Bug 159722 - v2: WebContent crash due to RELEASE_ASSERT(!m_inLoadPendingImages) in StyleResolver::~StyleResolver()
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: CSS
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
Keywords: InRadar
Reported: 2016-07-13 09:37 PDT by Antti Koivisto
Modified: 2016-07-13 12:19 PDT (History)
Attachments
Patch (3.30 KB, patch)
2016-07-13 10:00 PDT, Antti Koivisto
kling: review+
Description Antti Koivisto 2016-07-13 09:37:40 PDT
Thread 0 name:  Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0   WebCore                       	0x000000018fa989dc WebCore::StyleResolver::~StyleResolver() + 500 (StyleResolver.cpp:318)
1   WebCore                       	0x000000018fa987bc WebCore::Document::clearStyleResolver() + 32 (memory:2525)
2   WebCore                       	0x000000018fa987bc WebCore::Document::clearStyleResolver() + 32 (memory:2525)
3   WebCore                       	0x000000018fc84fdc WebCore::AuthorStyleSheets::updateActiveStyleSheets(WebCore::AuthorStyleSheets::UpdateFlag) + 484 (AuthorStyleSheets.cpp:317)
4   WebCore                       	0x000000018fa976e8 WebCore::Document::styleResolverChanged(WebCore::StyleResolverUpdateFlag) + 116 (Document.cpp:3671)
5   WebKit                        	0x000000019466a324 WebKit::WebPage::viewportConfigurationChanged() + 196 (WebPageIOS.mm:2934)
6   WebKit                        	0x000000019465d5e0 WebKit::WebPage::mainFrameDidLayout() + 156 (WebPage.cpp:3807)
7   WebCore                       	0x000000018fadad1c WebCore::FrameView::performPostLayoutTasks() + 292 (FrameView.cpp:3198)
8   WebCore                       	0x000000018fad6ec4 WebCore::FrameView::layout(bool) + 3536 (FrameView.cpp:1493)
9   WebCore                       	0x000000018fad3bd4 WebCore::Document::implicitClose() + 788 (Document.cpp:2797)
10  WebCore                       	0x000000018fad2fd4 WebCore::FrameLoader::checkCompleted() + 352 (FrameLoader.cpp:869)
11  WebCore                       	0x000000018fb04a88 WebCore::CachedResourceLoader::loadDone(WebCore::CachedResource*, bool) + 124 (CachedResourceLoader.cpp:985)
12  WebCore                       	0x000000018fb06afc WebCore::SubresourceLoader::didCancel(WebCore::ResourceError const&) + 92 (SubresourceLoader.cpp:519)
13  WebCore                       	0x000000018fb06500 WebCore::ResourceLoader::cancel(WebCore::ResourceError const&) + 476 (ResourceLoader.cpp:598)
14  WebCore                       	0x000000018fb06298 WebCore::ResourceLoader::cancel() + 64 (ResourceLoader.cpp:554)
15  WebCore                       	0x0000000190817e10 WebCore::SubresourceLoader::willSendRequestInternal(WebCore::ResourceRequest&, WebCore::ResourceResponse const&) + 836 (SubresourceLoader.cpp:222)
16  WebCore                       	0x000000018fa78378 WebCore::ResourceLoader::init(WebCore::ResourceRequest const&) + 284 (ResourceLoader.cpp:146)
17  WebCore                       	0x000000018fa78114 WebCore::SubresourceLoader::init(WebCore::ResourceRequest const&) + 32 (SubresourceLoader.cpp:144)
18  WebCore                       	0x00000001908179f8 WebCore::SubresourceLoader::create(WebCore::Frame&, WebCore::CachedResource&, WebCore::ResourceRequest const&, WebCore::ResourceLoaderOptions const&) + 196 (SubresourceLoader.cpp:112)
19  WebKit                        	0x000000019464c724 WebKit::WebLoaderStrategy::loadResource(WebCore::Frame&, WebCore::CachedResource&, WebCore::ResourceRequest const&, WebCore::ResourceLoaderOptions const&) + 52 (WebLoaderStrategy.cpp:76)
20  WebCore                       	0x000000018fcb75ec WebCore::CachedResource::load(WebCore::CachedResourceLoader&, WebCore::ResourceLoaderOptions const&) + 1136 (CachedResource.cpp:291)
21  WebCore                       	0x000000018fa75288 WebCore::CachedResourceLoader::requestResource(WebCore::CachedResource::Type, WebCore::CachedResourceRequest&) + 2060 (CachedResourceLoader.cpp:642)
22  WebCore                       	0x000000018fb1268c WebCore::CachedResourceLoader::requestImage(WebCore::CachedResourceRequest&) + 284 (CachedResourceLoader.cpp:192)
23  WebCore                       	0x000000018fd729ac WebCore::CSSImageValue::cachedImage(WebCore::CachedResourceLoader&, WebCore::ResourceLoaderOptions const&) + 448 (CSSImageValue.cpp:89)
24  WebCore                       	0x000000019035c520 WebCore::Style::loadPendingImage(WebCore::Document&, WebCore::StyleImage const&, WebCore::Element const*, WebCore::Style::LoadPolicy) + 168 (StylePendingResources.cpp:60)
25  WebCore                       	0x000000019035c148 WebCore::Style::loadPendingResources(WebCore::Style::PendingResources const&, WebCore::Document&, WebCore::RenderStyle&, WebCore::Element const*) + 1876 (StylePendingResources.cpp:86)
26  WebCore                       	0x000000019080233c WebCore::StyleResolver::applyMatchedProperties(WebCore::StyleResolver::MatchResult const&, WebCore::Element const&, WebCore::StyleResolver::ShouldUseMatchedPropertiesCache) + 2316 (StyleResolver.cpp:2115)
27  WebCore                       	0x00000001908043e0 WebCore::StyleResolver::pseudoStyleForElement(WebCore::Element const&, WebCore::PseudoStyleRequest const&, WebCore::RenderStyle const&) + 596 (StyleResolver.cpp:650)
28  WebCore                       	0x000000019061fe84 WebCore::RenderElement::getCachedPseudoStyle(WebCore::PseudoId, WebCore::RenderStyle const*) const + 128 (RenderElement.cpp:1546)
29  WebCore                       	0x00000001906ec0d8 WebCore::RenderTreeUpdater::updateBeforeOrAfterPseudoElement(WebCore::Element&, WebCore::PseudoId) + 320 (RenderTreeUpdater.cpp:465)
30  WebCore                       	0x00000001906ec2e0 WebCore::RenderTreeUpdater::popParent() + 64 (RenderTreeUpdater.cpp:194)
31  WebCore                       	0x00000001906eb090 WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) + 736 (RenderTreeUpdater.cpp:207)
32  WebCore                       	0x00000001906ead50 WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update, std::__1::default_delete<WebCore::Style::Update> >) + 500 (RenderTreeUpdater.cpp:101)
33  WebCore                       	0x000000018fe09dd4 WebCore::Document::recalcStyle(WebCore::Style::Change) + 624 (Document.cpp:1926)
34  WebCore                       	0x000000018fad21b4 WebCore::Document::finishedParsing() + 340 (Document.cpp:1972)
35  WebCore                       	0x000000018facfb8c WebCore::HTMLDocumentParser::prepareToStopParsing() + 172 (HTMLDocumentParser.cpp:405)
36  WebCore                       	0x000000018facf0a8 WebCore::DocumentWriter::end() + 92 (DocumentWriter.cpp:272)
37  WebCore                       	0x000000018fac6d54 WebCore::DocumentLoader::finishedLoading(double) + 256 (DocumentLoader.cpp:437)
38  WebCore                       	0x000000018fb0437c WebCore::CachedResource::checkNotify() + 448 (CachedResource.cpp:307)
39  WebCore                       	0x000000018fcb5de8 WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) + 224 (CachedRawResource.cpp:103)
40  WebCore                       	0x000000018fb04060 WebCore::SubresourceLoader::didFinishLoading(double) + 1020 (SubresourceLoader.cpp:440)
41  WebKit                        	0x00000001946f7aa8 WebKit::WebResourceLoader::didFinishResourceLoad(double) + 216 (WebResourceLoader.cpp:158)
42  WebKit                        	0x00000001946f82e0 WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::MessageDecoder&) + 308 (HandleMessage.h:16)
43  WebKit                        	0x0000000194539194 IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::MessageDecoder, std::__1::default_delete<IPC::MessageDecoder> >) + 160 (Connection.cpp:887)
44  WebKit                        	0x000000019453b770 IPC::Connection::dispatchOneMessage() + 204 (Connection.cpp:949)
Comment 1 Antti Koivisto 2016-07-13 09:38:14 PDT
rdar://problem/27306545
Comment 2 Antti Koivisto 2016-07-13 10:00:47 PDT
Created attachment 283540 [details]
Patch
Comment 3 Simon Fraser (smfr) 2016-07-13 11:27:26 PDT
Shouldn't we instead try to avoid the call into FrameView::layout() under Document::recalcStyle(), which would require making something under the ResourceLoader::cancel() code path async?
Comment 4 Antti Koivisto 2016-07-13 11:34:28 PDT
(In reply to comment #3)
> Shouldn't we instead try to avoid the call into FrameView::layout() under
> Document::recalcStyle(), which would require making something under the
> ResourceLoader::cancel() code path async?

Yes but those are all complex and risky changes.
Comment 5 Antti Koivisto 2016-07-13 11:36:11 PDT
What we really want is to not trigger loads synchronously from the style resolver in the first place.
Comment 6 Andreas Kling 2016-07-13 12:07:39 PDT
Comment on attachment 283540 [details]
Patch

r=me

It would be good to eventually move to a system where we gather all the loads we need to schedule and fire them at a later point instead of initiating them synchronously from loadPendingImages.
That would sidestep the hackish situation Simon raised concerns about.
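As an added illustration, not code from this bug, its patch or WebKit, the following C++ model contrasts the two strategies the thread discusses: starting image loads synchronously from inside the style resolver (the shape of the crash trace above, where a cancelled load unwinds into clearStyleResolver() while loadPendingImages is still on the stack) versus gathering the loads into a queue and firing them after style resolution has unwound. Every name here (Document, StyleResolver, Stats, cancellingLoader, the example.test URLs) is a hypothetical stand-in, the loader is a constructed callback that "cancels" one URL, and a counter replaces the RELEASE_ASSERT so both paths can run in one process.

```cpp
#include <cstdio>
#include <functional>
#include <memory>
#include <string>
#include <utility>
#include <vector>

namespace demo {

// Stand-in for RELEASE_ASSERT(!m_inLoadPendingImages): instead of aborting,
// count how often the resolver would be torn down with a method on its stack.
struct Stats {
    int tornDownWhileLoading = 0;
    int loadsStarted = 0;
};

struct Document;

// The "loader" gets the document so it can call back into it, the way
// willSendRequestInternal -> cancel() -> ... -> styleResolverChanged() does.
using LoaderFn = std::function<void(Document&, const std::string&)>;

struct StyleResolver {
    explicit StyleResolver(Document& doc) : m_doc(doc) {}
    bool inLoadPendingImages() const { return m_inLoadPendingImages; }

    // Synchronous strategy (the crash shape): each load starts from inside the
    // resolver, so any re-entrant callback runs with *this on the stack.
    void loadPendingImagesSync(const std::vector<std::string>& urls, const LoaderFn& loader);

    // Deferred strategy (comment 6): only record what is needed; the document
    // starts the loads after style resolution has fully unwound.
    void loadPendingImagesDeferred(const std::vector<std::string>& urls,
                                   std::vector<std::string>& queue) {
        m_inLoadPendingImages = true;
        queue.insert(queue.end(), urls.begin(), urls.end());
        m_inLoadPendingImages = false;
    }

private:
    Document& m_doc;
    bool m_inLoadPendingImages = false;
};

struct Document {
    Stats stats;
    std::vector<std::string> pendingLoads;

    Document() : m_resolver(std::make_unique<StyleResolver>(*this)) {}
    StyleResolver& resolver() { return *m_resolver; }

    // Mirrors Document::clearStyleResolver(). WebKit asserts in the resolver's
    // destructor; this model parks the old object in m_retired instead of
    // freeing it, so the demo itself contains no use-after-free.
    void clearStyleResolver() {
        if (m_resolver->inLoadPendingImages())
            ++stats.tornDownWhileLoading;
        m_retired.push_back(std::move(m_resolver));
        m_resolver = std::make_unique<StyleResolver>(*this);
    }

    // Deferred strategy: runs with no resolver method on the stack. The queue
    // is swapped out per round because a callback may enqueue more loads.
    void flushPendingLoads(const LoaderFn& loader) {
        while (!pendingLoads.empty()) {
            std::vector<std::string> batch;
            batch.swap(pendingLoads);
            for (const auto& url : batch) {
                ++stats.loadsStarted;
                loader(*this, url);
            }
        }
    }

private:
    std::unique_ptr<StyleResolver> m_resolver;
    std::vector<std::unique_ptr<StyleResolver>> m_retired;
};

inline void StyleResolver::loadPendingImagesSync(const std::vector<std::string>& urls,
                                                 const LoaderFn& loader) {
    m_inLoadPendingImages = true;
    for (const auto& url : urls) {
        ++m_doc.stats.loadsStarted;
        loader(m_doc, url); // may re-enter the document and replace *this
    }
    m_inLoadPendingImages = false; // in WebKit this write would hit freed memory
}

// Constructed loader: the named URL is "cancelled" in willSendRequest and the
// cancel path unwinds, as in the trace, into clearStyleResolver().
inline LoaderFn cancellingLoader(const std::string& cancelled) {
    return [cancelled](Document& doc, const std::string& url) {
        if (url == cancelled)
            doc.clearStyleResolver();
    };
}

// Constructed sample input (hypothetical URLs); the second one is cancelled.
static const std::vector<std::string> kUrls = {
    "https://example.test/a.png", "https://example.test/cancel.png", "https://example.test/b.png" };
static const std::string kCancelled = kUrls[1];

inline Stats runSyncScenario() {
    Document doc;
    doc.resolver().loadPendingImagesSync(kUrls, cancellingLoader(kCancelled));
    return doc.stats;
}

inline Stats runDeferredScenario() {
    Document doc;
    doc.resolver().loadPendingImagesDeferred(kUrls, doc.pendingLoads);
    doc.flushPendingLoads(cancellingLoader(kCancelled));
    return doc.stats;
}

} // namespace demo

int main() {
    demo::Stats s = demo::runSyncScenario(), d = demo::runDeferredScenario();
    std::printf("sync: torn down mid-load %d time(s), %d loads\n", s.tornDownWhileLoading, s.loadsStarted);
    std::printf("deferred: torn down mid-load %d time(s), %d loads\n", d.tornDownWhileLoading, d.loadsStarted);
    return 0;
}
```

Both scenarios start the same three loads; only the synchronous one has the resolver replaced while loadPendingImagesSync is still executing, which is the state the real RELEASE_ASSERT catches. The deferred variant still lets the cancel path call clearStyleResolver() re-entrantly, but by then no resolver method is on the stack, so tearing the object down is safe.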
Comment 7 Antti Koivisto 2016-07-13 12:19:31 PDT
https://trac.webkit.org/r203172