Bug 256290
| Summary: | Regression(262252@main) Flaky crash under ~CanMakeCheckedPtrBase() for ScriptExecutionContext | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Chris Dumez <cdumez> |
| Component: | WebCore Misc. | Assignee: | Chris Dumez <cdumez> |
| Status: | RESOLVED FIXED | ||
| Severity: | Normal | CC: | chirag_m_shah, fujii.hironori, rniwa, webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| See Also: | https://bugs.webkit.org/show_bug.cgi?id=254347 | ||
Chris Dumez
Flaky crash under ~CanMakeCheckedPtrBase() for ScriptExecutionContext:
ASSERTION FAILED: !m_count
/Volumes/Data/worker/macOS-AppleSilicon-Ventura-Debug-Build-EWS/build/WebKitBuild/Debug/usr/local/include/wtf/CheckedRef.h(242) : WTF::CanMakeCheckedPtrBase<WTF::SingleThreadIntegralWrapper<unsigned int>, unsigned int>::~CanMakeCheckedPtrBase() [StorageType = WTF::SingleThreadIntegralWrapper<unsigned int>, PtrCounterType = unsigned int]
1 0x1352bfb44 WTFCrash
2 0x2806fdf20 JSC::VMTraps::maybeNeedHandling() const
3 0x2836e05b0 WTF::CanMakeCheckedPtrBase<WTF::SingleThreadIntegralWrapper<unsigned int>, unsigned int>::~CanMakeCheckedPtrBase()
4 0x2837b320c WebCore::ScriptExecutionContext::~ScriptExecutionContext()
5 0x2835a7228 WebCore::Document::~Document()
6 0x283a8ca08 WebCore::HTMLDocument::~HTMLDocument()
7 0x283a8ca34 WebCore::HTMLDocument::~HTMLDocument()
8 0x283a8cb08 WebCore::HTMLDocument::~HTMLDocument()
9 0x2835a9718 WebCore::Document::decrementReferencingNodeCount()
10 0x283762ea0 WebCore::Node::~Node()
11 0x28354dabc WebCore::ContainerNode::~ContainerNode()
12 0x283683f88 WebCore::Element::~Element()
13 0x283811a8c WebCore::StyledElement::~StyledElement()
14 0x2805fad08 WebCore::HTMLElement::~HTMLElement()
15 0x283b87aec WebCore::HTMLSpanElement::~HTMLSpanElement()
16 0x283b7b764 WebCore::HTMLSpanElement::~HTMLSpanElement()
17 0x283b7b790 WebCore::HTMLSpanElement::~HTMLSpanElement()
18 0x28376e444 WebCore::Node::removedLastRef()
19 0x2807623f0 WebCore::Node::deref() const
20 0x2810902e0 WebCore::EventTarget::deref()
21 0x280796904 WTF::Ref<WebCore::EventTarget, WTF::RawPtrTraits<WebCore::EventTarget>>::~Ref()
22 0x28062717c WTF::Ref<WebCore::EventTarget, WTF::RawPtrTraits<WebCore::EventTarget>>::~Ref()
23 0x280c17580 WebCore::JSDOMWrapper<WebCore::EventTarget, WTF::RawPtrTraits<WebCore::EventTarget>>::~JSDOMWrapper()
24 0x280c17550 WebCore::JSEventTarget::~JSEventTarget()
25 0x280ba17d0 WebCore::JSEventTarget::~JSEventTarget()
26 0x280b74114 WebCore::JSEventTarget::destroy(JSC::JSCell*)
27 0x136e660c8 JSC::JSDestructibleObjectDestroyFunc::operator()(JSC::VM&, JSC::JSCell*) const
28 0x136e775b8 void JSC::MarkedBlock::Handle::specializedSweep<false, (JSC::MarkedBlock::Handle::EmptyMode)0, (JSC::MarkedBlock::Handle::SweepMode)0, (JSC::MarkedBlock::Handle::SweepDestructionMode)0, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)0, (JSC::MarkedBlock::Handle::MarksMode)0, JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::JSDestructibleObjectDestroyFunc const&)::'lambda'(void*)::operator()(void*) const
29 0x136e77638 void JSC::MarkedBlock::Handle::specializedSweep<false, (JSC::MarkedBlock::Handle::EmptyMode)0, (JSC::MarkedBlock::Handle::SweepMode)0, (JSC::MarkedBlock::Handle::SweepDestructionMode)0, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)0, (JSC::MarkedBlock::Handle::MarksMode)0, JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::JSDestructibleObjectDestroyFunc const&)::'lambda'(unsigned long)::operator()(unsigned long) const
30 0x136e70824 void JSC::MarkedBlock::Handle::specializedSweep<false, (JSC::MarkedBlock::Handle::EmptyMode)0, (JSC::MarkedBlock::Handle::SweepMode)0, (JSC::MarkedBlock::Handle::SweepDestructionMode)0, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)0, (JSC::MarkedBlock::Handle::MarksMode)0, JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::JSDestructibleObjectDestroyFunc const&)
31 0x136e66058 void JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType<JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::JSDestructibleObjectDestroyFunc const&)
com.apple.WebKit.WebContent.Development terminated (pid 5793) for reason: crash
LEAK: 1 WebPageProxy
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Chris Dumez
Pull request: https://github.com/WebKit/WebKit/pull/13431
EWS
Committed 263662@main (1116cdd2710a): <https://commits.webkit.org/263662@main>
Reviewed commits have been landed. Closing PR #13431 and removing active labels.
Radar WebKit Bug Importer
<rdar://problem/108876874>
Fujii Hironori
*** Bug 255381 has been marked as a duplicate of this bug. ***