RESOLVED FIXED 132575
Named element cache can become invalid during HTMLCollection::updateNamedElementCache() 
https://bugs.webkit.org/show_bug.cgi?id=132575
Summary Named element cache can become invalid during HTMLCollection::updateNamedElem...
Chris Dumez
Reported 2014-05-05 11:12:58 PDT
Named element cache can become invalid during HTMLCollection::updateNamedElementCache(). This is because HTMLCollection::updateNamedElementCache() works as follows: 1. Create the named element cache (i.e. hasNamedElementCache() starts returning true) 2. Traverse the HTMLCollection (and thus the DOM tree) to populate the cache Traversing the DOM tree and looking for matches can cause tree updates (https://code.google.com/p/chromium/issues/detail?id=360474#c6) and thus cache invalidation. Therefore, the named element cache can become invalid while HTMLCollection::updateNamedElementCache() is populating it. When this happens, WebKit crashes: ASSERTION FAILED: m_namedElementCache /home/chris/devel/WebKit/Source/WebCore/html/HTMLCollection.cpp(416) : virtual WebCore::Node* WebCore::HTMLCollection::namedItem(const WTF::AtomicString&) const 1 0x7ffff5eb4451 WTFCrash 2 0x7ffff16677c9 WebCore::HTMLCollection::namedItem(WTF::AtomicString const&) const 3 0x7ffff23c5592 WebCore::jsHTMLCollectionPrototypeFunctionNamedItem(JSC::ExecState*) 4 0x7fff9b8980b4 Program received signal SIGSEGV, Segmentation fault. 0x00007ffff5eb4456 in WTFCrash () at /home/chris/devel/WebKit/Source/WTF/wtf/Assertions.cpp:333 333 *(int *)(uintptr_t)0xbbadbeef = 0; (gdb) bt #0 0x00007ffff5eb4456 in WTFCrash () at /home/chris/devel/WebKit/Source/WTF/wtf/Assertions.cpp:333 #1 0x00007ffff16677c9 in WebCore::HTMLCollection::namedItem (this=0x14069c0, name=...) at /home/chris/devel/WebKit/Source/WebCore/html/HTMLCollection.cpp:416 #2 0x00007ffff23c5592 in WebCore::jsHTMLCollectionPrototypeFunctionNamedItem (exec=0x7fffffffa630) at /home/chris/devel/WebKit/WebKitBuild/Debug/DerivedSources/WebCore/JSHTMLCollection.cpp:252 The same issue has been addressed on Blink side: - https://src.chromium.org/viewvc/blink?view=rev&revision=171062 - https://code.google.com/p/chromium/issues/detail?id=360474
Attachments
Patch (9.10 KB, patch)
2014-05-05 12:53 PDT, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Patch (9.10 KB, patch)
2014-05-05 13:15 PDT, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Patch (9.19 KB, patch)
2014-05-05 15:11 PDT, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Chris Dumez
Comment 1 2014-05-05 12:53:30 PDT
Created attachment 230849 [details] Patch
jochen
Comment 2 2014-05-05 13:03:35 PDT
Comment on attachment 230849 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=230849&action=review > LayoutTests/fast/dom/htmlcollection-selectedOptions-namedItem-crash.html:19 > + nit. unnecessary empty line
jochen
Comment 3 2014-05-05 13:04:11 PDT
i reviewed the chromium patch so you might want to get a second pair of eyes on this, but otherwise lgtm
Chris Dumez
Comment 4 2014-05-05 13:13:34 PDT
(In reply to comment #3) > i reviewed the chromium patch so you might want to get a second pair of eyes on this, but otherwise lgtm Yes, I am going to cc relevant people once the ews has had a chance to chew through it.
Chris Dumez
Comment 5 2014-05-05 13:15:21 PDT
Created attachment 230852 [details] Patch
Ryosuke Niwa
Comment 6 2014-05-05 14:18:33 PDT
Comment on attachment 230852 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=230852&action=review > Source/WebCore/ChangeLog:17 > + The issue is that finding matches in the DOM tree can cause > + HTMLCollection::invalidateCache() to be called under certain circumstances and > + thus the named element cache object can become invalid while > + updateNamedElementCache() is populating it. What exactly is that circumstance?
Chris Dumez
Comment 7 2014-05-05 14:28:19 PDT
(In reply to comment #6) > (From update of attachment 230852 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=230852&action=review > > > Source/WebCore/ChangeLog:17 > > + The issue is that finding matches in the DOM tree can cause > > + HTMLCollection::invalidateCache() to be called under certain circumstances and > > + thus the named element cache object can become invalid while > > + updateNamedElementCache() is populating it. > > What exactly is that circumstance? This is explained at https://code.google.com/p/chromium/issues/detail?id=360474#c6, basically the stack trace looks like: HTMLCollection::updateIdNameCache HTMLCollection::traverseToFirstElement LiveNodeListBase::firstMatchingElement<WebCore::HTMLCollection> isMatchingElement<WebCore::HTMLCollection> HTMLOptionElement::selected HTMLSelectElement::updateListItemSelectedStates HTMLSelectElement::recalcListItems HTMLOptionElement::setSelectedState HTMLSelectElement::invalidateSelectedItems HTMLCollection::invalidateCache HTMLCollection::invalidateIdNameCacheMaps So it is for HTMLCollection of selected options (SelectedOptions collection type), we traverse the DOM tree and call the following to see if the Element is a match: element.hasTagName(optionTag) && toHTMLOptionElement(element).selected(); The issue is that HTMLOptionElement::selected() can cause HTMLCollection cache invalidation as per above backtrace.
Ryosuke Niwa
Comment 8 2014-05-05 14:47:41 PDT
Comment on attachment 230852 [details] Patch Thanks for the clarification.
Ryosuke Niwa
Comment 9 2014-05-05 14:48:08 PDT
Comment on attachment 230852 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=230852&action=review > LayoutTests/fast/dom/htmlcollection-selectedOptions-namedItem-crash.html:5 > +<head> > +<script src="../../resources/js-test-pre.js"></script> > +</head> We don't need head if we put js-test-pre.js inside body.
Chris Dumez
Comment 10 2014-05-05 15:11:41 PDT
Created attachment 230858 [details] Patch
WebKit Commit Bot
Comment 11 2014-05-05 15:51:05 PDT
Comment on attachment 230858 [details] Patch Clearing flags on attachment: 230858 Committed r168322: <http://trac.webkit.org/changeset/168322>
WebKit Commit Bot
Comment 12 2014-05-05 15:51:10 PDT
All reviewed patches have been landed. Closing bug.
Radar WebKit Bug Importer
Comment 13 2014-05-05 19:55:55 PDT
<rdar://problem/16821718>
Geoffrey Garen
Comment 14 2014-05-06 10:35:05 PDT
Comment on attachment 230849 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=230849&action=review > Source/WebCore/ChangeLog:17 > + HTMLCollection::invalidateCache() to be called under certain circumstances and > + thus the named element cache object can become invalid while > + updateNamedElementCache() is populating it. If the cache becomes invalid during its construction, why is it OK to assign the cache to the collection unconditionally? Wouldn't you end up with an invalid cache? Should there be some kind of check for invalidation inside setNameItemCache?
Chris Dumez
Comment 15 2014-05-06 11:42:13 PDT
(In reply to comment #14) > (From update of attachment 230849 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=230849&action=review > > > Source/WebCore/ChangeLog:17 > > + HTMLCollection::invalidateCache() to be called under certain circumstances and > > + thus the named element cache object can become invalid while > > + updateNamedElementCache() is populating it. > > If the cache becomes invalid during its construction, why is it OK to assign the cache to the collection unconditionally? Wouldn't you end up with an invalid cache? Should there be some kind of check for invalidation inside setNameItemCache? For this particular case, based on the implementation of HTMLSelectElement::recalcListItems(), I think it is OK. When traversing the DOM tree and reaching the first <option> element in a <select>. We will call HTMLOptionElement::selected() which may result in calling HTMLSelectElement::recalcListItems(). recalcListItems() will make sure: - Only 1 <option> is selected if m_multiple is false: * To do so, it will unselect later <option> elements. This will update only future elements in your traversal so our cache should still be valid. - If no <option> is selected and m_size is 1 (the <select> only has one <option>), the option will be selected. * This will update the 'selected' state of the <option> we are calling HTMLOptionElement::selected() on, so our cache should still be valid. Basically, HTMLSelectElement::recalcListItems() can only update the selected state of the option we are currently at (while traversing the DOM tree) or the following ones. Since we are doing a forward traversal, what we previous added to the cache should remain valid. For the record, my patch makes updateNamedElementCache() behave like it used to before this relatively recent change that introduced the regression: http://trac.webkit.org/changeset/164772 We used to call setHasIdNameCache() at the *end* of the update function, which resulted in the same behavior as with my patch.
Ryosuke Niwa
Comment 16 2014-05-06 12:20:56 PDT
I agree that the fact HTMLSelectElement is implicitly changing the HTML collection's state is really annoying but I can't think of a better way to fix this without pluming through a flag everywhere.
Note You need to log in before you can comment on or make changes to this bug.