Crash under JSIntersectionObserverCallback::handleEvent():

Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000005
Exception Note: EXC_CORPSE_NOTIFY

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.WebCore 0x00000001b22e3480 WebCore::JSCallbackData::invokeCallback(WebCore::JSDOMGlobalObject&, JSC::JSObject*, JSC::JSValue, JSC::MarkedArgumentBuffer&, WebCore::JSCallbackData::CallbackType, JSC::PropertyName, WTF::NakedPtr<JSC::Exception>&) + 140
1 com.apple.WebCore 0x00000001b19dbd10 WebCore::JSIntersectionObserverCallback::handleEvent(WebCore::IntersectionObserver&, WTF::Vector<WTF::Ref<WebCore::IntersectionObserverEntry, WTF::RawPtrTraits<WebCore::IntersectionObserverEntry> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WebCore::IntersectionObserver&) + 564
2 com.apple.WebCore 0x00000001b19dbd10 WebCore::JSIntersectionObserverCallback::handleEvent(WebCore::IntersectionObserver&, WTF::Vector<WTF::Ref<WebCore::IntersectionObserverEntry, WTF::RawPtrTraits<WebCore::IntersectionObserverEntry> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WebCore::IntersectionObserver&) + 564
3 com.apple.WebCore 0x00000001b2ca597c WebCore::IntersectionObserver::notify() + 228
4 com.apple.WebCore 0x00000001b25cf534 WebCore::Document::updateIntersectionObservations() + 5532
5 com.apple.WebCore 0x00000001b2caee30 WebCore::Page::forEachDocument(WTF::Function<void (WebCore::Document&)> const&) const + 328
6 com.apple.WebCore 0x00000001b2cb6c5c WebCore::Page::updateRendering() + 1148
7 com.apple.WebKit 0x00000001b4413e9c WebKit::TiledCoreAnimationDrawingArea::updateRendering(WebKit::TiledCoreAnimationDrawingArea::UpdateRenderingType) + 588
8 com.apple.CoreFoundation 0x00000001957e3e84 __CFRUNLOOP_IS_CALLING_OUT_TO_AN_OBSERVER_CALLBACK_FUNCTION__ + 36
9 com.apple.CoreFoundation 0x00000001957e3cd0 __CFRunLoopDoObservers + 572
10 com.apple.CoreFoundation 0x00000001957e27c0 CFRunLoopRunSpecific + 684
11 com.apple.Foundation 0x00000001966b6820 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 236
12 com.apple.Foundation 0x00000001967462c0 -[NSRunLoop(NSRunLoop) run] + 92
13 libxpc.dylib 0x0000000195476900 _xpc_objc_main + 900
14 libxpc.dylib 0x0000000195476204 xpc_main + 108
15 com.apple.WebKit 0x00000001b40ccad8 WebKit::XPCServiceMain(int, char const**) + 152
16 dyld 0x0000000100c390f4 start + 520
<rdar://82016054>
Created attachment 435695 [details] Patch
Created attachment 435696 [details] Patch
Comment on attachment 435696 [details]
Patch

r=me
Can we also fix ResizeObserver to be safe?
Created attachment 435699 [details] Patch
(In reply to Ryosuke Niwa from comment #5)
> Can we also fix ResizeObserver to be safe?

Good idea. Done.
Created attachment 435709 [details] Patch
Created attachment 435710 [details] Patch
(In reply to Chris Dumez from comment #7)
> (In reply to Ryosuke Niwa from comment #5)
> > Can we also fix ResizeObserver to be safe?
>
> Good idea. Done.

Thanks!
Found 1 new test failure: imported/w3c/web-platform-tests/navigation-timing/nav2_test_attributes_values.html
Comment on attachment 435710 [details]
Patch

Clearing flags on attachment: 435710

Committed r281188 (240632@main): <https://commits.webkit.org/240632@main>
All reviewed patches have been landed. Closing bug.