RESOLVED FIXED
156997
Crash under WebCore::MutationObserver::deliverAllMutations()
https://bugs.webkit.org/show_bug.cgi?id=156997
Summary
Crash under WebCore::MutationObserver::deliverAllMutations()
Chris Dumez
Reported
2016-04-25 14:49:51 PDT
Crash under WebCore::MutationObserver::deliverAllMutations(): Thread[0] EXC_BAD_ACCESS (SIGSEGV) (KERN_INVALID_ADDRESS at 0x00000000000000b0) [ 0] 0x00007fff84d4ddad WebCore`WebCore::MutationObserver::deliverAllMutations() [inlined] WTF::RefPtr<WebCore::MutationCallback>::operator->() const at ScriptExecutionContext.h:98 94 virtual void suspendActiveDOMObjects(ActiveDOMObject::ReasonForSuspension); 95 virtual void resumeActiveDOMObjects(ActiveDOMObject::ReasonForSuspension); 96 virtual void stopActiveDOMObjects(); 97 -> 98 bool activeDOMObjectsAreSuspended() const { return m_activeDOMObjectsAreSuspended; } 99 bool activeDOMObjectsAreStopped() const { return m_activeDOMObjectsAreStopped; } 100 101 // Called from the constructor and destructors of ActiveDOMObject. 102 void didCreateActiveDOMObject(ActiveDOMObject*); 0x00007fff84d4dda0: movq (%r15), %rax 0x00007fff84d4dda3: movq 0x8(%rax), %rdi 0x00007fff84d4dda7: movq (%rdi), %rax 0x00007fff84d4ddaa: callq *0x18(%rax) -> 0x00007fff84d4ddad: cmpb $0x0, 0xb0(%rax) 0x00007fff84d4ddb4: jne 0x139eb1 ; <+433> at MutationObserver.cpp:221 0x00007fff84d4ddba: cmpb $0x1, 0xed44ef(%rip) ; WebCore::suspendedMutationObservers()::suspendedObservers + 7 0x00007fff84d4ddc1: jne 0x139dd0 ; <+208> [inlined] WebCore::suspendedMutationObservers() + 15 at MutationObserver.cpp:225 0x00007fff84d4ddc3: movq 0xed44de(%rip), %rbx ; WebCore::suspendedMutationObservers()::suspendedObservers [ 0] 0x00007fff84d4ddad WebCore`WebCore::MutationObserver::deliverAllMutations() [inlined] WTF::Vector<WTF::RefPtr<WebCore::MutationObserver>, 0ul, WTF::CrashOnOverflow>::operator[](unsigned long) + 25 at MutationObserver.cpp:184 180 } 181 182 bool MutationObserver::canDeliver() 183 { -> 184 return !m_callback->scriptExecutionContext()->activeDOMObjectsAreSuspended(); 185 } 186 187 void MutationObserver::deliver() 188 { [ 0] 0x00007fff84d4dd94 WebCore`WebCore::MutationObserver::deliverAllMutations() + 148 at MutationObserver.cpp:222 218 if 
(!suspendedMutationObservers().isEmpty()) { 219 Vector<RefPtr<MutationObserver> > suspended; 220 copyToVector(suspendedMutationObservers(), suspended); 221 for (size_t i = 0; i < suspended.size(); ++i) { -> 222 if (!suspended[i]->canDeliver()) 223 continue; 224 225 suspendedMutationObservers().remove(suspended[i]); 226 activeMutationObservers().add(suspended[i]); [ 1] 0x00007fff84e393df WebCore`WebCore::JSMainThreadExecState::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) [inlined] WebCore::JSMainThreadExecState::~JSMainThreadExecState() + 18 at JSMainThreadExecState.h:97 93 94 s_mainThreadState = m_previousState; 95 96 if (didExitJavaScript) -> 97 didLeaveScriptContext(); 98 } 99 100 private: 101 static JSC::ExecState* s_mainThreadState; 0x00007fff84e393d1: je 0x2253e2 ; <+178> [inlined] WebCore::JSMainThreadExecState::~JSMainThreadExecState() + 21 at JSMainThreadExecState.h:89 0x00007fff84e393d3: movq %r14, (%r15) 0x00007fff84e393d6: testq %r14, %r14 0x00007fff84e393d9: jne 0x2253e5 ; <+181> at JSMainThreadExecState.h:57 -> 0x00007fff84e393db: callq 0x13b9a0 ; WebCore::JSMainThreadExecState::didLeaveScriptContext at JSMainThreadExecState.cpp:39 0x00007fff84e393e0: jmp 0x2253e5 ; <+181> at JSMainThreadExecState.h:57 0x00007fff84e393e2: movq %r14, (%r15) 0x00007fff84e393e5: movq %rbx, %rax 0x00007fff84e393e8: addq $0x18, %rsp [ 1] 0x00007fff84e393cd WebCore`WebCore::JSMainThreadExecState::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) [inlined] WebCore::JSMainThreadExecState::~JSMainThreadExecState() at JSMainThreadExecState.h:89 [ 1] 0x00007fff84e393cd WebCore`WebCore::JSMainThreadExecState::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 157 at JSMainThreadExecState.h:57 [ 2] 0x00007fff84e7db51 WebCore`WebCore::ScheduledAction::executeFunctionInContext(JSC::JSGlobalObject*, 
JSC::JSValue, WebCore::ScriptExecutionContext*) + 449 at ScheduledAction.cpp:111 0x00007fff84e7db3c: leaq -0x48(%rbp), %rcx 0x00007fff84e7db40: leaq -0xc0(%rbp), %r9 0x00007fff84e7db47: movq %rbx, %rdi 0x00007fff84e7db4a: movl %r13d, %edx -> 0x00007fff84e7db4d: callq 0x225330 ; WebCore::JSMainThreadExecState::call at JSMainThreadExecState.h:51 0x00007fff84e7db52: jmp 0x269b81 ; <+497> [inlined] WebCore::InspectorInstrumentation::hasFrontends() at InspectorInstrumentation.h:853 0x00007fff84e7db54: movq -0x58(%rbp), %rax 0x00007fff84e7db58: movq %rax, -0xd0(%rbp) 0x00007fff84e7db5f: movl -0xa0(%rbp), %eax
Attachments
Patch
(3.71 KB, patch)
2016-04-25 15:27 PDT
,
Chris Dumez
no flags
Chris Dumez
Comment 1
2016-04-25 14:50:25 PDT
rdar://problem/16542323
Chris Dumez
Comment 2
2016-04-25 15:27:42 PDT
Created
attachment 277284
[details]
Patch
WebKit Commit Bot
Comment 3
2016-04-25 17:12:38 PDT
Comment on
attachment 277284
[details]
Patch. Clearing flags on attachment: 277284. Committed
r200062
: <
http://trac.webkit.org/changeset/200062
>
WebKit Commit Bot
Comment 4
2016-04-25 17:12:43 PDT
All reviewed patches have been landed. Closing bug.