[Webkit-unassigned] [Bug 242159] New: Crash under WebCore::Style::ElementRuleCollector::collectMatchingRules

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jun 29 19:26:51 PDT 2022 

https://bugs.webkit.org/show_bug.cgi?id=242159

            Bug ID: 242159
           Summary: Crash under
                    WebCore::Style::ElementRuleCollector::collectMatchingR
                    ules
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: CSS
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: Hironori.Fujii at sony.com
                CC: koivisto at iki.fi

I'm testing with WinCairo 251961 at main Debug build.
A crash happens in this page <https://mainichi.jp/articles/20220630/k00/00m/030/035000c>.

> WebKit2.dll!WTF::RawPtrTraits<WTF::StringImpl>::unwrap(WTF::StringImpl * const & ptr) Line 44	C++
> WebKit2.dll!WTF::RefPtr<WTF::StringImpl,WTF::RawPtrTraits<WTF::StringImpl>,WTF::DefaultRefDerefTraits<WTF::StringImpl>>::get() Line 76	C++
> WebKit2.dll!WTF::String::impl() Line 115	C++
> WebKit2.dll!WTF::AtomString::impl() Line 82	C++
> WebKit2.dll!WTF::AtomStringHash::hash(const WTF::AtomString & key) Line 39	C++
> WebKit2.dll!WTF::IdentityHashTranslator<WTF::HashMap<WTF::AtomString,std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>,WTF::DefaultHash<WTF::AtomString>,WTF::HashTraits<WTF::AtomString>,WTF::HashTraits<std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>>,WTF::HashTableTraits>::KeyValuePairTraits,WTF::DefaultHash<WTF::AtomString>>::hash<WTF::AtomString>(const WTF::AtomString & key) Line 311	C++
> WebKit2.dll!WTF::HashMapTranslatorAdapter<WTF::HashMap<WTF::AtomString,std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>,WTF::DefaultHash<WTF::AtomString>,WTF::HashTraits<WTF::AtomString>,WTF::HashTraits<std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>>,WTF::HashTableTraits>::KeyValuePairTraits,WTF::IdentityHashTranslator<WTF::HashMap<WTF::AtomString,std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>,WTF::DefaultHash<WTF::AtomString>,WTF::HashTraits<WTF::AtomString>,WTF::HashTraits<std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>>,WTF::HashTableTraits>::KeyValuePairTraits,WTF::DefaultHash<WTF::AtomString>>>::hash<WTF::AtomString>(const WTF::AtomString & key) Line 250	C++
> WebKit2.dll!WTF::HashTable<WTF::AtomString,WTF::KeyValuePair<WTF::AtomString,std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>>,WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::AtomString,std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>>>,WTF::DefaultHash<WTF::AtomString>,WTF::HashMap<WTF::AtomString,std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>,WTF::DefaultHash<WTF::AtomString>,WTF::HashTraits<WTF::AtomString>,WTF::HashTraits<std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>>,WTF::HashTableTraits>::KeyValuePairTraits,WTF::HashTraits<WTF::AtomString>>::inlineLookup<WTF::HashMapTranslatorAdapter<WTF::HashMap<WTF::AtomString,std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>,WTF::DefaultHash<WTF::AtomString>,WTF::HashTraits<WTF::AtomString>,WTF::HashTraits<std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>>,WTF::HashTableTraits>::KeyValuePairTraits,WTF::IdentityHashTranslator<WTF::HashMap<WTF::AtomString,std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>,WTF::DefaultHash<WTF::AtomString>,WTF::HashTraits<WTF::AtomString>,WTF::HashTraits<std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>>,WTF::HashTableTraits>::KeyValuePairTraits,WTF::DefaultHash<WTF::AtomString>>>,WTF::AtomString>(const WTF::AtomString & key) Line 688	C++
> WebKit2.dll!WTF::HashTable<WTF::AtomString,WTF::KeyValuePair<WTF::AtomString,std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>>,WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::AtomString,std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>>>,WTF::DefaultHash<WTF::AtomString>,WTF::HashMap<WTF::AtomString,std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>,WTF::DefaultHash<WTF::AtomString>,WTF::HashTraits<WTF::AtomString>,WTF::HashTraits<std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>>,WTF::HashTableTraits>::KeyValuePairTraits,WTF::HashTraits<WTF::AtomString>>::lookup<WTF::HashMapTranslatorAdapter<WTF::HashMap<WTF::AtomString,std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>,WTF::DefaultHash<WTF::AtomString>,WTF::HashTraits<WTF::AtomString>,WTF::HashTraits<std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>>,WTF::HashTableTraits>::KeyValuePairTraits,WTF::IdentityHashTranslator<WTF::HashMap<WTF::AtomString,std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>,WTF::DefaultHash<WTF::AtomString>,WTF::HashTraits<WTF::AtomString>,WTF::HashTraits<std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>>,WTF::HashTableTraits>::KeyValuePairTraits,WTF::DefaultHash<WTF::AtomString>>>,WTF::AtomString>(const WTF::AtomString & key) Line 674	C++
> WebKit2.dll!WTF::HashMap<WTF::AtomString,std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>,WTF::DefaultHash<WTF::AtomString>,WTF::HashTraits<WTF::AtomString>,WTF::HashTraits<std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>>,WTF::HashTableTraits>::get<WTF::IdentityHashTranslator<WTF::HashMap<WTF::AtomString,std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>,WTF::DefaultHash<WTF::AtomString>,WTF::HashTraits<WTF::AtomString>,WTF::HashTraits<std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>>,WTF::HashTableTraits>::KeyValuePairTraits,WTF::DefaultHash<WTF::AtomString>>,WTF::AtomString>(const WTF::AtomString & value) Line 343	C++
> WebKit2.dll!WTF::HashMap<WTF::AtomString,std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>,WTF::DefaultHash<WTF::AtomString>,WTF::HashTraits<WTF::AtomString>,WTF::HashTraits<std::unique_ptr<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>,std::default_delete<WTF::Vector<WebCore::Style::RuleData,1,WTF::CrashOnOverflow,16,WTF::FastMalloc>>>>,WTF::HashTableTraits>::get(const WTF::AtomString & key) Line 459	C++
> WebKit2.dll!WebCore::Style::RuleSet::attributeRules(const WTF::AtomString & key, bool isHTMLName) Line 210	C++
> WebKit2.dll!WebCore::Style::ElementRuleCollector::collectMatchingRules(const WebCore::Style::MatchRequest & matchRequest) Line 166	C++
> WebKit2.dll!WebCore::Style::ElementRuleCollector::collectMatchingAuthorRules() Line 250	C++
> WebKit2.dll!WebCore::Style::ElementRuleCollector::matchAllRules(bool matchAuthorAndUserStyles, bool includeSMILProperties) Line 583	C++
> WebKit2.dll!WebCore::Style::Resolver::styleForElement(const WebCore::Element & element, const WebCore::Style::ResolutionContext & context, WebCore::RuleMatchingBehavior matchingBehavior) Line 257	C++
> WebKit2.dll!WebCore::Style::TreeResolver::styleForStyleable(const WebCore::Styleable & styleable, WebCore::Style::TreeResolver::ResolutionType resolutionType, const WebCore::Style::ResolutionContext & resolutionContext) Line 155	C++
> WebKit2.dll!WebCore::Style::TreeResolver::resolveElement(WebCore::Element & element, WebCore::Style::TreeResolver::ResolutionType resolutionType) Line 224	C++
> WebKit2.dll!WebCore::Style::TreeResolver::resolveComposedTree() Line 830	C++
> WebKit2.dll!WebCore::Style::TreeResolver::resolve() Line 925	C++
> WebKit2.dll!WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType type) Line 2097	C++
> WebKit2.dll!WebCore::Document::updateStyleIfNeeded() Line 2235	C++
> WebKit2.dll!WebCore::Document::updateLayoutIfDimensionsOutOfDate(WebCore::Element & element, WebCore::DimensionsCheck dimensionsCheck) Line 2338	C++
> WebKit2.dll!WebCore::DOMWindow::innerWidth() Line 1321	C++
> WebKit2.dll!WebCore::jsDOMWindow_innerWidthGetter(JSC::JSGlobalObject & lexicalGlobalObject, WebCore::JSDOMWindow & thisObject) Line 11281	C++
> WebKit2.dll!WebCore::IDLAttribute<WebCore::JSDOMWindow>::get<&WebCore::jsDOMWindow_innerWidthGetter,0>(JSC::JSGlobalObject & lexicalGlobalObject, __int64 thisValue, JSC::PropertyName attributeName) Line 100	C++
> WebKit2.dll!WebCore::jsDOMWindow_innerWidth(JSC::JSGlobalObject * lexicalGlobalObject, __int64 thisValue, JSC::PropertyName attributeName) Line 11287	C++
> JavaScriptCore.dll!JSC::PropertySlot::customGetter(JSC::VM & vm, JSC::PropertyName propertyName) Line 47	C++
> JavaScriptCore.dll!JSC::PropertySlot::getValue(JSC::JSGlobalObject * globalObject, JSC::PropertyName propertyName) Line 408	C++
> JavaScriptCore.dll!JSC::JSValue::get(JSC::JSGlobalObject * globalObject, JSC::PropertyName propertyName, JSC::PropertySlot & slot) Line 1032	C++
> JavaScriptCore.dll!JSC::LLInt::performLLIntGetByID(JSC::BytecodeIndex bytecodeIndex, JSC::CodeBlock * codeBlock, JSC::JSGlobalObject * globalObject, JSC::JSValue baseValue, const JSC::Identifier & ident, JSC::GetByIdModeMetadata & metadata) Line 813	C++
> JavaScriptCore.dll!llint_slow_path_get_by_id(JSC::CallFrame * callFrame, const JSC::BaseInstruction<JSC::JSOpcodeTraits> * pc) Line 887	C++
> JavaScriptCore.dll!llint_entry()	Unknown
> 000000bdd0efc930()	Unknown
> 000000bdd0efc9f0()	Unknown
> 0000025f7996f4a0()	Unknown
> JavaScriptCore.dll!00007ffd123ef2b8()	C++
> 0000025f7996f4a0()	Unknown
> (...not available under JSC...)

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20220630/15775a1e/attachment-0001.htm>

More information about the webkit-unassigned mailing list