Bug 168440 - ASSERTION FAILED: tempSize >= 0 in WebCore::GridTrack::setTempSize
Summary: ASSERTION FAILED: tempSize >= 0 in WebCore::GridTrack::setTempSize
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering (show other bugs)
Version: WebKit Local Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Sergio Villar Senin
URL:
Keywords:
Depends on:
Blocks: 116980
Reported: 2017-02-16 10:12 PST by Renata Hodovan
Modified: 2023-01-20 10:29 PST (History)
CC List: 16 users

See Also:


Attachments
Test (86 bytes, text/html)
2017-02-16 10:12 PST, Renata Hodovan
no flags Details
Patch (3.29 KB, patch)
2017-02-20 10:53 PST, Sergio Villar Senin
simon.fraser: review-
buildbot: commit-queue-
Archive of layout-test-results from ews106 for mac-elcapitan-wk2 (827.21 KB, application/zip)
2017-02-20 12:03 PST, Build Bot
no flags Details

Description Renata Hodovan 2017-02-16 10:12:18 PST
Created attachment 301778 [details]
Test

Load the attached test with debug WebKitTestRunner:

Checked version: f7953f1
OS: Darwin-16.4.0-x86_64-i386-64bit

<a>
<style>
* {
    grid: 0 / 0;
    zoom :9825555398;
    display:inline-grid;
}
</style>
</a>
Backtrace:

ASSERTION FAILED: tempSize >= 0
WebKit/Source/WebCore/rendering/RenderGrid.cpp(97) : void WebCore::GridTrack::setTempSize(const WebCore::LayoutUnit &)
1   0x112a7be51 WTFCrash
2   0x11cb0e7b4 WebCore::GridTrack::setTempSize(WebCore::LayoutUnit const&)
3   0x11cadd783 void WebCore::RenderGrid::distributeSpaceToTracks<(WebCore::TrackSizeComputationPhase)5>(WTF::Vector<WebCore::GridTrack*, 0ul, WTF::CrashOnOverflow, 16ul>&, WTF::Vector<WebCore::GridTrack*, 0ul, WTF::CrashOnOverflow, 16ul>*, WebCore::LayoutUnit&) const
4   0x11cad21b6 WebCore::RenderGrid::computeUsedBreadthOfGridTracks(WebCore::GridTrackSizingDirection, WebCore::RenderGrid::GridSizingData&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) const
5   0x11cad0740 WebCore::RenderGrid::computeTrackSizesForDirection(WebCore::GridTrackSizingDirection, WebCore::RenderGrid::GridSizingData&, WebCore::LayoutUnit)
6   0x11cad5788 WebCore::RenderGrid::layoutBlock(bool, WebCore::LayoutUnit)
7   0x11c7444f4 WebCore::RenderBlock::layout()
8   0x118aa0d9c WebCore::RenderElement::layoutIfNeeded()
9   0x11cad8a59 WebCore::RenderGrid::layoutGridItems(WebCore::RenderGrid::GridSizingData&)
10  0x11cad6300 WebCore::RenderGrid::layoutBlock(bool, WebCore::LayoutUnit)
11  0x11c7444f4 WebCore::RenderBlock::layout()
12  0x118aa0d9c WebCore::RenderElement::layoutIfNeeded()
13  0x11cad8a59 WebCore::RenderGrid::layoutGridItems(WebCore::RenderGrid::GridSizingData&)
14  0x11cad6300 WebCore::RenderGrid::layoutBlock(bool, WebCore::LayoutUnit)
15  0x11c7444f4 WebCore::RenderBlock::layout()
16  0x118aa0d9c WebCore::RenderElement::layoutIfNeeded()
17  0x11cae2408 WebCore::RenderGrid::logicalHeightForChild(WebCore::RenderBox&) const
18  0x11cae3fa6 WebCore::RenderGrid::minContentForChild(WebCore::RenderBox&, WebCore::GridTrackSizingDirection, WebCore::RenderGrid::GridSizingData&) const
19  0x11cae30be WebCore::RenderGrid::minSizeForChild(WebCore::RenderBox&, WebCore::GridTrackSizingDirection, WebCore::RenderGrid::GridSizingData&) const
20  0x11cae60bf WebCore::RenderGrid::resolveContentBasedTrackSizingFunctionsForNonSpanningItems(WebCore::GridTrackSizingDirection, WebCore::GridSpan const&, WebCore::RenderBox&, WebCore::GridTrack&, WebCore::RenderGrid::GridSizingData&) const
21  0x11cadc7b8 WebCore::RenderGrid::resolveContentBasedTrackSizingFunctions(WebCore::GridTrackSizingDirection, WebCore::RenderGrid::GridSizingData&) const
22  0x11cad1c8f WebCore::RenderGrid::computeUsedBreadthOfGridTracks(WebCore::GridTrackSizingDirection, WebCore::RenderGrid::GridSizingData&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) const
23  0x11cad7745 WebCore::RenderGrid::computeIntrinsicLogicalHeight(WebCore::RenderGrid::GridSizingData&)
24  0x11cad5844 WebCore::RenderGrid::layoutBlock(bool, WebCore::LayoutUnit)
25  0x11c7444f4 WebCore::RenderBlock::layout()
26  0x11c806be4 WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)
27  0x11c7fd350 WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)
28  0x11c7f9528 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)
29  0x11c7444f4 WebCore::RenderBlock::layout()
30  0x11d168f06 WebCore::RenderView::layoutContent(WebCore::LayoutState const&)
31  0x11d16b366 WebCore::RenderView::layout()
ASAN:DEADLYSIGNAL
=================================================================
==3015==ERROR: AddressSanitizer: SEGV on unknown address 0x0000bbadbeef (pc 0x000112a7be89 bp 0x7fff5c3f7c80 sp 0x7fff5c3f7c70 T0)
    #0 0x112a7be88 in WTFCrash (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x3375e88)
    #1 0x11cb0e7b3 in WebCore::GridTrack::setTempSize(WebCore::LayoutUnit const&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x57bf7b3)
    #2 0x11cadd782 in void WebCore::RenderGrid::distributeSpaceToTracks<(WebCore::TrackSizeComputationPhase)5>(WTF::Vector<WebCore::GridTrack*, 0ul, WTF::CrashOnOverflow, 16ul>&, WTF::Vector<WebCore::GridTrack*, 0ul, WTF::CrashOnOverflow, 16ul>*, WebCore::LayoutUnit&) const (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x578e782)
    #3 0x11cad21b5 in WebCore::RenderGrid::computeUsedBreadthOfGridTracks(WebCore::GridTrackSizingDirection, WebCore::RenderGrid::GridSizingData&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) const (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x57831b5)
    #4 0x11cad073f in WebCore::RenderGrid::computeTrackSizesForDirection(WebCore::GridTrackSizingDirection, WebCore::RenderGrid::GridSizingData&, WebCore::LayoutUnit) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x578173f)
    #5 0x11cad5787 in WebCore::RenderGrid::layoutBlock(bool, WebCore::LayoutUnit) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5786787)
    #6 0x11c7444f3 in WebCore::RenderBlock::layout() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x53f54f3)
    #7 0x118aa0d9b in WebCore::RenderElement::layoutIfNeeded() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1751d9b)
    #8 0x11cad8a58 in WebCore::RenderGrid::layoutGridItems(WebCore::RenderGrid::GridSizingData&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5789a58)
    #9 0x11cad62ff in WebCore::RenderGrid::layoutBlock(bool, WebCore::LayoutUnit) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x57872ff)
    #10 0x11c7444f3 in WebCore::RenderBlock::layout() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x53f54f3)
    #11 0x118aa0d9b in WebCore::RenderElement::layoutIfNeeded() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1751d9b)
    #12 0x11cad8a58 in WebCore::RenderGrid::layoutGridItems(WebCore::RenderGrid::GridSizingData&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5789a58)
    #13 0x11cad62ff in WebCore::RenderGrid::layoutBlock(bool, WebCore::LayoutUnit) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x57872ff)
    #14 0x11c7444f3 in WebCore::RenderBlock::layout() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x53f54f3)
    #15 0x118aa0d9b in WebCore::RenderElement::layoutIfNeeded() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1751d9b)
    #16 0x11cae2407 in WebCore::RenderGrid::logicalHeightForChild(WebCore::RenderBox&) const (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5793407)
    #17 0x11cae3fa5 in WebCore::RenderGrid::minContentForChild(WebCore::RenderBox&, WebCore::GridTrackSizingDirection, WebCore::RenderGrid::GridSizingData&) const (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5794fa5)
    #18 0x11cae30bd in WebCore::RenderGrid::minSizeForChild(WebCore::RenderBox&, WebCore::GridTrackSizingDirection, WebCore::RenderGrid::GridSizingData&) const (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x57940bd)
    #19 0x11cae60be in WebCore::RenderGrid::resolveContentBasedTrackSizingFunctionsForNonSpanningItems(WebCore::GridTrackSizingDirection, WebCore::GridSpan const&, WebCore::RenderBox&, WebCore::GridTrack&, WebCore::RenderGrid::GridSizingData&) const (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x57970be)
    #20 0x11cadc7b7 in WebCore::RenderGrid::resolveContentBasedTrackSizingFunctions(WebCore::GridTrackSizingDirection, WebCore::RenderGrid::GridSizingData&) const (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x578d7b7)
    #21 0x11cad1c8e in WebCore::RenderGrid::computeUsedBreadthOfGridTracks(WebCore::GridTrackSizingDirection, WebCore::RenderGrid::GridSizingData&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) const (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5782c8e)
    #22 0x11cad7744 in WebCore::RenderGrid::computeIntrinsicLogicalHeight(WebCore::RenderGrid::GridSizingData&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5788744)
    #23 0x11cad5843 in WebCore::RenderGrid::layoutBlock(bool, WebCore::LayoutUnit) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5786843)
    #24 0x11c7444f3 in WebCore::RenderBlock::layout() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x53f54f3)
    #25 0x11c806be3 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x54b7be3)
    #26 0x11c7fd34f in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x54ae34f)
    #27 0x11c7f9527 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x54aa527)
    #28 0x11c7444f3 in WebCore::RenderBlock::layout() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x53f54f3)
    #29 0x11d168f05 in WebCore::RenderView::layoutContent(WebCore::LayoutState const&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5e19f05)
    #30 0x11d16b365 in WebCore::RenderView::layout() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5e1c365)
    #31 0x118e38c2e in WebCore::FrameView::layout(bool) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1ae9c2e)
    #32 0x118458549 in WebCore::Document::implicitClose() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1109549)
    #33 0x118da2562 in WebCore::FrameLoader::checkCallImplicitClose() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1a53562)
    #34 0x118da1d5b in WebCore::FrameLoader::checkCompleted() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1a52d5b)
    #35 0x118d9dfa6 in WebCore::FrameLoader::finishedParsing() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1a4efa6)
    #36 0x118488a18 in WebCore::Document::finishedParsing() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1139a18)
    #37 0x11919c785 in WebCore::HTMLConstructionSite::finishedParsing() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1e4d785)
    #38 0x1194c92a7 in WebCore::HTMLTreeBuilder::finished() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x217a2a7)
    #39 0x11921631b in WebCore::HTMLDocumentParser::end() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1ec731b)
    #40 0x119210ac6 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1ec1ac6)
    #41 0x11921067d in WebCore::HTMLDocumentParser::prepareToStopParsing() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1ec167d)
    #42 0x11921643b in WebCore::HTMLDocumentParser::attemptToEnd() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1ec743b)
    #43 0x119216573 in WebCore::HTMLDocumentParser::finish() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1ec7573)
    #44 0x118656aff in WebCore::DocumentWriter::end() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1307aff)
    #45 0x11859df32 in WebCore::DocumentLoader::finishedLoading(double) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x124ef32)
    #46 0x11859d8da in WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x124e8da)
    #47 0x11795b7f3 in WebCore::CachedResource::checkNotify() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x60c7f3)
    #48 0x11795be83 in WebCore::CachedResource::finishLoading(WebCore::SharedBuffer*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x60ce83)
    #49 0x11794da58 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5fea58)
    #50 0x11db8f6e2 in WebCore::SubresourceLoader::didFinishLoading(double) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x68406e2)
    #51 0x10558d549 in WebKit::WebResourceLoader::didFinishResourceLoad(double) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1d76549)
    #52 0x10559d39e in void IPC::callMemberFunctionImpl<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>, 0ul>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>&&, std::__1::integer_sequence<unsigned long, 0ul>) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1d8639e)
    #53 0x10559d044 in void IPC::callMemberFunction<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double), std::__1::tuple<double>, std::__1::integer_sequence<unsigned long, 0ul> >(std::__1::tuple<double>&&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1d86044)
    #54 0x10559a0f0 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1d830f0)
    #55 0x10559825a in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1d8125a)
    #56 0x10409a859 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x883859)
    #57 0x103a08c1a in IPC::Connection::dispatchMessage(IPC::Decoder&) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1f1c1a)
    #58 0x1039ed244 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1d6244)
    #59 0x103a09905 in IPC::Connection::dispatchOneMessage() (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1f2905)
    #60 0x103a4a5ac in IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_14::operator()() (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x2335ac)
    #61 0x103a4a4d8 in WTF::Function<void ()>::CallableWrapper<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_14>::call() (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x2334d8)
    #62 0x112af8d20 in WTF::Function<void ()>::operator()() const (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x33f2d20)
    #63 0x112b3e186 in WTF::RunLoop::performWork() (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x3438186)
    #64 0x112b42e21 in WTF::RunLoop::performWork(void*) (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x343ce21)
    #65 0x7fff8f2b3980 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0xa7980)
    #66 0x7fff8f294a7c in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x88a7c)
    #67 0x7fff8f293f75 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x87f75)
    #68 0x7fff8f293973 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x87973)
    #69 0x7fff8e81fa5b in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30a5b)
    #70 0x7fff8e81f890 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30890)
    #71 0x7fff8e81f6c5 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x306c5)
    #72 0x7fff8cdc55b3 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x475b3)
    #73 0x7fff8d53fd6a in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x7c1d6a)
    #74 0x7fff8cdb9f34 in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x3bf34)
    #75 0x7fff8cd8484f in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x684f)
    #76 0x7fffa4a4f8c6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib+0x108c6)
    #77 0x7fffa4a4e2e3 in xpc_main (/usr/lib/system/libxpc.dylib+0xf2e3)
    #78 0x1037fc0a3 in main (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development+0x1000020a3)
    #79 0x7fffa47eb254 in start (/usr/lib/system/libdyld.dylib+0x5254)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x3375e88) in WTFCrash
==3015==ABORTING
#CRASHED - com.apple.WebKit.WebContent.Development (pid 3015)
LEAK: 1 WebProcessPool
LEAK: 1 WebPageProxy
Comment 1 Sergio Villar Senin 2017-02-17 02:01:35 PST
I'll take a look
Comment 2 Sergio Villar Senin 2017-02-20 10:53:20 PST
Created attachment 302158 [details]
Patch
Comment 3 zalan 2017-02-20 11:04:32 PST
Comment on attachment 302158 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=302158&action=review

> Source/WebCore/ChangeLog:10
> +        clamped to std::numeric_limits when converted to LayoutUnits. That is problematic as it
> +        triggers many different assertions (track lengths must not be negative for

How do you end up with negative LayoutUnit values? through overflow? -the other layout systems seem to be able to handle clamped LayoutUnit values just fine. (and you might end up with clamped values as the result of some other computations during layout which will be never caught by GridLength's c'tor.)
Comment 4 Build Bot 2017-02-20 12:03:11 PST
Comment on attachment 302158 [details]
Patch

Attachment 302158 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/3160570

New failing tests:
fast/css-grid-layout/grid-huge-zoom-crash.html
Comment 5 Build Bot 2017-02-20 12:03:16 PST
Created attachment 302162 [details]
Archive of layout-test-results from ews106 for mac-elcapitan-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews106  Port: mac-elcapitan-wk2  Platform: Mac OS X 10.11.6
Comment 6 Sergio Villar Senin 2017-02-21 10:55:18 PST
(In reply to comment #3)
> Comment on attachment 302158 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=302158&action=review
> 
> > Source/WebCore/ChangeLog:10
> > +        clamped to std::numeric_limits when converted to LayoutUnits. That is problematic as it
> > +        triggers many different assertions (track lengths must not be negative for
> 
> How do you end up with negative LayoutUnit values? through overflow? -the
> other layout systems seem to be able to handle clamped LayoutUnit values
> just fine. (and you might end up with clamped values as the result of some
> other computations during layout which will be never caught by GridLength's
> c'tor.)

So the sequence is more or less the following. The test case defines a really huge value of zoom which is used in nested elements making it even bigger.

It turns out that in StyleBuilderConverter::createGridTrackBreadth() we create a CSSToLengthConversionData which holds a m_zoom with value inf. Then we directly call CSSPrimitiveValue::convertToLength which ends up calling roundForImpreciseConversion. The first thing it does is to add 0.01 to the zoom value making it overflow, and that's how we end up having a -nan value for LayoutUnit.
Comment 7 Sergio Villar Senin 2017-02-27 01:42:48 PST
(In reply to comment #6)
> (In reply to comment #3)
> > Comment on attachment 302158 [details]
> > Patch
> > 
> > View in context:
> > https://bugs.webkit.org/attachment.cgi?id=302158&action=review
> > 
> > > Source/WebCore/ChangeLog:10
> > > +        clamped to std::numeric_limits when converted to LayoutUnits. That is problematic as it
> > > +        triggers many different assertions (track lengths must not be negative for
> > 
> > How do you end up with negative LayoutUnit values? through overflow? -the
> > other layout systems seem to be able to handle clamped LayoutUnit values
> > just fine. (and you might end up with clamped values as the result of some
> > other computations during layout which will be never caught by GridLength's
> > c'tor.)
> 
> So the sequence is more or less the following. The test case defines a
> really huge value of zoom which is used in nested elements making it even
> bigger.
> 
> It turns out that in StyleBuilderConverter::createGridTrackBreadth() we
> create a CSSToLengthConversionData which holds a m_zoom with value inf. Then
> we directly call CSSPrimitiveValue::convertToLength which ends up calling
> roundForImpreciseConversion. The first thing it does is to add 0.01 to the
> zoom value making it overflow, and that's how we end up having a -nan value
> for LayoutUnit.

Zalan ?
Comment 8 Simon Fraser (smfr) 2017-02-27 14:35:09 PST
Comment on attachment 302158 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=302158&action=review

> Source/WebCore/rendering/style/GridLength.h:59
> +        // Abnormally huge values for <track-breadth> (or in combination with 'zoom' property) might
> +        // be computed as NaN. We should convert it to zero, otherwise converting a NaN Length to
> +        // LayoutUnit would be clamped to std::numeric_limits::min()|max()
> +        if (length.isFixed() || length.isPercent()) {
> +            ASSERT(!length.isNegative());
> +            if (std::isnan(length.value()))
> +                m_length = Length(0, Fixed);
> +        }
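Review bot: in the isnan branch a percentage length is replaced by Length(0, Fixed), which changes the unit as well as the value; if the intent is only to neutralise the NaN, `m_length = Length(0, length.isPercent() ? Percent : Fixed);` keeps the original type. The ASSERT(!length.isNegative()) placed before the NaN test is fine for NaN itself (every comparison with NaN is false, so a NaN value passes it), but a value that has already been clamped to a negative extreme, which is the case the ChangeLog describes, will trip that assert before the isnan check is reached; the assert should either come after the NaN handling or the clamped case should be handled too. The branch also only covers isFixed()/isPercent(), so a calc() length with the same problem is not caught; worth a comment saying that is deliberate if it is.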

I think we should fix this higher up the stack, since it can affect all the layout systems, not just grid. We should avoid INF zoom values, and maybe not return 0 from roundForImpreciseConversion() when it overflows (otherwise we risk triggering divide by zero errors).
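The number pipeline described in comment 6 (compounding zoom reaching inf, 0 * inf giving NaN, and a range guard that NaN slips through before the cast to a fixed-point LayoutUnit) and the "fix it higher up" suggestion in comment 8 can be modelled outside WebKit. The C++ below is an added example, not WebCore code: `effectiveZoom`, `scaledTrackBreadth`, `naiveGuardLetsThrough` and `toFixedPointChecked` are constructed names, the nesting depth is an assumption (the page does not state how deep the test nests), and the 64-units-per-px scale only mirrors LayoutUnit's fixed-point layout in spirit.

```cpp
// Added example (not WebKit code): a small model of the numeric failure this
// bug describes. Function names and the nesting depth are constructed.
#include <cmath>
#include <climits>
#include <cstdio>

// Fixed-point scale used by the model conversion below (assumption: 64
// subpixel units per CSS px, as LayoutUnit uses; the code is not WebCore's).
constexpr int kFixedPointDenominator = 64;

// Model of how a per-element 'zoom' compounds through nested elements: each
// nested element multiplies the inherited effective zoom again. With the test
// case's zoom of 9825555398 the product leaves double range after a few
// dozen levels (the depth is a constructed assumption).
double effectiveZoom(double zoom, int nestingDepth) {
    double result = 1.0;
    for (int i = 0; i < nestingDepth; ++i)
        result *= zoom;
    return result; // +inf once the product exceeds DBL_MAX
}

// A zero track breadth (the test's 'grid: 0 / 0') scaled by an infinite zoom
// is 0 * inf, which IEEE 754 defines as NaN.
double scaledTrackBreadth(double breadthPx, double zoom) {
    return breadthPx * zoom;
}

// The guard pattern at issue: an overflow check written as two ordered
// comparisons after a rounding nudge. Every comparison with NaN is false, so
// NaN is treated as "in range" and reaches static_cast<int>, whose result
// for NaN is undefined (on x86 it produces INT_MIN, a negative LayoutUnit).
// Returns true when the guard would let the cast happen.
bool naiveGuardLetsThrough(double value) {
    value += (value < 0) ? -0.01 : 0.01;
    bool outOfRange = value > INT_MAX || value < INT_MIN;
    return !outOfRange;
}

// Hardened conversion, applied at the conversion site rather than in one
// layout system: reject NaN explicitly, then saturate instead of casting
// out-of-range values. NaN maps to 0 (no meaningful length), +/-inf to the
// representable extremes.
int toFixedPointChecked(double px) {
    if (std::isnan(px))
        return 0;
    double scaled = px * kFixedPointDenominator;
    if (scaled >= static_cast<double>(INT_MAX))
        return INT_MAX;
    if (scaled <= static_cast<double>(INT_MIN))
        return INT_MIN;
    return static_cast<int>(scaled);
}

int main() {
    double zoom = effectiveZoom(9825555398.0, 32);   // constructed depth
    double breadth = scaledTrackBreadth(0.0, zoom);
    std::printf("effective zoom: %g, scaled breadth: %g\n", zoom, breadth);
    std::printf("naive guard lets NaN through: %s\n",
                naiveGuardLetsThrough(breadth) ? "yes" : "no");
    std::printf("checked conversion: NaN -> %d, +inf -> %d\n",
                toFixedPointChecked(breadth), toFixedPointChecked(zoom));
    return 0;
}
```

The point of the model is the guard: `value > max || value < min` is false for NaN, so the only robust place to stop a non-finite value is a `std::isnan`/`std::isfinite` test before any comparison-based clamp, and that test belongs where lengths are converted rather than in GridLength alone.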
Comment 9 Ahmad Saleem 2023-01-20 10:29:26 PST
Using MiniBrowser WK Debug based of 259136@main, I am not able to reproduce this ASSERT Failed using attached “Test” case, do we need to track it further?