[Webkit-unassigned] [Bug 223379] New: Crash viewing any stock on finance.google.com in WebCore::TranslateTransformOperation::~TranslateTransformOperation

bugzilla-daemon at webkit.org
Wed Mar 17 08:22:05 PDT 2021


https://bugs.webkit.org/show_bug.cgi?id=223379

            Bug ID: 223379
           Summary: Crash viewing any stock on finance.google.com in WebCore::TranslateTransformOperation::~TranslateTransformOperation
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: CSS
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mcatanzaro at gnome.org

Try to look up any stock on finance.google.com. WebKit will crash pretty deep in CSS code. Here is a backtrace using WebKitGTK 2.31.91:

Core was generated by `/usr/libexec/webkit2gtk-4.0/WebKitWebProcess 454 95'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  WTF::RefCountedBase::derefBase (this=0x552076e) at DerivedSources/ForwardingHeaders/wtf/RefCounted.h:187
187         void deref() const
[Current thread is 1 (Thread 0x7fd164e359c0 (LWP 2))]
(gdb) bt
#0  WTF::RefCountedBase::derefBase() const (this=0x552076e) at DerivedSources/ForwardingHeaders/wtf/RefCounted.h:187
#1  WTF::RefCounted<WebCore::CalculationValue, std::default_delete<WebCore::CalculationValue> >::deref() const
    (this=0x552076e) at DerivedSources/ForwardingHeaders/wtf/RefCounted.h:189
#2  WTF::Ref<WebCore::CalculationValue, WTF::RawPtrTraits<WebCore::CalculationValue> >::~Ref()
    (this=<synthetic pointer>, __in_chrg=<optimized out>) at DerivedSources/ForwardingHeaders/wtf/Ref.h:61
#3  WebCore::CalculationValueMap::deref(unsigned int)
    (handle=<optimized out>, this=0x7fd16f0a6de0 <WebCore::calculationValues()::map>)
    at ../Source/WebCore/platform/Length.cpp:232
#4  WebCore::Length::deref() const (this=this at entry=0x7fcf7aaeb310) at ../Source/WebCore/platform/Length.cpp:266
#5  0x00007fd16da4aad0 in WebCore::Length::~Length() (this=<optimized out>, __in_chrg=<optimized out>)
    at ../Source/WebCore/platform/Length.h:219
#6  WebCore::TranslateTransformOperation::~TranslateTransformOperation()
    (this=0x7fcf7aaeb2f8, __in_chrg=<optimized out>)
    at ../Source/WebCore/platform/graphics/transforms/TranslateTransformOperation.h:34
#7  WebCore::TranslateTransformOperation::~TranslateTransformOperation()
    (this=0x7fcf7aaeb2f8, __in_chrg=<optimized out>)
    at ../Source/WebCore/platform/graphics/transforms/TranslateTransformOperation.h:34
#8  0x00007fd16cd170df in std::default_delete<WebCore::TransformOperation>::operator()(WebCore::TransformOperation*) const (__ptr=<optimized out>, this=<optimized out>) at /usr/include/c++/10.2.0/bits/unique_ptr.h:79
#9  WTF::RefCounted<WebCore::TransformOperation, std::default_delete<WebCore::TransformOperation> >::deref() const
    (this=<optimized out>) at DerivedSources/ForwardingHeaders/wtf/RefCounted.h:190
#10 WTF::RefCounted<WebCore::TransformOperation, std::default_delete<WebCore::TransformOperation> >::deref() const
    (this=<optimized out>) at DerivedSources/ForwardingHeaders/wtf/RefCounted.h:187
#11 WTF::DefaultRefDerefTraits<WebCore::TransformOperation>::derefIfNotNull(WebCore::TransformOperation*)
    (ptr=<optimized out>) at DerivedSources/ForwardingHeaders/wtf/RefPtr.h:42
#12 WTF::RefPtr<WebCore::TransformOperation, WTF::RawPtrTraits<WebCore::TransformOperation>, WTF::DefaultRefDerefTraits<WebCore::TransformOperation> >::~RefPtr() (this=0x7fd04c258480, __in_chrg=<optimized out>)
    at DerivedSources/ForwardingHeaders/wtf/RefPtr.h:73
#13 WTF::VectorDestructor<true, WTF::RefPtr<WebCore::TransformOperation, WTF::RawPtrTraits<WebCore::TransformOperation>, WTF::DefaultRefDerefTraits<WebCore::TransformOperation> > >::destruct(WTF::RefPtr<WebCore::TransformOperation, WTF::RawPtrTraits<WebCore::TransformOperation>, WTF::DefaultRefDerefTraits<WebCore::TransformOperation> >*, WTF::RefPtr<WebCore::TransformOperation, WTF::RawPtrTraits<WebCore::TransformOperation>, WTF::DefaultRefDerefTraits<WebCore::TransformOperation> >*) (end=0x7fd04c258488, begin=<optimized out>) at DerivedSources/ForwardingHeaders/wtf/Vector.h:67
#14 WTF::VectorTypeOperations<WTF::RefPtr<WebCore::TransformOperation, WTF::RawPtrTraits<WebCore::TransformOperation>, WTF::DefaultRefDerefTraits<WebCore::TransformOperation> > >::destruct(WTF::RefPtr<WebCore::TransformOperation, WTF::RawPtrTraits<WebCore::TransformOperation>, WTF::DefaultRefDerefTraits<WebCore::TransformOperation> >*, WTF::RefPtr<WebCore::TransformOperation, WTF::RawPtrTraits<WebCore::TransformOperation>, WTF::DefaultRefDerefTraits<WebCore::TransformOperation> >*) (end=0x7fd04c258488, begin=<optimized out>) at DerivedSources/ForwardingHeaders/wtf/Vector.h:243
#15 WTF::Vector<WTF::RefPtr<WebCore::TransformOperation, WTF::RawPtrTraits<WebCore::TransformOperation>, WTF::DefaultRefDerefTraits<WebCore::TransformOperation> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::~Vector()
    (this=0x7ffedbf24b90, __in_chrg=<optimized out>) at DerivedSources/ForwardingHeaders/wtf/Vector.h:676
#16 WebCore::TransformOperations::~TransformOperations() (this=0x7ffedbf24b90, __in_chrg=<optimized out>)
    at ../Source/WebCore/platform/graphics/transforms/TransformOperations.h:34
#17 WebCore::Style::BuilderFunctions::applyValueTransform(WebCore::Style::BuilderState&, WebCore::CSSValue&)
    (builderState=..., value=...) at DerivedSources/WebCore/StyleBuilderGenerated.cpp:3392
#18 0x00007fd16ddabe69 in WebCore::Style::Builder::applyProperty(WebCore::CSSPropertyID, WebCore::CSSValue&, WebCore::SelectorChecker::LinkMatchMask) (this=<optimized out>, id=<optimized out>, value=..., linkMatchMask=<optimized out>)
    at DerivedSources/ForwardingHeaders/wtf/RawPtrTraits.h:43
#19 0x00007fd16ddad7f8 in WebCore::Style::Builder::applyCascadeProperty(WebCore::Style::PropertyCascade::Property const&)::{lambda(WebCore::SelectorChecker::LinkMatchMask)#1}::operator()(WebCore::SelectorChecker::LinkMatchMask) const
    (linkMatch=WebCore::SelectorChecker::MatchLink, __closure=<synthetic pointer>)
    at ../Source/WebCore/style/StyleBuilder.cpp:252
#20 WebCore::Style::Builder::applyCascadeProperty(WebCore::Style::PropertyCascade::Property const&) (property=..., this=0x7ffedbf24d60) at ../Source/WebCore/style/StyleBuilder.cpp:261
#21 WebCore::Style::Builder::applyPropertiesImpl<(WebCore::Style::Builder::CustomPropertyCycleTracking)1>(int, int) (lastProperty=<optimized out>, firstProperty=<optimized out>, this=<optimized out>) at ../Source/WebCore/style/StyleBuilder.cpp:175
#22 WebCore::Style::Builder::applyProperties(int, int) (this=this at entry=0x7ffedbf24d60, firstProperty=firstProperty at entry=31, lastProperty=lastProperty at entry=476) at ../Source/WebCore/style/StyleBuilder.cpp:143
#23 0x00007fd16ddada2f in WebCore::Style::Builder::applyLowPriorityProperties() (this=this at entry=0x7ffedbf24d60) at ../Source/WebCore/style/StyleBuilder.cpp:118
#24 0x00007fd16ddb76c8 in WebCore::Style::Resolver::applyMatchedProperties(WebCore::Style::Resolver::State&, WebCore::Style::MatchResult const&, WebCore::Style::Resolver::UseMatchedDeclarationsCache) (this=this at entry=0x7fcf7cc18cf0, state=..., matchResult=..., useMatchedDeclarationsCache=useMatchedDeclarationsCache at entry=WebCore::Style::Resolver::UseMatchedDeclarationsCache::Yes) at ../Source/WebCore/style/StyleResolver.cpp:554
#25 0x00007fd16ddb90a7 in WebCore::Style::Resolver::styleForElement(WebCore::Element const&, WebCore::RenderStyle const*, WebCore::RenderStyle const*, WebCore::RuleMatchingBehavior, WebCore::SelectorFilter const*) (this=this at entry=0x7fcf7cc18cf0, element=..., parentStyle=parentStyle at entry=0x7fd030456160, parentBoxStyle=<optimized out>, matchingBehavior=matchingBehavior at entry=WebCore::RuleMatchingBehavior::MatchAllRules, selectorFilter=<optimized out>) at ../Source/WebCore/style/StyleResolver.cpp:241
#26 0x00007fd16ddc5e48 in WebCore::Style::TreeResolver::styleForStyleable(WebCore::Styleable const&, WebCore::RenderStyle const&) (this=0x7ffedbf2ba00, styleable=..., inheritedStyle=...) at ../Source/WebCore/style/StyleTreeResolver.h:91
#27 0x00007fd16ddc7a4a in WebCore::Style::TreeResolver::resolveElement(WebCore::Element&) (this=0x7ffedbf2ba00, element=...) at DerivedSources/ForwardingHeaders/wtf/Vector.h:343
#28 0x00007fd16ddc84af in WebCore::Style::TreeResolver::resolveComposedTree() (this=0x7ffedbf2ba00) at ../Source/WebCore/style/StyleTreeResolver.cpp:533
#29 0x00007fd16ddc8f89 in WebCore::Style::TreeResolver::resolve() (this=this at entry=0x7ffedbf2ba00) at ../Source/WebCore/style/StyleTreeResolver.cpp:591
#30 0x00007fd16d28dbc9 in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) (this=0x7fd164158e20, type=<optimized out>) at ../Source/WebCore/dom/Document.cpp:2056
#31 0x00007fd16d28e340 in WebCore::Document::updateStyleIfNeeded() (this=0x7fd164158e20) at ../Source/WebCore/dom/Document.cpp:2156
#32 0x00007fd16d28e456 in WebCore::Document::updateLayout() (this=0x7fd164158e20) at ../Source/WebCore/dom/Document.cpp:2177
#33 0x00007fd16d28eb26 in WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks) (this=0x7fd164158e20, runPostLayoutTasks=runPostLayoutTasks at entry=WebCore::Document::RunPostLayoutTasks::Asynchronously) at ../Source/WebCore/dom/Document.cpp:2197
#34 0x00007fd16d2ad8ac in WebCore::Element::scrollLeft() (this=0x7fd164159b80) at /usr/include/c++/10.2.0/bits/refwrap.h:337
#35 0x00007fd16c773f25 in WebCore::jsElement_scrollLeftGetter (thisObject=..., lexicalGlobalObject=...) at DerivedSources/WebCore/JSElement.cpp:2743
#36 WebCore::IDLAttribute<WebCore::JSElement>::get<WebCore::jsElement_scrollLeftGetter, (WebCore::CastedThisErrorBehavior)3> (attributeName=0x7fd16e366c4d "scrollLeft", thisValue=<optimized out>, lexicalGlobalObject=...) at ../Source/WebCore/bindings/js/JSDOMAttribute.h:67
#37 WebCore::jsElement_scrollLeft(JSC::JSGlobalObject*, JSC::EncodedJSValue, JSC::PropertyName) (lexicalGlobalObject=<optimized out>, thisValue=<optimized out>) at DerivedSources/WebCore/JSElement.cpp:2748
#38 0x00007fd16abf18d0 in JSC::PropertySlot::customGetter(JSC::JSGlobalObject*, JSC::PropertyName) const (this=<optimized out>, globalObject=globalObject at entry=0x7fd0c849a068, propertyName=..., propertyName at entry=...) at ../Source/JavaScriptCore/runtime/JSCJSValueInlines.h:219
#39 0x00007fd16a88dbbb in JSC::PropertySlot::getValue(JSC::JSGlobalObject*, JSC::PropertyName) const (propertyName=..., globalObject=0x7fd0c849a068, this=0x7ffedbf2c030) at ../Source/JavaScriptCore/runtime/PropertySlot.h:407
#40 JSC::JSValue::get(JSC::JSGlobalObject*, JSC::PropertyName, JSC::PropertySlot&) const (slot=..., propertyName=..., globalObject=0x7fd0c849a068, this=0x7ffedbf2bfe8) at ../Source/JavaScriptCore/runtime/JSCJSValueInlines.h:950
#41 JSC::LLInt::performLLIntGetByID(JSC::Instruction const*, JSC::CodeBlock*, JSC::JSGlobalObject*, JSC::JSValue, JSC::Identifier const&, JSC::GetByIdModeMetadata&) (pc=0x7fcf8408a464, codeBlock=0x7fcf7fa52400, globalObject=0x7fd0c849a068, baseValue=..., ident=..., metadata=...) at ../Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:759
#42 0x00007fd16a88ec3f in JSC::LLInt::llint_slow_path_get_by_id(JSC::CallFrame*, JSC::Instruction const*) (callFrame=0x7ffedbf2c260, pc=0x7fcf8408a464) at ../Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:833
#43 0x00007fd169ec32fa in llint_op_get_by_id () at /usr/lib/debug/source/sdk/webkitgtk.bst/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:97
#44 0xfffe000000000000 in  ()
#45 0xfffe000000000002 in  ()
#46 0x00007ffedbf2c260 in  ()
#47 0x00007fd169ed4aa7 in llint_op_call () at /usr/lib/debug/source/sdk/webkitgtk.bst/Source/JavaScriptCore/llint/LowLevelInterpreter.asm:1093
#48 0x00007fcf7fa52520 in  ()
#49 0x00007fd0e84f6c60 in  ()
#50 0xfffe000000000000 in  ()
#51 0x00007fd0e84e2a40 in  ()
#52 0x00007fd0186f0000 in  ()
#53 0x00007fd0e84f6920 in  ()
#54 0x00007fd0c84ff3c8 in  ()
#55 0x00007fd15eefc8d8 in  ()
#56 0x00007fd0186f0000 in  ()
#57 0x00007fd0186f0000 in  ()
#58 0x00007fcf7fcb4c10 in  ()
#59 0x00007fcf7fc49498 in  ()
#60 0xfffe000000000000 in  ()
#61 0xfffe000000000002 in  ()
#62 0x00007ffedbf2c310 in  ()
#63 0x00007fd169ed4aa7 in llint_op_call () at /usr/lib/debug/source/sdk/webkitgtk.bst/Source/JavaScriptCore/llint/LowLevelInterpreter.asm:1093
#64 0x00007fcf7fa52400 in  ()
#65 0x00007fd0e84f6c40 in  ()
#66 0x000000c400000002 in  ()
#67 0x00007fd0e84e2a40 in  ()
#68 0x00007fd0c84ff3c8 in  ()
#69 0x0000000000000000 in  ()

Full backtrace attached.
