RESOLVED FIXED 202878
[iOS] Crash in WebCore::DOMWindow::incrementScrollEventListenersCount
https://bugs.webkit.org/show_bug.cgi?id=202878
Ryosuke Niwa
Reported 2019-10-11 23:18:09 PDT
e.g.
0 com.apple.WebCore 0x0000000106a24527 WebCore::DOMWindow::incrementScrollEventListenersCount() + 7
1 com.apple.WebCore 0x000000010656fa29 WebCore::Node::addEventListener(WTF::AtomString const&, WTF::Ref<WebCore::EventListener, WTF::DumbPtrTraits<WebCore::EventListener> >&&, WebCore::EventTarget::AddEventListenerOptions const&) + 441
2 com.apple.WebCore 0x000000010654c30a WebCore::EventTarget::setAttributeEventListener(WTF::AtomString const&, WTF::RefPtr<WebCore::EventListener, WTF::DumbPtrTraits<WebCore::EventListener> >&&, WebCore::DOMWrapperWorld&) + 474
3 com.apple.WebCore 0x0000000106277aed WebCore::setEventHandlerAttribute(JSC::ExecState&, JSC::JSObject&, WebCore::EventTarget&, WTF::AtomString const&, JSC::JSValue) + 285
4 com.apple.WebCore 0x0000000105aa948b WebCore::setJSDocumentOnscroll(JSC::ExecState*, long long, long long) + 107
5 JavaScriptCore 0x00000001050cf19f JSC::callCustomSetter(JSC::ExecState*, JSC::JSValue, bool, JSC::JSObject*, JSC::JSValue, JSC::JSValue) + 31
6 JavaScriptCore 0x000000010517f922 JSC::JSObject::putInlineSlow(JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 994
7 JavaScriptCore 0x0000000105170126 JSC::JSObject::put(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 486
8 JavaScriptCore 0x0000000104f3ac4c llint_slow_path_put_by_val + 1772

<rdar://problem/55609133>
Attachments
Fixes the crash (4.53 KB, patch)
2019-10-11 23:40 PDT, Ryosuke Niwa
achristensen: review+
Ryosuke Niwa
Comment 1 2019-10-11 23:40:45 PDT
Created attachment 380820 [details] Fixes the crash
Ryosuke Niwa
Comment 2 2019-10-12 23:26:21 PDT
Darin Adler
Comment 3 2019-10-15 10:34:08 PDT
Comment on attachment 380820 [details]
Fixes the crash

View in context: https://bugs.webkit.org/attachment.cgi?id=380820&action=review

> Source/WebCore/dom/Node.cpp:2119
> + targetNode->document().domWindow()->incrementScrollEventListenersCount();

Should use window-> here.
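Review bot: on the added line at Source/WebCore/dom/Node.cpp:2119, the pointer returned by domWindow() is dereferenced in the same expression with no null check on that line, and the reported stack faults inside DOMWindow::incrementScrollEventListenersCount() called from Node::addEventListener. Fetch the window once into a local, test it, and make the call through that same local, so the check and the dereference cannot refer to two separate domWindow() lookups.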
Ryosuke Niwa
Comment 4 2019-10-15 15:54:23 PDT
Ryosuke Niwa
Comment 5 2019-10-15 16:37:01 PDT
(In reply to Darin Adler from comment #3)
> Comment on attachment 380820 [details]
> Fixes the crash
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=380820&action=review
>
> > Source/WebCore/dom/Node.cpp:2119
> > + targetNode->document().domWindow()->incrementScrollEventListenersCount();
>
> Should use window-> here.

Oops, not sure what happened there. Fixed that.