LibWeb: Crash on CSS calc() with multiplication/division on dimensions

[sw]

Crashing website: https://www.oev-info.ch/de

I'm new to the project and have been trying to investigate this, so below is my speculation:

The CSS somewhere has calc(18em / 18em), which is parsed to ProductCalculationNode{18em, InvertCalculationNode{18em}}. This then causes a verification failure in CSSMathValue::CalculationResult::multiply_by.

https://www.w3.org/TR/css-values-4/#calc-simplification says about simplification:

7. If root is an Invert node:
   1. If root’s child is a number (not a percentage or dimension) return the reciprocal of the child’s value.
   2. If root’s child is an Invert node, return the child’s child.
   3. Return root.

I'm interpreting this to mean that InvertCalculationNode should only be used on Integer or Number.

But https://drafts.css-houdini.org/css-typed-om-1/ has a more sophisticated approach where you have to keep track of the exponent of the type. It looks like CSSNumericType supports these exponents, but CSSMathValue doesn't.