Created attachment 243487 [details] Test case Test to reproduce: <style> * { font-size: calc( 10% - 1ch ); } </style> <math> Note: the assertion check (ASSERT(m_glyphs)) right before the crash is also firing. Backtrace: ASSERTION FAILED: m_glyphs ../../Source/WebCore/platform/graphics/Font.h(366) : const WebCore::SimpleFontData* WebCore::Font::primaryFont() const Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0x7fff8bfff700 (LWP 1338)] 0x00007fffed9e041b in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321 321 *(int *)(uintptr_t)0xbbadbeef = 0; #0 0x00007fffed9e041b in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321 #1 0x00007ffff32cdac9 in WebCore::Font::primaryFont (this=0x7ffff7ecdbb8) at ../../Source/WebCore/platform/graphics/Font.h:366 #2 0x00007ffff32cda7a in WebCore::Font::fontMetrics (this=0x7ffff7ecdbb8) at ../../Source/WebCore/platform/graphics/Font.h:175 #3 0x00007ffff3af50d2 in WebCore::RenderStyle::fontMetrics (this=0x7ffff7f20420) at ../../Source/WebCore/rendering/style/RenderStyle.cpp:1322 #4 0x00007ffff2e818dd in WebCore::CSSPrimitiveValue::computeLengthDouble (this=0x7ffff7eeb720, conversionData=...) at ../../Source/WebCore/css/CSSPrimitiveValue.cpp:620 #5 0x00007ffff2e8157b in WebCore::CSSPrimitiveValue::computeLength<float> (this=0x7ffff7eeb720, conversionData=...) at ../../Source/WebCore/css/CSSPrimitiveValue.cpp:581 #6 0x00007ffff2dac2d4 in WebCore::CSSCalcPrimitiveValue::createCalcExpression (this=0x7ffff7ef0460, conversionData=...) at ../../Source/WebCore/css/CSSCalculationValue.cpp:229 #7 0x00007ffff2dad336 in WebCore::CSSCalcBinaryOperation::createCalcExpression (this=0x7ffff7eb77b0, conversionData=...) at ../../Source/WebCore/css/CSSCalculationValue.cpp:432 #8 0x00007ffff2da1e2a in WebCore::CSSCalcValue::createCalculationValue (this=0x7ffff7ef0440, conversionData=...) at ../../Source/WebCore/css/CSSCalculationValue.h:122 #9 0x00007ffff2eb116c in WebCore::ApplyPropertyFontSize::applyValue (styleResolver=0x7ffff7ecc000, value=0x7ffff7eeb708) at ../../Source/WebCore/css/DeprecatedStyleBuilder.cpp:496 #10 0x00007ffff2f20511 in WebCore::PropertyHandler::applyValue (this=0x7ffff7dcab78 <WebCore::DeprecatedStyleBuilder::sharedStyleBuilder()::styleBuilderInstance+120>, propertyID=WebCore::CSSPropertyFontSize, styleResolver=0x7ffff7ecc000, value=0x7ffff7eeb708) at ../../Source/WebCore/css/DeprecatedStyleBuilder.h:49 #11 0x00007ffff2f15b80 in WebCore::StyleResolver::applyProperty (this=0x7ffff7ecc000, id=WebCore::CSSPropertyFontSize, value=0x7ffff7eeb708) at ../../Source/WebCore/css/StyleResolver.cpp:2135 #12 0x00007ffff2f1c6b3 in WebCore::StyleResolver::CascadedProperties::Property::apply (this=0x7fffffff8e20, resolver=...) at ../../Source/WebCore/css/StyleResolver.cpp:3809 #13 0x00007ffff2f1c828 in WebCore::StyleResolver::applyCascadedProperties (this=0x7ffff7ecc000, cascade=..., firstProperty=1, lastProperty=19) at ../../Source/WebCore/css/StyleResolver.cpp:3839 #14 0x00007ffff2f14331 in WebCore::StyleResolver::applyMatchedProperties (this=0x7ffff7ecc000, matchResult=..., element=0x7ffff7f24a28, shouldUseMatchedPropertiesCache=WebCore::StyleResolver::UseMatchedPropertiesCache) at ../../Source/WebCore/css/StyleResolver.cpp:1742 #15 0x00007ffff2f0fa62 in WebCore::StyleResolver::styleForElement (this=0x7ffff7ecc000, element=0x7ffff7f24a28, defaultParent=0x7ffff7f20360, sharingBehavior=WebCore::AllowStyleSharing, matchingBehavior=WebCore::MatchAllRules, regionForStyling=0x0) at ../../Source/WebCore/css/StyleResolver.cpp:800 #16 0x00007ffff3b8f0e6 in WebCore::Style::styleForElement (element=..., inheritedStyle=...) at ../../Source/WebCore/style/StyleResolveTree.cpp:262 #17 0x00007ffff3b8f28d in WebCore::Style::createRendererIfNeeded (element=..., inheritedStyle=..., renderTreePosition=..., resolvedStyle=...) at ../../Source/WebCore/style/StyleResolveTree.cpp:288 #18 0x00007ffff3b90910 in WebCore::Style::attachRenderTree (current=..., inheritedStyle=..., renderTreePosition=..., resolvedStyle=...) at ../../Source/WebCore/style/StyleResolveTree.cpp:615 #19 0x00007ffff3b8ff8a in WebCore::Style::attachChildren (current=..., inheritedStyle=..., renderTreePosition=...) at ../../Source/WebCore/style/StyleResolveTree.cpp:484 #20 0x00007ffff3b909e7 in WebCore::Style::attachRenderTree (current=..., inheritedStyle=..., renderTreePosition=..., resolvedStyle=...) at ../../Source/WebCore/style/StyleResolveTree.cpp:629 #21 0x00007ffff3b8ff8a in WebCore::Style::attachChildren (current=..., inheritedStyle=..., renderTreePosition=...) at ../../Source/WebCore/style/StyleResolveTree.cpp:484 #22 0x00007ffff3b909e7 in WebCore::Style::attachRenderTree (current=..., inheritedStyle=..., renderTreePosition=..., resolvedStyle=...) at ../../Source/WebCore/style/StyleResolveTree.cpp:629 #23 0x00007ffff3b91203 in WebCore::Style::resolveLocal (current=..., inheritedStyle=..., renderTreePosition=..., inheritedChange=WebCore::Style::Force) at ../../Source/WebCore/style/StyleResolveTree.cpp:756 #24 0x00007ffff3b9199a in WebCore::Style::resolveTree (current=..., inheritedStyle=..., renderTreePosition=..., change=WebCore::Style::Force) at ../../Source/WebCore/style/StyleResolveTree.cpp:918 #25 0x00007ffff3b91eaa in WebCore::Style::resolveTree (document=..., change=WebCore::Style::Force) at ../../Source/WebCore/style/StyleResolveTree.cpp:995 #26 0x00007ffff2fb6994 in WebCore::Document::recalcStyle (this=0x7fff987ca000, change=WebCore::Style::Force) at ../../Source/WebCore/dom/Document.cpp:1769 #27 0x00007ffff2fb6c8b in WebCore::Document::updateStyleIfNeeded (this=0x7fff987ca000) at ../../Source/WebCore/dom/Document.cpp:1817 #28 0x00007ffff2fc1e16 in WebCore::Document::finishedParsing (this=0x7fff987ca000) at ../../Source/WebCore/dom/Document.cpp:4593 #29 0x00007ffff33192bd in WebCore::HTMLConstructionSite::finishedParsing (this=0x7ffff7f32918) at ../../Source/WebCore/html/parser/HTMLConstructionSite.cpp:395 #30 0x00007ffff3356e8f in WebCore::HTMLTreeBuilder::finished (this=0x7ffff7f32900) at ../../Source/WebCore/html/parser/HTMLTreeBuilder.cpp:3009 #31 0x00007ffff3321f54 in WebCore::HTMLDocumentParser::end (this=0x7ffff7f17600) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:439 #32 0x00007ffff332203f in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd (this=0x7ffff7f17600) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:450 #33 0x00007ffff3320aed in WebCore::HTMLDocumentParser::prepareToStopParsing (this=0x7ffff7f17600) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:165 #34 0x00007ffff3322082 in WebCore::HTMLDocumentParser::attemptToEnd (this=0x7ffff7f17600) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:462 #35 0x00007ffff3322139 in WebCore::HTMLDocumentParser::finish (this=0x7ffff7f17600) at ../../Source/WebCore/html/parser/HTMLDocumentParser.cpp:490 #36 0x00007ffff348c067 in WebCore::DocumentWriter::end (this=0x7ffff7eb8aa0) at ../../Source/WebCore/loader/DocumentWriter.cpp:246 #37 0x00007ffff3477d4b in WebCore::DocumentLoader::finishedLoading (this=0x7ffff7eb8a00, finishTime=0) at ../../Source/WebCore/loader/DocumentLoader.cpp:440 #38 0x00007ffff3477ab4 in WebCore::DocumentLoader::notifyFinished (this=0x7ffff7eb8a00, resource=0x7ffff7ec5680) at ../../Source/WebCore/loader/DocumentLoader.cpp:374 #39 0x00007ffff35291ae in WebCore::CachedResource::checkNotify (this=0x7ffff7ec5680) at ../../Source/WebCore/loader/cache/CachedResource.cpp:293 #40 0x00007ffff35292ac in WebCore::CachedResource::finishLoading (this=0x7ffff7ec5680) at ../../Source/WebCore/loader/cache/CachedResource.cpp:309 #41 0x00007ffff35259b3 in WebCore::CachedRawResource::finishLoading (this=0x7ffff7ec5680, data=0x7fff987c35a0) at ../../Source/WebCore/loader/cache/CachedRawResource.cpp:104 #42 0x00007ffff34d993c in WebCore::SubresourceLoader::didFinishLoading (this=0x7ffff7ec5200, finishTime=0) at ../../Source/WebCore/loader/SubresourceLoader.cpp:306 #43 0x00007ffff34d56c9 in WebCore::ResourceLoader::didFinishLoading (this=0x7ffff7ec5200, finishTime=0) at ../../Source/WebCore/loader/ResourceLoader.cpp:508 #44 0x00007ffff3e8d921 in WebCore::readCallback (asyncResult=0x7181d0, data=0x7ffff7ef00e0) at ../../Source/WebCore/platform/network/soup/ResourceHandleSoup.cpp:1295 #45 0x00007fffeb5967d6 in async_ready_callback_wrapper (source_object=0x7c6ad0, res=0x7181d0, user_data=user_data@entry=0x7ffff7ef00e0) at ginputstream.c:523 #46 0x00007fffeb5bc0d5 in g_task_return_now (task=0x7181d0) at gtask.c:1077 #47 0x00007fffeb5bc0f9 in complete_in_idle_cb (task=0x7181d0) at gtask.c:1086 #48 0x00007fffea7fb9fd in g_main_dispatch (context=0x478380) at gmain.c:3064 #49 g_main_context_dispatch (context=context@entry=0x478380) at gmain.c:3663 #50 0x00007fffea7fbd68 in g_main_context_iterate (context=0x478380, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3734 #51 0x00007fffea7fc02a in g_main_loop_run (loop=0x901540) at gmain.c:3928 #52 0x00007ffff454635e in WTF::RunLoop::run () at ../../Source/WTF/wtf/gtk/RunLoopGtk.cpp:59 #53 0x00007ffff2a8ace8 in WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain> (argc=2, argv=0x7fffffffd968) at ../../Source/WebKit2/Shared/unix/ChildProcessMain.h:61 #54 0x00007ffff2a8ab4d in WebKit::WebProcessMainUnix (argc=2, argv=0x7fffffffd968) at ../../Source/WebKit2/WebProcess/gtk/WebProcessMainGtk.cpp:73 #55 0x0000000000400891 in main (argc=2, argv=0x7fffffffd968) at ../../Source/WebKit2/WebProcess/EntryPoint/unix/WebProcessMain.cpp:44