RESOLVED FIXED 206337
REGRESSION (r251110): Crash on https://developer.apple.com/tutorials/swiftui/creating-and-combining-views 
https://bugs.webkit.org/show_bug.cgi?id=206337
Summary REGRESSION (r251110): Crash on https://developer.apple.com/tutorials/swiftui/...
Ryosuke Niwa
Reported 2020-01-15 21:56:55 PST
WebKit crashes with the following backtrace when visiting https://developer.apple.com/tutorials/swiftui/creating-and-combining-views. 0 WebCore 0x00000001b88af7b0 WebCore::RadioButtonGroups::hasCheckedButton(WebCore::HTMLInputElement const&) const + 136 1 WebCore 0x00000001b88af74c WebCore::RadioButtonGroups::hasCheckedButton(WebCore::HTMLInputElement const&) const + 36 2 WebCore 0x00000001b8ae7310 WebCore::RadioInputType::matchesIndeterminatePseudoClass() const + 48 3 ??? 0x0000000caf0068a0 0 + 54475647136 4 WebCore 0x00000001b9238b0c WebCore::Style::ElementRuleCollector::collectMatchingRulesForList(WTF::Vector<WebCore::Style::RuleData, 1ul, WTF::CrashOnOverflow, 16ul> const*, WebCore::Style::MatchRequest const&) + 384 5 WebCore 0x00000001b9238840 WebCore::Style::ElementRuleCollector::collectMatchingRules(WebCore::Style::MatchRequest const&) + 740 6 WebCore 0x00000001b9239930 WebCore::Style::ElementRuleCollector::matchUARules() + 104 7 WebCore 0x00000001b9239f60 WebCore::Style::ElementRuleCollector::matchAllRules(bool, bool) + 40 8 WebCore 0x00000001b9250990 WebCore::Style::Resolver::styleForElement(WebCore::Element const&, WebCore::RenderStyle const*, WebCore::RenderStyle const*, WebCore::RuleMatchingBehavior, WebCore::SelectorFilter const*) + 488 9 WebCore 0x00000001b925b9e4 WebCore::Style::TreeResolver::styleForElement(WebCore::Element&, WebCore::RenderStyle const&) + 228 10 WebCore 0x00000001b925bd20 WebCore::Style::TreeResolver::resolveElement(WebCore::Element&) + 112 11 WebCore 0x00000001b925cd9c WebCore::Style::TreeResolver::resolveComposedTree() + 1388 12 WebCore 0x00000001b925d8f0 WebCore::Style::TreeResolver::resolve() + 700 <rdar://problem/58441241>
Attachments
Fixes the bug (4.57 KB, patch)
2020-01-15 22:07 PST, Ryosuke Niwa 		ggaren: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Ryosuke Niwa
Comment 1 2020-01-15 22:07:18 PST
Created attachment 387895 [details] Fixes the bug
Geoffrey Garen
Comment 2 2020-01-16 10:34:26 PST
Comment on attachment 387895 [details] Fixes the bug r=me
Wenson Hsieh
Comment 3 2020-01-16 11:32:12 PST
Comment on attachment 387895 [details] Fixes the bug View in context: https://bugs.webkit.org/attachment.cgi?id=387895&action=review > LayoutTests/fast/forms/match-pseudo-on-radio-before-finalizing-tree-insertion-crash.html:18 > +script.textContent = 'document.getElementById("result").textContent = getComputedStyle(input).color ? "PASS" : "PASS"'; Nit - this could just be document.getElementById("result").textContent = "PASS";
Ryosuke Niwa
Comment 4 2020-01-16 11:36:58 PST
Comment on attachment 387895 [details] Fixes the bug View in context: https://bugs.webkit.org/attachment.cgi?id=387895&action=review >> LayoutTests/fast/forms/match-pseudo-on-radio-before-finalizing-tree-insertion-crash.html:18 >> +script.textContent = 'document.getElementById("result").textContent = getComputedStyle(input).color ? "PASS" : "PASS"'; > > Nit - this could just be document.getElementById("result").textContent = "PASS"; Ah, no, no, getComputedStyle(input).color is what triggers the crash. Without it, the test won't do anything useful. Perhaps I should split into a separate line to make it clear.
Wenson Hsieh
Comment 5 2020-01-16 11:38:24 PST
Comment on attachment 387895 [details] Fixes the bug View in context: https://bugs.webkit.org/attachment.cgi?id=387895&action=review >>> LayoutTests/fast/forms/match-pseudo-on-radio-before-finalizing-tree-insertion-crash.html:18 >>> +script.textContent = 'document.getElementById("result").textContent = getComputedStyle(input).color ? "PASS" : "PASS"'; >> >> Nit - this could just be document.getElementById("result").textContent = "PASS"; > > Ah, no, no, getComputedStyle(input).color is what triggers the crash. > Without it, the test won't do anything useful. > Perhaps I should split into a separate line to make it clear. Oh, I see! Yep, I think that splitting it out clarifies things.
Ryosuke Niwa
Comment 6 2020-01-16 11:39:42 PST
Comment on attachment 387895 [details] Fixes the bug View in context: https://bugs.webkit.org/attachment.cgi?id=387895&action=review > LayoutTests/fast/forms/match-pseudo-on-radio-before-finalizing-tree-insertion-crash.html:26 > + Oh weird, this doesn't have the second input which makes this test hang in the trunk. Will fix that before landing it.
Ryosuke Niwa
Comment 7 2020-01-16 16:47:12 PST
Committed r254722: <https://trac.webkit.org/changeset/254722>
Note You need to log in before you can comment on or make changes to this bug.