Created attachment 238370 [details]
Test case

The test:

<style>
*  {
    tab-size:-webkit-calc(2);
}
</style>

The assertion failure is triggered only with a few CSS properties like tab-size, z-index, etc.

The backtrace:

SHOULD NEVER BE REACHED
../../Source/WebCore/css/CSSPrimitiveValueMappings.h(97) : WebCore::CSSPrimitiveValue::operator T() const [with T = int]

0x00007fffedbf3127 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:329
329	    *(int *)(uintptr_t)0xbbadbeef = 0;
#0  0x00007fffedbf3127 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:329
#1  0x00007ffff2f2b47f in WebCore::CSSPrimitiveValue::operator int<int>() const (this=0x7a5240) at ../../Source/WebCore/css/CSSPrimitiveValueMappings.h:97
#2  0x00007ffff2f649e1 in WebCore::ApplyPropertyAuto<int, &(WebCore::RenderStyle::zIndex() const), &WebCore::RenderStyle::setZIndex, &(WebCore::RenderStyle::hasAutoZIndex() const), &WebCore::RenderStyle::setHasAutoZIndex, (WebCore::AutoValueType)0, 268>::applyValue (styleResolver=0xa39620, value=0x7a5240) at ../../Source/WebCore/css/DeprecatedStyleBuilder.cpp:223
#3  0x00007ffff2fd31f1 in WebCore::PropertyHandler::applyValue (this=0x7ffff7dcbd98 <WebCore::DeprecatedStyleBuilder::sharedStyleBuilder()::styleBuilderInstance+4056>, propertyID=WebCore::CSSPropertyZIndex, styleResolver=0xa39620, value=0x7a5240) at ../../Source/WebCore/css/DeprecatedStyleBuilder.h:49
#4  0x00007ffff2fc6d9a in WebCore::StyleResolver::applyProperty (this=0xa39620, id=WebCore::CSSPropertyZIndex, value=0x7a5240) at ../../Source/WebCore/css/StyleResolver.cpp:2129
#5  0x00007ffff2fcf05f in WebCore::StyleResolver::CascadedProperties::Property::apply (this=0x7fffffffa540, resolver=...) at ../../Source/WebCore/css/StyleResolver.cpp:3951
#6  0x00007ffff2fcf1d4 in WebCore::StyleResolver::applyCascadedProperties (this=0xa39620, cascade=..., firstProperty=0x15, lastProperty=0x1a4) at ../../Source/WebCore/css/StyleResolver.cpp:3981
#7  0x00007ffff2fc56e1 in WebCore::StyleResolver::applyMatchedProperties (this=0xa39620, matchResult=..., element=0x85b6b0, shouldUseMatchedPropertiesCache=WebCore::StyleResolver::UseMatchedPropertiesCache) at ../../Source/WebCore/css/StyleResolver.cpp:1754
#8  0x00007ffff2fc0c3e in WebCore::StyleResolver::styleForElement (this=0xa39620, element=0x85b6b0, defaultParent=0x9e0710, sharingBehavior=WebCore::AllowStyleSharing, matchingBehavior=WebCore::MatchAllRules, regionForStyling=0x0) at ../../Source/WebCore/css/StyleResolver.cpp:799
#9  0x00007ffff3c1f747 in WebCore::Style::styleForElement (element=..., inheritedStyle=...) at ../../Source/WebCore/style/StyleResolveTree.cpp:264
#10 0x00007ffff3c1f8ff in WebCore::Style::createRendererIfNeeded (element=..., inheritedStyle=..., renderTreePosition=..., resolvedStyle=...) at ../../Source/WebCore/style/StyleResolveTree.cpp:290
#11 0x00007ffff3c20fdf in WebCore::Style::attachRenderTree (current=..., inheritedStyle=..., renderTreePosition=..., resolvedStyle=...) at ../../Source/WebCore/style/StyleResolveTree.cpp:619
#12 0x00007ffff3c218d0 in WebCore::Style::resolveLocal (current=..., inheritedStyle=..., renderTreePosition=..., inheritedChange=WebCore::Style::Force) at ../../Source/WebCore/style/StyleResolveTree.cpp:759
#13 0x00007ffff3c22068 in WebCore::Style::resolveTree (current=..., inheritedStyle=..., renderTreePosition=..., change=WebCore::Style::Force) at ../../Source/WebCore/style/StyleResolveTree.cpp:921
#14 0x00007ffff3c225d2 in WebCore::Style::resolveTree (document=..., change=WebCore::Style::Force) at ../../Source/WebCore/style/StyleResolveTree.cpp:1000
#15 0x00007ffff305ed91 in WebCore::Document::recalcStyle (this=0xabf430, change=WebCore::Style::Force) at ../../Source/WebCore/dom/Document.cpp:1751
#16 0x00007ffff305f09c in WebCore::Document::updateStyleIfNeeded (this=0xabf430) at ../../Source/WebCore/dom/Document.cpp:1796
#17 0x00007ffff3069e3b in WebCore::Document::finishedParsing (this=0xabf430) at ../../Source/WebCore/dom/Document.cpp:4522
#18 0x00007ffff33bd667 in WebCore::HTMLConstructionSite::finishedParsing (this=0x85a6a8) at ../../Source/WebCore/html/parser/HTMLConstructionSite.cpp:395
#19 0x00007ffff33fb1dd in WebCore::HTMLTreeBuilder::finished (this=0x85a690) at ../../Source/WebCore/html/parser/HTMLTreeBuilder.cpp:2997
#20 0x00007ffff33c60d0 in WebCore::HTMLDocumentParser::end (this=0xa3a6a0) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:439
#21 0x00007ffff33c61bb in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd (this=0xa3a6a0) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:450
#22 0x00007ffff33c4c69 in WebCore::HTMLDocumentParser::prepareToStopParsing (this=0xa3a6a0) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:165
#23 0x00007ffff33c61fe in WebCore::HTMLDocumentParser::attemptToEnd (this=0xa3a6a0) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:462
#24 0x00007ffff33c62b5 in WebCore::HTMLDocumentParser::finish (this=0xa3a6a0) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:490
#25 0x00007ffff35322d1 in WebCore::DocumentWriter::end (this=0xabaa60) at ../../Source/WebCore/loader/DocumentWriter.cpp:246
#26 0x00007ffff351d9ad in WebCore::DocumentLoader::finishedLoading (this=0xaba9c0, finishTime=0) at ../../Source/WebCore/loader/DocumentLoader.cpp:441
#27 0x00007ffff351d716 in WebCore::DocumentLoader::notifyFinished (this=0xaba9c0, resource=0x882aa0) at ../../Source/WebCore/loader/DocumentLoader.cpp:375
#28 0x00007ffff35d47c4 in WebCore::CachedResource::checkNotify (this=0x882aa0) at ../../Source/WebCore/loader/cache/CachedResource.cpp:347
#29 0x00007ffff35d48ce in WebCore::CachedResource::finishLoading (this=0x882aa0) at ../../Source/WebCore/loader/cache/CachedResource.cpp:363
#30 0x00007ffff35d11f4 in WebCore::CachedRawResource::finishLoading (this=0x882aa0, data=0x85a3e0) at ../../Source/WebCore/loader/cache/CachedRawResource.cpp:101
#31 0x00007ffff3580a50 in WebCore::SubresourceLoader::didFinishLoading (this=0x883010, finishTime=0) at ../../Source/WebCore/loader/SubresourceLoader.cpp:309
#32 0x00007ffff357c73b in WebCore::ResourceLoader::didFinishLoading (this=0x883010, finishTime=0) at ../../Source/WebCore/loader/ResourceLoader.cpp:512
#33 0x00007ffff3eecb0f in WebCore::readCallback (asyncResult=0x9e09a0, data=0x7a2be0) at ../../Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp:1302
#34 0x00007fffebac72ea in async_ready_callback_wrapper (source_object=0xa3bb30, res=0x9e09a0, user_data=0x7a2be0) at ginputstream.c:519
#35 0x00007fffebae6ceb in g_task_return_now (task=0x9e09a0) at gtask.c:1108
#36 0x00007fffebae6d09 in complete_in_idle_cb (task=0x9e09a0) at gtask.c:1117
#37 0x00007fffead3d2e6 in g_main_dispatch (context=0x677bb0) at gmain.c:3065
#38 g_main_context_dispatch (context=context@entry=0x677bb0) at gmain.c:3641
#39 0x00007fffead3d638 in g_main_context_iterate (context=0x677bb0, block=block@entry=0x1, dispatch=dispatch@entry=0x1, self=<optimized out>) at gmain.c:3712
#40 0x00007fffead3da3a in g_main_loop_run (loop=0xafe620) at gmain.c:3906
#41 0x00007ffff45e062e in WTF::RunLoop::run () at ../../Source/WTF/wtf/gtk/RunLoopGtk.cpp:59
#42 0x00007ffff2b1c1e2 in WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain> (argc=0x2, argv=0x7fffffffd938) at ../../Source/WebKit2/Shared/unix/ChildProcessMain.h:61
#43 0x00007ffff2b1c047 in WebKit::WebProcessMainUnix (argc=0x2, argv=0x7fffffffd938) at ../../Source/WebKit2/WebProcess/gtk/WebProcessMainGtk.cpp:73
#44 0x000000000040080d in main (argc=0x2, argv=0x7fffffffd938) at ../../Source/WebKit2/WebProcess/EntryPoint/unix/WebProcessMain.cpp:32