Bug 250726

Summary: Assertion failure in ContainerNode::removeNodeWithScriptAssertion via ~PDFPluginTextAnnotation
Product: WebKit Reporter: Ryosuke Niwa <rniwa>
Component: DOMAssignee: Ryosuke Niwa <rniwa>
Status: RESOLVED FIXED    
Severity: Normal Keywords: InRadar
Priority: P2    
Version: WebKit Local Build   
Hardware: Unspecified   
OS: Unspecified   

Ryosuke Niwa
Reported 2023-01-17 13:55:38 PST
e.g. 0 JavaScriptCore 0x19880915e WTFCrash + 14 1 JavaScriptCore 0x19880916e WTFCrashWithSecurityImplication + 14 2 WebCore 0x1c2c62ba9 WebCore::ContainerNode::removeNodeWithScriptAssertion(WebCore::Node&, WebCore::ContainerNode::ChildChange::Source) + 697 (ContainerNode.cpp:191) 3 WebCore 0x1c2c5c4b6 WebCore::ContainerNode::removeChild(WebCore::Node&) + 614 (ContainerNode.cpp:673) 4 WebKit 0x1681ed47b WebKit::PDFPluginAnnotation::~PDFPluginAnnotation() + 1067 (PDFPluginAnnotation.mm:96) 5 WebKit 0x168304f82 WebKit::PDFPluginTextAnnotation::~PDFPluginTextAnnotation() + 514 (PDFPluginTextAnnotation.mm:79) 6 WebKit 0x168304c52 WebKit::PDFPluginPasswordField::~PDFPluginPasswordField() + 514 (PDFPluginPasswordField.mm:52) 7 WebKit 0x1683050a5 WebKit::PDFPluginPasswordField::~PDFPluginPasswordField() + 21 (PDFPluginPasswordField.mm:50) 8 WebKit 0x1683050c9 WebKit::PDFPluginPasswordField::~PDFPluginPasswordField() + 25 (PDFPluginPasswordField.mm:50) 9 WebKit 0x1682639cd std::__1::default_delete<WebKit::PDFPluginAnnotation>::operator()(WebKit::PDFPluginAnnotation*) const + 141 (unique_ptr.h:57) 10 WebKit 0x1682638ca WTF::RefCounted<WebKit::PDFPluginAnnotation, std::__1::default_delete<WebKit::PDFPluginAnnotation> >::deref() const + 250 (RefCounted.h:190) 11 WebKit 0x168263c52 WTF::DefaultRefDerefTraits<WebKit::PDFPluginPasswordField>::derefIfNotNull(WebKit::PDFPluginPasswordField*) + 50 (RefPtr.h:42) 12 WebKit 0x168263ba4 WTF::RefPtr<WebKit::PDFPluginPasswordField, WTF::RawPtrTraits<WebKit::PDFPluginPasswordField>, WTF::DefaultRefDerefTraits<WebKit::PDFPluginPasswordField> >::~RefPtr() + 276 (RefPtr.h:74) 13 WebKit 0x1681b59a5 WTF::RefPtr<WebKit::PDFPluginPasswordField, WTF::RawPtrTraits<WebKit::PDFPluginPasswordField>, WTF::DefaultRefDerefTraits<WebKit::PDFPluginPasswordField> >::~RefPtr() + 21 (RefPtr.h:74) 14 WebKit 0x1681b5df0 WebKit::PDFPlugin::~PDFPlugin() + 928 (PDFPlugin.mm:696) 15 WebKit 0x1681b5f15 WebKit::PDFPlugin::~PDFPlugin() + 21 (PDFPlugin.mm:691) 16 WebKit 0x1682125eb WTF::ThreadSafeRefCounted<WebKit::PDFPlugin, (WTF::DestructionThread)0>::deref() const::'lambda'()::operator()() const + 91 (ThreadSafeRefCounted.h:115) 17 WebKit 0x168212512 WTF::ThreadSafeRefCounted<WebKit::PDFPlugin, (WTF::DestructionThread)0>::deref() const + 290 (ThreadSafeRefCounted.h:127) 18 WebKit 0x168262044 WTF::Ref<WebKit::PDFPlugin, WTF::RawPtrTraits<WebKit::PDFPlugin> >::~Ref() + 340 (Ref.h:61) 19 WebKit 0x1681b6845 WTF::Ref<WebKit::PDFPlugin, WTF::RawPtrTraits<WebKit::PDFPlugin> >::~Ref() + 21 (Ref.h:55) 20 WebKit 0x169c5b474 WebKit::PluginView::~PluginView() + 292 (PluginView.cpp:232) 21 WebKit 0x169c5b5f5 WebKit::PluginView::~PluginView() + 21 (PluginView.cpp:226) 22 WebKit 0x169c5b619 WebKit::PluginView::~PluginView() + 25 (PluginView.cpp:226) 23 WebCore 0x1bda60acd std::__1::default_delete<WebCore::Widget>::operator()(WebCore::Widget*) const + 141 (unique_ptr.h:57) 24 WebCore 0x1bda609ca WTF::RefCounted<WebCore::Widget, std::__1::default_delete<WebCore::Widget> >::deref() const + 250 (RefCounted.h:190) 25 WebCore 0x1bda60892 WTF::DefaultRefDerefTraits<WebCore::Widget>::derefIfNotNull(WebCore::Widget*) + 50 (RefPtr.h:42) 26 WebCore 0x1bda607e4 WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> >::~RefPtr() + 276 (RefPtr.h:74) 27 WebCore 0x1bda3c615 WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> >::~RefPtr() + 21 (RefPtr.h:74) 28 WebCore 0x1c7290495 WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> >, WebCore::FrameView*>::~KeyValuePair() + 21 (KeyValuePair.h:33) 29 WebCore 0x1c7290425 WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> >, WebCore::FrameView*>::~KeyValuePair() + 21 (KeyValuePair.h:33) 30 WebCore 0x1c72903b7 WTF::HashTable<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> >, WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> >, WebCore::FrameView*>, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> >, WebCore::FrameView*> >, WTF::DefaultHash<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> > >, WTF::HashMap<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> >, WebCore::FrameView*, WTF::DefaultHash<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> > >, WTF::HashTraits<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> > >, WTF::HashTraits<WebCore::FrameView*>, WTF::HashTableTraits>::KeyValuePairTraits, WTF::HashTraits<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> > > >::deallocateTable(WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> >, WebCore::FrameView*>*) + 167 (HashTable.h:1179) 31 WebCore 0x1c72902bd WTF::HashTable<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> >, WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> >, WebCore::FrameView*>, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> >, WebCore::FrameView*> >, WTF::DefaultHash<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> > >, WTF::HashMap<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> >, WebCore::FrameView*, WTF::DefaultHash<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> > >, WTF::HashTraits<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> > >, WTF::HashTraits<WebCore::FrameView*>, WTF::HashTableTraits>::KeyValuePairTraits, WTF::HashTraits<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> > > >::~HashTable() + 141 (HashTable.h:435) 32 WebCore 0x1c728ff45 WTF::HashTable<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> >, WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> >, WebCore::FrameView*>, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> >, WebCore::FrameView*> >, WTF::DefaultHash<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> > >, WTF::HashMap<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> >, WebCore::FrameView*, WTF::DefaultHash<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> > >, WTF::HashTraits<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> > >, WTF::HashTraits<WebCore::FrameView*>, WTF::HashTableTraits>::KeyValuePairTraits, WTF::HashTraits<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> > > >::~HashTable() + 21 (HashTable.h:432) 33 WebCore 0x1c72904b5 WTF::HashMap<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> >, WebCore::FrameView*, WTF::DefaultHash<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> > >, WTF::HashTraits<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> > >, WTF::HashTraits<WebCore::FrameView*>, WTF::HashTableTraits>::~HashMap() + 21 (HashMap.h:35) 34 WebCore 0x1c7265745 WTF::HashMap<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> >, WebCore::FrameView*, WTF::DefaultHash<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> > >, WTF::HashTraits<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> > >, WTF::HashTraits<WebCore::FrameView*>, WTF::HashTableTraits>::~HashMap() + 21 (HashMap.h:35) 35 WebCore 0x1c72655ca WebCore::WidgetHierarchyUpdatesSuspensionScope::moveWidgets() + 1018 (RenderWidget.cpp:77) 36 WebCore 0x1bda59cc0 WebCore::WidgetHierarchyUpdatesSuspensionScope::~WidgetHierarchyUpdatesSuspensionScope() + 384 (RenderWidget.h:41) 37 WebCore 0x1bda3c235 WebCore::WidgetHierarchyUpdatesSuspensionScope::~WidgetHierarchyUpdatesSuspensionScope() + 21 (RenderWidget.h:38) 38 WebCore 0x1c2d4504b WebCore::Document::destroyRenderTree() + 1355 (Document.cpp:2673) 39 WebCore 0x1c2d4597f WebCore::Document::willBeRemovedFromFrame() + 1327 (Document.cpp:2720) 40 WebCore 0x1c4f1a565 WebCore::Frame::setView(WTF::RefPtr<WebCore::FrameView, WTF::RawPtrTraits<WebCore::FrameView>, WTF::DefaultRefDerefTraits<WebCore::FrameView> >&&) + 181 (Frame.cpp:241) 41 WebCore 0x1c4a1872e WebCore::FrameLoader::closeAndRemoveChild(WebCore::Frame&) + 270 (FrameLoader.cpp:2811) 42 WebCore 0x1c4a1846b WebCore::FrameLoader::detachFromParent() + 667 (FrameLoader.cpp:2938) 43 WebCore 0x1c49fc493 WebCore::FrameLoader::detachChildren() + 1203 (FrameLoader.cpp:2804) 44 WebCore 0x1c49e4750 WebCore::FrameLoader::setDocumentLoader(WebCore::DocumentLoader*) + 1520 (FrameLoader.cpp:1986) 45 WebCore 0x1c4a11003 WebCore::FrameLoader::transitionToCommitted(WebCore::CachedPage*) + 1491 (FrameLoader.cpp:2243) 46 WebCore 0x1c4a0f003 WebCore::FrameLoader::commitProvisionalLoad() + 3715 (FrameLoader.cpp:2099) <rdar://103613680>
Attachments
Add attachment proposed patch, testcase, etc.
Ryosuke Niwa
Comment 1 2023-01-17 14:11:24 PST
Pull request: https://github.com/WebKit/WebKit/pull/8734
EWS
Comment 2 2023-01-18 09:41:52 PST
Committed 259033@main (70f33f17ad48): <https://commits.webkit.org/259033@main> Reviewed commits have been landed. Closing PR #8734 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.