202878 2019-10-11 23:18:09 -0700 [iOS] Crash in WebCore::DOMWindow::incrementScrollEventListenersCount 2019-10-15 16:37:01 -0700 1 1 1 Unclassified WebKit DOM WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 rniwa rniwa achristensen cdumez darin dbates esprehn+autocc ews-watchlist kangil.han koivisto wenson_hsieh oldest_to_newest 1579398 0 rniwa 2019-10-11 23:18:09 -0700 e.g. 0 com.apple.WebCore 0x0000000106a24527 WebCore::DOMWindow::incrementScrollEventListenersCount() + 7 1 com.apple.WebCore 0x000000010656fa29 WebCore::Node::addEventListener(WTF::AtomString const&, WTF::Ref<WebCore::EventListener, WTF::DumbPtrTraits<WebCore::EventListener> >&&, WebCore::EventTarget::AddEventListenerOptions const&) + 441 2 com.apple.WebCore 0x000000010654c30a WebCore::EventTarget::setAttributeEventListener(WTF::AtomString const&, WTF::RefPtr<WebCore::EventListener, WTF::DumbPtrTraits<WebCore::EventListener> >&&, WebCore::DOMWrapperWorld&) + 474 3 com.apple.WebCore 0x0000000106277aed WebCore::setEventHandlerAttribute(JSC::ExecState&, JSC::JSObject&, WebCore::EventTarget&, WTF::AtomString const&, JSC::JSValue) + 285 4 com.apple.WebCore 0x0000000105aa948b WebCore::setJSDocumentOnscroll(JSC::ExecState*, long long, long long) + 107 5 JavaScriptCore 0x00000001050cf19f JSC::callCustomSetter(JSC::ExecState*, JSC::JSValue, bool, JSC::JSObject*, JSC::JSValue, JSC::JSValue) + 31 6 JavaScriptCore 0x000000010517f922 JSC::JSObject::putInlineSlow(JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 994 7 JavaScriptCore 0x0000000105170126 JSC::JSObject::put(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 486 8 JavaScriptCore 0x0000000104f3ac4c llint_slow_path_put_by_val + 1772 <rdar://problem/55609133> 1579404 1 380820 rniwa 2019-10-11 23:40:45 -0700 Created attachment 380820 Fixes the crash 1579480 2 rniwa 2019-10-12 23:26:21 -0700 Committed r251057: <https://trac.webkit.org/changeset/251057> 1580160 3 380820 darin 2019-10-15 10:34:08 -0700 Comment on attachment 380820 Fixes the crash View in context: https://bugs.webkit.org/attachment.cgi?id=380820&action=review > Source/WebCore/dom/Node.cpp:2119 > + targetNode->document().domWindow()->incrementScrollEventListenersCount(); Should use window-> here. 1580348 4 rniwa 2019-10-15 15:54:23 -0700 Committed r251165: <https://trac.webkit.org/changeset/251165> 1580366 5 rniwa 2019-10-15 16:37:01 -0700 (In reply to Darin Adler from comment #3) > Comment on attachment 380820 [details] > Fixes the crash > > View in context: > https://bugs.webkit.org/attachment.cgi?id=380820&action=review > > > Source/WebCore/dom/Node.cpp:2119 > > + targetNode->document().domWindow()->incrementScrollEventListenersCount(); > > Should use window-> here. Oops, not sure what happened there. Fixed that. 380820 2019-10-11 23:40:45 -0700 2019-10-12 09:29:56 -0700 Fixes the crash bug-202878-20191011234045.patch text/plain 4641 rniwa U3VidmVyc2lvbiBSZXZpc2lvbjogMjUxMDQxCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggOTQ3NjAxNzE2ZmU0NGYw MmRlN2I1NWNkMWM2OGRjMjhjYzA4OGExMy4uMGNlZDk4YmNhYWUxN2YxNjY3YjYyNjFjY2NjMTlj YTMwNTRmYTBlMCAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE4IEBACisyMDE5LTEwLTExICBSeW9z dWtlIE5pd2EgIDxybml3YUB3ZWJraXQub3JnPgorCisgICAgICAgIFtpT1NdIENyYXNoIGluIFdl YkNvcmU6OkRPTVdpbmRvdzo6aW5jcmVtZW50U2Nyb2xsRXZlbnRMaXN0ZW5lcnNDb3VudAorICAg ICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MjAyODc4CisKKyAg ICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgQWRkZWQgdGhlIG1p c3NpbmcgbnVsbCBjaGVjayBpbiB0cnlBZGRFdmVudExpc3RlbmVyIGFuZCB0cnlSZW1vdmVFdmVu dExpc3RlbmVyIGZvciBzY3JvbGwgZXZlbnQuCisKKyAgICAgICAgVGVzdDogZmFzdC9ldmVudHMv c2Nyb2xsLWV2ZW50LW9uLWRvY3VtZW50LXdpdGhvdXQtd2luZG93Lmh0bWwKKworICAgICAgICAq IGRvbS9Ob2RlLmNwcDoKKyAgICAgICAgKFdlYkNvcmU6OnRyeUFkZEV2ZW50TGlzdGVuZXIpOgor ICAgICAgICAoV2ViQ29yZTo6dHJ5UmVtb3ZlRXZlbnRMaXN0ZW5lcik6CisKIDIwMTktMTAtMTEg IFJvYiBCdWlzICA8cmJ1aXNAaWdhbGlhLmNvbT4KIAogICAgICAgICBDbGVhbnVwIFJ1bnRpbWVF bmFibGVkRmVhdHVyZXMgaW5jbHVkZXMKZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJDb3JlL2RvbS9O b2RlLmNwcCBiL1NvdXJjZS9XZWJDb3JlL2RvbS9Ob2RlLmNwcAppbmRleCA5ODAxYjE3MDJiZDJh MzgyMmFiZTEzYjUzYTFlYTYwMGNmN2EwMjJiLi5jZGVkN2RlMGIxYThiOGNhOWI5YjAwZGJlM2I4 ZTNhM2QyMmVlMjA2IDEwMDY0NAotLS0gYS9Tb3VyY2UvV2ViQ29yZS9kb20vTm9kZS5jcHAKKysr IGIvU291cmNlL1dlYkNvcmUvZG9tL05vZGUuY3BwCkBAIC0yMTE0LDggKzIxMTQsMTAgQEAgc3Rh dGljIGlubGluZSBib29sIHRyeUFkZEV2ZW50TGlzdGVuZXIoTm9kZSogdGFyZ2V0Tm9kZSwgY29u c3QgQXRvbVN0cmluZyYgZXZlbnQKICAgICAgICAgdGFyZ2V0Tm9kZS0+ZG9jdW1lbnQoKS5kaWRB ZGRUb3VjaEV2ZW50SGFuZGxlcigqdGFyZ2V0Tm9kZSk7CiAKICNpZiBQTEFURk9STShJT1NfRkFN SUxZKQotICAgIGlmICh0YXJnZXROb2RlID09ICZ0YXJnZXROb2RlLT5kb2N1bWVudCgpICYmIGV2 ZW50VHlwZSA9PSBldmVudE5hbWVzKCkuc2Nyb2xsRXZlbnQpCi0gICAgICAgIHRhcmdldE5vZGUt PmRvY3VtZW50KCkuZG9tV2luZG93KCktPmluY3JlbWVudFNjcm9sbEV2ZW50TGlzdGVuZXJzQ291 bnQoKTsKKyAgICBpZiAodGFyZ2V0Tm9kZSA9PSAmdGFyZ2V0Tm9kZS0+ZG9jdW1lbnQoKSAmJiBl dmVudFR5cGUgPT0gZXZlbnROYW1lcygpLnNjcm9sbEV2ZW50KSB7CisgICAgICAgIGlmIChhdXRv KiB3aW5kb3cgPSB0YXJnZXROb2RlLT5kb2N1bWVudCgpLmRvbVdpbmRvdygpKQorICAgICAgICAg ICAgdGFyZ2V0Tm9kZS0+ZG9jdW1lbnQoKS5kb21XaW5kb3coKS0+aW5jcmVtZW50U2Nyb2xsRXZl bnRMaXN0ZW5lcnNDb3VudCgpOworICAgIH0KIAogI2lmIEVOQUJMRShUT1VDSF9FVkVOVFMpCiAg ICAgaWYgKGV2ZW50TmFtZXMoKS5pc1RvdWNoUmVsYXRlZEV2ZW50VHlwZSh0YXJnZXROb2RlLT5k b2N1bWVudCgpLCBldmVudFR5cGUpKQpAQCAtMjE0OSw4ICsyMTUxLDEwIEBAIHN0YXRpYyBpbmxp bmUgYm9vbCB0cnlSZW1vdmVFdmVudExpc3RlbmVyKE5vZGUqIHRhcmdldE5vZGUsIGNvbnN0IEF0 b21TdHJpbmcmIGV2CiAgICAgICAgIHRhcmdldE5vZGUtPmRvY3VtZW50KCkuZGlkUmVtb3ZlVG91 Y2hFdmVudEhhbmRsZXIoKnRhcmdldE5vZGUpOwogCiAjaWYgUExBVEZPUk0oSU9TX0ZBTUlMWSkK LSAgICBpZiAodGFyZ2V0Tm9kZSA9PSAmdGFyZ2V0Tm9kZS0+ZG9jdW1lbnQoKSAmJiBldmVudFR5 cGUgPT0gZXZlbnROYW1lcygpLnNjcm9sbEV2ZW50KQotICAgICAgICB0YXJnZXROb2RlLT5kb2N1 bWVudCgpLmRvbVdpbmRvdygpLT5kZWNyZW1lbnRTY3JvbGxFdmVudExpc3RlbmVyc0NvdW50KCk7 CisgICAgaWYgKHRhcmdldE5vZGUgPT0gJnRhcmdldE5vZGUtPmRvY3VtZW50KCkgJiYgZXZlbnRU eXBlID09IGV2ZW50TmFtZXMoKS5zY3JvbGxFdmVudCkgeworICAgICAgICBpZiAoYXV0byogd2lu ZG93ID0gdGFyZ2V0Tm9kZS0+ZG9jdW1lbnQoKS5kb21XaW5kb3coKSkKKyAgICAgICAgICAgIHdp bmRvdy0+ZGVjcmVtZW50U2Nyb2xsRXZlbnRMaXN0ZW5lcnNDb3VudCgpOworICAgIH0KIAogI2lm IEVOQUJMRShUT1VDSF9FVkVOVFMpCiAgICAgaWYgKGV2ZW50TmFtZXMoKS5pc1RvdWNoUmVsYXRl ZEV2ZW50VHlwZSh0YXJnZXROb2RlLT5kb2N1bWVudCgpLCBldmVudFR5cGUpKQpkaWZmIC0tZ2l0 IGEvTGF5b3V0VGVzdHMvQ2hhbmdlTG9nIGIvTGF5b3V0VGVzdHMvQ2hhbmdlTG9nCmluZGV4IDIy OTYzMWVhZGJjMjExYTI4YWE3MTM3ODNiOGE0YWVkYWY0MjcwZDIuLjkxZjM3ZmQzMWVkMGZhMDI5 ZDk4YTVjOWRkNWY1ZjU1NDQ0MmU0NzMgMTAwNjQ0Ci0tLSBhL0xheW91dFRlc3RzL0NoYW5nZUxv ZworKysgYi9MYXlvdXRUZXN0cy9DaGFuZ2VMb2cKQEAgLTEsMyArMSwxNSBAQAorMjAxOS0xMC0x MSAgUnlvc3VrZSBOaXdhICA8cm5pd2FAd2Via2l0Lm9yZz4KKworICAgICAgICBbaU9TXSBDcmFz aCBpbiBXZWJDb3JlOjpET01XaW5kb3c6OmluY3JlbWVudFNjcm9sbEV2ZW50TGlzdGVuZXJzQ291 bnQKKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTIwMjg3 OAorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIEFkZGVk IGEgcmVncmVzc2lvbiB0ZXN0IGZvciB0aGUgY3Jhc2guCisKKyAgICAgICAgKiBmYXN0L2V2ZW50 cy9zY3JvbGwtZXZlbnQtb24tZG9jdW1lbnQtd2l0aG91dC13aW5kb3ctZXhwZWN0ZWQudHh0OiBB ZGRlZC4KKyAgICAgICAgKiBmYXN0L2V2ZW50cy9zY3JvbGwtZXZlbnQtb24tZG9jdW1lbnQtd2l0 aG91dC13aW5kb3cuaHRtbDogQWRkZWQuCisKIDIwMTktMTAtMTEgIERldmluIFJvdXNzbyAgPGRy b3Vzc29AYXBwbGUuY29tPgogCiAgICAgICAgIFdlYiBJbnNwZWN0b3I6IERlYnVnZ2VyOiBzdXBw b3J0IHBhdHRlcm4gYmxhY2tib3hpbmcKZGlmZiAtLWdpdCBhL0xheW91dFRlc3RzL2Zhc3QvZXZl bnRzL3Njcm9sbC1ldmVudC1vbi1kb2N1bWVudC13aXRob3V0LXdpbmRvdy1leHBlY3RlZC50eHQg Yi9MYXlvdXRUZXN0cy9mYXN0L2V2ZW50cy9zY3JvbGwtZXZlbnQtb24tZG9jdW1lbnQtd2l0aG91 dC13aW5kb3ctZXhwZWN0ZWQudHh0Cm5ldyBmaWxlIG1vZGUgMTAwNjQ0CmluZGV4IDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAuLjgxMGUzZmY2MmM0MWFjOThiZjk0MjQ2 N2MxZjY0ODY1NDU0NTM0YjMKLS0tIC9kZXYvbnVsbAorKysgYi9MYXlvdXRUZXN0cy9mYXN0L2V2 ZW50cy9zY3JvbGwtZXZlbnQtb24tZG9jdW1lbnQtd2l0aG91dC13aW5kb3ctZXhwZWN0ZWQudHh0 CkBAIC0wLDAgKzEsMyBAQAorVGhpcyB0ZXN0cyBhZGQgc2Nyb2xsIGV2ZW50IGxpc3RlbmVyIHRv IGEgZG9jdW1lbnQgd2l0aG91dCBicm93c2luZyBjb250ZXh0LiBXZWJLaXQgc2hvdWxkIG5vdCBj cmFzaC4KKworUEFTUwpkaWZmIC0tZ2l0IGEvTGF5b3V0VGVzdHMvZmFzdC9ldmVudHMvc2Nyb2xs LWV2ZW50LW9uLWRvY3VtZW50LXdpdGhvdXQtd2luZG93Lmh0bWwgYi9MYXlvdXRUZXN0cy9mYXN0 L2V2ZW50cy9zY3JvbGwtZXZlbnQtb24tZG9jdW1lbnQtd2l0aG91dC13aW5kb3cuaHRtbApuZXcg ZmlsZSBtb2RlIDEwMDY0NAppbmRleCAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwLi44ZDA0OGNiYzY0MTg5MzZhMmQ2YTFiMDkyY2NkN2QwNDNmZWFiOGYzCi0tLSAvZGV2 L251bGwKKysrIGIvTGF5b3V0VGVzdHMvZmFzdC9ldmVudHMvc2Nyb2xsLWV2ZW50LW9uLWRvY3Vt ZW50LXdpdGhvdXQtd2luZG93Lmh0bWwKQEAgLTAsMCArMSwxOSBAQAorPCFET0NUWVBFIGh0bWw+ Cis8aHRtbD4KKzxib2R5PgorPHA+VGhpcyB0ZXN0cyBhZGQgc2Nyb2xsIGV2ZW50IGxpc3RlbmVy IHRvIGEgZG9jdW1lbnQgd2l0aG91dCBicm93c2luZyBjb250ZXh0LiBXZWJLaXQgc2hvdWxkIG5v dCBjcmFzaC48L3A+Cis8c2NyaXB0PgorCitpZiAod2luZG93LnRlc3RSdW5uZXIpCisgICAgdGVz dFJ1bm5lci5kdW1wQXNUZXh0KCk7CisKK2NvbnN0IGRvYyA9IGRvY3VtZW50LmltcGxlbWVudGF0 aW9uLmNyZWF0ZUhUTUxEb2N1bWVudCgpOworZnVuY3Rpb24gbGlzdG5lcigpIHsgfQorZG9jLmFk ZEV2ZW50TGlzdGVuZXIoJ3Njcm9sbCcsIGxpc3RuZXIpOworZG9jLnJlbW92ZUV2ZW50TGlzdGVu ZXIoJ3Njcm9sbCcsIGxpc3RuZXIpOworCitkb2N1bWVudC53cml0ZSgnUEFTUycpOworCis8L3Nj cmlwdD4KKzwvYm9keT4KKzwvaHRtbD4K