d7cc8ff WebCore::EditingStyle::create(WebCore::Node*, WebCore::EditingStyle::PropertiesToInclude)
12  0x10dd3f135 WebCore::EditingStyle::styleAtSelectionStart(WebCore::VisibleSelection const&, bool)
13  0x10dd500c8 WebCore::Editor::selectionStartHasStyle(WebCore::CSSPropertyID, WTF::String const&) const
14  0x10dd69d6d WebCore::executeToggleStyle(WebCore::Frame&, WebCore::EditorCommandSource, WebCore::EditAction, WebCore::CSSPropertyID, char const*, char const*)
Attachments
Patch (9.98 KB, patch), 2014-04-12 12:02 PDT, Darin Adler (kling: review+, kling: commit-queue-)
Alexey Proskuryakov
Comment 1
2014-04-09 23:40:38 PDT
Skipped the test in debug builds in <http://trac.webkit.org/r167070>.
Darin Adler
Comment 2
2014-04-10 16:09:01 PDT
What’s new here is the assertion. The bug isn’t new. I’ll fix this.
Darin Adler
Comment 3
2014-04-11 10:41:47 PDT
I wonder why it’s *almost* every time instead of every time.
Darin Adler
Comment 4
2014-04-11 10:42:49 PDT
It’s bizarre; this test case does not involve calculated values. I wonder how a calculated value gets in there.
Alexey Proskuryakov
Comment 5
2014-04-11 10:49:20 PDT
FWIW, it's reproducible for me locally.
Alexey Proskuryakov
Comment 6
2014-04-11 10:50:56 PDT
Looking at the flakiness dashboard results more closely, I think that it's actually every time - some of the runs are shown as timeouts, but I'm pretty certain that it's a tools bug, and we just fail to detect a crash that happened.
Darin Adler
Comment 7
2014-04-12 10:07:37 PDT
The calculation here is created as part of animation. We are animating from the value 26829% to the value 2, so during the animation the current value of the property is a combination of both. The CSSComputedStyle code doesn’t know how to serialize something that is neither a percentage nor a number. I imagine there are a lot more cases like this in computed style.
Darin Adler
Comment 8
2014-04-12 10:08:04 PDT
Because the code depends on the timing of the animation, I imagine it won’t always crash the same way every time.
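The timing-dependent failure described in comments 7 and 8, as an added example that is not part of the bug thread or of the WebKit patch: a toy C++ model in which blending a percentage with a number yields a calculated length only mid-animation, and a serializer checks the type before reading a single value. The `Length` struct, `blend`, `accumulate` and `serializeSlice` are hypothetical names, and returning false for a calculated length is an illustrative choice, not a description of what the committed fix does.

```cpp
// Toy model (hypothetical names); not WebCore's Length class or the committed patch.
#include <cstdio>
#include <string>

enum class LengthType { Fixed, Percent, Calculated };

struct Length {
    LengthType type;
    float number;                  // value of a Fixed or Percent length
    float fixedPart, percentPart;  // the two terms of a Calculated length
    bool isCalculated() const { return type == LengthType::Calculated; }
};

// Add one endpoint's weighted contribution to the fixed and percent sums.
static void accumulate(const Length& l, float w, float& fixed, float& percent) {
    if (l.type == LengthType::Fixed) fixed += l.number * w;
    else if (l.type == LengthType::Percent) percent += l.number * w;
    else { fixed += l.fixedPart * w; percent += l.percentPart * w; }
}

// Value of an animated length at progress p in [0, 1].
Length blend(const Length& from, const Length& to, float p) {
    if (p <= 0) return from;
    if (p >= 1) return to;
    if (from.type == to.type && !from.isCalculated())
        return Length{from.type, from.number + (to.number - from.number) * p, 0, 0};
    // Mixed units have no single-unit result, so both terms are kept.
    float fixed = 0, percent = 0;
    accumulate(from, 1 - p, fixed, percent);
    accumulate(to, p, fixed, percent);
    return Length{LengthType::Calculated, 0, fixed, percent};
}

// Checks the type before reading `number`; false means "caller needs a fallback".
bool serializeSlice(const Length& l, std::string& out) {
    char buf[32];
    std::snprintf(buf, sizeof buf, "%g", l.number);
    switch (l.type) {
    case LengthType::Fixed:      out = buf; return true;
    case LengthType::Percent:    out = std::string(buf) + "%"; return true;
    case LengthType::Calculated: return false;
    }
    return false;
}

int main() {
    std::string s;  // constructed sample: the 26829% -> 2 animation from comment 7
    Length mid = blend({LengthType::Percent, 26829, 0, 0}, {LengthType::Fixed, 2, 0, 0}, 0.5f);
    std::printf("%s\n", serializeSlice(mid, s) ? s.c_str() : "calculated: needs fallback");
}
```

In this model the endpoints of the animation serialize normally and only a sample taken mid-animation reaches the calculated branch, which matches the observation that the outcome depends on when computed style is queried.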
Darin Adler
Comment 9
2014-04-12 12:02:42 PDT
Created attachment 229209: Patch
Andreas Kling
Comment 10
2014-04-12 22:05:08 PDT
Comment on attachment 229209: Patch
r=me, but you should also unskip the test.
Darin Adler
Comment 11
2014-04-13 01:06:25 PDT
Committed r167192: <http://trac.webkit.org/changeset/167192>
Brent Fulgham
Comment 12
2015-12-08 13:57:36 PST
Part of the fix for CVE-2014-4410.