Created attachment 236026 [details] Test case The failing test: <style> * { -webkit-transition:cubic-bezier(0,0,calc(0),calc(0)); } </style> Backtrace: ASSERTION FAILED: !m_parsedCalculation ../../Source/WebCore/css/CSSParser.cpp(9849) : bool WebCore::CSSParser::parseCalculation(WebCore::CSSParserValue*, WebCore::CalculationPermittedValueRange) Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0x7fff96cc6700 (LWP 7904)] 0x00007ffff30185e8 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:329 329 *(int *)(uintptr_t)0xbbadbeef = 0; (gdb) bt #0 0x00007ffff30185e8 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:329 #1 0x00007ffff33d2560 in WebCore::CSSParser::parseCalculation (this=0x7fffffffbf00, value=0x7f7cc0, range=WebCore::CalculationRangeAll) at ../../Source/WebCore/css/CSSParser.cpp:9849 #2 0x00007ffff33b1db0 in WebCore::CSSParser::validCalculationUnit (this=0x7fffffffbf00, value=0x7f7cc0, unitflags=WebCore::CSSParser::FNumber, releaseCalc=WebCore::CSSParser::DoNotReleaseParsedCalcValue) at ../../Source/WebCore/css/CSSParser.cpp:1571 #3 0x00007ffff33b1ffc in WebCore::CSSParser::validUnit (this=0x7fffffffbf00, value=0x7f7cc0, unitflags=WebCore::CSSParser::FNumber, cssParserMode=WebCore::CSSQuirksMode, releaseCalc=WebCore::CSSParser::DoNotReleaseParsedCalcValue) at ../../Source/WebCore/css/CSSParser.cpp:1623 #4 0x00007ffff33db328 in WebCore::CSSParser::validUnit (this=0x7fffffffbf00, value=0x7f7cc0, unitflags=WebCore::CSSParser::FNumber, releaseCalc=WebCore::CSSParser::DoNotReleaseParsedCalcValue) at ../../Source/WebCore/css/CSSParser.h:629 #5 0x00007ffff33be453 in WebCore::CSSParser::parseCubicBezierTimingFunctionValue (this=0x7fffffffbf00, args=@0x7fffffff9f18: 0x8ab970, result=@0x7fffffff9f38: 6.9533558066231601e-310) at ../../Source/WebCore/css/CSSParser.cpp:4546 #6 0x00007ffff33be905 in WebCore::CSSParser::parseAnimationTimingFunction (this=0x7fffffffbf00) at ../../Source/WebCore/css/CSSParser.cpp:4620 #7 0x00007ffff33bee9d in WebCore::CSSParser::parseAnimationProperty (this=0x7fffffffbf00, propId=WebCore::CSSPropertyWebkitTransitionTimingFunction, result=..., context=...) at ../../Source/WebCore/css/CSSParser.cpp:4698 #8 0x00007ffff33b8e12 in WebCore::CSSParser::parseTransitionShorthand (this=0x7fffffffbf00, propId=WebCore::CSSPropertyWebkitTransition, important=false) at ../../Source/WebCore/css/CSSParser.cpp:3414 #9 0x00007ffff33b65a7 in WebCore::CSSParser::parseValue (this=0x7fffffffbf00, propId=WebCore::CSSPropertyWebkitTransition, important=false) at ../../Source/WebCore/css/CSSParser.cpp:2859 #10 0x00007ffff42efc1d in cssyyparse (parser=0x7fffffffbf00) at /home/renifuzz/data/REPOS/webkit/WebKitBuild/Debug/DerivedSources/WebCore/CSSGrammar.y:1137 #11 0x00007ffff33ae8de in WebCore::CSSParser::parseSheet (this=0x7fffffffbf00, sheet=0x86cca0, string=..., startLineNumber=0, ruleSourceDataResult=0x0, logErrors=true) at ../../Source/WebCore/css/CSSParser.cpp:440 #12 0x00007ffff34d96a7 in WebCore::StyleSheetContents::parseStringAtLine (this=0x86cca0, sheetText=..., startLineNumber=0, createdByParser=true) at ../../Source/WebCore/css/StyleSheetContents.cpp:326 #13 0x00007ffff35bd77a in WebCore::InlineStyleSheetOwner::createSheet (this=0x86d0c8, element=..., text=...) at ../../Source/WebCore/dom/InlineStyleSheetOwner.cpp:147 #14 0x00007ffff35bd232 in WebCore::InlineStyleSheetOwner::createSheetFromTextContents (this=0x86d0c8, element=...) at ../../Source/WebCore/dom/InlineStyleSheetOwner.cpp:97 #15 0x00007ffff35bd1ef in WebCore::InlineStyleSheetOwner::finishParsingChildren (this=0x86d0c8, element=...) at ../../Source/WebCore/dom/InlineStyleSheetOwner.cpp:91 #16 0x00007ffff37ab07f in WebCore::HTMLStyleElement::finishParsingChildren (this=0x86d060) at ../../Source/WebCore/html/HTMLStyleElement.cpp:90 #17 0x00007ffff3848f3e in WebCore::HTMLElementStack::popCommon (this=0x872fc8) at ../../Source/WebCore/html/parser/HTMLElementStack.cpp:578 #18 0x00007ffff3847962 in WebCore::HTMLElementStack::pop (this=0x872fc8) at ../../Source/WebCore/html/parser/HTMLElementStack.cpp:214 #19 0x00007ffff3870feb in WebCore::HTMLTreeBuilder::processEndTag (this=0x872f90, token=0x7fffffffd350) at ../../Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2179 #20 0x00007ffff38677e2 in WebCore::HTMLTreeBuilder::processToken (this=0x872f90, token=0x7fffffffd350) at ../../Source/WebCore/html/parser/HTMLTreeBuilder.cpp:386 #21 0x00007ffff38675f4 in WebCore::HTMLTreeBuilder::constructTree (this=0x872f90, token=0x7fffffffd350) at ../../Source/WebCore/html/parser/HTMLTreeBuilder.cpp:354 #22 0x00007ffff384110c in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken (this=0x8ba8f0, rawToken=...) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:356 #23 0x00007ffff3840d4f in WebCore::HTMLDocumentParser::pumpTokenizer (this=0x8ba8f0, mode=WebCore::HTMLDocumentParser::AllowYield) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:309 #24 0x00007ffff3840545 in WebCore::HTMLDocumentParser::pumpTokenizerIfPossible (this=0x8ba8f0, mode=WebCore::HTMLDocumentParser::AllowYield) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:189 #25 0x00007ffff38416d7 in WebCore::HTMLDocumentParser::append (this=0x8ba8f0, inputSource=...) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:440 #26 0x00007ffff3533a4f in WebCore::DecodedDataDocumentParser::flush (this=0x8ba8f0, writer=...) at ../../Source/WebCore/dom/DecodedDataDocumentParser.cpp:60 #27 0x00007ffff399082b in WebCore::DocumentWriter::end (this=0xac5440) at ../../Source/WebCore/loader/DocumentWriter.cpp:247 #28 0x00007ffff397d8bb in WebCore::DocumentLoader::finishedLoading (this=0xac53a0, finishTime=0) at ../../Source/WebCore/loader/DocumentLoader.cpp:441 #29 0x00007ffff397d624 in WebCore::DocumentLoader::notifyFinished (this=0xac53a0, resource=0x8c4220) at ../../Source/WebCore/loader/DocumentLoader.cpp:375 #30 0x00007ffff3a23eb9 in WebCore::CachedResource::checkNotify (this=0x8c4220) at ../../Source/WebCore/loader/cache/CachedResource.cpp:334 #31 0x00007ffff3a23fa0 in WebCore::CachedResource::finishLoading (this=0x8c4220) at ../../Source/WebCore/loader/cache/CachedResource.cpp:350 #32 0x00007ffff3a20f5a in WebCore::CachedRawResource::finishLoading (this=0x8c4220, data=0x6f09a0) at ../../Source/WebCore/loader/cache/CachedRawResource.cpp:98 #33 0x00007ffff39d7bfa in WebCore::SubresourceLoader::didFinishLoading (this=0x7cfab0, finishTime=0) at ../../Source/WebCore/loader/SubresourceLoader.cpp:310 ---Type <return> to continue, or q <return> to quit--- #34 0x00007ffff39d40e7 in WebCore::ResourceLoader::didFinishLoading (this=0x7cfab0, finishTime=0) at ../../Source/WebCore/loader/ResourceLoader.cpp:517 #35 0x00007ffff42968cb in WebCore::readCallback (asyncResult=0x8b9a10, data=0x8b7fd0) at ../../Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp:1302 #36 0x00007fffec1d92aa in async_ready_callback_wrapper (source_object=0xa469b0, res=0x8b9a10, user_data=0x8b7fd0) at ginputstream.c:519 #37 0x00007fffec1f8cab in g_task_return_now (task=0x8b9a10) at gtask.c:1108 #38 0x00007fffec1f8cc9 in complete_in_idle_cb (task=0x8b9a10) at gtask.c:1117 #39 0x00007fffeb46a296 in g_main_dispatch (context=0x678310) at gmain.c:3065 #40 g_main_context_dispatch (context=context@entry=0x678310) at gmain.c:3641 #41 0x00007fffeb46a5e8 in g_main_context_iterate (context=0x678310, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3712 #42 0x00007fffeb46a9ea in g_main_loop_run (loop=0x70fb50) at gmain.c:3906 #43 0x00007ffff3069576 in WTF::RunLoop::run () at ../../Source/WTF/wtf/gtk/RunLoopGtk.cpp:59 #44 0x00007ffff2fa2a00 in WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain> (argc=2, argv=0x7fffffffdb98) at ../../Source/WebKit2/Shared/unix/ChildProcessMain.h:61 #45 0x00007ffff2fa2865 in WebKit::WebProcessMainUnix (argc=2, argv=0x7fffffffdb98) at ../../Source/WebKit2/WebProcess/gtk/WebProcessMainGtk.cpp:73 #46 0x000000000040085d in main (argc=2, argv=0x7fffffffdb98) at ../../Source/WebKit2/WebProcess/EntryPoint/unix/WebProcessMain.cpp:32