280214 2024-09-23 14:40:12 -0700 Debug assertion on https://www.browserbench.org/MotionMark1.3.1/developer.html 2024-11-18 00:29:31 -0800 1 1 1 Unclassified WebKit Layout and Rendering WebKit Local Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 279618 1 zimmermann zimmermann bfulgham simon.fraser webkit-bug-importer zalan oldest_to_newest 2062473 0 zimmermann 2024-09-23 14:40:12 -0700 m_isOwnedByMainThread == isMainThread() /host/home/nzimmermann/Software/GitRepositories/WebKit/WebKitBuild/WPE/Release/WTF/Headers/wtf/RefCounted.h(124) : void WTF::RefCountedBase::applyRefDerefThreadingCheck() const 1 0x7dde91da2911 WTF::RefCountedBase::derefAllowingPartiallyDestroyedBase() const 2 0x7dde920f10e1 WebCore::ToggleButtonPart::~ToggleButtonPart() 3 0x7dde97ef183e WebCore::RenderObject::RenderObjectRareData::~RenderObjectRareData() 4 0x7dde97ef49a2 WebCore::RenderObject::removeRareData() 5 0x7dde97e0d059 WebCore::RenderElement::willBeDestroyed() 6 0x7dde97eda7b8 WebCore::RenderObject::destroy() 7 0x7dde980d0bda WebCore::RenderTreeBuilder::destroy(WebCore::RenderObject&, WebCore::RenderTreeBuilder::CanCollapseAnonymousBlock) 8 0x7dde980d157e WebCore::RenderTreeBuilder::destroyAndCleanUpAnonymousWrappers(WebCore::RenderObject&, WebCore::RenderElement const*) 9 0x7dde980e7766 WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&)::{lambda(unsigned int)#1}::operator()(unsigned int) const 10 0x7dde980e6d43 WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&) 11 0x7dde980e9473 WebCore::RenderTreeUpdater::updateElementRenderer(WebCore::Element&, WebCore::Style::ElementUpdate const&) 12 0x7dde980eb410 WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) 13 0x7dde980eb8cd WebCore::RenderTreeUpdater::commit(std::unique_ptr<WebCore::Style::Update, std::default_delete<WebCore::Style::Update> >) 14 0x7dde96c0b79e WebCore::Document::updateRenderTree(std::unique_ptr<WebCore::Style::Update, std::default_delete<WebCore::Style::Update> >) 15 0x7dde96c796fe WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) 16 0x7dde96c79ad9 WebCore::Document::updateStyleIfNeeded() 17 0x7dde96c79cbd WebCore::Document::updateLayout(WTF::OptionSet<WebCore::LayoutOptions>, WebCore::Element const*) 18 0x7dde97076576 WebCore::HTMLLabelElement::defaultEventHandler(WebCore::Event&) 19 0x7dde96ce2f08 WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&) 20 0x7dde9779701f WebCore::PointerCaptureController::dispatchEvent(WebCore::PointerEvent&, WebCore::EventTarget*) [clone .part.0] 21 0x7dde96cc979e WebCore::Element::dispatchMouseEvent(WebCore::PlatformMouseEvent const&, WTF::AtomString const&, int, WebCore::Element*, WebCore::IsSyntheticClick) 22 0x7dde97669d31 WebCore::EventHandler::dispatchMouseEvent(WTF::AtomString const&, WebCore::Node*, int, WebCore::PlatformMouseEvent const&, WebCore::EventHandler::FireMouseOverOut) 23 0x7dde9766aa9b WebCore::EventHandler::swallowAnyClickEvent(WebCore::PlatformMouseEvent const&, WebCore::MouseEventWithHitTestResults const&, WebCore::EventHandler::IgnoreAncestorNodesForClickEvent) 24 0x7dde9767b0ad WebCore::EventHandler::handleMouseReleaseEvent(WebCore::PlatformMouseEvent const&) 25 0x7dde92b6cd82 WebKit::WebFrame::handleMouseEvent(WebKit::WebMouseEvent const&) 26 0x7dde92b3f957 WebKit::WebPage::mouseEvent(WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::FrameIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long>, unsigned long, (WTF::SupportsObjectIdentifierNullState)0> >, WebKit::WebMouseEvent const&, std::optional<WTF::Vector<WebKit::SandboxExtensionHandle, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> >&&) 27 0x7dde9204717e void IPC::handleMessage<Messages::WebPage::MouseEvent, WebKit::WebPage, WebKit::WebPage, void (WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::FrameIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long>, unsigned long, (WTF::SupportsObjectIdentifierNullState)0> >, WebKit::WebMouseEvent const&, std::optional<WTF::Vector<WebKit::SandboxExtensionHandle, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> >&&)>(IPC::Connection&, IPC::Decoder&, WebKit::WebPage*, void (WebKit::WebPage::*)(WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::FrameIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long>, unsigned long, (WTF::SupportsObjectIdentifierNullState)0> >, WebKit::WebMouseEvent const&, std::optional<WTF::Vector<WebKit::SandboxExtensionHandle, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> >&&)) [clone .isra.0] 28 0x7dde92058685 WebKit::WebPage::didReceiveMessage(IPC::Connection&, IPC::Decoder&) 29 0x7dde9252e7e7 IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) 30 0x7dde91f0f395 WebKit::AuxiliaryProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&) 31 0x7dde92528dad IPC::Connection::dispatchMessage(WTF::UniqueRef<IPC::Decoder>) [clone .part.0] Just opened the page, and made a random mouse movement, when I saw this. Opening a ticket, so we don't forget. 2062867 1 zimmermann 2024-09-24 15:38:15 -0700 I can reproduce it every time on WPE, with threaded CPU rendering activated, when clicking on the 'Run Benchmark' button. I checked how ControlParts are created: RenderBox::paintBoxDecorations() calls RenderBox::ensureControlPartForRenderer(), which calls RenderBox::ensureControlPart(), which in turns calls theme().createControlPart() which creates a ToggleButtonPart object for the 'Run benchmark' button. In the threaded CPU rendering case, the ControlPart creation happens from within the worker thread, when we replay the previously recorded DisplayList (recording happened on the main thread). As can be seen from the backtrace, the destruction of the RenderObjectRareData, and thus the ToggleButtonPart was triggered from the main thread during layout / style resolving. Since ControlPart is not ThreadSafeRefCounted, the assertion popped up. 2062870 2 zimmermann 2024-09-24 15:47:22 -0700 This fixes the assertion for me: diff --git a/Source/WebCore/platform/graphics/controls/ControlPart.h b/Source/WebCore/platform/graphics/controls/ControlPart.h index 8aa1fd401bbe..ec931ea345aa 100644 --- a/Source/WebCore/platform/graphics/controls/ControlPart.h +++ b/Source/WebCore/platform/graphics/controls/ControlPart.h @@ -29,7 +29,7 @@ #include "ControlFactory.h" #include "PlatformControl.h" #include "StyleAppearance.h" -#include <wtf/RefCounted.h> +#include <wtf/ThreadSafeRefCounted.h> namespace WebCore { @@ -37,7 +37,7 @@ class FloatRect; class GraphicsContext; class ControlFactory; -class ControlPart : public RefCounted<ControlPart> { +class ControlPart : public ThreadSafeRefCounted<ControlPart> { public: virtual ~ControlPart() = default; 2062962 3 zimmermann 2024-09-24 23:53:23 -0700 Pull request: https://github.com/WebKit/WebKit/pull/34215 2063127 4 ews-feeder 2024-09-25 14:29:16 -0700 Committed 284244@main (f9961c9edb08): <https://commits.webkit.org/284244@main> Reviewed commits have been landed. Closing PR #34215 and removing active labels. 2063129 5 webkit-bug-importer 2024-09-25 14:30:20 -0700 <rdar://problem/136707099>