Bug 202878 - [iOS] Crash in WebCore::DOMWindow::incrementScrollEventListenersCount
Summary: [iOS] Crash in WebCore::DOMWindow::incrementScrollEventListenersCount
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Ryosuke Niwa
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2019-10-11 23:18 PDT by Ryosuke Niwa
Modified: 2019-10-15 16:37 PDT
CC List: 9 users

See Also:


Attachments
Fixes the crash (4.53 KB, patch)
2019-10-11 23:40 PDT, Ryosuke Niwa
achristensen: review+

Description Ryosuke Niwa 2019-10-11 23:18:09 PDT
e.g.
0   com.apple.WebCore             	0x0000000106a24527 WebCore::DOMWindow::incrementScrollEventListenersCount() + 7
1   com.apple.WebCore             	0x000000010656fa29 WebCore::Node::addEventListener(WTF::AtomString const&, WTF::Ref<WebCore::EventListener, WTF::DumbPtrTraits<WebCore::EventListener> >&&, WebCore::EventTarget::AddEventListenerOptions const&) + 441
2   com.apple.WebCore             	0x000000010654c30a WebCore::EventTarget::setAttributeEventListener(WTF::AtomString const&, WTF::RefPtr<WebCore::EventListener, WTF::DumbPtrTraits<WebCore::EventListener> >&&, WebCore::DOMWrapperWorld&) + 474
3   com.apple.WebCore             	0x0000000106277aed WebCore::setEventHandlerAttribute(JSC::ExecState&, JSC::JSObject&, WebCore::EventTarget&, WTF::AtomString const&, JSC::JSValue) + 285
4   com.apple.WebCore             	0x0000000105aa948b WebCore::setJSDocumentOnscroll(JSC::ExecState*, long long, long long) + 107
5   JavaScriptCore                	0x00000001050cf19f JSC::callCustomSetter(JSC::ExecState*, JSC::JSValue, bool, JSC::JSObject*, JSC::JSValue, JSC::JSValue) + 31
6   JavaScriptCore                	0x000000010517f922 JSC::JSObject::putInlineSlow(JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 994
7   JavaScriptCore                	0x0000000105170126 JSC::JSObject::put(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 486
8   JavaScriptCore                	0x0000000104f3ac4c llint_slow_path_put_by_val + 1772

<rdar://problem/55609133>
Comment 1 Ryosuke Niwa 2019-10-11 23:40:45 PDT
Created attachment 380820 [details]
Fixes the crash
Comment 2 Ryosuke Niwa 2019-10-12 23:26:21 PDT
Committed r251057: <https://trac.webkit.org/changeset/251057>
Comment 3 Darin Adler 2019-10-15 10:34:08 PDT
Comment on attachment 380820 [details]
Fixes the crash

View in context: https://bugs.webkit.org/attachment.cgi?id=380820&action=review

> Source/WebCore/dom/Node.cpp:2119
> +            targetNode->document().domWindow()->incrementScrollEventListenersCount();
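Review bot: this line dereferences a fresh `targetNode->document().domWindow()` result instead of the `window` local that the surrounding patch already tested, so the null check covers a different value than the one used; dereference the checked pointer (`window->incrementScrollEventListenersCount()`) so the test and the use are paired, otherwise the crash in frame 0 of the reported trace (`incrementScrollEventListenersCount() + 7`, i.e. the first instructions of the method) stays reachable whenever `domWindow()` returns null.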

Should use window-> here.
Comment 4 Ryosuke Niwa 2019-10-15 15:54:23 PDT
Committed r251165: <https://trac.webkit.org/changeset/251165>
Comment 5 Ryosuke Niwa 2019-10-15 16:37:01 PDT
(In reply to Darin Adler from comment #3)
> Comment on attachment 380820 [details]
> Fixes the crash
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=380820&action=review
> 
> > Source/WebCore/dom/Node.cpp:2119
> > +            targetNode->document().domWindow()->incrementScrollEventListenersCount();
> 
> Should use window-> here.

Oops, not sure what happened there. Fixed that.
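The review point in comment 3, as an added illustration that is not WebKit code: the types below are hypothetical stand-ins for WebCore::DOMWindow, WebCore::Document and WebCore::Node, reduced to the one counter involved, and the accessor counts its own reads so the difference between the as-reviewed line and the corrected one is observable without crashing.

```cpp
#include <cassert>
#include <memory>

// Hypothetical stand-in for WebCore::DOMWindow: only the counter matters here.
struct DOMWindow {
    unsigned scrollEventListenerCount = 0;
    void incrementScrollEventListenersCount() { ++scrollEventListenerCount; }
};

// Hypothetical stand-in for WebCore::Document. A document may have no window,
// in which case domWindow() returns null; the read counter records how many
// times callers consulted the accessor.
struct Document {
    std::unique_ptr<DOMWindow> window;
    unsigned domWindowCalls = 0;
    DOMWindow* domWindow() { ++domWindowCalls; return window.get(); }
};

// Hypothetical stand-in for WebCore::Node.
struct Node {
    Document& doc;
    Document& document() { return doc; }
};

// Shape of the line flagged in review: `window` is tested, but the accessor is
// read a second time and that second, untested result is dereferenced. In this
// model the second read returns the same pointer, so the function is only ever
// called on a document that has a window; with a null second result the real
// code would crash. Returns true when the count was incremented.
bool addScrollEventListenerAsReviewed(Node& targetNode)
{
    DOMWindow* window = targetNode.document().domWindow();
    if (!window)
        return false;
    targetNode.document().domWindow()->incrementScrollEventListenersCount();
    return true;
}

// Corrected shape: fetch once, test that pointer, dereference only that pointer.
// A windowless document is declined instead of dereferenced.
bool addScrollEventListener(Node& targetNode)
{
    DOMWindow* window = targetNode.document().domWindow();
    if (!window)
        return false;
    window->incrementScrollEventListenersCount();
    return true;
}

// What the two shapes do, gathered for inspection.
struct Result {
    unsigned fixedCount;             // listeners counted by the corrected version
    unsigned fixedAccessorReads;     // domWindow() reads by the corrected version
    unsigned reviewedAccessorReads;  // domWindow() reads by the as-reviewed version
    bool windowlessRejected;         // corrected version declined a windowless document
};

Result demo()
{
    Document withWindowA;
    withWindowA.window = std::make_unique<DOMWindow>();
    Node attachedA { withWindowA };

    Document withWindowB;
    withWindowB.window = std::make_unique<DOMWindow>();
    Node attachedB { withWindowB };

    Document windowless;   // window stays null: a document with no browsing context
    Node detached { windowless };

    Result result {};
    addScrollEventListener(attachedA);
    result.fixedCount = withWindowA.window->scrollEventListenerCount;
    result.fixedAccessorReads = withWindowA.domWindowCalls;          // 1: checked and used
    addScrollEventListenerAsReviewed(attachedB);
    result.reviewedAccessorReads = withWindowB.domWindowCalls;       // 2: the second read is unchecked
    result.windowlessRejected = !addScrollEventListener(detached);   // no dereference on null
    return result;
}

int main()
{
    Result r = demo();
    assert(r.fixedCount == 1 && r.fixedAccessorReads == 1);
    assert(r.reviewedAccessorReads == 2);
    assert(r.windowlessRejected);
    return 0;
}
```

The accessor read count is the tell: the as-reviewed shape consults `domWindow()` twice and dereferences the second result, which the `if (!window)` test never saw, while the corrected shape reads it once and dereferences the pointer it checked.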