Bug 282846

| Field | Value |
|---|---|
| Summary | In some cases async/await creates a race where we try to compute translate with null values |
| Product | WebKit |
| Component | CSS |
| Status | RESOLVED FIXED |
| Severity | Normal |
| Priority | P2 |
| Version | Other |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | Pedro Varangot <pvarangot> |
| Assignee | Nobody <webkit-unassigned> |
| CC | koivisto, webkit-bug-importer |
| Keywords | InRadar |
Pedro Varangot
This test will crash sometimes, around 20% to 50% of the time on main. If the unused function or the asynchronous code is removed, it doesn't crash:
<html>
<head>
<style>
  * { read-only; translate: 640rlh; };
</style>
<script>
  nodes = new Map([
    ['n0', new WeakRef(document.documentElement)]
  ]);
  function getObject(key) {
    entriesForKey = stuff.get(key);
    {
      nextEntry = entriesForKey.shift();
      theObject = nextEntry.deref();
      {
        return theObject;
      }
    }
  }
  node = document.createElementNS('http://www.w3.org/1999/xhtml', 'img');
  nodes.get('n0').deref().append(node);
  (async () => {
    globalThis.testRunner?.waitUntilDone();
    for (let i = 0; i < 1700; i++) {
      const url = new URL(`https://example.com/?q=${i}`);
    }
    frames.history.back();
    try {
      await (() => {
        return window.caches.has("something");
      })();
    } catch {}
    node.computedStyleMap().getAll('translate');
    globalThis.testRunner?.notifyDone();
    globalThis.testRunner?.dumpAsText();
  })();
</script>
</head>
</html>
Pedro Varangot
<rdar://problem/137177447>
Pedro Varangot
Pull request: https://github.com/WebKit/WebKit/pull/36409
Pedro Varangot
Relevant part of the stack trace:
1 WebCore 0x134ff0980 WebCore::CSSPrimitiveValue::create(WebCore::Length const&, WebCore::RenderStyle const&) + 1084 (CSSPrimitiveValue.cpp:576)
2 WebCore 0x135124a20 WebCore::ComputedStyleExtractor::zoomAdjustedPixelValueForLength(WebCore::Length const&, WebCore::RenderStyle const&) + 16 (ComputedStyleExtractor.cpp:437) [inlined]
3 WebCore 0x135124a20 WebCore::computedTranslate(WebCore::RenderObject*, WebCore::RenderStyle const&)::$_0::operator()(WebCore::Length const&) const + 16 (ComputedStyleExtractor.cpp:995) [inlined]
4 WebCore 0x135124a20 WebCore::computedTranslate(WebCore::RenderObject*, WebCore::RenderStyle const&) + 7644 (ComputedStyleExtractor.cpp:1002)
5 WebCore 0x1350d21dc WebCore::ComputedStyleExtractor::valueForPropertyInStyle(WebCore::RenderStyle const&, WebCore::CSSPropertyID, WebCore::RenderElement*, WebCore::ComputedStyleExtractor::PropertyValueType) const + 99240 (ComputedStyleExtractor.cpp:4591)
6 WebCore 0x1350b81a8 WebCore::ComputedStyleExtractor::propertyValue(WebCore::CSSPropertyID, WebCore::ComputedStyleExtractor::UpdateLayout, WebCore::ComputedStyleExtractor::PropertyValueType) const + 1168 (ComputedStyleExtractor.cpp:3445)
7 WebCore 0x13588abec WebCore::ComputedStylePropertyMapReadOnly::propertyValue(WebCore::CSSPropertyID) const + 228 (ComputedStylePropertyMapReadOnly.cpp:53)
8 WebCore 0x1358944a4 WebCore::MainThreadStylePropertyMapReadOnly::getAll(WebCore::ScriptExecutionContext&, WTF::AtomString const&) const + 2484 (MainThreadStylePropertyMapReadOnly.cpp:107)
9 WebCore 0x132be9460 WebCore::jsStylePropertyMapReadOnlyPrototypeFunction_getAllBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSStylePropertyMapReadOnly*) + 920 (JSStylePropertyMapReadOnly.cpp:252)
EWS
Committed 286647@main (c1664193f635): <https://commits.webkit.org/286647@main>
Reviewed commits have been landed. Closing PR #36409 and removing active labels.