[Webkit-unassigned] [Bug 200635] Crash in Document::updateResizeObservations()

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Aug 14 09:23:26 PDT 2019 

https://bugs.webkit.org/show_bug.cgi?id=200635

Said Abou-Hallawa <sabouhallawa at apple.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sabouhallawa at apple.com

--- Comment #4 from Said Abou-Hallawa <sabouhallawa at apple.com> ---
Here is a more detailed crash call stack:

Thread[0] EXC_BAD_ACCESS (SIGSEGV) (KERN_INVALID_ADDRESS at 0x0000000000000008)
Getting symbols for 28C4435F-393E-3FBC-87E7-9CFEBA0FAB85 /System/Library/PrivateFrameworks/WebCore.framework/WebCore... ok
[  0] 0x00000001c2abda8c WebCore`WebCore::Document::updateResizeObservations(WebCore::Page&) [inlined] WebCore::ResizeObserver::WeakValueType* WTF::WeakPtrImpl::get<WebCore::ResizeObserver>() at WeakPtr.h:64:56

     0x00000001c2abda7c:      cmn x21, #0x1            ; =0x1 
     0x00000001c2abda80:     b.eq 0xe2cb20             ; <+304> [inlined] WebCore::Document::hasSkippedResizeObservations() const at Document.cpp:7559
     0x00000001c2abda84:     tbnz w8, #0x0, 0xe2cab0   ; <+192> at Document.cpp:7556:14
     0x00000001c2abda88:      ldr x9, [x23]
 ->  0x00000001c2abda8c:      ldr x8, [x9, #0x8]
     0x00000001c2abda90:      ldr w10, [x8, #0x4c]
     0x00000001c2abda94:      cbz w10, 0xe2caa4        ; <+180> [inlined] WebCore::Document::deliverResizeObservations() + 32 at Document.cpp:7555
     0x00000001c2abda98:      cmp x9, #0x0             ; =0x0 
     0x00000001c2abda9c:     csel x0, xzr, x8, eq

[  0] 0x00000001c2abda8c WebCore`WebCore::Document::updateResizeObservations(WebCore::Page&) [inlined] WTF::WeakPtr<WebCore::ResizeObserver>::get() const + 4 at WeakPtr.h:89
[  0] 0x00000001c2abda88 WebCore`WebCore::Document::updateResizeObservations(WebCore::Page&) [inlined] WTF::WeakPtr<WebCore::ResizeObserver>::operator->() const at WeakPtr.h:96
[  0] 0x00000001c2abda88 WebCore`WebCore::Document::updateResizeObservations(WebCore::Page&) [inlined] WebCore::Document::deliverResizeObservations() + 4 at Document.cpp:7523
       7519     
       7520     void Document::deliverResizeObservations()
       7521     {
       7522         for (const auto& observer : m_resizeObservers) {
    -> 7523             if (!observer->hasActiveObservations())
       7524                 continue;
       7525             observer->deliverObservations();
       7526         }
       7527     }

[  0] 0x00000001c2abda84 WebCore`WebCore::Document::updateResizeObservations(WebCore::Page&) + 148 at Document.cpp:7555
[  1] 0x00000001c2abdaa3 WebCore`WebCore::Document::updateResizeObservations(WebCore::Page&) [inlined] WebCore::Document::deliverResizeObservations() + 31 at Document.cpp:7525:19
[  1] 0x00000001c2abda84 WebCore`WebCore::Document::updateResizeObservations(WebCore::Page&) + 148 at Document.cpp:7555
[  2] 0x00000001c2f82d67 WebCore`WebCore::Page::updateRendering() + 363 at Page.cpp:1313:19
Getting symbols for DADAF4DE-FBC2-32FF-A641-4CC6D9432DDD /System/Library/Frameworks/WebKit.framework/WebKit... ok
[  3] 0x00000001c1760317 WebKit`WebKit::RemoteLayerTreeDrawingArea::flushLayers() + 131 at RemoteLayerTreeDrawingArea.mm:374:15
[  4] 0x00000001c302e6a3 WebCore`WebCore::ThreadTimers::sharedTimerFiredInternal() + 215 at ThreadTimers.cpp:129:23
[  5] 0x00000001c3051643 WebCore`WebCore::timerFired(__CFRunLoopTimer*, void*) + 27 at MainThreadSharedTimerCF.cpp:74:40
Getting symbols for 05D70723-5989-31E9-8633-F71B5D0F2CE1 /System/Library/Frameworks/CoreFoundation.framework/CoreFoundation... ok
[  6] 0x00000001ba1bb5b3 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 27 at CFRunLoop.c:1757:9
[  7] 0x00000001ba1bb2ef CoreFoundation`__CFRunLoopDoTimer + 879 at CFRunLoop.c:2348:2
[  8] 0x00000001ba1ba9bf CoreFoundation`__CFRunLoopDoTimers + 275 at CFRunLoop.c:2503:23
[  9] 0x00000001ba1b5afb CoreFoundation`__CFRunLoopRun + 1919 at CFRunLoop.c:0
[ 10] 0x00000001ba1b5053 CoreFoundation`CFRunLoopRunSpecific + 463 at CFRunLoop.c:3183:18
Getting symbols for 0C953B39-2D12-3FD6-B93A-902C7D918CB8 /System/Library/Frameworks/Foundation.framework/Foundation... ok
[ 11] 0x00000001ba4f38c3 Foundation`-[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 227 at NSRunLoop.m:374:5
[ 12] 0x00000001ba52d2d3 Foundation`-[NSRunLoop(NSRunLoop) run] + 87 at NSRunLoop.m:399:12
Getting symbols for 196D3B08-CA14-3696-B592-AA04A85F8BDF /usr/lib/system/libxpc.dylib... ok
[ 13] 0x00000001b9e1535f libxpc.dylib`_xpc_objc_main + 303 at main.m:179:3
[ 14] 0x00000001b9e17c9f libxpc.dylib`xpc_main + 147 at init.c:1568:2
[ 15] 0x00000001c184dc6b WebKit`WebKit::XPCServiceMain(int, char const**) + 359 at XPCServiceMain.mm:147:5
Getting symbols for 0C5E6B14-C214-3A21-B8DB-8372DF7297B5 /usr/lib/system/libdyld.dylib... ok
[ 16] 0x00000001ba040c7b libdyld.dylib`start + 3


Since m_resizeObservers is a Vector<WeakPtr<ResizeObserver>>, I think it is okay to have one of the pointers to be null. So maybe we need to change the condition in Document::deliverResizeObservations() to be:

    if (!observer || !observer->hasActiveObservations())

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20190814/a4bef2f5/attachment.html>

More information about the webkit-unassigned mailing list