WebKit Bugzilla
Bug 200319 - Crash under RuleSet::hasShadowPseudoElementRules() during class change style invalidation
https://bugs.webkit.org/show_bug.cgi?id=200319
Status: RESOLVED DUPLICATE of bug 200919
Reported by Chris Dumez, 2019-07-31 14:45:36 PDT
Crash under RuleSet::hasShadowPseudoElementRules():

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000070
Exception Note:        EXC_CORPSE_NOTIFY
Termination Signal:    Segmentation fault: 11
Termination Reason:    Namespace SIGNAL, Code 0xb
Terminating Process:   exc handler [73259]

VM Regions Near 0x70:
--> __TEXT 00000001089e3000-00000001089e4000 [ 4K] r-x/rwx SM=COW /Applications/Safari Technology Preview.app/Contents/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent

Application Specific Information:
Bundle controller class: BrowserBundleController

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             0x0000000568eb6cb6 WebCore::RuleSet::hasShadowPseudoElementRules() const + 6
1   com.apple.WebCore             0x000000056979fa3d WebCore::Style::ClassChangeInvalidation::invalidateStyleWithRuleSets() + 77
2   com.apple.WebCore             0x000000056806a511 WebCore::Element::classAttributeChanged(WTF::AtomicString const&) + 337
3   com.apple.WebCore             0x0000000568fb7ead WebCore::Element::attributeChanged(WebCore::QualifiedName const&, WTF::AtomicString const&, WTF::AtomicString const&, WebCore::Element::AttributeModificationReason) + 301
4   com.apple.WebCore             0x000000056809050e WebCore::Element::setAttributeInternal(unsigned int, WebCore::QualifiedName const&, WTF::AtomicString const&, WebCore::Element::SynchronizationOfLazyAttribute) + 622
5   com.apple.WebCore             0x00000005690d7d0d WebCore::DOMTokenList::updateAssociatedAttributeFromTokens() + 349
6   com.apple.WebCore             0x00000005690d76ab WebCore::DOMTokenList::addInternal(WTF::String const*, unsigned long) + 443
7   com.apple.WebCore             0x00000005690d74d7 WebCore::DOMTokenList::add(WTF::Vector<WTF::String, 0ul, WTF::CrashOnOverflow, 16ul> const&) + 23
8   com.apple.WebCore             0x000000056811315b WebCore::jsDOMTokenListPrototypeFunctionAdd(JSC::ExecState*) + 251
9   ???                           0x0000286b9620116b 0 + 44442545295723
10  ???                           0x0000286b96945e19 0 + 44442552917529
11  ???                           0x0000286b969dbf78 0 + 44442553532280
12  ???                           0x0000286b96731b0f 0 + 44442550737679
13  com.apple.JavaScriptCore      0x000000056b94f9e5 llint_entry + 92972
14  ???                           0x0000286b969bf8a2 0 + 44442553415842
15  ???                           0x0000286b969cb701 0 + 44442553464577
16  ???                           0x0000286b967a17df 0 + 44442551195615
17  com.apple.JavaScriptCore      0x000000056b938d0f vmEntryToJavaScript + 200
18  com.apple.JavaScriptCore      0x000000056b5a1bcf JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 415
19  com.apple.JavaScriptCore      0x000000056c0e212b JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 187
20  com.apple.WebCore             0x0000000568d55e94 WebCore::JSExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 100
21  com.apple.WebCore             0x0000000568d55de0 WebCore::JSCallbackData::invokeCallback(WebCore::JSDOMGlobalObject&, JSC::JSObject*, JSC::JSValue, JSC::MarkedArgumentBuffer&, WebCore::JSCallbackData::CallbackType, JSC::PropertyName, WTF::NakedPtr<JSC::Exception>&) + 368
22  com.apple.WebCore             0x00000005681b46f3 WebCore::JSRequestAnimationFrameCallback::handleEvent(double) + 467
23  com.apple.WebCore             0x0000000569005a8b WebCore::ScriptedAnimationController::serviceRequestAnimationFrameCallbacks(double) + 539
24  com.apple.WebCore             0x00000005693b6a89 WebCore::Page::updateRendering() + 281
25  com.apple.WebKit              0x0000000108d9ffd7 WebKit::TiledCoreAnimationDrawingArea::flushLayers(WebKit::TiledCoreAnimationDrawingArea::FlushType) + 63
26  com.apple.CoreFoundation      0x00007fff50216928 __CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__ + 23
Attachments:
  Patch (10.63 KB, patch), 2019-07-31 15:02 PDT, Chris Dumez, no flags (1 obsolete attachment not shown)
Chris Dumez, Comment 1, 2019-07-31 14:45:51 PDT
<rdar://problem/53413013>
Chris Dumez, Comment 2, 2019-07-31 15:02:13 PDT
Created attachment 375256 [details]
Patch
Ryosuke Niwa, Comment 3, 2019-07-31 15:04:14 PDT
Comment on attachment 375256 [details]: Patch

Hm... I think this code is pretty perf sensitive. An extra heap allocation for each InvalidationRuleSet could be expensive?
Chris Dumez, Comment 4, 2019-07-31 15:11:57 PDT
(In reply to Ryosuke Niwa from comment #3)
> Comment on attachment 375256 [details]
> Patch
>
> Hm... I think this code is pretty perf sensitive. An extra heap allocation
> for each InvalidationRuleSet could be expensive?

This is a risk, yes. One alternative would be to update m_invalidationRuleSets to be a Vector<std::pair<RuleSet*, MatchElement>> instead of a Vector<InvalidationRuleSet*>. Or a struct { RuleSet* ruleSet; MatchElement matchElement; } instead of a std::pair.
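The allocation trade-off raised in comments 3 and 4, as an added illustration that is not part of this bug, the patch, or WebKit's code: it counts heap allocations while filling a vector of owning pointers (one heap object per InvalidationRuleSet, the shape the review flags) against a vector of the plain { RuleSet*, MatchElement } struct Chris suggests stored by value. RuleSet, MatchElement, InvalidationRuleSet, InlineEntry, the allocation counter and the sample data are all stand-ins constructed for the example; the null guard in the lookup loop is illustrative and is not claimed to be the fix for this crash, which the thread never identifies.

```cpp
#include <cstddef>
#include <cstdlib>
#include <memory>
#include <new>
#include <vector>

// Hypothetical stand-ins for the WebCore types named in the thread; these
// are not WebKit's definitions and carry none of its real state.
struct RuleSet {
    bool m_hasShadowPseudoElementRules = false;
    bool hasShadowPseudoElementRules() const { return m_hasShadowPseudoElementRules; }
};
enum class MatchElement { Subject, Parent, Ancestor };

// Count every heap allocation so the per-entry cost of each layout is visible.
static std::size_t g_allocations = 0;
void* operator new(std::size_t n) {
    ++g_allocations;
    if (void* p = std::malloc(n ? n : 1)) return p;
    throw std::bad_alloc();
}
void operator delete(void* p) noexcept { std::free(p); }
void operator delete(void* p, std::size_t) noexcept { std::free(p); }

// Layout A: each InvalidationRuleSet lives in its own heap object, so the
// vector holds owning pointers. This is the shape Ryosuke's comment flags.
struct InvalidationRuleSet {
    RuleSet* ruleSet;
    MatchElement matchElement;
};
using HeapEntries = std::vector<std::unique_ptr<InvalidationRuleSet>>;

// Layout B: the struct Chris suggests instead of std::pair, stored by value,
// so the vector's backing store is the only heap allocation.
struct InlineEntry {
    RuleSet* ruleSet;
    MatchElement matchElement;
};
using InlineEntries = std::vector<InlineEntry>;

static RuleSet g_sampleRuleSet;  // constructed sample input shared by both layouts

// Allocations performed while appending `count` entries, excluding the
// vector's own backing store (reserved before counting starts).
std::size_t allocationsForHeapLayout(std::size_t count) {
    HeapEntries entries;
    entries.reserve(count);
    std::size_t before = g_allocations;
    for (std::size_t i = 0; i < count; ++i)
        entries.push_back(std::make_unique<InvalidationRuleSet>(
            InvalidationRuleSet{&g_sampleRuleSet, MatchElement::Subject}));
    return g_allocations - before;  // one allocation per entry
}

std::size_t allocationsForInlineLayout(std::size_t count) {
    InlineEntries entries;
    entries.reserve(count);
    std::size_t before = g_allocations;
    for (std::size_t i = 0; i < count; ++i)
        entries.push_back(InlineEntry{&g_sampleRuleSet, MatchElement::Subject});
    return g_allocations - before;  // zero: entries are stored in place
}

// A loop of the kind a caller would need to make the call seen in frame 0,
// with a null guard. A fault address of 0x70 is the pattern of a member read
// through a null pointer; the guard is illustrative, not the fix for this bug.
bool anyShadowPseudoElementRules(const InlineEntries& entries) {
    for (const InlineEntry& entry : entries) {
        if (entry.ruleSet && entry.ruleSet->hasShadowPseudoElementRules())
            return true;
    }
    return false;
}

// Exercises the guard on a constructed mix of a null and a populated entry.
bool nullEntryIsSkipped() {
    RuleSet withRules;
    withRules.m_hasShadowPseudoElementRules = true;
    InlineEntries entries{
        InlineEntry{nullptr, MatchElement::Parent},
        InlineEntry{&withRules, MatchElement::Subject},
    };
    return anyShadowPseudoElementRules(entries);
}
```

The by-value layout also keeps the entries contiguous, so an invalidation loop over them touches one cache-friendly block instead of chasing a pointer per rule set; whether that matters for style invalidation is the perf question the review leaves open.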
Chris Dumez, Comment 5, 2019-07-31 15:22:29 PDT
Comment on attachment 375256 [details]: Patch

I think my theory is wrong.
youenn fablet, Comment 6, 2019-08-22 11:03:03 PDT
*** This bug has been marked as a duplicate of bug 200919 ***