RESOLVED FIXED282846
On some cases async/await creates a race where we try to compute translate with null values 
https://bugs.webkit.org/show_bug.cgi?id=282846
Summary On some cases async/await creates a race where we try to compute translate wi...
Pedro Varangot
Reported 2024-11-08 11:21:32 PST
This test will crash sometimes, around 20% to 50% of the time on main. Removing unused function or asynchronous code doesn't crash: <html> <head> <style> * { read-only; translate: 640rlh; }; </style> <script> nodes = new Map([ ['n0', new WeakRef(document.documentElement)] ]); function getObject(key) { entriesForKey = stuff.get(key); { nextEntry = entriesForKey.shift(); theObject = nextEntry.deref(); { return theObject; } } } node = document.createElementNS('http://www.w3.org/1999/xhtml', 'img'); nodes.get('n0').deref().append(node); (async () => { globalThis.testRunner?.waitUntilDone(); for (let i = 0; i < 1700; i++) { const url = new URL(`https://example.com/?q=${i}`); } frames.history.back(); try { await (() => { return window.caches.has("something"); })(); } catch {} node.computedStyleMap().getAll('translate'); globalThis.testRunner?.notifyDone(); globalThis.testRunner?.dumpAsText(); })(); </script> </head> </html>
Attachments
Add attachment proposed patch, testcase, etc.
Pedro Varangot
Comment 1 2024-11-08 11:22:35 PST
<rdar://problem/137177447>
Pedro Varangot
Comment 2 2024-11-08 11:26:03 PST
Pull request: https://github.com/WebKit/WebKit/pull/36409
Pedro Varangot
Comment 3 2024-11-10 08:46:03 PST
Relevant part of the stack trace: 1 WebCore 0x134ff0980 WebCore::CSSPrimitiveValue::create(WebCore::Length const&, WebCore::RenderStyle const&) + 1084 (CSSPrimitiveValue.cpp:576) 2 WebCore 0x135124a20 WebCore::ComputedStyleExtractor::zoomAdjustedPixelValueForLength(WebCore::Length const&, WebCore::RenderStyle const&) + 16 (ComputedStyleExtractor.cpp:437) [inlined] 3 WebCore 0x135124a20 WebCore::computedTranslate(WebCore::RenderObject*, WebCore::RenderStyle const&)::$_0::operator()(WebCore::Length const&) const + 16 (ComputedStyleExtractor.cpp:995) [inlined] 4 WebCore 0x135124a20 WebCore::computedTranslate(WebCore::RenderObject*, WebCore::RenderStyle const&) + 7644 (ComputedStyleExtractor.cpp:1002) 5 WebCore 0x1350d21dc WebCore::ComputedStyleExtractor::valueForPropertyInStyle(WebCore::RenderStyle const&, WebCore::CSSPropertyID, WebCore::RenderElement*, WebCore::ComputedStyleExtractor::PropertyValueType) const + 99240 (ComputedStyleExtractor.cpp:4591) 6 WebCore 0x1350b81a8 WebCore::ComputedStyleExtractor::propertyValue(WebCore::CSSPropertyID, WebCore::ComputedStyleExtractor::UpdateLayout, WebCore::ComputedStyleExtractor::PropertyValueType) const + 1168 (ComputedStyleExtractor.cpp:3445) 7 WebCore 0x13588abec WebCore::ComputedStylePropertyMapReadOnly::propertyValue(WebCore::CSSPropertyID) const + 228 (ComputedStylePropertyMapReadOnly.cpp:53) 8 WebCore 0x1358944a4 WebCore::MainThreadStylePropertyMapReadOnly::getAll(WebCore::ScriptExecutionContext&, WTF::AtomString const&) const + 2484 (MainThreadStylePropertyMapReadOnly.cpp:107) 9 WebCore 0x132be9460 WebCore::jsStylePropertyMapReadOnlyPrototypeFunction_getAllBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSStylePropertyMapReadOnly*) + 920 (JSStylePropertyMapReadOnly.cpp:252)
EWS
Comment 4 2024-11-15 12:00:09 PST
Committed 286647@main (c1664193f635): <https://commits.webkit.org/286647@main> Reviewed commits have been landed. Closing PR #36409 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.