Bug 262413

Summary: REGRESSION (268511@main): Crash under ~LegacyRenderSVGRoot() when loading nytimes.com
Product: WebKit Reporter: Chris Dumez <cdumez>
Component: Layout and Rendering
Assignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED
Severity: Normal CC: bfulgham, simon.fraser, webkit-bug-importer, zalan
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified

Chris Dumez
Reported 2023-09-29 16:32:08 PDT
Crash under ~LegacyRenderSVGRoot() when loading nytimes.com since 268511@main:

```
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   WebCore   0x113b77ed4 WTFCrashWithInfo(int, char const*, char const*, int) + 20 (Assertions.h:778)
1   WebCore   0x114ab0bfc WTF::CanMakeCheckedPtrBase<WTF::SingleThreadIntegralWrapper<unsigned int>, unsigned int>::~CanMakeCheckedPtrBase() + 28 (CheckedRef.h:250) [inlined]
2   WebCore   0x114ab0bfc WebCore::RenderObject::~RenderObject() + 164 (RenderObject.cpp:172)
3   WebCore   0x114bc56b4 WebCore::LegacyRenderSVGRoot::~LegacyRenderSVGRoot() + 16 (LegacyRenderSVGRoot.cpp:76) [inlined]
4   WebCore   0x114bc56b4 WebCore::LegacyRenderSVGRoot::~LegacyRenderSVGRoot() + 16 (LegacyRenderSVGRoot.cpp:76) [inlined]
5   WebCore   0x114bc56b4 WebCore::LegacyRenderSVGRoot::~LegacyRenderSVGRoot() + 44 (LegacyRenderSVGRoot.cpp:76)
6   WebCore   0x114bc95fc std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>::reset[abi:v160006](WebCore::RenderObject*) + 16 (unique_ptr.h:297) [inlined]
7   WebCore   0x114bc95fc std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>::~unique_ptr[abi:v160006]() + 16 (unique_ptr.h:263) [inlined]
8   WebCore   0x114bc95fc std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>::~unique_ptr[abi:v160006]() + 16 (unique_ptr.h:263) [inlined]
9   WebCore   0x114bc95fc WebCore::RenderTreeBuilder::destroy(WebCore::RenderObject&, WebCore::RenderTreeBuilder::CanCollapseAnonymousBlock) + 192 (RenderTreeBuilder.cpp:175)
10  WebCore   0x114bcd3d8 WebCore::RenderTreeBuilder::destroyAndCleanUpAnonymousWrappers(WebCore::RenderObject&) + 240 (RenderTreeBuilder.cpp:892)
11  WebCore   0x114bd9d6c WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&)::$_9::operator()(unsigned int) const + 248 (RenderTreeUpdater.cpp:641) [inlined]
12  WebCore   0x114bd9d6c WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&) + 2176 (RenderTreeUpdater.cpp:664)
```
Chris Dumez
Comment 1 2023-09-29 16:32:16 PDT
Chris Dumez
Comment 2 2023-09-29 16:34:20 PDT
EWS
Comment 3 2023-09-29 16:55:54 PDT
Committed 268678@main (b4da3e2a9e8d): <https://commits.webkit.org/268678@main> Reviewed commits have been landed. Closing PR #18447 and removing active labels.