[Webkit-unassigned] [Bug 276942] New: Attribute selectors and nested selectors crash the tab repeatedly

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Jul 23 03:02:29 PDT 2024 

https://bugs.webkit.org/show_bug.cgi?id=276942

            Bug ID: 276942
           Summary: Attribute selectors and nested selectors crash the tab
                    repeatedly
           Product: WebKit
           Version: Safari 17
          Hardware: Mac (Apple Silicon)
                OS: macOS 14
            Status: NEW
          Severity: Major
          Priority: P2
         Component: CSS
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: bugs at bfred.it
                CC: koivisto at iki.fi

I tried using nested selectors in my web extension and they crash every tab the content script is injected into, very consistently, and makes it impossible to use the site at all.

I was not able to reproduce the bug outside the extension but from the crash log, this doesn't appear related to it.

More details may be found on: https://github.com/refined-github/refined-github/pull/7252#discussion_r1686370929
Also this other PR with larger nested selector replacements produce the same crashes: https://github.com/refined-github/refined-github/pull/7553

One thing I noticed is that even without nested selectors, I regularly see my tabs crash-reloading after a page navigation, and Console.app shows a similar/identical crash report related to selector parsing. The difference is that the crashes are not repeated so after the crash-reload, it continues working.

The troublesome rule was:

```css
.rgh-pr-cell {
        flex-wrap: wrap;
        gap: 4px;

        & > [class*='Box'] {
                /* Drop forced height on pre-existing cell */
                height: auto;
        }
}
```

And this is the crash log

```
System Integrity Protection: enabled

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000020
Exception Codes:       0x0000000000000001, 0x0000000000000020

Termination Reason:    Namespace SIGNAL, Code 11 Segmentation fault: 11
Terminating Process:   exc handler [89568]

VM Region Info: 0x20 is not in any region.  Bytes before following region: 4368121824
      REGION TYPE                    START - END         [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
      UNUSED SPACE AT START
--->  
      __TEXT                      1045c4000-1045c8000    [   16K] r-x/r-x SM=COW  /System/Volumes/Preboot/Cryptexes/Incoming/OS/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent

Thread 0 Crashed::  Dispatch queue: com.apple.main-thread
0   WebCore                                    0x1a516aba8 WebCore::SelectorChecker::attributeSelectorMatches(WebCore::Element const&, WebCore::QualifiedName const&, WTF::AtomString const&, WebCore::CSSSelector const&) + 352
1   WebCore                                    0x1a6137c18 WebCore::Style::AttributeChangeInvalidation::invalidateStyle(WebCore::QualifiedName const&, WTF::AtomString const&, WTF::AtomString const&) + 3388
2   WebCore                                    0x1a5322a8c WebCore::Element::setAttributeInternal(unsigned int, WebCore::QualifiedName const&, WTF::AtomString const&, WebCore::Element::InSynchronizationOfLazyAttribute) + 584
3   WebCore                                    0x1a55528c0 WebCore::DOMTokenList::updateAssociatedAttributeFromTokens() + 392
4   WebCore                                    0x1a55520ac WebCore::DOMTokenList::addInternal(WTF::AtomString const*, unsigned long) + 360
5   WebCore                                    0x1a41456b4 WebCore::jsDOMTokenListPrototypeFunction_add(JSC::JSGlobalObject*, JSC::CallFrame*) + 356
6   ???                                        0x1142643e4 ???
7   ???                                        0x114264414 ???
8   ???                                        0x114008428 ???
9   JavaScriptCore                             0x1a0a3c384 JSC::Interpreter::executeCall(JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 612
10  JavaScriptCore                             0x1a0be5064 JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 120
11  WebCore                                    0x1a4f86714 WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) + 1100
12  WebCore                                    0x1a5352e34 WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::RawPtrTraits<WebCore::RegisteredEventListener>, WTF::DefaultRefDerefTraits<WebCore::RegisteredEventListener>>, 1ul, WTF::CrashOnOverflow, 2ul, WTF::FastMalloc>, WebCore::EventTarget::EventInvokePhase) + 528
13  WebCore                                    0x1a5352a6c WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) + 408
14  WebCore                                    0x1a5347824 WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) + 2488
15  WebCore                                    0x1a5345a0c WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) + 1140
16  WebCore                                    0x1a4f167e0 WebCore::DocumentTimelinesController::updateAnimationsAndSendEvents(WTF::Seconds) + 4256
17  WebCore                                    0x1a5a8f638 WTF::Detail::CallableWrapper<WebCore::Page::updateRendering()::$_31, void, WebCore::Document&>::call(WebCore::Document&) + 80
18  WebCore                                    0x1a5a7bfb4 WebCore::Page::updateRendering()::$_24::operator()(WebCore::RenderingUpdateStep, WTF::Function<void (WebCore::Document&)> const&) const + 344
19  WebCore                                    0x1a5a7aedc WebCore::Page::updateRendering() + 1032
20  WebKit                                     0x1a714d580 WebKit::RemoteLayerTreeDrawingArea::updateRendering() + 144
21  WebCore                                    0x1a5b7b7f0 WTF::Detail::CallableWrapper<WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0, void>::call() + 196
22  WebCore                                    0x1a3ac19a8 WebCore::timerFired(__CFRunLoopTimer*, void*) + 68
23  CoreFoundation                             0x183a4e5b8 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 32
24  CoreFoundation                             0x183a4e25c __CFRunLoopDoTimer + 972
25  CoreFoundation                             0x183a4dd94 __CFRunLoopDoTimers + 356
26  CoreFoundation                             0x183a311cc __CFRunLoopRun + 1856
27  CoreFoundation                             0x183a30434 CFRunLoopRunSpecific + 608
28  Foundation                                 0x184b64a88 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 212
29  Foundation                                 0x184bde6c4 -[NSRunLoop(NSRunLoop) run] + 64
30  libxpc.dylib                               0x18366b468 _xpc_objc_main + 684
31  libxpc.dylib                               0x18367ae58 _xpc_main + 324
32  libxpc.dylib                               0x18366b014 xpc_main + 64
33  WebKit              
                       0x1a722b858 WebKit::XPCServiceMain(int, char const**) + 68
34  dyld                                       0x1835ca0e0 start + 2360
```

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20240723/3fb1551b/attachment.htm>

More information about the webkit-unassigned mailing list