Bug 156997

Summary: Crash under WebCore::MutationObserver::deliverAllMutations()
Product: WebKit Reporter: Chris Dumez <cdumez>
Component: DOMAssignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED    
Severity: Normal CC: commit-queue, esprehn+autocc, ggaren, kangil.han, rniwa, sam, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch none

Chris Dumez
Reported 2016-04-25 14:49:51 PDT
Crash under WebCore::MutationObserver::deliverAllMutations(): Thread[0] EXC_BAD_ACCESS (SIGSEGV) (KERN_INVALID_ADDRESS at 0x00000000000000b0) [ 0] 0x00007fff84d4ddad WebCore`WebCore::MutationObserver::deliverAllMutations() [inlined] WTF::RefPtr<WebCore::MutationCallback>::operator->() const at ScriptExecutionContext.h:98 94 virtual void suspendActiveDOMObjects(ActiveDOMObject::ReasonForSuspension); 95 virtual void resumeActiveDOMObjects(ActiveDOMObject::ReasonForSuspension); 96 virtual void stopActiveDOMObjects(); 97 -> 98 bool activeDOMObjectsAreSuspended() const { return m_activeDOMObjectsAreSuspended; } 99 bool activeDOMObjectsAreStopped() const { return m_activeDOMObjectsAreStopped; } 100 101 // Called from the constructor and destructors of ActiveDOMObject. 102 void didCreateActiveDOMObject(ActiveDOMObject*); 0x00007fff84d4dda0: movq (%r15), %rax 0x00007fff84d4dda3: movq 0x8(%rax), %rdi 0x00007fff84d4dda7: movq (%rdi), %rax 0x00007fff84d4ddaa: callq *0x18(%rax) -> 0x00007fff84d4ddad: cmpb $0x0, 0xb0(%rax) 0x00007fff84d4ddb4: jne 0x139eb1 ; <+433> at MutationObserver.cpp:221 0x00007fff84d4ddba: cmpb $0x1, 0xed44ef(%rip) ; WebCore::suspendedMutationObservers()::suspendedObservers + 7 0x00007fff84d4ddc1: jne 0x139dd0 ; <+208> [inlined] WebCore::suspendedMutationObservers() + 15 at MutationObserver.cpp:225 0x00007fff84d4ddc3: movq 0xed44de(%rip), %rbx ; WebCore::suspendedMutationObservers()::suspendedObservers [ 0] 0x00007fff84d4ddad WebCore`WebCore::MutationObserver::deliverAllMutations() [inlined] WTF::Vector<WTF::RefPtr<WebCore::MutationObserver>, 0ul, WTF::CrashOnOverflow>::operator[](unsigned long) + 25 at MutationObserver.cpp:184 180 } 181 182 bool MutationObserver::canDeliver() 183 { -> 184 return !m_callback->scriptExecutionContext()->activeDOMObjectsAreSuspended(); 185 } 186 187 void MutationObserver::deliver() 188 { [ 0] 0x00007fff84d4dd94 WebCore`WebCore::MutationObserver::deliverAllMutations() + 148 at MutationObserver.cpp:222 218 if (!suspendedMutationObservers().isEmpty()) { 219 Vector<RefPtr<MutationObserver> > suspended; 220 copyToVector(suspendedMutationObservers(), suspended); 221 for (size_t i = 0; i < suspended.size(); ++i) { -> 222 if (!suspended[i]->canDeliver()) 223 continue; 224 225 suspendedMutationObservers().remove(suspended[i]); 226 activeMutationObservers().add(suspended[i]); [ 1] 0x00007fff84e393df WebCore`WebCore::JSMainThreadExecState::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) [inlined] WebCore::JSMainThreadExecState::~JSMainThreadExecState() + 18 at JSMainThreadExecState.h:97 93 94 s_mainThreadState = m_previousState; 95 96 if (didExitJavaScript) -> 97 didLeaveScriptContext(); 98 } 99 100 private: 101 static JSC::ExecState* s_mainThreadState; 0x00007fff84e393d1: je 0x2253e2 ; <+178> [inlined] WebCore::JSMainThreadExecState::~JSMainThreadExecState() + 21 at JSMainThreadExecState.h:89 0x00007fff84e393d3: movq %r14, (%r15) 0x00007fff84e393d6: testq %r14, %r14 0x00007fff84e393d9: jne 0x2253e5 ; <+181> at JSMainThreadExecState.h:57 -> 0x00007fff84e393db: callq 0x13b9a0 ; WebCore::JSMainThreadExecState::didLeaveScriptContext at JSMainThreadExecState.cpp:39 0x00007fff84e393e0: jmp 0x2253e5 ; <+181> at JSMainThreadExecState.h:57 0x00007fff84e393e2: movq %r14, (%r15) 0x00007fff84e393e5: movq %rbx, %rax 0x00007fff84e393e8: addq $0x18, %rsp [ 1] 0x00007fff84e393cd WebCore`WebCore::JSMainThreadExecState::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) [inlined] WebCore::JSMainThreadExecState::~JSMainThreadExecState() at JSMainThreadExecState.h:89 [ 1] 0x00007fff84e393cd WebCore`WebCore::JSMainThreadExecState::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 157 at JSMainThreadExecState.h:57 [ 2] 0x00007fff84e7db51 WebCore`WebCore::ScheduledAction::executeFunctionInContext(JSC::JSGlobalObject*, JSC::JSValue, WebCore::ScriptExecutionContext*) + 449 at ScheduledAction.cpp:111 0x00007fff84e7db3c: leaq -0x48(%rbp), %rcx 0x00007fff84e7db40: leaq -0xc0(%rbp), %r9 0x00007fff84e7db47: movq %rbx, %rdi 0x00007fff84e7db4a: movl %r13d, %edx -> 0x00007fff84e7db4d: callq 0x225330 ; WebCore::JSMainThreadExecState::call at JSMainThreadExecState.h:51 0x00007fff84e7db52: jmp 0x269b81 ; <+497> [inlined] WebCore::InspectorInstrumentation::hasFrontends() at InspectorInstrumentation.h:853 0x00007fff84e7db54: movq -0x58(%rbp), %rax 0x00007fff84e7db58: movq %rax, -0xd0(%rbp) 0x00007fff84e7db5f: movl -0xa0(%rbp), %eax
Attachments
Patch (3.71 KB, patch)
2016-04-25 15:27 PDT, Chris Dumez 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Chris Dumez
Comment 1 2016-04-25 14:50:25 PDT
rdar://problem/16542323
Chris Dumez
Comment 2 2016-04-25 15:27:42 PDT
Created attachment 277284 [details] Patch
WebKit Commit Bot
Comment 3 2016-04-25 17:12:38 PDT
Comment on attachment 277284 [details] Patch Clearing flags on attachment: 277284 Committed r200062: <http://trac.webkit.org/changeset/200062>
WebKit Commit Bot
Comment 4 2016-04-25 17:12:43 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.