263671 2023-10-25 10:31:53 -0700 Regression(268375@main) Crash under ~Node() due to CheckedRef 2024-10-01 17:50:03 -0700 1 1 1 Unclassified WebKit DOM WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED https://bugs.webkit.org/show_bug.cgi?id=280723 InRadar P2 Normal --- 261983 1 cdumez cdumez heycam webkit-bug-importer oldest_to_newest 1987464 0 cdumez 2023-10-25 10:31:53 -0700 Crash under ~Node() due to CheckedRef: ``` ASSERTION FAILED: !m_count /Volumes/Work/WebKit/OpenSource/WebKitBuild/Debug/usr/local/include/wtf/CheckedRef.h(250) : WTF::CanMakeCheckedPtrBase<WTF::SingleThreadIntegralWrapper<unsigned int>, unsigned int>::~CanMakeCheckedPtrBase() [StorageType = WTF::SingleThreadIntegralWrapper<unsigned int>, PtrCounterType = unsigned int] 1 0x138bbdb3c WTFCrash 2 0x282d68d1c WebCore::BaseAudioContext::markSummingJunctionDirty(WebCore::AudioSummingJunction*) 3 0x28326135c WTF::CanMakeCheckedPtrBase<WTF::SingleThreadIntegralWrapper<unsigned int>, unsigned int>::~CanMakeCheckedPtrBase() 4 0x283d3426c WebCore::EventTarget::~EventTarget() 5 0x283daf064 WebCore::Node::~Node() 6 0x283b5bbf4 WebCore::ContainerNode::~ContainerNode() 7 0x283cbcb3c WebCore::Element::~Element() 8 0x283e00150 WebCore::PseudoElement::~PseudoElement() 9 0x283e00180 WebCore::PseudoElement::~PseudoElement() 10 0x283e001b0 WebCore::PseudoElement::~PseudoElement() 11 0x283dbaf04 WebCore::Node::removedLastRef() 12 0x2832ca440 WebCore::Node::deref() const 13 0x283d0511c WTF::DefaultRefDerefTraits<WebCore::PseudoElement>::derefIfNotNull(WebCore::PseudoElement*) 14 0x283d050dc WTF::RefPtr<WebCore::PseudoElement, WTF::RawPtrTraits<WebCore::PseudoElement>, WTF::DefaultRefDerefTraits<WebCore::PseudoElement>>::~RefPtr() 15 0x283cd85e0 WTF::RefPtr<WebCore::PseudoElement, WTF::RawPtrTraits<WebCore::PseudoElement>, WTF::DefaultRefDerefTraits<WebCore::PseudoElement>>::~RefPtr() 16 0x283cf6020 WTF::RefPtr<WebCore::PseudoElement, WTF::RawPtrTraits<WebCore::PseudoElement>, WTF::DefaultRefDerefTraits<WebCore::PseudoElement>>::operator=(WTF::RefPtr<WebCore::PseudoElement, WTF::RawPtrTraits<WebCore::PseudoElement>, WTF::DefaultRefDerefTraits<WebCore::PseudoElement>>&&) 17 0x283cd8ecc WebCore::ElementRareData::setBeforePseudoElement(WTF::RefPtr<WebCore::PseudoElement, WTF::RawPtrTraits<WebCore::PseudoElement>, WTF::DefaultRefDerefTraits<WebCore::PseudoElement>>&&) 18 0x283cd90fc WebCore::Element::clearBeforePseudoElementSlow() 19 0x283cd0024 WebCore::Element::clearBeforePseudoElement() 20 0x285bd1424 WebCore::RenderTreeUpdater::GeneratedContent::removeBeforePseudoElement(WebCore::Element&, WebCore::RenderTreeBuilder&) 21 0x285bd06d0 WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&)::$_5::operator()(unsigned int) const 22 0x285bcf090 WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&) 23 0x285bcde5c WebCore::RenderTreeUpdater::updateElementRenderer(WebCore::Element&, WebCore::Style::ElementUpdate const&) 24 0x285bcd3fc WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) 25 0x285bccc28 WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const>>) 26 0x283bd6650 WebCore::Document::updateRenderTree(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const>>) 27 0x283bd6cf8 WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) 28 0x283bd7a8c WebCore::Document::updateStyleIfNeeded() 29 0x284c03f80 WebCore::LocalFrameViewLayoutContext::layout() 30 0x284c18608 WebCore::LocalFrameView::updateContentsSize() 31 0x284ee692c WebCore::ScrollView::updateScrollbars(WebCore::IntPoint const&) ``` Test case: ``` <style> html { content: "a" url(); } html::before { container-type: size; content: url(); float: left; } </style> ``` 1987465 1 webkit-bug-importer 2023-10-25 10:33:25 -0700 <rdar://problem/117483509> 1987635 2 cdumez 2023-10-25 18:47:48 -0700 Remaining CheckedRef: ``` 1 0x2a5d3adc4 WTF::CanMakeCheckedPtrBase<WTF::SingleThreadIntegralWrapper<unsigned int>, unsigned int>::SharedStackTrace::create() 2 0x2a5d3acc8 WTF::CanMakeCheckedPtrBase<WTF::SingleThreadIntegralWrapper<unsigned int>, unsigned int>::registerCheckedPtr(void const*) const 3 0x2a89a1f20 WTF::CheckedRef<WebCore::Element, WTF::RawPtrTraits<WebCore::Element>>::CheckedRef(WebCore::Element&) 4 0x2a8999760 WTF::CheckedRef<WebCore::Element, WTF::RawPtrTraits<WebCore::Element>>::CheckedRef(WebCore::Element&) 5 0x2aab07310 WebCore::Style::Scope::updateQueryContainerState(WebCore::Style::Scope::QueryContainerUpdateContext&) 6 0x2a9a76300 WebCore::LocalFrameViewLayoutContext::layout() 7 0x2a9a8a9a8 WebCore::LocalFrameView::updateContentsSize() 8 0x2a9d5a2ac WebCore::ScrollView::updateScrollbars(WebCore::IntPoint const&) 9 0x2a9d5bfb8 WebCore::ScrollView::setContentsSize(WebCore::IntSize const&) 10 0x2a9a79a40 WebCore::LocalFrameView::setContentsSize(WebCore::IntSize const&) 11 0x2a9a73544 WebCore::LocalFrameView::adjustViewSize() 12 0x2a9a9a470 WebCore::LocalFrameViewLayoutContext::performLayout() 13 0x2a9a7629c WebCore::LocalFrameViewLayoutContext::layout() 14 0x2a8a4f648 WebCore::Document::implicitClose() 15 0x2a9803b78 WebCore::FrameLoader::checkCallImplicitClose() 16 0x2a980359c WebCore::FrameLoader::checkCompleted() ``` 1987658 3 cdumez 2023-10-25 21:31:27 -0700 Pull request: https://github.com/WebKit/WebKit/pull/19582 1987862 4 ews-feeder 2023-10-26 16:25:08 -0700 Committed 269829@main (f747a6b78181): <https://commits.webkit.org/269829@main> Reviewed commits have been landed. Closing PR #19582 and removing active labels.