270132 2024-02-26 16:12:51 -0800 ASSERTION FAILED: m_wrapper in JSEventListener::ensureJSFunction for imported/w3c/web-platform-tests/html/rendering/widgets/the-select-element/option-empty-label-to-empty-string.html 2024-05-01 17:11:36 -0700 1 1 1 Unclassified WebKit Bindings WebKit Nightly Build Unspecified Unspecified RESOLVED DUPLICATE 266711 InRadar P2 Normal --- 1 fujii webkit-unassigned cdumez webkit-bug-importer oldest_to_newest 2017031 0 fujii 2024-02-26 16:12:51 -0800 imported/w3c/web-platform-tests/html/rendering/widgets/the-select-element/option-empty-label-to-empty-string.html is randomly crashing. History: https://results.webkit.org/?suite=layout-tests&test=imported%2Fw3c%2Fweb-platform-tests%2Fhtml%2Frendering%2Fwidgets%2Fthe-select-element%2Foption-empty-label-to-empty-string.html Buildbot: builder Apple-Ventura-Debug-WK2-Tests build 4065 : 275325@main https://build.webkit.org/#/builders/701/builds/4065 https://build.webkit.org/results/Apple-Ventura-Debug-WK2-Tests/275325@main%20(4065)/imported/w3c/web-platform-tests/html/rendering/widgets/the-select-element/option-empty-label-to-empty-string-crash-log.txt stderr: ASSERTION FAILED: m_wrapper /Volumes/Data/worker/Apple-Ventura-Debug-Build/build/Source/WebCore/bindings/js/JSEventListener.h(164) : JSC::JSObject *WebCore::JSEventListener::ensureJSFunction(WebCore::ScriptExecutionContext &) const 1 0x4035ae5b9 WTFCrash 2 0x4a018aabb WTFCrashWithInfo(int, char const*, char const*, int) 3 0x4a3640625 WebCore::JSEventListener::ensureJSFunction(WebCore::ScriptExecutionContext&) const 4 0x4a363f8de WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) 5 0x4a3ff2401 WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::RawPtrTraits<WebCore::RegisteredEventListener>, WTF::DefaultRefDerefTraits<WebCore::RegisteredEventListener>>, 1ul, WTF::CrashOnOverflow, 2ul, WTF::FastMalloc>, WebCore::EventTarget::EventInvokePhase) 6 0x4a3ff1d7a WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) 7 0x4a3fd9cea WebCore::EventContext::handleLocalEvents(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) const 8 0x4a3fdaee6 WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) 9 0x4a3fda664 WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) 10 0x4a408412d WebCore::Node::dispatchEvent(WebCore::Event&) 11 0x4a44bde81 WebCore::HTMLMediaElement::layoutSizeChanged()::$_43::operator()() const 12 0x4a44bddd9 WTF::Detail::CallableWrapper<WebCore::HTMLMediaElement::layoutSizeChanged()::$_43, void>::call() 13 0x4a01b0b52 WTF::Function<void ()>::operator()() const 14 0x4a44a2a89 void WebCore::ActiveDOMObject::queueTaskKeepingObjectAlive<WebCore::HTMLMediaElement>(WebCore::HTMLMediaElement&, WebCore::TaskSource, WTF::Function<void ()>&&)::'lambda'()::operator()() const 15 0x4a44a29c9 WTF::Detail::CallableWrapper<void WebCore::ActiveDOMObject::queueTaskKeepingObjectAlive<WebCore::HTMLMediaElement>(WebCore::HTMLMediaElement&, WebCore::TaskSource, WTF::Function<void ()>&&)::'lambda'(), void>::call() 16 0x4a01b0b52 WTF::Function<void ()>::operator()() const 17 0x4a3fe3be9 WebCore::EventLoopFunctionDispatchTask::execute() 18 0x4a3fdeb46 WebCore::EventLoop::run(std::__1::optional<WTF::ApproximateTime>) 19 0x4a418dc66 WebCore::WindowEventLoop::didReachTimeToRun() 20 0x4a4191d69 decltype(*std::declval<WebCore::WindowEventLoop*&>().*std::declval<void (WebCore::WindowEventLoop::*&)()>()()) std::__1::__invoke[abi:v15006]<void (WebCore::WindowEventLoop::*&)(), WebCore::WindowEventLoop*&, void>(void (WebCore::WindowEventLoop::*&)(), WebCore::WindowEventLoop*&) 21 0x4a4191ced std::__1::__bind_return<void (WebCore::WindowEventLoop::*)(), std::__1::tuple<WebCore::WindowEventLoop*>, std::__1::tuple<>, __is_valid_bind_return<void (WebCore::WindowEventLoop::*)(), std::__1::tuple<WebCore::WindowEventLoop*>, std::__1::tuple<>>::value>::type std::__1::__apply_functor[abi:v15006]<void (WebCore::WindowEventLoop::*)(), std::__1::tuple<WebCore::WindowEventLoop*>, 0ul, std::__1::tuple<>>(void (WebCore::WindowEventLoop::*&)(), std::__1::tuple<WebCore::WindowEventLoop*>&, std::__1::__tuple_indices<0ul>, std::__1::tuple<>&&) 22 0x4a4191ca0 std::__1::__bind_return<void (WebCore::WindowEventLoop::*)(), std::__1::tuple<WebCore::WindowEventLoop*>, std::__1::tuple<>, __is_valid_bind_return<void (WebCore::WindowEventLoop::*)(), std::__1::tuple<WebCore::WindowEventLoop*>, std::__1::tuple<>>::value>::type std::__1::__bind<void (WebCore::WindowEventLoop::*&)(), WebCore::WindowEventLoop*>::operator()[abi:v15006]<>() 23 0x4a4191c59 WTF::Detail::CallableWrapper<std::__1::__bind<void (WebCore::WindowEventLoop::*&)(), WebCore::WindowEventLoop*>, void>::call() 24 0x4a01b0b52 WTF::Function<void ()>::operator()() const 25 0x4a02d9f89 WebCore::Timer::fired() 26 0x4a5115fc0 WebCore::ThreadTimers::sharedTimerFiredInternal() 27 0x4a511c941 WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0::operator()() const 28 0x4a511c8f9 WTF::Detail::CallableWrapper<WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0, void>::call() 29 0x4a01b0b52 WTF::Function<void ()>::operator()() const 30 0x4a50c1591 WebCore::MainThreadSharedTimer::fired() 31 0x4a51b82c6 WebCore::timerFired(__CFRunLoopTimer*, void*) com.apple.WebKit.WebContent.Development terminated (pid 80989) for reason: crash LEAK: 1 WebPageProxy 2017038 1 cdumez 2024-02-26 16:37:28 -0800 WebKit media bug? I'm guessing the shadowRoot has been detached from the tree by the time the lambda in HTMLMediaElement::layoutSizeChanged() runs and we try to dispatch the event on that root. If the shadow root is no longer part of the tree and we're not using a GCReachableRef, then there is no guarantee its JS wrapper will still be alive. It may suffice to early return in the lambda if the root is no longer connected. 2018616 2 webkit-bug-importer 2024-03-04 16:13:24 -0800 <rdar://problem/124039685> 2032644 3 fujii 2024-05-01 17:11:36 -0700 Seems like the same problem with bug#266711. *** This bug has been marked as a duplicate of bug 266711 ***