[Webkit-unassigned] [Bug 168655] REGRESSION(r207669): Crash after mutating selector text

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Feb 21 23:41:02 PST 2017


https://bugs.webkit.org/show_bug.cgi?id=168655

--- Comment #11 from Antti Koivisto <koivisto at iki.fi> ---
Looks like extension stylesheets may trigger a synchronous call to Style::Scope::scheduleUpdate from flushPendingUpdate, deleting the resolver.

(lldb) bt 20
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xbbadbeef)
  * frame #0: JavaScriptCore`::WTFCrash() at Assertions.cpp:323
    frame #1: WebCore`WebCore::Style::Scope::scheduleUpdate(this=0x000000011db36c60, update=ContentsOrInterpretation) at StyleScope.cpp:526
    frame #2: WebCore`WebCore::Style::Scope::didChangeStyleSheetEnvironment(this=0x000000011db36c60) at StyleScope.cpp:560
    frame #3: WebCore`WebCore::ExtensionStyleSheets::addDisplayNoneSelector(this=0x000000011dbdc540, identifier=0x000000011dab5900, selector=0x000000011dab5910, selectorID=15) at ExtensionStyleSheets.cpp:181
    frame #4: WebCore`WebCore::ContentExtensions::ContentExtensionsBackend::processContentExtensionRulesForLoad(this=0x000000011dbb70f0, url=0x00007fff588c9fc0, resourceType=Font, initiatingDocumentLoader=0x000000011db20000) at ContentExtensionsBackend.cpp:186
    frame #5: WebCore`WebCore::UserContentProvider::processContentExtensionRulesForLoad(this=0x000000011dbb7000, url=0x00007fff588c9fc0, resourceType=Font, initiatingDocumentLoader=0x000000011db20000) at UserContentProvider.cpp:108
    frame #6: WebCore`WebCore::CachedResourceLoader::requestResource(this=0x000000011db36b40, type=FontResource, request=0x00007fff588c9fc0, forPreload=No, defer=NoDefer) at CachedResourceLoader.cpp:692
    frame #7: WebCore`WebCore::CachedResourceLoader::requestFont(this=0x000000011db36b40, request=0x00007fff588c9fc0, isSVG=false) at CachedResourceLoader.cpp:204
    frame #8: WebCore`WebCore::CSSFontFaceSrcValue::cachedFont(this=0x000000011dac2508, document=0x0000000120df4000, isSVG=false, isInitiatingElementInUserAgentShadowTree=false) at CSSFontFaceSrcValue.cpp:105
    frame #9: WebCore`WebCore::CSSFontFace::appendSources(fontFace=0x000000011db6a7e0, srcList=0x000000011daac280, document=0x0000000120df4000, isInitiatingElementInUserAgentShadowTree=false) at CSSFontFace.cpp:79
    frame #10: WebCore`WebCore::CSSFontSelector::addFontFaceRule(this=0x000000011db6a540, fontFaceRule=0x000000011daae0c0, isInitiatingElementInUserAgentShadowTree=false) at CSSFontSelector.cpp:202
    frame #11: WebCore`WebCore::RuleSet::addChildRules(this=0x000000011db5f800, rules=0x000000011db8b328, medium=0x000000011db27790, resolver=0x000000011db27500, hasDocumentSecurityOrigin=true, isInitiatingElementInUserAgentShadowTree=false, addRuleFlags=RuleHasDocumentSecurityOrigin) at RuleSet.cpp:388
    frame #12: WebCore`WebCore::RuleSet::addRulesFromSheet(this=0x000000011db5f800, sheet=0x000000011db8b2e8, medium=0x000000011db27790, resolver=0x000000011db27500) at RuleSet.cpp:420
    frame #13: WebCore`WebCore::DocumentRuleSets::appendAuthorStyleSheets(this=0x000000011db27500, styleSheets=0x00007fff588cac08, medium=0x000000011db27790, inspectorCSSOMWrappers=0x000000011db277f8, resolver=0x000000011db27500) at DocumentRuleSets.cpp:96
    frame #14: WebCore`WebCore::StyleResolver::appendAuthorStyleSheets(this=0x000000011db27500, styleSheets=0x00007fff588cac08) at StyleResolver.cpp:284
    frame #15: WebCore`WebCore::Style::Scope::updateStyleResolver(this=0x000000011db36c60, activeStyleSheets=0x00007fff588cad78, updateType=Additive) at StyleScope.cpp:463
    frame #16: WebCore`WebCore::Style::Scope::updateActiveStyleSheets(this=0x000000011db36c60, updateType=ActiveSet) at StyleScope.cpp:415
    frame #17: WebCore`WebCore::Style::Scope::flushPendingSelfUpdate(this=0x000000011db36c60) at StyleScope.cpp:506
    frame #18: WebCore`WebCore::Style::Scope::flushPendingUpdate(this=0x000000011db36c60) at StyleScope.h:172

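As an added illustration (not code from the bug report or from WebKit), a small C++ model of the re-entrancy the backtrace shows: the names Scope, Resolver, scheduleUpdate, addFontFaceRule and flushPendingUpdate mirror the frames above, while the guard flag and the deferral it enables are assumptions, not WebKit's actual fix.

```cpp
#include <memory>
#include <string>
#include <vector>

// Hypothetical model (not WebKit code) of the re-entrancy in the backtrace above:
// flushing a pending update rebuilds the resolver, and adding a @font-face rule
// synchronously runs content-extension rules that may call scheduleUpdate and
// destroy the resolver while the rebuild is still using it.
struct Resolver { std::vector<std::string> rules; };
struct Scope {
    std::unique_ptr<Resolver> resolver;
    bool pendingUpdate = true;
    bool isUpdatingResolver = false;   // guard consulted only on the hardened path
    bool guarded;
    std::vector<std::string> sheets = { "base.css", "fonts.css" }; // constructed sample
    explicit Scope(bool useGuard) : guarded(useGuard) {}
    // Stands in for scheduleUpdate(ContentsOrInterpretation).
    void scheduleUpdate() {
        pendingUpdate = true;
        if (guarded && isUpdatingResolver)
            return;                      // hardened: defer, the resolver is in use up the stack
        resolver.reset();                // unguarded: delete it immediately
    }
    // Stands in for addFontFaceRule -> requestFont -> processContentExtensionRulesForLoad
    // -> addDisplayNoneSelector -> didChangeStyleSheetEnvironment (all synchronous).
    void addFontFaceRule() { scheduleUpdate(); }
    // Stands in for flushPendingUpdate -> updateActiveStyleSheets -> updateStyleResolver.
    // Returns false when the resolver being filled was destroyed under it.
    bool flushPendingUpdate() {
        if (!pendingUpdate) return true;
        pendingUpdate = false;
        resolver = std::make_unique<Resolver>();
        Resolver* inUse = resolver.get();   // the pointer the frames above keep using
        isUpdatingResolver = true;
        for (const auto& sheet : sheets) {
            if (sheet == "fonts.css") addFontFaceRule();
            // Dangling pointer: real code would touch freed memory from here on.
            if (resolver.get() != inUse) { isUpdatingResolver = false; return false; }
            inUse->rules.push_back(sheet);
        }
        isUpdatingResolver = false;
        return true;
    }
};

bool crashesWithoutGuard() { Scope s(false); return !s.flushPendingUpdate(); }
// With the guard the flush completes and the deferred update is still pending.
bool survivesWithGuard() { Scope s(true); return s.flushPendingUpdate() && s.pendingUpdate; }
```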