Bug 191532

Summary:

ASSERTION FAILED: !m_embeddedObjectsToUpdate->contains(nullptr) in WebCore::FrameView::updateEmbeddedObjects

Product:

WebKit

Reporter:

Renata Hodovan <hodovan>

Component:

WebCore Misc.

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

cdumez, commit-queue, darin, esprehn+autocc, ews-watchlist, gyuyoung.kim, rhodovan.u-szeged, rniwa, shihchieh_lee, simon.fraser, webkit-bug-importer, zalan

Priority:

Keywords:

InRadar

Version:

WebKit Local Build

Hardware:

Mac

OS:

macOS 10.14

Bug Depends on:

Bug Blocks:

116980

Attachments:

Description	Flags
Test	none
Patch	none
Patch	none
Patch	none
Patch	none
Patch	none

Renata Hodovan

Reported 2018-11-11 18:28:01 PST

Created attachment 354522 [details] Test Load the attached test with debug WebKitTestRunner / MiniBrowser: <object> <object> <object>a</object> </object> <object onbeforeload="event.target.parentNode.removeChild(event.target)"></object> Checked revision: 2698c9fc7de The issue can be reproduced both on Mac and GTK. Backtrace: ASSERTION FAILED: !m_embeddedObjectsToUpdate->contains(nullptr) ./page/FrameView.cpp(3198) : bool WebCore::FrameView::updateEmbeddedObjects() 1 0x58800fd39 WTFCrash 2 0x562b210b0 WTF::Vector<unsigned char, 0ul, WTF::CrashOnOverflow, 16ul>::Vector() 3 0x569bfa4f7 WebCore::FrameView::updateEmbeddedObjects() 4 0x569bc2858 WebCore::FrameView::updateEmbeddedObjectsTimerFired() 5 0x569bfac19 WebCore::FrameView::flushAnyPendingPostLayoutTasks() 6 0x5681c8008 WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks) 7 0x568da092c WebCore::HTMLObjectElement::renderWidgetLoadingPlugin() const 8 0x568de198f WebCore::HTMLPlugInElement::pluginWidget(WebCore::HTMLPlugInElement::PluginLoadingPolicy) const 9 0x56763ba00 WebCore::pluginScriptObjectFromPluginViewBase(WebCore::HTMLPlugInElement&, JSC::JSGlobalObject*) 10 0x56763b93b WebCore::pluginScriptObject(JSC::ExecState*, WebCore::JSHTMLElement*) 11 0x56763be94 WebCore::pluginElementCustomGetOwnPropertySlot(WebCore::JSHTMLElement*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) 12 0x564a80e26 WebCore::JSHTMLObjectElement::getOwnPropertySlot(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) 13 0x58902ce3c JSC::JSObject::getNonIndexPropertySlot(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) 14 0x58902a93f bool JSC::JSObject::getPropertySlot<false>(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) 15 0x58a94b205 JSC::JSValue::getPropertySlot(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) const 16 0x58a9002ec JSC::JSValue::get(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) const 17 0x58b5df82f llint_slow_path_get_by_id 18 0x588f99af2 llint_entry 19 0x588f92662 vmEntryToJavaScript 20 0x58b26a4d9 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) 21 0x58b26b620 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) 22 0x58ba764c7 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) 23 0x58ba76a3d JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) 24 0x58ba777d3 JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) 25 0x5675435c6 WebCore::JSExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) 26 0x5675fb435 WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) 27 0x568416ffa WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul>, WebCore::EventTarget::EventInvokePhase) 28 0x56840c64c WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) 29 0x568505c73 WebCore::Node::handleLocalEvents(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) 30 0x5683cbebe WebCore::EventContext::handleLocalEvents(WebCore::Event&, WebCore::EventTarget::EventInvokePhase) const 31 0x568404fb3 WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&)

Attachments
Test (146 bytes, text/html) 2018-11-11 18:28 PST, Renata Hodovan	no flags	Details
Patch (8.58 KB, patch) 2020-02-15 00:20 PST, Jack	no flags	Details Formatted Diff Diff
Patch (8.55 KB, patch) 2020-02-15 13:17 PST, Jack	no flags	Details Formatted Diff Diff
Patch (11.37 KB, patch) 2020-02-16 21:38 PST, Jack	no flags	Details Formatted Diff Diff
Patch (11.37 KB, patch) 2020-02-16 22:39 PST, Jack	no flags	Details Formatted Diff Diff
Patch (11.38 KB, patch) 2020-02-17 14:47 PST, Jack	no flags	Details Formatted Diff Diff
Show Obsolete (4) View All Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2018-11-17 12:35:26 PST

<rdar://problem/46151555>

Jack

Comment 2 2020-02-14 22:32:46 PST

The assertion is caused by reentrancy in FrameView::updateEmbeddedObjects(). Below is the complete call stack at the crash: (lldb) bt * thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_INSTRUCTION (code=EXC_I386_INVOP, subcode=0x0) frame #0: 0x0000000111ad86fe JavaScriptCore`::WTFCrash() at Assertions.cpp:303:5 frame #1: 0x000000012f4bd2a0 WebCore`WTFCrashWithInfo((null)=3279, (null)="./page/FrameView.cpp", (null)="bool WebCore::FrameView::updateEmbeddedObjects()", (null)=2542) at Assertions.h:618:5 * frame #2: 0x000000013770d945 WebCore`WebCore::FrameView::updateEmbeddedObjects(this=0x00006190000e5680) at FrameView.cpp:3279:5 frame #3: 0x00000001376d7767 WebCore`WebCore::FrameView::updateEmbeddedObjectsTimerFired(this=0x00006190000e5680) at FrameView.cpp:3297:13 frame #4: 0x000000013770df39 WebCore`WebCore::FrameView::flushAnyPendingPostLayoutTasks(this=0x00006190000e5680) at FrameView.cpp:3306:9 frame #5: 0x0000000135913166 WebCore`WebCore::Document::updateLayoutIgnorePendingStylesheets(this={ origin = file://, url = file:///Users/jacklee/browser2/56695849/min-56695849-reduction.html, inMainFrame = 1, backForwardCacheState = NotInBackForwardCache }, runPostLayoutTasks=Synchronously) at Document.cpp:2131:17 frame #6: 0x000000013651fccc WebCore`WebCore::HTMLObjectElement::renderWidgetLoadingPlugin(this=0x00006150000acd80) const at HTMLObjectElement.cpp:85:16 frame #7: 0x0000000136541491 WebCore`WebCore::HTMLPlugInElement::pluginWidget(this=0x00006150000acd80, loadPolicy=Load) const at HTMLPlugInElement.cpp:153:76 frame #8: 0x0000000134da8fce WebCore`WebCore::pluginScriptObjectFromPluginViewBase(pluginElement=0x00006150000acd80, globalObject=0x000061f0000356e8) at JSPluginElementFunctions.cpp:51:42 frame #9: 0x0000000134da8f0b WebCore`WebCore::pluginScriptObject(lexicalGlobalObject=0x000061f0000356e8, jsHTMLElement=0x000062d000180060) at JSPluginElementFunctions.cpp:84:30 frame #10: 0x0000000134da9464 WebCore`WebCore::pluginElementCustomGetOwnPropertySlot(element=0x000062d000180060, lexicalGlobalObject=0x000061f0000356e8, propertyName=PropertyName @ 0x00007ffee69be0c0, slot=0x00007ffee69bf220) at JSPluginElementFunctions.cpp:120:30 frame #11: 0x00000001311aa8a6 WebCore`WebCore::JSHTMLObjectElement::getOwnPropertySlot(object=0x000062d000180060, lexicalGlobalObject=0x000061f0000356e8, propertyName=PropertyName @ 0x00007ffee69be2e0, slot=0x00007ffee69bf220) at JSHTMLObjectElement.cpp:233:9 frame #12: 0x0000000115eca18d JavaScriptCore`JSC::JSObject::getNonIndexPropertySlot(this=0x000062d000180060, globalObject=0x000061f0000356e8, propertyName=PropertyName @ 0x00007ffee69be4a0, slot=0x00007ffee69bf220) at JSObjectInlines.h:168:28 frame #13: 0x0000000115bec260 JavaScriptCore`bool JSC::JSObject::getPropertySlot<false>(this=0x000062d000180060, globalObject=0x000061f0000356e8, propertyName=PropertyName @ 0x00007ffee69be8a0, slot=0x00007ffee69bf220) at JSObject.h:1428:28 frame #14: 0x0000000115c1ad64 JavaScriptCore`JSC::JSValue::getPropertySlot(this=0x00007ffee69bf1f0, globalObject=0x000061f0000356e8, propertyName=PropertyName @ 0x00007ffee69bebe0, slot=0x00007ffee69bf220) const at JSCJSValueInlines.h:925:5 frame #15: 0x00000001158abd16 JavaScriptCore`JSC::JSValue::get(this=0x00007ffee69bf1f0, globalObject=0x000061f0000356e8, propertyName=PropertyName @ 0x00007ffee69beea0, slot=0x00007ffee69bf220) const at JSCJSValueInlines.h:882:20 frame #16: 0x0000000115450acc JavaScriptCore`::llint_slow_path_get_by_id(callFrame=0x00007ffee69bf8d0, pc=0x00006070005f7e1c) at LLIntSlowPaths.cpp:763:32 frame #17: 0x0000000112aeeb1a JavaScriptCore`llint_entry at LowLevelInterpreter64.asm:97 frame #18: 0x0000000112b01b65 JavaScriptCore`llint_entry at LowLevelInterpreter.asm:1023 frame #19: 0x0000000112ae48d2 JavaScriptCore`vmEntryToJavaScript at LowLevelInterpreter64.asm:296 frame #20: 0x00000001150db707 JavaScriptCore`JSC::JITCode::execute(this=0x0000604000de6a50, vm=0x000062e000018400, protoCallFrame=0x00007ffee69bfe00) at JITCodeInlines.h:38:38 frame #21: 0x00000001150dc7af JavaScriptCore`JSC::Interpreter::executeCall(this=0x000060200001dd90, lexicalGlobalObject=0x000061f0000356e8, function=0x000062d00011e1a0, callType=JS, callData=0x00007ffee69c0dc0, thisValue=JSValue @ 0x00007ffee69bfc80, args=0x00007ffee69c10a0) at Interpreter.cpp:910:81 frame #22: 0x000000011596ad55 JavaScriptCore`JSC::call(globalObject=0x000061f0000356e8, functionObject=JSValue @ 0x00007ffee69c0260, callType=JS, callData=0x00007ffee69c0dc0, thisValue=JSValue @ 0x00007ffee69c0280, args=0x00007ffee69c10a0) at CallData.cpp:59:28 frame #23: 0x000000011596b2d2 JavaScriptCore`JSC::call(globalObject=0x000061f0000356e8, functionObject=JSValue @ 0x00007ffee69c0480, callType=JS, callData=0x00007ffee69c0dc0, thisValue=JSValue @ 0x00007ffee69c04a0, args=0x00007ffee69c10a0, returnedException=0x00007ffee69c1020) at CallData.cpp:66:22 frame #24: 0x000000011596c05e JavaScriptCore`JSC::profiledCall(globalObject=0x000061f0000356e8, reason=Other, functionObject=JSValue @ 0x00007ffee69c07c0, callType=JS, callData=0x00007ffee69c0dc0, thisValue=JSValue @ 0x00007ffee69c07e0, args=0x00007ffee69c10a0, returnedException=0x00007ffee69c1020) at CallData.cpp:87:12 frame #25: 0x0000000134c84ec2 WebCore`WebCore::JSExecState::profiledCall(lexicalGlobalObject=0x000061f0000356e8, reason=Other, functionObject=JSValue @ 0x00007ffee69c0a60, callType=JS, callData=0x00007ffee69c0dc0, thisValue=JSValue @ 0x00007ffee69c0a80, args=0x00007ffee69c10a0, returnedException=0x00007ffee69c1020) at JSExecState.h:73:16 frame #26: 0x0000000134cd31c8 WebCore`WebCore::JSEventListener::handleEvent(this=0x000060b0002d14a0, scriptExecutionContext={ origin = file://, url = file:///Users/jacklee/browser2/56695849/min-56695849-reduction.html, inMainFrame = 1, backForwardCacheState = NotInBackForwardCache }, event=0x00006080002804a0) at JSEventListener.cpp:180:22 frame #27: 0x0000000135b939a4 WebCore`WebCore::EventTarget::innerInvokeEventListeners(this=0x000061400046b040, event=0x00006080002804a0, listeners={ size = 1, capacity = 1 }, phase=Bubbling) at EventTarget.cpp:308:40 frame #28: 0x0000000135b8aa86 WebCore`WebCore::EventTarget::fireEventListeners(this=0x000061400046b040, event=0x00006080002804a0, phase=Bubbling) at EventTarget.cpp:246:9 frame #29: 0x0000000135ca37c3 WebCore`WebCore::Node::handleLocalEvents(this=0x000061400046b040, event=0x00006080002804a0, phase=Bubbling) at Node.cpp:2358:5 frame #30: 0x0000000135b619e2 WebCore`WebCore::EventContext::handleLocalEvents(this=0x0000604000de8a50, event=0x00006080002804a0, phase=Bubbling) const at EventContext.cpp:55:17 frame #31: 0x0000000135b62f0c WebCore`WebCore::dispatchEventInDOM(event=0x00006080002804a0, path=0x00007ffee69c1d40) at EventDispatcher.cpp:100:22 frame #32: 0x0000000135b62712 WebCore`WebCore::EventDispatcher::dispatchEvent(node=0x000061400046b040, event=0x00006080002804a0) at EventDispatcher.cpp:154:9 frame #33: 0x0000000135ca381d WebCore`WebCore::Node::dispatchEvent(this=0x000061400046b040, event=0x00006080002804a0) at Node.cpp:2368:5 frame #34: 0x0000000135ca42f4 WebCore`WebCore::Node::dispatchBeforeLoadEvent(this=0x000061400046b040, sourceURL={ length = 16, contents = 'data:text/plain;' }) at Node.cpp:2405:5 frame #35: 0x0000000136541edf WebCore`WebCore::HTMLPlugInElement::guardedDispatchBeforeLoadEvent(this=0x000061400046b040, sourceURL={ length = 16, contents = 'data:text/plain;' }) at HTMLPlugInElement.cpp:140:77 frame #36: 0x0000000136364546 WebCore`WebCore::HTMLEmbedElement::updateWidget(this=0x000061400046b040, createPlugins=Yes) at HTMLEmbedElement.cpp:175:34 frame #37: 0x000000013770d4ad WebCore`WebCore::FrameView::updateEmbeddedObject(this=0x00006190000e5680, embeddedObject=0x000061300015e3c0) at FrameView.cpp:3258:27 frame #38: 0x000000013770da48 WebCore`WebCore::FrameView::updateEmbeddedObjects(this=0x00006190000e5680) at FrameView.cpp:3286:9 frame #39: 0x00000001376d7767 WebCore`WebCore::FrameView::updateEmbeddedObjectsTimerFired(this=0x00006190000e5680) at FrameView.cpp:3297:13 frame #40: 0x000000013770df39 WebCore`WebCore::FrameView::flushAnyPendingPostLayoutTasks(this=0x00006190000e5680) at FrameView.cpp:3306:9 frame #41: 0x0000000135913166 WebCore`WebCore::Document::updateLayoutIgnorePendingStylesheets(this={ origin = file://, url = file:///Users/jacklee/browser2/56695849/min-56695849-reduction.html, inMainFrame = 1, backForwardCacheState = NotInBackForwardCache }, runPostLayoutTasks=Synchronously) at Document.cpp:2131:17 frame #42: 0x000000013651fccc WebCore`WebCore::HTMLObjectElement::renderWidgetLoadingPlugin(this=0x00006150000ab700) const at HTMLObjectElement.cpp:85:16 frame #43: 0x0000000136541491 WebCore`WebCore::HTMLPlugInElement::pluginWidget(this=0x00006150000ab700, loadPolicy=Load) const at HTMLPlugInElement.cpp:153:76 frame #44: 0x0000000134da8fce WebCore`WebCore::pluginScriptObjectFromPluginViewBase(pluginElement=0x00006150000ab700, globalObject=0x000061f0000356e8) at JSPluginElementFunctions.cpp:51:42 frame #45: 0x0000000134da8f0b WebCore`WebCore::pluginScriptObject(lexicalGlobalObject=0x000061f0000356e8, jsHTMLElement=0x000062d000180030) at JSPluginElementFunctions.cpp:84:30 frame #46: 0x0000000134da9464 WebCore`WebCore::pluginElementCustomGetOwnPropertySlot(element=0x000062d000180030, lexicalGlobalObject=0x000061f0000356e8, propertyName=PropertyName @ 0x00007ffee69c29a0, slot=0x00007ffee69c3b00) at JSPluginElementFunctions.cpp:120:30 frame #47: 0x00000001311aa8a6 WebCore`WebCore::JSHTMLObjectElement::getOwnPropertySlot(object=0x000062d000180030, lexicalGlobalObject=0x000061f0000356e8, propertyName=PropertyName @ 0x00007ffee69c2bc0, slot=0x00007ffee69c3b00) at JSHTMLObjectElement.cpp:233:9 frame #48: 0x0000000115eca18d JavaScriptCore`JSC::JSObject::getNonIndexPropertySlot(this=0x000062d000180030, globalObject=0x000061f0000356e8, propertyName=PropertyName @ 0x00007ffee69c2d80, slot=0x00007ffee69c3b00) at JSObjectInlines.h:168:28 frame #49: 0x0000000115bec260 JavaScriptCore`bool JSC::JSObject::getPropertySlot<false>(this=0x000062d000180030, globalObject=0x000061f0000356e8, propertyName=PropertyName @ 0x00007ffee69c3180, slot=0x00007ffee69c3b00) at JSObject.h:1428:28 frame #50: 0x0000000115c1ad64 JavaScriptCore`JSC::JSValue::getPropertySlot(this=0x00007ffee69c3ad0, globalObject=0x000061f0000356e8, propertyName=PropertyName @ 0x00007ffee69c34c0, slot=0x00007ffee69c3b00) const at JSCJSValueInlines.h:925:5 frame #51: 0x00000001158abd16 JavaScriptCore`JSC::JSValue::get(this=0x00007ffee69c3ad0, globalObject=0x000061f0000356e8, propertyName=PropertyName @ 0x00007ffee69c3780, slot=0x00007ffee69c3b00) const at JSCJSValueInlines.h:882:20 frame #52: 0x0000000115450acc JavaScriptCore`::llint_slow_path_get_by_id(callFrame=0x00007ffee69c41b0, pc=0x00006070005f7e1c) at LLIntSlowPaths.cpp:763:32 frame #53: 0x0000000112aeeb1a JavaScriptCore`llint_entry at LowLevelInterpreter64.asm:97 frame #54: 0x0000000112b01c08 JavaScriptCore`llint_entry at LowLevelInterpreter.asm:1023 frame #55: 0x0000000112ae48d2 JavaScriptCore`vmEntryToJavaScript at LowLevelInterpreter64.asm:296 frame #56: 0x00000001150db707 JavaScriptCore`JSC::JITCode::execute(this=0x0000604000de6a50, vm=0x000062e000018400, protoCallFrame=0x00007ffee69c46e0) at JITCodeInlines.h:38:38 frame #57: 0x00000001150dc7af JavaScriptCore`JSC::Interpreter::executeCall(this=0x000060200001dd90, lexicalGlobalObject=0x000061f0000356e8, function=0x000062d00011e1a0, callType=JS, callData=0x00007ffee69c56a0, thisValue=JSValue @ 0x00007ffee69c4560, args=0x00007ffee69c5980) at Interpreter.cpp:910:81 frame #58: 0x000000011596ad55 JavaScriptCore`JSC::call(globalObject=0x000061f0000356e8, functionObject=JSValue @ 0x00007ffee69c4b40, callType=JS, callData=0x00007ffee69c56a0, thisValue=JSValue @ 0x00007ffee69c4b60, args=0x00007ffee69c5980) at CallData.cpp:59:28 frame #59: 0x000000011596b2d2 JavaScriptCore`JSC::call(globalObject=0x000061f0000356e8, functionObject=JSValue @ 0x00007ffee69c4d60, callType=JS, callData=0x00007ffee69c56a0, thisValue=JSValue @ 0x00007ffee69c4d80, args=0x00007ffee69c5980, returnedException=0x00007ffee69c5900) at CallData.cpp:66:22 frame #60: 0x000000011596c05e JavaScriptCore`JSC::profiledCall(globalObject=0x000061f0000356e8, reason=Other, functionObject=JSValue @ 0x00007ffee69c50a0, callType=JS, callData=0x00007ffee69c56a0, thisValue=JSValue @ 0x00007ffee69c50c0, args=0x00007ffee69c5980, returnedException=0x00007ffee69c5900) at CallData.cpp:87:12 frame #61: 0x0000000134c84ec2 WebCore`WebCore::JSExecState::profiledCall(lexicalGlobalObject=0x000061f0000356e8, reason=Other, functionObject=JSValue @ 0x00007ffee69c5340, callType=JS, callData=0x00007ffee69c56a0, thisValue=JSValue @ 0x00007ffee69c5360, args=0x00007ffee69c5980, returnedException=0x00007ffee69c5900) at JSExecState.h:73:16 frame #62: 0x0000000134cd31c8 WebCore`WebCore::JSEventListener::handleEvent(this=0x000060b0002d14a0, scriptExecutionContext={ origin = file://, url = file:///Users/jacklee/browser2/56695849/min-56695849-reduction.html, inMainFrame = 1, backForwardCacheState = NotInBackForwardCache }, event=0x000060800027f7a0) at JSEventListener.cpp:180:22 frame #63: 0x0000000135b939a4 WebCore`WebCore::EventTarget::innerInvokeEventListeners(this=0x000061400046b040, event=0x000060800027f7a0, listeners={ size = 1, capacity = 1 }, phase=Bubbling) at EventTarget.cpp:308:40 frame #64: 0x0000000135b8aa86 WebCore`WebCore::EventTarget::fireEventListeners(this=0x000061400046b040, event=0x000060800027f7a0, phase=Bubbling) at EventTarget.cpp:246:9 frame #65: 0x0000000135ca37c3 WebCore`WebCore::Node::handleLocalEvents(this=0x000061400046b040, event=0x000060800027f7a0, phase=Bubbling) at Node.cpp:2358:5 frame #66: 0x0000000135b619e2 WebCore`WebCore::EventContext::handleLocalEvents(this=0x0000604000de59d0, event=0x000060800027f7a0, phase=Bubbling) const at EventContext.cpp:55:17 frame #67: 0x0000000135b62f0c WebCore`WebCore::dispatchEventInDOM(event=0x000060800027f7a0, path=0x00007ffee69c6620) at EventDispatcher.cpp:100:22 frame #68: 0x0000000135b62712 WebCore`WebCore::EventDispatcher::dispatchEvent(node=0x000061400046b040, event=0x000060800027f7a0) at EventDispatcher.cpp:154:9 frame #69: 0x0000000135ca381d WebCore`WebCore::Node::dispatchEvent(this=0x000061400046b040, event=0x000060800027f7a0) at Node.cpp:2368:5 frame #70: 0x0000000135ca42f4 WebCore`WebCore::Node::dispatchBeforeLoadEvent(this=0x000061400046b040, sourceURL={ length = 16, contents = 'data:text/plain;' }) at Node.cpp:2405:5 frame #71: 0x0000000136541edf WebCore`WebCore::HTMLPlugInElement::guardedDispatchBeforeLoadEvent(this=0x000061400046b040, sourceURL={ length = 16, contents = 'data:text/plain;' }) at HTMLPlugInElement.cpp:140:77 frame #72: 0x0000000136364546 WebCore`WebCore::HTMLEmbedElement::updateWidget(this=0x000061400046b040, createPlugins=No) at HTMLEmbedElement.cpp:175:34 frame #73: 0x0000000136549dd4 WebCore`WebCore::HTMLPlugInImageElement::updateAfterStyleResolution(this=0x000061400046b040) at HTMLPlugInImageElement.cpp:298:17 frame #74: 0x0000000136578cad WebCore`WebCore::HTMLPlugInImageElement::scheduleUpdateForAfterStyleResolution(this=0x00006020000f2078)::$_0::operator()() const at HTMLPlugInImageElement.cpp:276:24 frame #75: 0x0000000136578769 WebCore`WTF::Detail::CallableWrapper<WebCore::HTMLPlugInImageElement::scheduleUpdateForAfterStyleResolution()::$_0, void>::call(this=0x00006020000f2070) at Function.h:52:39 frame #76: 0x000000012f4e0002 WebCore`WTF::Function<void ()>::operator(this=0x000060c0005b2700)() const at Function.h:84:35 frame #77: 0x00000001398a0b6e WebCore`WebCore::Style::PostResolutionCallbackDisabler::~PostResolutionCallbackDisabler(this=0x00007ffee69c6f80) at StyleTreeResolver.cpp:644:17 frame #78: 0x00000001398a0da5 WebCore`WebCore::Style::PostResolutionCallbackDisabler::~PostResolutionCallbackDisabler(this=0x00007ffee69c6f80) at StyleTreeResolver.cpp:638:1 frame #79: 0x000000013591997c WebCore`WebCore::Document::resolveStyle(this={ origin = file://, url = file:///Users/jacklee/browser2/56695849/min-56695849-reduction.html, inMainFrame = 1, backForwardCacheState = NotInBackForwardCache }, type=Rebuild) at Document.cpp:2017:5 frame #80: 0x000000013591ac03 WebCore`WebCore::Document::updateStyleIfNeeded(this={ origin = file://, url = file:///Users/jacklee/browser2/56695849/min-56695849-reduction.html, inMainFrame = 1, backForwardCacheState = NotInBackForwardCache }) at Document.cpp:2087:5 frame #81: 0x0000000135955d7f WebCore`WebCore::Document::finishedParsing(this={ origin = file://, url = file:///Users/jacklee/browser2/56695849/min-56695849-reduction.html, inMainFrame = 1, backForwardCacheState = NotInBackForwardCache }) at Document.cpp:5834:9 frame #82: 0x0000000136932e98 WebCore`WebCore::HTMLConstructionSite::finishedParsing(this=0x000061200027ace0) at HTMLConstructionSite.cpp:419:16 frame #83: 0x00000001369babee WebCore`WebCore::HTMLTreeBuilder::finished(this=0x000061200027acc0) at HTMLTreeBuilder.cpp:2843:12 frame #84: 0x0000000136940e12 WebCore`WebCore::HTMLDocumentParser::end(this=0x0000625000af0100) at HTMLDocumentParser.cpp:430:20 frame #85: 0x000000013693cee2 WebCore`WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd(this=0x0000625000af0100) at HTMLDocumentParser.cpp:439:5 frame #86: 0x000000013693cb1f WebCore`WebCore::HTMLDocumentParser::prepareToStopParsing(this=0x0000625000af0100) at HTMLDocumentParser.cpp:144:5 frame #87: 0x0000000136940f2e WebCore`WebCore::HTMLDocumentParser::attemptToEnd(this=0x0000625000af0100) at HTMLDocumentParser.cpp:451:5 frame #88: 0x0000000136941064 WebCore`WebCore::HTMLDocumentParser::finish(this=0x0000625000af0100) at HTMLDocumentParser.cpp:479:5 frame #89: 0x00000001371aaf90 WebCore`WebCore::DocumentWriter::end(this=0x000062000000a110) at DocumentWriter.cpp:288:15 frame #90: 0x00000001371a8ab2 WebCore`WebCore::DocumentLoader::finishedLoading(this=0x000062000000a080) at DocumentLoader.cpp:446:14 frame #91: 0x00000001371a81e7 WebCore`WebCore::DocumentLoader::notifyFinished(this=0x000062000000a080, resource=0x000061a000c71a80) at DocumentLoader.cpp:393:9 frame #92: 0x00000001374af160 WebCore`WebCore::CachedResource::checkNotify(this=0x000061a000c71a80) at CachedResource.cpp:355:17 frame #93: 0x00000001374a60c8 WebCore`WebCore::CachedResource::finishLoading(this=0x000061a000c71a80, (null)=0x0000606000f8f4e0) at CachedResource.cpp:371:5 frame #94: 0x00000001374a8838 WebCore`WebCore::CachedRawResource::finishLoading(this=0x000061a000c71a80, data=0x0000606000f8f4e0) at CachedRawResource.cpp:120:21 frame #95: 0x00000001373b3fa5 WebCore`WebCore::SubresourceLoader::didFinishLoading(this=0x000061b000042180, networkLoadMetrics=0x00007ffee69c8a80) at SubresourceLoader.cpp:701:17 frame #96: 0x000000013738085f WebCore`WebCore::ResourceLoader::didFinishLoading(this=0x000061b000042180, (null)=0x0000603000284c50) at ResourceLoader.cpp:703:5 frame #97: 0x000000013a71316c WebCore`-[WebCoreResourceHandleAsOperationQueueDelegate connectionDidFinishLoading:]::$_7::operator(this=0x00006030002879b8)() at WebCoreResourceHandleAsOperationQueueDelegate.mm:321:29 frame #98: 0x000000013a712de9 WebCore`WTF::Detail::CallableWrapper<-[WebCoreResourceHandleAsOperationQueueDelegate connectionDidFinishLoading:]::$_7, void>::call(this=0x00006030002879b0) at Function.h:52:39 frame #99: 0x0000000111b3a272 JavaScriptCore`WTF::Function<void ()>::operator(this=0x00007ffee69c8d60)() const at Function.h:84:35 frame #100: 0x0000000111bea9d6 JavaScriptCore`WTF::dispatchFunctionsFromMainThread() at MainThread.cpp:94:9 frame #101: 0x0000000111bf01f5 JavaScriptCore`::-[JSWTFMainThreadCaller call](self=0x000060200000a910, _cmd="call") at MainThreadCocoa.mm:54:5 frame #102: 0x00007fff33ef128a Foundation`__NSThreadPerformPerform + 254 frame #103: 0x00007fff317d8b81 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17 frame #104: 0x00007fff317d8b20 CoreFoundation`__CFRunLoopDoSource0 + 103 frame #105: 0x00007fff317bc154 CoreFoundation`__CFRunLoopDoSources0 + 209 frame #106: 0x00007fff317bb760 CoreFoundation`__CFRunLoopRun + 1272 frame #107: 0x00007fff317bafe3 CoreFoundation`CFRunLoopRunSpecific + 499 frame #108: 0x0000000109292e63 DumpRenderTree`runTest(inputLine="../../../56695849/min-56695849-reduction.html") at DumpRenderTree.mm:2119:13 frame #109: 0x000000010928f9ba DumpRenderTree`dumpRenderTree(argc=2, argv=0x00007ffee69ca9d0) at DumpRenderTree.mm:1348:13 frame #110: 0x000000010929441c DumpRenderTree`DumpRenderTreeMain(argc=2, argv=0x00007ffee69ca9d0) at DumpRenderTree.mm:1457:9 frame #111: 0x00000001093e4602 DumpRenderTree`main(argc=2, argv=0x00007ffee69ca9d0) at DumpRenderTreeMain.mm:34:12 frame #112: 0x00007fff68c022e5 libdyld.dylib`start + 1 (lldb)

Jack

Comment 3 2020-02-14 23:17:52 PST

Without the assertion (in release build), there is no crash. The only issue with recursively calling updateEmbeddedObjectsTimerFired causes the first nullptr embeddedObject (marker) to be flushed by the recursive call, so the update doesn't stop at the intended marker position, potentially prolong the process and defeat the purpose of putting a marker.

Jack

Comment 4 2020-02-14 23:19:58 PST

2/14/20, 7:55 AM Alan Bujtas: Sadly RenderCombineText triggers layout/post layout task running on every style change even with diff = equal (that’s why we end up running flushAnyPendingPostLayoutTasks all over again).

Jack

Comment 5 2020-02-15 00:03:30 PST

Simon and Alan suggested that we add reentrancy check for FrameView::updateEmbeddedObjects().

Jack

Comment 6 2020-02-15 00:08:53 PST

New test case is reported in <rdar://problem/56695849>, reduced by Simon and Alan. <style> body { -webkit-writing-mode: vertical-lr; -webkit-text-combine: horizontal; } ::selection { color: red; } </style> <script> function eventhandler() { document.vlinkColor = "red"; document.createElement("object").style.color = "red"; } </script> <embed src="data:text/plain;" onbeforeload=eventhandler()>foo

Jack

Comment 7 2020-02-15 00:20:40 PST

Created attachment 390859 [details] Patch

Simon Fraser (smfr)

Comment 8 2020-02-15 10:27:19 PST

Comment on attachment 390859 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=390859&action=review > Source/WebCore/page/FrameView.h:831 > HashSet<Widget*> m_widgetsInRenderTree; > + bool m_inUpdateEmbeddedObjects { false }; > std::unique_ptr<ListHashSet<RenderEmbeddedObject*>> m_embeddedObjectsToUpdate; This is introducing 3 bytes of wasted padding. Move the bool up with some other bools.

Jack

Comment 9 2020-02-15 13:17:13 PST

Created attachment 390870 [details] Patch

Jack

Comment 10 2020-02-15 13:18:46 PST

Thanks Simon! It's moved to the bottom of the private member section.

Darin Adler

Comment 11 2020-02-16 15:06:55 PST

Comment on attachment 390870 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=390870&action=review > Source/WebCore/html/HTMLEmbedElement.cpp:84 > + if (!view || (!view->inUpdateEmbeddedObjects() && !view->layoutContext().isInLayout() && !view->isPainting())) { Can we put a helper function somewhere so we don’t need to repeat this logic in both HTMLEmbedElement and HTMLObjectElement?

Jack

Comment 12 2020-02-16 21:38:01 PST

Created attachment 390900 [details] Patch

Jack

Comment 13 2020-02-16 21:39:34 PST

Thanks, Darin. The common code is moved to the inherited class.

Jack

Comment 14 2020-02-16 22:39:58 PST

Created attachment 390903 [details] Patch

Jack

Comment 15 2020-02-16 23:15:43 PST

In function findWidgetRenderer, if the parentNode's renderer is not a <RenderWidget>, should we continue to search for the next parent? It is not a problem in this test case. Saw this when I was trying to understand the related functions. static inline RenderWidget* findWidgetRenderer(const Node* node) { - if (!node->renderer()) { - do { - node = node->parentNode(); - } while (node && !is<HTMLObjectElement>(*node)); - } - - if (node && is<RenderWidget>(node->renderer())) - return downcast<RenderWidget>(node->renderer()); + do { + node = node->parentNode(); + } while (node && (!is<HTMLObjectElement>(*node) || !node->renderer() || is<RenderWidget>(node->renderer()))); - return nullptr; + return node? downcast<RenderWidget>(node->renderer()) : nullptr; }

Darin Adler

Comment 16 2020-02-17 12:31:18 PST

Comment on attachment 390903 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=390903&action=review Looks good > Source/WebCore/html/HTMLAppletElement.cpp:99 > + return canEmbedJava()? HTMLPlugInElement::renderWidgetLoadingPlugin() : nullptr; WebKit coding style: Need a space before the "?" here. When calling through to "super", I think it’s usually better style to write the actual base class, HTMLPlugInImageElement, rather than the class that has the function in it skipping a level of inheritance HTMLPlugInElement. > Source/WebCore/html/HTMLEmbedElement.cpp:85 > + RenderWidget* widget = HTMLPlugInElement::renderWidgetLoadingPlugin(); > + > + return widget? widget : findWidgetRenderer(this); Ditto, same two comments here. > Source/WebCore/html/HTMLPlugInElement.cpp:169 > + return renderWidget(); // This will return 0 if the renderer is not a RenderWidget. I think we should say nullptr rather than "0" in this comment. I know we are just moving it.

Jack

Comment 17 2020-02-17 14:47:46 PST

Created attachment 390985 [details] Patch

Jack

Comment 18 2020-02-17 14:56:41 PST

Darin, Simon, thanks for the great advices! It really helps me learn the good practices here.

WebKit Commit Bot

Comment 19 2020-02-18 20:57:34 PST

Comment on attachment 390985 [details] Patch Clearing flags on attachment: 390985 Committed r256905: <https://trac.webkit.org/changeset/256905>

WebKit Commit Bot

Comment 20 2020-02-18 20:57:36 PST

All reviewed patches have been landed. Closing bug.

Note You need to log in before you can comment on or make changes to this bug.