Bug 303057

Summary: Crash in WebCore::updateCSSTransitionsForStyleableAndProperty
Product: WebKit Reporter: Michael Catanzaro <mcatanzaro>
Component: CSS
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE    
Severity: Normal CC: ap, graouts, koivisto, mcatanzaro
Priority: P2    
Version: WebKit Nightly Build   
Hardware: PC   
OS: Linux   
See Also: https://bugs.webkit.org/show_bug.cgi?id=302713
Attachments:
Description: Stack trace    Flags: none

Michael Catanzaro
Reported 2025-11-24 09:58:11 PST
Created attachment 477501 [details] Stack trace

Epiphany Tech Preview using WebKitGTK 2.51.2 crashes when I click the Save Changes button after editing a page on GNOME GitLab's wiki: https://gitlab.gnome.org/Teams/Releng/security/-/wikis/2025

Unfortunately you of course need to be logged in to do this. Full stack trace attached.

Problem is dereference of WeakPtr corresponding to null underlying pointer.

Program terminated with signal SIGABRT, Aborted.
#0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
44 return INTERNAL_SYSCALL_ERROR_P (ret) ? INTERNAL_SYSCALL_ERRNO (ret) : 0;
[Current thread is 1 (Thread 0x7f2efa5c4e80 (LWP 2))]
(gdb) bt
#0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0) at pthread_kill.c:44
#1 0x00007f2f0469d5e3 in __pthread_kill_internal (threadid=<optimized out>, signo=6) at pthread_kill.c:89
#2 0x00007f2f046433be in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3 0x00007f2f0462a8ed in __GI_abort () at abort.c:77
#4 0x00007f2f04f1a2af in WTFCrashWithInfo () at WTF/Headers/wtf/Assertions.h:985
#5 0x00007f2f07e9b5fa in WTF::WeakPtr<WebCore::KeyframeEffect, WTF::DefaultWeakPtrImpl, WTF::RawPtrTraits<WTF::DefaultWeakPtrImpl> >::operator* (this=0x7f2e0ad10488) at WTF/Headers/wtf/WeakPtr.h:145
#6 WebCore::updateCSSTransitionsForStyleableAndProperty(WebCore::Styleable const&, mpark::variant<WebCore::CSSPropertyID, WTF::AtomString> const&, WebCore::RenderStyle const&, WebCore::RenderStyle const&, WTF::MonotonicTime, WTF::Vector<WTF::WeakPtr<WebCore::StyleOriginatedAnimation, WebCore::WeakPtrImplWithEventTargetData, WTF::RawPtrTraits<WebCore::WeakPtrImplWithEventTargetData> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&)::$_0::operator()() const (this=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/style/Styleable.cpp:608
#7 WebCore::updateCSSTransitionsForStyleableAndProperty (styleable=..., property=..., currentStyle=..., newStyle=..., generationTime=..., newStyleOriginatedAnimations=WTF::Vector of length 1, capacity 16 = {...}) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/style/Styleable.cpp:603
#8 0x00007f2f07e9a083 in WebCore::Styleable::updateCSSTransitions(WebCore::RenderStyle const&, WebCore::RenderStyle const&, WTF::Vector<WTF::WeakPtr<WebCore::StyleOriginatedAnimation, WebCore::WeakPtrImplWithEventTargetData, WTF::RawPtrTraits<WebCore::WeakPtrImplWithEventTargetData> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&) const::$_2::operator()(unsigned int) const (index=<optimized out>, this=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/style/Styleable.cpp:839
#9 WTF::forEachSetBit<unsigned long, 10ul, WebCore::Styleable::updateCSSTransitions(WebCore::RenderStyle const&, WebCore::RenderStyle const&, WTF::Vector<WTF::WeakPtr<WebCore::StyleOriginatedAnimation, WebCore::WeakPtrImplWithEventTargetData, WTF::RawPtrTraits<WebCore::WeakPtrImplWithEventTargetData> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&) const::$_2>(std::span<unsigned long const, 10ul>, WebCore::Styleable::updateCSSTransitions(WebCore::RenderStyle const&, WebCore::RenderStyle const&, WTF::Vector<WTF::WeakPtr<WebCore::StyleOriginatedAnimation, WebCore::WeakPtrImplWithEventTargetData, WTF::RawPtrTraits<WebCore::WeakPtrImplWithEventTargetData> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&) const::$_2 const&) (bits=std::span of length 10 = {...}, func=<optimized out>) at WTF/Headers/wtf/StdLibExtras.h:1408
#10 WTF::BitSet<586ul, unsigned long>::forEachSetBit<WebCore::Styleable::updateCSSTransitions(WebCore::RenderStyle const&, WebCore::RenderStyle const&, WTF::Vector<WTF::WeakPtr<WebCore::StyleOriginatedAnimation, WebCore::WeakPtrImplWithEventTargetData, WTF::RawPtrTraits<WebCore::WeakPtrImplWithEventTargetData> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&) const::$_2>(WebCore::Styleable::updateCSSTransitions(WebCore::RenderStyle const&, WebCore::RenderStyle const&, WTF::Vector<WTF::WeakPtr<WebCore::StyleOriginatedAnimation, WebCore::WeakPtrImplWithEventTargetData, WTF::RawPtrTraits<WebCore::WeakPtrImplWithEventTargetData> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&) const::$_2 const&) const (this=0x7fffbb16f5c0, func=<optimized out>) at WTF/Headers/wtf/BitSet.h:408
#11 WebCore::Styleable::updateCSSTransitions (this=0x7fffbb16f7d0, currentStyle=..., newStyle=..., newStyleOriginatedAnimations=WTF::Vector of length 1, capacity 16 = {...}) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/style/Styleable.cpp:835
#12 0x00007f2f07e8d1ef in WebCore::Style::TreeResolver::createAnimatedElementUpdate(WebCore::Style::ResolvedStyle&&, WebCore::Styleable const&, WTF::OptionSet<WebCore::Style::Change, (WTF::ConcurrencyTag)0>, WebCore::Style::ResolutionContext const&, WebCore::Style::IsInDisplayNoneTree)::$_1::operator()() const (this=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/style/StyleTreeResolver.cpp:791
#13 WebCore::Style::TreeResolver::createAnimatedElementUpdate (this=0x7fffbb1720d0, resolvedStyle=..., styleable=..., parentChanges=..., resolutionContext=..., isInDisplayNoneTree=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/style/StyleTreeResolver.cpp:870
#14 0x00007f2f07e8bfab in WebCore::Style::TreeResolver::resolveElement (this=0x7fffbb1720d0, element=..., existingStyle=0x7f2eee1d4a50, resolutionType=WebCore::Style::TreeResolver::ResolutionType::Full) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/style/StyleTreeResolver.cpp:346
#15 0x00007f2f07e9179c in WebCore::Style::TreeResolver::resolveComposedTree (this=0x7fffbb1720d0) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/style/StyleTreeResolver.cpp:1274
#16 0x00007f2f07e92fdc in WebCore::Style::TreeResolver::resolve (this=0x7fffbb1720d0) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/style/StyleTreeResolver.cpp:1430
#17 0x00007f2f06eaca66 in WebCore::Document::resolveStyle (this=0x7f2ef0120e00, type=<optimized out>) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/dom/Document.cpp:2876
#18 0x00007f2f06ead7b8 in WebCore::Document::updateStyleIfNeeded (this=0x7f2ef0120e00) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/dom/Document.cpp:3009
#19 0x00007f2f07e61640 in WebCore::Style::Extractor::updateStyleIfNeededForProperty (element=..., propertyID=WebCore::CSSPropertyCustom) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/style/StyleExtractor.cpp:202
#20 0x00007f2f07e616d5 in WebCore::Style::Extractor::computeStyleForCustomProperty (this=0x7fffbb1725e0, ownedStyle=std::unique_ptr<WebCore::RenderStyle> = {...}) at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/style/StyleExtractor.cpp:225
#21 0x00007f2f07e61a80 in WebCore::Style::Extractor::customPropertyValueSerialization (this=0x0, propertyName=Python Exception <class 'gdb.MemoryError'>: Cannot access memory at address 0x6
#22 0x00007f2f06bde8cf in WebCore::CSSComputedStyleDeclaration::getPropertyValue (this=<optimized out>, propertyName="--pane-max-width-diff") at /usr/lib/debug/source/sdk/webkitgtk-6.0.bst/Source/WebCore/css/CSSComputedStyleDeclaration.cpp:206
#23 0x00007f2f05ca8e13 in WebCore::jsCSSStyleDeclarationPrototypeFunction_getPropertyValueBody (lexicalGlobalObject=0x7f2ef0220088, callFrame=<optimized out>, castedThis=<optimized out>) at WebCore/DerivedSources/JSCSSStyleDeclaration.cpp:466
#24 WebCore::IDLOperation<WebCore::JSCSSStyleDeclaration>::call<&WebCore::jsCSSStyleDeclarationPrototypeFunction_getPropertyValueBody, (WebCore::CastedThisErrorBehavior)0> (lexicalGlobalObject=..., callFrame=<optimized out>, operationName=<optimized out>) at WebCore/PrivateHeaders/WebCore/JSDOMOperation.h:63
#25 WebCore::jsCSSStyleDeclarationPrototypeFunction_getPropertyValue (lexicalGlobalObject=0x7f2ef0220088, callFrame=<optimized out>) at WebCore/DerivedSources/JSCSSStyleDeclaration.cpp:471
#26 0x00007f2eada0c038 in ??? ()
#27 0x00007fffbb172750 in ??? ()
#28 0x00007f2f015b3491 in llint_op_call () at /usr/lib/x86_64-linux-gnu/libjavascriptcoregtk-6.0.so.1
#29 0x0000000000000000 in ??? ()
Attachments
Stack trace (177.93 KB, text/plain)
2025-11-24 09:58 PST, Michael Catanzaro
no flags
Michael Catanzaro
Comment 1 2025-11-24 10:01:08 PST
Hm, immediately after reporting this bug 2 minutes ago, I encountered the same crash on https://github.com/libproxy/libproxy/tree/main, not just once, but twice. But I don't seem to be able to reproduce it. Refreshing the page does not work.
Michael Catanzaro
Comment 2 2025-11-24 10:03:08 PST
Seems it just crashes sometimes when viewing any directory on github.com.
Michael Catanzaro
Comment 3 2025-11-24 10:07:58 PST
OK, I will try to bisect this, because I have hit the crash 7 times in the past 20 minutes.
Michael Catanzaro
Comment 4 2025-11-24 10:55:00 PST
Possibly fixed by 303234@main, which landed shortly after 2.51.2 was released? Hi Antoine, is this the crash that you fixed in that commit?
Michael Catanzaro
Comment 5 2025-11-24 10:56:48 PST
(I have not bisected this. Just a guess.)
Michael Catanzaro
Comment 6 2025-11-24 13:16:40 PST
(In reply to Michael Catanzaro from comment #2)
> Seems it just crashes sometimes when viewing any directory on github.com.

It's happening on a bunch of different websites. It's unlikely that any user could use the browser for long without encountering this crash.
Alexey Proskuryakov
Comment 7 2025-11-24 17:05:45 PST
The crash fixed in 303234@main did look like this, yes.

Thread 0 name: Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0 WebCore 0x1152de658 WebCore::updateCSSTransitionsForStyleableAndProperty(WebCore::Styleable const&, mpark::variant<WebCore::CSSPropertyID, WTF::AtomString> const&, WebCore::RenderStyle const&, WebCore::RenderStyle const&, WTF::MonotonicTime, WTF::Vector<WTF::WeakPtr<WebCore::StyleOriginatedAnimation, WebCore::WeakPtrImplWithEventTargetData, WTF::RawPtrTraits<WebCore::WeakPtrImplWithEventTargetData>>, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&) + 4860
1 WebCore 0x1152ddb30 WebCore::updateCSSTransitionsForStyleableAndProperty(WebCore::Styleable const&, mpark::variant<WebCore::CSSPropertyID, WTF::AtomString> const&, WebCore::RenderStyle const&, WebCore::RenderStyle const&, WTF::MonotonicTime, WTF::Vector<WTF::WeakPtr<WebCore::StyleOriginatedAnimation, WebCore::WeakPtrImplWithEventTargetData, WTF::RawPtrTraits<WebCore::WeakPtrImplWithEventTargetData>>, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&) + 2004
2 WebCore 0x1152cbd14 WebCore::Style::TreeResolver::createAnimatedElementUpdate(WebCore::Style::ResolvedStyle&&, WebCore::Styleable const&, WTF::OptionSet<WebCore::Style::Change, (WTF::ConcurrencyTag)0>, WebCore::Style::ResolutionContext const&, WebCore::Style::IsInDisplayNoneTree) + 12988
3 WebCore 0x1152c48d4 WebCore::Style::TreeResolver::resolveElement(WebCore::Element&, WebCore::RenderStyle const*, WebCore::Style::TreeResolver::ResolutionType) + 5720
4 WebCore 0x1152d322c WebCore::Style::TreeResolver::resolve() + 2220
5 WebCore 0x114046e10 WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) + 560
6 WebCore 0x1140485c4 WebCore::Document::updateStyleIfNeeded() + 264
7 WebCore 0x114089bcc WTF::Detail::CallableWrapper<WebCore::Document::Document(WebCore::LocalFrame*, WebCore::Settings const&, WTF::URL const&, WTF::OptionSet<WebCore::DocumentClass, (WTF::ConcurrencyTag)0>, WTF::OptionSet<WebCore::Document::ConstructionFlag, (WTF::ConcurrencyTag)0>, std::__1::optional<WebCore::ProcessQualified<WTF::UUID>>)::$_0, void>::call() + 40
8 WebCore 0x114b0d344 WTF::Detail::CallableWrapper<WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0, void>::call() + 448
Michael Catanzaro
Comment 8 2025-11-25 07:39:04 PST
*** This bug has been marked as a duplicate of bug 302713 ***