Created attachment 229638
Test case

The failing test case:

<script src="http://www.fuzzer.ateam.sed.hu/"> </script>
<style>
* {
  -webkit-transition-delay:1s;
  max-height:1px;
}
</style>

The backtrace:

#0  0x00007ffff58d8bb5 in WTFCrash () at /home/martin/Data/WebKit/Source/WTF/wtf/Assertions.cpp:333
#1  0x00007ffff09b523e in WebCore::Length::isZero (this=0x79e4e0) at /home/martin/Data/WebKit/Source/WebCore/platform/Length.h:372
#2  0x00007ffff10ceb62 in WebCore::Length::blend (this=0x826a00, from=..., progress=0) at /home/martin/Data/WebKit/Source/WebCore/platform/Length.h:419
#3  0x00007ffff10c991c in WebCore::blendFunc (from=..., to=..., progress=0) at /home/martin/Data/WebKit/Source/WebCore/page/animation/CSSPropertyAnimation.cpp:82
#4  0x00007ffff10d86b0 in WebCore::LengthPropertyWrapper<WebCore::Length>::blend (this=0x7bcbb0, anim=0x7bd450, dst=0x7c9600, a=0x79e1c0, b=0x7d6a80, progress=0) at /home/martin/Data/WebKit/Source/WebCore/page/animation/CSSPropertyAnimation.cpp:461
#5  0x00007ffff10ce6c5 in WebCore::CSSPropertyAnimation::blendProperties (anim=0x7bd450, prop=WebCore::CSSPropertyMaxHeight, dst=0x7c9600, a=0x79e1c0, b=0x7d6a80, progress=0) at /home/martin/Data/WebKit/Source/WebCore/page/animation/CSSPropertyAnimation.cpp:1370
#6  0x00007ffff10e360d in WebCore::ImplicitAnimation::animate (this=0x7bd450, targetStyle=0x7d6a80, animatedStyle=...) at /home/martin/Data/WebKit/Source/WebCore/page/animation/ImplicitAnimation.cpp:80
#7  0x00007ffff10db5dd in WebCore::CompositeAnimation::animate (this=0x7bd800, renderer=..., currentStyle=0x79e1c0, targetStyle=...) at /home/martin/Data/WebKit/Source/WebCore/page/animation/CompositeAnimation.cpp:312
#8  0x00007ffff10c2680 in WebCore::AnimationController::updateAnimations (this=0x6c0c10, renderer=..., newStyle=...) at /home/martin/Data/WebKit/Source/WebCore/page/animation/AnimationController.cpp:514
#9  0x00007ffff13a87df in WebCore::RenderElement::setAnimatableStyle (this=0x79e390, style=...) at /home/martin/Data/WebKit/Source/WebCore/rendering/RenderElement.cpp:467
#10 0x00007ffff15c371a in WebCore::Style::resolveLocal (current=..., renderingParentNode=..., renderTreePosition=..., inheritedChange=WebCore::Style::NoChange) at /home/martin/Data/WebKit/Source/WebCore/style/StyleResolveTree.cpp:736
#11 0x00007ffff15c3c93 in WebCore::Style::resolveTree (current=..., renderingParentNode=..., renderTreePosition=..., change=WebCore::Style::NoChange) at /home/martin/Data/WebKit/Source/WebCore/style/StyleResolveTree.cpp:886
#12 0x00007ffff15c418f in WebCore::Style::resolveTree (document=..., change=WebCore::Style::NoChange) at /home/martin/Data/WebKit/Source/WebCore/style/StyleResolveTree.cpp:963
#13 0x00007ffff0ac6afc in WebCore::Document::recalcStyle (this=0x6f5510, change=WebCore::Style::NoChange) at /home/martin/Data/WebKit/Source/WebCore/dom/Document.cpp:1769
#14 0x00007ffff0ac6db1 in WebCore::Document::updateStyleIfNeeded (this=0x6f5510) at /home/martin/Data/WebKit/Source/WebCore/dom/Document.cpp:1817
#15 0x00007ffff0ad06d7 in WebCore::Document::finishedParsing (this=0x6f5510) at /home/martin/Data/WebKit/Source/WebCore/dom/Document.cpp:4493
#16 0x00007ffff0dcd7d1 in WebCore::HTMLConstructionSite::finishedParsing (this=0x6d1d58) at /home/martin/Data/WebKit/Source/WebCore/html/parser/HTMLConstructionSite.cpp:395
#17 0x00007ffff0e0646d in WebCore::HTMLTreeBuilder::finished (this=0x6d1d40) at /home/martin/Data/WebKit/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2997
#18 0x00007ffff0dd5270 in WebCore::HTMLDocumentParser::end (this=0x6e32f0) at /home/martin/Data/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:439
#19 0x00007ffff0dd535b in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd (this=0x6e32f0) at /home/martin/Data/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:450
#20 0x00007ffff0dd3fa5 in WebCore::HTMLDocumentParser::prepareToStopParsing (this=0x6e32f0) at /home/martin/Data/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:165
#21 0x00007ffff0dd5414 in WebCore::HTMLDocumentParser::endIfDelayed (this=0x6e32f0) at /home/martin/Data/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:475
#22 0x00007ffff0dd5670 in WebCore::HTMLDocumentParser::resumeParsingAfterScriptExecution (this=0x6e32f0) at /home/martin/Data/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:532
#23 0x00007ffff0dd58f2 in WebCore::HTMLDocumentParser::notifyFinished (this=0x6e32f0, cachedResource=0x6dd170) at /home/martin/Data/WebKit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:571
#24 0x00007ffff0fc1450 in WebCore::CachedResource::checkNotify (this=0x6dd170) at /home/martin/Data/WebKit/Source/WebCore/loader/cache/CachedResource.cpp:332
#25 0x00007ffff0fc15c3 in WebCore::CachedResource::error (this=0x6dd170, status=WebCore::CachedResource::LoadError) at /home/martin/Data/WebKit/Source/WebCore/loader/cache/CachedResource.cpp:358
#26 0x00007ffff0f796e2 in WebCore::SubresourceLoader::didFail (this=0x6dd7f0, error=...) at /home/martin/Data/WebKit/Source/WebCore/loader/SubresourceLoader.cpp:338
#27 0x00007ffff0f7576d in WebCore::ResourceLoader::didFail (this=0x6dd7f0, error=...) at /home/martin/Data/WebKit/Source/WebCore/loader/ResourceLoader.cpp:515
#28 0x00007ffff1858e1c in WebCore::sendRequestCallback (result=0x7852b0, data=0x6ddc00) at /home/martin/Data/WebKit/Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp:678
#29 0x00007fffebe2b47b in g_task_return_now (task=0x7852b0) at gtask.c:1108
#30 0x00007fffebe2b499 in complete_in_idle_cb (task=0x7852b0) at gtask.c:1117
#31 0x00007fffeb87b536 in g_main_dispatch (context=0x669000) at gmain.c:3065
#32 g_main_context_dispatch (context=context@entry=0x669000) at gmain.c:3641
#33 0x00007fffecb5c708 in _ecore_glib_select__locked (ecore_timeout=<optimized out>, efds=<optimized out>, wfds=0x7fffffffda20, rfds=0x7fffffffd9a0, ecore_fds=8, ctx=<optimized out>) at ecore_glib.c:171
#34 _ecore_glib_select (ecore_fds=8, rfds=0x7fffffffd9a0, wfds=0x7fffffffda20, efds=<optimized out>, ecore_timeout=<optimized out>) at ecore_glib.c:205
#35 0x00007fffecb56b37 in _ecore_main_select (timeout=<optimized out>) at ecore_main.c:1466
#36 0x00007fffecb576c5 in _ecore_main_loop_iterate_internal (once_only=once_only@entry=0) at ecore_main.c:1894
#37 0x00007fffecb579c7 in ecore_main_loop_begin () at ecore_main.c:956
#38 0x00007ffff766ae5f in WTF::RunLoop::run () at /home/martin/Data/WebKit/Source/WTF/wtf/efl/RunLoopEfl.cpp:51
#39 0x00007ffff75f4789 in WebKit::WebProcessMainEfl (argc=2, argv=0x7fffffffdea8) at /home/martin/Data/WebKit/Source/WebKit2/WebProcess/efl/WebProcessMainEfl.cpp:126
#40 0x0000000000400840 in main (argc=2, argv=0x7fffffffdea8) at /home/martin/Data/WebKit/Source/WebKit2/efl/MainEfl.cpp:30
Created attachment 229639
Proposed patch

The problem: In case the initial style of a -webkit-transition is not defined, a default RenderStyle object is used instead. This object has a StyleBoxData member called m_box, and its maxHeight attribute is needed while calculating the frames of the animation, namely blending the properties of the initial and final styles. But since the default StyleBoxData has an 'Undefined' maximum height, the blending is not possible. (Blending calculates percentage values, and maxHeight is supposed to define 100% of the vertical length.)

My recommendation is an early return before RenderElement::setAnimatableStyle, so we could ignore the transition in similar malformed cases (which would provide no sensible output anyway).

Another solution could be setting the maxHeight of the default RenderStyle to a 'Fixed' value, which normally gets updated later. This could be done by RenderStyle::initialMaxSize() if it returned Length(Fixed), as its sibling function RenderStyle::initialMinSize() and every similar neighbouring function do.

Alternatively, we could set the maxHeight member of the initial style to the maxHeight value of the final style in similar cases. It might seem like a workaround, though.
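The failure mode described above (a Length whose type is still 'Undefined' reaching the blend step, where isZero() asserts) is easy to model outside WebKit. The following is an added example, not WebKit code and not the attached patch: a minimal Length type with the same assertion precondition, plus a guarded blend that checks both sides are blendable before computing an intermediate value and otherwise returns the target, which has the same visible effect as the early return the reporter proposes (ignoring the transition). The enum names, struct layout and helper functions are assumptions made for the illustration.

```cpp
// Added illustration (not WebKit code): guarding a length blend against an
// 'Undefined' side instead of letting an assertion fire inside isZero().
#include <cassert>
#include <cmath>

enum class LengthType { Undefined, Auto, Fixed, Percent };  // assumed subset of WebKit's types

struct Length {
    LengthType type = LengthType::Undefined;  // default, as in the default RenderStyle's max-height
    float value = 0.0f;

    Length() = default;
    Length(float v, LengthType t) : type(t), value(v) {}

    bool isUndefined() const { return type == LengthType::Undefined; }
    bool isAuto() const { return type == LengthType::Auto; }

    // Same precondition as the frame #1 in the report: asking an undefined
    // length whether it is zero is a programming error, so it asserts.
    bool isZero() const {
        assert(!isUndefined());
        return value == 0.0f;
    }
};

// True only when an intermediate value between `from` and `to` is meaningful.
// The Undefined/Auto checks run before isZero(), so the assertion is never reached.
bool canBlend(const Length& from, const Length& to) {
    if (from.isUndefined() || to.isUndefined()) return false;
    if (from.isAuto() || to.isAuto()) return false;
    // Mixed fixed/percent with both sides non-zero has no simple intermediate.
    if (from.type != to.type && !from.isZero() && !to.isZero()) return false;
    return true;
}

// Guarded blend: when no sensible intermediate exists, return the target
// value, i.e. the transition is skipped rather than crashing the process.
Length blendLength(const Length& from, const Length& to, double progress) {
    if (!canBlend(from, to)) return to;
    // A zero side adopts the other side's unit (0px and 50% blend as percent).
    LengthType resultType = to.isZero() ? from.type : to.type;
    double result = from.value + (to.value - from.value) * progress;
    return Length(static_cast<float>(result), resultType);
}

// The scenario from the test case: no initial style, so the "from" max-height
// is the default (Undefined) and the target is max-height:1px.
Length transitionFrame(double progress) {
    Length defaultMaxHeight;                    // Undefined
    Length target(1.0f, LengthType::Fixed);     // max-height: 1px
    return blendLength(defaultMaxHeight, target, progress);
}

// Small helper so results can be checked without touching float equality directly.
bool lengthEquals(const Length& l, LengthType t, float v) {
    return l.type == t && std::fabs(l.value - v) < 1e-6f;
}

int main() {
    // Undefined "from": the frame is the target itself, no assertion.
    assert(lengthEquals(transitionFrame(0.0), LengthType::Fixed, 1.0f));
    // Ordinary case still interpolates.
    assert(lengthEquals(blendLength(Length(0.0f, LengthType::Fixed),
                                    Length(10.0f, LengthType::Fixed), 0.5),
                        LengthType::Fixed, 5.0f));
    return 0;
}
```

The point of the guard is ordering: every predicate that could assert on an undefined length runs only after the type checks have ruled that case out, so the malformed input degrades to "no animation" rather than to a crash in the web process.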
Comment on attachment 229639
Proposed patch

Attachment 229639 did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.appspot.com/results/5419634564005888

New failing tests:
compositing/geometry/layer-due-to-layer-children-switch.html
accessibility/radio-button-group-members.html
compositing/framesets/composited-frame-alignment.html
compositing/iframes/connect-compositing-iframe-delayed.html
animations/added-while-suspended.html
accessibility/text-role-with-aria-hidden-inside.html
accessibility/visible-elements.html
compositing/geometry/fixed-position-composited-switch.html
compositing/iframes/become-overlapped-iframe.html
accessibility/link-inside-button-accessible-text.html
accessibility/meter-element.html
accessibility/poorly-formed-aria-table.html
compositing/animation/animation-compositing.html
compositing/geometry/bounds-ignores-hidden-dynamic.html
compositing/animation/computed-style-during-delay.html
compositing/iframes/connect-compositing-iframe3.html
compositing/geometry/layer-due-to-layer-children-deep-switch.html
compositing/contents-scale/animating.html
compositing/geometry/ancestor-overflow-change.html
http/tests/css/shared-stylesheet-mutation-preconstruct.html
compositing/animation/animated-composited-inside-hidden.html
compositing/geometry/bounds-ignores-hidden-dynamic-negzindex.html
compositing/iframes/become-composited-nested-iframes.html
accessibility/aria-setsize-posinset.html
compositing/contents-opaque/hidden-with-visible-text.html
animations/3d/change-transform-in-end-event.html
compositing/contents-scale/incremental-change.html
compositing/background-color/background-color-padding-change.html
accessibility/list-detection.html
compositing/contents-opaque/visibility-hidden.html
Created attachment 229642
Archive of layout-test-results from webkit-ews-14 for mac-mountainlion-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: webkit-ews-14
Port: mac-mountainlion-wk2
Platform: Mac OS X 10.8.5
Comment on attachment 229639
Proposed patch

Attachment 229639 did not pass mac-ews (mac):
Output: http://webkit-queues.appspot.com/results/6554479813984256

New failing tests:
compositing/iframes/iframe-resize.html
accessibility/radio-button-group-members.html
compositing/framesets/composited-frame-alignment.html
compositing/iframes/invisible-nested-iframe-show.html
compositing/iframes/connect-compositing-iframe-delayed.html
compositing/columns/composited-lr-paginated-repaint.html
accessibility/text-role-with-aria-hidden-inside.html
accessibility/visible-elements.html
compositing/geometry/fixed-position-composited-switch.html
compositing/iframes/iframe-content-flipping.html
compositing/iframes/become-overlapped-iframe.html
accessibility/link-inside-button-accessible-text.html
accessibility/meter-element.html
accessibility/poorly-formed-aria-table.html
compositing/iframes/iframe-src-change.html
compositing/geometry/bounds-ignores-hidden-dynamic.html
compositing/iframes/connect-compositing-iframe3.html
compositing/iframes/enter-compositing-iframe.html
compositing/geometry/layer-due-to-layer-children-deep-switch.html
compositing/geometry/ancestor-overflow-change.html
compositing/animation/animated-composited-inside-hidden.html
compositing/iframes/iframe-size-to-zero.html
compositing/geometry/bounds-ignores-hidden-dynamic-negzindex.html
compositing/iframes/connect-compositing-iframe.html
compositing/iframes/become-composited-nested-iframes.html
accessibility/aria-setsize-posinset.html
compositing/contents-opaque/hidden-with-visible-text.html
compositing/background-color/background-color-padding-change.html
accessibility/list-detection.html
compositing/contents-opaque/visibility-hidden.html
Created attachment 229643
Archive of layout-test-results from webkit-ews-01 for mac-mountainlion

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: webkit-ews-01
Port: mac-mountainlion
Platform: Mac OS X 10.8.5
Comment on attachment 229639
Proposed patch

Attachment 229639 did not pass mac-ews (mac):
Output: http://webkit-queues.appspot.com/results/6270908893233152

New failing tests:
compositing/iframes/iframe-resize.html
accessibility/radio-button-group-members.html
compositing/framesets/composited-frame-alignment.html
compositing/iframes/invisible-nested-iframe-show.html
compositing/iframes/connect-compositing-iframe-delayed.html
compositing/columns/composited-lr-paginated-repaint.html
accessibility/text-role-with-aria-hidden-inside.html
accessibility/visible-elements.html
compositing/geometry/fixed-position-composited-switch.html
compositing/iframes/iframe-content-flipping.html
compositing/iframes/become-overlapped-iframe.html
accessibility/link-inside-button-accessible-text.html
accessibility/meter-element.html
accessibility/poorly-formed-aria-table.html
compositing/iframes/iframe-src-change.html
compositing/geometry/bounds-ignores-hidden-dynamic.html
compositing/iframes/connect-compositing-iframe3.html
compositing/iframes/enter-compositing-iframe.html
compositing/geometry/layer-due-to-layer-children-deep-switch.html
compositing/geometry/ancestor-overflow-change.html
compositing/animation/animated-composited-inside-hidden.html
compositing/iframes/iframe-size-to-zero.html
compositing/geometry/bounds-ignores-hidden-dynamic-negzindex.html
compositing/iframes/connect-compositing-iframe.html
compositing/iframes/become-composited-nested-iframes.html
accessibility/aria-setsize-posinset.html
compositing/contents-opaque/hidden-with-visible-text.html
compositing/background-color/background-color-padding-change.html
accessibility/list-detection.html
compositing/contents-opaque/visibility-hidden.html
Created attachment 229644
Archive of layout-test-results from webkit-ews-05 for mac-mountainlion

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: webkit-ews-05
Port: mac-mountainlion
Platform: Mac OS X 10.8.5
Comment on attachment 229639
Proposed patch

This patch seems fine, but breaks a number of tests. You need to assess whether the tests are invalid (and codify some kind of broken behavior). I suspect that there may be valid cases where maxHeight is not defined, and the tests are showing us that this change is not right.
Same as https://bugs.webkit.org/show_bug.cgi?id=114878
*** Bug 114878 has been marked as a duplicate of this bug. ***
I hit this assert in a debug WebKit build (r199827) after signing into blogger.com.
This reproduces in r204037.
<rdar://problem/27685754>
I can't reproduce this with 209438.