166824 2017-01-08 13:00:48 -0800 ASSERTION FAILED: isPlaced() in WebCore::FloatingObject::frameRect 2022-10-25 09:18:31 -0700 1 1 1 Unclassified WebKit Layout and Rendering WebKit Local Build Unspecified Unspecified RESOLVED DUPLICATE 244580 P2 Normal --- 116980 1 hodovan webkit-unassigned fred.wang simon.fraser zalan oldest_to_newest 1264843 0 hodovan 2017-01-08 13:00:48 -0800 Load the attached test with debug WebKitTestRunner: Checked version: 217d599 OS: Darwin-15.6.0-x86_64-i386-64bit <style>{}*,*{float:right</style><object></object><br><wbr><object> Backtrace: ASSERTION FAILED: isPlaced() WebKit/Source/WebCore/rendering/FloatingObjects.h(67) : const WebCore::LayoutRect &WebCore::FloatingObject::frameRect() const 1 0x1155214f1 WTFCrash 2 0x11aefe7ee WebCore::FloatingObject::frameRect() const 3 0x11e5f6b8c WebCore::RenderBlockFlow::layoutRunsAndFloatsInRange(WebCore::LineLayoutState&, WebCore::BidiResolverWithIsolate<WebCore::InlineIterator, WebCore::BidiRun, WebCore::BidiIsolatedRun>&, WebCore::InlineIterator const&, WebCore::BidiStatus const&, unsigned int) 4 0x11e5f180b WebCore::RenderBlockFlow::layoutRunsAndFloats(WebCore::LineLayoutState&, bool) 5 0x11e5fcf42 WebCore::RenderBlockFlow::layoutLineBoxes(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) 6 0x11e57879b WebCore::RenderBlockFlow::layoutInlineChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) 7 0x11e575791 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) 8 0x11e4bf1b2 WebCore::RenderBlock::layout() 9 0x11af4c3ec WebCore::RenderElement::layoutIfNeeded() 10 0x11e57e131 WebCore::RenderBlockFlow::insertFloatingObject(WebCore::RenderBox&) 11 0x11db5fabc WebCore::LineBreaker::skipLeadingWhitespace(WebCore::BidiResolverWithIsolate<WebCore::InlineIterator, WebCore::BidiRun, WebCore::BidiIsolatedRun>&, WebCore::LineInfo&, WebCore::FloatingObject*, WebCore::LineWidth&) 12 0x11db60044 WebCore::LineBreaker::nextLineBreak(WebCore::BidiResolverWithIsolate<WebCore::InlineIterator, WebCore::BidiRun, WebCore::BidiIsolatedRun>&, WebCore::LineInfo&, WebCore::LineLayoutState&, WebCore::RenderTextInfo&, WebCore::FloatingObject*, unsigned int, WTF::Vector<WebCore::WordMeasurement, 64ul, WTF::CrashOnOverflow, 16ul>&) 13 0x11e5f4b0a WebCore::RenderBlockFlow::layoutRunsAndFloatsInRange(WebCore::LineLayoutState&, WebCore::BidiResolverWithIsolate<WebCore::InlineIterator, WebCore::BidiRun, WebCore::BidiIsolatedRun>&, WebCore::InlineIterator const&, WebCore::BidiStatus const&, unsigned int) 14 0x11e5f180b WebCore::RenderBlockFlow::layoutRunsAndFloats(WebCore::LineLayoutState&, bool) 15 0x11e5fcf42 WebCore::RenderBlockFlow::layoutLineBoxes(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) 16 0x11e57879b WebCore::RenderBlockFlow::layoutInlineChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) 17 0x11e575791 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) 18 0x11e4bf1b2 WebCore::RenderBlock::layout() 19 0x11af4c3ec WebCore::RenderElement::layoutIfNeeded() 20 0x11e57e131 WebCore::RenderBlockFlow::insertFloatingObject(WebCore::RenderBox&) 21 0x11db5fabc WebCore::LineBreaker::skipLeadingWhitespace(WebCore::BidiResolverWithIsolate<WebCore::InlineIterator, WebCore::BidiRun, WebCore::BidiIsolatedRun>&, WebCore::LineInfo&, WebCore::FloatingObject*, WebCore::LineWidth&) 22 0x11db60044 WebCore::LineBreaker::nextLineBreak(WebCore::BidiResolverWithIsolate<WebCore::InlineIterator, WebCore::BidiRun, WebCore::BidiIsolatedRun>&, WebCore::LineInfo&, WebCore::LineLayoutState&, WebCore::RenderTextInfo&, WebCore::FloatingObject*, unsigned int, WTF::Vector<WebCore::WordMeasurement, 64ul, WTF::CrashOnOverflow, 16ul>&) 23 0x11e5f4b0a WebCore::RenderBlockFlow::layoutRunsAndFloatsInRange(WebCore::LineLayoutState&, WebCore::BidiResolverWithIsolate<WebCore::InlineIterator, WebCore::BidiRun, WebCore::BidiIsolatedRun>&, WebCore::InlineIterator const&, WebCore::BidiStatus const&, unsigned int) 24 0x11e5f180b WebCore::RenderBlockFlow::layoutRunsAndFloats(WebCore::LineLayoutState&, bool) 25 0x11e5fcf42 WebCore::RenderBlockFlow::layoutLineBoxes(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) 26 0x11e57879b WebCore::RenderBlockFlow::layoutInlineChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) 27 0x11e575791 WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) 28 0x11e4bf1b2 WebCore::RenderBlock::layout() 29 0x11ef063b6 WebCore::RenderView::layoutContent(WebCore::LayoutState const&) 30 0x11ef08816 WebCore::RenderView::layout() 31 0x11b2ba6a2 WebCore::FrameView::layout(bool) ASAN:DEADLYSIGNAL ================================================================= ==17380==ERROR: AddressSanitizer: SEGV on unknown address 0x0000bbadbeef (pc 0x000115521529 bp 0x7fff53f831f0 sp 0x7fff53f831e0 T0) #0 0x115521528 in WTFCrash (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2d01528) #1 0x11aefe7ed in WebCore::FloatingObject::frameRect() const (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x17487ed) #2 0x11e5f6b8b in WebCore::RenderBlockFlow::layoutRunsAndFloatsInRange(WebCore::LineLayoutState&, WebCore::BidiResolverWithIsolate<WebCore::InlineIterator, WebCore::BidiRun, WebCore::BidiIsolatedRun>&, WebCore::InlineIterator const&, WebCore::BidiStatus const&, unsigned int) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4e40b8b) #3 0x11e5f180a in WebCore::RenderBlockFlow::layoutRunsAndFloats(WebCore::LineLayoutState&, bool) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4e3b80a) #4 0x11e5fcf41 in WebCore::RenderBlockFlow::layoutLineBoxes(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4e46f41) #5 0x11e57879a in WebCore::RenderBlockFlow::layoutInlineChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4dc279a) #6 0x11e575790 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4dbf790) #7 0x11e4bf1b1 in WebCore::RenderBlock::layout() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4d091b1) #8 0x11af4c3eb in WebCore::RenderElement::layoutIfNeeded() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x17963eb) #9 0x11e57e130 in WebCore::RenderBlockFlow::insertFloatingObject(WebCore::RenderBox&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4dc8130) #10 0x11db5fabb in WebCore::LineBreaker::skipLeadingWhitespace(WebCore::BidiResolverWithIsolate<WebCore::InlineIterator, WebCore::BidiRun, WebCore::BidiIsolatedRun>&, WebCore::LineInfo&, WebCore::FloatingObject*, WebCore::LineWidth&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x43a9abb) #11 0x11db60043 in WebCore::LineBreaker::nextLineBreak(WebCore::BidiResolverWithIsolate<WebCore::InlineIterator, WebCore::BidiRun, WebCore::BidiIsolatedRun>&, WebCore::LineInfo&, WebCore::LineLayoutState&, WebCore::RenderTextInfo&, WebCore::FloatingObject*, unsigned int, WTF::Vector<WebCore::WordMeasurement, 64ul, WTF::CrashOnOverflow, 16ul>&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x43aa043) #12 0x11e5f4b09 in WebCore::RenderBlockFlow::layoutRunsAndFloatsInRange(WebCore::LineLayoutState&, WebCore::BidiResolverWithIsolate<WebCore::InlineIterator, WebCore::BidiRun, WebCore::BidiIsolatedRun>&, WebCore::InlineIterator const&, WebCore::BidiStatus const&, unsigned int) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4e3eb09) #13 0x11e5f180a in WebCore::RenderBlockFlow::layoutRunsAndFloats(WebCore::LineLayoutState&, bool) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4e3b80a) #14 0x11e5fcf41 in WebCore::RenderBlockFlow::layoutLineBoxes(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4e46f41) #15 0x11e57879a in WebCore::RenderBlockFlow::layoutInlineChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4dc279a) #16 0x11e575790 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4dbf790) #17 0x11e4bf1b1 in WebCore::RenderBlock::layout() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4d091b1) #18 0x11af4c3eb in WebCore::RenderElement::layoutIfNeeded() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x17963eb) #19 0x11e57e130 in WebCore::RenderBlockFlow::insertFloatingObject(WebCore::RenderBox&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4dc8130) #20 0x11db5fabb in WebCore::LineBreaker::skipLeadingWhitespace(WebCore::BidiResolverWithIsolate<WebCore::InlineIterator, WebCore::BidiRun, WebCore::BidiIsolatedRun>&, WebCore::LineInfo&, WebCore::FloatingObject*, WebCore::LineWidth&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x43a9abb) #21 0x11db60043 in WebCore::LineBreaker::nextLineBreak(WebCore::BidiResolverWithIsolate<WebCore::InlineIterator, WebCore::BidiRun, WebCore::BidiIsolatedRun>&, WebCore::LineInfo&, WebCore::LineLayoutState&, WebCore::RenderTextInfo&, WebCore::FloatingObject*, unsigned int, WTF::Vector<WebCore::WordMeasurement, 64ul, WTF::CrashOnOverflow, 16ul>&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x43aa043) #22 0x11e5f4b09 in WebCore::RenderBlockFlow::layoutRunsAndFloatsInRange(WebCore::LineLayoutState&, WebCore::BidiResolverWithIsolate<WebCore::InlineIterator, WebCore::BidiRun, WebCore::BidiIsolatedRun>&, WebCore::InlineIterator const&, WebCore::BidiStatus const&, unsigned int) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4e3eb09) #23 0x11e5f180a in WebCore::RenderBlockFlow::layoutRunsAndFloats(WebCore::LineLayoutState&, bool) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4e3b80a) #24 0x11e5fcf41 in WebCore::RenderBlockFlow::layoutLineBoxes(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4e46f41) #25 0x11e57879a in WebCore::RenderBlockFlow::layoutInlineChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4dc279a) #26 0x11e575790 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4dbf790) #27 0x11e4bf1b1 in WebCore::RenderBlock::layout() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4d091b1) #28 0x11ef063b5 in WebCore::RenderView::layoutContent(WebCore::LayoutState const&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x57503b5) #29 0x11ef08815 in WebCore::RenderView::layout() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5752815) #30 0x11b2ba6a1 in WebCore::FrameView::layout(bool) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1b046a1) #31 0x11a93a6f9 in WebCore::Document::updateLayout() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x11846f9) #32 0x11a942fc0 in WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x118cfc0) #33 0x11ace2415 in WebCore::Element::getBoundingClientRect() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x152c415) #34 0x11c7fc094 in WebCore::jsElementPrototypeFunctionGetBoundingClientRect(JSC::ExecState*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x3046094) #35 0x3b1c2ee01027 (<unknown module>) #36 0x114ba6993 in llint_entry (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2386993) #37 0x114ba6993 in llint_entry (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2386993) #38 0x114ba6993 in llint_entry (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2386993) #39 0x114ba6993 in llint_entry (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2386993) #40 0x114ba6993 in llint_entry (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2386993) #41 0x114ba6993 in llint_entry (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2386993) #42 0x114ba6993 in llint_entry (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2386993) #43 0x114ba6d04 in llint_entry (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2386d04) #44 0x114b9f4ad in vmEntryToJavaScript (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x237f4ad) #45 0x1145cd2bd in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x1dad2bd) #46 0x1144986f0 in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x1c786f0) #47 0x112f7971a in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x75971a) #48 0x11b7903d9 in WebCore::HTMLMediaElement::didAddUserAgentShadowRoot(WebCore::ShadowRoot*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1fda3d9) #49 0x11ace79a7 in WebCore::Element::addShadowRoot(WTF::Ref<WebCore::ShadowRoot>&&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x15319a7) #50 0x11ace7c7a in WebCore::Element::ensureUserAgentShadowRoot() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1531c7a) #51 0x11b77e869 in WebCore::HTMLMediaElement::ensureMediaControlsShadowRoot() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1fc8869) #52 0x11b7581ec in WebCore::HTMLMediaElement::configureMediaControls() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1fa21ec) #53 0x11b759885 in WebCore::HTMLMediaElement::insertedInto(WebCore::ContainerNode&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1fa3885) #54 0x11a077183 in WebCore::notifyNodeInsertedIntoDocument(WebCore::ContainerNode&, WebCore::Node&, WTF::Vector<WTF::Ref<WebCore::Node>, 11ul, WTF::CrashOnOverflow, 16ul>&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x8c1183) #55 0x11a077a43 in WebCore::notifyChildNodeInserted(WebCore::ContainerNode&, WebCore::Node&, WTF::Vector<WTF::Ref<WebCore::Node>, 11ul, WTF::CrashOnOverflow, 16ul>&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x8c1a43) #56 0x11a0541a9 in WebCore::ContainerNode::notifyChildInserted(WebCore::Node&, WebCore::ContainerNode::ChildChangeSource) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x89e1a9) #57 0x11a05270d in WebCore::ContainerNode::parserAppendChild(WebCore::Node&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x89c70d) #58 0x11b5f32c2 in WebCore::insert(WebCore::HTMLConstructionSiteTask&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1e3d2c2) #59 0x11b5f2d6e in WebCore::executeInsertTask(WebCore::HTMLConstructionSiteTask&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1e3cd6e) #60 0x11b5ebbc1 in WebCore::executeTask(WebCore::HTMLConstructionSiteTask&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1e35bc1) #61 0x11b5eba98 in WebCore::HTMLConstructionSite::executeQueuedTasks() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1e35a98) #62 0x11b8d36a2 in WebCore::HTMLTreeBuilder::constructTree(WebCore::AtomicHTMLToken&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x211d6a2) #63 0x11b65f576 in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken(WebCore::HTMLTokenizer::TokenPtr&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1ea9576) #64 0x11b65f2d2 in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1ea92d2) #65 0x11b65ceb2 in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1ea6eb2) #66 0x11b65c86f in WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1ea686f) #67 0x11b660afb in WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl>&&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1eaaafb) #68 0x11a80e1eb in WebCore::DecodedDataDocumentParser::appendBytes(WebCore::DocumentWriter&, char const*, unsigned long) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x10581eb) #69 0x11ab2ccf1 in WebCore::DocumentWriter::addData(char const*, unsigned long) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1376cf1) #70 0x11aa87045 in WebCore::DocumentLoader::commitData(char const*, unsigned long) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x12d1045) #71 0x10cd72e4d in WebKit::WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, char const*, int) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x10ede4d) #72 0x11aa8c1b6 in WebCore::DocumentLoader::commitLoad(char const*, int) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x12d61b6) #73 0x11aa8befa in WebCore::DocumentLoader::dataReceived(char const*, int) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x12d5efa) #74 0x11aa8c598 in WebCore::DocumentLoader::dataReceived(WebCore::CachedResource&, char const*, int) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x12d6598) #75 0x119dbc931 in WebCore::CachedRawResource::notifyClientsDataWasReceived(char const*, unsigned int) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x606931) #76 0x119dbc5e0 in WebCore::CachedRawResource::addDataBuffer(WebCore::SharedBuffer&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x6065e0) #77 0x11f8b891a in WebCore::SubresourceLoader::didReceiveDataOrBuffer(char const*, int, WTF::RefPtr<WebCore::SharedBuffer>&&, long long, WebCore::DataPayloadType) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x610291a) #78 0x11f8b8250 in WebCore::SubresourceLoader::didReceiveData(char const*, unsigned int, long long, WebCore::DataPayloadType) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x6102250) #79 0x10d7161fa in WebKit::WebResourceLoader::didReceiveData(IPC::DataReference const&, long long) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1a911fa) #80 0x10d724003 in void IPC::callMemberFunctionImpl<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(IPC::DataReference const&, long long), std::__1::tuple<IPC::DataReference, long long>, 0ul, 1ul>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(IPC::DataReference const&, long long), std::__1::tuple<IPC::DataReference, long long>&&, std::__1::integer_sequence<unsigned long, 0ul, 1ul>) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1a9f003) #81 0x10d723b04 in void IPC::callMemberFunction<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(IPC::DataReference const&, long long), std::__1::tuple<IPC::DataReference, long long>, std::__1::integer_sequence<unsigned long, 0ul, 1ul> >(std::__1::tuple<IPC::DataReference, long long>&&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(IPC::DataReference const&, long long)) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1a9eb04) #82 0x10d721211 in void IPC::handleMessage<Messages::WebResourceLoader::DidReceiveData, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(IPC::DataReference const&, long long)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(IPC::DataReference const&, long long)) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1a9c211) #83 0x10d71f7c0 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1a9a7c0) #84 0x10c448da9 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x7c3da9) #85 0x10be5cfba in IPC::Connection::dispatchMessage(IPC::Decoder&) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1d7fba) #86 0x10be457c4 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1c07c4) #87 0x10be5dca5 in IPC::Connection::dispatchOneMessage() (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1d8ca5) #88 0x10be6e25c in IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_14::operator()() (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1e925c) #89 0x10be6e188 in WTF::Function<void ()>::CallableWrapper<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_14>::call() (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/WebKit+0x1e9188) #90 0x1155a5830 in WTF::Function<void ()>::operator()() const (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2d85830) #91 0x1155efc46 in WTF::RunLoop::performWork() (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2dcfc46) #92 0x1155f0b11 in WTF::RunLoop::performWork(void*) (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2dd0b11) #93 0x7fff81c1f880 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0xaa880) #94 0x7fff81bfefbb in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x89fbb) #95 0x7fff81bfe4de in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x894de) #96 0x7fff81bfded7 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x88ed7) #97 0x7fff82fde934 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30934) #98 0x7fff82fde76e in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x3076e) #99 0x7fff82fde5ae in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x305ae) #100 0x7fff8e643df5 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x48df5) #101 0x7fff8e643225 in -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x48225) #102 0x7fff8e637d7f in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x3cd7f) #103 0x7fff8e601367 in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x6367) #104 0x7fff92f09193 in _xpc_objc_main (/usr/lib/system/libxpc.dylib+0x11193) #105 0x7fff92f07bbd in xpc_main (/usr/lib/system/libxpc.dylib+0xfbbd) #106 0x10bc68f73 in main (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development+0x100001f73) #107 0x7fff8ab8d5ac in start (/usr/lib/system/libdyld.dylib+0x35ac) #108 0x0 (<unknown module>) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2d01528) in WTFCrash ==17380==ABORTING #CRASHED - com.apple.WebKit.WebContent.Development (pid 17380) 1264844 1 298315 hodovan 2017-01-08 13:00:53 -0800 Created attachment 298315 Test 1266205 2 298697 zalan 2017-01-12 10:45:14 -0800 Created attachment 298697 Test reduction 1906388 3 fred.wang 2022-10-17 23:10:57 -0700 I cannot reproduce at https://commits.webkit.org/255418@main Tested with non-ASAN Linux GTK debug/release builds and ASAN macOS debug/release builds. 1908129 4 fred.wang 2022-10-25 09:18:31 -0700 As said in comment 3, I cannot reproduce with the attached testcase. Let's mark this as a duplicate of bug 244580, which has similar backtrace and a minimized testcase. *** This bug has been marked as a duplicate of bug 244580 *** 298315 2017-01-08 13:00:53 -0800 2017-01-12 10:45:14 -0800 Test test.html application/octet-stream 66 hodovan PHN0eWxlPnt9Kiwqe2Zsb2F0OnJpZ2h0PC9zdHlsZT48b2JqZWN0Pjwvb2JqZWN0Pjxicj48d2Jy PjxvYmplY3Q+ 298697 2017-01-12 10:45:14 -0800 2017-01-12 10:45:14 -0800 Test reduction test-8.html text/html 91 zalan PHN0eWxlPgpodG1sLCBvYmplY3QgewogIGZsb2F0OiBsZWZ0Owp9Cjwvc3R5bGU+PG9iamVjdD48 L29iamVjdD48YnI+PHdicj48b2JqZWN0Pjwvb2JqZWN0Pg==