Bug 242159

Summary: REGRESSION(251950@main) Crash under WebCore::Style::ElementRuleCollector::collectMatchingRules
Product: WebKit
Reporter: Fujii Hironori <Hironori.Fujii>
Component: CSS
Assignee: Antti Koivisto <koivisto>
Status: RESOLVED FIXED
Severity: Normal
CC: koivisto, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Bug Depends on:
Bug Blocks: 242058
Attachments:
  debugging patch (flags: none)
  Patch (flags: none)

Description Fujii Hironori 2022-06-29 19:26:51 PDT
I'm testing with WinCairo 251961@main Debug build.
A crash happens in this page <https://mainichi.jp/articles/20220630/k00/00m/030/035000c>.

> WebKit2.dll!WTF::RawPtrTraits<WTF::StringImpl>::unwrap(WTF::StringImpl * const & ptr) Line 44	C++
> WebKit2.dll!WTF::RefPtr<WTF::StringImpl,WTF::RawPtrTraits<WTF::StringImpl>,WTF::DefaultRefDerefTraits<WTF::StringImpl>>::get() Line 76	C++
> WebKit2.dll!WTF::String::impl() Line 115	C++
> WebKit2.dll!WTF::AtomString::impl() Line 82	C++
> WebKit2.dll!WTF::AtomStringHash::hash(const WTF::AtomString & key) Line 39	C++
> WebKit2.dll!WTF::IdentityHashTranslator<WTF::HashMap<WTF::AtomString,std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>,WTF::DefaultHash<WTF::AtomString>,WTF::HashTraits<WTF::AtomString>,WTF::HashTraits<std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>>,WTF::HashTableTraits>::KeyValuePairTraits,WTF::DefaultHash<WTF::AtomString>>::hash<WTF::AtomString>(const WTF::AtomString & key) Line 311	C++
> WebKit2.dll!WTF::HashMapTranslatorAdapter<WTF::HashMap<WTF::AtomString,std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>,WTF::DefaultHash<WTF::AtomString>,WTF::HashTraits<WTF::AtomString>,WTF::HashTraits<std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>>,WTF::HashTableTraits>::KeyValuePairTraits,WTF::IdentityHashTranslator<WTF::HashMap<WTF::AtomString,std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>,WTF::DefaultHash<WTF::AtomString>,WTF::HashTraits<WTF::AtomString>,WTF::HashTraits<std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>>,WTF::HashTableTraits>::KeyValuePairTraits,WTF::DefaultHash<WTF::AtomString>>>::hash<WTF::AtomString>(const WTF::AtomString & key) Line 250	C++
> WebKit2.dll!WTF::HashTable<WTF::AtomString,WTF::KeyValuePair<WTF::AtomString,std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>>,WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::AtomString,std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>>>,WTF::DefaultHash<WTF::AtomString>,WTF::HashMap<WTF::AtomString,std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>,WTF::DefaultHash<WTF::AtomString>,WTF::HashTraits<WTF::AtomString>,WTF::HashTraits<std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>>,WTF::HashTableTraits>::KeyValuePairTraits,WTF::HashTraits<WTF::AtomString>>::inlineLookup<WTF::HashMapTranslatorAdapter<WTF::HashMap<WTF::AtomString,std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>,WTF::DefaultHash<WTF::AtomString>,WTF::HashTraits<WTF::AtomString>,WTF::HashTraits<std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>>,WTF::HashTableTraits>::KeyValuePairTraits,WTF::IdentityHashTranslator<WTF::HashMap<WTF::AtomString,std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>,WTF::DefaultHash<WTF::AtomString>,WTF::HashTraits<WTF::AtomString>,WTF::HashTraits<std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>>,WTF::HashTableTraits>::KeyValuePairTraits,WTF::DefaultHash<WTF::AtomString>>>,WTF::AtomString>(const WTF::AtomString & key) Line 688	C++
> WebKit2.dll!WTF::HashTable<WTF::AtomString,WTF::KeyValuePair<WTF::AtomString,std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>>,WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::AtomString,std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>>>,WTF::DefaultHash<WTF::AtomString>,WTF::HashMap<WTF::AtomString,std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>,WTF::DefaultHash<WTF::AtomString>,WTF::HashTraits<WTF::AtomString>,WTF::HashTraits<std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>>,WTF::HashTableTraits>::KeyValuePairTraits,WTF::HashTraits<WTF::AtomString>>::lookup<WTF::HashMapTranslatorAdapter<WTF::HashMap<WTF::AtomString,std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>,WTF::DefaultHash<WTF::AtomString>,WTF::HashTraits<WTF::AtomString>,WTF::HashTraits<std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>>,WTF::HashTableTraits>::KeyValuePairTraits,WTF::IdentityHashTranslator<WTF::HashMap<WTF::AtomString,std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>,WTF::DefaultHash<WTF::AtomString>,WTF::HashTraits<WTF::AtomString>,WTF::HashTraits<std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>>,WTF::HashTableTraits>::KeyValuePairTraits,WTF::DefaultHash<WTF::AtomString>>>,WTF::AtomString>(const WTF::AtomString & key) Line 674	C++
> WebKit2.dll!WTF::HashMap<WTF::AtomString,std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>,WTF::DefaultHash<WTF::AtomString>,WTF::HashTraits<WTF::AtomString>,WTF::HashTraits<std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>>,WTF::HashTableTraits>::get<WTF::IdentityHashTranslator<WTF::HashMap<WTF::AtomString,std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>,WTF::DefaultHash<WTF::AtomString>,WTF::HashTraits<WTF::AtomString>,WTF::HashTraits<std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>>,WTF::HashTableTraits>::KeyValuePairTraits,WTF::DefaultHash<WTF::AtomString>>,WTF::AtomString>(const WTF::AtomString & value) Line 343	C++
> WebKit2.dll!WTF::HashMap<WTF::AtomString,std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>,WTF::DefaultHash<WTF::AtomString>,WTF::HashTraits<WTF::AtomString>,WTF::HashTraits<std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>>,WTF::HashTableTraits>::get(const WTF::AtomString & key) Line 459	C++
> WebKit2.dll!WebCore::Style::RuleSet::attributeRules(const WTF::AtomString & key, bool isHTMLName) Line 210	C++
> WebKit2.dll!WebCore::Style::ElementRuleCollector::collectMatchingRules(const WebCore::Style::MatchRequest & matchRequest) Line 166	C++
> WebKit2.dll!WebCore::Style::ElementRuleCollector::collectMatchingAuthorRules() Line 250	C++
> WebKit2.dll!WebCore::Style::ElementRuleCollector::matchAllRules(bool matchAuthorAndUserStyles, bool includeSMILProperties) Line 583	C++
> WebKit2.dll!WebCore::Style::Resolver::styleForElement(const WebCore::Element & element, const WebCore::Style::ResolutionContext & context, WebCore::RuleMatchingBehavior matchingBehavior) Line 257	C++
> WebKit2.dll!WebCore::Style::TreeResolver::styleForStyleable(const WebCore::Styleable & styleable, WebCore::Style::TreeResolver::ResolutionType resolutionType, const WebCore::Style::ResolutionContext & resolutionContext) Line 155	C++
> WebKit2.dll!WebCore::Style::TreeResolver::resolveElement(WebCore::Element & element, WebCore::Style::TreeResolver::ResolutionType resolutionType) Line 224	C++
> WebKit2.dll!WebCore::Style::TreeResolver::resolveComposedTree() Line 830	C++
> WebKit2.dll!WebCore::Style::TreeResolver::resolve() Line 925	C++
> WebKit2.dll!WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType type) Line 2097	C++
> WebKit2.dll!WebCore::Document::updateStyleIfNeeded() Line 2235	C++
> WebKit2.dll!WebCore::Document::updateLayoutIfDimensionsOutOfDate(WebCore::Element & element, WebCore::DimensionsCheck dimensionsCheck) Line 2338	C++
> WebKit2.dll!WebCore::DOMWindow::innerWidth() Line 1321	C++
> WebKit2.dll!WebCore::jsDOMWindow_innerWidthGetter(JSC::JSGlobalObject & lexicalGlobalObject, WebCore::JSDOMWindow & thisObject) Line 11281	C++
> WebKit2.dll!WebCore::IDLAttribute<WebCore::JSDOMWindow>::get<&WebCore::jsDOMWindow_innerWidthGetter,0>(JSC::JSGlobalObject & lexicalGlobalObject, __int64 thisValue, JSC::PropertyName attributeName) Line 100	C++
> WebKit2.dll!WebCore::jsDOMWindow_innerWidth(JSC::JSGlobalObject * lexicalGlobalObject, __int64 thisValue, JSC::PropertyName attributeName) Line 11287	C++
> JavaScriptCore.dll!JSC::PropertySlot::customGetter(JSC::VM & vm, JSC::PropertyName propertyName) Line 47	C++
> JavaScriptCore.dll!JSC::PropertySlot::getValue(JSC::JSGlobalObject * globalObject, JSC::PropertyName propertyName) Line 408	C++
> JavaScriptCore.dll!JSC::JSValue::get(JSC::JSGlobalObject * globalObject, JSC::PropertyName propertyName, JSC::PropertySlot & slot) Line 1032	C++
> JavaScriptCore.dll!JSC::LLInt::performLLIntGetByID(JSC::BytecodeIndex bytecodeIndex, JSC::CodeBlock * codeBlock, JSC::JSGlobalObject * globalObject, JSC::JSValue baseValue, const JSC::Identifier & ident, JSC::GetByIdModeMetadata & metadata) Line 813	C++
> JavaScriptCore.dll!llint_slow_path_get_by_id(JSC::CallFrame * callFrame, const JSC::BaseInstruction<JSC::JSOpcodeTraits> * pc) Line 887	C++
> JavaScriptCore.dll!llint_entry()	Unknown
> 000000bdd0efc930()	Unknown
> 000000bdd0efc9f0()	Unknown
> 0000025f7996f4a0()	Unknown
> JavaScriptCore.dll!00007ffd123ef2b8()	C++
> 0000025f7996f4a0()	Unknown
> (...not available under JSC...)
Comment 1 Fujii Hironori 2022-06-29 19:28:50 PDT
ElementRuleCollector::collectMatchingRules has the following code:

>    if (element.hasAttributesWithoutUpdate() && matchRequest.ruleSet.hasAttributeRules()) {
>        for (auto& attribute : element.attributesIterator())
>            collectMatchingRulesForList(matchRequest.ruleSet.attributeRules(attribute.localName(), isHTML), matchRequest);
>    }

`attribute` wasn't a valid value.
This code was added by 251950@main (bug#242058).
Comment 2 Fujii Hironori 2022-06-29 20:17:18 PDT
I confirmed this seems to be fixed by reverting 251950@main.
Comment 3 Fujii Hironori 2022-06-29 20:33:40 PDT
> A crash happens in this page
> <https://mainichi.jp/articles/20220630/k00/00m/030/035000c>.

This crash is no longer reproducible for me with this page.
Comment 4 Fujii Hironori 2022-06-29 21:21:38 PDT
Created attachment 460568 [details]
debugging patch

collectMatchingRulesForList adds a new attribute to UniqueElementData::m_attributeVector while iterating it.
Comment 5 Fujii Hironori 2022-06-29 21:23:40 PDT
Here is the call stack with the attachment#460568 [details] patch applied.

> WebKit2.dll!WTFCrashWithInfo(int __formal, const char * __formal, const char * __formal, int __formal) Line 755	C++
> WebKit2.dll!WebCore::UniqueElementData::addAttribute(const WebCore::QualifiedName & attributeName, const WTF::AtomString & value) Line 334	C++
> WebKit2.dll!WebCore::Element::addAttributeInternal(const WebCore::QualifiedName & name, const WTF::AtomString & value, WebCore::Element::SynchronizationOfLazyAttribute inSynchronizationOfLazyAttribute) Line 3074	C++
> WebKit2.dll!WebCore::Element::setAttributeInternal(unsigned int index, const WebCore::QualifiedName & name, const WTF::AtomString & newValue, WebCore::Element::SynchronizationOfLazyAttribute inSynchronizationOfLazyAttribute) Line 1874	C++
> WebKit2.dll!WebCore::Element::setSynchronizedLazyAttribute(const WebCore::QualifiedName & name, const WTF::AtomString & value) Line 1860	C++
> WebKit2.dll!WebCore::StyledElement::synchronizeStyleAttributeInternalImpl() Line 68	C++
> WebKit2.dll!WebCore::StyledElement::synchronizeStyleAttributeInternal() Line 57	C++
> WebKit2.dll!WebCore::Element::synchronizeAllAttributes() Line 667	C++
> WebKit2.dll!WebCore::Element::hasAttributes() Line 2384	C++
> WebKit2.dll!WebCore::SelectorChecker::checkOne(WebCore::SelectorChecker::CheckingContext & checkingContext, const WebCore::SelectorChecker::LocalContext & context, WebCore::SelectorChecker::MatchType & matchType) Line 684	C++
> WebKit2.dll!WebCore::SelectorChecker::matchRecursively(WebCore::SelectorChecker::CheckingContext & checkingContext, const WebCore::SelectorChecker::LocalContext & context, WebCore::PseudoIdSet & dynamicPseudoIdSet) Line 272	C++
> WebKit2.dll!WebCore::SelectorChecker::match(const WebCore::CSSSelector & selector, const WebCore::Element & element, WebCore::SelectorChecker::CheckingContext & checkingContext) Line 191	C++
> WebKit2.dll!WebCore::Style::ElementRuleCollector::ruleMatches(const WebCore::Style::RuleData & ruleData, unsigned int & specificity, WebCore::Style::ScopeOrdinal styleScopeOrdinal) Line 469	C++
> WebKit2.dll!WebCore::Style::ElementRuleCollector::collectMatchingRulesForList(const WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc> * rules, const WebCore::Style::MatchRequest & matchRequest) Line 513	C++
> WebKit2.dll!WebCore::Style::ElementRuleCollector::collectMatchingRules(const WebCore::Style::MatchRequest & matchRequest) Line 169	C++
> WebKit2.dll!WebCore::Style::ElementRuleCollector::collectMatchingAuthorRules() Line 254	C++
> WebKit2.dll!WebCore::Style::ElementRuleCollector::matchAllRules(bool matchAuthorAndUserStyles, bool includeSMILProperties) Line 587	C++
> (...)
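An added example (not code from this bug, from either attachment, or from WebKit) of the pattern comments 4 and 5 describe: a range-for over an element's attribute vector whose body ends up in selector matching, which calls hasAttributes(), which lazily synchronizes the style attribute by appending to the very vector being iterated. `Element`, `Attribute`, `ruleMatches` and the two `collectMatchingRules*` functions are simplified stand-ins, not WebCore's; the reentrancy guard that throws `std::logic_error` plays the role the debugging patch's crash in UniqueElementData::addAttribute plays in the second call stack, turning an otherwise silent use of a dangling reference into a deterministic failure. The "fixed" ordering, synchronizing before taking any iterator, is one possible hardening and is not a claim about what 251982@main actually changed.

```cpp
#include <cstddef>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// Hypothetical, much-simplified stand-ins for WebCore's Element and its
// attribute storage; the names echo the call stacks above but this is not WebKit code.
struct Attribute {
    std::string localName;
    std::string value;
};

class Element {
public:
    // Guarded the way the debugging patch guards UniqueElementData::addAttribute():
    // push_back may reallocate, so appending while a range-for holds references
    // into the vector is a use-after-free waiting to happen. Fail loudly instead.
    void addAttribute(Attribute attribute) {
        if (m_iterationDepth > 0)
            throw std::logic_error("attribute vector mutated during iteration");
        m_attributes.push_back(std::move(attribute));
    }

    // The inline style is kept parsed; its serialized "style" attribute is only
    // materialized into the vector on demand (lazy synchronization).
    void setInlineStyle(std::string css) {
        m_inlineStyle = std::move(css);
        m_styleAttributeDirty = true;
    }

    void synchronizeAllAttributes() {
        if (!m_styleAttributeDirty)
            return;
        m_styleAttributeDirty = false;
        addAttribute({"style", m_inlineStyle});
    }

    bool hasAttributesWithoutUpdate() const { return !m_attributes.empty(); }

    // Like WebCore's Element::hasAttributes() in the second call stack: synchronizes first.
    bool hasAttributes() {
        synchronizeAllAttributes();
        return !m_attributes.empty();
    }

    // Visit every attribute with the reentrancy guard engaged.
    template <typename Visitor> void forEachAttribute(Visitor&& visit) {
        IterationGuard guard(*this);
        for (const Attribute& attribute : m_attributes) // references into the vector
            visit(attribute);
    }

private:
    struct IterationGuard {
        explicit IterationGuard(Element& e) : element(e) { ++element.m_iterationDepth; }
        ~IterationGuard() { --element.m_iterationDepth; }
        Element& element;
    };

    std::vector<Attribute> m_attributes;
    std::string m_inlineStyle;
    bool m_styleAttributeDirty = false;
    int m_iterationDepth = 0;
};

// Stand-in for SelectorChecker::checkOne: asks hasAttributes(), which synchronizes lazily.
// Pretend the stylesheet carries the attribute selectors [class] and [style].
bool ruleMatches(Element& element, const Attribute& attribute) {
    if (!element.hasAttributes())
        return false;
    return attribute.localName == "class" || attribute.localName == "style";
}

// Ordering from the regression as comments 1 and 4 describe it: iterate the
// attribute vector and let matching synchronize the style attribute mid-loop.
size_t collectMatchingRulesBuggy(Element& element) {
    size_t matches = 0;
    if (element.hasAttributesWithoutUpdate()) {
        element.forEachAttribute([&](const Attribute& attribute) {
            if (ruleMatches(element, attribute))
                ++matches;
        });
    }
    return matches;
}

// One possible hardening (an assumption, not necessarily the landed fix):
// synchronize lazy attributes before taking any iterator into the vector.
size_t collectMatchingRulesFixed(Element& element) {
    element.synchronizeAllAttributes();
    return collectMatchingRulesBuggy(element); // safe now: nothing left to append
}

// Constructed input: one eager attribute plus a not-yet-synchronized style.
Element makeElementWithLazyStyle() {
    Element element;
    element.addAttribute({"class", "article"});
    element.setInlineStyle("color: red");
    return element;
}

// True when the buggy ordering is caught appending during iteration.
bool buggyOrderingMutatesDuringIteration() {
    Element element = makeElementWithLazyStyle();
    try {
        collectMatchingRulesBuggy(element);
        return false;
    } catch (const std::logic_error&) {
        return true;
    }
}

size_t fixedOrderingMatchCount() {
    Element element = makeElementWithLazyStyle();
    return collectMatchingRulesFixed(element); // [class] and [style] both match
}
```

With the guard removed, the buggy ordering is the real bug shape: the first `push_back` that reallocates leaves `attribute` in the range-for pointing at freed storage, which is what the first call stack's read of an invalid AtomString in `attributeRules()` looks like from the outside, and what AddressSanitizer would flag as a heap-use-after-free. Any loop over a container that calls back into code able to synchronize, lazily create or otherwise append to that container needs either the guard, a snapshot, or the synchronization hoisted above the loop.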
Comment 6 Antti Koivisto 2022-06-29 21:25:10 PDT
Oh good find
Comment 7 Antti Koivisto 2022-06-29 22:12:22 PDT
Created attachment 460570 [details]
Patch
Comment 8 EWS 2022-06-29 23:22:53 PDT
Committed 251982@main (41eeecebb149): <https://commits.webkit.org/251982@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 460570 [details].
Comment 9 Antti Koivisto 2022-06-30 05:48:08 PDT
rdar://96207962