Bug 173347

Summary: Crash in WebCore::RenderStyle::colorIncludingFallback.
Product: WebKit
Reporter: zalan <zalan>
Component: Layout and Rendering
Assignee: zalan <zalan>
Status: RESOLVED FIXED
Severity: Normal
CC: bfulgham, buildbot, cdumez, commit-queue, dbates, japhet, rniwa, simon.fraser, zalan
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified

zalan
Reported 2017-06-13 20:06:13 PDT
rdar://problem/32675317

0 WebCore 0x00000001a650261c WebCore::RenderStyle::colorIncludingFallback(int, bool) const + 564 (Ref.h:137)
1 WebCore 0x00000001a6502308 WebCore::RenderStyle::visitedDependentColor(int) const + 44 (RenderStyle.cpp:1790)
2 WebCore 0x00000001a6502308 WebCore::RenderStyle::visitedDependentColor(int) const + 44 (RenderStyle.cpp:1790)
3 WebCore 0x00000001a724a8c4 WebCore::RenderElement::hasBackground() const + 36 (RenderStyle.h:2150)
4 WebCore 0x00000001a726c368 WebCore::RenderElement::isVisibleInDocumentRect(WebCore::IntRect const&) const + 220 (RenderElement.cpp:1455)
5 WebCore 0x00000001a726c524 WebCore::RenderElement::imageFrameAvailable(WebCore::CachedImage&, WebCore::ImageAnimatingState, WebCore::IntRect const*) + 116 (RenderElement.cpp:1501)
6 WebCore 0x00000001a66f9834 WebCore::CachedImage::imageFrameAvailable(WebCore::Image const&, WebCore::ImageAnimatingState, WebCore::IntRect const*) + 316 (CachedImage.cpp:534)
7 WebCore 0x00000001a66f96dc WebCore::CachedImage::CachedImageObserver::imageFrameAvailable(WebCore::Image const&, WebCore::ImageAnimatingState, WebCore::IntRect const*) + 68 (CachedImage.cpp:359)
8 WebCore 0x00000001a73a9b18 WebCore::ScrollView::repaintContentRectangle(WebCore::IntRect const&) + 220 (ScrollView.cpp:1086)
9 WebCore 0x00000001a7343f48 WebCore::RenderView::flushAccumulatedRepaintRegion() const + 64 (RenderView.cpp:697)
10 WebCore 0x00000001a7347848 WebCore::RenderView::RepaintRegionAccumulator::~RepaintRegionAccumulator() + 44 (RenderView.cpp:1473)
11 WebCore 0x00000001a68ad040 WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) + 980 (Document.cpp:1816)
12 WebCore 0x00000001a67d55e4 WebCore::updateStyleIfNeededForProperty(WebCore::Element&, WebCore::CSSPropertyID) + 108 (CSSComputedStyleDeclaration.cpp:2418)
13 WebCore 0x00000001a67c5494 WebCore::ComputedStyleExtractor::propertyValue(WebCore::CSSPropertyID, WebCore::EUpdateLayout) + 152 (CSSComputedStyleDeclaration.cpp:2625)
14 WebCore 0x00000001a74a5588 WebCore::SVGAnimationElement::computeCSSPropertyValue(WebCore::SVGElement*, WebCore::CSSPropertyID, WTF::String&) + 84 (SVGAnimationElement.cpp:632)
15 WebCore 0x00000001a74a071c WebCore::SVGAnimateElementBase::resetAnimatedType() + 636 (SVGAnimateElementBase.cpp:226)
16 WebCore 0x00000001a7513b38 WebCore::SVGSMILElement::progress(WebCore::SMILTime, WebCore::SVGSMILElement*, bool) + 404 (SVGSMILElement.cpp:1120)
17 WebCore 0x00000001a660b5e4 WebCore::SMILTimeContainer::updateAnimations(WebCore::SMILTime, bool) + 744 (SMILTimeContainer.cpp:305)
18 WebCore 0x00000001a73fe000 WebCore::SMILTimeContainer::setElapsed(WebCore::SMILTime) + 496 (SMILTimeContainer.cpp:207)
19 WebCore 0x00000001a7518d88 WebCore::SVGSVGElement::setCurrentTime(float) + 68 (SVGSVGElement.cpp:525)
20 WebCore 0x00000001a66f8ab8 WebCore::CachedImage::didAddClient(WebCore::CachedResourceClient&) + 380 (CachedImage.cpp:122)
21 WebCore 0x00000001a726a8cc WebCore::RenderElement::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) + 104 (RenderElement.cpp:337)
22 WebCore 0x00000001a6501a54 WebCore::RenderLayerModelObject::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) + 52 (RenderLayerModelObject.cpp:146)
23 WebCore 0x00000001a6501224 WebCore::RenderBox::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) + 52 (RenderBox.cpp:351)
24 WebCore 0x00000001a6500cc0 WebCore::RenderBlock::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) + 116 (RenderBlock.cpp:434)
25 WebCore 0x00000001a7234a80 WebCore::RenderBlockFlow::styleDidChange(WebCore::StyleDifference, WebCore::RenderStyle const*) + 44 (RenderBlockFlow.cpp:2072)
26 WebCore 0x00000001a734131c WebCore::RenderTreeUpdater::createRenderer(WebCore::Element&, WebCore::RenderStyle&&) + 796 (RenderTreeUpdater.cpp:359)
27 WebCore 0x00000001a73404e8 WebCore::RenderTreeUpdater::updateElementRenderer(WebCore::Element&, WebCore::Style::ElementUpdate const&) + 676 (RenderTreeUpdater.cpp:281)
28 WebCore 0x00000001a733f6d0 WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) + 648 (RenderTreeUpdater.cpp:177)
29 WebCore 0x00000001a733f3cc WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >) + 564 (RenderTreeUpdater.cpp:124)
30 WebCore 0x00000001a68aceb8 WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) + 588 (Document.cpp:1780)
31 WebCore 0x00000001a654727c WebCore::Document::finishedParsing() + 244 (Document.cpp:5021)
32 WebCore 0x00000001a6545b20 WebCore::HTMLDocumentParser::prepareToStopParsing() + 172 (HTMLDocumentParser.cpp:400)
33 WebCore 0x00000001a6545a34 WebCore::HTMLDocumentParser::finish() + 212 (HTMLDocumentParser.cpp:421)
34 WebCore 0x00000001a6545208 WebCore::DocumentWriter::end() + 92 (DocumentWriter.cpp:276)
35 WebCore 0x00000001a68cdc7c WebCore::DocumentLoader::finishedLoading() + 512 (DocumentLoader.cpp:417)
36 WebCore 0x00000001a656e4d0 WebCore::CachedResource::checkNotify() + 488 (CachedResource.cpp:303)
37 WebCore 0x00000001a66fafd0 WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) + 160 (CachedRawResource.cpp:104)
38 WebCore 0x00000001a748f440 WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) + 924 (SubresourceLoader.cpp:562)
39 WebKit 0x00000001919c9848 WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) + 240 (WebResourceLoader.cpp:151)
40 WebKit 0x00000001919ca5d8 void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) + 92 (HandleMessage.h:40)
41 WebKit 0x000000019182e5b0 WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) + 464 (NetworkProcessConnection.cpp:64)
42 WebKit 0x00000001917a3dd0 IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) + 164 (Connection.cpp:901)
43 WebKit 0x00000001917a6670 IPC::Connection::dispatchOneMessage() + 232 (Connection.cpp:959)
44 JavaScriptCore 0x000000018c87c208 WTF::RunLoop::performWork() + 344 (Function.h:50)
45 JavaScriptCore 0x000000018c87c438 WTF::RunLoop::performWork(void*) + 36 (RunLoopCF.cpp:38)
46 CoreFoundation 0x00000001894631a0 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 24 (CFRunLoop.c:1960)
47 CoreFoundation 0x00000001894629d4 __CFRunLoopDoSources0 + 276 (CFRunLoop.c:2006)
48 CoreFoundation 0x000000018946057c __CFRunLoopRun + 832 (CFRunLoop.c:2842)
49 CoreFoundation 0x000000018937b03c CFRunLoopRunSpecific + 436 (CFRunLoop.c:3148)
50 Foundation 0x000000018b097fa0 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 304 (NSRunLoop.m:367)
51 Foundation 0x000000018b0ebe10 -[NSRunLoop(NSRunLoop) run] + 88 (NSRunLoop.m:389)
52 libxpc.dylib 0x00000001ace0a9ec _xpc_objc_main + 452 (main.m:198)
53 libxpc.dylib 0x00000001ace0c850 xpc_main + 164 (init.c:1460)
54 com.apple.WebKit.WebContent 0x00000001019f359c main + 380 (XPCServiceMain.mm:148)
55 libdyld.dylib 0x00000001acb9bd1c start + 4
Attachments
Patch (5.06 KB, patch)
2017-06-13 20:11 PDT, zalan
no flags
Archive of layout-test-results from ews104 for mac-elcapitan-wk2 (1.20 MB, application/zip)
2017-06-13 21:24 PDT, Build Bot
no flags
Patch (7.35 KB, patch)
2017-06-14 10:17 PDT, zalan
no flags
Patch (7.80 KB, patch)
2017-06-14 11:30 PDT, zalan
no flags
zalan
Comment 1 2017-06-13 20:11:53 PDT
Build Bot
Comment 2 2017-06-13 21:24:09 PDT
Comment on attachment 312850
Patch

Attachment 312850 did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/3927108

New failing tests:
svg/animations/animated-svg-image-removed-from-document-paused.html
Build Bot
Comment 3 2017-06-13 21:24:11 PDT
Created attachment 312855
Archive of layout-test-results from ews104 for mac-elcapitan-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews104 Port: mac-elcapitan-wk2 Platform: Mac OS X 10.11.6
zalan
Comment 4 2017-06-14 10:17:48 PDT
Chris Dumez
Comment 5 2017-06-14 10:42:11 PDT
Comment on attachment 312903
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=312903&action=review

> Source/WebCore/loader/cache/CachedImage.cpp:126
> + m_image->startAnimation();

I'd rather move this logic to Image.h and have a startAnimationAsynchronously() there.

> Source/WebCore/loader/cache/CachedImage.cpp:129
> + m_animationStartTimer->startOneShot(0_s);

I think we should do an isActive() check before re-scheduling.

> LayoutTests/svg/animations/animated-svg-image-removed-from-document-paused.html:33
> + setTimeout(function() {

Indent problem.

> LayoutTests/svg/animations/animated-svg-image-removed-from-document-paused.html:34
> + shouldBeTrue("internals.isImageAnimating(imageA)");

We want to test one after the other, separately, to make sure imageA starts even before imageB is inserted.

> LayoutTests/svg/as-image/svg-css-animation.html:22
> + root.removeChild(body);

Can be body.remove()
zalan
Comment 6 2017-06-14 11:30:35 PDT
Chris Dumez
Comment 7 2017-06-14 11:36:45 PDT
Comment on attachment 312908
Patch

r=me!
WebKit Commit Bot
Comment 8 2017-06-14 12:36:49 PDT
Comment on attachment 312908
Patch

Clearing flags on attachment: 312908

Committed r218284: <http://trac.webkit.org/changeset/218284>
WebKit Commit Bot
Comment 9 2017-06-14 12:36:51 PDT
All reviewed patches have been landed. Closing bug.