Bug 176151 - Crash in WebCore::CalculationValue::evaluate
Summary: Crash in WebCore::CalculationValue::evaluate
Status: RESOLVED DUPLICATE of bug 237389
Alias: None
Product: WebKit
Classification: Unclassified
Component: CSS
Version: Other
Hardware: PC Linux
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-08-30 21:45 PDT by Michael Catanzaro
Modified: 2022-04-14 23:24 PDT
CC List: 3 users

See Also:


Attachments
Backtrace (164.48 KB, text/plain)
2017-08-30 21:45 PDT, Michael Catanzaro

Description Michael Catanzaro 2017-08-30 21:45:25 PDT
Created attachment 319446
Backtrace

Crash in WebCore::CalculationValue::evaluate:

Truncated backtrace:
Thread no. 1 (10 frames)
 #0 std::unique_ptr<WebCore::CalcExpressionNode, std::default_delete<WebCore::CalcExpressionNode> >::get at /usr/include/c++/6.3.1/bits/unique_ptr.h:308
 #1 std::unique_ptr<WebCore::CalcExpressionNode, std::default_delete<WebCore::CalcExpressionNode> >::operator-> at /usr/include/c++/6.3.1/bits/unique_ptr.h:302
 #2 WebCore::CalculationValue::evaluate at /usr/src/debug/webkitgtk-2.16.3/Source/WebCore/platform/CalculationValue.cpp:56
 #3 WebCore::Length::nonNanCalculatedValue at /usr/src/debug/webkitgtk-2.16.3/Source/WebCore/platform/Length.cpp:276
 #4 WebCore::floatValueForLength at /usr/src/debug/webkitgtk-2.16.3/Source/WebCore/css/LengthFunctions.cpp:105
 #5 WebCore::TranslateTransformOperation::y at /usr/src/debug/webkitgtk-2.16.3/Source/WebCore/platform/graphics/transforms/TranslateTransformOperation.h:53
 #6 WebCore::TranslateTransformOperation::apply at /usr/src/debug/webkitgtk-2.16.3/Source/WebCore/platform/graphics/transforms/TranslateTransformOperation.h:70
 #7 WebCore::RenderStyle::applyTransform at /usr/src/debug/webkitgtk-2.16.3/Source/WebCore/rendering/style/RenderStyle.cpp:1140
 #8 WebCore::RenderLayerBacking::updateTransform at /usr/src/debug/webkitgtk-2.16.3/Source/WebCore/rendering/RenderLayerBacking.cpp:363
 #9 WebCore::RenderLayerBacking::updateGeometry at /usr/src/debug/webkitgtk-2.16.3/Source/WebCore/rendering/RenderLayerBacking.cpp:843

I have only one report of this crash, so it's probably low priority. Better backtrace attached.
Comment 1 Michael Catanzaro 2017-08-30 21:52:09 PDT
I found a second reporter, who says "I was listening to music at the website rcnmundo.com/lafm"
Comment 2 Bastien Nocera 2018-10-19 05:03:50 PDT
(In reply to Michael Catanzaro from comment #1)
> I found a second reporter, who says "I was listening to music at the website
> rcnmundo.com/lafm"

I reproduced this in an online course; Epiphany crashed multiple times trying to finish that course.

Truncated backtrace (gdb crashes with OOM when I try to print a backtrace):
#0  0x00007f6801abfa38 in std::__uniq_ptr_impl<WebCore::CalcExpressionNode, std::default_delete<WebCore::CalcExpressionNode> >::_M_ptr() const (this=0x8)
    at /usr/src/debug/webkit2gtk3-2.22.2-1.fc28.x86_64/Source/WebCore/platform/CalculationValue.cpp:63
#1  0x00007f6801abfa38 in std::unique_ptr<WebCore::CalcExpressionNode, std::default_delete<WebCore::CalcExpressionNode> >::get() const (this=0x8) at /usr/include/c++/8/bits/unique_ptr.h:343
#2  0x00007f6801abfa38 in std::unique_ptr<WebCore::CalcExpressionNode, std::default_delete<WebCore::CalcExpressionNode> >::operator->() const (this=0x8) at /usr/include/c++/8/bits/unique_ptr.h:337
#3  0x00007f6801abfa38 in WebCore::CalculationValue::evaluate(float) const (this=0x0, maxValue=356) at /usr/src/debug/webkit2gtk3-2.22.2-1.fc28.x86_64/Source/WebCore/platform/CalculationValue.cpp:63
#4  0x00007f6801accd30 in WebCore::Length::nonNanCalculatedValue(int) const (this=<optimized out>, maxValue=356) at /usr/src/debug/webkit2gtk3-2.22.2-1.fc28.x86_64/Source/WebCore/platform/Length.cpp:277


The "this" pointer in #2 looks suspiciously like a NULL pointer dereference.
Comment 3 Bastien Nocera 2018-10-19 05:34:13 PDT
Full bt (for the crashing thread):
#0  0x00007f6801abfa38 in std::__uniq_ptr_impl<WebCore::CalcExpressionNode, std::default_delete<WebCore::CalcExpressionNode> >::_M_ptr() const (this=0x8)
    at /usr/src/debug/webkit2gtk3-2.22.2-1.fc28.x86_64/Source/WebCore/platform/CalculationValue.cpp:63
#1  0x00007f6801abfa38 in std::unique_ptr<WebCore::CalcExpressionNode, std::default_delete<WebCore::CalcExpressionNode> >::get() const (this=0x8) at /usr/include/c++/8/bits/unique_ptr.h:343
#2  0x00007f6801abfa38 in std::unique_ptr<WebCore::CalcExpressionNode, std::default_delete<WebCore::CalcExpressionNode> >::operator->() const (this=0x8) at /usr/include/c++/8/bits/unique_ptr.h:337
#3  0x00007f6801abfa38 in WebCore::CalculationValue::evaluate(float) const (this=0x0, maxValue=356) at /usr/src/debug/webkit2gtk3-2.22.2-1.fc28.x86_64/Source/WebCore/platform/CalculationValue.cpp:63
#4  0x00007f6801accd30 in WebCore::Length::nonNanCalculatedValue(int) const (this=<optimized out>, maxValue=356) at /usr/src/debug/webkit2gtk3-2.22.2-1.fc28.x86_64/Source/WebCore/platform/Length.cpp:277
#5  0x00007f68013b432a in WebCore::TranslateTransformOperation::apply(WebCore::TransformationMatrix&, WebCore::FloatSize const&) const (this=0x7f66e7fdcb90, transform=..., borderBoxSize=...)
    at /usr/src/debug/webkit2gtk3-2.22.2-1.fc28.x86_64/Source/WebCore/platform/graphics/FloatSize.h:71
#6  0x00007f6800d9be4b in WebCore::applyTransformAnimation (listsMatch=<optimized out>, boxSize=..., progress=<optimized out>, to=..., from=...)
    at /usr/src/debug/webkit2gtk3-2.22.2-1.fc28.x86_64/Source/WebCore/platform/graphics/transforms/TransformOperations.h:84
#7  0x00007f6800d9be4b in WebCore::TextureMapperAnimation::applyInternal(WebCore::TextureMapperAnimation::ApplicationResult&, WebCore::AnimationValue const&, WebCore::AnimationValue const&, float) (this=this@entry=0x7f66f24dccc0, applicationResults=..., from=..., to=..., progress=<optimized out>) at /usr/src/debug/webkit2gtk3-2.22.2-1.fc28.x86_64/Source/WebCore/platform/graphics/texmap/TextureMapperAnimation.cpp:278
#8  0x00007f6800d9cb06 in WebCore::TextureMapperAnimation::apply(WebCore::TextureMapperAnimation::ApplicationResult&, WTF::MonotonicTime) (this=this@entry=0x7f66f24dccc0, applicationResults=..., time=..., 
    time@entry=...) at /usr/src/debug/webkit2gtk3-2.22.2-1.fc28.x86_64/Source/WebCore/platform/graphics/texmap/TextureMapperAnimation.cpp:237
#9  0x00007f6800d9cdd5 in WebCore::TextureMapperAnimations::apply(WebCore::TextureMapperAnimation::ApplicationResult&, WTF::MonotonicTime) (this=this@entry=0x7f66f24935b8, applicationResults=..., time=...)
    at /usr/src/debug/webkit2gtk3-2.22.2-1.fc28.x86_64/Source/WebCore/platform/graphics/texmap/TextureMapperAnimation.cpp:338
#10 0x00007f6800da090c in WebCore::TextureMapperLayer::syncAnimations(WTF::MonotonicTime) (this=this@entry=0x7f66f24933c0, time=..., time@entry=...)
    at /usr/src/debug/webkit2gtk3-2.22.2-1.fc28.x86_64/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:648
#11 0x00007f6800da0cfa in WebCore::TextureMapperLayer::applyAnimationsRecursively(WTF::MonotonicTime) (this=0x7f66f24933c0, time=...)
    at /usr/src/debug/webkit2gtk3-2.22.2-1.fc28.x86_64/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:639
#12 0x00007f6800da0d21 in WebCore::TextureMapperLayer::applyAnimationsRecursively(WTF::MonotonicTime) (this=<optimized out>, time=...)
    at /usr/src/debug/webkit2gtk3-2.22.2-1.fc28.x86_64/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:641
#13 0x00007f6800da0d21 in WebCore::TextureMapperLayer::applyAnimationsRecursively(WTF::MonotonicTime) (this=<optimized out>, time=...)
    at /usr/src/debug/webkit2gtk3-2.22.2-1.fc28.x86_64/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:641
#14 0x00007f6800da0d21 in WebCore::TextureMapperLayer::applyAnimationsRecursively(WTF::MonotonicTime) (this=<optimized out>, time=...)
    at /usr/src/debug/webkit2gtk3-2.22.2-1.fc28.x86_64/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:641
#15 0x00007f6800da0d21 in WebCore::TextureMapperLayer::applyAnimationsRecursively(WTF::MonotonicTime) (this=<optimized out>, time=...)
    at /usr/src/debug/webkit2gtk3-2.22.2-1.fc28.x86_64/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:641
#16 0x00007f6800da0d21 in WebCore::TextureMapperLayer::applyAnimationsRecursively(WTF::MonotonicTime) (this=<optimized out>, time=...)
    at /usr/src/debug/webkit2gtk3-2.22.2-1.fc28.x86_64/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:641
#17 0x00007f6800da0d21 in WebCore::TextureMapperLayer::applyAnimationsRecursively(WTF::MonotonicTime) (this=<optimized out>, time=...)
    at /usr/src/debug/webkit2gtk3-2.22.2-1.fc28.x86_64/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:641
#18 0x00007f6800da0d21 in WebCore::TextureMapperLayer::applyAnimationsRecursively(WTF::MonotonicTime) (this=<optimized out>, time=...)
    at /usr/src/debug/webkit2gtk3-2.22.2-1.fc28.x86_64/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:641
#19 0x00007f6800da0d21 in WebCore::TextureMapperLayer::applyAnimationsRecursively(WTF::MonotonicTime) (this=<optimized out>, time=...)
    at /usr/src/debug/webkit2gtk3-2.22.2-1.fc28.x86_64/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:641
#20 0x00007f6800da0d21 in WebCore::TextureMapperLayer::applyAnimationsRecursively(WTF::MonotonicTime) (this=this@entry=0x7f66f246b000, time=...)
    at /usr/src/debug/webkit2gtk3-2.22.2-1.fc28.x86_64/Source/WebCore/platform/graphics/texmap/TextureMapperLayer.cpp:641
#21 0x00007f6800a40fa9 in WebKit::CoordinatedGraphicsScene::paintToCurrentGLContext(WebCore::TransformationMatrix const&, float, WebCore::FloatRect const&, WebCore::Color const&, bool, unsigned int) (this=0x7f6703826000, matrix=..., opacity=1, clipRect=..., backgroundColor=..., drawsBackground=<optimized out>, PaintFlags=1)
    at /usr/src/debug/webkit2gtk3-2.22.2-1.fc28.x86_64/Source/WebKit/Shared/CoordinatedGraphics/CoordinatedGraphicsScene.cpp:75
#22 0x00007f6800a4746d in WebKit::ThreadedCompositor::renderLayerTree() (this=0x7f670384ce58) at /usr/src/debug/webkit2gtk3-2.22.2-1.fc28.x86_64/Source/WebCore/platform/graphics/Color.h:446
#23 0x00007f67ff7c9d57 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::{lambda(void*)#1}::_FUN(void*) () at /lib64/libjavascriptcoregtk-4.0.so.18
#24 0x00007f67f7bf088d in g_main_context_dispatch () at /lib64/libglib-2.0.so.0
#25 0x00007f67f7bf0c58 in g_main_context_iterate.isra () at /lib64/libglib-2.0.so.0
#26 0x00007f67f7bf0f82 in g_main_loop_run () at /lib64/libglib-2.0.so.0
#27 0x00007f67ff7ca1e0 in WTF::RunLoop::run() () at /lib64/libjavascriptcoregtk-4.0.so.18
#28 0x00007f67ff7a19ef in WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) () at /lib64/libjavascriptcoregtk-4.0.so.18
#29 0x00007f67ff7c823d in WTF::wtfThreadEntryPoint(void*) () at /lib64/libjavascriptcoregtk-4.0.so.18
#30 0x00007f67fc504594 in start_thread () at /lib64/libpthread.so.0
#31 0x00007f67f5243e6f in clone () at /lib64/libc.so.6
Comment 4 Michael Catanzaro 2018-10-19 08:33:02 PDT
The Length class is way more complicated than it needs to be. There are a bunch of different LengthTypes:

enum LengthType {
    Auto, Relative, Percent, Fixed,
    Intrinsic, MinIntrinsic,
    MinContent, MaxContent, FillAvailable, FitContent,
    Calculated,
    Undefined
};

Calling calculationValue() for a non-Calculated length is illegal and would result in an assert in debug mode. That's what's happening here. So some higher level code is badly misusing the Length.
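The two backtraces in comments 2 and 3 agree with this reading: frame #3 shows CalculationValue::evaluate running with this=0x0, and frames #0-#2 show the unique_ptr<CalcExpressionNode> member with this=0x8, i.e. a member at offset 8 inside a CalculationValue that was never there. The example below is added here to illustrate the failure mode comment 4 describes; it is not WebKit code. DemoLength, DemoCalc, DemoCalcExpression and the demo* functions are hypothetical names, the storage layout is simplified, and WebKit's ASSERT() (present in debug builds, compiled out in release) is modelled as a debugBuild flag so both behaviours can be exercised in one binary.

```cpp
#include <memory>
#include <stdexcept>

// Added illustration, not WebKit code: a Length-like value whose calc accessor
// is guarded only by a debug-build assertion, as comment 4 describes.
// DemoLength, DemoCalc, DemoCalcExpression and the demo* functions are
// hypothetical names; WebCore::Length stores calc values differently.

enum DemoLengthType { Auto, Percent, Fixed, Calculated, Undefined };

// Stand-in for a calc() expression tree: evaluates percentOfMax*max + fixedPart.
struct DemoCalcExpression {
    float percentOfMax;
    float fixedPart;
};

struct DemoCalc {
    std::unique_ptr<DemoCalcExpression> expression;
    // Like the crashing frame, evaluate() goes through a unique_ptr member.
    float evaluate(float maxValue) const {
        return expression->percentOfMax * maxValue + expression->fixedPart;
    }
};

// Thrown in place of an aborting ASSERT() so a debug-mode failure is observable.
struct DemoAssertionFailure : std::logic_error {
    using std::logic_error::logic_error;
};

struct DemoLength {
    DemoLengthType type = Undefined;
    float value = 0;                 // meaningful only for Percent and Fixed
    std::shared_ptr<DemoCalc> calc;  // non-null only when type == Calculated

    static DemoLength fixed(float v) { DemoLength l; l.type = Fixed; l.value = v; return l; }
    static DemoLength percent(float v) { DemoLength l; l.type = Percent; l.value = v; return l; }
    static DemoLength calculated(float percentOfMax, float fixedPart) {
        DemoLength l;
        l.type = Calculated;
        l.calc = std::make_shared<DemoCalc>();
        l.calc->expression = std::make_unique<DemoCalcExpression>(DemoCalcExpression{percentOfMax, fixedPart});
        return l;
    }
    bool isCalculated() const { return type == Calculated; }

    // The accessor pattern from comment 4. WebKit's ASSERT() is compiled out of
    // release builds; the debugBuild flag models that here. In a release build a
    // non-Calculated Length simply hands back a null pointer.
    const DemoCalc* calculationValue(bool debugBuild) const {
        if (debugBuild && !isCalculated())
            throw DemoAssertionFailure("calculationValue() on a non-Calculated Length");
        return calc.get();
    }
};

enum class DemoOutcome { Value, AssertionFailed, NullCalculationValue };

// Misuse path: the caller asks for the calc value without checking the type.
// It reports NullCalculationValue instead of dereferencing the null pointer;
// the page's backtrace is what happens when real code does the `->` anyway.
DemoOutcome demoEvaluateTrustingCaller(const DemoLength& length, float maxValue, bool debugBuild, float& out) {
    try {
        const DemoCalc* c = length.calculationValue(debugBuild);
        if (!c)
            return DemoOutcome::NullCalculationValue;
        out = c->evaluate(maxValue);
        return DemoOutcome::Value;
    } catch (const DemoAssertionFailure&) {
        return DemoOutcome::AssertionFailed;
    }
}

// Hardened path: dispatch on the type first, touch the calc pointer only in the
// Calculated arm, and keep the precondition check in every build.
float demoFloatValueForLength(const DemoLength& length, float maxValue) {
    switch (length.type) {
    case Fixed:
        return length.value;
    case Percent:
        return length.value * maxValue / 100.0f;
    case Calculated:
        if (!length.calc)   // not an assert: still enforced when NDEBUG is defined
            throw std::logic_error("Calculated Length without a CalculationValue");
        return length.calc->evaluate(maxValue);
    case Auto:
    case Undefined:
        return 0;           // model policy: these resolve to no offset
    }
    throw std::logic_error("unhandled DemoLengthType");
}

// True when the hardened path rejects a Calculated Length with no calc object.
bool demoRejectsCalculatedWithoutCalc() {
    DemoLength broken;
    broken.type = Calculated;
    try {
        demoFloatValueForLength(broken, 356);
    } catch (const std::logic_error&) {
        return true;
    }
    return false;
}
```

The point of the two paths is the one comment 4 makes: a debug-only assertion documents the precondition but does not enforce it in the binary users run, so a caller that reaches the calc accessor with the wrong LengthType gets a null object and the crash surfaces two frames deeper, in evaluate(), far from the code that misused the Length. Dispatching on the type before touching type-specific storage keeps the check in release builds as well.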
Comment 5 Martin Robinson 2022-04-14 23:24:39 PDT

*** This bug has been marked as a duplicate of bug 237389 ***