Changeset 203172 in webkit


Ignore:
Timestamp:
Jul 13, 2016 12:17:46 PM (8 years ago)
Author:
Antti Koivisto
Message:

v2: WebContent crash due to RELEASE_ASSERT(!m_inLoadPendingImages) in StyleResolver::~StyleResolver()
https://bugs.webkit.org/show_bug.cgi?id=159722

Reviewed by Andreas Kling.

We have crashes where a StyleResolver is deleted underneath pseudoStyleForElement (key parts of the stack):

0 WebCore::StyleResolver::~StyleResolver
3 WebCore::AuthorStyleSheets::updateActiveStyleSheets
4 WebCore::Document::styleResolverChanged
5 WebKit::WebPage::viewportConfigurationChanged()
6 WebKit::WebPage::mainFrameDidLayout()
9 WebCore::FrameLoader::checkCompleted
13 WebCore::ResourceLoader::cancel
19 WebKit::WebLoaderStrategy::loadResource
24 WebCore::Style::loadPendingImage
27 WebCore::StyleResolver::pseudoStyleForElement
29 WebCore::RenderTreeUpdater::updateBeforeOrAfterPseudoElement
33 WebCore::Document::recalcStyle

This appears to be happening when a content blocker blocks a resource load for an image referenced from a stylesheet
and triggers synchronous cancellation of the load. With engine in suitable state this can clear style resolver.

No test, don't know how to make one. This is very timing and engine state dependent.

  • dom/AuthorStyleSheets.cpp:

(WebCore::AuthorStyleSheets::updateActiveStyleSheets):

We have an existing check here that prevents destruction of the style resolver when we are in the middle of
a style resolution. However the old inStyleRecalc() bit no longer covers the render tree update phase. Pseudo
elements are resolved during render tree update.

Fix by adding a check for inRenderTreeUpdate() bit too.

This just fixes a regression. A proper fix would be to gather all resources during style resolution
and trigger the loads afterwards.

Location:
trunk/Source/WebCore
Files:
2 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/WebCore/ChangeLog

    r203171 r203172  
     12016-07-13  Antti Koivisto  <antti@apple.com>
     2
     3        v2: WebContent crash due to RELEASE_ASSERT(!m_inLoadPendingImages) in StyleResolver::~StyleResolver()
     4        https://bugs.webkit.org/show_bug.cgi?id=159722
     5
     6        Reviewed by Andreas Kling.
     7
     8        We have crashes where a StyleResolver is deleted underneath pseudoStyleForElement (key parts of the stack):
     9
     10        0   WebCore::StyleResolver::~StyleResolver
     11        3   WebCore::AuthorStyleSheets::updateActiveStyleSheets
     12        4   WebCore::Document::styleResolverChanged
     13        5   WebKit::WebPage::viewportConfigurationChanged()
     14        6   WebKit::WebPage::mainFrameDidLayout()
     15        9   WebCore::FrameLoader::checkCompleted
     16        13  WebCore::ResourceLoader::cancel
     17        19  WebKit::WebLoaderStrategy::loadResource
     18        24  WebCore::Style::loadPendingImage
     19        27  WebCore::StyleResolver::pseudoStyleForElement
     20        29  WebCore::RenderTreeUpdater::updateBeforeOrAfterPseudoElement
     21        33  WebCore::Document::recalcStyle
     22
     23        This appears to be happening when a content blocker blocks a resource load for an image referenced from a stylesheet
     24        and triggers synchronous cancellation of the load. With engine in suitable state this can clear style resolver.
     25
     26        No test, don't know how to make one. This is very timing and engine state dependent.
     27
     28        * dom/AuthorStyleSheets.cpp:
     29        (WebCore::AuthorStyleSheets::updateActiveStyleSheets):
     30
     31        We have an existing check here that prevents destruction of the style resolver when we are in the middle of
     32        a style resolution. However the old inStyleRecalc() bit no longer covers the render tree update phase. Pseudo
     33        elements are resolved during render tree update.
     34
     35        Fix by adding a check for inRenderTreeUpdate() bit too.
     36
     37        This just fixes a regression. A proper fix would be to gather all resources during style resolution
     38        and trigger the loads afterwards.
     39
    1402016-07-13  Frederic Wang  <fred.wang@free.fr>
    241

  • trunk/Source/WebCore/dom/AuthorStyleSheets.cpp

    r191792 r203172  
    292292bool AuthorStyleSheets::updateActiveStyleSheets(UpdateFlag updateFlag)
    293293{
    294     if (m_document.inStyleRecalc()) {
    295         // SVG <use> element may manage to invalidate style selector in the middle of a style recalc.
    296         // https://bugs.webkit.org/show_bug.cgi?id=54344
    297         // FIXME: This should be fixed in SVG and the call site replaced by ASSERT(!m_inStyleRecalc).
     294    if (m_document.inStyleRecalc() || m_document.inRenderTreeUpdate()) {
     295        // Protect against deleting style resolver in the middle of a style resolution.
     296        // Crash stacks indicate we can get here when z resource load fails synchronously (for example due to content blocking).
     297        // FIXME: These kind of cases should be eliminated and this path replaced by an assert.
    298298        m_pendingUpdateType = FullUpdate;
    299299        m_document.scheduleForcedStyleRecalc();
Note: See TracChangeset for help on using the changeset viewer.