1362419 - Assertion failure: !IsNaN(value) (The value should not be NaN), @[/home/worker/workspace/build/src/layout/style/nsCSSScanner.cpp:953]

Status: RESOLVED DUPLICATE of bug 1355135

(Core :: Layout, defect, P3)

Description

[Jason Kratzer [:jkratzer]]

Attachment: Testcase

Testcase found while fuzzing mozilla-central rev 20170504-0b255199db9d.

Assertion failure: !IsNaN(value) (The value should not be NaN), at /home/worker/workspace/build/src/layout/style/nsCSSScanner.cpp:953

ASAN:DEADLYSIGNAL
=================================================================
==23702==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fed69f14f57 bp 0x7ffc4de31da0 sp 0x7ffc4de31c40 T0)
==23702==The signal is caused by a WRITE memory access.
==23702==Hint: address points to the zero page.
    #0 0x7fed69f14f56 in nsCSSScanner::ScanNumber(nsCSSToken&) /home/worker/workspace/build/src/layout/style/nsCSSScanner.cpp:824:5
    #1 0x7fed69f15c69 in nsCSSScanner::Next(nsCSSToken&, nsCSSScannerExclude) /home/worker/workspace/build/src/layout/style/nsCSSScanner.cpp:1268:12
    #2 0x7fed69f5e849 in (anonymous namespace)::CSSParserImpl::GetToken(bool) /home/worker/workspace/build/src/layout/style/nsCSSParser.cpp:3116:20
    #3 0x7fed69f76d43 in (anonymous namespace)::CSSParserImpl::ParseCalcTerm(nsCSSValue&, unsigned int&) /home/worker/workspace/build/src/layout/style/nsCSSParser.cpp:13803:8
    #4 0x7fed69f76778 in (anonymous namespace)::CSSParserImpl::ParseCalcMultiplicativeExpression(nsCSSValue&, unsigned int&, bool*) /home/worker/workspace/build/src/layout/style/nsCSSParser.cpp:13699:10
    #5 0x7fed69f76314 in (anonymous namespace)::CSSParserImpl::ParseCalcAdditiveExpression(nsCSSValue&, unsigned int&) /home/worker/workspace/build/src/layout/style/nsCSSParser.cpp:13636:10
    #6 0x7fed69f6a548 in (anonymous namespace)::CSSParserImpl::ParseCalc(nsCSSValue&, unsigned int) /home/worker/workspace/build/src/layout/style/nsCSSParser.cpp:13599:10
    #7 0x7fed69f664e4 in (anonymous namespace)::CSSParserImpl::ParseVariant(nsCSSValue&, unsigned int, nsCSSProps::KTableEntry const*) /home/worker/workspace/build/src/layout/style/nsCSSParser.cpp:7962:10
    #8 0x7fed69f654f6 in (anonymous namespace)::CSSParserImpl::ParseNonNegativeVariant(nsCSSValue&, int, nsCSSProps::KTableEntry const*) /home/worker/workspace/build/src/layout/style/nsCSSParser.cpp:7594:27
    #9 0x7fed69f84910 in (anonymous namespace)::CSSParserImpl::ParseBoxCornerRadius(nsCSSPropertyID) /home/worker/workspace/build/src/layout/style/nsCSSParser.cpp:11271:7
    #10 0x7fed69f804f6 in (anonymous namespace)::CSSParserImpl::ParsePropertyByFunction(nsCSSPropertyID) /home/worker/workspace/build/src/layout/style/nsCSSParser.cpp:11742:12
    #11 0x7fed69f7dee3 in (anonymous namespace)::CSSParserImpl::ParseProperty(nsCSSPropertyID) /home/worker/workspace/build/src/layout/style/nsCSSParser.cpp:11488:16
    #12 0x7fed69f7cd91 in (anonymous namespace)::CSSParserImpl::ParseDeclaration(mozilla::css::Declaration*, unsigned int, bool, bool*, (anonymous namespace)::CSSParserImpl::nsCSSContextType) /home/worker/workspace/build/src/layout/style/nsCSSParser.cpp:7257:10
    #13 0x7fed69f7c3ee in (anonymous namespace)::CSSParserImpl::ParseDeclarationBlock(unsigned int, (anonymous namespace)::CSSParserImpl::nsCSSContextType) /home/worker/workspace/build/src/layout/style/nsCSSParser.cpp:6661:10
    #14 0x7fed69f5ef0d in (anonymous namespace)::CSSParserImpl::ParseRuleSet(void (*)(mozilla::css::Rule*, void*), void*, bool) /home/worker/workspace/build/src/layout/style/nsCSSParser.cpp:5403:42
    #15 0x7fed69ee92fb in (anonymous namespace)::CSSParserImpl::ParseRule(nsAString const&, nsIURI*, nsIURI*, nsIPrincipal*, mozilla::css::Rule**) /home/worker/workspace/build/src/layout/style/nsCSSParser.cpp:1885:7

Comment 1

[Ryan VanderMeulen [:RyanVM]]

Dupe of bug 1355135?

Comment 2

[Hiroyuki Ikezoe (:hiro)]

Looks a dupe. Thank you, Ryan!