138770 – Assertion hit when setting a very large value to 'border-width' / 'font-size' CSS properties

Bug 138770 - Assertion hit when setting a very large value to 'border-width' / 'font-size' CSS properties

Summary: Assertion hit when setting a very large value to 'border-width' / 'font-size'...

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	CSS (show other bugs)
Version:	528+ (Nightly build)
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Chris Dumez

URL:
Keywords:

Depends on:
Blocks:	138778
	Show dependency tree / graph

Reported:	2014-11-15 18:40 PST by Chris Dumez
Modified:	2014-11-16 21:38 PST (History)
CC List:	4 users (show)

See Also:

Attachments
Patch (5.50 KB, patch) 2014-11-15 19:17 PST, Chris Dumez	no flags	Details \| Formatted Diff \| Diff
Patch (5.55 KB, patch) 2014-11-15 19:38 PST, Chris Dumez	no flags	Details \| Formatted Diff \| Diff
Patch (6.55 KB, patch) 2014-11-15 20:00 PST, Chris Dumez	no flags	Details \| Formatted Diff \| Diff
Patch (6.58 KB, patch) 2014-11-15 20:03 PST, Chris Dumez	no flags	Details \| Formatted Diff \| Diff
Patch (6.63 KB, patch) 2014-11-16 20:51 PST, Chris Dumez	no flags	Details \| Formatted Diff \| Diff
Show Obsolete (4) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Chris Dumez 2014-11-15 18:40:13 PST

Assertion hit when setting a very large value to 'border-width' CSS property:
SHOULD NEVER BE REACHED
/Users/chris/WebKit/OpenSource/Source/WebCore/css/CSSPrimitiveValue.cpp(658) : double WebCore::CSSPrimitiveValue::computeLengthDouble(const WebCore::CSSToLengthConversionData &) const
1   0x11390a770 WTFCrash
2   0x1152b3b0d WebCore::CSSPrimitiveValue::computeLengthDouble(WebCore::CSSToLengthConversionData const&) const
3   0x1152b3d1d float WebCore::CSSPrimitiveValue::computeLength<float>(WebCore::CSSToLengthConversionData const&) const
4   0x116aefcbf float WebCore::StyleBuilderConverter::convertComputedLength<float>(WebCore::StyleResolver&, WebCore::CSSValue&)
5   0x116af9f67 float WebCore::StyleBuilderConverter::convertLineWidth<float>(WebCore::StyleResolver&, WebCore::CSSValue&)
6   0x116ae60ea WebCore::StyleBuilderFunctions::applyValueBorderBottomWidth(WebCore::StyleResolver&, WebCore::CSSValue&)
7   0x116ae1674 WebCore::StyleBuilder::applyProperty(WebCore::CSSPropertyID, WebCore::StyleResolver&, WebCore::CSSValue&, bool, bool)
8   0x116b2c093 WebCore::StyleResolver::applyProperty(WebCore::CSSPropertyID, WebCore::CSSValue*)
9   0x116b398b7 WebCore::StyleResolver::CascadedProperties::Property::apply(WebCore::StyleResolver&)
10  0x116b2bb7a WebCore::StyleResolver::applyCascadedProperties(WebCore::StyleResolver::CascadedProperties&, int, int)
11  0x116b2a2c7 WebCore::StyleResolver::applyMatchedProperties(WebCore::StyleResolver::MatchResult const&, WebCore::Element const*, WebCore::StyleResolver::ShouldUseMatchedPropertiesCache)
12  0x116b27f53 WebCore::StyleResolver::styleForElement(WebCore::Element*, WebCore::RenderStyle*, WebCore::StyleSharingBehavior, WebCore::RuleMatchingBehavior, WebCore::RenderRegion const*)
13  0x116b595e3 WebCore::Style::styleForElement(WebCore::Element&, WebCore::RenderStyle&)
14  0x116b58740 WebCore::Style::createRendererIfNeeded(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>)
15  0x116b58307 WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>)
16  0x116b58d0b WebCore::Style::attachChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&)
17  0x116b583d9 WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>)
18  0x116b58d0b WebCore::Style::attachChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&)
19  0x116b583d9 WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>)
20  0x116b57650 WebCore::Style::resolveLocal(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WebCore::Style::Change)
21  0x116b54f8d WebCore::Style::resolveTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WebCore::Style::Change)
22  0x116b54e48 WebCore::Style::resolveTree(WebCore::Document&, WebCore::Style::Change)
23  0x1153dd6a6 WebCore::Document::recalcStyle(WebCore::Style::Change)
24  0x1153d988f WebCore::Document::updateStyleIfNeeded()
25  0x1153ea142 WebCore::Document::finishedParsing()
26  0x115884cd8 WebCore::HTMLConstructionSite::finishedParsing()
27  0x1159c27b7 WebCore::HTMLTreeBuilder::finished()
28  0x1158b3c0e WebCore::HTMLDocumentParser::end()
29  0x1158b1c73 WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd()
30  0x1158b1a80 WebCore::HTMLDocumentParser::prepareToStopParsing()
31  0x1158b3c63 WebCore::HTMLDocumentParser::attemptToEnd()

To reproduce:
testDiv.style["border-width"] = "900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000px";

Comment 1 Chris Dumez 2014-11-15 19:17:00 PST

Created attachment 241672 [details]
Patch

Comment 2 Chris Dumez 2014-11-15 19:38:58 PST

Created attachment 241673 [details]
Patch

Comment 3 Chris Dumez 2014-11-15 20:00:41 PST

Created attachment 241674 [details]
Patch

Comment 4 Chris Dumez 2014-11-15 20:03:03 PST

Created attachment 241675 [details]
Patch

Comment 5 Darin Adler 2014-11-16 19:46:29 PST

Comment on attachment 241675 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=241675&action=review

> Source/WebCore/css/CSSValuePool.cpp:92
> +    ASSERT(!std::isinf(value));

If NaN is also illegal here, then I suggest we write:

    ASSERT(std::isfinite(value));

Comment 6 Chris Dumez 2014-11-16 20:51:50 PST

Created attachment 241688 [details]
Patch

Comment 7 WebKit Commit Bot 2014-11-16 21:38:01 PST

Comment on attachment 241688 [details]
Patch

Clearing flags on attachment: 241688

Committed r176170: <http://trac.webkit.org/changeset/176170>

Comment 8 WebKit Commit Bot 2014-11-16 21:38:07 PST

All reviewed patches have been landed.  Closing bug.