139592 2014-12-12 12:22:07 -0800 SVG masking can cause loadPendingResources() re-entrancy 2014-12-18 03:57:05 -0800 1 1 1 Unclassified WebKit CSS 528+ (Nightly build) Unspecified Unspecified RESOLVED DUPLICATE 139644 P2 Normal --- 139644 139294 1 simon.fraser webkit-unassigned mihnea simon.fraser stavila oldest_to_newest 1054880 0 simon.fraser 2014-12-12 12:22:07 -0800 While running tests, I just saw css3/masking/mask-svg-script-mask-to-entire-svg.html cause a crash which indicates bad behavior: Application Specific Information: CRASHING TEST: css3/masking/mask-svg-script-mask-to-entire-svg.html Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.JavaScriptCore 0x0000000116070a2a WTFCrash + 42 1 com.apple.WebCore 0x00000001192c13d9 WebCore::StyleResolver::loadPendingResources() + 153 (StyleResolver.cpp:3759) 2 com.apple.WebCore 0x00000001192bb0a2 WebCore::StyleResolver::applyMatchedProperties(WebCore::StyleResolver::MatchResult const&, WebCore::Element const*, WebCore::StyleResolver::ShouldUseMatchedPropertiesCache) + 1906 (StyleResolver.cpp:1827) 3 com.apple.WebCore 0x00000001192b8ca3 WebCore::StyleResolver::styleForElement(WebCore::Element*, WebCore::RenderStyle*, WebCore::StyleSharingBehavior, WebCore::RuleMatchingBehavior, WebCore::RenderRegion const*) + 1251 (StyleResolver.cpp:803) 4 com.apple.WebCore 0x00000001193739f6 WebCore::SVGElement::customStyleForRenderer(WebCore::RenderStyle&) + 150 (SVGElement.cpp:790) 5 com.apple.WebCore 0x00000001192e796a WebCore::Style::styleForElement(WebCore::Element&, WebCore::RenderStyle&) + 106 (StyleResolveTree.cpp:259) 6 com.apple.WebCore 0x00000001192e59f2 WebCore::Style::resolveLocal(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WebCore::Style::Change) + 146 (StyleResolveTree.cpp:749) 7 com.apple.WebCore 0x00000001192e342d WebCore::Style::resolveTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WebCore::Style::Change) + 301 (StyleResolveTree.cpp:918) 8 com.apple.WebCore 0x00000001192e368b WebCore::Style::resolveTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WebCore::Style::Change) + 907 (StyleResolveTree.cpp:957) 9 com.apple.WebCore 0x00000001192e368b WebCore::Style::resolveTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WebCore::Style::Change) + 907 (StyleResolveTree.cpp:957) 10 com.apple.WebCore 0x00000001192e368b WebCore::Style::resolveTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WebCore::Style::Change) + 907 (StyleResolveTree.cpp:957) 11 com.apple.WebCore 0x00000001192e32ea WebCore::Style::resolveTree(WebCore::Document&, WebCore::Style::Change) + 474 (StyleResolveTree.cpp:996) 12 com.apple.WebCore 0x0000000117b72996 WebCore::Document::recalcStyle(WebCore::Style::Change) + 470 (Document.cpp:1798) 13 com.apple.WebCore 0x0000000117b6eadf WebCore::Document::updateStyleIfNeeded() + 431 (Document.cpp:1841) 14 com.apple.WebCore 0x0000000117ecb6a2 WebCore::FrameLoader::stopLoading(WebCore::UnloadEventPolicy) + 1218 (FrameLoader.cpp:473) 15 com.apple.WebCore 0x0000000117ecbbef WebCore::FrameLoader::closeURL() + 111 (FrameLoader.cpp:547) 16 com.apple.WebCore 0x0000000117ed5d75 WebCore::FrameLoader::detachFromParent() + 53 (FrameLoader.cpp:2486) 17 com.apple.WebCore 0x0000000117ed61fb WebCore::FrameLoader::frameDetached() + 59 (FrameLoader.cpp:2479) 18 com.apple.WebCore 0x00000001193d33b1 WebCore::SVGImage::~SVGImage() + 561 (SVGImage.cpp:60) 19 com.apple.WebCore 0x00000001193d3795 WebCore::SVGImage::~SVGImage() + 21 (SVGImage.cpp:65) 20 com.apple.WebCore 0x00000001193d37b9 WebCore::SVGImage::~SVGImage() + 25 (SVGImage.cpp:56) 21 com.apple.WebCore 0x00000001177c4113 WTF::RefCounted<WebCore::Image>::deref() + 83 (RefCounted.h:146) 22 com.apple.WebCore 0x00000001177c40b1 void WTF::derefIfNotNull<WebCore::Image>(WebCore::Image*) + 65 (PassRefPtr.h:41) 23 com.apple.WebCore 0x00000001177fcf67 WTF::RefPtr<WebCore::Image>::clear() + 39 (RefPtr.h:110) 24 com.apple.WebCore 0x00000001177f8c77 WebCore::CachedImage::clearImage() + 103 (CachedImage.cpp:365) 25 com.apple.WebCore 0x00000001177f668d WebCore::CachedImage::~CachedImage() + 61 (CachedImage.cpp:108) 26 com.apple.WebCore 0x00000001177f67b5 WebCore::CachedImage::~CachedImage() + 21 (CachedImage.cpp:108) 27 com.apple.WebCore 0x00000001177f6809 WebCore::CachedImage::~CachedImage() + 25 (CachedImage.cpp:106) 28 com.apple.WebCore 0x000000011780423e WebCore::CachedResource::deleteIfPossible() + 94 (CachedResource.cpp:487) 29 com.apple.WebCore 0x0000000117804f4e WebCore::CachedResource::unregisterHandle(WebCore::CachedResourceHandleBase*) + 174 (CachedResource.cpp:666) 30 com.apple.WebCore 0x000000011781098a WebCore::CachedResourceHandleBase::setResource(WebCore::CachedResource*) + 74 (CachedResourceHandle.cpp:64) 31 com.apple.WebCore 0x0000000117815ce7 WebCore::CachedResourceHandle<WebCore::CachedResource>::operator=(WebCore::CachedResourceHandle<WebCore::CachedResource> const&) + 55 (CachedResourceHandle.h:73) 32 com.apple.WebCore 0x0000000117811e07 WebCore::CachedResourceLoader::requestResource(WebCore::CachedResource::Type, WebCore::CachedResourceRequest&) + 1287 (CachedResourceLoader.cpp:478) 33 com.apple.WebCore 0x0000000117812820 WebCore::CachedResourceLoader::requestSVGDocument(WebCore::CachedResourceRequest&) + 64 (CachedResourceLoader.cpp:246) 34 com.apple.WebCore 0x0000000117822035 WebCore::CachedSVGDocumentReference::load(WebCore::CachedResourceLoader*) + 309 (CachedSVGDocumentReference.cpp:64) 35 com.apple.WebCore 0x00000001192c70ff WebCore::StyleResolver::loadPendingSVGDocuments() + 527 (StyleResolver.cpp:3403) 36 com.apple.WebCore 0x00000001192c13f7 WebCore::StyleResolver::loadPendingResources() + 183 (StyleResolver.cpp:3770) 37 com.apple.WebCore 0x00000001192bb0a2 WebCore::StyleResolver::applyMatchedProperties(WebCore::StyleResolver::MatchResult const&, WebCore::Element const*, WebCore::StyleResolver::ShouldUseMatchedPropertiesCache) + 1906 (StyleResolver.cpp:1827) 38 com.apple.WebCore 0x00000001192b8ca3 WebCore::StyleResolver::styleForElement(WebCore::Element*, WebCore::RenderStyle*, WebCore::StyleSharingBehavior, WebCore::RuleMatchingBehavior, WebCore::RenderRegion const*) + 1251 (StyleResolver.cpp:803) 39 com.apple.WebCore 0x00000001192e7a32 WebCore::Style::styleForElement(WebCore::Element&, WebCore::RenderStyle&) + 306 (StyleResolveTree.cpp:263) 40 com.apple.WebCore 0x00000001192e6bb0 WebCore::Style::createRendererIfNeeded(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) + 208 (StyleResolveTree.cpp:288) 41 com.apple.WebCore 0x00000001192e6777 WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) + 263 (StyleResolveTree.cpp:615) 42 com.apple.WebCore 0x00000001192e717b WebCore::Style::attachChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&) + 347 (StyleResolveTree.cpp:484) 43 com.apple.WebCore 0x00000001192e6849 WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) + 473 (StyleResolveTree.cpp:631) 44 com.apple.WebCore 0x00000001192e717b WebCore::Style::attachChildren(WebCore::ContainerNode&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&) + 347 (StyleResolveTree.cpp:484) 45 com.apple.WebCore 0x00000001192e6849 WebCore::Style::attachRenderTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WTF::PassRefPtr<WebCore::RenderStyle>) + 473 (StyleResolveTree.cpp:631) 46 com.apple.WebCore 0x00000001192e5af0 WebCore::Style::resolveLocal(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WebCore::Style::Change) + 400 (StyleResolveTree.cpp:756) 47 com.apple.WebCore 0x00000001192e342d WebCore::Style::resolveTree(WebCore::Element&, WebCore::RenderStyle&, WebCore::Style::RenderTreePosition&, WebCore::Style::Change) + 301 (StyleResolveTree.cpp:918) 48 com.apple.WebCore 0x00000001192e32ea WebCore::Style::resolveTree(WebCore::Document&, WebCore::Style::Change) + 474 (StyleResolveTree.cpp:996) 49 com.apple.WebCore 0x0000000117b72996 WebCore::Document::recalcStyle(WebCore::Style::Change) + 470 (Document.cpp:1798) 50 com.apple.WebCore 0x0000000117b6eadf WebCore::Document::updateStyleIfNeeded() + 431 (Document.cpp:1841) 51 com.apple.WebCore 0x0000000117b7f472 WebCore::Document::finishedParsing() + 450 (Document.cpp:4613) 52 com.apple.WebCore 0x0000000118027c68 WebCore::HTMLConstructionSite::finishedParsing() + 24 (HTMLConstructionSite.cpp:396) 53 com.apple.WebCore 0x0000000118160e17 WebCore::HTMLTreeBuilder::finished() + 183 (HTMLTreeBuilder.cpp:3010) 54 com.apple.WebCore 0x0000000118056dee WebCore::HTMLDocumentParser::end() + 190 (HTMLDocumentParser.cpp:440) 55 com.apple.WebCore 0x0000000118054e53 WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() + 275 (HTMLDocumentParser.cpp:451) 56 com.apple.WebCore 0x0000000118054c60 WebCore::HTMLDocumentParser::prepareToStopParsing() + 288 (HTMLDocumentParser.cpp:166) 57 com.apple.WebCore 0x0000000118056e43 WebCore::HTMLDocumentParser::attemptToEnd() + 67 (HTMLDocumentParser.cpp:463) 58 com.apple.WebCore 0x0000000118056e98 WebCore::HTMLDocumentParser::finish() + 72 (HTMLDocumentParser.cpp:491) 59 com.apple.WebCore 0x0000000117c0100a WebCore::DocumentWriter::end() + 346 (DocumentWriter.cpp:247) 60 com.apple.WebCore 0x0000000117bc89d3 WebCore::DocumentLoader::finishedLoading(double) + 1587 (DocumentLoader.cpp:441) 61 com.apple.WebCore 0x0000000117bc830e WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource*) + 270 (DocumentLoader.cpp:375) 62 com.apple.WebCore 0x0000000117803262 WebCore::CachedResource::checkNotify() + 130 (CachedResource.cpp:293) 63 com.apple.WebCore 0x0000000117803374 WebCore::CachedResource::finishLoading(WebCore::SharedBuffer*) + 52 (CachedResource.cpp:310) 64 com.apple.WebCore 0x00000001177fed1a WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) + 218 (CachedRawResource.cpp:105) 1055525 1 ap 2014-12-14 18:02:25 -0800 The fix for bug 139294 was rolled out, so this problem doesn't occur any more. Keeping this open in case this needs to be addressed separately before the fix can be re-landed. 1056743 2 stavila 2014-12-18 03:57:05 -0800 The pre-existing issue that caused this problem has been fixed - https://bugs.webkit.org/show_bug.cgi?id=139644 *** This bug has been marked as a duplicate of bug 139644 ***