166568 2016-12-28 15:31:36 -0800 ASSERTION FAILED: !source || is<Target>(*source) in CoordinatedGraphicsLayer::removeFromParent 2018-01-03 10:53:22 -0800 1 1 1 Unclassified WebKit WebKitGTK WebKit Nightly Build PC Linux RESOLVED FIXED https://bugs.webkit.org/show_bug.cgi?id=180232 P2 Normal --- 1 mcatanzaro mcatanzaro bugs-noreply commit-queue magomez mcatanzaro simon.fraser zan oldest_to_newest 1262990 0 mcatanzaro 2016-12-28 15:31:36 -0800 This coordinated graphics assertion is reproducible by clicking the video conference button on https://talkgadget.google.com in Epiphany. Both the original browser tab and the new tab created when clicking the button display the crash error page, but it's just one crash because the new webview is related (sharing the original web process): ASSERTION FAILED: !source || is<Target>(*source) ../../Source/WTF/wtf/TypeCasts.h(89) : typename WTF::match_constness<Source, Target>::type* WTF::downcast(Source*) [with Target = WebCore::CoordinatedGraphicsLayer; Source = WebCore::GraphicsLayer; typename WTF::match_constness<Source, Target>::type = WebCore::CoordinatedGraphicsLayer] 1 0x7fffe935ff82 /home/mcatanzaro/src/jhbuild/install/lib/libjavascriptcoregtk-4.0.so.18(WTFCrash+0x1e) [0x7fffe935ff82] 2 0x7fffe935ff98 /home/mcatanzaro/src/jhbuild/install/lib/libjavascriptcoregtk-4.0.so.18(+0x2498f98) [0x7fffe935ff98] 3 0x7ffff30f9520 /home/mcatanzaro/src/jhbuild/install/lib/libwebkit2gtk-4.0.so.37(_ZN3WTF8downcastIN7WebCore24CoordinatedGraphicsLayerENS1_13GraphicsLayerEEEPNS_15match_constnessIT0_T_E4typeEPS5_+0x4a) [0x7ffff30f9520] 4 0x7ffff30fa106 /home/mcatanzaro/src/jhbuild/install/lib/libwebkit2gtk-4.0.so.37(_ZN7WebCore24CoordinatedGraphicsLayer16removeFromParentEv+0x20) [0x7ffff30fa106] 5 0x7ffff2990634 /home/mcatanzaro/src/jhbuild/install/lib/libwebkit2gtk-4.0.so.37(_ZN7WebCore13GraphicsLayer15willBeDestroyedEv+0xc6) [0x7ffff2990634] 6 0x7ffff30f9e7a /home/mcatanzaro/src/jhbuild/install/lib/libwebkit2gtk-4.0.so.37(_ZN7WebCore24CoordinatedGraphicsLayerD1Ev+0x134) [0x7ffff30f9e7a] 7 0x7ffff30f9f50 /home/mcatanzaro/src/jhbuild/install/lib/libwebkit2gtk-4.0.so.37(_ZN7WebCore24CoordinatedGraphicsLayerD0Ev+0x18) [0x7ffff30f9f50] 8 0x7ffff164dd5c /home/mcatanzaro/src/jhbuild/install/lib/libwebkit2gtk-4.0.so.37(_ZNKSt14default_deleteIN7WebCore13GraphicsLayerEEclEPS1_+0x2e) [0x7ffff164dd5c] 9 0x7ffff1957c4d /home/mcatanzaro/src/jhbuild/install/lib/libwebkit2gtk-4.0.so.37(_ZNSt10unique_ptrIN7WebCore13GraphicsLayerESt14default_deleteIS1_EE5resetEPS1_+0x53) [0x7ffff1957c4d] 10 0x7ffff1955beb /home/mcatanzaro/src/jhbuild/install/lib/libwebkit2gtk-4.0.so.37(_ZNSt10unique_ptrIN7WebCore13GraphicsLayerESt14default_deleteIS1_EEaSEDn+0x21) [0x7ffff1955beb] 11 0x7ffff2c277b6 /home/mcatanzaro/src/jhbuild/install/lib/libwebkit2gtk-4.0.so.37(_ZN7WebCore18RenderLayerBacking27updateChildClippingStrategyEb+0x3a0) [0x7ffff2c277b6] 12 0x7ffff2c216cc /home/mcatanzaro/src/jhbuild/install/lib/libwebkit2gtk-4.0.so.37(_ZN7WebCore18RenderLayerBacking19updateConfigurationEv+0x2b2) [0x7ffff2c216cc] 13 0x7ffff2c34df6 /home/mcatanzaro/src/jhbuild/install/lib/libwebkit2gtk-4.0.so.37(_ZN7WebCore21RenderLayerCompositor27rebuildCompositingLayerTreeERNS_11RenderLayerERN3WTF6VectorIPNS_13GraphicsLayerELm0ENS3_15CrashOnOverflowELm16EEEi+0xb8) [0x7ffff2c34df6] 14 0x7ffff2c3514d /home/mcatanzaro/src/jhbuild/install/lib/libwebkit2gtk-4.0.so.37(_ZN7WebCore21RenderLayerCompositor27rebuildCompositingLayerTreeERNS_11RenderLayerERN3WTF6VectorIPNS_13GraphicsLayerELm0ENS3_15CrashOnOverflowELm16EEEi+0x40f) [0x7ffff2c3514d] 15 0x7ffff2c3514d /home/mcatanzaro/src/jhbuild/install/lib/libwebkit2gtk-4.0.so.37(_ZN7WebCore21RenderLayerCompositor27rebuildCompositingLayerTreeERNS_11RenderLayerERN3WTF6VectorIPNS_13GraphicsLayerELm0ENS3_15CrashOnOverflowELm16EEEi+0x40f) [0x7ffff2c3514d] 16 0x7ffff2c31af1 /home/mcatanzaro/src/jhbuild/install/lib/libwebkit2gtk-4.0.so.37(_ZN7WebCore21RenderLayerCompositor23updateCompositingLayersENS_21CompositingUpdateTypeEPNS_11RenderLayerE+0x5bf) [0x7ffff2c31af1] 17 0x7ffff27b2551 /home/mcatanzaro/src/jhbuild/install/lib/libwebkit2gtk-4.0.so.37(_ZN7WebCore9FrameView34updateCompositingLayersAfterLayoutEv+0x55) [0x7ffff27b2551] 18 0x7ffff27b4580 /home/mcatanzaro/src/jhbuild/install/lib/libwebkit2gtk-4.0.so.37(_ZN7WebCore9FrameView6layoutEb+0x115e) [0x7ffff27b4580] 19 0x7ffff27c0385 /home/mcatanzaro/src/jhbuild/install/lib/libwebkit2gtk-4.0.so.37(_ZN7WebCore9FrameView37updateLayoutAndStyleIfNeededRecursiveEv+0x85) [0x7ffff27c0385] 20 0x7ffff1952e84 /home/mcatanzaro/src/jhbuild/install/lib/libwebkit2gtk-4.0.so.37(_ZN6WebKit22CompositingCoordinator16syncDisplayStateEv+0x2c) [0x7ffff1952e84] 21 0x7ffff195f7c3 /home/mcatanzaro/src/jhbuild/install/lib/libwebkit2gtk-4.0.so.37(_ZN6WebKit24CoordinatedLayerTreeHost20layerFlushTimerFiredEv+0x3f) [0x7ffff195f7c3] 22 0x7ffff195fd58 /home/mcatanzaro/src/jhbuild/install/lib/libwebkit2gtk-4.0.so.37(_ZN3WTF7RunLoop5TimerIN6WebKit24CoordinatedLayerTreeHostEE5firedEv+0x66) [0x7ffff195fd58] 23 0x7fffe93c7731 /home/mcatanzaro/src/jhbuild/install/lib/libjavascriptcoregtk-4.0.so.18(+0x2500731) [0x7fffe93c7731] 24 0x7fffe93c776d /home/mcatanzaro/src/jhbuild/install/lib/libjavascriptcoregtk-4.0.so.18(+0x250076d) [0x7fffe93c776d] 25 0x7fffe93c6d94 /home/mcatanzaro/src/jhbuild/install/lib/libjavascriptcoregtk-4.0.so.18(+0x24ffd94) [0x7fffe93c6d94] 26 0x7fffe93c6dc3 /home/mcatanzaro/src/jhbuild/install/lib/libjavascriptcoregtk-4.0.so.18(+0x24ffdc3) [0x7fffe93c6dc3] 27 0x7fffe16b12de /home/mcatanzaro/src/jhbuild/install/lib/libglib-2.0.so.0(+0x542de) [0x7fffe16b12de] 28 0x7fffe16b2160 /home/mcatanzaro/src/jhbuild/install/lib/libglib-2.0.so.0(g_main_context_dispatch+0x33) [0x7fffe16b2160] 29 0x7fffe16b2344 /home/mcatanzaro/src/jhbuild/install/lib/libglib-2.0.so.0(+0x55344) [0x7fffe16b2344] 30 0x7fffe16b276a /home/mcatanzaro/src/jhbuild/install/lib/libglib-2.0.so.0(g_main_loop_run+0x1d5) [0x7fffe16b276a] 31 0x7fffe93c7374 /home/mcatanzaro/src/jhbuild/install/lib/libjavascriptcoregtk-4.0.so.18(_ZN3WTF7RunLoop3runEv+0xac) [0x7fffe93c7374] 1376681 1 mcatanzaro 2017-11-30 18:46:55 -0800 This is 100% reproducible by playing any YouTube video and clicking on the settings button. ASSERTION FAILED: !source || is<Target>(*source) ../../Source/WTF/wtf/TypeCasts.h(89) : typename WTF::match_constness<Source, Target>::type* WTF::downcast(Source*) [with Target = WebCore::CoordinatedGraphicsLayer; Source = WebCore::GraphicsLayer; typename WTF::match_constness<Source, Target>::type = WebCore::CoordinatedGraphicsLayer] #0 0x00007f2a7fd59e87 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:273 No locals. #1 0x00007f2a7fd59e98 in WTFCrashWithSecurityImplication () at ../../Source/WTF/wtf/Assertions.cpp:294 No locals. #2 0x00007f2a89845859 in WTF::downcast<WebCore::CoordinatedGraphicsLayer, WebCore::GraphicsLayer> (source=0x7f2a10478900) at ../../Source/WTF/wtf/TypeCasts.h:89 __PRETTY_FUNCTION__ = "typename WTF::match_constness<Source, Target>::type* WTF::downcast(Source*) [with Target = WebCore::CoordinatedGraphicsLayer; Source = WebCore::GraphicsLayer; typename WTF::match_constness<Source, Tar"... #3 0x00007f2a89840250 in WebCore::CoordinatedGraphicsLayer::removeFromParent ( this=0x7f29f41e7000) at ../../Source/WebCore/platform/graphics/texmap/coordinated/CoordinatedGraphicsLayer.cpp:206 parentLayer = 0x7f29f4f33840 #4 0x00007f2a8afb099a in WebCore::GraphicsLayer::willBeDestroyed ( this=0x7f29f41e7000) at ../../Source/WebCore/platform/graphics/GraphicsLayer.cpp:170 No locals. #5 0x00007f2a8983ffc5 in WebCore::CoordinatedGraphicsLayer::~CoordinatedGraphicsLayer (this=0x7f29f41e7000, __in_chrg=<optimized out>) at ../../Source/WebCore/platform/graphics/texmap/coordinated/CoordinatedGraphicsLayer.cpp:159 No locals. #6 0x00007f2a8984009a in WebCore::CoordinatedGraphicsLayer::~CoordinatedGraphicsLayer (this=0x7f29f41e7000, __in_chrg=<optimized out>) at ../../Source/WebCore/platform/graphics/texmap/coordinated/CoordinatedGraphicsLayer.cpp:160 No locals. #7 0x00007f2a8943b2b6 in std::default_delete<WebCore::GraphicsLayer>::operator() (this=0x7f29f4f33888, __ptr=0x7f29f41e7000) at /usr/include/c++/7/bits/unique_ptr.h:78 No locals. #8 0x00007f2a8970f823 in std::unique_ptr<WebCore::GraphicsLayer, std::default_delete<WebCore::GraphicsLayer> >::reset (this=0x7f29f4f33888, __p=0x7f29f41e7000) at /usr/include/c++/7/bits/unique_ptr.h:376 No locals. #9 0x00007f2a8970daeb in std::unique_ptr<WebCore::GraphicsLayer, std::default_delete<WebCore::GraphicsLayer> >::operator=(decltype(nullptr)) ( this=0x7f29f4f33888) at /usr/include/c++/7/bits/unique_ptr.h:312 No locals. #10 0x00007f2a8b2a479c in WebCore::RenderLayerBacking::updateChildClippingStrategy (this=0x7f29f4f33840, needsDescendantsClippingLayer=false) at ../../Source/WebCore/rendering/RenderLayerBacking.cpp:1704 No locals. #11 0x00007f2a8b29e958 in WebCore::RenderLayerBacking::updateConfiguration ( this=0x7f29f4f33840) at ../../Source/WebCore/rendering/RenderLayerBacking.cpp:708 layerConfigChanged = true needsDescendantsClippingLayer = false contentsInfo = {m_backing = @0x7ffee4fa8810, m_boxDecorations = -1960043926, m_content = 32554, m_subpixelAntialiasedText = 1828332384, m_contentsType = 32554} #12 0x00007f2a8b2aeaa4 in WebCore::RenderLayerCompositor::rebuildCompositingLayerTree (this=0x7f2a6cfa44f8, layer=..., childLayersOfEnclosingLayer=..., depth=2) at ../../Source/WebCore/rendering/RenderLayerCompositor.cpp:1538 layerBacking = 0x7f29f4f33840 layerChildren = {<WTF::VectorBuffer<WebCore::GraphicsLayer*, 0, WTF::FastMalloc>> = {<WTF::VectorBufferBase<WebCore::GraphicsLayer*, WTF::FastMalloc>> = {m_buffer = 0x0, m_capacity = 0, m_size = 0}, <No data fields>}, <No data fields>} childList = @0x7ffee4fa8890: {<WTF::VectorBuffer<WebCore::GraphicsLayer*, 0, WTF::FastMalloc>> = {<WTF::VectorBufferBase<WebCore::GraphicsLayer*, WTF::FastMalloc>> = {m_buffer = 0x0, m_capacity = 0, m_size = 0}, <No data fields>}, <No data fields>} mutationChecker = {m_layer = 0x7f2a0fed8120, m_previousMutationAllowedState = true} #13 0x00007f2a8b2aed64 in WebCore::RenderLayerCompositor::rebuildCompositingLayerTree (this=0x7f2a6cfa44f8, layer=..., childLayersOfEnclosingLayer=..., depth=1) at ../../Source/WebCore/rendering/RenderLayerCompositor.cpp:1580 renderLayer = 0x7f29dd93e7e0 __for_range = @0x7f2a113ea420: {<WTF::VectorBuffer<WebCore::RenderLayer*, 0, WTF::FastMalloc>> = {<WTF::VectorBufferBase<WebCore::RenderLayer*, WTF::FastMalloc>> = {m_buffer = 0x7f29ea271000, m_capacity = 214, m_size = 188}, <No data fields>}, <No data fields>} __for_begin = 0x7f29ea271548 __for_end = 0x7f29ea2715e0 posZOrderList = 0x7f2a113ea420 layerBacking = 0x0 layerChildren = {<WTF::VectorBuffer<WebCore::GraphicsLayer*, 0, WTF::FastMalloc>> = {<WTF::VectorBufferBase<WebCore::GraphicsLayer*, WTF::FastMalloc>> = {m_buffer = 0x0, m_capacity = 0, m_size = 0}, <No data fields>}, <No data fields>} childList = @0x7ffee4fa8ad0: {<WTF::VectorBuffer<WebCore::GraphicsLayer*, 0, WTF::FastMalloc>> = {<WTF::VectorBufferBase<WebCore::GraphicsLayer*, WTF::FastMalloc>> = {m_buffer = 0x7f2a0f481680, m_capacity = 16, m_size = 11}, <No data fields>}, <No data fields>} mutationChecker = {m_layer = 0x7f2a6cfa2b40, m_previousMutationAllowedState = true} #14 0x00007f2a8b2aed64 in WebCore::RenderLayerCompositor::rebuildCompositingLayerTree (this=0x7f2a6cfa44f8, layer=..., childLayersOfEnclosingLayer=..., depth=0) at ../../Source/WebCore/rendering/RenderLayerCompositor.cpp:1580 renderLayer = 0x7f2a6cfa2b40 __for_range = @0x7f2a1b2965e0: {<WTF::VectorBuffer<WebCore::RenderLayer*, 0, WTF::FastMalloc>> = {<WTF::VectorBufferBase<WebCore::RenderLayer*, WTF::FastMalloc>> = {m_buffer = 0x7f2a1b26d980, m_capacity = 16, m_size = 1}, <No data fields>}, <No data fields>} __for_begin = 0x7f2a1b26d980 __for_end = 0x7f2a1b26d988 posZOrderList = 0x7f2a1b2965e0 layerBacking = 0x7f2a0f40e8f0 layerChildren = {<WTF::VectorBuffer<WebCore::GraphicsLayer*, 0, WTF::FastMalloc>> = {<WTF::VectorBufferBase<WebCore::GraphicsLayer*, WTF::FastMalloc>> = {m_buffer = 0x7f2a0f481680, m_capacity = 16, m_size = 11}, <No data fields>}, <No data fields>} childList = @0x7ffee4fa8ad0: {<WTF::VectorBuffer<WebCore::GraphicsLayer*, 0, WTF::FastMalloc>> = {<WTF::VectorBufferBase<WebCore::GraphicsLayer*, WTF::FastMalloc>> = {m_buffer = 0x7f2a0f481680, m_capacity = 16, m_size = 11}, <No data fields>}, <No data fields>} mutationChecker = {m_layer = 0x7f2a6cfa2360, m_previousMutationAllowedState = true} #15 0x00007f2a8b2abc5b in WebCore::RenderLayerCompositor::updateCompositingLayers (this=0x7f2a6cfa44f8, updateType=WebCore::CompositingUpdateType::AfterLayout, updateRoot=0x7f2a6cfa2360) at ../../Source/WebCore/rendering/RenderLayerCompositor.cpp:735 childList = {<WTF::VectorBuffer<WebCore::GraphicsLayer*, 0, WTF::FastMalloc>> = {<WTF::VectorBufferBase<WebCore::GraphicsLayer*, WTF::FastMalloc>> = { m_buffer = 0x0, m_capacity = 0, m_size = 0}, <No data fields>}, <No data fields>} __PRETTY_FUNCTION__ = "bool WebCore::RenderLayerCompositor::updateCompositingLayers(WebCore::CompositingUpdateType, WebCore::RenderLayer*)" animationUpdateBlock = {m_animationController = 0x7f2a6cfff938} postLayoutChange = {m_scopedVariable = @0x7f2a6cfa4567, m_originalValue = false} checkForHierarchyUpdate = true needGeometryUpdate = false needHierarchyUpdate = true isFullUpdate = true startTime = {static clockType = WTF::ClockType::Monotonic, m_value = 0} #16 0x00007f2a8ada47ad in WebCore::FrameView::updateCompositingLayersAfterLayout (this=0x7f2a228f4900) at ../../Source/WebCore/page/FrameView.cpp:802 renderView = 0x7f2a1c2004f0 #17 0x00007f2a8ada5d24 in WebCore::FrameView::didLayout (this=0x7f2a228f4900, layoutRoot=...) at ../../Source/WebCore/page/FrameView.cpp:1270 layoutRootEnclosingLayer = 0x7f2a6cfa2360 #18 0x00007f2a8adb59fa in WebCore::LayoutContext::layout (this=0x7f2a228f4c80) at ../../Source/WebCore/page/LayoutContext.cpp:206 layoutPhase = {m_scopedVariable = @0x7f2a228f4d10, m_originalValue = WebCore::LayoutContext::LayoutPhase::OutsideLayout} __PRETTY_FUNCTION__ = "void WebCore::LayoutContext::layout()" protectView = {static isRef = <optimized out>, m_ptr = 0x7f2a228f4900} layoutScope = {m_view = @0x7f2a228f4900, m_nestedState = { m_scopedVariable = @0x7f2a228f4d14, m_originalValue = WebCore::LayoutContext::LayoutNestedState::NotInLayout}, m_schedulingIsEnabled = {m_scopedVariable = @0x7f2a228f4d08, m_originalValue = true}, m_inProgrammaticScroll = false} tracingScope = {m_exitCode = LayoutEnd} inspectorLayoutScope = {m_instrumentingAgents = { static isRefPtr = <optimized out>, m_ptr = 0x0}, m_timelineAgentId = 0} animationUpdateBlock = {m_animationController = 0x7f2a6cfff938} layoutRoot = {m_ref = {static isRefPtr = <optimized out>, m_ptr = 0x7f2a1b2a3dc0}} #19 0x00007f2a8a725e45 in WebCore::Document::updateLayout (this=0x7f2a6cf8a000) at ../../Source/WebCore/dom/Document.cpp:1985 __PRETTY_FUNCTION__ = "void WebCore::Document::updateLayout()" frameView = {static isRefPtr = <optimized out>, m_ptr = 0x7f2a228f4900} repaintRegionAccumulator = {m_rootView = {m_ref = { static isRefPtr = <optimized out>, m_ptr = 0x7f2a1b2a3dc0}}, m_wasAccumulatingRepaintRegion = false} layoutCheckPoint = {<No data fields>} #20 0x00007f2a8a725ec2 in WebCore::Document::updateLayoutIgnorePendingStylesheets (this=0x7f2a6cf8a000, runPostLayoutTasks=WebCore::Document::RunPostLayoutTasks::Asynchronously) at ../../Source/WebCore/dom/Document.cpp:1999 oldIgnore = false #21 0x00007f2a8a79e093 in WebCore::Element::boundingClientRect ( this=0x7f2a1b2f9f70) at ../../Source/WebCore/dom/Element.cpp:1222 renderer = 0x7f2a89310c40 <WebCore::JSDOMWrapper<WebCore::EventTarget>::wrapped() const+28> quads = {<WTF::VectorBuffer<WebCore::FloatQuad, 0, WTF::FastMalloc>> = {<WTF::VectorBufferBase<WebCore::FloatQuad, WTF::FastMalloc>> = { m_buffer = 0x7ffee4fa93c0, m_capacity = 2301712372, m_size = 32554}, <No data fields>}, <No data fields>} result = {m_location = {m_x = -3.69786963e+22, m_y = 4.64544454e-41}, m_size = {m_width = 1.27056962e-21, m_height = 4.56178702e-41}} #22 0x00007f2a8a79e422 in WebCore::Element::getBoundingClientRect ( this=0x7f2a1b2f9f70) at ../../Source/WebCore/dom/Element.cpp:1251 No locals. #23 0x00007f2a8996d57d in WebCore::jsElementPrototypeFunctionGetBoundingClientRectBody (state=0x7ffee4fa95e0, castedThis=0x7f29eda89ca0, throwScope=...) at DerivedSources/WebCore/JSElement.cpp:2251 impl = @0x7f2a1b2f9f70: {<WebCore::ContainerNode> = {<WebCore::Node> = {<No data fields>}, m_firstChild = 0x7f29ed643cd0, m_lastChild = 0x7f29ef9c9b40}, m_tagName = {m_impl = {static isRefPtr = <optimized out>, m_ptr = 0x7f29f3785e70}}, m_elementData = { static isRefPtr = <optimized out>, m_ptr = 0x7f29efe16100}} #24 0x00007f2a8997bac7 in WebCore::IDLOperation<WebCore::JSElement>::call<WebCore::jsElementPrototypeFunctionGetBoundingClientRectBody> (state=..., operationName=0x7f2a8c216088 "getBoundingClientRect") at ../../Source/WebCore/bindings/js/JSDOMOperation.h:53 __PRETTY_FUNCTION__ = "static JSC::EncodedJSValue WebCore::IDLOperation<JSClass>::call(JSC::ExecState&, const char*) [with JSC::EncodedJSValue (* operation)(JSC::ExecState*, WebCore::IDLOperation<JSClass>::ClassParameter, J"... __FUNCTION__ = "call" throwScope = {<JSC::ExceptionScope> = {m_vm = @0x7f2a1cc00000, m_previousScope = 0x7ffee4fa9b50, m_location = { functionName = 0x7f2a8c225abc <long WebCore::IDLOperation<WebCore::JSElement>::call<&WebCore::jsElementPrototypeFunctionGetBoundingClientRectBody, (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*)::__FUNCTION__> "call", file = 0x7f2a8c216ba0 "../../Source/WebCore/bindings/js/JSDOMOperation.h", line = 43}, m_recursionDepth = 4}, m_isReleased = false} thisObject = 0x7f29eda89ca0 #25 0x00007f2a8996d5df in WebCore::jsElementPrototypeFunctionGetBoundingClientRect (state=0x7ffee4fa95e0) at DerivedSources/WebCore/JSElement.cpp:2256 No locals. #26 0x00007f2a2490a168 in ?? () No symbol table info available. #27 0x00007ffee4fa9790 in ?? () No symbol table info available. #28 0x00007f2a249c0fe2 in ?? () No symbol table info available. #29 0x0000000000000000 in ?? () No symbol table info available. 1376690 2 mcatanzaro 2017-11-30 19:12:17 -0800 (In reply to Michael Catanzaro from comment #1) > This is 100% reproducible by playing any YouTube video and clicking on the > settings button. You might have to additionally click on the button to show the video resolution selector. 1376695 3 mcatanzaro 2017-11-30 19:56:52 -0800 (In reply to Michael Catanzaro from comment #0) > This coordinated graphics assertion is reproducible by clicking the video > conference button on https://talkgadget.google.com in Epiphany. Both the > original browser tab and the new tab created when clicking the button > display the crash error page, but it's just one crash because the new > webview is related (sharing the original web process) That crash is no longer happening. Use YouTube to reproduce. 1376718 4 mcatanzaro 2017-11-30 21:38:52 -0800 The problem is the parent layer has already been destroyed. But, from code inspection, it looks like that should be impossible. I'm missing something. 1376813 5 mcatanzaro 2017-12-01 08:05:25 -0800 (In reply to Michael Catanzaro from comment #4) > The problem is the parent layer has already been destroyed. But, from code > inspection, it looks like that should be impossible. I'm missing something. More specifically, the problem is that, at the time the parent layer was destroyed, it had no children, i.e. its m_children.size() was 0, so it did not unparent the child layer when destroyed, because it did not know about the child layer. But the child layer still holds a dangling pointer to the parent layer. Remaining question is why. 1376849 6 328106 mcatanzaro 2017-12-01 09:39:05 -0800 Created attachment 328106 Patch 1377290 7 mcatanzaro 2017-12-02 07:25:50 -0800 (In reply to Michael Catanzaro from comment #6) > Created attachment 328106 [details] > Patch This really ought to have a layout test. Figuring out how to do that seems a lot harder than fixing the crash, though. 1385352 8 mcatanzaro 2018-01-02 18:14:18 -0800 Any reviewers interested in this one? 1385517 9 328106 commit-queue 2018-01-03 10:53:21 -0800 Comment on attachment 328106 Patch Clearing flags on attachment: 328106 Committed r226368: <https://trac.webkit.org/changeset/226368> 1385518 10 commit-queue 2018-01-03 10:53:22 -0800 All reviewed patches have been landed. Closing bug. 328106 2017-12-01 09:39:05 -0800 2018-01-03 10:53:21 -0800 Patch bug-166568-20171201113904.patch text/plain 1713 mcatanzaro U3VidmVyc2lvbiBSZXZpc2lvbjogMjI1MzM4CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggM2Q2ZjQwMDVkNWYxZDcx MzA0YTY2NzVmZTg1ODQ0ZmI4YzlkYmJjMi4uOGU5YjI1M2RlZDljOGM1ZGRlYmYyMTBiMDU2OTAy OGFlNDUwNTZhZiAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE4IEBACisyMDE3LTEyLTAxICBNaWNo YWVsIENhdGFuemFybyAgPG1jYXRhbnphcm9AaWdhbGlhLmNvbT4KKworICAgICAgICBBU1NFUlRJ T04gRkFJTEVEOiAhc291cmNlIHx8IGlzPFRhcmdldD4oKnNvdXJjZSkgaW4gQ29vcmRpbmF0ZWRH cmFwaGljc0xheWVyOjpyZW1vdmVGcm9tUGFyZW50CisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJr aXQub3JnL3Nob3dfYnVnLmNnaT9pZD0xNjY1NjgKKworICAgICAgICBSZXZpZXdlZCBieSBOT0JP RFkgKE9PUFMhKS4KKworICAgICAgICBXaGVuIGEgR3JhcGhpY3NMYXllciBoYXMgYSBtYXNrIGxh eWVyLCBpdCBmYWlscyB0byBwcm9wZXJseSB1bnBhcmVudCB0aGUgbWFzayBsYXllciBiZWZvcmUK KyAgICAgICAgaXQgaXMgZGVzdHJveWVkLiBUaGlzIGxlYXZlcyB0aGUgbWFzayBsYXllciB3aXRo IGEgZGFuZ2xpbmcgcGFyZW50IHBvaW50ZXIuIEZpeCBpdCwgd2hpbGUKKyAgICAgICAgdGFraW5n IGNhcmUgbm90IHRvIGludHJvZHVjZSB5ZXQgYW5vdGhlciB2aXJ0dWFsIGZ1bmN0aW9uIGNhbGwg ZHVyaW5nIHRoZSBleGVjdXRpb24gb2YgdGhlCisgICAgICAgIGRlc3RydWN0b3IuCisKKyAgICAg ICAgKiBwbGF0Zm9ybS9ncmFwaGljcy9HcmFwaGljc0xheWVyLmNwcDoKKyAgICAgICAgKFdlYkNv cmU6OkdyYXBoaWNzTGF5ZXI6OndpbGxCZURlc3Ryb3llZCk6CisKIDIwMTctMTEtMzAgIENocmlz IER1bWV6ICA8Y2R1bWV6QGFwcGxlLmNvbT4KIAogICAgICAgICBSZW5hbWUgUmVnaXN0cmF0aW9u T3B0aW9ucyB0byBTZXJ2aWNlV29ya2VyUmVnaXN0cmF0aW9uT3B0aW9ucwpkaWZmIC0tZ2l0IGEv U291cmNlL1dlYkNvcmUvcGxhdGZvcm0vZ3JhcGhpY3MvR3JhcGhpY3NMYXllci5jcHAgYi9Tb3Vy Y2UvV2ViQ29yZS9wbGF0Zm9ybS9ncmFwaGljcy9HcmFwaGljc0xheWVyLmNwcAppbmRleCA4ZTE4 YzI3ZTI4M2ZjM2MyNTJkYWEyZTk2NmJiODJkMWU0MGQ2ZDUwLi4xMzEyMTRiNGUxZWI2NjY4MzEx MmY2ZmM5NjM1YjM4MWU4NDlhMjk5IDEwMDY0NAotLS0gYS9Tb3VyY2UvV2ViQ29yZS9wbGF0Zm9y bS9ncmFwaGljcy9HcmFwaGljc0xheWVyLmNwcAorKysgYi9Tb3VyY2UvV2ViQ29yZS9wbGF0Zm9y bS9ncmFwaGljcy9HcmFwaGljc0xheWVyLmNwcApAQCAtMTY2LDYgKzE2NiwxMSBAQCB2b2lkIEdy YXBoaWNzTGF5ZXI6OndpbGxCZURlc3Ryb3llZCgpCiAgICAgaWYgKG1fcmVwbGljYXRlZExheWVy KQogICAgICAgICBtX3JlcGxpY2F0ZWRMYXllci0+c2V0UmVwbGljYXRlZEJ5TGF5ZXIoMCk7CiAK KyAgICBpZiAobV9tYXNrTGF5ZXIpIHsKKyAgICAgICAgbV9tYXNrTGF5ZXItPnNldFBhcmVudChu dWxscHRyKTsKKyAgICAgICAgbV9tYXNrTGF5ZXItPnNldElzTWFza0xheWVyKGZhbHNlKTsKKyAg ICB9CisKICAgICByZW1vdmVBbGxDaGlsZHJlbigpOwogICAgIHJlbW92ZUZyb21QYXJlbnQoKTsK IH0K