WebKit Bugzilla
New
Browse
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
RESOLVED DUPLICATE of
bug 187093
Bug 187421
ASSERTION FAILED: length.isCalculated() under WebCore::valueForImageSliceSide
https://bugs.webkit.org/show_bug.cgi?id=187421
Summary
ASSERTION FAILED: length.isCalculated() under WebCore::valueForImageSliceSide
Ryan Haddad
Reported
2018-07-06 16:06:17 PDT
Created
attachment 344476
[details]
Crash log The following was seen in the "Other Crashes" section of
https://build.webkit.org/results/Apple%20High%20Sierra%20Debug%20WK2%20(Tests)/r233586%20(4002)/results.html
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.JavaScriptCore 0x000000019779d150 WTFCrash + 16 (Assertions.cpp:267) 1 com.apple.WebCore 0x0000000189b1d1da WebCore::valueForImageSliceSide(WebCore::Length const&) + 218 (CSSComputedStyleDeclaration.cpp:502) 2 com.apple.WebCore 0x0000000189b0baf2 WebCore::valueForNinePieceImageSlice(WebCore::NinePieceImage const&) + 66 (CSSComputedStyleDeclaration.cpp:510) 3 com.apple.WebCore 0x0000000189aff6a2 WebCore::ComputedStyleExtractor::valueForPropertyinStyle(WebCore::RenderStyle const&, WebCore::CSSPropertyID, WebCore::RenderElement*) + 33778 (CSSComputedStyleDeclaration.cpp:3662) 4 com.apple.WebCore 0x0000000189af5dd0 WebCore::ComputedStyleExtractor::propertyValue(WebCore::CSSPropertyID, WebCore::EUpdateLayout) + 992 (CSSComputedStyleDeclaration.cpp:2707) 5 com.apple.WebCore 0x0000000189af59d5 WebCore::CSSComputedStyleDeclaration::getPropertyCSSValue(WebCore::CSSPropertyID, WebCore::EUpdateLayout) const + 117 (CSSComputedStyleDeclaration.cpp:2415) 6 com.apple.WebCore 0x0000000189b0fe9a WebCore::CSSComputedStyleDeclaration::getPropertyCSSValueInternal(WebCore::CSSPropertyID) + 58 (CSSComputedStyleDeclaration.cpp:4295) 7 com.apple.WebCore 0x0000000189bb1c52 WebCore::CSSStyleDeclaration::namedItem(WTF::AtomicString const&) + 114 (CSSStyleDeclaration.cpp:264) 8 com.apple.WebCore 0x00000001883da508 std::optional<WTF::Variant<WTF::String, double> > WebCore::JSCSSStyleDeclaration::getOwnPropertySlot(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&)::$_0::operator()<WebCore::JSCSSStyleDeclaration, JSC::PropertyName>(WebCore::JSCSSStyleDeclaration&, JSC::PropertyName) const + 88 (JSCSSStyleDeclaration.cpp:196) 9 com.apple.WebCore 0x00000001883cd8c3 decltype(fp2(fp0fp1)) WebCore::accessVisibleNamedProperty<(WebCore::OverrideBuiltins)0, WebCore::JSCSSStyleDeclaration, WebCore::JSCSSStyleDeclaration::getOwnPropertySlot(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&)::$_0&>(JSC::ExecState&, WebCore::JSCSSStyleDeclaration&, JSC::PropertyName, WebCore::JSCSSStyleDeclaration::getOwnPropertySlot(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&)::$_0&&&) + 115 (JSDOMAbstractOperations.h:97) 10 com.apple.WebCore 0x00000001883cc8ee WebCore::JSCSSStyleDeclaration::getOwnPropertySlot(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) + 670 (JSCSSStyleDeclaration.cpp:201) 11 com.apple.JavaScriptCore 0x00000001978beea2 JSC::JSObject::getNonIndexPropertySlot(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) + 690 (JSObjectInlines.h:150) 12 com.apple.JavaScriptCore 0x00000001978be356 bool JSC::JSObject::getPropertySlot<false>(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) + 246 (JSObject.h:1422) 13 com.apple.JavaScriptCore 0x0000000198105032 JSC::JSValue::getPropertySlot(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) const + 594 (JSCJSValueInlines.h:866) 14 com.apple.JavaScriptCore 0x00000001980ecb42 JSC::JSValue::get(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) const + 162 (JSCJSValueInlines.h:820) 15 com.apple.JavaScriptCore 0x00000001980e414d JSC::JSValue::get(JSC::ExecState*, JSC::PropertyName) const + 93 (JSCJSValueInlines.h:814) 16 com.apple.JavaScriptCore 0x00000001987cb9f6 JSC::LLInt::getByVal(JSC::VM&, JSC::ExecState*, JSC::Instruction*, JSC::JSValue, JSC::JSValue) + 1430 (LLIntSlowPaths.cpp:942) 17 com.apple.JavaScriptCore 0x00000001987cb325 llint_slow_path_get_by_val + 325 (LLIntSlowPaths.cpp:948) 18 com.apple.JavaScriptCore 0x000000019788c772 llint_entry + 16529
Attachments
Crash log
(102.88 KB, text/plain)
2018-07-06 16:06 PDT
,
Ryan Haddad
no flags
Details
View All
Add attachment
proposed patch, testcase, etc.
Ryan Haddad
Comment 1
2018-07-06 16:09:52 PDT
The attached crashlog blames imported/w3c/canvas/type.replace.html, but no test is mentioned in some of the other examples I see on the debug bots.
Ryan Haddad
Comment 2
2018-07-06 16:11:15 PDT
Here is a DRT example:
https://build.webkit.org/results/Apple%20Sierra%20Debug%20WK1%20(Tests)/r233591%20(8542)/DumpRenderTree-47189-crash-log.txt
CRASHING TEST:
http://localhost:8800/infrastructure/assumptions/html-elements.html
Ryan Haddad
Comment 3
2018-07-06 16:11:53 PDT
imported/w3c/web-platform-tests/infrastructure/assumptions/html-elements.html was added in
https://trac.webkit.org/changeset/233463
Ryan Haddad
Comment 4
2018-07-06 16:12:50 PDT
Ah, the test is marked as [ Pass Crash ]
https://bugs.webkit.org/show_bug.cgi?id=187093
Ryan Haddad
Comment 5
2018-07-06 16:13:34 PDT
*** This bug has been marked as a duplicate of
bug 187093
***
Note
You need to
log in
before you can comment on or make changes to this bug.
Top of Page
Format For Printing
XML
Clone This Bug