Bug 229727

Summary: imported/w3c/web-platform-tests/css/css-font-loading/fontfaceset-load-var.html crashes
Product: WebKit
Reporter: Myles C. Maxfield <mmaxfield>
Component: Text
Assignee: Chris Lord <clord>
Status: RESOLVED FIXED
Severity: Normal
CC: clord, darin, esprehn+autocc, ews-watchlist, glenn, gyuyoung.kim, macpherson, menard, mmaxfield, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments (Description / Flags):
Patch / none
Patch / none
Patch / none
Patch / none
Patch / none

Description Myles C. Maxfield 2021-08-31 12:30:22 PDT
-
Comment 1 Radar WebKit Bug Importer 2021-09-07 12:31:19 PDT
<rdar://problem/82834470>
Comment 2 Myles C. Maxfield 2021-09-10 00:50:25 PDT
ASSERTION FAILED: isMainThread()
/Users/mmaxfield/Build/Products/Debug/usr/local/include/wtf/NeverDestroyed.h(55) : static void WTF::MainThreadAccessTraits::assertAccess()
1   0x65ba9c049 WTFCrash
2   0x66d05472b WTFCrashWithInfo(int, char const*, char const*, int)
3   0x66d0ce95c WTF::MainThreadAccessTraits::assertAccess()
4   0x66fb9dcc9 WTF::NeverDestroyed<WebCore::CSSValuePool, WTF::MainThreadAccessTraits>::storagePointer() const
5   0x66fb8fd25 WTF::NeverDestroyed<WebCore::CSSValuePool, WTF::MainThreadAccessTraits>::operator WebCore::CSSValuePool&()
6   0x66fb8fce0 WebCore::CSSValuePool::singleton()
7   0x66fcabb48 WebCore::CSSPropertyParserHelpers::consumeNumberRawWithKnownTokenTypeFunction(WebCore::CSSParserTokenRange&, WebCore::CSSCalcSymbolTable const&, WebCore::ValueRange)
8   0x66fcaea5b WebCore::CSSPropertyParserHelpers::consumeFontWeightNumberRaw(WebCore::CSSParserTokenRange&)
9   0x66fcb2841 WebCore::CSSPropertyParserHelpers::consumeFontWeightRaw(WebCore::CSSParserTokenRange&)
10  0x66fcb37a0 WebCore::CSSPropertyParserHelpers::consumeFontRaw(WebCore::CSSParserTokenRange&, WebCore::CSSParserMode)
11  0x66fcb4173 WebCore::CSSPropertyParserWorkerSafe::parseFont(WTF::String const&, WebCore::CSSParserMode)
12  0x66fade34c WebCore::CSSFontFaceSet::matchingFacesExcludingPreinstalledFonts(WTF::String const&, WTF::String const&)
13  0x66fbdf9b1 WebCore::FontFaceSet::load(WTF::String const&, WTF::String const&, WebCore::DOMPromiseDeferred<WebCore::IDLSequence<WebCore::IDLInterface<WebCore::FontFace> > >&&)
14  0x66dbec33d WebCore::jsFontFaceSetPrototypeFunction_loadBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSFontFaceSet*, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise> >&&)::'lambda'()::operator()() const
15  0x66dbec2b1 JSC::JSValue WebCore::toJS<WebCore::IDLPromise<WebCore::IDLSequence<WebCore::IDLInterface<WebCore::FontFace> > >, WebCore::jsFontFaceSetPrototypeFunction_loadBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSFontFaceSet*, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise> >&&)::'lambda'()>(JSC::JSGlobalObject&, WebCore::JSDOMGlobalObject&, JSC::ThrowScope&, WebCore::jsFontFaceSetPrototypeFunction_loadBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSFontFaceSet*, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise> >&&)::'lambda'()&&)
16  0x66dbebf2f WebCore::jsFontFaceSetPrototypeFunction_loadBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSFontFaceSet*, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise> >&&)
17  0x66dbec624 long long WebCore::IDLOperationReturningPromise<WebCore::JSFontFaceSet>::call<&(WebCore::jsFontFaceSetPrototypeFunction_loadBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSFontFaceSet*, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise> >&&)), (WebCore::CastedThisErrorBehavior)2>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)::'lambda'(JSC::JSGlobalObject&, JSC::CallFrame&, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise> >&&)::operator()(JSC::JSGlobalObject&, JSC::CallFrame&, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise> >&&) const
18  0x66dbec115 JSC::JSValue WebCore::callPromiseFunction<long long WebCore::IDLOperationReturningPromise<WebCore::JSFontFaceSet>::call<&(WebCore::jsFontFaceSetPrototypeFunction_loadBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSFontFaceSet*, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise> >&&)), (WebCore::CastedThisErrorBehavior)2>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)::'lambda'(JSC::JSGlobalObject&, JSC::CallFrame&, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise> >&&)>(JSC::JSGlobalObject&, JSC::CallFrame&, &(WebCore::jsFontFaceSetPrototypeFunction_loadBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSFontFaceSet*, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise> >&&)))
19  0x66dbeba4d long long WebCore::IDLOperationReturningPromise<WebCore::JSFontFaceSet>::call<&(WebCore::jsFontFaceSetPrototypeFunction_loadBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSFontFaceSet*, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise> >&&)), (WebCore::CastedThisErrorBehavior)2>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)
20  0x66dbe9714 WebCore::jsFontFaceSetPrototypeFunction_load(JSC::JSGlobalObject*, JSC::CallFrame*)
21  0x2c7799203e78
22  0x65c0dbfab llint_entry
23  0x65c0b8cd0 vmEntryToJavaScript
24  0x65cf78b45 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
25  0x65cf78172 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*)
26  0x65d38e875 JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
27  0x65d38e9bc JSC::profiledEvaluate(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
28  0x66f869b5e WebCore::JSExecState::profiledEvaluate(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
29  0x671d20fba WebCore::WorkerOrWorkletScriptController::evaluate(WebCore::ScriptSourceCode const&, WTF::NakedPtr<JSC::Exception>&, WTF::String*)
30  0x671d2866e WebCore::WorkerOrWorkletScriptController::evaluate(WebCore::ScriptSourceCode const&, WTF::String*)
31  0x671d58d90 WebCore::WorkerThread::evaluateScriptIfNecessary(WTF::String&)
Comment 3 Myles C. Maxfield 2021-09-10 00:52:07 PDT
It looks like we're parsing the argument to `FontFaceSet.load(...)` in a worker, but the parser requires being run on the main thread, not in a worker.
Comment 4 Chris Lord 2021-09-14 07:33:25 PDT
Looking into this now, hopefully just a missing call to get the worker's CSSValuePool.
Comment 5 Chris Lord 2021-09-14 08:49:01 PDT
The cause of this is that whenever FunctionToken was added to CSS parsing, CalcParser was used without specifying a CSSValuePool in the raw parser functions.

The whole point of the raw parsers, however, is that they don't use CSSValue, so I think there was a misunderstanding somewhere (it's a shame that whenever this was done, tests weren't comprehensive enough to catch this).

I'm fixing this now, but likely won't finish until tomorrow.
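The failure mode described in the comments above, modelled in a small added C++ example that is not WebKit's code: a hypothetical `MainThreadOnly<T>` wrapper stands in for WTF's `NeverDestroyed<T, MainThreadAccessTraits>`, a hypothetical `ValuePool` stands in for `CSSValuePool`, `consumeFontWeightViaPool` has the shape of the buggy "raw" parser that still reaches the pool, and `consumeFontWeightRaw` has the shape of the fix (a raw parser returning a plain number). The wrapper throws where WebKit would crash on `ASSERTION FAILED: isMainThread()`, so the violation can be observed from a worker thread. Every name, the [1, 1000] range check and the worker harness are assumptions made for illustration.

```cpp
// Added illustration, not WebKit code: a main-thread-only singleton reached
// from a worker by a parser that should never have touched it, beside the
// worker-safe "raw" parser that avoids the pool entirely.
#include <cstdlib>
#include <iostream>
#include <optional>
#include <stdexcept>
#include <string>
#include <thread>

// Stand-in for WTF's isMainThread(): the thread that runs static
// initialisation (the one that later calls main) is the main thread.
static const std::thread::id s_mainThreadId = std::this_thread::get_id();
static bool isMainThread() { return std::this_thread::get_id() == s_mainThreadId; }

// Stand-in for the crash WebKit raises on "ASSERTION FAILED: isMainThread()".
// Throwing instead of aborting lets the violation be observed in a test.
struct ThreadAffinityViolation : std::logic_error {
    using std::logic_error::logic_error;
};

// Hypothetical equivalent of NeverDestroyed<T, MainThreadAccessTraits>:
// every access checks thread affinity before handing out the object.
template <typename T>
class MainThreadOnly {
public:
    T& get()
    {
        if (!isMainThread())
            throw ThreadAffinityViolation("main-thread-only object accessed from a worker");
        return m_value;
    }
private:
    T m_value {};
};

// Hypothetical stand-in for CSSValuePool: hands out cached value objects
// that are only safe to share on the main thread.
struct NumberValue { double value; };
struct ValuePool {
    NumberValue* makeNumber(double v) { m_last = NumberValue { v }; return &m_last; }
    NumberValue m_last {};
};
static MainThreadOnly<ValuePool>& valuePool()
{
    static MainThreadOnly<ValuePool> pool;
    return pool;
}

// Shared numeric check (assumed range): a font-weight number is in [1, 1000].
static std::optional<double> parseFontWeightNumber(const std::string& token)
{
    if (token.empty())
        return std::nullopt;
    char* end = nullptr;
    double number = std::strtod(token.c_str(), &end);
    if (end != token.c_str() + token.size())
        return std::nullopt; // not a plain number ("bold", "40px", ...)
    if (number < 1 || number > 1000)
        return std::nullopt;
    return number;
}

// Shape of the bug: a "raw" parser that still routes its result through the
// pooled value machinery, so it asserts as soon as a worker calls it.
std::optional<double> consumeFontWeightViaPool(const std::string& token)
{
    auto number = parseFontWeightNumber(token);
    if (!number)
        return std::nullopt;
    return valuePool().get().makeNumber(*number)->value;
}

// Shape of the fix: the raw parser returns a plain double and never touches
// main-thread-only state, so it is safe on any thread.
std::optional<double> consumeFontWeightRaw(const std::string& token)
{
    return parseFontWeightNumber(token);
}

// Runs a parser on a fresh worker thread and reports whether the affinity
// check fired, mirroring FontFaceSet.load() being called inside a Worker.
struct WorkerOutcome {
    bool assertionTripped;
    std::optional<double> weight;
};

template <typename Parser>
WorkerOutcome runOnWorkerThread(Parser parser, const std::string& token)
{
    WorkerOutcome outcome { false, std::nullopt };
    std::thread worker([&] {
        try {
            outcome.weight = parser(token);
        } catch (const ThreadAffinityViolation&) {
            outcome.assertionTripped = true;
        }
    });
    worker.join();
    return outcome;
}

int main()
{
    std::cout << "main thread, via pool: " << *consumeFontWeightViaPool("400") << '\n';
    auto buggy = runOnWorkerThread(consumeFontWeightViaPool, "400");
    std::cout << "worker, via pool: " << (buggy.assertionTripped ? "ASSERTION FAILED: isMainThread()" : "ok") << '\n';
    auto fixed = runOnWorkerThread(consumeFontWeightRaw, "400");
    std::cout << "worker, raw parser: " << *fixed.weight << '\n';
    return 0;
}
```

The design point is the one made in the comment: the worker-safe path must not depend on any object whose access traits assert main-thread affinity, so the raw parser works on plain values and defers creating pooled `CSSValue` objects to the main-thread caller.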
Comment 6 Chris Lord 2021-09-14 09:09:07 PDT
Created attachment 438148 [details]
Patch
Comment 7 Chris Lord 2021-09-14 09:10:07 PDT
Possible fix, not 100% sure it's correct but I've got to sign off for the day, so let's get some EWS results and I'll think about this some more tomorrow :)
Comment 8 Chris Lord 2021-09-16 03:26:54 PDT
Created attachment 438332 [details]
Patch
Comment 9 Chris Lord 2021-09-16 04:18:59 PDT
Created attachment 438334 [details]
Patch
Comment 10 Chris Lord 2021-09-16 07:08:18 PDT
Created attachment 438346 [details]
Patch
Comment 11 Darin Adler 2021-09-17 15:29:47 PDT
Comment on attachment 438346 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=438346&action=review

> Source/WebCore/css/parser/CSSPropertyParserHelpers.cpp:223
> +    const CSSParserToken& token = range.peek();

Consider auto&?

> Source/WebCore/css/parser/CSSPropertyParserHelpers.cpp:370
> +    const CSSParserToken& token = sourceRange.peek();

Ditto.
Comment 12 Chris Lord 2021-09-21 01:42:15 PDT
Created attachment 438794 [details]
Patch
Comment 13 EWS 2021-09-21 02:28:08 PDT
Committed r282809 (241941@main): <https://commits.webkit.org/241941@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 438794 [details].