Bug 295240: ASAN_ILL | Style::CSSValueConversion::operator; Style::BuilderGenerated::applyProperty; Style::Builder::applyProperty
Status: RESOLVED DUPLICATE of bug 295239
https://bugs.webkit.org/show_bug.cgi?id=295240
John Wilander
Reported 2025-06-30 16:34:20 PDT
Created attachment 475713 [details] Repro case

<rdar://154646334>

See attached repro case.

Stack Trace
=========
frame #0: WebCore`WTFCrashWithInfo(int, char const*, char const*, int)+0x1b
frame #1: WebCore`WebCore::Style::CSSValueConversion<WebCore::Style::FlexBasis>::operator()(WebCore::Style::BuilderState&, WebCore::CSSValue const&)+0x20a
frame #2: WebCore`WebCore::Style::BuilderGenerated::applyProperty(WebCore::CSSPropertyID, WebCore::Style::BuilderState&, WebCore::CSSValue&, WebCore::Style::ApplyValueType)+0x52b6
frame #3: WebCore`WebCore::Style::Builder::applyProperty(WebCore::CSSPropertyID, WebCore::CSSValue&, WebCore::SelectorChecker::LinkMatchMask, WebCore::Style::CascadeLevel)+0x333
frame #4: WebCore`void WebCore::Style::Builder::applyPropertiesImpl<(WebCore::Style::Builder::CustomPropertyCycleTracking)0>(int, int)+0x44d
frame #5: WebCore`WebCore::Style::Builder::applyNonHighPriorityProperties()+0x115
frame #6: WebCore`WebCore::Style::Resolver::applyMatchedProperties(WebCore::Style::Resolver::State&, WebCore::Style::MatchResult const&, WebCore::Style::PropertyCascade::IncludedProperties&&)+0x574
frame #7: WebCore`WebCore::Style::Resolver::unadjustedStyleForElement(WebCore::Element&, WebCore::Style::ResolutionContext const&, WebCore::RuleMatchingBehavior)+0x6fc
frame #8: WebCore`WebCore::Style::TreeResolver::styleForStyleable(WebCore::Styleable const&, WebCore::Style::TreeResolver::ResolutionType, WebCore::Style::ResolutionContext const&, WebCore::RenderStyle const*)+0x88f
frame #9: WebCore`WebCore::Style::TreeResolver::resolveElement(WebCore::Element&, WebCore::RenderStyle const*, WebCore::Style::TreeResolver::ResolutionType)+0x470
frame #10: WebCore`WebCore::Style::TreeResolver::resolveComposedTree()+0xf6b
frame #11: WebCore`WebCore::Style::TreeResolver::resolve()+0x618
frame #12: WebCore`WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType)+0x520
frame #13: WebCore`WebCore::Document::updateStyleIfNeeded()+0x24a
frame #14: WebCore`WebCore::Document::finishedParsing()+0x7fd
frame #15: WebCore`WebCore::HTMLConstructionSite::finishedParsing()+0xcc
frame #16: WebCore`WebCore::HTMLDocumentParser::prepareToStopParsing()+0x176
frame #17: WebCore`WebCore::HTMLDocumentParser::finish()+0x128
frame #18: WebCore`WebCore::DocumentWriter::end()+0x2bb
frame #19: WebCore`WebCore::DocumentLoader::finishedLoading()+0x36c
frame #20: WebCore`WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource&, WebCore::NetworkLoadMetrics const&, WebCore::LoadWillContinueInAnotherProcess)+0x383
frame #21: WebCore`WebCore::CachedResource::checkNotify(WebCore::NetworkLoadMetrics const&, WebCore::LoadWillContinueInAnotherProcess)+0x14d
frame #22: WebCore`WebCore::CachedResource::finishLoading(WebCore::FragmentedSharedBuffer const*, WebCore::NetworkLoadMetrics const&)+0xe4
frame #23: WebCore`WebCore::CachedRawResource::finishLoading(WebCore::FragmentedSharedBuffer const*, WebCore::NetworkLoadMetrics const&)+0x35f
frame #24: WebCore`WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&)+0xc62
frame #25: WebKit`WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics&&)+0x590
frame #26: WebKit`WebKit::WebResourceLoader::didReceiveMessage(IPC::Connection&, IPC::Decoder&)+0x3e2
frame #27: WebKit`WebKit::NetworkProcessConnection::dispatchMessage(IPC::Connection&, IPC::Decoder&)+0x239
frame #28: WebKit`WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&)+0x194
frame #29: WebKit`IPC::Connection::dispatchMessage(WTF::UniqueRef<IPC::Decoder>)+0x1fb
frame #30: WebKit`IPC::Connection::dispatchOneIncomingMessage()+0x150
frame #31: JavaScriptCore`WTF::RunLoop::performWork()+0x6a4
frame #32: JavaScriptCore`WTF::RunLoop::performWork(void*)+0x7d
frame #33: CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__+0x10
frame #34: CoreFoundation`__CFRunLoopDoSource0+0x9c
frame #35: CoreFoundation`__CFRunLoopDoSources0+0xca
frame #36: CoreFoundation`__CFRunLoopRun+0x3db
frame #37: CoreFoundation`_CFRunLoopRunSpecificWithOptions+0x21c
frame #38: Foundation`-[NSRunLoop(NSRunLoop) runMode:beforeDate:]+0xd7
frame #39: Foundation`-[NSRunLoop(NSRunLoop) run]+0x4b
frame #40: libxpc.dylib`_xpc_objc_main+0x271
frame #41: libxpc.dylib`_xpc_main+0x20
frame #42: libxpc.dylib`xpc_main+0x37
frame #43: WebKit`WebKit::XPCServiceMain(int, char const**)+0x91
frame #44: dyld`start+0xca4
Attachments
Repro case (468 bytes, text/html), 2025-06-30 16:34 PDT, John Wilander
Minimized and cleaned up repro (for applyValueMaxWidth) (1.05 KB, text/html), 2025-07-02 02:06 PDT, Frédéric Wang (:fredw)
Minimized and cleaned up repro (for applyValueFlexBasis) (1.05 KB, text/html), 2025-07-02 02:08 PDT, Frédéric Wang (:fredw)
Darin Adler
Comment 1 2025-07-01 10:00:42 PDT
Should we be adding Sam Weinig to the CC list on this?
Frédéric Wang (:fredw)
Comment 2 2025-07-02 02:06:41 PDT
Created attachment 475744 [details] Minimized and cleaned up repro (for applyValueMaxWidth)

I believe there is a mismatch between the repro and reported backtrace. Anyway, this is again very similar to bug 295241. I'm attaching a minimized testcase, obtained by just tweaking the CSS property on the inner element.

For the record, the backtrace I get:

ASSERTION FAILED: CSS::isWithinRange<Fixed::range>(length.value())
/Users/fred/WebKit/Source/WebCore/style/values/primitives/StyleLengthWrapper.h(189) : static void WebCore::Style::LengthWrapperBase<WebCore::Style::LengthPercentage<CSS::Range{0.000000e+00, INF, 0}>, WebCore::Constant<WebCore::CSSValueNone>, WebCore::Constant<WebCore::CSSValueMinContent>, WebCore::Constant<WebCore::CSSValueMaxContent>, WebCore::Constant<WebCore::CSSValueFitContent>, WebCore::Constant<WebCore::CSSValueWebkitFillAvailable>, WebCore::Constant<WebCore::CSSValueIntrinsic>, WebCore::Constant<WebCore::CSSValueMinIntrinsic>>::validate(const WebCore::Length &) [Numeric = WebCore::Style::LengthPercentage<CSS::Range{0.000000e+00, INF, 0}>, Ks = <WebCore::Constant<WebCore::CSSValueNone>, WebCore::Constant<WebCore::CSSValueMinContent>, WebCore::Constant<WebCore::CSSValueMaxContent>, WebCore::Constant<WebCore::CSSValueFitContent>, WebCore::Constant<WebCore::CSSValueWebkitFillAvailable>, WebCore::Constant<WebCore::CSSValueIntrinsic>, WebCore::Constant<WebCore::CSSValueMinIntrinsic>>]
1 0x341f525f0 WebCore::Style::LengthWrapperBase<WebCore::Style::LengthPercentage<WebCore::CSS::Range{0x0p+0, inf}, float>, WebCore::Constant<(WebCore::CSSValueID)6>, WebCore::Constant<(WebCore::CSSValueID)555>, WebCore::Constant<(WebCore::CSSValueID)557>, WebCore::Constant<(WebCore::CSSValueID)560>, WebCore::Constant<(WebCore::CSSValueID)559>, WebCore::Constant<(WebCore::CSSValueID)553>, WebCore::Constant<(WebCore::CSSValueID)554>>::validate(WebCore::Length const&)
2 0x341f52554 WebCore::Style::LengthWrapperBase<WebCore::Style::LengthPercentage<WebCore::CSS::Range{0x0p+0, inf}, float>, WebCore::Constant<(WebCore::CSSValueID)6>, WebCore::Constant<(WebCore::CSSValueID)555>, WebCore::Constant<(WebCore::CSSValueID)557>, WebCore::Constant<(WebCore::CSSValueID)560>, WebCore::Constant<(WebCore::CSSValueID)559>, WebCore::Constant<(WebCore::CSSValueID)553>, WebCore::Constant<(WebCore::CSSValueID)554>>::LengthWrapperBase(WebCore::Length&&)
3 0x341f52518 WebCore::Style::MaximumSize::MaximumSize(WebCore::Length&&)
4 0x341f5246c WebCore::Style::MaximumSize::MaximumSize(WebCore::Length&&)
5 0x341f520d4 WebCore::Style::CSSValueConversion<WebCore::Style::MaximumSize>::operator()(WebCore::Style::BuilderState&, WebCore::CSSValue const&)::'lambda'()::operator()() const
6 0x341f51a70 WebCore::Style::CSSValueConversion<WebCore::Style::MaximumSize>::operator()(WebCore::Style::BuilderState&, WebCore::CSSValue const&)
7 0x341f5176c WebCore::Style::MaximumSize WebCore::Style::CSSValueConversionInvoker<WebCore::Style::MaximumSize>::operator()<>(WebCore::Style::BuilderState&, WebCore::CSSValue const&) const
8 0x341f516ac WebCore::Style::MaximumSize WebCore::Style::BuilderConverter::convertStyleType<WebCore::Style::MaximumSize>(WebCore::Style::BuilderState&, WebCore::CSSValue const&)
9 0x341d5f9a8 WebCore::Style::BuilderFunctions::applyValueMaxWidth(WebCore::Style::BuilderState&, WebCore::CSSValue&)
10 0x341d09804 WebCore::Style::BuilderGenerated::applyProperty(WebCore::CSSPropertyID, WebCore::Style::BuilderState&, WebCore::CSSValue&, WebCore::Style::ApplyValueType)
11 0x34a5cd818 WebCore::Style::Builder::applyProperty(WebCore::CSSPropertyID, WebCore::CSSValue&, WebCore::SelectorChecker::LinkMatchMask, WebCore::Style::CascadeLevel)
12 0x34a60ae64 WebCore::Style::Builder::applyCascadeProperty(WebCore::Style::PropertyCascade::Property const&)::'lambda'(WebCore::SelectorChecker::LinkMatchMask)::operator()(WebCore::SelectorChecker::LinkMatchMask) const
13 0x34a5ca094 WebCore::Style::Builder::applyCascadeProperty(WebCore::Style::PropertyCascade::Property const&)
14 0x34a5c9b20 WebCore::Style::Builder::applyLogicalGroupProperties()
15 0x34a5c92e8 WebCore::Style::Builder::applyNonHighPriorityProperties()
16 0x34a6a6ac8 WebCore::Style::Resolver::applyMatchedProperties(WebCore::Style::Resolver::State&, WebCore::Style::MatchResult const&, WebCore::Style::PropertyCascade::IncludedProperties&&)
17 0x34a6a60e0 WebCore::Style::Resolver::unadjustedStyleForElement(WebCore::Element&, WebCore::Style::ResolutionContext const&, WebCore::RuleMatchingBehavior)
18 0x34a6c635c WebCore::Style::TreeResolver::styleForStyleable(WebCore::Styleable const&, WebCore::Style::TreeResolver::ResolutionType, WebCore::Style::ResolutionContext const&, WebCore::RenderStyle const*)::$_0::operator()() const
19 0x34a6c4f6c WebCore::Style::TreeResolver::styleForStyleable(WebCore::Styleable const&, WebCore::Style::TreeResolver::ResolutionType, WebCore::Style::ResolutionContext const&, WebCore::RenderStyle const*)
20 0x34a6c7328 WebCore::Style::TreeResolver::resolveElement(WebCore::Element&, WebCore::RenderStyle const*, WebCore::Style::TreeResolver::ResolutionType)
21 0x34a6d4244 WebCore::Style::TreeResolver::resolveComposedTree()
22 0x34a6d740c WebCore::Style::TreeResolver::resolve()
23 0x345d6a7fc WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType)
24 0x345d6c2d8 WebCore::Document::updateStyleIfNeeded()
25 0x345db64b0 WebCore::Document::finishedParsing()
26 0x346f0b6a0 WebCore::HTMLConstructionSite::finishedParsing()
27 0x346fe55d8 WebCore::HTMLTreeBuilder::finished()
28 0x346f2c75c WebCore::HTMLDocumentParser::end()
29 0x346f283fc WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd()
30 0x346f280b4 WebCore::HTMLDocumentParser::prepareToStopParsing()
31 0x346f2c88c WebCore::HTMLDocumentParser::attemptToEnd()
com.apple.WebKit.WebContent.Development terminated (pid 7180) for reason: crash
Frédéric Wang (:fredw)
Comment 3 2025-07-02 02:08:39 PDT
Created attachment 475745 [details] Minimized and cleaned up repro (for applyValueFlexBasis)
Frédéric Wang (:fredw)
Comment 4 2025-07-03 21:58:52 PDT
This is a duplicate of bug 295239; I attached a fix with tests at https://bugs.webkit.org/show_bug.cgi?id=295239#c11
Darin Adler
Comment 5 2025-07-04 14:12:05 PDT
*** This bug has been marked as a duplicate of bug 295239 ***