WebKit Bugzilla
RESOLVED DUPLICATE of bug 295239
Bug 295241: ASAN_TRAP | Style::LengthWrapperBase::validate; Style::CSSValueConversion::operator; Style::BuilderCustom::applyValuePaddingRight
https://bugs.webkit.org/show_bug.cgi?id=295241
John Wilander
Reported
2025-06-30 16:36:36 PDT
Created attachment 475714 [details]
Repro case

<rdar://154646642>

See attached repro case.

Stack Trace
=========
frame #0: WebCore`WebCore::Style::LengthWrapperBase<WebCore::Style::LengthPercentage<WebCore::CSS::Range{0x0p+0, inf}, float>>::validate(WebCore::Length const&) (.cold.12)+0x1d
frame #1: WebCore`WebCore::Style::LengthWrapperBase<WebCore::Style::LengthPercentage<WebCore::CSS::Range{0x0p+0, inf}, float>>::validate(WebCore::Length const&)+0x67
frame #2: WebCore`WebCore::Style::CSSValueConversion<WebCore::Style::PaddingEdge>::operator()(WebCore::Style::BuilderState&, WebCore::CSSValue const&)::'lambda'()::operator()() const+0xd9
frame #3: WebCore`WebCore::Style::BuilderCustom::applyValuePaddingRight(WebCore::Style::BuilderState&, WebCore::CSSValue&)+0x3b
frame #4: WebCore`WebCore::Style::Builder::applyProperty(WebCore::CSSPropertyID, WebCore::CSSValue&, WebCore::SelectorChecker::LinkMatchMask, WebCore::Style::CascadeLevel)+0x15b
frame #5: WebCore`WebCore::Style::Builder::applyProperty(WebCore::CSSPropertyID, WebCore::CSSValue&, WebCore::SelectorChecker::LinkMatchMask, WebCore::Style::CascadeLevel)+0x416
frame #6: WebCore`WebCore::Style::Builder::applyNonHighPriorityProperties()+0xe9
frame #7: WebCore`WebCore::Style::Resolver::applyMatchedProperties(WebCore::Style::Resolver::State&, WebCore::Style::MatchResult const&, WebCore::Style::PropertyCascade::IncludedProperties&&)+0x205
frame #8: WebCore`WebCore::Style::Resolver::unadjustedStyleForElement(WebCore::Element&, WebCore::Style::ResolutionContext const&, WebCore::RuleMatchingBehavior)+0x43f
frame #9: WebCore`WebCore::Style::Resolver::styleForElement(WebCore::Element&, WebCore::Style::ResolutionContext const&, WebCore::RuleMatchingBehavior)+0x23
frame #10: WebCore`WebCore::Document::styleForElementIgnoringPendingStylesheets(WebCore::Element&, WebCore::RenderStyle const*, std::__1::optional<WebCore::Style::PseudoElementIdentifier> const&)+0x93
frame #11: WebCore`WebCore::Element::resolveComputedStyle(WebCore::Element::ResolveComputedStyleMode)+0x403
frame #12: WebCore`WebCore::Node::computeEditability(WebCore::Node::UserSelectAllTreatment, WebCore::Node::ShouldUpdateStyle) const+0x12b
frame #13: WebCore`WebCore::findEndOfParagraph(WebCore::Node*, WebCore::Node*, WebCore::Node*, int&, WebCore::Position::AnchorType&, WebCore::EditingBoundaryCrossingRule)+0x10a
frame #14: WebCore`WebCore::endOfParagraph(WebCore::VisiblePosition const&, WebCore::EditingBoundaryCrossingRule)+0x16d
frame #15: WebCore`WebCore::Editor::contextRangeForCandidateRequest() const+0xa2
frame #16: WebKit`WebKit::WebPage::getPlatformEditorState(WebCore::LocalFrame&, WebKit::EditorState&) const+0x24c
frame #17: WebKit`WebKit::WebPage::editorState(WebKit::WebPage::ShouldPerformLayout) const+0x1f8
frame #18: WebKit`WebKit::WebPage::willCommitLayerTree(WebKit::RemoteLayerTreeTransaction&, WTF::ObjectIdentifierGeneric<WebCore::FrameIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long long>, unsigned long long>)+0x338
frame #19: WebKit`WebKit::RemoteLayerTreeDrawingArea::updateRendering()+0x33e
frame #20: WebKit`WTF::Detail::CallableWrapper<WebCore::Timer::Timer<WebKit::RemoteLayerTreeDrawingArea, WebKit::RemoteLayerTreeDrawingArea>(WebKit::RemoteLayerTreeDrawingArea&, void (WebKit::RemoteLayerTreeDrawingArea::*)())::'lambda'(), void>::call()+0x26
frame #21: WebCore`WebCore::ThreadTimers::sharedTimerFiredInternal()+0x10b
frame #22: WebCore`WebCore::timerFired(__CFRunLoopTimer*, void*)+0x1e
frame #23: CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__+0x13
frame #24: CoreFoundation`__CFRunLoopDoTimer+0x325
frame #25: CoreFoundation`__CFRunLoopDoTimers+0xf8
frame #26: CoreFoundation`__CFRunLoopRun+0x8e9
frame #27: CoreFoundation`_CFRunLoopRunSpecificWithOptions+0x21c
frame #28: Foundation`-[NSRunLoop(NSRunLoop) runMode:beforeDate:]+0xd7
frame #29: Foundation`-[NSRunLoop(NSRunLoop) run]+0x4b
frame #30: libxpc.dylib`_xpc_objc_main+0x271
frame #31: libxpc.dylib`_xpc_main+0x20
frame #32: libxpc.dylib`xpc_main+0x37
frame #33: WebKit`WebKit::XPCServiceMain(int, char const**)+0x1a
frame #34: dyld`start+0xca4
Attachments
Repro case (725 bytes, text/html) 2025-06-30 16:36 PDT, John Wilander, no flags
Minimized and cleaned up repro (1.06 KB, text/html) 2025-07-02 01:33 PDT, Frédéric Wang (:fredw), no flags
Darin Adler
Comment 1
2025-07-01 10:01:09 PDT
Should we be adding Sam Weinig to the CC list on this?
Frédéric Wang (:fredw)
Comment 2
2025-07-02 01:33:31 PDT
Created attachment 475741 [details]
Minimized and cleaned up repro

This is a minimized and cleaned up repro. The nested elements in the original testcase are essentially just to accumulate the zoom factor. Note that changing -webkit-padding-end to -webkit-padding-before/-webkit-padding-after/-webkit-padding-start gives slightly different backtraces for applyValuePaddingTop/Bottom/Left instead.
Frédéric Wang (:fredw)
Comment 3
2025-07-02 01:58:06 PDT
The backtrace of the original repro (applyValuePaddingBottom) does not match the reported backtrace (applyValuePaddingRight). The minimized repro hits applyValuePaddingRight; as I said, just use -webkit-padding-after on the inner element to hit applyValuePaddingBottom instead.
Frédéric Wang (:fredw)
Comment 4
2025-07-03 21:59:02 PDT
This is a duplicate of bug 295239; I attached a fix with tests at https://bugs.webkit.org/show_bug.cgi?id=295239#c11
Darin Adler
Comment 5
2025-07-04 14:12:44 PDT
*** This bug has been marked as a duplicate of bug 295239 ***
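Comments 2 and 3 note that the padding variants crash through different applyValuePadding* frames. As an added illustration (not part of the bug thread and not WebKit's own tooling), this Python example normalizes the reported frames into the signature used in the bug title and shows that the variants share the two faulting frames. The rule that the title is the top three distinct frames is an assumption inferred from the title, and VARIANT is constructed.

```python
import re

# Top four frames copied from the stack trace in this report.
REPORTED = """\
frame #0: WebCore`WebCore::Style::LengthWrapperBase<WebCore::Style::LengthPercentage<WebCore::CSS::Range{0x0p+0, inf}, float>>::validate(WebCore::Length const&) (.cold.12)+0x1d
frame #1: WebCore`WebCore::Style::LengthWrapperBase<WebCore::Style::LengthPercentage<WebCore::CSS::Range{0x0p+0, inf}, float>>::validate(WebCore::Length const&)+0x67
frame #2: WebCore`WebCore::Style::CSSValueConversion<WebCore::Style::PaddingEdge>::operator()(WebCore::Style::BuilderState&, WebCore::CSSValue const&)::'lambda'()::operator()() const+0xd9
frame #3: WebCore`WebCore::Style::BuilderCustom::applyValuePaddingRight(WebCore::Style::BuilderState&, WebCore::CSSValue&)+0x3b
"""
# Constructed variant: same frames, with the function name comment 3 gives
# for the original repro.
VARIANT = REPORTED.replace("applyValuePaddingRight", "applyValuePaddingBottom")

FRAME = re.compile(r"^frame #\d+: [^`]+`(.+)\+0x[0-9a-f]+$")

def normalize(symbol):
    """Reduce a demangled C++ symbol to Namespace::Class::function."""
    out, depth = [], 0
    for ch in symbol:              # drop <...> template arguments, nested or not
        if ch == "<":              # (symbols such as operator< are not handled)
            depth += 1
        elif ch == ">":
            depth -= 1
        elif depth == 0:
            out.append(ch)
    name = "".join(out).split("(", 1)[0].strip()   # drop parameters, lambdas, .cold
    return re.sub(r"^WebCore::", "", name)

def frames(trace):
    """Normalized frames, collapsing a .cold split into its parent function."""
    names = []
    for line in trace.splitlines():
        m = FRAME.match(line.strip())
        if m:
            name = normalize(m.group(1))
            if not names or names[-1] != name:
                names.append(name)
    return names

def signature(trace, depth=3, kind="ASAN_TRAP"):
    return f"{kind} | " + "; ".join(frames(trace)[:depth])

def shared_fault_frames(a, b):
    """Leading frames two traces have in common: a hint that they are one bug."""
    shared = []
    for x, y in zip(frames(a), frames(b)):
        if x != y:
            break
        shared.append(x)
    return shared
```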