Bug 263671
| Summary: | Regression(268375@main) Crash under ~Node() due to CheckedRef | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Chris Dumez <cdumez> |
| Component: | DOM | Assignee: | Chris Dumez <cdumez> |
| Status: | RESOLVED FIXED | ||
| Severity: | Normal | CC: | heycam, webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| See Also: | https://bugs.webkit.org/show_bug.cgi?id=280723 | ||
| Bug Depends on: | |||
| Bug Blocks: | 261983 | ||
Chris Dumez
Crash under ~Node() due to CheckedRef:
```
ASSERTION FAILED: !m_count
/Volumes/Work/WebKit/OpenSource/WebKitBuild/Debug/usr/local/include/wtf/CheckedRef.h(250) : WTF::CanMakeCheckedPtrBase<WTF::SingleThreadIntegralWrapper<unsigned int>, unsigned int>::~CanMakeCheckedPtrBase() [StorageType = WTF::SingleThreadIntegralWrapper<unsigned int>, PtrCounterType = unsigned int]
1 0x138bbdb3c WTFCrash
2 0x282d68d1c WebCore::BaseAudioContext::markSummingJunctionDirty(WebCore::AudioSummingJunction*)
3 0x28326135c WTF::CanMakeCheckedPtrBase<WTF::SingleThreadIntegralWrapper<unsigned int>, unsigned int>::~CanMakeCheckedPtrBase()
4 0x283d3426c WebCore::EventTarget::~EventTarget()
5 0x283daf064 WebCore::Node::~Node()
6 0x283b5bbf4 WebCore::ContainerNode::~ContainerNode()
7 0x283cbcb3c WebCore::Element::~Element()
8 0x283e00150 WebCore::PseudoElement::~PseudoElement()
9 0x283e00180 WebCore::PseudoElement::~PseudoElement()
10 0x283e001b0 WebCore::PseudoElement::~PseudoElement()
11 0x283dbaf04 WebCore::Node::removedLastRef()
12 0x2832ca440 WebCore::Node::deref() const
13 0x283d0511c WTF::DefaultRefDerefTraits<WebCore::PseudoElement>::derefIfNotNull(WebCore::PseudoElement*)
14 0x283d050dc WTF::RefPtr<WebCore::PseudoElement, WTF::RawPtrTraits<WebCore::PseudoElement>, WTF::DefaultRefDerefTraits<WebCore::PseudoElement>>::~RefPtr()
15 0x283cd85e0 WTF::RefPtr<WebCore::PseudoElement, WTF::RawPtrTraits<WebCore::PseudoElement>, WTF::DefaultRefDerefTraits<WebCore::PseudoElement>>::~RefPtr()
16 0x283cf6020 WTF::RefPtr<WebCore::PseudoElement, WTF::RawPtrTraits<WebCore::PseudoElement>, WTF::DefaultRefDerefTraits<WebCore::PseudoElement>>::operator=(WTF::RefPtr<WebCore::PseudoElement, WTF::RawPtrTraits<WebCore::PseudoElement>, WTF::DefaultRefDerefTraits<WebCore::PseudoElement>>&&)
17 0x283cd8ecc WebCore::ElementRareData::setBeforePseudoElement(WTF::RefPtr<WebCore::PseudoElement, WTF::RawPtrTraits<WebCore::PseudoElement>, WTF::DefaultRefDerefTraits<WebCore::PseudoElement>>&&)
18 0x283cd90fc WebCore::Element::clearBeforePseudoElementSlow()
19 0x283cd0024 WebCore::Element::clearBeforePseudoElement()
20 0x285bd1424 WebCore::RenderTreeUpdater::GeneratedContent::removeBeforePseudoElement(WebCore::Element&, WebCore::RenderTreeBuilder&)
21 0x285bd06d0 WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&)::$_5::operator()(unsigned int) const
22 0x285bcf090 WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&)
23 0x285bcde5c WebCore::RenderTreeUpdater::updateElementRenderer(WebCore::Element&, WebCore::Style::ElementUpdate const&)
24 0x285bcd3fc WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&)
25 0x285bccc28 WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const>>)
26 0x283bd6650 WebCore::Document::updateRenderTree(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const>>)
27 0x283bd6cf8 WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType)
28 0x283bd7a8c WebCore::Document::updateStyleIfNeeded()
29 0x284c03f80 WebCore::LocalFrameViewLayoutContext::layout()
30 0x284c18608 WebCore::LocalFrameView::updateContentsSize()
31 0x284ee692c WebCore::ScrollView::updateScrollbars(WebCore::IntPoint const&)
```
Test case:
```
<style>
html {
content: "a" url();
}
html::before {
container-type: size;
content: url();
float: left;
}
</style>
```
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Radar WebKit Bug Importer
<rdar://problem/117483509>
Chris Dumez
Remaining CheckedRef:
```
1 0x2a5d3adc4 WTF::CanMakeCheckedPtrBase<WTF::SingleThreadIntegralWrapper<unsigned int>, unsigned int>::SharedStackTrace::create()
2 0x2a5d3acc8 WTF::CanMakeCheckedPtrBase<WTF::SingleThreadIntegralWrapper<unsigned int>, unsigned int>::registerCheckedPtr(void const*) const
3 0x2a89a1f20 WTF::CheckedRef<WebCore::Element, WTF::RawPtrTraits<WebCore::Element>>::CheckedRef(WebCore::Element&)
4 0x2a8999760 WTF::CheckedRef<WebCore::Element, WTF::RawPtrTraits<WebCore::Element>>::CheckedRef(WebCore::Element&)
5 0x2aab07310 WebCore::Style::Scope::updateQueryContainerState(WebCore::Style::Scope::QueryContainerUpdateContext&)
6 0x2a9a76300 WebCore::LocalFrameViewLayoutContext::layout()
7 0x2a9a8a9a8 WebCore::LocalFrameView::updateContentsSize()
8 0x2a9d5a2ac WebCore::ScrollView::updateScrollbars(WebCore::IntPoint const&)
9 0x2a9d5bfb8 WebCore::ScrollView::setContentsSize(WebCore::IntSize const&)
10 0x2a9a79a40 WebCore::LocalFrameView::setContentsSize(WebCore::IntSize const&)
11 0x2a9a73544 WebCore::LocalFrameView::adjustViewSize()
12 0x2a9a9a470 WebCore::LocalFrameViewLayoutContext::performLayout()
13 0x2a9a7629c WebCore::LocalFrameViewLayoutContext::layout()
14 0x2a8a4f648 WebCore::Document::implicitClose()
15 0x2a9803b78 WebCore::FrameLoader::checkCallImplicitClose()
16 0x2a980359c WebCore::FrameLoader::checkCompleted()
```
Chris Dumez
Pull request: https://github.com/WebKit/WebKit/pull/19582
EWS
Committed 269829@main (f747a6b78181): <https://commits.webkit.org/269829@main>
Reviewed commits have been landed. Closing PR #19582 and removing active labels.