Bug 168655 - REGRESSION(r207669): Crash after mutating selector text
Summary: REGRESSION(r207669): Crash after mutating selector text
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: CSS (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on: 163721
Blocks:
Reported: 2017-02-21 08:28 PST by Antti Koivisto
Modified: 2017-02-22 06:48 PST (History)
CC List: 6 users

See Also:


Attachments
patch (3.19 KB, patch), 2017-02-21 08:35 PST, Antti Koivisto, bfulgham: review+
for landing (3.13 KB, patch), 2017-02-21 10:14 PST, Antti Koivisto, commit-queue: commit-queue-
for landing (3.12 KB, patch), 2017-02-21 11:06 PST, Antti Koivisto, no flags
patch (4.84 KB, patch), 2017-02-22 00:07 PST, Antti Koivisto, no flags

Description Antti Koivisto 2017-02-21 08:28:55 PST
<style id=s>
body[foo] [id=d] { color: green };
</style>
<body>
<div id=d>PASS</div>
<script>
d.offsetLeft;
s.sheet.cssRules.item(0).selectorText = "body[foo]";
document.body.setAttribute("foo", "foo");
</script>
Comment 1 Radar WebKit Bug Importer 2017-02-21 08:29:41 PST
<rdar://problem/30632111>
Comment 2 Antti Koivisto 2017-02-21 08:35:22 PST
Created attachment 302265 [details]
patch
Comment 3 Brent Fulgham 2017-02-21 09:20:45 PST
Comment on attachment 302265 [details]
patch

Looks good. r=me
Comment 4 Antti Koivisto 2017-02-21 10:14:11 PST
Created attachment 302278 [details]
for landing
Comment 5 WebKit Commit Bot 2017-02-21 10:55:31 PST
Comment on attachment 302278 [details]
for landing

Rejecting attachment 302278 [details] from commit-queue.

Failed to run "['/Volumes/Data/EWS/WebKit/Tools/Scripts/webkit-patch', '--status-host=webkit-queues.webkit.org', '--bot-id=webkit-cq-01', 'validate-changelog', '--check-oops', '--non-interactive', 302278, '--port=mac']" exit_code: 1 cwd: /Volumes/Data/EWS/WebKit

ChangeLog entry in LayoutTests/ChangeLog contains OOPS!.

Full output: http://webkit-queues.webkit.org/results/3167051
Comment 6 Antti Koivisto 2017-02-21 11:06:15 PST
Created attachment 302285 [details]
for landing
Comment 7 WebKit Commit Bot 2017-02-21 12:08:34 PST
Comment on attachment 302285 [details]
for landing

Clearing flags on attachment: 302285

Committed r212737: <http://trac.webkit.org/changeset/212737>
Comment 8 WebKit Commit Bot 2017-02-21 12:08:40 PST
All reviewed patches have been landed.  Closing bug.
Comment 9 Ryan Haddad 2017-02-21 18:01:45 PST
Reverted r212737 for reason:

This change caused an existing LayoutTest to crash.

Committed r212788: <http://trac.webkit.org/changeset/212788>
Comment 10 Ryan Haddad 2017-02-21 18:02:19 PST
(In reply to comment #9)
> Reverted r212737 for reason:
> 
> This change caused an existing LayoutTest to crash.
> 
> Committed r212788: <http://trac.webkit.org/changeset/212788>

https://build.webkit.org/results/Apple%20Sierra%20Release%20WK2%20(Tests)/r212777%20(3782)/results.html
Comment 11 Antti Koivisto 2017-02-21 23:41:02 PST
Looks like extension stylesheets may trigger a synchronous call to Style::Scope::scheduleUpdate from flushPendingUpdate, deleting the resolver.

(lldb) bt 20
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xbbadbeef)
  * frame #0: JavaScriptCore`::WTFCrash() at Assertions.cpp:323
    frame #1: WebCore`WebCore::Style::Scope::scheduleUpdate(this=0x000000011db36c60, update=ContentsOrInterpretation) at StyleScope.cpp:526
    frame #2: WebCore`WebCore::Style::Scope::didChangeStyleSheetEnvironment(this=0x000000011db36c60) at StyleScope.cpp:560
    frame #3: WebCore`WebCore::ExtensionStyleSheets::addDisplayNoneSelector(this=0x000000011dbdc540, identifier=0x000000011dab5900, selector=0x000000011dab5910, selectorID=15) at ExtensionStyleSheets.cpp:181
    frame #4: WebCore`WebCore::ContentExtensions::ContentExtensionsBackend::processContentExtensionRulesForLoad(this=0x000000011dbb70f0, url=0x00007fff588c9fc0, resourceType=Font, initiatingDocumentLoader=0x000000011db20000) at ContentExtensionsBackend.cpp:186
    frame #5: WebCore`WebCore::UserContentProvider::processContentExtensionRulesForLoad(this=0x000000011dbb7000, url=0x00007fff588c9fc0, resourceType=Font, initiatingDocumentLoader=0x000000011db20000) at UserContentProvider.cpp:108
    frame #6: WebCore`WebCore::CachedResourceLoader::requestResource(this=0x000000011db36b40, type=FontResource, request=0x00007fff588c9fc0, forPreload=No, defer=NoDefer) at CachedResourceLoader.cpp:692
    frame #7: WebCore`WebCore::CachedResourceLoader::requestFont(this=0x000000011db36b40, request=0x00007fff588c9fc0, isSVG=false) at CachedResourceLoader.cpp:204
    frame #8: WebCore`WebCore::CSSFontFaceSrcValue::cachedFont(this=0x000000011dac2508, document=0x0000000120df4000, isSVG=false, isInitiatingElementInUserAgentShadowTree=false) at CSSFontFaceSrcValue.cpp:105
    frame #9: WebCore`WebCore::CSSFontFace::appendSources(fontFace=0x000000011db6a7e0, srcList=0x000000011daac280, document=0x0000000120df4000, isInitiatingElementInUserAgentShadowTree=false) at CSSFontFace.cpp:79
    frame #10: WebCore`WebCore::CSSFontSelector::addFontFaceRule(this=0x000000011db6a540, fontFaceRule=0x000000011daae0c0, isInitiatingElementInUserAgentShadowTree=false) at CSSFontSelector.cpp:202
    frame #11: WebCore`WebCore::RuleSet::addChildRules(this=0x000000011db5f800, rules=0x000000011db8b328, medium=0x000000011db27790, resolver=0x000000011db27500, hasDocumentSecurityOrigin=true, isInitiatingElementInUserAgentShadowTree=false, addRuleFlags=RuleHasDocumentSecurityOrigin) at RuleSet.cpp:388
    frame #12: WebCore`WebCore::RuleSet::addRulesFromSheet(this=0x000000011db5f800, sheet=0x000000011db8b2e8, medium=0x000000011db27790, resolver=0x000000011db27500) at RuleSet.cpp:420
    frame #13: WebCore`WebCore::DocumentRuleSets::appendAuthorStyleSheets(this=0x000000011db27500, styleSheets=0x00007fff588cac08, medium=0x000000011db27790, inspectorCSSOMWrappers=0x000000011db277f8, resolver=0x000000011db27500) at DocumentRuleSets.cpp:96
    frame #14: WebCore`WebCore::StyleResolver::appendAuthorStyleSheets(this=0x000000011db27500, styleSheets=0x00007fff588cac08) at StyleResolver.cpp:284
    frame #15: WebCore`WebCore::Style::Scope::updateStyleResolver(this=0x000000011db36c60, activeStyleSheets=0x00007fff588cad78, updateType=Additive) at StyleScope.cpp:463
    frame #16: WebCore`WebCore::Style::Scope::updateActiveStyleSheets(this=0x000000011db36c60, updateType=ActiveSet) at StyleScope.cpp:415
    frame #17: WebCore`WebCore::Style::Scope::flushPendingSelfUpdate(this=0x000000011db36c60) at StyleScope.cpp:506
    frame #18: WebCore`WebCore::Style::Scope::flushPendingUpdate(this=0x000000011db36c60) at StyleScope.h:172
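The backtrace in comment 11 has a classic re-entrancy shape: flushPendingUpdate rebuilds the style resolver, and deep inside that rebuild (font request, content-extension rule processing, addDisplayNoneSelector, didChangeStyleSheetEnvironment) scheduleUpdate runs synchronously and throws the resolver away while the outer frames still hold a pointer to it. The C++ model below is an added illustration and is not WebKit code, nor the patch that landed as r212828 (which is not shown on this page). The class and member names (StyleScope, Resolver, onSheetAppended, runScenario) and the "defer the re-entrant request until the rebuild finishes" guard are assumptions made for the illustration; the guard is one generic mitigation for this pattern, not a description of Antti's fix.

```cpp
#include <functional>
#include <memory>

// Hypothetical model of the re-entrancy seen in the backtrace (added illustration,
// not WebKit code). A scope rebuilds its resolver in flushPendingUpdate(); a hook that
// runs synchronously during the rebuild (standing in for the content-extension path
// addDisplayNoneSelector -> didChangeStyleSheetEnvironment) calls scheduleUpdate(),
// which drops the resolver the rebuild is still using.

enum class Outcome { Ok, ResolverDestroyedMidUpdate };

struct Resolver {
    int sheetsAppended = 0;
};

class StyleScope {
public:
    explicit StyleScope(bool deferReentrantUpdates)
        : m_deferReentrantUpdates(deferReentrantUpdates) {}

    // Hook invoked while sheets are appended (models the synchronous CSS injection).
    std::function<void(StyleScope&)> onSheetAppended;

    // Models scheduleUpdate(ContentsOrInterpretation): the resolver is discarded so the
    // next flush rebuilds it.
    void scheduleUpdate() {
        if (m_deferReentrantUpdates && m_isUpdating) {
            // Guarded variant: remember the request and apply it once the rebuild is done.
            m_updateRequestedDuringFlush = true;
            return;
        }
        m_resolver.reset();   // unguarded variant: destroys the resolver even mid-rebuild
        m_hasPendingUpdate = true;
    }

    // Models flushPendingUpdate() -> updateStyleResolver() -> appendAuthorStyleSheets().
    Outcome flushPendingUpdate() {
        if (!m_hasPendingUpdate)
            return Outcome::Ok;
        m_hasPendingUpdate = false;
        m_isUpdating = true;

        m_resolver = std::make_unique<Resolver>();
        Resolver* building = m_resolver.get();   // raw pointer held across the hook, as in the real call chain

        if (onSheetAppended)
            onSheetAppended(*this);              // may re-enter scheduleUpdate()

        m_isUpdating = false;
        if (m_resolver.get() != building)
            return Outcome::ResolverDestroyedMidUpdate;  // the real code would now touch freed memory
        building->sheetsAppended++;

        if (m_updateRequestedDuringFlush) {
            m_updateRequestedDuringFlush = false;
            scheduleUpdate();                    // deferred request is honoured after the rebuild
        }
        return Outcome::Ok;
    }

    bool hasPendingUpdate() const { return m_hasPendingUpdate; }
    bool hasResolver() const { return m_resolver != nullptr; }

private:
    bool m_deferReentrantUpdates;
    bool m_isUpdating = false;
    bool m_hasPendingUpdate = false;
    bool m_updateRequestedDuringFlush = false;
    std::unique_ptr<Resolver> m_resolver;
};

// Runs the scenario from the backtrace: an update is pending (the selectorText mutation),
// the flush rebuilds the resolver, and the injected hook schedules another update from
// inside the rebuild. Returns what happened to the resolver the flush was building.
Outcome runScenario(bool deferReentrantUpdates) {
    StyleScope scope(deferReentrantUpdates);
    scope.onSheetAppended = [](StyleScope& s) { s.scheduleUpdate(); };
    scope.scheduleUpdate();
    return scope.flushPendingUpdate();
}

// With the guard, the deferred request is still pending after the flush, so the next
// flush picks it up instead of it being lost or applied mid-rebuild.
bool deferredRequestSurvives() {
    StyleScope scope(true);
    scope.onSheetAppended = [](StyleScope& s) { s.scheduleUpdate(); };
    scope.scheduleUpdate();
    scope.flushPendingUpdate();
    return scope.hasPendingUpdate() && !scope.hasResolver();
}
```

The model checks pointer identity after the hook instead of dereferencing, because a real use-after-free has no safe observable; in the unguarded configuration runScenario reports ResolverDestroyedMidUpdate, which is the condition the WTFCrash in frame #0 guards against. The point Kling raises in comment 13 maps onto the hook: if the injection ran asynchronously rather than inside the rebuild, the guard would not be needed at all.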
Comment 12 Antti Koivisto 2017-02-22 00:07:26 PST
Created attachment 302375 [details]
patch
Comment 13 Andreas Kling 2017-02-22 05:21:20 PST
Comment on attachment 302375 [details]
patch

r=me. This is pretty hacky. Would be good to make content extensions not inject all that CSS synchronously.
Comment 14 WebKit Commit Bot 2017-02-22 06:47:53 PST
Comment on attachment 302375 [details]
patch

Clearing flags on attachment: 302375

Committed r212828: <http://trac.webkit.org/changeset/212828>
Comment 15 WebKit Commit Bot 2017-02-22 06:48:00 PST
All reviewed patches have been landed.  Closing bug.