Bug 223366 - Zero division in RenderBox::blockSizeFromAspectRatio via WebCore::RenderBox::computeLogicalHeight
Summary: Zero division in RenderBox::blockSizeFromAspectRatio via WebCore::RenderBox::...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Rob Buis
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2021-03-17 01:24 PDT by Ryosuke Niwa
Modified: 2021-03-18 10:50 PDT
CC List: 11 users

See Also:


Attachments
Test (855.10 KB, text/html) - 2021-03-17 01:24 PDT, Ryosuke Niwa - no flags
Patch (3.30 KB, patch) - 2021-03-17 02:37 PDT, Rob Buis - no flags
Patch (4.85 KB, patch) - 2021-03-17 05:50 PDT, Rob Buis - no flags
Patch (4.98 KB, patch) - 2021-03-18 01:29 PDT, Rob Buis - ews-feeder: commit-queue-

Description Ryosuke Niwa 2021-03-17 01:24:05 PDT
Created attachment 423452 [details]
Test

e.g.

    #0 0x1b31b032e in WebCore::operator/(WebCore::LayoutUnit const&, WebCore::LayoutUnit const&)+0xce (WebCore.framework/Versions/A/WebCore:x86_64+0x2f3632e)
    #1 0x1b57da446 in WebCore::RenderBox::blockSizeFromAspectRatio(WebCore::LayoutUnit, WebCore::LayoutUnit, WebCore::LayoutUnit, WebCore::BoxSizing, WebCore::LayoutUnit)+0x186 (WebCore.framework/Versions/A/WebCore:x86_64+0x5560446)
    #2 0x1b58770ce in WebCore::RenderBox::computeLogicalHeight(WebCore::LayoutUnit, WebCore::LayoutUnit) const+0xa0e (WebCore.framework/Versions/A/WebCore:x86_64+0x55fd0ce)
    #3 0x1b5876257 in WebCore::RenderBox::updateLogicalHeight()+0x127 (WebCore.framework/Versions/A/WebCore:x86_64+0x55fc257)
    #4 0x1b57f1ee8 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)+0x798 (WebCore.framework/Versions/A/WebCore:x86_64+0x5577ee8)
    #5 0x1b57c1524 in WebCore::RenderBlock::layout()+0x114 (WebCore.framework/Versions/A/WebCore:x86_64+0x5547524)
    #6 0x1b57f7074 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0x5b4 (WebCore.framework/Versions/A/WebCore:x86_64+0x557d074)
    #7 0x1b57f3a9d in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)+0x2cd (WebCore.framework/Versions/A/WebCore:x86_64+0x5579a9d)
    #8 0x1b57f1c27 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)+0x4d7 (WebCore.framework/Versions/A/WebCore:x86_64+0x5577c27)
    #9 0x1b57c1524 in WebCore::RenderBlock::layout()+0x114 (WebCore.framework/Versions/A/WebCore:x86_64+0x5547524)
    #10 0x1b57f7074 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0x5b4 (WebCore.framework/Versions/A/WebCore:x86_64+0x557d074)
    #11 0x1b57f3a9d in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)+0x2cd (WebCore.framework/Versions/A/WebCore:x86_64+0x5579a9d)
    #12 0x1b57f1c27 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)+0x4d7 (WebCore.framework/Versions/A/WebCore:x86_64+0x5577c27)
    #13 0x1b57c1524 in WebCore::RenderBlock::layout()+0x114 (WebCore.framework/Versions/A/WebCore:x86_64+0x5547524)
    #14 0x1b5920026 in WebCore::RenderFragmentedFlow::layout()+0x116 (WebCore.framework/Versions/A/WebCore:x86_64+0x56a6026)
    #15 0x1b5a82910 in WebCore::RenderMultiColumnFlow::layout()+0xb0 (WebCore.framework/Versions/A/WebCore:x86_64+0x5808910)
    #16 0x1b58187c3 in WebCore::RenderBlockFlow::layoutExcludedChildren(bool)+0xc3 (WebCore.framework/Versions/A/WebCore:x86_64+0x559e7c3)
    #17 0x1b57f39a2 in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)+0x1d2 (WebCore.framework/Versions/A/WebCore:x86_64+0x55799a2)
    #18 0x1b57f1c27 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)+0x4d7 (WebCore.framework/Versions/A/WebCore:x86_64+0x5577c27)
    #19 0x1b57c1524 in WebCore::RenderBlock::layout()+0x114 (WebCore.framework/Versions/A/WebCore:x86_64+0x5547524)
    #20 0x1b57f7074 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0x5b4 (WebCore.framework/Versions/A/WebCore:x86_64+0x557d074)
    #21 0x1b57f3a9d in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)+0x2cd (WebCore.framework/Versions/A/WebCore:x86_64+0x5579a9d)
    #22 0x1b57f1c27 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)+0x4d7 (WebCore.framework/Versions/A/WebCore:x86_64+0x5577c27)
    #23 0x1b57c1524 in WebCore::RenderBlock::layout()+0x114 (WebCore.framework/Versions/A/WebCore:x86_64+0x5547524)
    #24 0x1b57f7074 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0x5b4 (WebCore.framework/Versions/A/WebCore:x86_64+0x557d074)
    #25 0x1b57f3a9d in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)+0x2cd (WebCore.framework/Versions/A/WebCore:x86_64+0x5579a9d)
    #26 0x1b57f1c27 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)+0x4d7 (WebCore.framework/Versions/A/WebCore:x86_64+0x5577c27)
    #27 0x1b57c1524 in WebCore::RenderBlock::layout()+0x114 (WebCore.framework/Versions/A/WebCore:x86_64+0x5547524)
    #28 0x1b57f7074 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0x5b4 (WebCore.framework/Versions/A/WebCore:x86_64+0x557d074)
    #29 0x1b57f3a9d in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)+0x2cd (WebCore.framework/Versions/A/WebCore:x86_64+0x5579a9d)
    #30 0x1b57f1c27 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)+0x4d7 (WebCore.framework/Versions/A/WebCore:x86_64+0x5577c27)
    #31 0x1b57c1524 in WebCore::RenderBlock::layout()+0x114 (WebCore.framework/Versions/A/WebCore:x86_64+0x5547524)
    #32 0x1b57f7074 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0x5b4 (WebCore.framework/Versions/A/WebCore:x86_64+0x557d074)
    #33 0x1b57f3a9d in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)+0x2cd (WebCore.framework/Versions/A/WebCore:x86_64+0x5579a9d)
    #34 0x1b57f1c27 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)+0x4d7 (WebCore.framework/Versions/A/WebCore:x86_64+0x5577c27)
    #35 0x1b57c1524 in WebCore::RenderBlock::layout()+0x114 (WebCore.framework/Versions/A/WebCore:x86_64+0x5547524)
    #36 0x1b57f7074 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0x5b4 (WebCore.framework/Versions/A/WebCore:x86_64+0x557d074)
    #37 0x1b57f3a9d in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)+0x2cd (WebCore.framework/Versions/A/WebCore:x86_64+0x5579a9d)
    #38 0x1b57f1c27 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)+0x4d7 (WebCore.framework/Versions/A/WebCore:x86_64+0x5577c27)
    #39 0x1b57c1524 in WebCore::RenderBlock::layout()+0x114 (WebCore.framework/Versions/A/WebCore:x86_64+0x5547524)
    #40 0x1b5b69d36 in WebCore::RenderView::layout()+0x5c6 (WebCore.framework/Versions/A/WebCore:x86_64+0x58efd36)
    #41 0x1b4ce2829 in WebCore::FrameViewLayoutContext::layout()+0x549 (WebCore.framework/Versions/A/WebCore:x86_64+0x4a68829)
    #42 0x1b3b0ff22 in WebCore::Document::updateLayout()+0x212 (WebCore.framework/Versions/A/WebCore:x86_64+0x3895f22)
    #43 0x1b3b12462 in WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks)+0x92 (WebCore.framework/Versions/A/WebCore:x86_64+0x3898462)
    #44 0x1b36b6142 in WebCore::ComputedStyleExtractor::propertyValue(WebCore::CSSPropertyID, WebCore::EUpdateLayout)+0x2a2 (WebCore.framework/Versions/A/WebCore:x86_64+0x343c142)
    #45 0x1b36b5e04 in WebCore::CSSComputedStyleDeclaration::getPropertyCSSValue(WebCore::CSSPropertyID, WebCore::EUpdateLayout) const+0x114 (WebCore.framework/Versions/A/WebCore:x86_64+0x343be04)
    #46 0x1b36e1522 in WebCore::CSSComputedStyleDeclaration::getPropertyCSSValueInternal(WebCore::CSSPropertyID)+0x12 (WebCore.framework/Versions/A/WebCore:x86_64+0x3467522)
    #47 0x1b37deaa5 in WebCore::CSSStyleDeclaration::namedItem(WTF::AtomString const&)+0x175 (WebCore.framework/Versions/A/WebCore:x86_64+0x3564aa5)
    #48 0x1b09d119e in WTF::Optional<WTF::Variant<WTF::String, double> > WebCore::JSCSSStyleDeclaration::getOwnPropertySlot(JSC::JSObject*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::PropertySlot&)::$_8::operator()<WebCore::JSCSSStyleDeclaration, JSC::PropertyName>(WebCore::JSCSSStyleDeclaration&, JSC::PropertyName) const+0x10e (WebCore.framework/Versions/A/WebCore:x86_64+0x75719e)
    #49 0x1b09248e4 in decltype(fp2(fp0, fp1)) WebCore::accessVisibleNamedProperty<(WebCore::LegacyOverrideBuiltIns)0, WebCore::JSCSSStyleDeclaration, WebCore::JSCSSStyleDeclaration::getOwnPropertySlot(JSC::JSObject*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::PropertySlot&)::$_8&>(JSC::JSGlobalObject&, WebCore::JSCSSStyleDeclaration&, JSC::PropertyName, WebCore::JSCSSStyleDeclaration::getOwnPropertySlot(JSC::JSObject*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::PropertySlot&)::$_8&)+0x224 (WebCore.framework/Versions/A/WebCore:x86_64+0x6aa8e4)
    #50 0x1b092149b in WebCore::JSCSSStyleDeclaration::getOwnPropertySlot(JSC::JSObject*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::PropertySlot&)+0x88b (WebCore.framework/Versions/A/WebCore:x86_64+0x6a749b)
    #51 0x1d166d66e in JSC::LLInt::performLLIntGetByID(JSC::Instruction const*, JSC::CodeBlock*, JSC::JSGlobalObject*, JSC::JSValue, JSC::Identifier const&, JSC::GetByIdModeMetadata&)+0x1c7e (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x277b66e)
    #52 0x1d166b7a1 in llint_slow_path_get_by_id+0x211 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x27797a1)
    #53 0x1cfb374f4 in llint_entry+0x952c (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xc454f4)
    #54 0x1cfb48db0 in llint_entry+0x1ade8 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xc56db0)
    #55 0x1cfb48db0 in llint_entry+0x1ade8 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xc56db0)
    #56 0x1cfb49a9b in llint_entry+0x1bad3 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xc57a9b)
    #57 0x1cfb2ddc8 in vmEntryToJavaScript+0xd7 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0xc3bdc8)
    #58 0x1d13767d1 in JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)+0x611 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x24847d1)
    #59 0x1d1a5fd14 in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)+0x64 (JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2b6dd14)
    #60 0x1b420dd23 in WebCore::HTMLMediaElement::didAddUserAgentShadowRoot(WebCore::ShadowRoot&)::$_41::operator()(WebCore::JSDOMGlobalObject&, JSC::JSGlobalObject&, WebCore::ScriptController&, WebCore::DOMWrapperWorld&) const+0x473 (WebCore.framework/Versions/A/WebCore:x86_64+0x3f93d23)
    #61 0x1b420d861 in WTF::Detail::CallableWrapper<WebCore::HTMLMediaElement::didAddUserAgentShadowRoot(WebCore::ShadowRoot&)::$_41, bool, WebCore::JSDOMGlobalObject&, JSC::JSGlobalObject&, WebCore::ScriptController&, WebCore::DOMWrapperWorld&>::call(WebCore::JSDOMGlobalObject&, JSC::JSGlobalObject&, WebCore::ScriptController&, WebCore::DOMWrapperWorld&)+0x51 (WebCore.framework/Versions/A/WebCore:x86_64+0x3f93861)
    #62 0x1b41aed5d in WTF::Function<bool (WebCore::JSDOMGlobalObject&, JSC::JSGlobalObject&, WebCore::ScriptController&, WebCore::DOMWrapperWorld&)>::operator()(WebCore::JSDOMGlobalObject&, JSC::JSGlobalObject&, WebCore::ScriptController&, WebCore::DOMWrapperWorld&) const+0x8d (WebCore.framework/Versions/A/WebCore:x86_64+0x3f34d5d)
    #63 0x1b41ae9a2 in WebCore::HTMLMediaElement::setupAndCallJS(WTF::Function<bool (WebCore::JSDOMGlobalObject&, JSC::JSGlobalObject&, WebCore::ScriptController&, WebCore::DOMWrapperWorld&)> const&)+0x172 (WebCore.framework/Versions/A/WebCore:x86_64+0x3f349a2)
    #64 0x1b41c1682 in WebCore::HTMLMediaElement::didAddUserAgentShadowRoot(WebCore::ShadowRoot&)+0x1a2 (WebCore.framework/Versions/A/WebCore:x86_64+0x3f47682)
    #65 0x1b3c1d476 in WebCore::Element::addShadowRoot(WTF::Ref<WebCore::ShadowRoot, WTF::RawPtrTraits<WebCore::ShadowRoot> >&&)+0x2f6 (WebCore.framework/Versions/A/WebCore:x86_64+0x39a3476)
    #66 0x1b3c1e0b0 in WebCore::Element::ensureUserAgentShadowRoot()+0x1c0 (WebCore.framework/Versions/A/WebCore:x86_64+0x39a40b0)
    #67 0x1b41ae74f in WebCore::HTMLMediaElement::ensureMediaControlsShadowRoot()+0x9f (WebCore.framework/Versions/A/WebCore:x86_64+0x3f3474f)
    #68 0x1b418838f in WebCore::HTMLMediaElement::configureMediaControls()+0xef (WebCore.framework/Versions/A/WebCore:x86_64+0x3f0e38f)
    #69 0x1b418988b in WebCore::HTMLMediaElement::didFinishInsertingNode()+0x2cb (WebCore.framework/Versions/A/WebCore:x86_64+0x3f0f88b)
    #70 0x1b3aa38d2 in WebCore::ContainerNode::parserAppendChild(WebCore::Node&)+0x412 (WebCore.framework/Versions/A/WebCore:x86_64+0x38298d2)
    #71 0x1b44b7a96 in WebCore::insert(WebCore::HTMLConstructionSiteTask&)+0xb6 (WebCore.framework/Versions/A/WebCore:x86_64+0x423da96)
    #72 0x1b44b702c in WebCore::executeInsertTask(WebCore::HTMLConstructionSiteTask&)+0x1c (WebCore.framework/Versions/A/WebCore:x86_64+0x423d02c)
    #73 0x1b44a7dca in WebCore::executeTask(WebCore::HTMLConstructionSiteTask&)+0x3a (WebCore.framework/Versions/A/WebCore:x86_64+0x422ddca)
    #74 0x1b44a7c57 in WebCore::HTMLConstructionSite::executeQueuedTasks()+0x127 (WebCore.framework/Versions/A/WebCore:x86_64+0x422dc57)
    #75 0x1b450001c in WebCore::HTMLTreeBuilder::constructTree(WebCore::AtomicHTMLToken&&)+0xfc (WebCore.framework/Versions/A/WebCore:x86_64+0x428601c)
    #76 0x1b44b1785 in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken(WebCore::HTMLTokenizer::TokenPtr&)+0x135 (WebCore.framework/Versions/A/WebCore:x86_64+0x4237785)
    #77 0x1b44b1163 in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&)+0x163 (WebCore.framework/Versions/A/WebCore:x86_64+0x4237163)
    #78 0x1b44b02de in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode)+0x17e (WebCore.framework/Versions/A/WebCore:x86_64+0x42362de)
    #79 0x1b44afe58 in WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode)+0x38 (WebCore.framework/Versions/A/WebCore:x86_64+0x4235e58)
    #80 0x1b44b2279 in WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl, WTF::RawPtrTraits<WTF::StringImpl>, WTF::DefaultRefDerefTraits<WTF::StringImpl> >&&)+0x2d9 (WebCore.framework/Versions/A/WebCore:x86_64+0x4238279)
    #81 0x1b3afce4e in WebCore::DecodedDataDocumentParser::appendBytes(WebCore::DocumentWriter&, char const*, unsigned long)+0x16e (WebCore.framework/Versions/A/WebCore:x86_64+0x3882e4e)
    #82 0x1b4a184f8 in WebCore::DocumentWriter::addData(char const*, unsigned long)+0x78 (WebCore.framework/Versions/A/WebCore:x86_64+0x479e4f8)

<rdar://75202478>
Comment 1 Rob Buis 2021-03-17 02:37:44 PDT
Created attachment 423457 [details]
Patch
Comment 2 Rob Buis 2021-03-17 05:50:44 PDT
Created attachment 423477 [details]
Patch
Comment 3 zalan 2021-03-17 18:33:56 PDT
Comment on attachment 423477 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=423477&action=review

> Source/WebCore/ChangeLog:8
> +        Use double instead of LayoutUnit division.

Please change it to say 'why' not 'what', e.g. LayoutUnit resolution is not high enough to support...
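The resolution problem zalan is asking the ChangeLog to spell out can be shown with a small model. The code below is an added illustration, not the page's own code and not WebCore's: FixedUnit is a stand-in for a fixed-point layout unit with 64 sub-pixel steps per pixel (the same denominator WebKit's LayoutUnit uses), and the two blockSizeFromAspectRatio* functions model the "before" shape (ratio quantized to the fixed-point type, then divided, the LayoutUnit/LayoutUnit operator/ at frame #0) and the "after" shape (ratio kept as a double, as the patch summary says). Any aspect ratio below 1/64 truncates to zero in the fixed-point path and the division has a zero divisor; the double path keeps it. The nullopt guards are the example's own; the page does not show how the landed patch handles a genuinely zero ratio.

```cpp
#include <optional>

// Stand-in for a fixed-point layout unit: an integer count of 1/64 px.
// The 64 sub-pixel steps match WebKit's LayoutUnit, but this struct is the
// example's own model, not WebCore::LayoutUnit.
struct FixedUnit {
    static constexpr int kDenominator = 64;
    int raw = 0;

    static FixedUnit fromDouble(double v)
    {
        FixedUnit u;
        u.raw = static_cast<int>(v * kDenominator); // truncates toward zero
        return u;
    }
    double toDouble() const { return static_cast<double>(raw) / kDenominator; }
    bool isZero() const { return raw == 0; }
};

// "Before" shape: the aspect ratio is quantized to the fixed-point unit before
// the division, which is what the LayoutUnit operator/ at frame #0 sees.
// Returns nullopt where the real code would divide by zero (example's own guard).
std::optional<double> blockSizeFromAspectRatioFixed(double inlineSize, double aspectRatio)
{
    FixedUnit ratio = FixedUnit::fromDouble(aspectRatio);
    if (ratio.isZero())
        return std::nullopt;
    return FixedUnit::fromDouble(inlineSize).toDouble() / ratio.toDouble();
}

// "After" shape: keep the ratio as a double so tiny but non-zero ratios survive
// the division. A ratio that is genuinely zero (or negative/NaN) still needs a
// guard; this guard is the example's choice.
std::optional<double> blockSizeFromAspectRatioDouble(double inlineSize, double aspectRatio)
{
    if (!(aspectRatio > 0.0))
        return std::nullopt;
    return inlineSize / aspectRatio;
}

// True when a positive ratio is lost entirely by the fixed-point representation.
bool fixedPathLosesRatio(double aspectRatio)
{
    return aspectRatio > 0.0 && FixedUnit::fromDouble(aspectRatio).isZero();
}
```

With an inline size of 100 px and a ratio of 1/128, the fixed-point path has nothing to divide by, while the double path returns 12800 px; at a ratio of 2 both paths agree on 50 px. The practical check for a reviewer is the same one the model encodes: any division whose divisor was derived from a user-controlled ratio must either be done in a representation that cannot quantize the divisor to zero or be preceded by an explicit zero test.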
Comment 4 Rob Buis 2021-03-18 01:29:56 PDT
Created attachment 423572 [details]
Patch
Comment 5 EWS 2021-03-18 08:44:01 PDT
Committed r274646: <https://commits.webkit.org/r274646>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 423572 [details].