Bug 224912 - REGRESSION(r276380): Caused WPT css/css-counter-styles/cssom test crashes on macOS WK1 with ASan
Summary: REGRESSION(r276380): Caused WPT css/css-counter-styles/cssom test crashes on ...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: WebKit Commit Bot
URL:
Keywords: InRadar
Depends on:
Blocks: 224875 224718
Reported: 2021-04-21 20:22 PDT by WebKit Commit Bot
Modified: 2021-04-22 17:46 PDT
CC: 2 users

See Also:


Attachments
REVERT of r276380 (48.15 KB, patch)
2021-04-21 20:23 PDT, WebKit Commit Bot
no flags

Description WebKit Commit Bot 2021-04-21 20:22:52 PDT
https://trac.webkit.org/changeset/276380 broke the build:
Caused WPT css/css-counter-styles/cssom test crashes on macOS WK1 with ASan

This is an automatic bug report generated by webkitbot. If this bug
report was created because of a flaky test, please file a bug for the flaky
test (if we don't already have one on file) and dup this bug against that bug
so that we can track how often these flaky tests fail.
Comment 1 WebKit Commit Bot 2021-04-21 20:23:02 PDT
Created attachment 426767
REVERT of r276380

Any committer can land this patch automatically by marking it commit-queue+.  The commit-queue will build and test the patch before landing to ensure that the revert will be successful.  This process takes approximately 15 minutes.

If you would like to land the revert faster, you can use the following command:

  webkit-patch land-attachment ATTACHMENT_ID

where ATTACHMENT_ID is the ID of this attachment.
Comment 2 Ryan Haddad 2021-04-21 20:24:51 PDT
These are the tests that were crashing on macOS WK1 under ASan:

imported/w3c/web-platform-tests/css/css-counter-styles/cssom/cssom-additive-symbols-setter-invalid.html
imported/w3c/web-platform-tests/css/css-counter-styles/cssom/cssom-additive-symbols-setter.html
imported/w3c/web-platform-tests/css/css-counter-styles/cssom/cssom-fallback-setter-invalid.html
imported/w3c/web-platform-tests/css/css-counter-styles/cssom/cssom-fallback-setter.html
imported/w3c/web-platform-tests/css/css-counter-styles/cssom/cssom-name-setter-invalid.html
imported/w3c/web-platform-tests/css/css-counter-styles/cssom/cssom-name-setter.html
imported/w3c/web-platform-tests/css/css-counter-styles/cssom/cssom-negative-setter-invalid.html
imported/w3c/web-platform-tests/css/css-counter-styles/cssom/cssom-negative-setter.html
imported/w3c/web-platform-tests/css/css-counter-styles/cssom/cssom-pad-setter-invalid.html
imported/w3c/web-platform-tests/css/css-counter-styles/cssom/cssom-pad-setter.html
imported/w3c/web-platform-tests/css/css-counter-styles/cssom/cssom-prefix-suffix-setter-invalid.html
imported/w3c/web-platform-tests/css/css-counter-styles/cssom/cssom-prefix-suffix-setter.html
imported/w3c/web-platform-tests/css/css-counter-styles/cssom/cssom-range-setter-invalid.html
imported/w3c/web-platform-tests/css/css-counter-styles/cssom/cssom-range-setter.html
imported/w3c/web-platform-tests/css/css-counter-styles/cssom/cssom-symbols-setter-invalid.html
imported/w3c/web-platform-tests/css/css-counter-styles/cssom/cssom-symbols-setter.html
imported/w3c/web-platform-tests/css/css-counter-styles/cssom/cssom-system-setter-1.html
imported/w3c/web-platform-tests/css/css-counter-styles/cssom/cssom-system-setter-2.html
imported/w3c/web-platform-tests/css/css-counter-styles/cssom/cssom-system-setter-invalid.html
Comment 3 Ryan Haddad 2021-04-21 20:25:03 PDT
==41704==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7ffee70753b8 at pc 0x00012e571e86 bp 0x7ffee7074c40 sp 0x7ffee7074c38
READ of size 4 at 0x7ffee70753b8 thread T0
    #0 0x12e571e85 in WebCore::CSSParserToken::type() const+0x35 (WebCore:x86_64+0x342de85)
    #1 0x12e8842b0 in WTF::Optional<int> WebCore::CSSPropertyParserHelpers::consumeIntegerTypeRaw<int>(WebCore::CSSParserTokenRange&, double)+0xd0 (WebCore:x86_64+0x37402b0)
    #2 0x12e8841cd in WebCore::CSSPropertyParserHelpers::consumeIntegerRaw(WebCore::CSSParserTokenRange&, double)+0xd (WebCore:x86_64+0x37401cd)
    #3 0x12e861038 in WebCore::CSSPropertyParserHelpers::consumeInteger(WebCore::CSSParserTokenRange&, double)+0xc8 (WebCore:x86_64+0x371d038)
    #4 0x12e86f584 in WebCore::consumeCounterStyleAdditiveSymbols(WebCore::CSSParserTokenRange&, WebCore::CSSParserContext const&)+0x284 (WebCore:x86_64+0x372b584)
    #5 0x12e86ce27 in WebCore::CSSPropertyParser::parseCounterStyleDescriptor(WebCore::CSSPropertyID, WebCore::CSSParserTokenRange&, WebCore::CSSParserContext const&)+0x1f7 (WebCore:x86_64+0x3728e27)
    #6 0x12e5dfccb in WebCore::CSSCounterStyleRule::setterInternal(WebCore::CSSPropertyID, WTF::String const&)+0x1db (WebCore:x86_64+0x349bccb)
    #7 0x12e5e0020 in WebCore::CSSCounterStyleRule::setAdditiveSymbols(WTF::String const&)+0x10 (WebCore:x86_64+0x349c020)
    #8 0x12b890bbf in WebCore::setJSCSSCounterStyleRule_additiveSymbolsSetter(JSC::JSGlobalObject&, WebCore::JSCSSCounterStyleRule&, JSC::JSValue)::'lambda'()::operator()() const+0x4f (WebCore:x86_64+0x74cbbf)
    #9 0x12b890b68 in void WebCore::invokeFunctorPropagatingExceptionIfNecessary<WebCore::setJSCSSCounterStyleRule_additiveSymbolsSetter(JSC::JSGlobalObject&, WebCore::JSCSSCounterStyleRule&, JSC::JSValue)::'lambda'()>(JSC::JSGlobalObject&, JSC::ThrowScope&, WebCore::setJSCSSCounterStyleRule_additiveSymbolsSetter(JSC::JSGlobalObject&, WebCore::JSCSSCounterStyleRule&, JSC::JSValue)::'lambda'()&&)+0x8 (WebCore:x86_64+0x74cb68)
    #10 0x12b890a64 in WebCore::setJSCSSCounterStyleRule_additiveSymbolsSetter(JSC::JSGlobalObject&, WebCore::JSCSSCounterStyleRule&, JSC::JSValue)+0x164 (WebCore:x86_64+0x74ca64)
    #11 0x12b7d49fb in bool WebCore::IDLAttribute<WebCore::JSCSSCounterStyleRule>::set<&(WebCore::setJSCSSCounterStyleRule_additiveSymbolsSetter(JSC::JSGlobalObject&, WebCore::JSCSSCounterStyleRule&, JSC::JSValue)), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, long long, long long, JSC::PropertyName)+0x10b (WebCore:x86_64+0x6909fb)
    #12 0x12b7d48e8 in WebCore::setJSCSSCounterStyleRule_additiveSymbols(JSC::JSGlobalObject*, long long, long long, JSC::PropertyName)+0x8 (WebCore:x86_64+0x6908e8)
    #13 0x10ca7261a in JSC::callCustomSetter(JSC::JSGlobalObject*, bool (*)(JSC::JSGlobalObject*, long long, long long, JSC::PropertyName), bool, JSC::JSObject*, JSC::JSValue, JSC::JSValue, JSC::PropertyName)+0xea (JavaScriptCore:x86_64+0x2ccb61a)
    #14 0x10cd036f7 in JSC::JSObject::putInlineSlow(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&)+0x857 (JavaScriptCore:x86_64+0x2f5c6f7)
    #15 0x10c5bcdd7 in llint_slow_path_put_by_id+0xa27 (JavaScriptCore:x86_64+0x2815dd7)
    #16 0x10a9fcdff in llint_entry+0xa01f (JavaScriptCore:x86_64+0xc55dff)
    #17 0x10a9f2bd8 in vmEntryToJavaScript+0xd7 (JavaScriptCore:x86_64+0xc4bbd8)
    #18 0x10c2b0fdc in JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*)+0x7b8c (JavaScriptCore:x86_64+0x2509fdc)
    #19 0x10ca6017e in JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)+0x21e (JavaScriptCore:x86_64+0x2cb917e)
    #20 0x10ca60437 in JSC::profiledEvaluate(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)+0xe7 (JavaScriptCore:x86_64+0x2cb9437)
    #21 0x12e2c8400 in WebCore::JSExecState::profiledEvaluate(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)+0xe0 (WebCore:x86_64+0x3184400)
    #22 0x12e2c7c05 in WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&)+0x2e5 (WebCore:x86_64+0x3183c05)
    #23 0x12e2c77fd in WebCore::ScriptController::evaluateInWorldIgnoringException(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&)+0xed (WebCore:x86_64+0x31837fd)
    #24 0x12e2c860f in WebCore::ScriptController::evaluateIgnoringException(WebCore::ScriptSourceCode const&)+0x1f (WebCore:x86_64+0x318460f)
    #25 0x12ec781ac in WebCore::ScriptElement::executeClassicScript(WebCore::ScriptSourceCode const&)+0x3bc (WebCore:x86_64+0x3b341ac)
    #26 0x12ec74c8e in WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport)+0xb0e (WebCore:x86_64+0x3b30c8e)
    #27 0x12f40bd06 in WebCore::HTMLScriptRunner::runScript(WebCore::ScriptElement&, WTF::TextPosition const&)+0x206 (WebCore:x86_64+0x42c7d06)
    #28 0x12f40b9d4 in WebCore::HTMLScriptRunner::execute(WTF::Ref<WebCore::ScriptElement, WTF::RawPtrTraits<WebCore::ScriptElement> >&&, WTF::TextPosition const&)+0x84 (WebCore:x86_64+0x42c79d4)
    #29 0x12f3e23bd in WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder()+0x3ed (WebCore:x86_64+0x429e3bd)
    #30 0x12f3e2a4d in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&)+0x32d (WebCore:x86_64+0x429ea4d)
    #31 0x12f3e19fe in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode)+0x17e (WebCore:x86_64+0x429d9fe)
    #32 0x12f3e1578 in WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode)+0x38 (WebCore:x86_64+0x429d578)
    #33 0x12f3e3999 in WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl, WTF::RawPtrTraits<WTF::StringImpl>, WTF::DefaultRefDerefTraits<WTF::StringImpl> >&&)+0x2d9 (WebCore:x86_64+0x429f999)
    #34 0x12ea20a5f in WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter&)+0x14f (WebCore:x86_64+0x38dca5f)
    #35 0x12f91047b in WebCore::DocumentWriter::end()+0x14b (WebCore:x86_64+0x47cc47b)
    #36 0x12f90f032 in WebCore::DocumentLoader::finishedLoading()+0x2e2 (WebCore:x86_64+0x47cb032)
    #37 0x12f90e998 in WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource&, WebCore::NetworkLoadMetrics const&)+0x2c8 (WebCore:x86_64+0x47ca998)
    #38 0x12fae3e1f in WebCore::CachedResource::checkNotify(WebCore::NetworkLoadMetrics const&)+0x17f (WebCore:x86_64+0x499fe1f)
    #39 0x12fade2ce in WebCore::CachedResource::finishLoading(WebCore::SharedBuffer*, WebCore::NetworkLoadMetrics const&)+0x4e (WebCore:x86_64+0x499a2ce)
    #40 0x12fadfd48 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*, WebCore::NetworkLoadMetrics const&)+0x258 (WebCore:x86_64+0x499bd48)
    #41 0x12fa519b7 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&)+0x737 (WebCore:x86_64+0x490d9b7)
    #42 0x12fa31300 in WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle*)+0x140 (WebCore:x86_64+0x48ed300)
    #43 0x1315a5940 in -[WebCoreResourceHandleAsOperationQueueDelegate connectionDidFinishLoading:]::$_7::operator()()+0xe0 (WebCore:x86_64+0x6461940)
    #44 0x1315a57ac in WTF::Detail::CallableWrapper<-[WebCoreResourceHandleAsOperationQueueDelegate connectionDidFinishLoading:]::$_7, void>::call()+0xc (WebCore:x86_64+0x64617ac)
    #45 0x109de0eee in WTF::Function<void ()>::operator()() const+0x3e (JavaScriptCore:x86_64+0x39eee)
    #46 0x109e80328 in WTF::RunLoop::performWork()+0x238 (JavaScriptCore:x86_64+0xd9328)
    #47 0x109e837aa in WTF::RunLoop::performWork(void*)+0xba (JavaScriptCore:x86_64+0xdc7aa)
    #48 0x7fff204d47db in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__+0x10 (CoreFoundation:x86_64+0x817db)
    #49 0x7fff204d4743 in __CFRunLoopDoSource0+0xb3 (CoreFoundation:x86_64+0x81743)
    #50 0x7fff204d44b9 in __CFRunLoopDoSources0+0xf1 (CoreFoundation:x86_64+0x814b9)
    #51 0x7fff204d2ec7 in __CFRunLoopRun+0x380 (CoreFoundation:x86_64+0x7fec7)
    #52 0x7fff204d247f in CFRunLoopRunSpecific+0x236 (CoreFoundation:x86_64+0x7f47f)
    #53 0x108bb7d00 in runTest(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) DumpRenderTree.mm:1959
    #54 0x108bb7131 in runTestingServerLoop() DumpRenderTree.mm:1073
    #55 0x108bb6005 in dumpRenderTree(int, char const**) DumpRenderTree.mm:1186
    #56 0x108bb8ac4 in DumpRenderTreeMain(int, char const**) DumpRenderTree.mm:1297
    #57 0x108cb6198 in main DumpRenderTreeMain.mm:34
    #58 0x7fff203f6f3c in start+0x0 (libdyld.dylib:x86_64+0x15f3c)
 
Address 0x7ffee70753b8 is located in stack of thread T0 at offset 248 in frame
    #0 0x12e5dfaff in WebCore::CSSCounterStyleRule::setterInternal(WebCore::CSSPropertyID, WTF::String const&)+0xf (WebCore:x86_64+0x349baff)
 
  This frame has 7 object(s):
    [32, 40) 'ref.tmp.i.i15'
    [64, 72) 'ref.tmp.i.i'
    [96, 112) 'tokens' (line 223)
    [128, 1032) 'ref.tmp' (line 223) <== Memory access at offset 248 is inside this variable
    [1168, 1176) 'newValue' (line 224)
    [1200, 1208) 'agg.tmp'
    [1232, 1256) 'mutationScope' (line 228)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-scope (WebCore:x86_64+0x342de85) in WebCore::CSSParserToken::type() const+0x35
Shadow bytes around the buggy address:
  0x1fffdce0ea20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1fffdce0ea30: 00 00 00 00 f1 f1 f1 f1 f8 f2 f2 f2 f8 f2 f2 f2
  0x1fffdce0ea40: f8 f2 f2 f2 f8 f3 f3 f3 00 00 00 00 00 00 00 00
  0x1fffdce0ea50: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f8 f2 f2 f2
  0x1fffdce0ea60: f8 f2 f2 f2 00 00 f2 f2 f8 f8 f8 f8 f8 f8 f8 f8
=>0x1fffdce0ea70: f8 f8 f8 f8 f8 f8 f8[f8]f8 f8 f8 f8 f8 f8 f8 f8
  0x1fffdce0ea80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x1fffdce0ea90: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x1fffdce0eaa0: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x1fffdce0eab0: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x1fffdce0eac0: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==41704==ABORTING
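The frame listing in the report above is the useful part: the faulting 4-byte read in CSSParserToken::type() lands inside 'ref.tmp', a 904-byte compiler temporary declared on the same source line (223) as the 16-byte 'tokens' object, and the shadow bytes are all f8 (stack use after scope). In other words a non-owning token range was built from a temporary that owned the token storage, the temporary was destroyed at the end of that full-expression, and the later parse walked dead stack. The C++ below is an added example, not WebKit's code: Tokenizer, TokenRange and the simplified additive-symbols grammar are stand-ins with assumed names and shapes (WebKit's CSSTokenizer keeps its tokens inline, which is consistent with a 904-byte temporary, but the exact line 223 is not on this page). It shows the fix a reviewer would ask for, keeping the owner in a named local for as long as the range is used, plus a cheap hardening: ref-qualify the accessor so the dangling form cannot compile at all.

```cpp
#include <cctype>
#include <cstddef>
#include <optional>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// Stand-ins (assumed names) for WebCore's CSSParserToken, CSSTokenizer and
// CSSParserTokenRange; the real classes are larger but share this ownership shape.
enum class TokenType { Ident, Number, Comma, Whitespace };

struct Token {
    TokenType type;
    std::string value;
};

// Non-owning view over a token array: two raw pointers, like the 16-byte
// 'tokens' object in the ASan frame listing. Valid only while the owner lives.
class TokenRange {
public:
    TokenRange(const Token* first, const Token* last) : m_first(first), m_last(last) {}
    bool atEnd() const { return m_first == m_last; }
    const Token& peek() const { return *m_first; }
    const Token& consume() { return *m_first++; }
private:
    const Token* m_first;
    const Token* m_last;
};

class Tokenizer {
public:
    explicit Tokenizer(const std::string& text);
    // Ref-qualified: callable on a named (lvalue) tokenizer only. The deleted
    // rvalue overload turns `Tokenizer(text).tokenRange()` from a run-time
    // stack-use-after-scope into a compile error.
    TokenRange tokenRange() const& { return { m_tokens.data(), m_tokens.data() + m_tokens.size() }; }
    TokenRange tokenRange() && = delete;
private:
    std::vector<Token> m_tokens; // WebKit keeps these inline, hence the large 'ref.tmp' temporary
};

Tokenizer::Tokenizer(const std::string& text)
{
    size_t i = 0;
    while (i < text.size()) {
        size_t start = i;
        unsigned char c = text[i];
        if (c == ',') {
            ++i;
            m_tokens.push_back({ TokenType::Comma, "," });
        } else if (std::isspace(c)) {
            while (i < text.size() && std::isspace(static_cast<unsigned char>(text[i]))) ++i;
            m_tokens.push_back({ TokenType::Whitespace, text.substr(start, i - start) });
        } else if (std::isdigit(c)) {
            while (i < text.size() && std::isdigit(static_cast<unsigned char>(text[i]))) ++i;
            m_tokens.push_back({ TokenType::Number, text.substr(start, i - start) });
        } else {
            while (i < text.size() && text[i] != ',' && !std::isspace(static_cast<unsigned char>(text[i]))) ++i;
            m_tokens.push_back({ TokenType::Ident, text.substr(start, i - start) });
        }
    }
}

using AdditiveSymbols = std::vector<std::pair<int, std::string>>;

static void skipWhitespace(TokenRange& range)
{
    while (!range.atEnd() && range.peek().type == TokenType::Whitespace)
        range.consume();
}

// Simplified additive-symbols grammar (stand-in for consumeCounterStyleAdditiveSymbols
// in the trace): `<integer> <symbol>` tuples separated by commas, weights not increasing.
static std::optional<AdditiveSymbols> parseAdditiveSymbols(TokenRange& range)
{
    AdditiveSymbols result;
    for (;;) {
        skipWhitespace(range);
        if (range.atEnd() || range.peek().type != TokenType::Number)
            return std::nullopt;
        int weight = 0;
        try { weight = std::stoi(range.consume().value); } catch (const std::out_of_range&) { return std::nullopt; }
        if (!result.empty() && weight > result.back().first)
            return std::nullopt;
        skipWhitespace(range);
        if (range.atEnd() || range.peek().type != TokenType::Ident)
            return std::nullopt;
        result.emplace_back(weight, range.consume().value);
        skipWhitespace(range);
        if (range.atEnd())
            return result;
        if (range.consume().type != TokenType::Comma)
            return std::nullopt;
    }
}

// Stand-in for CSSCounterStyleRule::setterInternal. The dangling shape the
// report describes would read:
//     auto tokens = Tokenizer(text).tokenRange();   // temporary destroyed here
//     return parseAdditiveSymbols(tokens);          // reads dead stack (ASan: f8)
// With the deleted rvalue overload above, that first line no longer compiles.
std::optional<AdditiveSymbols> parseAdditiveSymbolsText(const std::string& text)
{
    Tokenizer tokenizer(text);                  // named local: outlives every use of `tokens`
    TokenRange tokens = tokenizer.tokenRange();
    return parseAdditiveSymbols(tokens);
}
```

To see the original failure mode rather than the compile error, drop the deleted overload, restore the two commented lines, and build with `-fsanitize=address`; ASan reports the same stack-use-after-scope on the first `peek()`. A ref-qualified accessor is cheaper than that round trip: it documents the lifetime contract in the type and rejects the temporary at compile time.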
Comment 4 EWS 2021-04-21 20:28:10 PDT
Committed r276418 (236883@main): <https://commits.webkit.org/236883@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 426767.
Comment 5 Radar WebKit Bug Importer 2021-04-22 17:46:38 PDT
<rdar://problem/77047779>