196035 2019-03-20 14:58:26 -0700 [iOS] Crash in WebCore::Node::renderRect 2019-03-20 15:49:59 -0700 1 1 1 Unclassified WebKit UI Events WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 dino dino cdumez dbates esprehn+autocc ews-watchlist graouts kangil.han webkit-bug-importer oldest_to_newest 1519213 0 dino 2019-03-20 14:58:26 -0700 Since https://trac.webkit.org/changeset/242757/webkit fast/images/imagemap-in-shadow-tree.html http/tests/download/area-download.html ASSERTION FAILED: hitRenderer ./dom/Node.cpp(798) : WebCore::LayoutRect WebCore::Node::renderRect(bool *) 1 0x2c641f649 WTFCrash 2 0x2ca4eda7b WTFCrashWithInfo(int, char const*, char const*, int) 3 0x2cc6f207e WebCore::Node::renderRect(bool*) 4 0x105ac91b9 WebKit::ViewGestureGeometryCollector::computeZoomInformationForNode(WebCore::Node&, WebCore::FloatPoint&, WebCore::FloatRect&, bool&, double&, double&) 5 0x1057acf6b WebKit::WebPage::potentialTapAtPosition(unsigned long long, WebCore::FloatPoint const&, bool) 6 0x105c10e37 void IPC::callMemberFunctionImpl<WebKit::WebPage, void (WebKit::WebPage::*)(unsigned long long, WebCore::FloatPoint const&, bool), std::__1::tuple<unsigned long long, WebCore::FloatPoint, bool>, 0ul, 1ul, 2ul>(WebKit::WebPage*, void (WebKit::WebPage::*)(unsigned long long, WebCore::FloatPoint const&, bool), std::__1::tuple<unsigned long long, WebCore::FloatPoint, bool>&&, std::__1::integer_sequence<unsigned long, 0ul, 1ul, 2ul>) 7 0x105c10d10 void IPC::callMemberFunction<WebKit::WebPage, void (WebKit::WebPage::*)(unsigned long long, WebCore::FloatPoint const&, bool), std::__1::tuple<unsigned long long, WebCore::FloatPoint, bool>, std::__1::integer_sequence<unsigned long, 0ul, 1ul, 2ul> >(std::__1::tuple<unsigned long long, WebCore::FloatPoint, bool>&&, WebKit::WebPage*, void (WebKit::WebPage::*)(unsigned long long, WebCore::FloatPoint const&, bool)) 8 0x105bf26d6 void IPC::handleMessage<Messages::WebPage::PotentialTapAtPosition, WebKit::WebPage, void (WebKit::WebPage::*)(unsigned long long, WebCore::FloatPoint const&, bool)>(IPC::Decoder&, WebKit::WebPage*, void (WebKit::WebPage::*)(unsigned long long, WebCore::FloatPoint const&, bool)) 9 0x105be8512 WebKit::WebPage::didReceiveWebPageMessage(IPC::Connection&, IPC::Decoder&) 10 0x105b918ae WebKit::WebPage::didReceiveMessage(IPC::Connection&, IPC::Decoder&) 11 0x104b1cf6a IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) 12 0x1057f3afd WebKit::WebProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&) 13 0x104ad029c IPC::Connection::dispatchMessage(IPC::Decoder&) 14 0x104ac2881 IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) 15 0x104ad1067 IPC::Connection::dispatchOneIncomingMessage() 16 0x104af1cf8 IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_14::operator()() 17 0x104af1c09 WTF::Function<void ()>::CallableWrapper<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_14>::call() 18 0x2c6449add WTF::Function<void ()>::operator()() const 19 0x2c64a9233 WTF::RunLoop::performWork() 20 0x2c64a9bc4 WTF::RunLoop::performWork(void*) 21 0x2c0b9a721 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ 22 0x2c0b99f93 __CFRunLoopDoSources0 23 0x2c0b9463f __CFRunLoopRun 24 0x2c0b93e11 CFRunLoopRunSpecific 25 0x104508322 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] 26 0x104508492 -[NSRunLoop(NSRunLoop) run] 27 0x2c22f7812 _xpc_objc_main 28 0x2c22f9cbd xpc_main 29 0x104f6d427 WebKit::XPCServiceMain(int, char const**) 30 0x104e83a6b WKXPCServiceMain 31 0x10444da8e main LEAK: 1 WebPageProxy  1519216 1 dino 2019-03-20 14:59:05 -0700 <rdar://problem/49076783> 1519247 2 365416 dino 2019-03-20 15:42:11 -0700 Created attachment 365416 Patch 1519252 3 365416 graouts 2019-03-20 15:47:34 -0700 Comment on attachment 365416 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=365416&action=review > Source/WebCore/dom/Node.cpp:799 > + if (!hitRenderer && is<HTMLAreaElement>(*this)) { You can use simply `this` here. > Source/WebCore/dom/Node.cpp:802 > + auto* imageElement = area.imageElement(); > + if (imageElement) if (auto* …) 1519255 4 dino 2019-03-20 15:49:59 -0700 Committed r243249: <https://trac.webkit.org/changeset/243249> 365416 2019-03-20 15:42:11 -0700 2019-03-20 15:47:34 -0700 Patch bug-196035-20190321094210.patch text/plain 2363 dino U3VidmVyc2lvbiBSZXZpc2lvbjogMjQzMTgzCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggMWE2MmUyZGM3MzdiOTgx YmRhNTIwZDk5MGIwZTUyYTMzNjkzMTFlYS4uOWI4OTQ2ZjdhZWY5MjFmZWQ2NzI3OWRkM2JkMzNm ZGQyZjIwYTU4ZiAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDI2IEBACisyMDE5LTAzLTIwICBEZWFu IEphY2tzb24gIDxkaW5vQGFwcGxlLmNvbT4KKworICAgICAgICBbaU9TXSBDcmFzaCBpbiBXZWJD b3JlOjpOb2RlOjpyZW5kZXJSZWN0CisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3No b3dfYnVnLmNnaT9pZD0xOTYwMzUKKyAgICAgICAgPHJkYXI6Ly9wcm9ibGVtLzQ5MDc2NzgzPgor CisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIFdoZW4gcmVu ZGVyUmVjdCB3YXMgY2FsbGVkIG9uIGFuIEhUTUxBcmVhRWxlbWVudCwgaXQgd291bGQKKyAgICAg ICAgQVNTRVJUIGJlY2F1c2UgaXQgZG9lc24ndCBoYXZlIGEgcmVuZGVyZXIuIFdlIGhhZG4ndCBu b3RpY2VkCisgICAgICAgIHRoaXMgYmVmb3JlIGJlY2F1c2Ugbm9uZSBvZiBvdXIgdGVzdHMgd2Vy ZSBoaXR0aW5nIHRoaXMgaW4KKyAgICAgICAgZGVidWcgbW9kZS4KKworICAgICAgICBUaGUgZml4 IGlzIHRvIGFzayB0aGUgY29ycmVzcG9uZGluZyBIVE1MSW1hZ2VFbGVtZW50IGZvcgorICAgICAg ICBpdHMgcmVuZGVyZXIsIGFuZCB1c2UgdGhhdCBmb3IgdGhlIHJldHVybmVkIHJlY3RhbmdsZS4K KworICAgICAgICBDb3ZlcmVkIGJ5IHRoZXNlIHRlc3RzIHRoYXQgaGFkIGJlY29tZSBmbGFrZXk6 CisgICAgICAgICAgICBmYXN0L2ltYWdlcy9pbWFnZW1hcC1pbi1zaGFkb3ctdHJlZS5odG1sCisg ICAgICAgICAgICBodHRwL3Rlc3RzL2Rvd25sb2FkL2FyZWEtZG93bmxvYWQuaHRtbAorCisgICAg ICAgICogZG9tL05vZGUuY3BwOgorICAgICAgICAoV2ViQ29yZTo6Tm9kZTo6cmVuZGVyUmVjdCk6 CisKIDIwMTktMDMtMTkgIFNhaWQgQWJvdS1IYWxsYXdhICA8c2Fib3VoYWxsYXdhQGFwcGxlLmNv bT4KIAogICAgICAgICBSZW1vdmUgdGhlIFNWRyBwcm9wZXJ0eSB0ZWFyIG9mZiBvYmplY3RzIG9m IFNWR0FuaW1hdGVkUmVjdApkaWZmIC0tZ2l0IGEvU291cmNlL1dlYkNvcmUvZG9tL05vZGUuY3Bw IGIvU291cmNlL1dlYkNvcmUvZG9tL05vZGUuY3BwCmluZGV4IGU5ZmYxYjMyYzdlZjMwNjQ0NjI5 Y2IyZDNmNmY5ODI3YmMyZmVlYjYuLjRjMjQ2ZTA2ZjU3Njg2YjdkMjViMWE4ZGM1NjQ3ZWJmZmE5 ODYwOTkgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJDb3JlL2RvbS9Ob2RlLmNwcAorKysgYi9Tb3Vy Y2UvV2ViQ29yZS9kb20vTm9kZS5jcHAKQEAgLTQyLDYgKzQyLDcgQEAKICNpbmNsdWRlICJFdmVu dERpc3BhdGNoZXIuaCIKICNpbmNsdWRlICJFdmVudEhhbmRsZXIuaCIKICNpbmNsdWRlICJGcmFt ZVZpZXcuaCIKKyNpbmNsdWRlICJIVE1MQXJlYUVsZW1lbnQuaCIKICNpbmNsdWRlICJIVE1MQm9k eUVsZW1lbnQuaCIKICNpbmNsdWRlICJIVE1MQ29sbGVjdGlvbi5oIgogI2luY2x1ZGUgIkhUTUxF bGVtZW50LmgiCkBAIC03OTUsNyArNzk2LDEyIEBAIFJlbmRlckJveE1vZGVsT2JqZWN0KiBOb2Rl OjpyZW5kZXJCb3hNb2RlbE9iamVjdCgpIGNvbnN0CiBMYXlvdXRSZWN0IE5vZGU6OnJlbmRlclJl Y3QoYm9vbCogaXNSZXBsYWNlZCkKIHsgICAgCiAgICAgUmVuZGVyT2JqZWN0KiBoaXRSZW5kZXJl ciA9IHRoaXMtPnJlbmRlcmVyKCk7Ci0gICAgQVNTRVJUKGhpdFJlbmRlcmVyKTsKKyAgICBpZiAo IWhpdFJlbmRlcmVyICYmIGlzPEhUTUxBcmVhRWxlbWVudD4oKnRoaXMpKSB7CisgICAgICAgIGF1 dG8mIGFyZWEgPSBkb3duY2FzdDxIVE1MQXJlYUVsZW1lbnQ+KCp0aGlzKTsKKyAgICAgICAgYXV0 byogaW1hZ2VFbGVtZW50ID0gYXJlYS5pbWFnZUVsZW1lbnQoKTsKKyAgICAgICAgaWYgKGltYWdl RWxlbWVudCkKKyAgICAgICAgICAgIGhpdFJlbmRlcmVyID0gaW1hZ2VFbGVtZW50LT5yZW5kZXJl cigpOworICAgIH0KICAgICBSZW5kZXJPYmplY3QqIHJlbmRlcmVyID0gaGl0UmVuZGVyZXI7CiAg ICAgd2hpbGUgKHJlbmRlcmVyICYmICFyZW5kZXJlci0+aXNCb2R5KCkgJiYgIXJlbmRlcmVyLT5p c0RvY3VtZW50RWxlbWVudFJlbmRlcmVyKCkpIHsKICAgICAgICAgaWYgKHJlbmRlcmVyLT5pc1Jl bmRlckJsb2NrKCkgfHwgcmVuZGVyZXItPmlzSW5saW5lQmxvY2tPcklubGluZVRhYmxlKCkgfHwg cmVuZGVyZXItPmlzUmVwbGFjZWQoKSkgewo=