RESOLVED FIXED 138770
Assertion hit when setting a very large value to 'border-width' / 'font-size' CSS properties 
https://bugs.webkit.org/show_bug.cgi?id=138770
Summary Assertion hit when setting a very large value to 'border-width' / 'font-size'...
Chris Dumez
Reported 2014-11-15 18:40:13 PST
Assertion hit when setting a very large value to 'border-width' CSS property: SHOULD NEVER BE REACHED /Users/chris/WebKit/OpenSource/Source/WebCore/css/CSSPrimitiveValue.cpp(658) : double WebCore::CSSPrimitiveValue::computeLengthDouble(const WebCore::CSSToLengthConversionData &) const 1 0x11390a770 WTFCrash 2 0x1152b3b0d WebCore::CSSPrimitiveValue::computeLengthDouble(WebCore::CSSToLengthConversionData const&) const 3 0x1152b3d1d float WebCore::CSSPrimitiveValue::computeLength<float>(WebCore::CSSToLengthConversionData const&) const 4 0x116aefcbf float WebCore::StyleBuilderConverter::convertComputedLength<float>(WebCore::StyleResolver&, WebCore::CSSValue&) 5 0x116af9f67 float WebCore::StyleBuilderConverter::convertLineWidth<float>(WebCore::StyleResolver&, WebCore::CSSValue&) 6 0x116ae60ea WebCore::StyleBuilderFunctions::applyValueBorderBottomWidth(WebCore::StyleResolver&, WebCore::CSSValue&) 7 0x116ae1674 WebCore::StyleBuilder::applyProperty(WebCore::CSSPropertyID, WebCore::StyleResolver&, WebCore::CSSValue&, bool, bool) 8 0x116b2c093 WebCore::StyleResolver::applyProperty(WebCore::CSSPropertyID, WebCore::CSSValue*) 9 0x116b398b7 WebCore::StyleResolver::CascadedProperties::Property::apply(WebCore::StyleResolver&) 10 0x116b2bb7a WebCore::StyleResolver::applyCascadedProperties(WebCore::StyleResolver::CascadedProperties&, int, int) 11 0x116b2a2c7 WebCore::StyleResolver::applyMatchedProperties(WebCore::StyleResolver::MatchResult const&, WebCore::Element const*, WebCore::StyleResolver::ShouldUseMatchedPropertiesCache) 12 0x116b27f53 WebCore::StyleResolver::styleForElement(WebCore::Element*, WebCore::RenderStyle*, WebCore::StyleSharingBehavior, WebCore::RuleMatchingBehavior, WebCore::RenderRegion const*) 13 0x116b595e3 WebCore::Style::styleForElement(WebCore::Element&, WebCore::RenderStyle&) 14 0x116b58740 WebCore::Style::createRendererIfNeeded(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) 15 0x116b58307 WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) 16 0x116b58d0b WebCore::Style::attachChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&) 17 0x116b583d9 WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) 18 0x116b58d0b WebCore::Style::attachChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&) 19 0x116b583d9 WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) 20 0x116b57650 WebCore::Style::resolveLocal(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WebCore::Style::Change) 21 0x116b54f8d WebCore::Style::resolveTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WebCore::Style::Change) 22 0x116b54e48 WebCore::Style::resolveTree(WebCore::Document&, WebCore::Style::Change) 23 0x1153dd6a6 WebCore::Document::recalcStyle(WebCore::Style::Change) 24 0x1153d988f WebCore::Document::updateStyleIfNeeded() 25 0x1153ea142 WebCore::Document::finishedParsing() 26 0x115884cd8 WebCore::HTMLConstructionSite::finishedParsing() 27 0x1159c27b7 WebCore::HTMLTreeBuilder::finished() 28 0x1158b3c0e WebCore::HTMLDocumentParser::end() 29 0x1158b1c73 WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() 30 0x1158b1a80 WebCore::HTMLDocumentParser::prepareToStopParsing() 31 0x1158b3c63 WebCore::HTMLDocumentParser::attemptToEnd() To reproduce: testDiv.style["border-width"] = "900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000px";
Attachments
Patch (5.50 KB, patch)
2014-11-15 19:17 PST, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Patch (5.55 KB, patch)
2014-11-15 19:38 PST, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Patch (6.55 KB, patch)
2014-11-15 20:00 PST, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Patch (6.58 KB, patch)
2014-11-15 20:03 PST, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Patch (6.63 KB, patch)
2014-11-16 20:51 PST, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Show Obsolete (4) View All Add attachment proposed patch, testcase, etc.
Chris Dumez
Comment 1 2014-11-15 19:17:00 PST
Created attachment 241672 [details] Patch
Chris Dumez
Comment 2 2014-11-15 19:38:58 PST
Created attachment 241673 [details] Patch
Chris Dumez
Comment 3 2014-11-15 20:00:41 PST
Created attachment 241674 [details] Patch
Chris Dumez
Comment 4 2014-11-15 20:03:03 PST
Created attachment 241675 [details] Patch
Darin Adler
Comment 5 2014-11-16 19:46:29 PST
Comment on attachment 241675 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=241675&action=review > Source/WebCore/css/CSSValuePool.cpp:92 > + ASSERT(!std::isinf(value)); If NaN is also illegal here, then I suggest we write: ASSERT(std::isfinite(value));
Chris Dumez
Comment 6 2014-11-16 20:51:50 PST
Created attachment 241688 [details] Patch
WebKit Commit Bot
Comment 7 2014-11-16 21:38:01 PST
Comment on attachment 241688 [details] Patch Clearing flags on attachment: 241688 Committed r176170: <http://trac.webkit.org/changeset/176170>
WebKit Commit Bot
Comment 8 2014-11-16 21:38:07 PST
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.