| Field | Value |
|---|---|
| Summary | REGRESSION(r207669): Crash after mutating selector text |
| Product | WebKit |
| Component | CSS |
| Status | RESOLVED FIXED |
| Severity | Normal |
| Priority | P2 |
| Version | WebKit Nightly Build |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | Antti Koivisto <koivisto> |
| Assignee | Nobody <webkit-unassigned> |
| CC | barraclough, bfulgham, commit-queue, ddkilzer, ryanhaddad, webkit-bug-importer |
| Keywords | InRadar |
| Bug Depends on | 163721 |
Description
Antti Koivisto
2017-02-21 08:28:55 PST
Created attachment 302265 [details]
patch
Comment on attachment 302265 [details]
patch
Looks good. r=me
Created attachment 302278 [details]
for landing
Comment on attachment 302278 [details]
for landing

Rejecting attachment 302278 [details] from commit-queue.

Failed to run "['/Volumes/Data/EWS/WebKit/Tools/Scripts/webkit-patch', '--status-host=webkit-queues.webkit.org', '--bot-id=webkit-cq-01', 'validate-changelog', '--check-oops', '--non-interactive', 302278, '--port=mac']" exit_code: 1 cwd: /Volumes/Data/EWS/WebKit

ChangeLog entry in LayoutTests/ChangeLog contains OOPS!.

Full output: http://webkit-queues.webkit.org/results/3167051

Created attachment 302285 [details]
for landing

Comment on attachment 302285 [details]
for landing

Clearing flags on attachment: 302285

Committed r212737: <http://trac.webkit.org/changeset/212737>

All reviewed patches have been landed. Closing bug.

Reverted r212737 for reason:

This change caused an existing LayoutTest to crash.

Committed r212788: <http://trac.webkit.org/changeset/212788>

(In reply to comment #9)
> Reverted r212737 for reason:
>
> This change caused an existing LayoutTest to crash.
>
> Committed r212788: <http://trac.webkit.org/changeset/212788>

https://build.webkit.org/results/Apple%20Sierra%20Release%20WK2%20(Tests)/r212777%20(3782)/results.html

Looks like extension stylesheets may trigger synchronous call to Style::Scope::scheduleUpdate from flushPendingUpdate deleting the resolver.

```
(lldb) bt 20
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xbbadbeef)
  * frame #0: JavaScriptCore`::WTFCrash() at Assertions.cpp:323
    frame #1: WebCore`WebCore::Style::Scope::scheduleUpdate(this=0x000000011db36c60, update=ContentsOrInterpretation) at StyleScope.cpp:526
    frame #2: WebCore`WebCore::Style::Scope::didChangeStyleSheetEnvironment(this=0x000000011db36c60) at StyleScope.cpp:560
    frame #3: WebCore`WebCore::ExtensionStyleSheets::addDisplayNoneSelector(this=0x000000011dbdc540, identifier=0x000000011dab5900, selector=0x000000011dab5910, selectorID=15) at ExtensionStyleSheets.cpp:181
    frame #4: WebCore`WebCore::ContentExtensions::ContentExtensionsBackend::processContentExtensionRulesForLoad(this=0x000000011dbb70f0, url=0x00007fff588c9fc0, resourceType=Font, initiatingDocumentLoader=0x000000011db20000) at ContentExtensionsBackend.cpp:186
    frame #5: WebCore`WebCore::UserContentProvider::processContentExtensionRulesForLoad(this=0x000000011dbb7000, url=0x00007fff588c9fc0, resourceType=Font, initiatingDocumentLoader=0x000000011db20000) at UserContentProvider.cpp:108
    frame #6: WebCore`WebCore::CachedResourceLoader::requestResource(this=0x000000011db36b40, type=FontResource, request=0x00007fff588c9fc0, forPreload=No, defer=NoDefer) at CachedResourceLoader.cpp:692
    frame #7: WebCore`WebCore::CachedResourceLoader::requestFont(this=0x000000011db36b40, request=0x00007fff588c9fc0, isSVG=false) at CachedResourceLoader.cpp:204
    frame #8: WebCore`WebCore::CSSFontFaceSrcValue::cachedFont(this=0x000000011dac2508, document=0x0000000120df4000, isSVG=false, isInitiatingElementInUserAgentShadowTree=false) at CSSFontFaceSrcValue.cpp:105
    frame #9: WebCore`WebCore::CSSFontFace::appendSources(fontFace=0x000000011db6a7e0, srcList=0x000000011daac280, document=0x0000000120df4000, isInitiatingElementInUserAgentShadowTree=false) at CSSFontFace.cpp:79
    frame #10: WebCore`WebCore::CSSFontSelector::addFontFaceRule(this=0x000000011db6a540, fontFaceRule=0x000000011daae0c0, isInitiatingElementInUserAgentShadowTree=false) at CSSFontSelector.cpp:202
    frame #11: WebCore`WebCore::RuleSet::addChildRules(this=0x000000011db5f800, rules=0x000000011db8b328, medium=0x000000011db27790, resolver=0x000000011db27500, hasDocumentSecurityOrigin=true, isInitiatingElementInUserAgentShadowTree=false, addRuleFlags=RuleHasDocumentSecurityOrigin) at RuleSet.cpp:388
    frame #12: WebCore`WebCore::RuleSet::addRulesFromSheet(this=0x000000011db5f800, sheet=0x000000011db8b2e8, medium=0x000000011db27790, resolver=0x000000011db27500) at RuleSet.cpp:420
    frame #13: WebCore`WebCore::DocumentRuleSets::appendAuthorStyleSheets(this=0x000000011db27500, styleSheets=0x00007fff588cac08, medium=0x000000011db27790, inspectorCSSOMWrappers=0x000000011db277f8, resolver=0x000000011db27500) at DocumentRuleSets.cpp:96
    frame #14: WebCore`WebCore::StyleResolver::appendAuthorStyleSheets(this=0x000000011db27500, styleSheets=0x00007fff588cac08) at StyleResolver.cpp:284
    frame #15: WebCore`WebCore::Style::Scope::updateStyleResolver(this=0x000000011db36c60, activeStyleSheets=0x00007fff588cad78, updateType=Additive) at StyleScope.cpp:463
    frame #16: WebCore`WebCore::Style::Scope::updateActiveStyleSheets(this=0x000000011db36c60, updateType=ActiveSet) at StyleScope.cpp:415
    frame #17: WebCore`WebCore::Style::Scope::flushPendingSelfUpdate(this=0x000000011db36c60) at StyleScope.cpp:506
    frame #18: WebCore`WebCore::Style::Scope::flushPendingUpdate(this=0x000000011db36c60) at StyleScope.h:172
```

Created attachment 302375 [details]
patch
Comment on attachment 302375 [details]
patch
r=me. This is pretty hacky. Would be good to make content extensions not inject all that CSS synchronously.
Comment on attachment 302375 [details]
patch

Clearing flags on attachment: 302375

Committed r212828: <http://trac.webkit.org/changeset/212828>

All reviewed patches have been landed. Closing bug.