Bug 194335

Summary:	Extension style sheet mutation in middle of style resolution because animation code triggers a resource load
Product:	WebKit	Reporter:	Antti Koivisto <koivisto>
Component:	CSS	Assignee:	Nobody <webkit-unassigned>
Status:	NEW
Severity:	Normal	CC:	graouts, webkit-bug-importer
Priority:	P2	Keywords:	InRadar
Version:	WebKit Nightly Build
Hardware:	Unspecified
OS:	Unspecified
See Also:	https://bugs.webkit.org/show_bug.cgi?id=194333

Antti Koivisto

Reported 2019-02-06 01:58:49 PST

This stack shows we are triggering a resource load from ImplicitAnimation::reset and then mutating an extension stylesheet via ExtensionStyleSheets::addDisplayNoneSelector. 0 WebCore 0x00000001a0245d08 WTFCrashWithInfo(int, char const*, char const*, int) + 20 1 WebCore 0x00000001a0ef3178 WebCore::StyleResolver::~StyleResolver() + 796 (Assertions.h:578) 2 WebCore 0x00000001a1904074 WebCore::Style::Scope::scheduleUpdate(WebCore::Style::Scope::UpdateType) + 168 (memory:2321) 3 WebCore 0x00000001a10107a4 WebCore::ExtensionStyleSheets::addDisplayNoneSelector(WTF::String const&, WTF::String const&, unsigned int) + 348 (ExtensionStyleSheets.cpp:172) 4 WebCore 0x00000001a0e11f20 WebCore::ContentExtensions::ContentExtensionsBackend::processContentExtensionRulesForLoad(WTF::URL const&, WebCore::ResourceType, WebCore::DocumentLoader&) + 872 (ContentExtensionsBackend.cpp:190) 5 WebCore 0x00000001a14176e4 WebCore::CachedResourceLoader::requestResource(WebCore::CachedResource::Type, WebCore::CachedResourceRequest&&, WebCore::CachedResourceLoader::ForPreload, WebCore::CachedResourceLoader::DeferOption) + 880 (CachedResourceLoader.cpp:814) 6 WebCore 0x00000001a1416f68 WebCore::CachedResourceLoader::requestImage(WebCore::CachedResourceRequest&&) + 268 (CachedResourceLoader.cpp:213) 7 WebCore 0x00000001a0e98d10 WebCore::CSSImageValue::loadImage(WebCore::CachedResourceLoader&, WebCore::ResourceLoaderOptions const&) + 492 (CSSImageValue.cpp:78) 8 WebCore 0x00000001a18a8884 WebCore::StyleCachedImage::load(WebCore::CachedResourceLoader&, WebCore::ResourceLoaderOptions const&) + 80 (StyleCachedImage.cpp:91) 9 WebCore 0x00000001a18ffc74 WebCore::Style::loadPendingImage(WebCore::Document&, WebCore::StyleImage const*, WebCore::Element const*, WebCore::Style::LoadPolicy) + 460 (StylePendingResources.cpp:62) 10 WebCore 0x00000001a18ff930 WebCore::Style::loadPendingResources(WebCore::RenderStyle&, WebCore::Document&, WebCore::Element const*) + 64 (StylePendingResources.cpp:68) 11 WebCore 0x00000001a14e9484 WebCore::ImplicitAnimation::reset(WebCore::RenderStyle const&, WebCore::CompositeAnimation&) + 112 (ImplicitAnimation.cpp:206) 12 WebCore 0x00000001a14e9350 WebCore::ImplicitAnimation::animate(WebCore::CompositeAnimation&, WebCore::RenderStyle const&, std::__1::unique_ptr<WebCore::RenderStyle, std::__1::default_delete<WebCore::RenderStyle> >&, bool&) + 88 (ImplicitAnimation.cpp:75) 13 WebCore 0x00000001a14d3724 WebCore::CompositeAnimation::animate(WebCore::Element&, WebCore::RenderStyle const*, WebCore::RenderStyle const&) + 252 (CompositeAnimation.cpp:300) 14 WebCore 0x00000001a14d359c WebCore::CSSAnimationController::updateAnimations(WebCore::Element&, WebCore::RenderStyle const&, WebCore::RenderStyle const*) + 220 (CSSAnimationController.cpp:633) 15 WebCore 0x00000001a1906aac WebCore::Style::TreeResolver::createAnimatedElementUpdate(std::__1::unique_ptr<WebCore::RenderStyle, std::__1::default_delete<WebCore::RenderStyle> >, WebCore::Element&, WebCore::Style::Change) + 416 (StyleTreeResolver.cpp:312) 16 WebCore 0x00000001a19065dc WebCore::Style::TreeResolver::resolveElement(WebCore::Element&) + 344 (StyleTreeResolver.cpp:208) 17 WebCore 0x00000001a19073dc WebCore::Style::TreeResolver::resolveComposedTree() + 1204 (StyleTreeResolver.cpp:493) 18 WebCore 0x00000001a19080cc WebCore::Style::TreeResolver::resolve() + 720 (StyleTreeResolver.cpp:551) 19 WebCore 0x00000001a0fbcee8 WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) + 920 (Document.cpp:1935) 20 WebCore 0x00000001a0fbd924 WebCore::Document::updateStyleIfNeeded() + 436 (Document.cpp:2064) 21 WebCore 0x00000001a0279e2c WebCore::Timer::fired() + 32 (Function.h:56) 22 WebCore 0x00000001a15388c8 WebCore::ThreadTimers::sharedTimerFiredInternal() + 196 (ThreadTimers.cpp:129) 23 WebCore 0x00000001a1522308 WebCore::MainThreadSharedTimer::fired() + 32 (Function.h:56) 24 WebCore 0x00000001a1557ba8 WebCore::timerFired(__CFRunLoopTimer*, void*) + 32 (MainThreadSharedTimerCF.cpp:74)

Attachments
Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2019-02-06 01:59:47 PST

<rdar://problem/47844927>

Antti Koivisto

Comment 2 2019-02-06 02:34:32 PST

Besides ImplicitAnimation::reset(), there is another similar stack via KeyframeAnimation::KeyframeAnimation()

Radar WebKit Bug Importer

Comment 3 2019-02-06 02:40:31 PST

<rdar://problem/47845431>

Antti Koivisto

Comment 4 2019-02-06 05:19:54 PST

Note that this bug only exists in the legacy animation code. The new web animation engine does not have this problem so this is fixed when it is enabled.

Note You need to log in before you can comment on or make changes to this bug.