Bug 229727

Summary: imported/w3c/web-platform-tests/css/css-font-loading/fontfaceset-load-var.html crashes
Product: WebKit Reporter: Myles C. Maxfield <mmaxfield>
Component: TextAssignee: Chris Lord <clord>
Status: RESOLVED FIXED    
Severity: Normal CC: clord, darin, esprehn+autocc, ews-watchlist, glenn, gyuyoung.kim, macpherson, menard, mmaxfield, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch
none
Patch
none
Patch
none
Patch none

Myles C. Maxfield
Reported 2021-08-31 12:30:22 PDT
-
Attachments
Patch (4.45 KB, patch)
2021-09-14 09:09 PDT, Chris Lord 		no flags
DetailsFormatted DiffDiff
Patch (11.19 KB, patch)
2021-09-16 03:26 PDT, Chris Lord 		no flags
DetailsFormatted DiffDiff
Patch (11.25 KB, patch)
2021-09-16 04:18 PDT, Chris Lord 		no flags
DetailsFormatted DiffDiff
Patch (10.07 KB, patch)
2021-09-16 07:08 PDT, Chris Lord 		no flags
DetailsFormatted DiffDiff
Patch (10.05 KB, patch)
2021-09-21 01:42 PDT, Chris Lord 		no flags
DetailsFormatted DiffDiff
Show Obsolete (4) View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2021-09-07 12:31:19 PDT
<rdar://problem/82834470>
Myles C. Maxfield
Comment 2 2021-09-10 00:50:25 PDT
ASSERTION FAILED: isMainThread() /Users/mmaxfield/Build/Products/Debug/usr/local/include/wtf/NeverDestroyed.h(55) : static void WTF::MainThreadAccessTraits::assertAccess() 1 0x65ba9c049 WTFCrash 2 0x66d05472b WTFCrashWithInfo(int, char const*, char const*, int) 3 0x66d0ce95c WTF::MainThreadAccessTraits::assertAccess() 4 0x66fb9dcc9 WTF::NeverDestroyed<WebCore::CSSValuePool, WTF::MainThreadAccessTraits>::storagePointer() const 5 0x66fb8fd25 WTF::NeverDestroyed<WebCore::CSSValuePool, WTF::MainThreadAccessTraits>::operator WebCore::CSSValuePool&() 6 0x66fb8fce0 WebCore::CSSValuePool::singleton() 7 0x66fcabb48 WebCore::CSSPropertyParserHelpers::consumeNumberRawWithKnownTokenTypeFunction(WebCore::CSSParserTokenRange&, WebCore::CSSCalcSymbolTable const&, WebCore::ValueRange) 8 0x66fcaea5b WebCore::CSSPropertyParserHelpers::consumeFontWeightNumberRaw(WebCore::CSSParserTokenRange&) 9 0x66fcb2841 WebCore::CSSPropertyParserHelpers::consumeFontWeightRaw(WebCore::CSSParserTokenRange&) 10 0x66fcb37a0 WebCore::CSSPropertyParserHelpers::consumeFontRaw(WebCore::CSSParserTokenRange&, WebCore::CSSParserMode) 11 0x66fcb4173 WebCore::CSSPropertyParserWorkerSafe::parseFont(WTF::String const&, WebCore::CSSParserMode) 12 0x66fade34c WebCore::CSSFontFaceSet::matchingFacesExcludingPreinstalledFonts(WTF::String const&, WTF::String const&) 13 0x66fbdf9b1 WebCore::FontFaceSet::load(WTF::String const&, WTF::String const&, WebCore::DOMPromiseDeferred<WebCore::IDLSequence<WebCore::IDLInterface<WebCore::FontFace> > >&&) 14 0x66dbec33d WebCore::jsFontFaceSetPrototypeFunction_loadBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSFontFaceSet*, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise> >&&)::'lambda'()::operator()() const 15 0x66dbec2b1 JSC::JSValue WebCore::toJS<WebCore::IDLPromise<WebCore::IDLSequence<WebCore::IDLInterface<WebCore::FontFace> > >, WebCore::jsFontFaceSetPrototypeFunction_loadBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSFontFaceSet*, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise> >&&)::'lambda'()>(JSC::JSGlobalObject&, WebCore::JSDOMGlobalObject&, JSC::ThrowScope&, WebCore::jsFontFaceSetPrototypeFunction_loadBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSFontFaceSet*, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise> >&&)::'lambda'()&&) 16 0x66dbebf2f WebCore::jsFontFaceSetPrototypeFunction_loadBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSFontFaceSet*, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise> >&&) 17 0x66dbec624 long long WebCore::IDLOperationReturningPromise<WebCore::JSFontFaceSet>::call<&(WebCore::jsFontFaceSetPrototypeFunction_loadBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSFontFaceSet*, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise> >&&)), (WebCore::CastedThisErrorBehavior)2>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)::'lambda'(JSC::JSGlobalObject&, JSC::CallFrame&, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise> >&&)::operator()(JSC::JSGlobalObject&, JSC::CallFrame&, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise> >&&) const 18 0x66dbec115 JSC::JSValue WebCore::callPromiseFunction<long long WebCore::IDLOperationReturningPromise<WebCore::JSFontFaceSet>::call<&(WebCore::jsFontFaceSetPrototypeFunction_loadBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSFontFaceSet*, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise> >&&)), (WebCore::CastedThisErrorBehavior)2>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)::'lambda'(JSC::JSGlobalObject&, JSC::CallFrame&, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise> >&&)>(JSC::JSGlobalObject&, JSC::CallFrame&, &(WebCore::jsFontFaceSetPrototypeFunction_loadBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSFontFaceSet*, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise> >&&))) 19 0x66dbeba4d long long WebCore::IDLOperationReturningPromise<WebCore::JSFontFaceSet>::call<&(WebCore::jsFontFaceSetPrototypeFunction_loadBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSFontFaceSet*, WTF::Ref<WebCore::DeferredPromise, WTF::RawPtrTraits<WebCore::DeferredPromise> >&&)), (WebCore::CastedThisErrorBehavior)2>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) 20 0x66dbe9714 WebCore::jsFontFaceSetPrototypeFunction_load(JSC::JSGlobalObject*, JSC::CallFrame*) 21 0x2c7799203e78 22 0x65c0dbfab llint_entry 23 0x65c0b8cd0 vmEntryToJavaScript 24 0x65cf78b45 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) 25 0x65cf78172 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*) 26 0x65d38e875 JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) 27 0x65d38e9bc JSC::profiledEvaluate(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) 28 0x66f869b5e WebCore::JSExecState::profiledEvaluate(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) 29 0x671d20fba WebCore::WorkerOrWorkletScriptController::evaluate(WebCore::ScriptSourceCode const&, WTF::NakedPtr<JSC::Exception>&, WTF::String*) 30 0x671d2866e WebCore::WorkerOrWorkletScriptController::evaluate(WebCore::ScriptSourceCode const&, WTF::String*) 31 0x671d58d90 WebCore::WorkerThread::evaluateScriptIfNecessary(WTF::String&)
Myles C. Maxfield
Comment 3 2021-09-10 00:52:07 PDT
It looks like we're parsing the argument to `FontFaceSet.load(...)` in a worker, but the parser requires being run on the main thread, not in a worker.
Chris Lord
Comment 4 2021-09-14 07:33:25 PDT
Looking into this now, hopefully just a missing call to get the worker's CSSValuePool.
Chris Lord
Comment 5 2021-09-14 08:49:01 PDT
The cause of this is that whenever FunctionToken was added to CSS parsing, CalcParser was used without specifying a CSSValuePool in the raw parser functions. The whole point of the raw parsers, however, is that they don't use CSSValue, so I think there was a misunderstanding somewhere (it's a shame that whenever this was done, tests weren't comprehensive enough to catch this). I'm fixing this now, but likely won't finish until tomorrow.
Chris Lord
Comment 6 2021-09-14 09:09:07 PDT
Created attachment 438148 [details] Patch
Chris Lord
Comment 7 2021-09-14 09:10:07 PDT
Possible fix, not 100% sure it's correct but I've got to sign off for the day, so let's get some EWS results and I'll think about this some more tomorrow :)
Chris Lord
Comment 8 2021-09-16 03:26:54 PDT
Created attachment 438332 [details] Patch
Chris Lord
Comment 9 2021-09-16 04:18:59 PDT
Created attachment 438334 [details] Patch
Chris Lord
Comment 10 2021-09-16 07:08:18 PDT
Created attachment 438346 [details] Patch
Darin Adler
Comment 11 2021-09-17 15:29:47 PDT
Comment on attachment 438346 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=438346&action=review > Source/WebCore/css/parser/CSSPropertyParserHelpers.cpp:223 > + const CSSParserToken& token = range.peek(); Consider auto&? > Source/WebCore/css/parser/CSSPropertyParserHelpers.cpp:370 > + const CSSParserToken& token = sourceRange.peek(); Ditto.
Chris Lord
Comment 12 2021-09-21 01:42:15 PDT
Created attachment 438794 [details] Patch
EWS
Comment 13 2021-09-21 02:28:08 PDT
Committed r282809 (241941@main): <https://commits.webkit.org/241941@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 438794 [details].
Note You need to log in before you can comment on or make changes to this bug.