[Webkit-unassigned] [Bug 139592] New: SVG masking can cause loadPendingResources() re-entrancy

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Dec 12 12:22:07 PST 2014 

https://bugs.webkit.org/show_bug.cgi?id=139592

            Bug ID: 139592
           Summary: SVG masking can cause loadPendingResources()
                    re-entrancy
    Classification: Unclassified
           Product: WebKit
           Version: 528+ (Nightly build)
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: CSS
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: simon.fraser at apple.com

While running tests, I just saw css3/masking/mask-svg-script-mask-to-entire-svg.html cause a crash which indicates bad behavior:

Application Specific Information:
CRASHING TEST: css3/masking/mask-svg-script-mask-to-entire-svg.html

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore          0x0000000116070a2a WTFCrash + 42
1   com.apple.WebCore                 0x00000001192c13d9 WebCore::StyleResolver::loadPendingResources() + 153 (StyleResolver.cpp:3759)
2   com.apple.WebCore                 0x00000001192bb0a2 WebCore::StyleResolver::applyMatchedProperties(WebCore::StyleResolver::MatchResult const&, WebCore::Element const*, WebCore::StyleResolver::ShouldUseMatchedPropertiesCache) + 1906 (StyleResolver.cpp:1827)
3   com.apple.WebCore                 0x00000001192b8ca3 WebCore::StyleResolver::styleForElement(WebCore::Element*, WebCore::RenderStyle*, WebCore::StyleSharingBehavior, WebCore::RuleMatchingBehavior, WebCore::RenderRegion const*) + 1251 (StyleResolver.cpp:803)
4   com.apple.WebCore                 0x00000001193739f6 WebCore::SVGElement::customStyleForRenderer(WebCore::RenderStyle&) + 150 (SVGElement.cpp:790)
5   com.apple.WebCore                 0x00000001192e796a WebCore::Style::styleForElement(WebCore::Element&, WebCore::RenderStyle&) + 106 (StyleResolveTree.cpp:259)
6   com.apple.WebCore                 0x00000001192e59f2 WebCore::Style::resolveLocal(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WebCore::Style::Change) + 146 (StyleResolveTree.cpp:749)
7   com.apple.WebCore                 0x00000001192e342d WebCore::Style::resolveTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WebCore::Style::Change) + 301 (StyleResolveTree.cpp:918)
8   com.apple.WebCore                 0x00000001192e368b WebCore::Style::resolveTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WebCore::Style::Change) + 907 (StyleResolveTree.cpp:957)
9   com.apple.WebCore                 0x00000001192e368b WebCore::Style::resolveTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WebCore::Style::Change) + 907 (StyleResolveTree.cpp:957)
10  com.apple.WebCore                 0x00000001192e368b WebCore::Style::resolveTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WebCore::Style::Change) + 907 (StyleResolveTree.cpp:957)
11  com.apple.WebCore                 0x00000001192e32ea WebCore::Style::resolveTree(WebCore::Document&, WebCore::Style::Change) + 474 (StyleResolveTree.cpp:996)
12  com.apple.WebCore                 0x0000000117b72996 WebCore::Document::recalcStyle(WebCore::Style::Change) + 470 (Document.cpp:1798)
13  com.apple.WebCore                 0x0000000117b6eadf WebCore::Document::updateStyleIfNeeded() + 431 (Document.cpp:1841)
14  com.apple.WebCore                 0x0000000117ecb6a2 WebCore::FrameLoader::stopLoading(WebCore::UnloadEventPolicy) + 1218 (FrameLoader.cpp:473)
15  com.apple.WebCore                 0x0000000117ecbbef WebCore::FrameLoader::closeURL() + 111 (FrameLoader.cpp:547)
16  com.apple.WebCore                 0x0000000117ed5d75 WebCore::FrameLoader::detachFromParent() + 53 (FrameLoader.cpp:2486)
17  com.apple.WebCore                 0x0000000117ed61fb WebCore::FrameLoader::frameDetached() + 59 (FrameLoader.cpp:2479)
18  com.apple.WebCore                 0x00000001193d33b1 WebCore::SVGImage::~SVGImage() + 561 (SVGImage.cpp:60)
19  com.apple.WebCore                 0x00000001193d3795 WebCore::SVGImage::~SVGImage() + 21 (SVGImage.cpp:65)
20  com.apple.WebCore                 0x00000001193d37b9 WebCore::SVGImage::~SVGImage() + 25 (SVGImage.cpp:56)
21  com.apple.WebCore                 0x00000001177c4113 WTF::RefCounted<WebCore::Image>::deref() + 83 (RefCounted.h:146)
22  com.apple.WebCore                 0x00000001177c40b1 void WTF::derefIfNotNull<WebCore::Image>(WebCore::Image*) + 65 (PassRefPtr.h:41)
23  com.apple.WebCore                 0x00000001177fcf67 WTF::RefPtr<WebCore::Image>::clear() + 39 (RefPtr.h:110)
24  com.apple.WebCore                 0x00000001177f8c77 WebCore::CachedImage::clearImage() + 103 (CachedImage.cpp:365)
25  com.apple.WebCore                 0x00000001177f668d WebCore::CachedImage::~CachedImage() + 61 (CachedImage.cpp:108)
26  com.apple.WebCore                 0x00000001177f67b5 WebCore::CachedImage::~CachedImage() + 21 (CachedImage.cpp:108)
27  com.apple.WebCore                 0x00000001177f6809 WebCore::CachedImage::~CachedImage() + 25 (CachedImage.cpp:106)
28  com.apple.WebCore                 0x000000011780423e WebCore::CachedResource::deleteIfPossible() + 94 (CachedResource.cpp:487)
29  com.apple.WebCore                 0x0000000117804f4e WebCore::CachedResource::unregisterHandle(WebCore::CachedResourceHandleBase*) + 174 (CachedResource.cpp:666)
30  com.apple.WebCore                 0x000000011781098a WebCore::CachedResourceHandleBase::setResource(WebCore::CachedResource*) + 74 (CachedResourceHandle.cpp:64)
31  com.apple.WebCore                 0x0000000117815ce7 WebCore::CachedResourceHandle<WebCore::CachedResource>::operator=(WebCore::CachedResourceHandle<WebCore::CachedResource> const&) + 55 (CachedResourceHandle.h:73)
32  com.apple.WebCore                 0x0000000117811e07 WebCore::CachedResourceLoader::requestResource(WebCore::CachedResource::Type, WebCore::CachedResourceRequest&) + 1287 (CachedResourceLoader.cpp:478)
33  com.apple.WebCore                 0x0000000117812820 WebCore::CachedResourceLoader::requestSVGDocument(WebCore::CachedResourceRequest&) + 64 (CachedResourceLoader.cpp:246)
34  com.apple.WebCore                 0x0000000117822035 WebCore::CachedSVGDocumentReference::load(WebCore::CachedResourceLoader*) + 309 (CachedSVGDocumentReference.cpp:64)
35  com.apple.WebCore                 0x00000001192c70ff WebCore::StyleResolver::loadPendingSVGDocuments() + 527 (StyleResolver.cpp:3403)
36  com.apple.WebCore                 0x00000001192c13f7 WebCore::StyleResolver::loadPendingResources() + 183 (StyleResolver.cpp:3770)
37  com.apple.WebCore                 0x00000001192bb0a2 WebCore::StyleResolver::applyMatchedProperties(WebCore::StyleResolver::MatchResult const&, WebCore::Element const*, WebCore::StyleResolver::ShouldUseMatchedPropertiesCache) + 1906 (StyleResolver.cpp:1827)
38  com.apple.WebCore                 0x00000001192b8ca3 WebCore::StyleResolver::styleForElement(WebCore::Element*, WebCore::RenderStyle*, WebCore::StyleSharingBehavior, WebCore::RuleMatchingBehavior, WebCore::RenderRegion const*) + 1251 (StyleResolver.cpp:803)
39  com.apple.WebCore                 0x00000001192e7a32 WebCore::Style::styleForElement(WebCore::Element&, WebCore::RenderStyle&) + 306 (StyleResolveTree.cpp:263)
40  com.apple.WebCore                 0x00000001192e6bb0 WebCore::Style::createRendererIfNeeded(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) + 208 (StyleResolveTree.cpp:288)
41  com.apple.WebCore                 0x00000001192e6777 WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) + 263 (StyleResolveTree.cpp:615)
42  com.apple.WebCore                 0x00000001192e717b WebCore::Style::attachChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&) + 347 (StyleResolveTree.cpp:484)
43  com.apple.WebCore                 0x00000001192e6849 WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) + 473 (StyleResolveTree.cpp:631)
44  com.apple.WebCore                 0x00000001192e717b WebCore::Style::attachChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&) + 347 (StyleResolveTree.cpp:484)
45  com.apple.WebCore                 0x00000001192e6849 WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) + 473 (StyleResolveTree.cpp:631)
46  com.apple.WebCore                 0x00000001192e5af0 WebCore::Style::resolveLocal(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WebCore::Style::Change) + 400 (StyleResolveTree.cpp:756)
47  com.apple.WebCore                 0x00000001192e342d WebCore::Style::resolveTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WebCore::Style::Change) + 301 (StyleResolveTree.cpp:918)
48  com.apple.WebCore                 0x00000001192e32ea WebCore::Style::resolveTree(WebCore::Document&, WebCore::Style::Change) + 474 (StyleResolveTree.cpp:996)
49  com.apple.WebCore                 0x0000000117b72996 WebCore::Document::recalcStyle(WebCore::Style::Change) + 470 (Document.cpp:1798)
50  com.apple.WebCore                 0x0000000117b6eadf WebCore::Document::updateStyleIfNeeded() + 431 (Document.cpp:1841)
51  com.apple.WebCore                 0x0000000117b7f472 WebCore::Document::finishedParsing() + 450 (Document.cpp:4613)
52  com.apple.WebCore                 0x0000000118027c68 WebCore::HTMLConstructionSite::finishedParsing() + 24 (HTMLConstructionSite.cpp:396)
53  com.apple.WebCore                 0x0000000118160e17 WebCore::HTMLTreeBuilder::finished() + 183 (HTMLTreeBuilder.cpp:3010)
54  com.apple.WebCore                 0x0000000118056dee WebCore::HTMLDocumentParser::end() + 190 (HTMLDocumentParser.cpp:440)
55  com.apple.WebCore                 0x0000000118054e53 WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() + 275 (HTMLDocumentParser.cpp:451)
56  com.apple.WebCore                 0x0000000118054c60 WebCore::HTMLDocumentParser::prepareToStopParsing() + 288 (HTMLDocumentParser.cpp:166)
57  com.apple.WebCore                 0x0000000118056e43 WebCore::HTMLDocumentParser::attemptToEnd() + 67 (HTMLDocumentParser.cpp:463)
58  com.apple.WebCore                 0x0000000118056e98 WebCore::HTMLDocumentParser::finish() + 72 (HTMLDocumentParser.cpp:491)
59  com.apple.WebCore                 0x0000000117c0100a WebCore::DocumentWriter::end() + 346 (DocumentWriter.cpp:247)
60  com.apple.WebCore                 0x0000000117bc89d3 WebCore::DocumentLoader::finishedLoading(double) + 1587 (DocumentLoader.cpp:441)
61  com.apple.WebCore                 0x0000000117bc830e WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource*) + 270 (DocumentLoader.cpp:375)
62  com.apple.WebCore                 0x0000000117803262 WebCore::CachedResource::checkNotify() + 130 (CachedResource.cpp:293)
63  com.apple.WebCore                 0x0000000117803374 WebCore::CachedResource::finishLoading(WebCore::SharedBuffer*) + 52 (CachedResource.cpp:310)
64  com.apple.WebCore                 0x00000001177fed1a WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) + 218 (CachedRawResource.cpp:105)

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20141212/ace00d9a/attachment-0002.html>

More information about the webkit-unassigned mailing list