Bug 263217

Summary: REGRESSION(269369@main) ASSERTION FAILED: !m_inRemovedLastRefFunction in WebCore::Node::ref
Product: WebKit Reporter: Fujii Hironori <Hironori.Fujii>
Component: DOMAssignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED    
Severity: Normal CC: cdumez, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   

Fujii Hironori
Reported 2023-10-16 14:04:45 PDT
I'm running layout test with Windows port Debug build 269374@main. Regressions: Unexpected crashes (2) fast/css/content/quote-crash-when-floating.html [ Crash ] fast/forms/form-submission-crash-successful-submit-button.html [ Crash ] ASSERTION FAILED: !m_inRemovedLastRefFunction C:\home\webkit\gc\Source\WebCore\dom/Node.h(803) : ref 1 00007FF92FAD1C19 WTFCrash 2 00007FF8F24A5EED WTFCrashWithInfo 3 00007FF8F2748F0B WebCore::Node::ref 4 00007FF8F4146F5A WTF::Ref<WebCore::Document,WTF::RawPtrTraits<WebCore::Document> >::Ref 5 00007FF8F4E28DAC WebCore::ContainerNode::removeNodeWithScriptAssertion 6 00007FF8F4E1E99C WebCore::ContainerNode::removeChild 7 00007FF8F54AF3EE WebCore::ValidationMessage::deleteBubbleTree 8 00007FF8F54AF1C6 WebCore::ValidationMessage::~ValidationMessage 9 00007FF8F54B8DFC std::default_delete<WebCore::ValidationMessage>::operator() 10 00007FF8F54B8E89 std::unique_ptr<WebCore::ValidationMessage,std::default_delete<WebCore::ValidationMessage> >::reset 11 00007FF8F54B47D1 std::unique_ptr<WebCore::ValidationMessage,std::default_delete<WebCore::ValidationMessage> >::operator= 12 00007FF8F54AE919 WebCore::ValidatedFormListedElement::removedFromAncestor 13 00007FF8F5365F1A WebCore::HTMLFormControlElement::removedFromAncestor 14 00007FF8F539AF85 WebCore::HTMLInputElement::removedFromAncestor 15 00007FF8F4E24B7F WebCore::notifyNodeRemovedFromDocument 16 00007FF8F4E24C65 WebCore::notifyNodeRemovedFromDocument 17 00007FF8F4E24C65 WebCore::notifyNodeRemovedFromDocument 18 00007FF8F4E24A05 WebCore::notifyChildNodeRemoved 19 00007FF8F4E1EDD1 WebCore::removeDetachedChildrenInContainer 20 00007FF8F4E1EBE7 WebCore::ContainerNode::removeDetachedChildren 21 00007FF8F4E7DB18 WebCore::Document::removedLastRef 22 00007FF8F5017208 WebCore::Node::removedLastRef 23 00007FF8F274936E WebCore::Node::deref 24 00007FF8F2CAC21B WTF::Ref<WebCore::Document,WTF::RawPtrTraits<WebCore::Document> >::~Ref 25 00007FF8F4E9A156 WebCore::Document::queueTaskToDispatchEvent::<lambda_7>::~`lambda at C:\home\webkit\gc\Source\WebCore\dom\Document.cpp:5508:35' 26 00007FF8F4EB4246 WTF::Detail::CallableWrapper<`lambda at C:\home\webkit\gc\Source\WebCore\dom\Document.cpp:5508:35',void>::~CallableWrapper 27 00007FF8F4EB41D9 WTF::Detail::CallableWrapper<`lambda at C:\home\webkit\gc\Source\WebCore\dom\Document.cpp:5508:35',void>::~CallableWrapper 28 00007FF8F2665761 std::default_delete<WTF::Detail::CallableWrapperBase<void> >::operator() 29 00007FF8F2665717 std::unique_ptr<WTF::Detail::CallableWrapperBase<void>,std::default_delete<WTF::Detail::CallableWrapperBase<void> > >::~unique_ptr 30 00007FF8F26656D3 WTF::Function<void ()>::~Function 31 00007FF8F4FAA266 WebCore::EventLoopFunctionDispatchTask::~EventLoopFunctionDispatchTask
Attachments
Add attachment proposed patch, testcase, etc.
Chris Dumez
Comment 1 2023-10-16 14:06:50 PDT
Yes, this is a pain. I really wish we had https://github.com/WebKit/WebKit/pull/8748...
Fujii Hironori
Comment 2 2023-10-16 14:08:12 PDT
fast/css/content/quote-crash-when-floating.html isn't crashing sololy. > python .\Tools\Scripts\run-webkit-tests --debug fast/css/content/quote-crash-when-floating.html --iterations=5 -v The preceding test fast/css/content/display-contents-on-focus-crash.html is making the following test crash. > python .\Tools\Scripts\run-webkit-tests --debug fast/css/content/display-contents-on-focus-crash.html --iterations=5 -v [1/5] fast/css/content/display-contents-on-focus-crash.html passed [2/5] fast/css/content/display-contents-on-focus-crash.html failed unexpectedly (WebProcess crashed [pid=876]) [3/5] fast/css/content/display-contents-on-focus-crash.html passed [4/5] fast/css/content/display-contents-on-focus-crash.html failed unexpectedly (WebKitTestRunner crashed [pid=34556]) [5/5] fast/css/content/display-contents-on-focus-crash.html passed
Chris Dumez
Comment 3 2023-10-16 14:08:46 PDT
Will do a partial revert.
Chris Dumez
Comment 4 2023-10-16 14:13:15 PDT
Pull request: https://github.com/WebKit/WebKit/pull/19131
EWS
Comment 5 2023-10-16 14:27:07 PDT
Committed 269383@main (4878f0893799): <https://commits.webkit.org/269383@main> Reviewed commits have been landed. Closing PR #19131 and removing active labels.
Radar WebKit Bug Importer
Comment 6 2023-10-16 14:28:14 PDT
<rdar://problem/117037687>
Note You need to log in before you can comment on or make changes to this bug.