Bug 168655

Summary: REGRESSION(r207669): Crash after mutating selector text
Product: WebKit
Reporter: Antti Koivisto <koivisto>
Component: CSS
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: barraclough, bfulgham, commit-queue, ddkilzer, ryanhaddad, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Bug Depends on: 163721
Bug Blocks:
Attachments (description, flags):
patch: bfulgham: review+
for landing: commit-queue: commit-queue-
for landing: none
patch: none

Antti Koivisto
Reported 2017-02-21 08:28:55 PST
<style id=s>
body[foo] [id=d] { color: green };
</style>
<body>
<div id=d>PASS</div>
<script>
d.offsetLeft;
s.sheet.cssRules.item(0).selectorText = "body[foo]";
document.body.setAttribute("foo", "foo");
</script>
Attachments
patch (3.19 KB, patch)
2017-02-21 08:35 PST, Antti Koivisto
bfulgham: review+
for landing (3.13 KB, patch)
2017-02-21 10:14 PST, Antti Koivisto
commit-queue: commit-queue-
for landing (3.12 KB, patch)
2017-02-21 11:06 PST, Antti Koivisto
no flags
patch (4.84 KB, patch)
2017-02-22 00:07 PST, Antti Koivisto
no flags
Radar WebKit Bug Importer
Comment 1 2017-02-21 08:29:41 PST
Antti Koivisto
Comment 2 2017-02-21 08:35:22 PST
Brent Fulgham
Comment 3 2017-02-21 09:20:45 PST
Comment on attachment 302265 [details] patch

Looks good. r=me
Antti Koivisto
Comment 4 2017-02-21 10:14:11 PST
Created attachment 302278 [details] for landing
WebKit Commit Bot
Comment 5 2017-02-21 10:55:31 PST
Comment on attachment 302278 [details] for landing

Rejecting attachment 302278 [details] from commit-queue.

Failed to run "['/Volumes/Data/EWS/WebKit/Tools/Scripts/webkit-patch', '--status-host=webkit-queues.webkit.org', '--bot-id=webkit-cq-01', 'validate-changelog', '--check-oops', '--non-interactive', 302278, '--port=mac']" exit_code: 1 cwd: /Volumes/Data/EWS/WebKit

ChangeLog entry in LayoutTests/ChangeLog contains OOPS!.

Full output: http://webkit-queues.webkit.org/results/3167051
Antti Koivisto
Comment 6 2017-02-21 11:06:15 PST
Created attachment 302285 [details] for landing
WebKit Commit Bot
Comment 7 2017-02-21 12:08:34 PST
Comment on attachment 302285 [details] for landing

Clearing flags on attachment: 302285

Committed r212737: <http://trac.webkit.org/changeset/212737>
WebKit Commit Bot
Comment 8 2017-02-21 12:08:40 PST
All reviewed patches have been landed. Closing bug.
Ryan Haddad
Comment 9 2017-02-21 18:01:45 PST
Reverted r212737 for reason:

This change caused an existing LayoutTest to crash.

Committed r212788: <http://trac.webkit.org/changeset/212788>
Ryan Haddad
Comment 10 2017-02-21 18:02:19 PST
(In reply to comment #9)
> Reverted r212737 for reason:
>
> This change caused an existing LayoutTest to crash.
>
> Committed r212788: <http://trac.webkit.org/changeset/212788>

https://build.webkit.org/results/Apple%20Sierra%20Release%20WK2%20(Tests)/r212777%20(3782)/results.html
Antti Koivisto
Comment 11 2017-02-21 23:41:02 PST
Looks like extension stylesheets may trigger a synchronous call to Style::Scope::scheduleUpdate from flushPendingUpdate, deleting the resolver.

(lldb) bt 20
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xbbadbeef)
  * frame #0: JavaScriptCore`::WTFCrash() at Assertions.cpp:323
    frame #1: WebCore`WebCore::Style::Scope::scheduleUpdate(this=0x000000011db36c60, update=ContentsOrInterpretation) at StyleScope.cpp:526
    frame #2: WebCore`WebCore::Style::Scope::didChangeStyleSheetEnvironment(this=0x000000011db36c60) at StyleScope.cpp:560
    frame #3: WebCore`WebCore::ExtensionStyleSheets::addDisplayNoneSelector(this=0x000000011dbdc540, identifier=0x000000011dab5900, selector=0x000000011dab5910, selectorID=15) at ExtensionStyleSheets.cpp:181
    frame #4: WebCore`WebCore::ContentExtensions::ContentExtensionsBackend::processContentExtensionRulesForLoad(this=0x000000011dbb70f0, url=0x00007fff588c9fc0, resourceType=Font, initiatingDocumentLoader=0x000000011db20000) at ContentExtensionsBackend.cpp:186
    frame #5: WebCore`WebCore::UserContentProvider::processContentExtensionRulesForLoad(this=0x000000011dbb7000, url=0x00007fff588c9fc0, resourceType=Font, initiatingDocumentLoader=0x000000011db20000) at UserContentProvider.cpp:108
    frame #6: WebCore`WebCore::CachedResourceLoader::requestResource(this=0x000000011db36b40, type=FontResource, request=0x00007fff588c9fc0, forPreload=No, defer=NoDefer) at CachedResourceLoader.cpp:692
    frame #7: WebCore`WebCore::CachedResourceLoader::requestFont(this=0x000000011db36b40, request=0x00007fff588c9fc0, isSVG=false) at CachedResourceLoader.cpp:204
    frame #8: WebCore`WebCore::CSSFontFaceSrcValue::cachedFont(this=0x000000011dac2508, document=0x0000000120df4000, isSVG=false, isInitiatingElementInUserAgentShadowTree=false) at CSSFontFaceSrcValue.cpp:105
    frame #9: WebCore`WebCore::CSSFontFace::appendSources(fontFace=0x000000011db6a7e0, srcList=0x000000011daac280, document=0x0000000120df4000, isInitiatingElementInUserAgentShadowTree=false) at CSSFontFace.cpp:79
    frame #10: WebCore`WebCore::CSSFontSelector::addFontFaceRule(this=0x000000011db6a540, fontFaceRule=0x000000011daae0c0, isInitiatingElementInUserAgentShadowTree=false) at CSSFontSelector.cpp:202
    frame #11: WebCore`WebCore::RuleSet::addChildRules(this=0x000000011db5f800, rules=0x000000011db8b328, medium=0x000000011db27790, resolver=0x000000011db27500, hasDocumentSecurityOrigin=true, isInitiatingElementInUserAgentShadowTree=false, addRuleFlags=RuleHasDocumentSecurityOrigin) at RuleSet.cpp:388
    frame #12: WebCore`WebCore::RuleSet::addRulesFromSheet(this=0x000000011db5f800, sheet=0x000000011db8b2e8, medium=0x000000011db27790, resolver=0x000000011db27500) at RuleSet.cpp:420
    frame #13: WebCore`WebCore::DocumentRuleSets::appendAuthorStyleSheets(this=0x000000011db27500, styleSheets=0x00007fff588cac08, medium=0x000000011db27790, inspectorCSSOMWrappers=0x000000011db277f8, resolver=0x000000011db27500) at DocumentRuleSets.cpp:96
    frame #14: WebCore`WebCore::StyleResolver::appendAuthorStyleSheets(this=0x000000011db27500, styleSheets=0x00007fff588cac08) at StyleResolver.cpp:284
    frame #15: WebCore`WebCore::Style::Scope::updateStyleResolver(this=0x000000011db36c60, activeStyleSheets=0x00007fff588cad78, updateType=Additive) at StyleScope.cpp:463
    frame #16: WebCore`WebCore::Style::Scope::updateActiveStyleSheets(this=0x000000011db36c60, updateType=ActiveSet) at StyleScope.cpp:415
    frame #17: WebCore`WebCore::Style::Scope::flushPendingSelfUpdate(this=0x000000011db36c60) at StyleScope.cpp:506
    frame #18: WebCore`WebCore::Style::Scope::flushPendingUpdate(this=0x000000011db36c60) at StyleScope.h:172
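A toy C++ model of the re-entrancy this backtrace shows, added here as an illustration; it is not WebKit code and not the patch that landed. `Scope`, `Resolver`, `onRuleAdded` and the `deferReentrantUpdates` guard are assumed names for the model, and the deferral guard is one way to close the window, not necessarily what r212828 did.

```cpp
#include <functional>
#include <memory>
#include <string>
#include <vector>

// Toy model of the re-entrancy in comment 11 (not WebKit code): while Scope
// rebuilds its resolver from the active sheets, adding a rule can synchronously
// call back into scheduleUpdate(), which destroys the resolver still in use.
struct Resolver { std::vector<std::string> rules; };
class Scope {
public:
    // Models the font load -> content extension -> didChangeStyleSheetEnvironment
    // path: invoked synchronously for every rule added to the resolver.
    std::function<void(Scope&)> onRuleAdded;
    explicit Scope(bool deferReentrantUpdates) : m_defer(deferReentrantUpdates) {}
    // Models Style::Scope::scheduleUpdate: invalidates the current resolver.
    void scheduleUpdate() {
        if (m_defer && m_updating) { // hardened variant (assumption): defer while updating
            m_pendingUpdate = true;
            return;
        }
        m_resolver.reset();          // unguarded: drops the resolver mid-update
        m_pendingUpdate = true;
    }
    // Models flushPendingUpdate -> updateActiveStyleSheets -> addRulesFromSheet.
    // Returns false if the resolver was destroyed while rules were still being added.
    bool flushPendingUpdate(const std::vector<std::string>& sheets) {
        m_updating = true;
        m_pendingUpdate = false;
        m_resolver = std::make_unique<Resolver>();
        bool survived = true;
        for (const auto& rule : sheets) {
            if (!m_resolver) { survived = false; break; } // use-after-free in the real code
            m_resolver->rules.push_back(rule);
            if (onRuleAdded) onRuleAdded(*this);
        }
        m_updating = false;
        return survived;
    }
private:
    bool m_defer;
    bool m_updating = false;
    bool m_pendingUpdate = false;
    std::unique_ptr<Resolver> m_resolver;
};
// Scenario: a sheet whose first rule triggers a synchronous scheduleUpdate().
bool resolverSurvivesUpdate(bool deferReentrantUpdates) {
    Scope scope(deferReentrantUpdates);
    bool fired = false;
    scope.onRuleAdded = [&](Scope& s) { if (!fired) { fired = true; s.scheduleUpdate(); } };
    return scope.flushPendingUpdate({"@font-face { src: url(x) }", "body[foo] [id=d] { color: green }"});
}
```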
Antti Koivisto
Comment 12 2017-02-22 00:07:26 PST
Andreas Kling
Comment 13 2017-02-22 05:21:20 PST
Comment on attachment 302375 [details] patch

r=me. This is pretty hacky. Would be good to make content extensions not inject all that CSS synchronously.
WebKit Commit Bot
Comment 14 2017-02-22 06:47:53 PST
Comment on attachment 302375 [details] patch

Clearing flags on attachment: 302375

Committed r212828: <http://trac.webkit.org/changeset/212828>
WebKit Commit Bot
Comment 15 2017-02-22 06:48:00 PST
All reviewed patches have been landed. Closing bug.