Bug 166816

Summary: ASSERTION FAILED: m_renderer in RenderImageResource::shutdown while destroying a RenderImage
Product: WebKit Reporter: Renata Hodovan <hodovan>
Component: Layout and Rendering Assignee: Nobody <webkit-unassigned>
Status: NEW ---    
Severity: Normal CC: ap, eric.carlson, jer.noble, sabouhallawa, simon.fraser, zalan
Priority: P2    
Version: WebKit Local Build   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 116980    
Attachments:
Description Flags
Test none

Description Renata Hodovan 2017-01-08 10:21:57 PST
Load the attached test with debug WebKitTestRunner:

Checked version: 217d599
OS: Darwin-15.6.0-x86_64-i386-64bit

<img><body style="display:table-column-group">

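Backtrace (the AddressSanitizer SEGV at 0xbbadbeef reported after the assertion is the deliberate crash raised by WTFCrash when a debug assertion fails, not a separate memory-safety finding):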

ASSERTION FAILED: m_renderer
WebKit/Source/WebCore/rendering/RenderImageResource.cpp(57) : virtual void WebCore::RenderImageResource::shutdown()
1   0x11484cbf1 WTFCrash
2   0x11e2f7d91 WebCore::RenderImageResource::shutdown()
3   0x11e2e9a47 WebCore::RenderImage::~RenderImage()
4   0x11e519a75 WebCore::RenderMedia::~RenderMedia()
5   0x11e9117da WebCore::RenderVideo::~RenderVideo()
6   0x11e911825 WebCore::RenderVideo::~RenderVideo()
7   0x11e911849 WebCore::RenderVideo::~RenderVideo()
8   0x11e5a9e6f WebCore::RenderObject::destroy()
9   0x11e8fead5 WebCore::RenderTreeUpdater::createRenderer(WebCore::Element&, WebCore::RenderStyle&&)
10  0x11e8fc92c WebCore::RenderTreeUpdater::updateElementRenderer(WebCore::Element&, WebCore::Style::ElementUpdate&)
11  0x11e8fbfff WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&)
12  0x11e8fb36f WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update, std::__1::default_delete<WebCore::Style::Update> >)
13  0x119ecd965 WebCore::Document::recalcStyle(WebCore::Style::Change)
14  0x119eb810b WebCore::Document::updateStyleIfNeeded()
15  0x119ef3b4a WebCore::Document::finishedParsing()
16  0x11abab566 WebCore::HTMLConstructionSite::finishedParsing()
17  0x11aebbdb8 WebCore::HTMLTreeBuilder::finished()
18  0x11ac2500c WebCore::HTMLDocumentParser::end()
19  0x11ac20cf7 WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd()
20  0x11ac2095e WebCore::HTMLDocumentParser::prepareToStopParsing()
21  0x11ac2217b WebCore::HTMLDocumentParser::endIfDelayed()
22  0x11ac21ff6 WebCore::HTMLDocumentParser::resumeParsingAfterYield()
23  0x11addf366 WebCore::HTMLParserScheduler::continueNextChunkTimerFired()
24  0x11ade3669 void std::__1::__invoke_void_return_wrapper<void>::__call<std::__1::__bind<void (WebCore::HTMLParserScheduler::*&)(), WebCore::HTMLParserScheduler*>&>(std::__1::__bind<void (WebCore::HTMLParserScheduler::*&)(), WebCore::HTMLParserScheduler*>&&&)
25  0x11ade3379 std::__1::__function::__func<std::__1::__bind<void (WebCore::HTMLParserScheduler::*&)(), WebCore::HTMLParserScheduler*>, std::__1::allocator<std::__1::__bind<void (WebCore::HTMLParserScheduler::*&)(), WebCore::HTMLParserScheduler*> >, void ()>::operator()()
26  0x118e59045 std::__1::function<void ()>::operator()() const
27  0x118e58bd9 WebCore::Timer::fired()
28  0x11f7c0c5f WebCore::ThreadTimers::sharedTimerFiredInternal()
29  0x11f7c3e11 WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0::operator()() const
30  0x11f7c3ddd void std::__1::__invoke_void_return_wrapper<void>::__call<WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0&>(WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0&&&)
31  0x11f7c3d89 std::__1::__function::__func<WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0, std::__1::allocator<WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0>, void ()>::operator()()
ASAN:DEADLYSIGNAL
=================================================================
==8675==ERROR: AddressSanitizer: SEGV on unknown address 0x0000bbadbeef (pc 0x00011484cc29 bp 0x7fff54f97130 sp 0x7fff54f97120 T0)
    #0 0x11484cc28 in WTFCrash (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2e80c28)
    #1 0x11e2f7d90 in WebCore::RenderImageResource::shutdown() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5599d90)
    #2 0x11e2e9a46 in WebCore::RenderImage::~RenderImage() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x558ba46)
    #3 0x11e519a74 in WebCore::RenderMedia::~RenderMedia() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x57bba74)
    #4 0x11e9117d9 in WebCore::RenderVideo::~RenderVideo() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5bb37d9)
    #5 0x11e911824 in WebCore::RenderVideo::~RenderVideo() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5bb3824)
    #6 0x11e911848 in WebCore::RenderVideo::~RenderVideo() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5bb3848)
    #7 0x11e5a9e6e in WebCore::RenderObject::destroy() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x584be6e)
    #8 0x11e8fead4 in WebCore::RenderTreeUpdater::createRenderer(WebCore::Element&, WebCore::RenderStyle&&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5ba0ad4)
    #9 0x11e8fc92b in WebCore::RenderTreeUpdater::updateElementRenderer(WebCore::Element&, WebCore::Style::ElementUpdate&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5b9e92b)
    #10 0x11e8fbffe in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5b9dffe)
    #11 0x11e8fb36e in WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update, std::__1::default_delete<WebCore::Style::Update> >) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5b9d36e)
    #12 0x119ecd964 in WebCore::Document::recalcStyle(WebCore::Style::Change) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x116f964)
    #13 0x119eb810a in WebCore::Document::updateStyleIfNeeded() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x115a10a)
    #14 0x119ef3b49 in WebCore::Document::finishedParsing() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1195b49)
    #15 0x11abab565 in WebCore::HTMLConstructionSite::finishedParsing() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1e4d565)
    #16 0x11aebbdb7 in WebCore::HTMLTreeBuilder::finished() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x215ddb7)
    #17 0x11ac2500b in WebCore::HTMLDocumentParser::end() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1ec700b)
    #18 0x11ac20cf6 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1ec2cf6)
    #19 0x11ac2095d in WebCore::HTMLDocumentParser::prepareToStopParsing() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1ec295d)
    #20 0x11ac2217a in WebCore::HTMLDocumentParser::endIfDelayed() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1ec417a)
    #21 0x11ac21ff5 in WebCore::HTMLDocumentParser::resumeParsingAfterYield() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1ec3ff5)
    #22 0x11addf365 in WebCore::HTMLParserScheduler::continueNextChunkTimerFired() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x2081365)
    #23 0x11ade3668 in void std::__1::__invoke_void_return_wrapper<void>::__call<std::__1::__bind<void (WebCore::HTMLParserScheduler::*&)(), WebCore::HTMLParserScheduler*>&>(std::__1::__bind<void (WebCore::HTMLParserScheduler::*&)(), WebCore::HTMLParserScheduler*>&&&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x2085668)
    #24 0x11ade3378 in std::__1::__function::__func<std::__1::__bind<void (WebCore::HTMLParserScheduler::*&)(), WebCore::HTMLParserScheduler*>, std::__1::allocator<std::__1::__bind<void (WebCore::HTMLParserScheduler::*&)(), WebCore::HTMLParserScheduler*> >, void ()>::operator()() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x2085378)
    #25 0x118e59044 in std::__1::function<void ()>::operator()() const (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0xfb044)
    #26 0x118e58bd8 in WebCore::Timer::fired() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0xfabd8)
    #27 0x11f7c0c5e in WebCore::ThreadTimers::sharedTimerFiredInternal() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x6a62c5e)
    #28 0x11f7c3e10 in WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0::operator()() const (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x6a65e10)
    #29 0x11f7c3ddc in void std::__1::__invoke_void_return_wrapper<void>::__call<WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0&>(WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0&&&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x6a65ddc)
    #30 0x11f7c3d88 in std::__1::__function::__func<WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0, std::__1::allocator<WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0>, void ()>::operator()() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x6a65d88)
    #31 0x118e59044 in std::__1::function<void ()>::operator()() const (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0xfb044)
    #32 0x11d58e29d in WebCore::MainThreadSharedTimer::fired() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x483029d)
    #33 0x11d58eb22 in WebCore::timerFired(__CFRunLoopTimer*, void*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4830b22)
    #34 0x7fff927b1af3 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x92af3)
    #35 0x7fff927b1782 in __CFRunLoopDoTimer (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x92782)
    #36 0x7fff927b12d9 in __CFRunLoopDoTimers (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x922d9)
    #37 0x7fff927a87d0 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x897d0)
    #38 0x7fff927a7e37 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x88e37)
    #39 0x7fff90b63934 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30934)
    #40 0x7fff90b6376e in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x3076e)
    #41 0x7fff90b635ae in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x305ae)
    #42 0x7fff95a03df5 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x48df5)
    #43 0x7fff95a03225 in -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x48225)
    #44 0x7fff959f7d7f in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x3cd7f)
    #45 0x7fff959c1367 in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x6367)
    #46 0x7fff897b8193 in _xpc_objc_main (/usr/lib/system/libxpc.dylib+0x11193)
    #47 0x7fff897b6bbd in xpc_main (/usr/lib/system/libxpc.dylib+0xfbbd)
    #48 0x10ac62f73 in main (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development+0x100001f73)
    #49 0x7fff9c5a45ac in start (/usr/lib/system/libdyld.dylib+0x35ac)
    #50 0x0  (<unknown module>)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2e80c28) in WTFCrash
==8675==ABORTING
#CRASHED - com.apple.WebKit.WebContent.Development (pid 8675)
Comment 1 Renata Hodovan 2017-01-08 10:21:59 PST
Created attachment 298306 [details]
Test
Comment 2 Alexey Proskuryakov 2017-01-09 16:17:42 PST
The test case seems suspicious, as there is no video there. Is this actually reproducible?
Comment 3 zalan 2017-01-09 16:21:24 PST
Updated stack trace:

ASSERTION FAILED: m_renderer
/Users/zbujtas/OpenSource/Source/WebCore/rendering/RenderImageResource.cpp(57) : virtual void WebCore::RenderImageResource::shutdown()
1   0x1101bee31 WTFCrash
2   0x11a053c01 WebCore::RenderImageResource::shutdown()
3   0x11a045907 WebCore::RenderImage::~RenderImage()
4   0x11a045af5 WebCore::RenderImage::~RenderImage()
5   0x11a045b19 WebCore::RenderImage::~RenderImage()
6   0x11a30e89f WebCore::RenderObject::destroy()
7   0x11a662e85 WebCore::RenderTreeUpdater::createRenderer(WebCore::Element&, WebCore::RenderStyle&&)
8   0x11a6609b0 WebCore::RenderTreeUpdater::updateElementRenderer(WebCore::Element&, WebCore::Style::ElementUpdate const&)
9   0x11a65ff23 WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&)
10  0x11a65ed4f WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >)
11  0x115b121e8 WebCore::Document::recalcStyle(WebCore::Style::Change)
12  0x115af73bb WebCore::Document::updateStyleIfNeeded()
13  0x115b43303 WebCore::Document::finishedParsing()
14  0x1168530c6 WebCore::HTMLConstructionSite::finishedParsing()
15  0x116b62088 WebCore::HTMLTreeBuilder::finished()
16  0x1168ccffc WebCore::HTMLDocumentParser::end()
17  0x1168c77a7 WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd()
18  0x1168c735e WebCore::HTMLDocumentParser::prepareToStopParsing()
19  0x1168cd11c WebCore::HTMLDocumentParser::attemptToEnd()
20  0x1168cd254 WebCore::HTMLDocumentParser::finish()
21  0x115d14260 WebCore::DocumentWriter::end()
22  0x115c5b417 WebCore::DocumentLoader::finishedLoading(double)
23  0x115c5aeeb WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource&)
24  0x114fb98b4 WebCore::CachedResource::checkNotify()
25  0x114fb9f44 WebCore::CachedResource::finishLoading(WebCore::SharedBuffer*)
26  0x114fabed5 WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*)
27  0x11b0bb69f WebCore::SubresourceLoader::didFinishLoading(double)
28  0x11a73c404 WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle*, double)
29  0x11b9d8496 -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:]
30  0x7fff9b04db83 __65-[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:]_block_invoke
31  0x7fff9b04da95 -[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:]