Assertion failure in blink::CSSPrimitiveValue::clampToCSSLengthRange
Issue description

Version: ToT
OS: tested on Linux

What steps will reproduce the problem?
(1) Build Chromium with DCHECKs on
(2) Start chromium in a profile that is not signed-in
(3) Select "Settings" from the menu
(4) Click the "Sign in to Chromium" button

What is the expected output?
A sign in dialog is displayed

What do you see instead?
A frame appears where the sign in dialog should be, but nothing is drawn in it. The console displays an assertion error:

    ASSERTION FAILED: !std::isnan(static_cast<double>(value))
    ../../third_party/WebKit/Source/wtf/MathExtras.h(283) : LimitType clampTo(ValueType, LimitType, LimitType) [LimitType = float, ValueType = double]
    1 0x7f14d0e9dc17
    2 0x7f14d103bf97 blink::CSSPrimitiveValue::clampToCSSLengthRange(double)
    3 0x7f14d0f61836
    4 0x7f14d0f11a93
    5 0x7f14d0f50805 blink::InvalidatableInterpolation::applyStack(WTF::Vector<WTF::RefPtr<blink::Interpolation>, 1ul, WTF::PartitionAllocator> const&, blink::InterpolationEnvironment&)
    6 0x7f14d11ce082
    7 0x7f14d11c94e5 blink::StyleResolver::applyAnimatedProperties(blink::StyleResolverState&, blink::Element const*)
    8 0x7f14d11c803f blink::StyleResolver::styleForElement(blink::Element*, blink::ComputedStyle const*, blink::StyleSharingBehavior, blink::RuleMatchingBehavior)
    9 0x7f14d1f5a852 blink::SVGElement::customStyleForLayoutObject()
    10 0x7f14d12b396f blink::Element::styleForLayoutObject()
    11 0x7f14d12b48ca blink::Element::recalcOwnStyle(blink::StyleRecalcChange)
    12 0x7f14d12b4298 blink::Element::recalcStyle(blink::StyleRecalcChange, blink::Text*)
    13 0x7f14d12069ee blink::ContainerNode::recalcDescendantStyles(blink::StyleRecalcChange)
    14 0x7f14d12b43d0 blink::Element::recalcStyle(blink::StyleRecalcChange, blink::Text*)
    15 0x7f14d12069ee blink::ContainerNode::recalcDescendantStyles(blink::StyleRecalcChange)
    16 0x7f14d12b43d0 blink::Element::recalcStyle(blink::StyleRecalcChange, blink::Text*)
    17 0x7f14d123f968 blink::Document::updateStyle()
    18 0x7f14d123bc96 blink::Document::updateStyleAndLayoutTree()
    19 0x7f14d1647b8a blink::FrameView::performPreLayoutTasks()
    20 0x7f14d1645cad blink::FrameView::layout()
    21 0x7f14d165211d blink::FrameView::updateStyleAndLayoutIfNeededRecursiveInternal()
    22 0x7f14d1650bab blink::FrameView::updateStyleAndLayoutIfNeededRecursive()
    23 0x7f14d164fc13 blink::FrameView::updateLifecyclePhasesInternal(blink::DocumentLifecycle::LifecycleState)
    24 0x7f14d1650392 blink::FrameView::updateAllLifecyclePhasesExceptPaint()
    25 0x7f14d20012d3 blink::SVGImage::drawInternal(SkCanvas*, SkPaint const&, blink::FloatRect const&, blink::FloatRect const&, blink::RespectImageOrientationEnum, blink::Image::ImageClampingMode, blink::KURL const&)
    26 0x7f14d2000e70 blink::SVGImage::drawForContainer(SkCanvas*, SkPaint const&, blink::FloatSize, float, blink::FloatRect const&, blink::FloatRect const&, blink::KURL const&)
    27 0x7f14d2005f77
    28 0x7f14dccce71c blink::GraphicsContext::drawImage(blink::Image*, blink::FloatRect const&, blink::FloatRect const*, SkXfermode::Mode, blink::RespectImageOrientationEnum)
    29 0x7f14dccce92d blink::GraphicsContext::drawImageRRect(blink::Image*, blink::FloatRoundedRect const&, blink::FloatRect const&, SkXfermode::Mode, blink::RespectImageOrientationEnum)
    30 0x7f14d1e4fd92
    31 0x7f14d1e4da71
    Received signal 11 SEGV_MAPERR 0000fbadbeef
    #0 0x7f14eb5fb6de base::debug::StackTrace::StackTrace()
    #1 0x7f14eb5fb21f base::debug::(anonymous namespace)::StackDumpSignalHandler()
    #2 0x7f14d78b2330 <unknown>
    #3 0x7f14d0e9dc1e clampTo<>()
    #4 0x7f14d103bf97 blink::CSSPrimitiveValue::clampToCSSLengthRange()
    #5 0x7f14d0f61836 blink::LengthInterpolationFunctions::createLength()
    #6 0x7f14d0f11a93 blink::CSSLengthInterpolationType::apply()
    #7 0x7f14d0f50805 blink::InvalidatableInterpolation::applyStack()
    #8 0x7f14d11ce082 blink::StyleResolver::applyAnimatedProperties<>()
    #9 0x7f14d11c94e5 blink::StyleResolver::applyAnimatedProperties()
    #10 0x7f14d11c803f blink::StyleResolver::styleForElement()
    #11 0x7f14d1f5a852 blink::SVGElement::customStyleForLayoutObject()
    #12 0x7f14d12b396f blink::Element::styleForLayoutObject()
    #13 0x7f14d12b48ca blink::Element::recalcOwnStyle()
    #14 0x7f14d12b4298 blink::Element::recalcStyle()
    #15 0x7f14d12069ee blink::ContainerNode::recalcDescendantStyles()
    #16 0x7f14d12b43d0 blink::Element::recalcStyle()
    #17 0x7f14d12069ee blink::ContainerNode::recalcDescendantStyles()
    #18 0x7f14d12b43d0 blink::Element::recalcStyle()
    #19 0x7f14d123f968 blink::Document::updateStyle()
    #20 0x7f14d123bc96 blink::Document::updateStyleAndLayoutTree()
    #21 0x7f14d1647b8a blink::FrameView::performPreLayoutTasks()
    #22 0x7f14d1645cad blink::FrameView::layout()
    #23 0x7f14d165211d blink::FrameView::updateStyleAndLayoutIfNeededRecursiveInternal()
    #24 0x7f14d1650bab blink::FrameView::updateStyleAndLayoutIfNeededRecursive()
    #25 0x7f14d164fc13 blink::FrameView::updateLifecyclePhasesInternal()
    #26 0x7f14d1650392 blink::FrameView::updateAllLifecyclePhasesExceptPaint()
    #27 0x7f14d20012d3 blink::SVGImage::drawInternal()
    #28 0x7f14d2000e70 blink::SVGImage::drawForContainer()
    #29 0x7f14d2005f77 blink::SVGImageForContainer::draw()
    #30 0x7f14dccce71c blink::GraphicsContext::drawImage()
    #31 0x7f14dccce92d blink::GraphicsContext::drawImageRRect()
    #32 0x7f14d1e4fd92 blink::(anonymous namespace)::paintFastBottomLayer()
    #33 0x7f14d1e4da71 blink::BoxPainter::paintFillLayer()
    #34 0x7f14d1e4d7ea blink::BoxPainter::paintFillLayers()
    #35 0x7f14d1e4d36c blink::BoxPainter::paintBackground()
    #36 0x7f14d1e4c871 blink::BoxPainter::paintBoxDecorationBackgroundWithRect()
    #37 0x7f14d1e4c3aa blink::BoxPainter::paintBoxDecorationBackground()
    #38 0x7f14d1b52e45 blink::LayoutBox::paintBoxDecorationBackground()
    #39 0x7f14d1e3a4ed blink::BlockPainter::paintObject()
    #40 0x7f14d1b0c365 blink::LayoutBlock::paintObject()
    #41 0x7f14d1e39b6c blink::BlockPainter::paint()
    #42 0x7f14d1b0c2e5 blink::LayoutBlock::paint()
    #43 0x7f14d1e3a19a blink::BlockPainter::paintChild()
    #44 0x7f14d1e3a0eb blink::BlockPainter::paintChildren()
    #45 0x7f14d1b0c325 blink::LayoutBlock::paintChildren()
    #46 0x7f14d1e3ad91 blink::BlockPainter::paintContents()
    #47 0x7f14d1e3ab71 blink::BlockPainter::paintObject()
    #48 0x7f14d1b0c365 blink::LayoutBlock::paintObject()
    #49 0x7f14d1e39c06 blink::BlockPainter::paint()
    #50 0x7f14d1b0c2e5 blink::LayoutBlock::paint()
    #51 0x7f14d1e9e405 blink::PaintLayerPainter::paintFragmentWithPhase()
    #52 0x7f14d1e9e531 blink::PaintLayerPainter::paintForegroundForFragmentsWithPhase()
    #53 0x7f14d1e9d0f3 blink::PaintLayerPainter::paintForegroundForFragments()
    #54 0x7f14d1e9c284 blink::PaintLayerPainter::paintLayerContents()
    #55 0x7f14d1e9b024 blink::PaintLayerPainter::paintLayerContentsAndReflection()
    #56 0x7f14d1e9a433 blink::PaintLayerPainter::paintLayer()
    #57 0x7f14d1e9ccfc blink::PaintLayerPainter::paintChildren()
    #58 0x7f14d1e9c2e9 blink::PaintLayerPainter::paintLayerContents()
    #59 0x7f14d1e9b024 blink::PaintLayerPainter::paintLayerContentsAndReflection()
    #60 0x7f14d1e9a433 blink::PaintLayerPainter::paintLayer()
    #61 0x7f14d1e9ccfc blink::PaintLayerPainter::paintChildren()
    r8: 00007f14cc188a00 r9: 00007f14d19d52fc r10: 00007f14d5f13be0 r11: 0000000000000000
    r12: 00007f14ec23d85c r13: 00007fff561a48d0 r14: 0000000000000000 r15: 94c98da9c10f2400
    di: 0000000000000000 si: 00000000fbadbeef bp: 00007fff561954e0 bx: 94c98da9c10f2400
    dx: 0000000000000000 ax: 94c98da9c10f2400 cx: 00000000fbadbeef sp: 00007fff561954d0
    ip: 00007f14d0e9dc1e efl: 0000000000010246 cgf: 0000000000000033 erf: 0000000000000006
    trp: 000000000000000e msk: 0000000000000000 cr2: 00000000fbadbeef
    [end of stack trace]

Reproducible: 5/5
Sep 26 2016
Sep 27 2016
Sep 27 2016
Looks like we're crashing when rendering https://cs.chromium.org/chromium/src/ui/webui/resources/images/throbber_small.svg inside an img tag.
Sep 27 2016
Looks like CSSToLengthConversionData::viewportHeightPercent() is -nan inside the SVGImage.
Sep 27 2016
Sep 27 2016
Created minimal repro without animations:

    <img src="data:image/svg+xml;utf8,<svg xmlns='http://www.w3.org/2000/svg'><rect style='left: 1vh'></rect></svg>">

Crash stack:

    #0 0x7ff7d2b33b27 base::debug::(anonymous namespace)::StackDumpSignalHandler()
    #1 0x7ff7d462a330 <unknown>
    #2 0x7ff7cae42c37 gsignal
    #3 0x7ff7cae46028 abort
    #4 0x7ff7d2b2d622 base::debug::BreakDebugger()
    #5 0x7ff7d2b5647a logging::LogMessage::~LogMessage()
    #6 0x7ff7ce5b653d blink::CSSToLengthConversionData::ViewportSize::ViewportSize()
    #7 0x7ff7ce5b6680 blink::CSSToLengthConversionData::CSSToLengthConversionData()
    #8 0x7ff7ce69dad7 blink::StyleResolverState::setStyle()
    #9 0x7ff7ce6930ab blink::StyleResolver::styleForElement()
    #10 0x7ff7ceee7cbe blink::SVGElement::customStyleForLayoutObject()
    #11 0x7ff7ce71d9f7 blink::Element::styleForLayoutObject()
    #12 0x7ff7ce71e310 blink::Element::recalcOwnStyle()
    #13 0x7ff7ce71ded3 blink::Element::recalcStyle()
    #14 0x7ff7ce6b7e07 blink::ContainerNode::recalcDescendantStyles()
    #15 0x7ff7ce71e002 blink::Element::recalcStyle()
    #16 0x7ff7ce6dea2d blink::Document::updateStyle()
    #17 0x7ff7ce6db301 blink::Document::updateStyleAndLayoutTree()
    #18 0x7ff7ce949bca blink::FrameView::performPreLayoutTasks()
    #19 0x7ff7ce947d58 blink::FrameView::layout()
    #20 0x7ff7ce953e3d blink::FrameView::updateStyleAndLayoutIfNeededRecursiveInternal()
    #21 0x7ff7ce952671 blink::FrameView::updateStyleAndLayoutIfNeededRecursive()
    #22 0x7ff7ce9519b1 blink::FrameView::updateLifecyclePhasesInternal()
    #23 0x7ff7cef4a84e blink::SVGImage::drawInternal()
Sep 27 2016
Oops, the above crash stack is with my custom build with added asserts, the ToT crash stack is:

    ASSERTION FAILED: !std::isnan(static_cast<double>(value))
    ../../third_party/WebKit/Source/wtf/MathExtras.h(283) : LimitType clampTo(ValueType, LimitType, LimitType) [LimitType = float, ValueType = double]
    1 0x7f28208496af blink::CSSPrimitiveValue::convertToLength(blink::CSSToLengthConversionData const&) const
    2 0x7f282092d8b7
    3 0x7f282074dec0
    4 0x7f2820936900 blink::StyleBuilder::applyProperty(blink::CSSPropertyID, blink::StyleResolverState&, blink::CSSValue const&)
    5 0x7f282094814b
    6 0x7f2820941b02
    7 0x7f282093ff35 blink::StyleResolver::applyMatchedProperties(blink::StyleResolverState&, blink::MatchResult const&)
    8 0x7f282093f0ed blink::StyleResolver::styleForElement(blink::Element*, blink::ComputedStyle const*, blink::StyleSharingBehavior, blink::RuleMatchingBehavior)
    9 0x7f282119395e blink::SVGElement::customStyleForLayoutObject()
    10 0x7f28209c9697 blink::Element::styleForLayoutObject()
    11 0x7f28209c9fb0 blink::Element::recalcOwnStyle(blink::StyleRecalcChange)
    12 0x7f28209c9b73 blink::Element::recalcStyle(blink::StyleRecalcChange, blink::Text*)
    13 0x7f2820963aa7 blink::ContainerNode::recalcDescendantStyles(blink::StyleRecalcChange)
    14 0x7f28209c9ca2 blink::Element::recalcStyle(blink::StyleRecalcChange, blink::Text*)
    15 0x7f282098a6cd blink::Document::updateStyle()
    16 0x7f2820986fa1 blink::Document::updateStyleAndLayoutTree()
    17 0x7f2820bf586a blink::FrameView::performPreLayoutTasks()
    18 0x7f2820bf39f8 blink::FrameView::layout()
    19 0x7f2820bffadd blink::FrameView::updateStyleAndLayoutIfNeededRecursiveInternal()
    20 0x7f2820bfe311 blink::FrameView::updateStyleAndLayoutIfNeededRecursive()
    21 0x7f2820bfd651 blink::FrameView::updateLifecyclePhasesInternal(blink::DocumentLifecycle::LifecycleState)
    22 0x7f28211f64ee blink::SVGImage::drawInternal(SkCanvas*, SkPaint const&, blink::FloatRect const&, blink::FloatRect const&, blink::RespectImageOrientationEnum, blink::Image::ImageClampingMode, blink::KURL const&)
Sep 27 2016
This is out of scope for TE, hence added TE-NeedsTriageHelp to be addressed further.
Sep 27 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/1ad339d4e001d04db7f63a1d0daa3cb17b5bac64

commit 1ad339d4e001d04db7f63a1d0daa3cb17b5bac64
Author: alancutter <alancutter@chromium.org>
Date: Tue Sep 27 07:34:26 2016

Avoid SVG viewport bug for CSS length animations that don't use viewport units

This change optimises LengthInterpolationFunctions::createLength() to skip processing units whose corresponding values are zero. This avoids the nanification of Length for the majority of CSS length animations that don't use viewport units in SVG images.

See crbug.com/650147 for further details on nan viewport units in SVG images.

BUG=650147, 650216
Review-Url: https://codereview.chromium.org/2370783003
Cr-Commit-Position: refs/heads/master@{#421137}

[add] https://crrev.com/1ad339d4e001d04db7f63a1d0daa3cb17b5bac64/third_party/WebKit/LayoutTests/svg/animations/img-tag-css-length-animation-crash.html
[modify] https://crrev.com/1ad339d4e001d04db7f63a1d0daa3cb17b5bac64/third_party/WebKit/Source/core/animation/LengthInterpolationFunctions.cpp
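
The effect of the change described in the commit message above, as an added example that is not part of the original issue thread or of the Chromium source. It models a length as per-unit amounts multiplied by conversion factors (an assumption about the structure; all names are illustrative) and takes the NaN viewport factor from the earlier comment; it also shows that a length which does use a viewport unit, as in the minimal repro, is still NaN after the change.

```cpp
#include <array>
#include <cmath>
#include <cstddef>
#include <limits>

// Simplified model (assumption): a length is a sum of per-unit amounts, each
// multiplied by a factor converting that unit to pixels. Names are illustrative.
enum Unit : std::size_t { kPixels, kEms, kViewportHeight, kUnitCount };
using UnitValues = std::array<double, kUnitCount>;

// Before the fix: every unit is processed, so a NaN factor poisons the sum
// even when its amount is zero, because 0.0 * NaN is NaN under IEEE 754.
double ResolveAllUnits(const UnitValues& amounts, const UnitValues& factors) {
  double pixels = 0;
  for (std::size_t i = 0; i < kUnitCount; ++i)
    pixels += amounts[i] * factors[i];
  return pixels;
}

// After the fix: units whose amount is zero are skipped, so an unused
// viewport unit can no longer introduce NaN.
double ResolveNonZeroUnits(const UnitValues& amounts, const UnitValues& factors) {
  double pixels = 0;
  for (std::size_t i = 0; i < kUnitCount; ++i) {
    if (amounts[i] == 0)
      continue;
    pixels += amounts[i] * factors[i];
  }
  return pixels;
}

// Factors as reported inside the SVG image: the viewport height factor is
// NaN. The px and em factors are constructed sample values.
UnitValues SvgImageFactors() {
  return {1.0, 16.0, std::numeric_limits<double>::quiet_NaN()};
}

int main() {
  const UnitValues no_viewport = {10.0, 2.0, 0.0};   // 10px + 2em
  const UnitValues with_viewport = {0.0, 0.0, 1.0};  // 1vh, as in the minimal repro
  bool ok = std::isnan(ResolveAllUnits(no_viewport, SvgImageFactors())) &&
            ResolveNonZeroUnits(no_viewport, SvgImageFactors()) == 42.0 &&
            std::isnan(ResolveNonZeroUnits(with_viewport, SvgImageFactors()));
  return ok ? 0 : 1;
}
```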
Nov 14 2016
Removing the Needs-Bisect label as the Fix is already landed in C#10. alancutter@: Could you please close the issue if there is no further work to be done here.
Nov 14 2017
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue. Sorry for the inconvenience if the bug really should have been left as Available. If you change it back, also remove the "Hotlist-Recharge-Cold" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Nov 14 2017
Nov 14
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue. Sorry for the inconvenience if the bug really should have been left as Available. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Nov 15
I'll try throwing in an initial size for the view of the SVGImage. No indication that it will help anything though. The size is (potentially) updated by each Draw(), so in a sense setting an initial size will just hide bugs caused by degenerate views.
Nov 19
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/eea1d1c8765953e8f0b8f38a46ba767c94e78d32

commit eea1d1c8765953e8f0b8f38a46ba767c94e78d32
Author: Fredrik Söderquist <fs@opera.com>
Date: Mon Nov 19 17:33:02 2018

Add test for viewport units in SVG-in-<img> context

Bug: 650147
Change-Id: I4a158f600acb733477d33ebbd6a504490a5b54a4
Reviewed-on: https://chromium-review.googlesource.com/c/1341836
Commit-Queue: Fredrik Söderquist <fs@opera.com>
Reviewed-by: Philip Rogers <pdr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#609346}

[add] https://crrev.com/eea1d1c8765953e8f0b8f38a46ba767c94e78d32/third_party/WebKit/LayoutTests/external/wpt/svg/embedded/image-embedding-svg-with-viewport-units.svg
[add] https://crrev.com/eea1d1c8765953e8f0b8f38a46ba767c94e78d32/third_party/WebKit/LayoutTests/external/wpt/svg/embedded/support/green-rect-100x100.svg
Nov 19
The issue (post fix in c#10) no longer reproduces. Added a test to try to avoid it reappearing.
Nov 20
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/2ede9326be5d20d3032a82a48dca543499feabdd

commit 2ede9326be5d20d3032a82a48dca543499feabdd
Author: Fredrik Söderquist <fs@opera.com>
Date: Tue Nov 20 19:35:33 2018

Add one more test for viewport units in SVG-in-<img> context

This one using inline style instead of presentation attributes.

Bug: 650147
Change-Id: I00ee6c52b95803a928dd0b95a33da89f531a05ac
Reviewed-on: https://chromium-review.googlesource.com/c/1344102
Reviewed-by: Philip Rogers <pdr@chromium.org>
Commit-Queue: Fredrik Söderquist <fs@opera.com>
Cr-Commit-Position: refs/heads/master@{#609772}

[add] https://crrev.com/2ede9326be5d20d3032a82a48dca543499feabdd/third_party/WebKit/LayoutTests/external/wpt/svg/embedded/image-embedding-svg-with-viewport-units-inline-style.svg
Comment 1 by timloh@chromium.org
, Sep 26 2016