Bug 166816

Summary: ASSERTION FAILED: m_renderer in RenderImageResource::shutdown while destroying a RenderImage
Product: WebKit Reporter: Renata Hodovan <hodovan>
Component: Layout and RenderingAssignee: Nobody <webkit-unassigned>
Status: NEW    
Severity: Normal CC: ap, eric.carlson, jer.noble, sabouhallawa, simon.fraser, zalan
Priority: P2    
Version: WebKit Local Build   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 116980    
Attachments:
Description Flags
Test none

Renata Hodovan
Reported 2017-01-08 10:21:57 PST
Load the attached test with debug WebKitTestRunner: Checked version: 217d599 OS: Darwin-15.6.0-x86_64-i386-64bit <img><body style="display:table-column-group"> Backtrace: ASSERTION FAILED: m_renderer WebKit/Source/WebCore/rendering/RenderImageResource.cpp(57) : virtual void WebCore::RenderImageResource::shutdown() 1 0x11484cbf1 WTFCrash 2 0x11e2f7d91 WebCore::RenderImageResource::shutdown() 3 0x11e2e9a47 WebCore::RenderImage::~RenderImage() 4 0x11e519a75 WebCore::RenderMedia::~RenderMedia() 5 0x11e9117da WebCore::RenderVideo::~RenderVideo() 6 0x11e911825 WebCore::RenderVideo::~RenderVideo() 7 0x11e911849 WebCore::RenderVideo::~RenderVideo() 8 0x11e5a9e6f WebCore::RenderObject::destroy() 9 0x11e8fead5 WebCore::RenderTreeUpdater::createRenderer(WebCore::Element&, WebCore::RenderStyle&&) 10 0x11e8fc92c WebCore::RenderTreeUpdater::updateElementRenderer(WebCore::Element&, WebCore::Style::ElementUpdate&) 11 0x11e8fbfff WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) 12 0x11e8fb36f WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update, std::__1::default_delete<WebCore::Style::Update> >) 13 0x119ecd965 WebCore::Document::recalcStyle(WebCore::Style::Change) 14 0x119eb810b WebCore::Document::updateStyleIfNeeded() 15 0x119ef3b4a WebCore::Document::finishedParsing() 16 0x11abab566 WebCore::HTMLConstructionSite::finishedParsing() 17 0x11aebbdb8 WebCore::HTMLTreeBuilder::finished() 18 0x11ac2500c WebCore::HTMLDocumentParser::end() 19 0x11ac20cf7 WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() 20 0x11ac2095e WebCore::HTMLDocumentParser::prepareToStopParsing() 21 0x11ac2217b WebCore::HTMLDocumentParser::endIfDelayed() 22 0x11ac21ff6 WebCore::HTMLDocumentParser::resumeParsingAfterYield() 23 0x11addf366 WebCore::HTMLParserScheduler::continueNextChunkTimerFired() 24 0x11ade3669 void std::__1::__invoke_void_return_wrapper<void>::__call<std::__1::__bind<void (WebCore::HTMLParserScheduler::*&)(), WebCore::HTMLParserScheduler*>&>(std::__1::__bind<void (WebCore::HTMLParserScheduler::*&)(), WebCore::HTMLParserScheduler*>&&&) 25 0x11ade3379 std::__1::__function::__func<std::__1::__bind<void (WebCore::HTMLParserScheduler::*&)(), WebCore::HTMLParserScheduler*>, std::__1::allocator<std::__1::__bind<void (WebCore::HTMLParserScheduler::*&)(), WebCore::HTMLParserScheduler*> >, void ()>::operator()() 26 0x118e59045 std::__1::function<void ()>::operator()() const 27 0x118e58bd9 WebCore::Timer::fired() 28 0x11f7c0c5f WebCore::ThreadTimers::sharedTimerFiredInternal() 29 0x11f7c3e11 WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0::operator()() const 30 0x11f7c3ddd void std::__1::__invoke_void_return_wrapper<void>::__call<WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0&>(WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0&&&) 31 0x11f7c3d89 std::__1::__function::__func<WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0, std::__1::allocator<WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0>, void ()>::operator()() ASAN:DEADLYSIGNAL ================================================================= ==8675==ERROR: AddressSanitizer: SEGV on unknown address 0x0000bbadbeef (pc 0x00011484cc29 bp 0x7fff54f97130 sp 0x7fff54f97120 T0) #0 0x11484cc28 in WTFCrash (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2e80c28) #1 0x11e2f7d90 in WebCore::RenderImageResource::shutdown() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5599d90) #2 0x11e2e9a46 in WebCore::RenderImage::~RenderImage() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x558ba46) #3 0x11e519a74 in WebCore::RenderMedia::~RenderMedia() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x57bba74) #4 0x11e9117d9 in WebCore::RenderVideo::~RenderVideo() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5bb37d9) #5 0x11e911824 in WebCore::RenderVideo::~RenderVideo() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5bb3824) #6 0x11e911848 in WebCore::RenderVideo::~RenderVideo() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5bb3848) #7 0x11e5a9e6e in WebCore::RenderObject::destroy() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x584be6e) #8 0x11e8fead4 in WebCore::RenderTreeUpdater::createRenderer(WebCore::Element&, WebCore::RenderStyle&&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5ba0ad4) #9 0x11e8fc92b in WebCore::RenderTreeUpdater::updateElementRenderer(WebCore::Element&, WebCore::Style::ElementUpdate&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5b9e92b) #10 0x11e8fbffe in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5b9dffe) #11 0x11e8fb36e in WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update, std::__1::default_delete<WebCore::Style::Update> >) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5b9d36e) #12 0x119ecd964 in WebCore::Document::recalcStyle(WebCore::Style::Change) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x116f964) #13 0x119eb810a in WebCore::Document::updateStyleIfNeeded() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x115a10a) #14 0x119ef3b49 in WebCore::Document::finishedParsing() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1195b49) #15 0x11abab565 in WebCore::HTMLConstructionSite::finishedParsing() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1e4d565) #16 0x11aebbdb7 in WebCore::HTMLTreeBuilder::finished() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x215ddb7) #17 0x11ac2500b in WebCore::HTMLDocumentParser::end() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1ec700b) #18 0x11ac20cf6 in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1ec2cf6) #19 0x11ac2095d in WebCore::HTMLDocumentParser::prepareToStopParsing() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1ec295d) #20 0x11ac2217a in WebCore::HTMLDocumentParser::endIfDelayed() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1ec417a) #21 0x11ac21ff5 in WebCore::HTMLDocumentParser::resumeParsingAfterYield() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1ec3ff5) #22 0x11addf365 in WebCore::HTMLParserScheduler::continueNextChunkTimerFired() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x2081365) #23 0x11ade3668 in void std::__1::__invoke_void_return_wrapper<void>::__call<std::__1::__bind<void (WebCore::HTMLParserScheduler::*&)(), WebCore::HTMLParserScheduler*>&>(std::__1::__bind<void (WebCore::HTMLParserScheduler::*&)(), WebCore::HTMLParserScheduler*>&&&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x2085668) #24 0x11ade3378 in std::__1::__function::__func<std::__1::__bind<void (WebCore::HTMLParserScheduler::*&)(), WebCore::HTMLParserScheduler*>, std::__1::allocator<std::__1::__bind<void (WebCore::HTMLParserScheduler::*&)(), WebCore::HTMLParserScheduler*> >, void ()>::operator()() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x2085378) #25 0x118e59044 in std::__1::function<void ()>::operator()() const (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0xfb044) #26 0x118e58bd8 in WebCore::Timer::fired() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0xfabd8) #27 0x11f7c0c5e in WebCore::ThreadTimers::sharedTimerFiredInternal() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x6a62c5e) #28 0x11f7c3e10 in WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0::operator()() const (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x6a65e10) #29 0x11f7c3ddc in void std::__1::__invoke_void_return_wrapper<void>::__call<WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0&>(WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0&&&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x6a65ddc) #30 0x11f7c3d88 in std::__1::__function::__func<WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0, std::__1::allocator<WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0>, void ()>::operator()() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x6a65d88) #31 0x118e59044 in std::__1::function<void ()>::operator()() const (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0xfb044) #32 0x11d58e29d in WebCore::MainThreadSharedTimer::fired() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x483029d) #33 0x11d58eb22 in WebCore::timerFired(__CFRunLoopTimer*, void*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4830b22) #34 0x7fff927b1af3 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x92af3) #35 0x7fff927b1782 in __CFRunLoopDoTimer (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x92782) #36 0x7fff927b12d9 in __CFRunLoopDoTimers (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x922d9) #37 0x7fff927a87d0 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x897d0) #38 0x7fff927a7e37 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x88e37) #39 0x7fff90b63934 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30934) #40 0x7fff90b6376e in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x3076e) #41 0x7fff90b635ae in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x305ae) #42 0x7fff95a03df5 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x48df5) #43 0x7fff95a03225 in -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x48225) #44 0x7fff959f7d7f in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x3cd7f) #45 0x7fff959c1367 in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x6367) #46 0x7fff897b8193 in _xpc_objc_main (/usr/lib/system/libxpc.dylib+0x11193) #47 0x7fff897b6bbd in xpc_main (/usr/lib/system/libxpc.dylib+0xfbbd) #48 0x10ac62f73 in main (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development+0x100001f73) #49 0x7fff9c5a45ac in start (/usr/lib/system/libdyld.dylib+0x35ac) #50 0x0 (<unknown module>) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2e80c28) in WTFCrash ==8675==ABORTING #CRASHED - com.apple.WebKit.WebContent.Development (pid 8675)
Attachments
Test (46 bytes, text/html)
2017-01-08 10:21 PST, Renata Hodovan 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Renata Hodovan
Comment 1 2017-01-08 10:21:59 PST
Created attachment 298306 [details] Test
Alexey Proskuryakov
Comment 2 2017-01-09 16:17:42 PST
The test case seems suspicious, as there is no video there. Is this actually reproducible?
alan
Comment 3 2017-01-09 16:21:24 PST
updated stacktrace ASSERTION FAILED: m_renderer /Users/zbujtas/OpenSource/Source/WebCore/rendering/RenderImageResource.cpp(57) : virtual void WebCore::RenderImageResource::shutdown() 1 0x1101bee31 WTFCrash 2 0x11a053c01 WebCore::RenderImageResource::shutdown() 3 0x11a045907 WebCore::RenderImage::~RenderImage() 4 0x11a045af5 WebCore::RenderImage::~RenderImage() 5 0x11a045b19 WebCore::RenderImage::~RenderImage() 6 0x11a30e89f WebCore::RenderObject::destroy() 7 0x11a662e85 WebCore::RenderTreeUpdater::createRenderer(WebCore::Element&, WebCore::RenderStyle&&) 8 0x11a6609b0 WebCore::RenderTreeUpdater::updateElementRenderer(WebCore::Element&, WebCore::Style::ElementUpdate const&) 9 0x11a65ff23 WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) 10 0x11a65ed4f WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >) 11 0x115b121e8 WebCore::Document::recalcStyle(WebCore::Style::Change) 12 0x115af73bb WebCore::Document::updateStyleIfNeeded() 13 0x115b43303 WebCore::Document::finishedParsing() 14 0x1168530c6 WebCore::HTMLConstructionSite::finishedParsing() 15 0x116b62088 WebCore::HTMLTreeBuilder::finished() 16 0x1168ccffc WebCore::HTMLDocumentParser::end() 17 0x1168c77a7 WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() 18 0x1168c735e WebCore::HTMLDocumentParser::prepareToStopParsing() 19 0x1168cd11c WebCore::HTMLDocumentParser::attemptToEnd() 20 0x1168cd254 WebCore::HTMLDocumentParser::finish() 21 0x115d14260 WebCore::DocumentWriter::end() 22 0x115c5b417 WebCore::DocumentLoader::finishedLoading(double) 23 0x115c5aeeb WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource&) 24 0x114fb98b4 WebCore::CachedResource::checkNotify() 25 0x114fb9f44 WebCore::CachedResource::finishLoading(WebCore::SharedBuffer*) 26 0x114fabed5 WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) 27 0x11b0bb69f WebCore::SubresourceLoader::didFinishLoading(double) 28 0x11a73c404 WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle*, double) 29 0x11b9d8496 -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] 30 0x7fff9b04db83 __65-[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:]_block_invoke 31 0x7fff9b04da95 -[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:]
Note You need to log in before you can comment on or make changes to this bug.