Bug 180896

Summary: ASSERTION FAILED: !m_current in WebCore::RenderTreeBuilder::RenderTreeBuilder()
Product: WebKit Reporter: Ryan Haddad <ryanhaddad>
Component: Layout and RenderingAssignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE    
Severity: Normal CC: bfulgham, koivisto, simon.fraser, zalan
Priority: P2    
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=180817
Attachments:
Description Flags
crash log none

Ryan Haddad
Reported 2017-12-15 17:50:00 PST
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.JavaScriptCore 0x00000001109ef744 WTFCrash + 36 (Assertions.cpp:272) 1 com.apple.WebCore 0x000000011da9ff96 WebCore::RenderTreeBuilder::RenderTreeBuilder() + 70 (RenderTreeBuilder.cpp:42) 2 com.apple.WebCore 0x000000011da9ffc5 WebCore::RenderTreeBuilder::RenderTreeBuilder() + 21 (RenderTreeBuilder.cpp:44) 3 com.apple.WebCore 0x000000011dc5e618 WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&) + 24 (RenderTreeUpdater.cpp:519) 4 com.apple.WebCore 0x000000011c901f5c WebCore::Document::destroyRenderTree() + 540 (Document.cpp:2307) 5 com.apple.WebCore 0x000000011c90239d WebCore::Document::prepareForDestruction() + 557 (Document.cpp:2366) 6 com.apple.WebCore 0x000000011d1730f0 WebCore::Frame::setView(WTF::RefPtr<WebCore::FrameView>&&) + 192 (Frame.cpp:257) 7 com.apple.WebCore 0x000000011cff0a42 WebCore::FrameLoader::detachFromParent() + 546 (FrameLoader.cpp:2582) 8 com.apple.WebCore 0x000000011cff0e98 WebCore::FrameLoader::frameDetached() + 104 (FrameLoader.cpp:2553) 9 com.apple.WebCore 0x000000011ddd3a98 WebCore::SVGImage::~SVGImage() + 552 (SVGImage.cpp:80) 10 com.apple.WebCore 0x000000011ddd3e95 WebCore::SVGImage::~SVGImage() + 21 (SVGImage.cpp:85) 11 com.apple.WebCore 0x000000011ddd3eb9 WebCore::SVGImage::~SVGImage() + 25 (SVGImage.cpp:76) 12 com.apple.WebCore 0x000000011b04801f WTF::RefCounted<WebCore::Image>::deref() const + 79 (RefCounted.h:145) 13 com.apple.WebCore 0x000000011b047fc5 void WTF::derefIfNotNull<WebCore::Image>(WebCore::Image*) + 53 (RefPtr.h:46) 14 com.apple.WebCore 0x000000011cc1bfcb WTF::RefPtr<WebCore::Image>::operator=(std::nullptr_t) + 91 (RefPtr.h:152) 15 com.apple.WebCore 0x000000011d0b217b WebCore::CachedImage::clearImage() + 347 (CachedImage.cpp:421) 16 com.apple.WebCore 0x000000011d0b1f0a WebCore::CachedImage::~CachedImage() + 42 (CachedImage.cpp:86) 17 com.apple.WebCore 0x000000011d0b2225 WebCore::CachedImage::~CachedImage() + 21 (CachedImage.cpp:86) 18 com.apple.WebCore 0x000000011d0b2249 WebCore::CachedImage::~CachedImage() + 25 (CachedImage.cpp:84) 19 com.apple.WebCore 0x000000011d0bb63b WebCore::CachedResource::deleteIfPossible() + 91 (CachedResource.cpp:605) 20 com.apple.WebCore 0x000000011d0bd0e6 WebCore::CachedResource::unregisterHandle(WebCore::CachedResourceHandleBase*) + 166 Seen here with LayoutTest fast/shapes/shape-outside-floats/shape-outside-floats-image-threshold-002.html https://build.webkit.org/results/Apple%20Sierra%20Debug%20WK1%20(Tests)/r225971%20(5322)/results.html
Attachments
crash log (105.95 KB, text/plain)
2017-12-15 17:50 PST, Ryan Haddad 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Ryan Haddad
Comment 1 2017-12-15 17:50:16 PST
Created attachment 329548 [details] crash log
Ryan Haddad
Comment 2 2017-12-15 17:51:33 PST
Oh, this is a new assert added in https://trac.webkit.org/changeset/225969/webkit
Ryan Haddad
Comment 3 2017-12-15 17:53:50 PST
Also here with fast/shapes/shape-outside-floats/shape-outside-floats-margin-crash.html https://build.webkit.org/results/Apple%20High%20Sierra%20Release%20WK2%20(Tests)/r225990%20(1798)/results.html
Ryan Haddad
Comment 4 2017-12-15 17:59:24 PST
I can reproduce the crash on a release build with: run-webkit-tests fast/shapes/shape-outside-floats/shape-outside-floats-image-threshold-002.html -fg --iter 50
Ryan Haddad
Comment 5 2017-12-15 18:06:25 PST
*** This bug has been marked as a duplicate of bug 180817 ***
Note You need to log in before you can comment on or make changes to this bug.