WebKit Bugzilla
New
Browse
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
RESOLVED FIXED
242159
REGRESSION(
251950@main
) Crash under WebCore::Style::ElementRuleCollector::collectMatchingRules
https://bugs.webkit.org/show_bug.cgi?id=242159
Summary
REGRESSION(251950@main) Crash under WebCore::Style::ElementRuleCollector::col...
Fujii Hironori
Reported
2022-06-29 19:26:51 PDT
I'm testing with WinCairo
251961@main
Debug build. A crash happens in this page <
https://mainichi.jp/articles/20220630/k00/00m/030/035000c
>.
> WebKit2.dll!WTF::RawPtrTraits<WTF::StringImpl>::unwrap(WTF::StringImpl * const & ptr) Line 44 C++ > WebKit2.dll!WTF::RefPtr<WTF::StringImpl,WTF::RawPtrTraits<WTF::StringImpl>,WTF::DefaultRefDerefTraits<WTF::StringImpl>>::get() Line 76 C++ > WebKit2.dll!WTF::String::impl() Line 115 C++ > WebKit2.dll!WTF::AtomString::impl() Line 82 C++ > WebKit2.dll!WTF::AtomStringHash::hash(const WTF::AtomString & key) Line 39 C++ > WebKit2.dll!WTF::IdentityHashTranslator<WTF::HashMap<WTF::AtomString,std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>,WTF::DefaultHash<WTF::AtomString>,WTF::HashTraits<WTF::AtomString>,WTF::HashTraits<std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>>,WTF::HashTableTraits>::KeyValuePairTraits,WTF::DefaultHash<WTF::AtomString>>::hash<WTF::AtomString>(const WTF::AtomString & key) Line 311 C++ > WebKit2.dll!WTF::HashMapTranslatorAdapter<WTF::HashMap<WTF::AtomString,std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>,WTF::DefaultHash<WTF::AtomString>,WTF::HashTraits<WTF::AtomString>,WTF::HashTraits<std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>>,WTF::HashTableTraits>::KeyValuePairTraits,WTF::IdentityHashTranslator<WTF::HashMap<WTF::AtomString,std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>,WTF::DefaultHash<WTF::AtomString>,WTF::HashTraits<WTF::AtomString>,WTF::HashTraits<std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>>,WTF::HashTableTraits>::KeyValuePairTraits,WTF::DefaultHash<WTF::AtomString>>>::hash<WTF::AtomString>(const WTF::AtomString & key) Line 250 C++ > WebKit2.dll!WTF::HashTable<WTF::AtomString,WTF::KeyValuePair<WTF::AtomString,std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>>,WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::AtomString,std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>>>,WTF::DefaultHash<WTF::AtomString>,WTF::HashMap<WTF::AtomString,std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>,WTF::DefaultHash<WTF::AtomString>,WTF::HashTraits<WTF::AtomString>,WTF::HashTraits<std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>>,WTF::HashTableTraits>::KeyValuePairTraits,WTF::HashTraits<WTF::AtomString>>::inlineLookup<WTF::HashMapTranslatorAdapter<WTF::HashMap<WTF::AtomString,std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>,WTF::DefaultHash<WTF::AtomString>,WTF::HashTraits<WTF::AtomString>,WTF::HashTraits<std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>>,WTF::HashTableTraits>::KeyValuePairTraits,WTF::IdentityHashTranslator<WTF::HashMap<WTF::AtomString,std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>,WTF::DefaultHash<WTF::AtomString>,WTF::HashTraits<WTF::AtomString>,WTF::HashTraits<std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>>,WTF::HashTableTraits>::KeyValuePairTraits,WTF::DefaultHash<WTF::AtomString>>>,WTF::AtomString>(const WTF::AtomString & key) Line 688 C++ > WebKit2.dll!WTF::HashTable<WTF::AtomString,WTF::KeyValuePair<WTF::AtomString,std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>>,WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::AtomString,std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>>>,WTF::DefaultHash<WTF::AtomString>,WTF::HashMap<WTF::AtomString,std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>,WTF::DefaultHash<WTF::AtomString>,WTF::HashTraits<WTF::AtomString>,WTF::HashTraits<std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>>,WTF::HashTableTraits>::KeyValuePairTraits,WTF::HashTraits<WTF::AtomString>>::lookup<WTF::HashMapTranslatorAdapter<WTF::HashMap<WTF::AtomString,std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>,WTF::DefaultHash<WTF::AtomString>,WTF::HashTraits<WTF::AtomString>,WTF::HashTraits<std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>>,WTF::HashTableTraits>::KeyValuePairTraits,WTF::IdentityHashTranslator<WTF::HashMap<WTF::AtomString,std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>,WTF::DefaultHash<WTF::AtomString>,WTF::HashTraits<WTF::AtomString>,WTF::HashTraits<std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>>,WTF::HashTableTraits>::KeyValuePairTraits,WTF::DefaultHash<WTF::AtomString>>>,WTF::AtomString>(const WTF::AtomString & key) Line 674 C++ > WebKit2.dll!WTF::HashMap<WTF::AtomString,std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>,WTF::DefaultHash<WTF::AtomString>,WTF::HashTraits<WTF::AtomString>,WTF::HashTraits<std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>>,WTF::HashTableTraits>::get<WTF::IdentityHashTranslator<WTF::HashMap<WTF::AtomString,std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>,WTF::DefaultHash<WTF::AtomString>,WTF::HashTraits<WTF::AtomString>,WTF::HashTraits<std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>>,WTF::HashTableTraits>::KeyValuePairTraits,WTF::DefaultHash<WTF::AtomString>>,WTF::AtomString>(const WTF::AtomString & value) Line 343 C++ > WebKit2.dll!WTF::HashMap<WTF::AtomString,std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>,WTF::DefaultHash<WTF::AtomString>,WTF::HashTraits<WTF::AtomString>,WTF::HashTraits<std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>>,WTF::HashTableTraits>::get(const WTF::AtomString & key) Line 459 C++ > WebKit2.dll!WebCore::Style::RuleSet::attributeRules(const WTF::AtomString & key, bool isHTMLName) Line 210 C++ > WebKit2.dll!WebCore::Style::ElementRuleCollector::collectMatchingRules(const WebCore::Style::MatchRequest & matchRequest) Line 166 C++ > WebKit2.dll!WebCore::Style::ElementRuleCollector::collectMatchingAuthorRules() Line 250 C++ > WebKit2.dll!WebCore::Style::ElementRuleCollector::matchAllRules(bool matchAuthorAndUserStyles, bool includeSMILProperties) Line 583 C++ > WebKit2.dll!WebCore::Style::Resolver::styleForElement(const WebCore::Element & element, const WebCore::Style::ResolutionContext & context, WebCore::RuleMatchingBehavior matchingBehavior) Line 257 C++ > WebKit2.dll!WebCore::Style::TreeResolver::styleForStyleable(const WebCore::Styleable & styleable, WebCore::Style::TreeResolver::ResolutionType resolutionType, const WebCore::Style::ResolutionContext & resolutionContext) Line 155 C++ > WebKit2.dll!WebCore::Style::TreeResolver::resolveElement(WebCore::Element & element, WebCore::Style::TreeResolver::ResolutionType resolutionType) Line 224 C++ > WebKit2.dll!WebCore::Style::TreeResolver::resolveComposedTree() Line 830 C++ > WebKit2.dll!WebCore::Style::TreeResolver::resolve() Line 925 C++ > WebKit2.dll!WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType type) Line 2097 C++ > WebKit2.dll!WebCore::Document::updateStyleIfNeeded() Line 2235 C++ > WebKit2.dll!WebCore::Document::updateLayoutIfDimensionsOutOfDate(WebCore::Element & element, WebCore::DimensionsCheck dimensionsCheck) Line 2338 C++ > WebKit2.dll!WebCore::DOMWindow::innerWidth() Line 1321 C++ > WebKit2.dll!WebCore::jsDOMWindow_innerWidthGetter(JSC::JSGlobalObject & lexicalGlobalObject, WebCore::JSDOMWindow & thisObject) Line 11281 C++ > WebKit2.dll!WebCore::IDLAttribute<WebCore::JSDOMWindow>::get<&WebCore::jsDOMWindow_innerWidthGetter,0>(JSC::JSGlobalObject & lexicalGlobalObject, __int64 thisValue, JSC::PropertyName attributeName) Line 100 C++ > WebKit2.dll!WebCore::jsDOMWindow_innerWidth(JSC::JSGlobalObject * lexicalGlobalObject, __int64 thisValue, JSC::PropertyName attributeName) Line 11287 C++ > JavaScriptCore.dll!JSC::PropertySlot::customGetter(JSC::VM & vm, JSC::PropertyName propertyName) Line 47 C++ > JavaScriptCore.dll!JSC::PropertySlot::getValue(JSC::JSGlobalObject * globalObject, JSC::PropertyName propertyName) Line 408 C++ > JavaScriptCore.dll!JSC::JSValue::get(JSC::JSGlobalObject * globalObject, JSC::PropertyName propertyName, JSC::PropertySlot & slot) Line 1032 C++ > JavaScriptCore.dll!JSC::LLInt::performLLIntGetByID(JSC::BytecodeIndex bytecodeIndex, JSC::CodeBlock * codeBlock, JSC::JSGlobalObject * globalObject, JSC::JSValue baseValue, const JSC::Identifier & ident, JSC::GetByIdModeMetadata & metadata) Line 813 C++ > JavaScriptCore.dll!llint_slow_path_get_by_id(JSC::CallFrame * callFrame, const JSC::BaseInstruction<JSC::JSOpcodeTraits> * pc) Line 887 C++ > JavaScriptCore.dll!llint_entry() Unknown > 000000bdd0efc930() Unknown > 000000bdd0efc9f0() Unknown > 0000025f7996f4a0() Unknown > JavaScriptCore.dll!00007ffd123ef2b8() C++ > 0000025f7996f4a0() Unknown > (...not available under JSC...)
Attachments
debugging patch
(2.36 KB, patch)
2022-06-29 21:21 PDT
,
Fujii Hironori
no flags
Details
Formatted Diff
Diff
Patch
(11.12 KB, patch)
2022-06-29 22:12 PDT
,
Antti Koivisto
no flags
Details
Formatted Diff
Diff
Show Obsolete
(1)
View All
Add attachment
proposed patch, testcase, etc.
Fujii Hironori
Comment 1
2022-06-29 19:28:50 PDT
ElementRuleCollector::collectMatchingRules has the following code:
> if (element.hasAttributesWithoutUpdate() && matchRequest.ruleSet.hasAttributeRules()) { > for (auto& attribute : element.attributesIterator()) > collectMatchingRulesForList(matchRequest.ruleSet.attributeRules(attribute.localName(), isHTML), matchRequest); > }
`attribute` wasn't valid value. This code was added by
251950@main
(
bug#242058
).
Fujii Hironori
Comment 2
2022-06-29 20:17:18 PDT
I confirmed this seems to be fixed by reverting
251950@main
.
Fujii Hironori
Comment 3
2022-06-29 20:33:40 PDT
> A crash happens in this page > <
https://mainichi.jp/articles/20220630/k00/00m/030/035000c
>.
This crash is no longer reproducible to me with this page.
Fujii Hironori
Comment 4
2022-06-29 21:21:38 PDT
Created
attachment 460568
[details]
debugging patch collectMatchingRulesForList adds a new attribute to UniqueElementData::m_attributeVector while iterating it.
Fujii Hironori
Comment 5
2022-06-29 21:23:40 PDT
Here is the callstack of
attachment#460568
[details]
patch.
> WebKit2.dll!WTFCrashWithInfo(int __formal, const char * __formal, const char * __formal, int __formal) Line 755 C++ > WebKit2.dll!WebCore::UniqueElementData::addAttribute(const WebCore::QualifiedName & attributeName, const WTF::AtomString & value) Line 334 C++ > WebKit2.dll!WebCore::Element::addAttributeInternal(const WebCore::QualifiedName & name, const WTF::AtomString & value, WebCore::Element::SynchronizationOfLazyAttribute inSynchronizationOfLazyAttribute) Line 3074 C++ > WebKit2.dll!WebCore::Element::setAttributeInternal(unsigned int index, const WebCore::QualifiedName & name, const WTF::AtomString & newValue, WebCore::Element::SynchronizationOfLazyAttribute inSynchronizationOfLazyAttribute) Line 1874 C++ > WebKit2.dll!WebCore::Element::setSynchronizedLazyAttribute(const WebCore::QualifiedName & name, const WTF::AtomString & value) Line 1860 C++ > WebKit2.dll!WebCore::StyledElement::synchronizeStyleAttributeInternalImpl() Line 68 C++ > WebKit2.dll!WebCore::StyledElement::synchronizeStyleAttributeInternal() Line 57 C++ > WebKit2.dll!WebCore::Element::synchronizeAllAttributes() Line 667 C++ > WebKit2.dll!WebCore::Element::hasAttributes() Line 2384 C++ > WebKit2.dll!WebCore::SelectorChecker::checkOne(WebCore::SelectorChecker::CheckingContext & checkingContext, const WebCore::SelectorChecker::LocalContext & context, WebCore::SelectorChecker::MatchType & matchType) Line 684 C++ > WebKit2.dll!WebCore::SelectorChecker::matchRecursively(WebCore::SelectorChecker::CheckingContext & checkingContext, const WebCore::SelectorChecker::LocalContext & context, WebCore::PseudoIdSet & dynamicPseudoIdSet) Line 272 C++ > WebKit2.dll!WebCore::SelectorChecker::match(const WebCore::CSSSelector & selector, const WebCore::Element & element, WebCore::SelectorChecker::CheckingContext & checkingContext) Line 191 C++ > WebKit2.dll!WebCore::Style::ElementRuleCollector::ruleMatches(const WebCore::Style::RuleData & ruleData, unsigned int & specificity, WebCore::Style::ScopeOrdinal styleScopeOrdinal) Line 469 C++ > WebKit2.dll!WebCore::Style::ElementRuleCollector::collectMatchingRulesForList(const WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc> * rules, const WebCore::Style::MatchRequest & matchRequest) Line 513 C++ > WebKit2.dll!WebCore::Style::ElementRuleCollector::collectMatchingRules(const WebCore::Style::MatchRequest & matchRequest) Line 169 C++ > WebKit2.dll!WebCore::Style::ElementRuleCollector::collectMatchingAuthorRules() Line 254 C++ > WebKit2.dll!WebCore::Style::ElementRuleCollector::matchAllRules(bool matchAuthorAndUserStyles, bool includeSMILProperties) Line 587 C++ > (...)
Antti Koivisto
Comment 6
2022-06-29 21:25:10 PDT
Oh good find
Antti Koivisto
Comment 7
2022-06-29 22:12:22 PDT
Created
attachment 460570
[details]
Patch
EWS
Comment 8
2022-06-29 23:22:53 PDT
Committed
251982@main
(41eeecebb149): <
https://commits.webkit.org/251982@main
> All reviewed patches have been landed. Closing bug and clearing flags on
attachment 460570
[details]
.
Antti Koivisto
Comment 9
2022-06-30 05:48:08 PDT
rdar://96207962
Note
You need to
log in
before you can comment on or make changes to this bug.
Top of Page
Format For Printing
XML
Clone This Bug