WebKit Bugzilla - Bug 168655 - RESOLVED FIXED
REGRESSION(r207669): Crash after mutating selector text
https://bugs.webkit.org/show_bug.cgi?id=168655
Reported by Antti Koivisto, 2017-02-21 08:28:55 PST:

<style id=s> body[foo] [id=d] { color: green }; </style>
<body>
<div id=d>PASS</div>
<script>
d.offsetLeft;
s.sheet.cssRules.item(0).selectorText = "body[foo]";
document.body.setAttribute("foo", "foo");
</script>
Attachments
- patch (3.19 KB, patch), 2017-02-21 08:35 PST, Antti Koivisto, bfulgham: review+
- for landing (3.13 KB, patch), 2017-02-21 10:14 PST, Antti Koivisto, commit-queue: commit-queue-
- for landing (3.12 KB, patch), 2017-02-21 11:06 PST, Antti Koivisto, no flags
- patch (4.84 KB, patch), 2017-02-22 00:07 PST, Antti Koivisto, no flags
Comment 1, Radar WebKit Bug Importer, 2017-02-21 08:29:41 PST:
<rdar://problem/30632111>
Comment 2, Antti Koivisto, 2017-02-21 08:35:22 PST:
Created attachment 302265 [details]: patch
Comment 3, Brent Fulgham, 2017-02-21 09:20:45 PST:
Comment on attachment 302265 [details] patch

Looks good. r=me
Comment 4, Antti Koivisto, 2017-02-21 10:14:11 PST:
Created attachment 302278 [details]: for landing
Comment 5, WebKit Commit Bot, 2017-02-21 10:55:31 PST:
Comment on attachment 302278 [details] for landing

Rejecting attachment 302278 [details] from commit-queue.

Failed to run "['/Volumes/Data/EWS/WebKit/Tools/Scripts/webkit-patch', '--status-host=webkit-queues.webkit.org', '--bot-id=webkit-cq-01', 'validate-changelog', '--check-oops', '--non-interactive', 302278, '--port=mac']" exit_code: 1 cwd: /Volumes/Data/EWS/WebKit

ChangeLog entry in LayoutTests/ChangeLog contains OOPS!.

Full output: http://webkit-queues.webkit.org/results/3167051
Comment 6, Antti Koivisto, 2017-02-21 11:06:15 PST:
Created attachment 302285 [details]: for landing
Comment 7, WebKit Commit Bot, 2017-02-21 12:08:34 PST:
Comment on attachment 302285 [details] for landing

Clearing flags on attachment: 302285

Committed r212737: <http://trac.webkit.org/changeset/212737>
Comment 8, WebKit Commit Bot, 2017-02-21 12:08:40 PST:
All reviewed patches have been landed. Closing bug.
Comment 9, Ryan Haddad, 2017-02-21 18:01:45 PST:
Reverted r212737 for reason:

This change caused an existing LayoutTest to crash.

Committed r212788: <http://trac.webkit.org/changeset/212788>
Comment 10, Ryan Haddad, 2017-02-21 18:02:19 PST:
(In reply to comment #9)
> Reverted r212737 for reason:
>
> This change caused an existing LayoutTest to crash.
>
> Committed r212788: <http://trac.webkit.org/changeset/212788>

https://build.webkit.org/results/Apple%20Sierra%20Release%20WK2%20(Tests)/r212777%20(3782)/results.html
Comment 11, Antti Koivisto, 2017-02-21 23:41:02 PST:
Looks like extension stylesheets may trigger synchronous call to Style::Scope::scheduleUpdate from flushPendingUpdate deleting the resolver.

    frame #1: WebCore`WebCore::Style::Scope::scheduleUpdate(this=0x000000011db36c60, update=ContentsOrInterpretation) at StyleScope.cpp:526
    frame #2: WebCore`WebCore::Style::Scope::didChangeStyleSheetEnvironment(this=0x000000011db36c60) at StyleScope.cpp:560
    frame #3: WebCore`WebCore::ExtensionStyleSheets::addDisplayNoneSelector(this=0x000000011dbdc540, identifier=0x000000011dab5900, selector=0x000000011dab5910, selectorID=15) at ExtensionStyleSheets.cpp:181
    frame #4: WebCore`WebCore::ContentExtensions::ContentExtensionsBackend::processContentExtensionRulesForLoad(this=0x000000011dbb70f0, url=0x00007fff588c9fc0, resourceType=Font, initiatingDocumentLoader=0x000000011db20000) at ContentExtensionsBackend.cpp:186
    frame #5: WebCore`WebCore::UserContentProvider::processContentExtensionRulesForLoad(this=0x000000011dbb7000, url=0x00007fff588c9fc0, resourceType=Font, initiatingDocumentLoader=0x000000011db20000) at UserContentProvider.cpp:108
    frame #6: WebCore`WebCore::CachedResourceLoader::requestResource(this=0x000000011db36b40, type=FontResource, request=0x00007fff588c9fc0, forPreload=No, defer=NoDefer) at CachedResourceLoader.cpp:692
    frame #7: WebCore`WebCore::CachedResourceLoader::requestFont(this=0x000000011db36b40, request=0x00007fff588c9fc0, isSVG=false) at CachedResourceLoader.cpp:204
    frame #8: WebCore`WebCore::CSSFontFaceSrcValue::cachedFont(this=0x000000011dac2508, document=0x0000000120df4000, isSVG=false, isInitiatingElementInUserAgentShadowTree=false) at CSSFontFaceSrcValue.cpp:105
    frame #9: WebCore`WebCore::CSSFontFace::appendSources(fontFace=0x000000011db6a7e0, srcList=0x000000011daac280, document=0x0000000120df4000, isInitiatingElementInUserAgentShadowTree=false) at CSSFontFace.cpp:79

(lldb) bt 20
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xbbadbeef)
  * frame #0: JavaScriptCore`::WTFCrash() at Assertions.cpp:323
    frame #1: WebCore`WebCore::Style::Scope::scheduleUpdate(this=0x000000011db36c60, update=ContentsOrInterpretation) at StyleScope.cpp:526
    frame #2: WebCore`WebCore::Style::Scope::didChangeStyleSheetEnvironment(this=0x000000011db36c60) at StyleScope.cpp:560
    frame #3: WebCore`WebCore::ExtensionStyleSheets::addDisplayNoneSelector(this=0x000000011dbdc540, identifier=0x000000011dab5900, selector=0x000000011dab5910, selectorID=15) at ExtensionStyleSheets.cpp:181
    frame #4: WebCore`WebCore::ContentExtensions::ContentExtensionsBackend::processContentExtensionRulesForLoad(this=0x000000011dbb70f0, url=0x00007fff588c9fc0, resourceType=Font, initiatingDocumentLoader=0x000000011db20000) at ContentExtensionsBackend.cpp:186
    frame #5: WebCore`WebCore::UserContentProvider::processContentExtensionRulesForLoad(this=0x000000011dbb7000, url=0x00007fff588c9fc0, resourceType=Font, initiatingDocumentLoader=0x000000011db20000) at UserContentProvider.cpp:108
    frame #6: WebCore`WebCore::CachedResourceLoader::requestResource(this=0x000000011db36b40, type=FontResource, request=0x00007fff588c9fc0, forPreload=No, defer=NoDefer) at CachedResourceLoader.cpp:692
    frame #7: WebCore`WebCore::CachedResourceLoader::requestFont(this=0x000000011db36b40, request=0x00007fff588c9fc0, isSVG=false) at CachedResourceLoader.cpp:204
    frame #8: WebCore`WebCore::CSSFontFaceSrcValue::cachedFont(this=0x000000011dac2508, document=0x0000000120df4000, isSVG=false, isInitiatingElementInUserAgentShadowTree=false) at CSSFontFaceSrcValue.cpp:105
    frame #9: WebCore`WebCore::CSSFontFace::appendSources(fontFace=0x000000011db6a7e0, srcList=0x000000011daac280, document=0x0000000120df4000, isInitiatingElementInUserAgentShadowTree=false) at CSSFontFace.cpp:79
    frame #10: WebCore`WebCore::CSSFontSelector::addFontFaceRule(this=0x000000011db6a540, fontFaceRule=0x000000011daae0c0, isInitiatingElementInUserAgentShadowTree=false) at CSSFontSelector.cpp:202
    frame #11: WebCore`WebCore::RuleSet::addChildRules(this=0x000000011db5f800, rules=0x000000011db8b328, medium=0x000000011db27790, resolver=0x000000011db27500, hasDocumentSecurityOrigin=true, isInitiatingElementInUserAgentShadowTree=false, addRuleFlags=RuleHasDocumentSecurityOrigin) at RuleSet.cpp:388
    frame #12: WebCore`WebCore::RuleSet::addRulesFromSheet(this=0x000000011db5f800, sheet=0x000000011db8b2e8, medium=0x000000011db27790, resolver=0x000000011db27500) at RuleSet.cpp:420
    frame #13: WebCore`WebCore::DocumentRuleSets::appendAuthorStyleSheets(this=0x000000011db27500, styleSheets=0x00007fff588cac08, medium=0x000000011db27790, inspectorCSSOMWrappers=0x000000011db277f8, resolver=0x000000011db27500) at DocumentRuleSets.cpp:96
    frame #14: WebCore`WebCore::StyleResolver::appendAuthorStyleSheets(this=0x000000011db27500, styleSheets=0x00007fff588cac08) at StyleResolver.cpp:284
    frame #15: WebCore`WebCore::Style::Scope::updateStyleResolver(this=0x000000011db36c60, activeStyleSheets=0x00007fff588cad78, updateType=Additive) at StyleScope.cpp:463
    frame #16: WebCore`WebCore::Style::Scope::updateActiveStyleSheets(this=0x000000011db36c60, updateType=ActiveSet) at StyleScope.cpp:415
    frame #17: WebCore`WebCore::Style::Scope::flushPendingSelfUpdate(this=0x000000011db36c60) at StyleScope.cpp:506
    frame #18: WebCore`WebCore::Style::Scope::flushPendingUpdate(this=0x000000011db36c60) at StyleScope.h:172
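The shape of the crash in comment 11 is a re-entrancy hazard: flushPendingUpdate is building the resolver (frames 15 to 18), content-extension CSS injection runs synchronously inside that work (frames 3 and 4), and the nested scheduleUpdate(ContentsOrInterpretation) tears the resolver down while callers further up the stack still hold it. The following is an added illustration written for this page, not WebKit code and not the patch that landed: StyleScope, Resolver and the onRuleAdded hook are hypothetical names modelled on the backtrace, and the "defer while updating" guard is an assumed mitigation of the general pattern. It runs the same scenario once unguarded and once guarded so the difference is observable without dereferencing freed memory.

```cpp
// Added illustration, not WebKit code: a style scope owning a resolver that must
// survive a re-entrant scheduleUpdate() arriving while the resolver is in use
// further up the stack. Names are modelled on the backtrace in comment 11; the
// deferral guard is an assumed mitigation, not the patch that landed.
#include <cstdio>
#include <functional>
#include <memory>
#include <string>
#include <vector>

enum class UpdateType { ActiveSet, ContentsOrInterpretation };

struct Resolver {
    std::vector<std::string> rules;
};

struct ScenarioResult {
    bool resolverSurvived;  // false: resolver destroyed while a flush was using it
    size_t rules;           // rules the resolver holds once the flush finished
};

class StyleScope {
public:
    explicit StyleScope(bool deferReentrantUpdates)
        : m_deferReentrantUpdates(deferReentrantUpdates) {}

    // Fired for every rule added during a flush; stands in for a content
    // extension injecting CSS synchronously (hypothetical hook).
    std::function<void(StyleScope&)> onRuleAdded;

    void scheduleUpdate(UpdateType type) {
        if (type == UpdateType::ContentsOrInterpretation) {
            if (m_deferReentrantUpdates && m_isUpdating) {
                // Guarded path: remember the request and apply it only after
                // the flush that is still using the resolver has unwound.
                m_pendingReentrantUpdate = true;
                return;
            }
            m_resolver.reset();  // unguarded path: resolver destroyed right here
        }
        m_hasPendingUpdate = true;
    }

    // Rebuilds the resolver from `sheets`. Returns false when the resolver was
    // destroyed underneath the loop; real code would keep dereferencing it.
    bool flushPendingUpdate(const std::vector<std::string>& sheets) {
        if (!m_hasPendingUpdate)
            return true;
        m_hasPendingUpdate = false;
        m_isUpdating = true;
        if (!m_resolver)
            m_resolver = std::make_unique<Resolver>();
        Resolver* inUse = m_resolver.get();  // raw pointer held across callbacks
        bool survived = true;
        for (const auto& sheet : sheets) {
            inUse->rules.push_back(sheet);
            if (onRuleAdded)
                onRuleAdded(*this);
            if (m_resolver.get() != inUse) {  // from here on it would be a use-after-free
                survived = false;
                break;
            }
        }
        m_isUpdating = false;
        if (m_pendingReentrantUpdate) {
            m_pendingReentrantUpdate = false;
            scheduleUpdate(UpdateType::ContentsOrInterpretation);  // safe: nothing on the stack uses it
            survived = flushPendingUpdate(sheets) && survived;
        }
        return survived;
    }

    size_t ruleCount() const { return m_resolver ? m_resolver->rules.size() : 0; }

private:
    std::unique_ptr<Resolver> m_resolver;
    bool m_deferReentrantUpdates;
    bool m_isUpdating = false;
    bool m_hasPendingUpdate = false;
    bool m_pendingReentrantUpdate = false;
};

// Replays the comment-11 shape: the first injected rule re-enters
// scheduleUpdate(ContentsOrInterpretation) while the flush is still running.
ScenarioResult runScenario(bool guarded) {
    StyleScope scope(guarded);
    int injections = 0;
    scope.onRuleAdded = [&](StyleScope& s) {
        if (injections++ == 0)
            s.scheduleUpdate(UpdateType::ContentsOrInterpretation);
    };
    // Constructed sample sheets, not the bug's test case.
    const std::vector<std::string> sheets = { "body { color: green }", "div { display: none }" };
    scope.scheduleUpdate(UpdateType::ActiveSet);
    bool survived = scope.flushPendingUpdate(sheets);
    return { survived, scope.ruleCount() };
}

int main() {
    ScenarioResult unguarded = runScenario(false);
    ScenarioResult guarded = runScenario(true);
    std::printf("unguarded: resolver survived=%d rules=%zu\n", unguarded.resolverSurvived, unguarded.rules);
    std::printf("guarded:   resolver survived=%d rules=%zu\n", guarded.resolverSurvived, guarded.rules);
    return 0;
}
```

Unguarded, the nested scheduleUpdate resets the resolver on the first injected rule and the flush is left holding a dangling pointer (here reported as resolverSurvived == false with no rules retained); guarded, the request is parked until the flush returns, then applied and flushed again, ending with both rules in a fresh resolver. The guard only narrows the window; comment 13 makes the broader point that the injection should not run synchronously inside the flush at all.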
Comment 12, Antti Koivisto, 2017-02-22 00:07:26 PST:
Created attachment 302375 [details]: patch
Comment 13, Andreas Kling, 2017-02-22 05:21:20 PST:
Comment on attachment 302375 [details] patch

r=me. This is pretty hacky. Would be good to make content extensions not inject all that CSS synchronously.
Comment 14, WebKit Commit Bot, 2017-02-22 06:47:53 PST:
Comment on attachment 302375 [details] patch

Clearing flags on attachment: 302375

Committed r212828: <http://trac.webkit.org/changeset/212828>
Comment 15, WebKit Commit Bot, 2017-02-22 06:48:00 PST:
All reviewed patches have been landed. Closing bug.