Bug 193253 - CRASH: WebCore::IntersectionObserver::notify while debugging
Summary: CRASH: WebCore::IntersectionObserver::notify while debugging
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2019-01-08 13:15 PST by Joseph Pecoraro
Modified: 2019-01-11 11:32 PST
CC List: 4 users

See Also:


Description Joseph Pecoraro 2019-01-08 13:15:30 PST
I was debugging Web Inspector (which was using IntersectionObservers) and soon after saw this crash.

WebKit @ r239704 with this patch <https://bugs.webkit.org/attachment.cgi?id=358179>.

Notes:
- I was pausing and continuing inside of an IntersectionObserver callback, not sure if that was related

Crash:
Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0xffffffff00000297
Exception Note:        EXC_CORPSE_NOTIFY

Termination Signal:    Segmentation fault: 11
Termination Reason:    Namespace SIGNAL, Code 0xb
Terminating Process:   exc handler [1715]    

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x00000001095e557f WebCore::IntersectionObserver::notify() + 15 (Vector.h:694)
1   com.apple.WebCore             	0x0000000109127a37 WebCore::Document::notifyIntersectionObserversTimerFired() + 71 (Document.cpp:7926)
2   com.apple.WebCore             	0x0000000109691b40 WebCore::ThreadTimers::sharedTimerFiredInternal() + 176 (ThreadTimers.cpp:120)
3   com.apple.WebCore             	0x00000001096b347f WebCore::timerFired(__CFRunLoopTimer*, void*) + 31 (MainThreadSharedTimerCF.cpp:75)
4   com.apple.CoreFoundation      	0x00007fff488b20d0 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
5   com.apple.CoreFoundation      	0x00007fff488b1c7c __CFRunLoopDoTimer + 851
6   com.apple.CoreFoundation      	0x00007fff488b17c2 __CFRunLoopDoTimers + 330
7   com.apple.CoreFoundation      	0x00007fff488929be __CFRunLoopRun + 2130
8   com.apple.CoreFoundation      	0x00007fff48891f1a CFRunLoopRunSpecific + 455
9   com.apple.Foundation          	0x00007fff4abbbc2f -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 280
10  com.apple.Foundation          	0x00007fff4abbbb04 -[NSRunLoop(NSRunLoop) run] + 76
11  libxpc.dylib                  	0x00007fff751f91e3 _xpc_objc_main + 552
12  libxpc.dylib                  	0x00007fff751f8ce5 xpc_main + 433
13  com.apple.WebKit.WebContent   	0x0000000106fff6e2 WebKit::XPCServiceMain(int, char const**) + 547
14  com.apple.WebKit.WebContent   	0x0000000106fff867 main + 9 (XPCServiceMain.mm:46)
15  libdyld.dylib                 	0x00007fff74fc43ed start + 1
Comment 1 Joseph Pecoraro 2019-01-08 13:15:51 PST
<rdar://problem/47105185>
Comment 2 Ali Juma 2019-01-09 13:07:10 PST
The crash stack is a bit strange: Document::notifyIntersectionObserversTimerFired accesses IntersectionObservers using WeakPtrs, and null-checks before calling IntersectionObserver::notify, and yet we're crashing on the first line of IntersectionObserver::notify when calling m_queuedEntries.isEmpty(). This makes it seem like something is corrupting the contents of Document::m_intersectionObserversWithPendingNotifications so that it has bogus WeakPtrs.
Comment 3 Joseph Pecoraro 2019-01-11 11:32:06 PST
I wasn't able to reproduce this throughout the week.

Perhaps this was specific to the fact that I was paused inside of IntersectionObservers. Pausing runs a nested runloop, which allows some events to happen, potentially deleting objects, before continuing, and running again inside of a handler.
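The reentrancy hazard Comment 3 describes (a nested run loop deleting objects while an outer loop is still walking a pending-notification list) can be reproduced safely in a small model. The following is an added example, not WebKit's code and not part of this bug report: the Observer and Document types are hypothetical, WebKit's WeakPtr is modelled with std::weak_ptr, and the nested run loop is a constructed queue of events. It shows the two defensive properties a notification loop needs: take the pending list out of the document before iterating, so a callback cannot reallocate the vector under the iterator, and lock each weak reference so the observer stays alive for the whole callback even if the callback deletes it.

```cpp
#include <algorithm>
#include <functional>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Hypothetical stand-in for an IntersectionObserver-like object; not WebKit's class.
struct Observer {
    std::string name;
    int notifyCount = 0;
    // Callback run on notification; in the scenarios below it re-enters the "run loop".
    std::function<void()> onNotify;

    void notify() {
        ++notifyCount;
        if (onNotify)
            onNotify();
    }
};

// Hypothetical document: sole owner of its observers, plus a non-owning
// pending-notification list (std::weak_ptr here; WebKit uses its own WeakPtr).
struct Document {
    std::vector<std::shared_ptr<Observer>> observers;
    std::vector<std::weak_ptr<Observer>> pendingNotifications;
    // Constructed: work a nested run loop would drain while the debugger is paused.
    std::vector<std::function<void()>> nestedRunLoopEvents;

    void destroyObserver(const std::string& name) {
        observers.erase(
            std::remove_if(observers.begin(), observers.end(),
                           [&](const std::shared_ptr<Observer>& o) { return o->name == name; }),
            observers.end());
    }

    // Simulates pausing in the debugger: a nested run loop runs queued events,
    // which may delete objects the outer notification loop is still holding.
    void runNestedRunLoop() {
        auto events = std::move(nestedRunLoopEvents);
        nestedRunLoopEvents.clear();
        for (auto& event : events)
            event();
    }

    // Returns {notified, skippedBecauseDead}.
    std::pair<int, int> notifyIntersectionObservers() {
        // Take the list first: a callback may queue new notifications, which would
        // otherwise reallocate the vector we are iterating.
        auto pending = std::move(pendingNotifications);
        pendingNotifications.clear();

        int notified = 0, skipped = 0;
        for (auto& weak : pending) {
            // lock() both null-checks and keeps the observer alive for the
            // duration of the callback, even if the callback deletes it.
            if (auto observer = weak.lock()) {
                observer->notify();
                ++notified;
            } else {
                ++skipped;
            }
        }
        return {notified, skipped};
    }
};

// Builds a document with observers "a" and "b", both pending, and a nested
// run-loop event that destroys `victim` while "a" is being notified.
std::pair<int, int> runScenario(const std::string& victim) {
    Document doc;
    auto a = std::make_shared<Observer>();
    a->name = "a";
    auto b = std::make_shared<Observer>();
    b->name = "b";
    doc.observers = {a, b};
    doc.pendingNotifications = {a, b};
    doc.nestedRunLoopEvents.push_back([&doc, victim] { doc.destroyObserver(victim); });
    a->onNotify = [&doc] { doc.runNestedRunLoop(); };
    a.reset();
    b.reset(); // the document is now the only strong owner
    return doc.notifyIntersectionObservers();
}

// "b" is deleted while "a" is notified: b's entry is dead and is skipped.
std::pair<int, int> deletedSiblingScenario() { return runScenario("b"); }

// "a" is deleted from inside its own callback: the lock held by the loop keeps
// it alive until the callback returns, and "b" is still notified afterwards.
std::pair<int, int> selfDeletingScenario() { return runScenario("a"); }
```

With raw pointers in place of the weak references, or with the loop iterating the document's own vector, the first scenario would dereference freed memory and the second would run a callback on an object being destroyed; the weak reference plus lock-for-the-callback pattern turns both into a skipped or safely completed notification.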