Bug 216007

Summary: REGRESSION(r266350): WebCore::ImageLoader::updateFromElement(WebCore::RelevantMutation)
Product: WebKit
Reporter: Hector Lopez <hector_i_lopez>
Component: New Bugs
Assignee: Rob Buis <rwlbuis>
Status: RESOLVED DUPLICATE
Severity: Normal
CC: rwlbuis, webkit-bot-watchers-bugzilla, webkit-bug-importer, youennf
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
See Also: https://bugs.webkit.org/show_bug.cgi?id=215610
Attachments:
Crash log (attachment 407606), flags: none
Crash log for r266408 change (attachment 407729), flags: none

Description Hector Lopez 2020-08-31 09:46:49 PDT
Created attachment 407606 [details]
Crash log

imported/w3c/web-platform-tests/html/semantics/embedded-content/the-img-element/image-loading-lazy-slow.html

Test is a constant crash according to history on macOS and iOS. The first occurrence of a crash is at r266350.

History:
https://results.webkit.org/?suite=layout-tests&test=imported%2Fw3c%2Fweb-platform-tests%2Fhtml%2Fsemantics%2Fembedded-content%2Fthe-img-element%2Fimage-loading-lazy-slow.html

Crash log:
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x00000001079c56be WebCore::ImageLoader::updateFromElement(WebCore::RelevantMutation) + 1086
1   com.apple.WebCore             	0x0000000107703464 WebCore::HTMLImageElement::selectImageSource(WebCore::RelevantMutation) + 1060
2   com.apple.WebCore             	0x000000010750a8df WebCore::Element::attributeChanged(WebCore::QualifiedName const&, WTF::AtomString const&, WTF::AtomString const&, WebCore::Element::AttributeModificationReason) + 1327
3   com.apple.WebCore             	0x000000010770354e WebCore::HTMLImageElement::attributeChanged(WebCore::QualifiedName const&, WTF::AtomString const&, WTF::AtomString const&, WebCore::Element::AttributeModificationReason) + 126
4   com.apple.WebCore             	0x0000000107509af0 WebCore::Element::setAttributeInternal(unsigned int, WebCore::QualifiedName const&, WTF::AtomString const&, WebCore::Element::SynchronizationOfLazyAttribute) + 848
5   com.apple.WebCore             	0x00000001067c8130 WebCore::setJSHTMLImageElementSrc(JSC::JSGlobalObject*, long long, long long) + 448
6   com.apple.JavaScriptCore      	0x0000000101230a6f JSC::callCustomSetter(JSC::JSGlobalObject*, JSC::JSValue, bool, JSC::JSObject*, JSC::JSValue, JSC::JSValue) + 31
7   com.apple.JavaScriptCore      	0x00000001012f90ae JSC::JSObject::putInlineSlow(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 1134
8   com.apple.JavaScriptCore      	0x0000000100799b04 llint_slow_path_put_by_id + 1252
9   com.apple.JavaScriptCore      	0x00000001009a564d llint_entry + 38921
10  com.apple.JavaScriptCore      	0x000000010099bc4f vmEntryToJavaScript + 216
11  com.apple.JavaScriptCore      	0x0000000100fd6e16 JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 518
12  com.apple.JavaScriptCore      	0x00000001011fe303 JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 147

or see attached
Comment 1 Radar WebKit Bug Importer 2020-08-31 09:49:05 PDT
<rdar://problem/68082162>
Comment 2 Hector Lopez 2020-08-31 10:25:05 PDT
Reverted while being investigated:

https://trac.webkit.org/changeset/266358/webkit
Comment 3 Alexey Proskuryakov 2020-08-31 13:57:35 PDT
Marking as fixed per the above.
Comment 4 Hector Lopez 2020-09-01 18:50:06 PDT
Created attachment 407729 [details]
Crash log for r266408 change
Comment 5 Hector Lopez 2020-09-01 18:50:42 PDT
Test is a constant crash according to history on macOS and iOS. First occurrence of a crash is at r266408.

https://trac.webkit.org/changeset/266408/webkit

History:
https://results.webkit.org/?suite=layout-tests&test=imported%2Fw3c%2Fweb-platform-tests%2Fhtml%2Fsemantics%2Fembedded-content%2Fthe-img-element%2Fimage-loading-lazy-slow.html

Same crash log:
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x0000000106d60b0e WebCore::ImageLoader::updateFromElement(WebCore::RelevantMutation) + 1086
1   com.apple.WebCore             	0x0000000106a97d34 WebCore::HTMLImageElement::selectImageSource(WebCore::RelevantMutation) + 1060
2   com.apple.WebCore             	0x000000010689d70f WebCore::Element::attributeChanged(WebCore::QualifiedName const&, WTF::AtomString const&, WTF::AtomString const&, WebCore::Element::AttributeModificationReason) + 1327
3   com.apple.WebCore             	0x0000000106a97e1e WebCore::HTMLImageElement::attributeChanged(WebCore::QualifiedName const&, WTF::AtomString const&, WTF::AtomString const&, WebCore::Element::AttributeModificationReason) + 126
4   com.apple.WebCore             	0x000000010689c920 WebCore::Element::setAttributeInternal(unsigned int, WebCore::QualifiedName const&, WTF::AtomString const&, WebCore::Element::SynchronizationOfLazyAttribute) + 848
5   com.apple.WebCore             	0x0000000105b53000 WebCore::setJSHTMLImageElementSrc(JSC::JSGlobalObject*, long long, long long) + 448
6   com.apple.JavaScriptCore      	0x00000001030928ef JSC::callCustomSetter(JSC::JSGlobalObject*, JSC::JSValue, bool, JSC::JSObject*, JSC::JSValue, JSC::JSValue) + 31
7   com.apple.JavaScriptCore      	0x000000010315af2e JSC::JSObject::putInlineSlow(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 1134
8   com.apple.JavaScriptCore      	0x00000001025fbf04 llint_slow_path_put_by_id + 1252
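Comment 5 calls the second log "the same crash" even though every load address differs from the first log. What makes the two logs the same is the symbolic stack: module, symbol and byte offset match frame for frame. The script below is an added example for that triage check; it is not part of this bug or of WebKit's tooling. The two sample logs are the top frames copied from the crash logs in this report; LOG_OTHER is a constructed, hypothetical variant with a different offset in frame 0, used only to show what a non-match looks like.

```python
import re
from typing import List, NamedTuple, Tuple

# One frame line of a macOS crash-report backtrace (assumed format, matching the
# logs in this bug). The symbol can contain spaces and parentheses, so it is
# matched lazily up to the trailing " + <offset>".
FRAME_RE = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<module>\S+)\s+0x(?P<addr>[0-9a-fA-F]+)\s+"
    r"(?P<symbol>.+?)\s\+\s(?P<offset>\d+)\s*$"
)


class Frame(NamedTuple):
    index: int
    module: str
    address: int   # load address: differs per build/ASLR slide, never part of the signature
    symbol: str
    offset: int    # byte offset into the symbol: stable only while that function's code is unchanged


def parse_frames(log: str) -> List[Frame]:
    """Extract the numbered frames from a crash-report excerpt, skipping header lines."""
    frames = []
    for line in log.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append(Frame(int(m["idx"]), m["module"], int(m["addr"], 16),
                                m["symbol"], int(m["offset"])))
    return frames


def signature(frames: List[Frame], depth: int = 5, strict: bool = True) -> Tuple:
    """Crash signature built from the top `depth` frames.

    strict=True keys on (module, symbol, offset): same crash site inside an
    unchanged function. strict=False drops the offset, which is the right
    comparison when the function was recompiled between the two builds and
    the offset has drifted even though the crash is the same.
    """
    if strict:
        return tuple((f.module, f.symbol, f.offset) for f in frames[:depth])
    return tuple((f.module, f.symbol) for f in frames[:depth])


def same_crash(log_a: str, log_b: str, depth: int = 5, strict: bool = True) -> bool:
    return (signature(parse_frames(log_a), depth, strict)
            == signature(parse_frames(log_b), depth, strict))


# Top frames of the first crash log in this bug (r266350 regression).
LOG_R266350 = """
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x00000001079c56be WebCore::ImageLoader::updateFromElement(WebCore::RelevantMutation) + 1086
1   com.apple.WebCore             	0x0000000107703464 WebCore::HTMLImageElement::selectImageSource(WebCore::RelevantMutation) + 1060
2   com.apple.WebCore             	0x000000010750a8df WebCore::Element::attributeChanged(WebCore::QualifiedName const&, WTF::AtomString const&, WTF::AtomString const&, WebCore::Element::AttributeModificationReason) + 1327
3   com.apple.WebCore             	0x000000010770354e WebCore::HTMLImageElement::attributeChanged(WebCore::QualifiedName const&, WTF::AtomString const&, WTF::AtomString const&, WebCore::Element::AttributeModificationReason) + 126
4   com.apple.WebCore             	0x0000000107509af0 WebCore::Element::setAttributeInternal(unsigned int, WebCore::QualifiedName const&, WTF::AtomString const&, WebCore::Element::SynchronizationOfLazyAttribute) + 848
5   com.apple.WebCore             	0x00000001067c8130 WebCore::setJSHTMLImageElementSrc(JSC::JSGlobalObject*, long long, long long) + 448
"""

# Top frames of the second crash log in this bug (r266408 re-land).
LOG_R266408 = """
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x0000000106d60b0e WebCore::ImageLoader::updateFromElement(WebCore::RelevantMutation) + 1086
1   com.apple.WebCore             	0x0000000106a97d34 WebCore::HTMLImageElement::selectImageSource(WebCore::RelevantMutation) + 1060
2   com.apple.WebCore             	0x000000010689d70f WebCore::Element::attributeChanged(WebCore::QualifiedName const&, WTF::AtomString const&, WTF::AtomString const&, WebCore::Element::AttributeModificationReason) + 1327
3   com.apple.WebCore             	0x0000000106a97e1e WebCore::HTMLImageElement::attributeChanged(WebCore::QualifiedName const&, WTF::AtomString const&, WTF::AtomString const&, WebCore::Element::AttributeModificationReason) + 126
4   com.apple.WebCore             	0x000000010689c920 WebCore::Element::setAttributeInternal(unsigned int, WebCore::QualifiedName const&, WTF::AtomString const&, WebCore::Element::SynchronizationOfLazyAttribute) + 848
5   com.apple.WebCore             	0x0000000105b53000 WebCore::setJSHTMLImageElementSrc(JSC::JSGlobalObject*, long long, long long) + 448
"""

# Constructed, hypothetical: same stack but a different offset in frame 0,
# i.e. a crash at another site inside updateFromElement.
LOG_OTHER = LOG_R266350.replace("+ 1086", "+ 1102", 1)


if __name__ == "__main__":
    print("r266350 vs r266408, strict:", same_crash(LOG_R266350, LOG_R266408))
    print("r266350 vs other,   strict:", same_crash(LOG_R266350, LOG_OTHER))
    print("r266350 vs other,   loose: ", same_crash(LOG_R266350, LOG_OTHER, strict=False))
```

The strict comparison reports the two attached logs as the same crash and rejects the constructed variant. Treat a strict match across two different builds as strong evidence, not proof: the offsets only line up because updateFromElement's code did not change between the two builds; once the function is recompiled with a different body, the same crash can show a different offset and only the symbol-level comparison still holds.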
Comment 6 Hector Lopez 2020-09-01 18:57:32 PDT
Reverted change while being investigated:

https://trac.webkit.org/changeset/266446/webkit
Comment 7 youenn fablet 2020-09-03 01:48:02 PDT
*** This bug has been marked as a duplicate of bug 215610 ***
Comment 8 youenn fablet 2020-09-03 01:48:17 PDT
Let's move investigation to the initial bug.