From 18cf540bfbe2d36e830c82a9fe43b64722e2453c Mon Sep 17 00:00:00 2001
From: Aliaksandr Kalenik <kalenik.aliaksandr@gmail.com>
Date: Mon, 8 Sep 2025 17:50:49 +0200
Subject: [PATCH] LibWeb: Fix crashing in
 `LengthOrAutoOrCalculated::without_auto()`

...when `LengthOrAutoOrCalculated` holds calculated value. We were
incorrectly assuming that if contained value is not auto, then it must
be a length.

Fixes crashing on https://hollowknightsilksong.com/
---
 Libraries/LibWeb/CSS/CalculatedOr.cpp               |  2 ++
 .../crash-tests/img-with-calc-inside-sizes-attr.txt | 13 +++++++++++++
 .../img-with-calc-inside-sizes-attr.html            |  1 +
 3 files changed, 16 insertions(+)
 create mode 100644 Tests/LibWeb/Layout/expected/crash-tests/img-with-calc-inside-sizes-attr.txt
 create mode 100644 Tests/LibWeb/Layout/input/crash-tests/img-with-calc-inside-sizes-attr.html

diff --git a/Libraries/LibWeb/CSS/CalculatedOr.cpp b/Libraries/LibWeb/CSS/CalculatedOr.cpp
index 5eb4485ae39..f89c8a0b08c 100644
--- a/Libraries/LibWeb/CSS/CalculatedOr.cpp
+++ b/Libraries/LibWeb/CSS/CalculatedOr.cpp
@@ -89,6 +89,8 @@ bool LengthOrAutoOrCalculated::is_auto() const
 LengthOrCalculated LengthOrAutoOrCalculated::without_auto() const
 {
     VERIFY(!is_auto());
+    if (is_calculated())
+        return calculated();
     return value().length();
 }
 
diff --git a/Tests/LibWeb/Layout/expected/crash-tests/img-with-calc-inside-sizes-attr.txt b/Tests/LibWeb/Layout/expected/crash-tests/img-with-calc-inside-sizes-attr.txt
new file mode 100644
index 00000000000..92072d06efc
--- /dev/null
+++ b/Tests/LibWeb/Layout/expected/crash-tests/img-with-calc-inside-sizes-attr.txt
@@ -0,0 +1,13 @@
+Viewport <#document> at [0,0] [0+0+0 800 0+0+0] [0+0+0 600 0+0+0] children: not-inline
+  BlockContainer <html> at [0,0] [0+0+0 800 0+0+0] [0+0+0 34 0+0+0] [BFC] children: not-inline
+    BlockContainer <body> at [8,8] [8+0+0 784 0+0+8] [8+0+0 18 0+0+8] children: inline
+      frag 0 from ImageBox start: 0, length: 0, rect: [8,21 0x0] baseline: 0
+      ImageBox <img> at [8,21] [0+0+0 0 0+0+0] [0+0+0 0 0+0+0] children: not-inline
+
+ViewportPaintable (Viewport<#document>) [0,0 800x600]
+  PaintableWithLines (BlockContainer<HTML>) [0,0 800x34]
+    PaintableWithLines (BlockContainer<BODY>) [8,8 784x18]
+      ImagePaintable (ImageBox<IMG>) [8,21 0x0]
+
+SC for Viewport<#document> [0,0 800x600] [children: 1] (z-index: auto)
+ SC for BlockContainer<HTML> [0,0 800x34] [children: 0] (z-index: auto)
diff --git a/Tests/LibWeb/Layout/input/crash-tests/img-with-calc-inside-sizes-attr.html b/Tests/LibWeb/Layout/input/crash-tests/img-with-calc-inside-sizes-attr.html
new file mode 100644
index 00000000000..f9159d72237
--- /dev/null
+++ b/Tests/LibWeb/Layout/input/crash-tests/img-with-calc-inside-sizes-attr.html
@@ -0,0 +1 @@
+<!doctype html><img sizes="calc(90vw - 32px), 33vw">
\ No newline at end of file