Bug 131480 - REGRESSION (r166860): ASSERTION FAILED: !isCalculated() on fast/css/image-set-value-not-removed-crash.html
Summary: REGRESSION (r166860): ASSERTION FAILED: !isCalculated() on fast/css/image-set...
Alias: None
Product: WebKit
Classification: Unclassified
Component: CSS (show other bugs)
Version: 528+ (Nightly build)
Hardware: All All
: P2 Normal
Assignee: Darin Adler
Depends on:
Reported: 2014-04-09 23:37 PDT by Alexey Proskuryakov
Modified: 2015-12-08 14:06 PST (History)
10 users (show)

See Also:

Patch (9.98 KB, patch)
2014-04-12 12:02 PDT, Darin Adler
kling: review+
kling: commit-queue-
Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Alexey Proskuryakov 2014-04-09 23:37:04 PDT
Starting with <http://trac.webkit.org/r166860>, debug WK1 bots are hitting an assertion almost every time:

ASSERTION FAILED: !isCalculated()
/Volumes/Data/slave/mountainlion-debug/build/Source/WebCore/platform/Length.h(246) : float WebCore::Length::value() const
1   0x10bccc0c0 WTFCrash
2   0x10d71b619 WebCore::Length::value() const
3   0x10d9cae02 WebCore::valueForNinePieceImageSlice(WebCore::NinePieceImage const&)
4   0x10d9c37d6 WebCore::ComputedStyleExtractor::propertyValue(WebCore::CSSPropertyID, WebCore::EUpdateLayout) const
5   0x10d9cd7fe WebCore::ComputedStyleExtractor::copyPropertiesInSet(WebCore::CSSPropertyID const*, unsigned int) const
6   0x10d9c6ef8 WebCore::ComputedStyleExtractor::copyProperties() const
7   0x10dd3da81 WebCore::copyPropertiesFromComputedStyle(WebCore::ComputedStyleExtractor&, WebCore::EditingStyle::PropertiesToInclude)
8   0x10dd3d345 WebCore::EditingStyle::init(WebCore::Node*, WebCore::EditingStyle::PropertiesToInclude)
9   0x10dd3d23b WebCore::EditingStyle::EditingStyle(WebCore::Node*, WebCore::EditingStyle::PropertiesToInclude)
10  0x10dd3d1d3 WebCore::EditingStyle::EditingStyle(WebCore::Node*, WebCore::EditingStyle::PropertiesToInclude)
11  0x10d7cc8ff WebCore::EditingStyle::create(WebCore::Node*, WebCore::EditingStyle::PropertiesToInclude)
12  0x10dd3f135 WebCore::EditingStyle::styleAtSelectionStart(WebCore::VisibleSelection const&, bool)
13  0x10dd500c8 WebCore::Editor::selectionStartHasStyle(WebCore::CSSPropertyID, WTF::String const&) const
14  0x10dd69d6d WebCore::executeToggleStyle(WebCore::Frame&, WebCore::EditorCommandSource, WebCore::EditAction, WebCore::CSSPropertyID, char const*, char const*)
Comment 1 Alexey Proskuryakov 2014-04-09 23:40:38 PDT
Skipped the test in debug builds in <http://trac.webkit.org/r167070>.
Comment 2 Darin Adler 2014-04-10 16:09:01 PDT
What’s new here is the assertion. The bug isn’t new. I’ll fix this.
Comment 3 Darin Adler 2014-04-11 10:41:47 PDT
I wonder why it’s *almost* every time instead of every time.
Comment 4 Darin Adler 2014-04-11 10:42:49 PDT
It’s bizarre; this test case does not involve calculated values. I wonder how a calculated value gets in there.
Comment 5 Alexey Proskuryakov 2014-04-11 10:49:20 PDT
FWIW, it's reproducible for me locally.
Comment 6 Alexey Proskuryakov 2014-04-11 10:50:56 PDT
Looking at the flakiness dashboard results more closely, I think that it's actually every time - some of the runs are shown as timeouts, but I'm pretty certain that it's a tools bug, and we just fail to detect a crash that happened.
Comment 7 Darin Adler 2014-04-12 10:07:37 PDT
The calculation here is created as part of animation. We are animating from the value 26829% to the value 2, so during the animation the current value of the property is a combination of both. The CSSComputedStyle code doesn’t know how to serialize something that is neither a percentage nor a number. I imagine there are a lot more cases like this in computed style.
Comment 8 Darin Adler 2014-04-12 10:08:04 PDT
Because the code depends on the timing of the animation, I imagine it won’t always crash the same way every time.
Comment 9 Darin Adler 2014-04-12 12:02:42 PDT
Created attachment 229209 [details]
Comment 10 Andreas Kling 2014-04-12 22:05:08 PDT
Comment on attachment 229209 [details]

r=me, but you should also unskip the test.
Comment 11 Darin Adler 2014-04-13 01:06:25 PDT
Committed r167192: <http://trac.webkit.org/changeset/167192>
Comment 12 Brent Fulgham 2015-12-08 13:57:36 PST
Part of the fix for CVE-2014-4410.