Bug 229196 - Crash under JSIntersectionObserverCallback::handleEvent()
Summary: Crash under JSIntersectionObserverCallback::handleEvent()
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Chris Dumez
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2021-08-17 10:33 PDT by Chris Dumez
Modified: 2021-08-18 08:25 PDT
CC List: 7 users

See Also:


Attachments
Patch (2.09 KB, patch) - 2021-08-17 10:38 PDT, Chris Dumez - no flags
Patch (2.41 KB, patch) - 2021-08-17 10:40 PDT, Chris Dumez - no flags
Patch (3.16 KB, patch) - 2021-08-17 11:20 PDT, Chris Dumez - ews-feeder: commit-queue-
Patch (4.50 KB, patch) - 2021-08-17 13:31 PDT, Chris Dumez - ews-feeder: commit-queue-
Patch (5.04 KB, patch) - 2021-08-17 13:38 PDT, Chris Dumez - no flags

Description Chris Dumez 2021-08-17 10:33:08 PDT
Crash under JSIntersectionObserverCallback::handleEvent():
Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000005
Exception Note:        EXC_CORPSE_NOTIFY

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x00000001b22e3480 WebCore::JSCallbackData::invokeCallback(WebCore::JSDOMGlobalObject&, JSC::JSObject*, JSC::JSValue, JSC::MarkedArgumentBuffer&, WebCore::JSCallbackData::CallbackType, JSC::PropertyName, WTF::NakedPtr<JSC::Exception>&) + 140
1   com.apple.WebCore             	0x00000001b19dbd10 WebCore::JSIntersectionObserverCallback::handleEvent(WebCore::IntersectionObserver&, WTF::Vector<WTF::Ref<WebCore::IntersectionObserverEntry, WTF::RawPtrTraits<WebCore::IntersectionObserverEntry> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WebCore::IntersectionObserver&) + 564
2   com.apple.WebCore             	0x00000001b19dbd10 WebCore::JSIntersectionObserverCallback::handleEvent(WebCore::IntersectionObserver&, WTF::Vector<WTF::Ref<WebCore::IntersectionObserverEntry, WTF::RawPtrTraits<WebCore::IntersectionObserverEntry> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WebCore::IntersectionObserver&) + 564
3   com.apple.WebCore             	0x00000001b2ca597c WebCore::IntersectionObserver::notify() + 228
4   com.apple.WebCore             	0x00000001b25cf534 WebCore::Document::updateIntersectionObservations() + 5532
5   com.apple.WebCore             	0x00000001b2caee30 WebCore::Page::forEachDocument(WTF::Function<void (WebCore::Document&)> const&) const + 328
6   com.apple.WebCore             	0x00000001b2cb6c5c WebCore::Page::updateRendering() + 1148
7   com.apple.WebKit              	0x00000001b4413e9c WebKit::TiledCoreAnimationDrawingArea::updateRendering(WebKit::TiledCoreAnimationDrawingArea::UpdateRenderingType) + 588
8   com.apple.CoreFoundation      	0x00000001957e3e84 __CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__ + 36
9   com.apple.CoreFoundation      	0x00000001957e3cd0 __CFRunLoopDoObservers + 572
10  com.apple.CoreFoundation      	0x00000001957e27c0 CFRunLoopRunSpecific + 684
11  com.apple.Foundation          	0x00000001966b6820 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 236
12  com.apple.Foundation          	0x00000001967462c0 -[NSRunLoop(NSRunLoop) run] + 92
13  libxpc.dylib                  	0x0000000195476900 _xpc_objc_main + 900
14  libxpc.dylib                  	0x0000000195476204 xpc_main + 108
15  com.apple.WebKit              	0x00000001b40ccad8 WebKit::XPCServiceMain(int, char const**) + 152
16  dyld                          	0x0000000100c390f4 start + 520
Comment 1 Chris Dumez 2021-08-17 10:33:23 PDT
<rdar://82016054>
Comment 2 Chris Dumez 2021-08-17 10:38:32 PDT
Created attachment 435695 [details]
Patch
Comment 3 Chris Dumez 2021-08-17 10:40:26 PDT
Created attachment 435696 [details]
Patch
Comment 4 Geoffrey Garen 2021-08-17 10:57:13 PDT
Comment on attachment 435696 [details]
Patch

r=me
Comment 5 Ryosuke Niwa 2021-08-17 11:16:24 PDT
Can we also fix ResizeObserver to be safe?
Comment 6 Chris Dumez 2021-08-17 11:20:42 PDT
Created attachment 435699 [details]
Patch
Comment 7 Chris Dumez 2021-08-17 11:21:14 PDT
(In reply to Ryosuke Niwa from comment #5)
> Can we also fix ResizeObserver to be safe?

Good idea. Done.
Comment 8 Chris Dumez 2021-08-17 13:31:47 PDT
Created attachment 435709 [details]
Patch
Comment 9 Chris Dumez 2021-08-17 13:38:11 PDT
Created attachment 435710 [details]
Patch
Comment 10 Ryosuke Niwa 2021-08-17 13:44:43 PDT
(In reply to Chris Dumez from comment #7)
> (In reply to Ryosuke Niwa from comment #5)
> > Can we also fix ResizeObserver to be safe?
> 
> Good idea. Done.

Thanks!
Comment 11 EWS 2021-08-17 18:03:23 PDT
Found 1 new test failure: imported/w3c/web-platform-tests/navigation-timing/nav2_test_attributes_values.html
Comment 12 Chris Dumez 2021-08-18 08:25:14 PDT
Comment on attachment 435710 [details]
Patch

Clearing flags on attachment: 435710

Committed r281188 (240632@main): <https://commits.webkit.org/240632@main>
Comment 13 Chris Dumez 2021-08-18 08:25:17 PDT
All reviewed patches have been landed. Closing bug.