[Webkit-unassigned] [Bug 138745] New: Crash in WebCore::StyleResolver::loadPendingImages()

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Nov 14 11:02:13 PST 2014


https://bugs.webkit.org/show_bug.cgi?id=138745

            Bug ID: 138745
           Summary: Crash in WebCore::StyleResolver::loadPendingImages()
    Classification: Unclassified
           Product: WebKit
           Version: 528+ (Nightly build)
          Hardware: iOS
                OS: iOS 8.1
            Status: NEW
          Severity: Major
          Priority: P2
         Component: HTML DOM
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: stuartmorgan at chromium.org

A significant source of UIWebView-related crashes in Chrome for iOS (based on automated crash collection) is a stack that looks like this, or some similar variation with the same top:

Thread 18 CRASHED [EXC_BAD_ACCESS / KERN_INVALID_ADDRESS @ 0xffffffffc2c80000] MAGIC SIGNATURE THREAD
0x320a8cc2    [WebCore + 0x0000ecc2 ]    WebCore::StyleResolver::loadPendingImages()
0x320d9a55    [WebCore + 0x0003fa55 ]    WebCore::CachedResourceRequest::~CachedResourceRequest()
0x329c321f    [WebCore + 0x0092921f ]    WebCore::StyleResolver::applyMatchedProperties(WebCore::StyleResolver::MatchResult const&, WebCore::Element const*, WebCore::StyleResolver::ShouldUseMatchedPropertiesCache)
0x320a9eb5    [WebCore + 0x0000feb5 ]    WebCore::StyleResolver::styleForElement(WebCore::Element*, WebCore::RenderStyle*, WebCore::StyleSharingBehavior, WebCore::RuleMatchingBehavior, WebCore::RenderRegion*)
0x32157b3b    [WebCore + 0x000bdb3b ]    WebCore::Document::styleForElementIgnoringPendingStylesheets(WebCore::Element*)
0x32157a37    [WebCore + 0x000bda37 ]    WebCore::Element::computedStyle(WebCore::PseudoId)
0x322fe2a9    [WebCore + 0x002642a9 ]    WebCore::computeRenderStyleForProperty(WebCore::Node*, WebCore::PseudoId, WebCore::CSSPropertyID)
0x32190d23    [WebCore + 0x000f6d23 ]    WebCore::ComputedStyleExtractor::propertyValue(WebCore::CSSPropertyID, WebCore::EUpdateLayout) const
0x32190bd3    [WebCore + 0x000f6bd3 ]    WebCore::CSSComputedStyleDeclaration::getPropertyCSSValueInternal(WebCore::CSSPropertyID)
0x32190333    [WebCore + 0x000f6333 ]    WebCore::JSCSSStyleDeclaration::getOwnPropertySlotDelegate(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&)
0x325c3a51    [WebCore + 0x00529a51 ]    WebCore::JSCSSStyleDeclaration::getOwnPropertySlot(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&)
0x27e0c65b    [JavaScriptCore + 0x0006665b ]    JSC::LLInt::getByVal(JSC::ExecState*, JSC::JSValue, JSC::JSValue)
0x27defe21    [JavaScriptCore + 0x00049e21 ]    llint_slow_path_get_by_val
0x2801bc4f    [JavaScriptCore + 0x00275c4f ]    llint_entry
0x2801de77    [JavaScriptCore + 0x00277e77 ]    llint_entry
0x2801de77    [JavaScriptCore + 0x00277e77 ]    llint_entry
0x2801dec5    [JavaScriptCore + 0x00277ec5 ]    llint_entry
0x2801dec5    [JavaScriptCore + 0x00277ec5 ]    llint_entry
0x28018d7d    [JavaScriptCore + 0x00272d7d ]    callToJavaScript
0x27fa9653    [JavaScriptCore + 0x00203653 ]    JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
0x27df94ad    [JavaScriptCore + 0x000534ad ]    JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
0x27eecb0f    [JavaScriptCore + 0x00146b0f ]    JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, JSC::JSValue*)
0x321f9e81    [WebCore + 0x0015fe81 ]    WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*)
0x321cb299    [WebCore + 0x00131299 ]    WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul, WTF::CrashOnOverflow>&)
0x321281d1    [WebCore + 0x0008e1d1 ]    WebCore::EventTarget::fireEventListeners(WebCore::Event*)
0x324121ad    [WebCore + 0x003781ad ]    WebCore::EventDispatcher::dispatchEvent(WebCore::Node*, WTF::PassRefPtr<WebCore::Event>)
0x32128063    [WebCore + 0x0008e063 ]    WebCore::Node::dispatchEvent(WTF::PassRefPtr<WebCore::Event>)
0x323711a1    [WebCore + 0x002d71a1 ]    WebCore::DocumentEventQueue::dispatchEvent(WebCore::Event&)
0x321d2da5    [WebCore + 0x00138da5 ]    WebCore::DocumentEventQueue::pendingEventTimerFired()
0x320b7a13    [WebCore + 0x0001da13 ]    WebCore::ThreadTimers::sharedTimerFiredInternal()
0x320b7967    [WebCore + 0x0001d967 ]    WebCore::timerFired(__CFRunLoopTimer*, void*)
0x26bae515    [CoreFoundation + 0x000ce515 ]    __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__

We've had some luck with the following repro steps:
1. Open Chrome on iOS
2. Load www.smh.com.au
3. Open any article
4. Scroll through the page, then press the browser back button
but it's not completely reliable. If there's any more useful information we can provide from our aggregate data, please let us know.

This stack is from iOS 8.1, but crashes with essentially the same top frames date back to at least iOS 7.

This is also filed as rdar://12708566
