Bug 238491

Summary: [WinCairo] REGRESSION(r291790) fast/editing/apply-relative-font-style-change-crash-004.html is crashing
Product: WebKit
Reporter: Fujii Hironori <Hironori.Fujii>
Component: CSS
Assignee: Nobody <webkit-unassigned>
Status: NEW
Severity: Normal
Priority: P2
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
See Also: https://bugs.webkit.org/show_bug.cgi?id=238247

Fujii Hironori
Reported 2022-03-29 00:22:25 PDT
Created attachment 456002 [details]
crash log

[WinCairo] REGRESSION(r291790) fast/editing/apply-relative-font-style-change-crash-004.html is crashing

Since r291790 (Bug 238247)

 # Child-SP          RetAddr           Call Site
00 000000fd`14837a38 00007ffa`4d59960a WebKit2!__chkstk(void)+0x37 [d:\a01\_work\12\s\src\vctools\crt\vcstartup\src\misc\amd64\chkstk.asm @ 109]
01 000000fd`14837a50 00007ffa`4d5999df WebKit2!WebCore::Style::Resolver::applyMatchedProperties(class WebCore::Style::Resolver::State * state = 0x00007ffa`4d596f3e, struct WebCore::Style::MatchResult * matchResult = 0x000001fd`4de75aa0)+0x1a [C:\jenkins_slave\WinCairo-master\Source\WebCore\style\StyleResolver.cpp @ 575]
02 000000fd`14837a60 00007ffa`4d596f3e WebKit2!WebCore::Style::Resolver::applyMatchedProperties(class WebCore::Style::Resolver::State * state = 0x000000fd`1483ffb8, struct WebCore::Style::MatchResult * matchResult = 0x000000fd`148404a8)+0x3ef [C:\jenkins_slave\WinCairo-master\Source\WebCore\style\StyleResolver.cpp @ 628]
03 000000fd`1483ff80 00007ffa`4d619ff1 WebKit2!WebCore::Style::Resolver::styleForElement(class WebCore::Element * element = 0x000001fd`4cb9c050, struct WebCore::Style::ResolutionContext * context = 0x000000fd`14840838, WebCore::RuleMatchingBehavior matchingBehavior = MatchAllRules (0n0))+0x35e [C:\jenkins_slave\WinCairo-master\Source\WebCore\style\StyleResolver.cpp @ 269]
04 000000fd`148406b0 00007ffa`4d61ad0c WebKit2!WebCore::Style::TreeResolver::styleForStyleable(struct WebCore::Styleable * styleable = 0x000000fd`14840878, struct WebCore::Style::ResolutionContext * resolutionContext = 0x000000fd`14840838)+0x311 [C:\jenkins_slave\WinCairo-master\Source\WebCore\style\StyleTreeResolver.cpp @ 148]
05 000000fd`14840800 00007ffa`4d61a73c WebKit2!WebCore::Style::TreeResolver::resolveElement(class WebCore::Element * element = 0x000001fd`4cb9c050)+0x13c [C:\jenkins_slave\WinCairo-master\Source\WebCore\style\StyleTreeResolver.cpp @ 215]
06 000000fd`148409c0 00007ffa`4d619add WebKit2!WebCore::Style::TreeResolver::resolveComposedTree(void)+0x65c [C:\jenkins_slave\WinCairo-master\Source\WebCore\style\StyleTreeResolver.cpp @ 720]
07 000000fd`14843340 00007ffa`4bde7797 WebKit2!WebCore::Style::TreeResolver::resolve(void)+0x3ad [C:\jenkins_slave\WinCairo-master\Source\WebCore\style\StyleTreeResolver.cpp @ 819]
08 000000fd`14843490 00007ffa`4bde7d86 WebKit2!WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType type = Normal (0n0))+0x517 [C:\jenkins_slave\WinCairo-master\Source\WebCore\dom\Document.cpp @ 2095]
09 000000fd`14843b30 00007ffa`4bde8058 WebKit2!WebCore::Document::updateStyleIfNeeded(void)+0x226 [C:\jenkins_slave\WinCairo-master\Source\WebCore\dom\Document.cpp @ 2213]
0a 000000fd`14843bb0 00007ffa`4bde824f WebKit2!WebCore::Document::updateLayout(void)+0x1f8 [C:\jenkins_slave\WinCairo-master\Source\WebCore\dom\Document.cpp @ 2235]
0b 000000fd`14843cb0 00007ffa`4c0a6f52 WebKit2!WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks runPostLayoutTasks = Asynchronously (0n0))+0x5f [C:\jenkins_slave\WinCairo-master\Source\WebCore\dom\Document.cpp @ 2268]
0c 000000fd`14843cf0 00007ffa`4c0a85e9 WebKit2!WebCore::ApplyStyleCommand::nodeFullySelected(class WebCore::Element * element = 0x000001fd`4cb9c050, class WebCore::Position * start = 0x000000fd`14843db8, class WebCore::Position * end = 0x000000fd`14843de8)+0x42 [C:\jenkins_slave\WinCairo-master\Source\WebCore\editing\ApplyStyleCommand.cpp @ 1177]
0d 000000fd`14843d90 00007ffa`4c0a48a7 WebKit2!WebCore::ApplyStyleCommand::applyRelativeFontStyleChange(class WebCore::EditingStyle * style = 0x000001fd`4cab7090)+0xa99 [C:\jenkins_slave\WinCairo-master\Source\WebCore\editing\ApplyStyleCommand.cpp @ 399]
0e 000000fd`14844200 00007ffa`4c0973b7 WebKit2!WebCore::ApplyStyleCommand::doApply(void)+0x117 [C:\jenkins_slave\WinCairo-master\Source\WebCore\editing\ApplyStyleCommand.cpp @ 214]
0f 000000fd`14844270 00007ffa`4c0f11fc WebKit2!WebCore::CompositeEditCommand::apply(void)+0x2c7 [C:\jenkins_slave\WinCairo-master\Source\WebCore\editing\CompositeEditCommand.cpp @ 399]
10 000000fd`14844340 00007ffa`4c111195 WebKit2!WebCore::Editor::applyStyle(class WTF::RefPtr<WebCore::EditingStyle,WTF::RawPtrTraits<WebCore::EditingStyle>,WTF::DefaultRefDerefTraits<WebCore::EditingStyle> > * style = 0x000000fd`148444d0, WebCore::EditAction editingAction = Unspecified (0n0), WebCore::Editor::ColorFilterMode colorFilterMode = UseOriginalColor (0n1))+0x42c [C:\jenkins_slave\WinCairo-master\Source\WebCore\editing\Editor.cpp @ 981]
11 000000fd`148444b0 00007ffa`4c111324 WebKit2!WebCore::applyCommandToFrame(class WebCore::Frame * frame = 0x000001fd`4820a580, WebCore::EditorCommandSource source = CommandFromDOM (0n1), WebCore::EditAction action = ChangeAttributes (0n17), class WTF::Ref<WebCore::EditingStyle,WTF::RawPtrTraits<WebCore::EditingStyle> > * style = 0x000000fd`14844538)+0xb5 [C:\jenkins_slave\WinCairo-master\Source\WebCore\editing\EditorCommand.cpp @ 112]
12 000000fd`14844510 00007ffa`4c112b59 WebKit2!WebCore::executeApplyStyle(class WebCore::Frame * frame = 0x000001fd`4820a580, WebCore::EditorCommandSource source = CommandFromDOM (0n1), WebCore::EditAction action = ChangeAttributes (0n17), WebCore::CSSPropertyID propertyID = CSSPropertyWebkitFontSizeDelta (0n457), class WTF::String * propertyValue = 0x000000fd`14844828)+0x44 [C:\jenkins_slave\WinCairo-master\Source\WebCore\editing\EditorCommand.cpp @ 131]
13 000000fd`14844550 00007ffa`4c0f3093 WebKit2!WebCore::executeFontSizeDelta(class WebCore::Frame * frame = 0x000001fd`4820a580, class WebCore::Event * __formal = 0x00000000`00000000, WebCore::EditorCommandSource source = CommandFromDOM (0n1), class WTF::String * value = 0x000000fd`14844828)+0x39 [C:\jenkins_slave\WinCairo-master\Source\WebCore\editing\EditorCommand.cpp @ 402]
14 000000fd`14844590 00007ffa`4bdf74be WebKit2!WebCore::Editor::Command::execute(class WTF::String * parameter = 0x000000fd`14844828, class WebCore::Event * triggeringEvent = 0x00000000`00000000)+0xf3 [C:\jenkins_slave\WinCairo-master\Source\WebCore\editing\EditorCommand.cpp @ 1885]
15 000000fd`148445f0 00007ffa`49f0dd51 WebKit2!WebCore::Document::execCommand(class WTF::String * commandName = 0x000000fd`148447a8, bool userInterface = false, class WTF::String * value = 0x000000fd`14844828)+0x10e [C:\jenkins_slave\WinCairo-master\Source\WebCore\dom\Document.cpp @ 5883]
16 000000fd`148446a0 00007ffa`49f1e143 WebKit2!WebCore::jsDocumentPrototypeFunction_execCommandBody(class JSC::JSGlobalObject * lexicalGlobalObject = 0x000001fd`4dc49d20, class JSC::CallFrame * callFrame = 0x000000fd`14844b70, class WebCore::JSDocument * castedThis = 0x000001fd`4ccaba60)+0x7c1 [C:\jenkins_slave\WinCairo-master\WebKitBuild\Debug\WebCore\DerivedSources\JSDocument.cpp @ 5959]
17 000000fd`148449c0 00007ffa`49eeecc5 WebKit2!WebCore::IDLOperation<WebCore::JSDocument>::call<&WebCore::jsDocumentPrototypeFunction_execCommandBody,0>(class JSC::JSGlobalObject * lexicalGlobalObject = 0x000001fd`4dc49d20, class JSC::CallFrame * callFrame = 0x000000fd`14844b70, char * operationName = 0x00007ffa`55044d38 "execCommand")+0x313 [C:\jenkins_slave\WinCairo-master\Source\WebCore\bindings\js\JSDOMOperation.h @ 63]
18 000000fd`14844b20 000001fd`000011be WebKit2!WebCore::jsDocumentPrototypeFunction_execCommand(class JSC::JSGlobalObject * lexicalGlobalObject = 0x000001fd`4dc49d20, class JSC::CallFrame * callFrame = 0x000000fd`14844b70)+0x25 [C:\jenkins_slave\WinCairo-master\WebKitBuild\Debug\WebCore\DerivedSources\JSDocument.cpp @ 5965]
19 000000fd`14844b50 000001fd`4dc49d20 0x000001fd`000011be
1a 000000fd`14844b58 000000fd`14844b70 0x000001fd`4dc49d20
1b 000000fd`14844b60 00000000`00000000 0x000000fd`14844b70
Attachments
  crash log (101.26 KB, text/plain), 2022-03-29 00:22 PDT, Fujii Hironori, no flags
  callstack (33.06 KB, text/plain), 2022-03-29 00:27 PDT, Fujii Hironori, no flags
Fujii Hironori
Comment 1 2022-03-29 00:27:53 PDT
Created attachment 456003 [details]
callstack

Unhandled exception at 0x00007FFDBAB3C0D7 (WebKit2.dll) in WebKitWebProcess.exe: 0xC00000FD: Stack overflow (parameters: 0x0000000000000001, 0x000000CBE1A03000).
Fujii Hironori
Comment 2 2022-03-29 00:34:16 PDT
(In reply to Fujii Hironori from comment #1)
> Created attachment 456003 [details]
> callstack

This looks like an infinite recursion.
Fujii Hironori
Comment 3 2022-03-29 21:16:52 PDT
The infinite recursion seems to be the expected behavior of this test for WebKit. The problem is that WebKitWebProcess.exe is crashing before dispatching the "RangeError: Maximum call stack size exceeded." exception. Chrome and Firefox don't dispatch a beforeinput event in this test.
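A constructed model of the re-entry pattern the comments describe, added here as an example and not taken from the test or from WebKit: an editing command dispatches a beforeinput listener, and that listener issues the same command again. The engine-side outcome comment 3 calls expected is a catchable RangeError; the page's crash is the native stack under execCommand running out before that point. It assumes the test re-enters execCommand from beforeinput (implied, not shown, on the page); EditorModel, runUnguarded and runGuarded are names of this example.

```javascript
// Constructed stand-in for a document's editing command path: fire the
// beforeinput listeners, then apply the command (modelled as a counter).
class EditorModel {
  constructor() { this.listeners = []; this.depth = 0; this.maxDepth = 0; this.applied = 0; }
  addEventListener(type, fn) { if (type === 'beforeinput') this.listeners.push(fn); }
  execCommand(name, value) {
    this.depth += 1;
    this.maxDepth = Math.max(this.maxDepth, this.depth);
    try {
      for (const fn of this.listeners) fn({ inputType: name, data: value });
      this.applied += 1;
    } finally {
      this.depth -= 1;
    }
  }
}

// Unbounded re-entry (assumption: what the test does): the listener issues the
// same command again, so execCommand recurses until the engine stops it.
function runUnguarded() {
  const editor = new EditorModel();
  editor.addEventListener('beforeinput', () => editor.execCommand('fontSizeDelta', '1'));
  try {
    editor.execCommand('fontSizeDelta', '1');
    return { error: null, maxDepth: editor.maxDepth };
  } catch (e) {
    // A JS engine bounds this with a catchable RangeError
    // ("Maximum call stack size exceeded"); the native stack in the report did not get that far.
    return { error: e.constructor.name, maxDepth: editor.maxDepth };
  }
}

// Guarded page-side pattern: a re-entrancy flag lets one nested command through
// and ignores further beforeinput re-entry while it is in flight.
function runGuarded() {
  const editor = new EditorModel();
  let inHandler = false;
  editor.addEventListener('beforeinput', () => {
    if (inHandler) return;
    inHandler = true;
    try { editor.execCommand('fontSizeDelta', '1'); } finally { inHandler = false; }
  });
  editor.execCommand('fontSizeDelta', '1');
  return { error: null, maxDepth: editor.maxDepth, applied: editor.applied };
}
```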