RESOLVED DUPLICATE of bug 215610 216007
REGRESSION(r266350): WebCore::ImageLoader::updateFromElement(WebCore::RelevantMutation)
https://bugs.webkit.org/show_bug.cgi?id=216007
Hector Lopez
Reported 2020-08-31 09:46:49 PDT
Created attachment 407606 [details]
Crash log

imported/w3c/web-platform-tests/html/semantics/embedded-content/the-img-element/image-loading-lazy-slow.html

Test is a constant crash according to history on macOS and iOS. The first occurrence of a crash is at r266350.

History: https://results.webkit.org/?suite=layout-tests&test=imported%2Fw3c%2Fweb-platform-tests%2Fhtml%2Fsemantics%2Fembedded-content%2Fthe-img-element%2Fimage-loading-lazy-slow.html

Crash log:

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore           0x00000001079c56be WebCore::ImageLoader::updateFromElement(WebCore::RelevantMutation) + 1086
1   com.apple.WebCore           0x0000000107703464 WebCore::HTMLImageElement::selectImageSource(WebCore::RelevantMutation) + 1060
2   com.apple.WebCore           0x000000010750a8df WebCore::Element::attributeChanged(WebCore::QualifiedName const&, WTF::AtomString const&, WTF::AtomString const&, WebCore::Element::AttributeModificationReason) + 1327
3   com.apple.WebCore           0x000000010770354e WebCore::HTMLImageElement::attributeChanged(WebCore::QualifiedName const&, WTF::AtomString const&, WTF::AtomString const&, WebCore::Element::AttributeModificationReason) + 126
4   com.apple.WebCore           0x0000000107509af0 WebCore::Element::setAttributeInternal(unsigned int, WebCore::QualifiedName const&, WTF::AtomString const&, WebCore::Element::SynchronizationOfLazyAttribute) + 848
5   com.apple.WebCore           0x00000001067c8130 WebCore::setJSHTMLImageElementSrc(JSC::JSGlobalObject*, long long, long long) + 448
6   com.apple.JavaScriptCore    0x0000000101230a6f JSC::callCustomSetter(JSC::JSGlobalObject*, JSC::JSValue, bool, JSC::JSObject*, JSC::JSValue, JSC::JSValue) + 31
7   com.apple.JavaScriptCore    0x00000001012f90ae JSC::JSObject::putInlineSlow(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 1134
8   com.apple.JavaScriptCore    0x0000000100799b04 llint_slow_path_put_by_id + 1252
9   com.apple.JavaScriptCore    0x00000001009a564d llint_entry + 38921
10  com.apple.JavaScriptCore    0x000000010099bc4f vmEntryToJavaScript + 216
11  com.apple.JavaScriptCore    0x0000000100fd6e16 JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 518
12  com.apple.JavaScriptCore    0x00000001011fe303 JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 147

or see attached
Attachments
Crash log (99.63 KB, text/plain)
2020-08-31 09:46 PDT, Hector Lopez
no flags
Crash log for r266408 change (171.95 KB, text/plain)
2020-09-01 18:50 PDT, Hector Lopez
no flags
Radar WebKit Bug Importer
Comment 1 2020-08-31 09:49:05 PDT
Hector Lopez
Comment 2 2020-08-31 10:25:05 PDT
Reverted while being investigated: https://trac.webkit.org/changeset/266358/webkit
Alexey Proskuryakov
Comment 3 2020-08-31 13:57:35 PDT
Marking as fixed per the above.
Hector Lopez
Comment 4 2020-09-01 18:50:06 PDT
Created attachment 407729 [details] Crash log for r266408 change
Hector Lopez
Comment 5 2020-09-01 18:50:42 PDT
Test is a constant crash according to history on macOS and iOS. First occurrence of a crash is at r266408.

https://trac.webkit.org/changeset/266408/webkit

History: https://results.webkit.org/?suite=layout-tests&test=imported%2Fw3c%2Fweb-platform-tests%2Fhtml%2Fsemantics%2Fembedded-content%2Fthe-img-element%2Fimage-loading-lazy-slow.html

Same crash log:

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore           0x0000000106d60b0e WebCore::ImageLoader::updateFromElement(WebCore::RelevantMutation) + 1086
1   com.apple.WebCore           0x0000000106a97d34 WebCore::HTMLImageElement::selectImageSource(WebCore::RelevantMutation) + 1060
2   com.apple.WebCore           0x000000010689d70f WebCore::Element::attributeChanged(WebCore::QualifiedName const&, WTF::AtomString const&, WTF::AtomString const&, WebCore::Element::AttributeModificationReason) + 1327
3   com.apple.WebCore           0x0000000106a97e1e WebCore::HTMLImageElement::attributeChanged(WebCore::QualifiedName const&, WTF::AtomString const&, WTF::AtomString const&, WebCore::Element::AttributeModificationReason) + 126
4   com.apple.WebCore           0x000000010689c920 WebCore::Element::setAttributeInternal(unsigned int, WebCore::QualifiedName const&, WTF::AtomString const&, WebCore::Element::SynchronizationOfLazyAttribute) + 848
5   com.apple.WebCore           0x0000000105b53000 WebCore::setJSHTMLImageElementSrc(JSC::JSGlobalObject*, long long, long long) + 448
6   com.apple.JavaScriptCore    0x00000001030928ef JSC::callCustomSetter(JSC::JSGlobalObject*, JSC::JSValue, bool, JSC::JSObject*, JSC::JSValue, JSC::JSValue) + 31
7   com.apple.JavaScriptCore    0x000000010315af2e JSC::JSObject::putInlineSlow(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 1134
8   com.apple.JavaScriptCore    0x00000001025fbf04 llint_slow_path_put_by_id + 1252
Hector Lopez
Comment 6 2020-09-01 18:57:32 PDT
Reverted change while investigated: https://trac.webkit.org/changeset/266446/webkit
youenn fablet
Comment 7 2020-09-03 01:48:02 PDT
*** This bug has been marked as a duplicate of bug 215610 ***
youenn fablet
Comment 8 2020-09-03 01:48:17 PDT
Let's move investigation to the initial bug.