Bug 268768

Summary: ASAN_SEGV | WebCore::RenderTreeBuilder::destroyAndCleanUpAnonymousWrappers; WebCore::RenderTreeUpdater::tearDownRenderers; WebCore::RenderTreeUpdater::updateRenderTree
Product: WebKit Reporter: John Wilander <wilander>
Component: Layout and Rendering Assignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE    
Severity: Normal CC: abifox, bfulgham, cgarcia, csaavedra, fred.wang, gpoo, koivisto, mikhail, msaboff, pgriffis, rbuis, simon.fraser, webkit-bug-importer, xan.lopez, zalan, zdobersek
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=268770
Attachments:
Description Flags
Repro case none

John Wilander
Reported 2024-02-05 12:01:00 PST
Created attachment 469726 [details]
Repro case

See attached repro case.

<rdar://122122545>
Attachments
Repro case (109.08 KB, text/html)
2024-02-05 12:01 PST, John Wilander
no flags
Claudio Saavedra
Comment 1 2024-02-19 05:26:45 PST
ASSERTION FAILED: parent.firstChild()->style().display() == DisplayType::Ruby

Looks like a duplicate of bug #268770.

#0 WTFCrash() () at /app/webkit/Source/WTF/wtf/Assertions.cpp:351
#1 0x00007f87d7ebf3b0 in WTFCrashWithInfo(int, char const*, char const*, int) () at /app/webkit/WebKitBuild/GTK/Debug/WTF/Headers/wtf/Assertions.h:780
#2 0x00007f87decc25ab in WebCore::RenderTreeBuilder::Ruby::findOrCreateParentForStyleBasedRubyChild(WebCore::RenderElement&, WebCore::RenderObject const&, WebCore::RenderObject*&) (this=0x7f87b84da660, parent=..., child=..., beforeChild=@0x7ffde28b40e0: 0x0) at /app/webkit/Source/WebCore/rendering/updating/RenderTreeBuilderRuby.cpp:276
#3 0x00007f87decae4c2 in WebCore::RenderTreeBuilder::attachInternal(WebCore::RenderElement&, std::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) (this=0x7ffde28b6e60, parent=..., child=std::unique_ptr<WebCore::RenderObject> = {...}, beforeChild=0x0) at /app/webkit/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:323
#4 0x00007f87decad733 in WebCore::RenderTreeBuilder::attach(WebCore::RenderElement&, std::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) (this=0x7ffde28b6e60, parent=..., child=std::unique_ptr<WebCore::RenderObject> = {...}, beforeChild=0x0) at /app/webkit/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:192
#5 0x00007f87deccffb5 in WebCore::RenderTreeUpdater::createTextRenderer(WebCore::Text&, WebCore::Style::TextUpdate const*) (this=0x7ffde28b6e30, textNode=..., textUpdate=0x7f87b8137a18) at /app/webkit/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:585
#6 0x00007f87decd0296 in WebCore::RenderTreeUpdater::updateTextRenderer(WebCore::Text&, WebCore::Style::TextUpdate const*) (this=0x7ffde28b6e30, text=..., textUpdate=0x7f87b8137a18) at /app/webkit/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:624
#7 0x00007f87decce543 in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) (this=0x7ffde28b6e30, root=...) at /app/webkit/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:238
#8 0x00007f87deccdae4 in WebCore::RenderTreeUpdater::commit(std::unique_ptr<WebCore::Style::Update, std::default_delete<WebCore::Style::Update> >) (this=0x7ffde28b6e30, styleUpdate=std::unique_ptr<WebCore::Style::Update> = {...}) at /app/webkit/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:127
#9 0x00007f87dcc6442f in WebCore::Document::updateRenderTree(std::unique_ptr<WebCore::Style::Update, std::default_delete<WebCore::Style::Update> >) (this=0x7f87a6121200, styleUpdate=std::unique_ptr<WebCore::Style::Update> = {...}) at /app/webkit/Source/WebCore/dom/Document.cpp:2482
#10 0x00007f87dcc64c93 in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) (this=0x7f87a6121200, type=WebCore::Document::ResolveStyleType::Rebuild) at /app/webkit/Source/WebCore/dom/Document.cpp:2580
#11 0x00007f87dcc65373 in WebCore::Document::updateStyleIfNeeded() (this=0x7f87a6121200) at /app/webkit/Source/WebCore/dom/Document.cpp:2682
#12 0x00007f87dcc7f677 in WebCore::Document::finishedParsing() (this=0x7f87a6121200) at /app/webkit/Source/WebCore/dom/Document.cpp:7218
#13 0x00007f87dd51d2ae in WebCore::HTMLConstructionSite::finishedParsing() (this=0x7f87b80a24b8) at /app/webkit/Source/WebCore/html/parser/HTMLConstructionSite.cpp:461
#14 0x00007f87dd5765ce in WebCore::HTMLTreeBuilder::finished() (this=0x7f87b80a2480) at /app/webkit/Source/WebCore/html/parser/HTMLTreeBuilder.cpp:3114
#15 0x00007f87dd5227cc in WebCore::HTMLDocumentParser::end() (this=0x7f87a603b000) at /app/webkit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:446
#16 0x00007f87dd5228fc in WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() (this=0x7f87a603b000) at /app/webkit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:455
#17 0x00007f87dd521184 in WebCore::HTMLDocumentParser::prepareToStopParsing() (this=0x7f87a603b000) at /app/webkit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:150
#18 0x00007f87dd522937 in WebCore::HTMLDocumentParser::attemptToEnd() (this=0x7f87a603b000) at /app/webkit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:467
#19 0x00007f87dd5229eb in WebCore::HTMLDocumentParser::finish() (this=0x7f87a603b000) at /app/webkit/Source/WebCore/html/parser/HTMLDocumentParser.cpp:495
#20 0x00007f87dda048fc in WebCore::DocumentWriter::end() (this=0x7f87a60390d8) at /app/webkit/Source/WebCore/loader/DocumentWriter.cpp:351
#21 0x00007f87dd9eea31 in WebCore::DocumentLoader::finishedLoading() (this=0x7f87a6039000) at /app/webkit/Source/WebCore/loader/DocumentLoader.cpp:504
#22 0x00007f87dd9ee476 in WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource&, WebCore::NetworkLoadMetrics const&) (this=0x7f87a6039000, resource=..., metrics=...) at /app/webkit/Source/WebCore/loader/DocumentLoader.cpp:449
#23 0x00007f87ddb74083 in WebCore::CachedResource::checkNotify(WebCore::NetworkLoadMetrics const&) (this=0x7f87b80739c0, metrics=...) at /app/webkit/Source/WebCore/loader/cache/CachedResource.cpp:331
#24 0x00007f87ddb741f7 in WebCore::CachedResource::finishLoading(WebCore::FragmentedSharedBuffer const*, WebCore::NetworkLoadMetrics const&) (this=0x7f87b80739c0, metrics=...) at /app/webkit/Source/WebCore/loader/cache/CachedResource.cpp:348
#25 0x00007f87ddb6f4b3 in WebCore::CachedRawResource::finishLoading(WebCore::FragmentedSharedBuffer const*, WebCore::NetworkLoadMetrics const&) (this=0x7f87b80739c0, data=0x7f87b8095600, metrics=...) at /app/webkit/Source/WebCore/loader/cache/CachedRawResource.cpp:128
#26 0x00007f87ddaef87c in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (this=0x7f87b80ba6c0, networkLoadMetrics=...) at /app/webkit/Source/WebCore/loader/SubresourceLoader.cpp:774
#27 0x00007f87d970d11c in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics&&) (this=0x7f87b8114a00, networkLoadMetrics=...) at /app/webkit/Source/WebKit/WebProcess/Network/WebResourceLoader.cpp:276
#28 0x00007f87d83b2acc in _ZZN3IPC18callMemberFunctionIN6WebKit17WebResourceLoaderES2_FvON7WebCore18NetworkLoadMetricsEESt5tupleIJS4_EEEEvPT_MT0_T1_OT2_ENKUlDpOT_E_clIJS4_EEEDaSI_ (__closure=0x7ffde28b7ac0) at /app/webkit/Source/WebKit/Platform/IPC/HandleMessage.h:135
#29 0x00007f87d83b5ccb in _ZSt13__invoke_implIvZN3IPC18callMemberFunctionIN6WebKit17WebResourceLoaderES3_FvON7WebCore18NetworkLoadMetricsEESt5tupleIJS5_EEEEvPT_MT0_T1_OT2_EUlDpOT_E_JS5_EESA_St14__invoke_otherOSC_DpOT1_ (__f=...) at /usr/include/c++/13.2.0/bits/invoke.h:61
#30 0x00007f87d83b4861 in _ZSt8__invokeIZN3IPC18callMemberFunctionIN6WebKit17WebResourceLoaderES3_FvON7WebCore18NetworkLoadMetricsEESt5tupleIJS5_EEEEvPT_MT0_T1_OT2_EUlDpOT_E_JS5_EENSt15__invoke_resultISA_JDpT0_EE4typeEOSA_DpOSM_ (__fn=...) at /usr/include/c++/13.2.0/bits/invoke.h:96
#31 0x00007f87d83b2b15 in _ZSt12__apply_implIZN3IPC18callMemberFunctionIN6WebKit17WebResourceLoaderES3_FvON7WebCore18NetworkLoadMetricsEESt5tupleIJS5_EEEEvPT_MT0_T1_OT2_EUlDpOT_E_S9_JLm0EEEDcOSA_OSC_St16integer_sequenceImJXspT1_EEE (__f=..., __t=...) at /usr/include/c++/13.2.0/tuple:2288
#32 0x00007f87d83b2b53 in _ZSt5applyIZN3IPC18callMemberFunctionIN6WebKit17WebResourceLoaderES3_FvON7WebCore18NetworkLoadMetricsEESt5tupleIJS5_EEEEvPT_MT0_T1_OT2_EUlDpOT_E_S9_EDcOSA_OSC_ (__f=..., __t=...) at /usr/include/c++/13.2.0/tuple:2299
#33 0x00007f87d83b2bb8 in IPC::callMemberFunction<WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics> >(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&), std::tuple<WebCore::NetworkLoadMetrics>&&) (object=0x7f87b8114a00, function=(void (WebKit::WebResourceLoader::*)(WebKit::WebResourceLoader * const, WebCore::NetworkLoadMetrics &&)) 0x7f87d970cdb4 <WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics&&)>, tuple=...) at /app/webkit/Source/WebKit/Platform/IPC/HandleMessage.h:133
#34 0x00007f87d83b12d9 in IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, WebKit::WebResourceLoader, void (WebCore::NetworkLoadMetrics&&)>(IPC::Connection&, IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics&&)) (connection=..., decoder=..., object=0x7f87b8114a00, function=(void (WebKit::WebResourceLoader::*)(WebKit::WebResourceLoader * const, WebCore::NetworkLoadMetrics &&)) 0x7f87d970cdb4 <WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics&&)>) at /app/webkit/Source/WebKit/Platform/IPC/HandleMessage.h:235
#35 0x00007f87d83b068a in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (this=0x7f87b8114a00, connection=..., decoder=...) at /app/webkit/WebKitBuild/GTK/Debug/DerivedSources/WebKit/WebResourceLoaderMessageReceiver.cpp:78
#36 0x00007f87d9702341 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (this=0x7f87b800c300, connection=..., decoder=...) at /app/webkit/Source/WebKit/WebProcess/Network/NetworkProcessConnection.cpp:101
#37 0x00007f87d8df8543 in IPC::Connection::dispatchMessage(IPC::Decoder&) (this=0x7f87b805c3c0, decoder=...) at /app/webkit/Source/WebKit/Platform/IPC/Connection.cpp:1244
#38 0x00007f87d8df8792 in IPC::Connection::dispatchMessage(WTF::UniqueRef<IPC::Decoder>) (this=0x7f87b805c3c0, message=...) at /app/webkit/Source/WebKit/Platform/IPC/Connection.cpp:1292
#39 0x00007f87d8df8b6f in IPC::Connection::dispatchOneIncomingMessage() (this=0x7f87b805c3c0) at /app/webkit/Source/WebKit/Platform/IPC/Connection.cpp:1357
#40 0x00007f87d8df8186 in operator()() const (__closure=0x7f87b8208388) at /app/webkit/Source/WebKit/Platform/IPC/Connection.cpp:1206
#41 0x00007f87d8dfe5c0 in WTF::Detail::CallableWrapper<IPC::Connection::enqueueIncomingMessage(WTF::UniqueRef<IPC::Decoder>)::<lambda()>, void>::call(void) (this=0x7f87b8208380) at /app/webkit/WebKitBuild/GTK/Debug/WTF/Headers/wtf/Function.h:53
#42 0x00007f87cba5acd1 in WTF::Function<void ()>::operator()() const (this=0x7ffde28b7f50) at /app/webkit/WebKitBuild/GTK/Debug/WTF/Headers/wtf/Function.h:82
#43 0x00007f87cd178c77 in WTF::RunLoop::performWork() (this=0x7f87b80180c0) at /app/webkit/Source/WTF/wtf/RunLoop.cpp:147
#44 0x00007f87cd23a940 in operator()(gpointer) const (__closure=0x0, userData=0x7f87b80180c0) at /app/webkit/Source/WTF/wtf/glib/RunLoopGLib.cpp:80
#45 0x00007f87cd23a964 in _FUN(gpointer) () at /app/webkit/Source/WTF/wtf/glib/RunLoopGLib.cpp:82
#46 0x00007f87cd23a8d3 in operator()(GSource*, GSourceFunc, gpointer) const (__closure=0x0, source=0x5616b2a97450, callback=0x7f87cd23a947 <_FUN(gpointer)>, userData=0x7f87b80180c0) at /app/webkit/Source/WTF/wtf/glib/RunLoopGLib.cpp:53
#47 0x00007f87cd23a921 in _FUN(GSource*, GSourceFunc, gpointer) () at /app/webkit/Source/WTF/wtf/glib/RunLoopGLib.cpp:56
#48 0x00007f87c8917d36 in g_main_dispatch (context=0x5616b2a5ad70) at ../glib/gmain.c:3460
#49 g_main_context_dispatch (context=0x5616b2a5ad70) at ../glib/gmain.c:4200
#50 0x00007f87c89752b8 in g_main_context_iterate.isra.0 (context=0x5616b2a5ad70, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:4276
#51 0x00007f87c89173ff in g_main_loop_run (loop=0x5616b2a4d620) at ../glib/gmain.c:4479
#52 0x00007f87cd23af9c in WTF::RunLoop::run() () at /app/webkit/Source/WTF/wtf/glib/RunLoopGLib.cpp:108
#53 0x00007f87d9a1cd39 in WebKit::AuxiliaryProcessMainBase<WebKit::WebProcess, true>::run(int, char**) (this=0x7ffde28b8220, argc=4, argv=0x7ffde28b83e8) at /app/webkit/Source/WebKit/Shared/AuxiliaryProcessMain.h:72
#54 0x00007f87d9a196a2 in WebKit::AuxiliaryProcessMain<WebKit::WebProcessMainGtk>(int, char**) (argc=4, argv=0x7ffde28b83e8) at /app/webkit/Source/WebKit/Shared/AuxiliaryProcessMain.h:98
#55 0x00007f87d9a11584 in WebKit::WebProcessMain(int, char**) (argc=4, argv=0x7ffde28b83e8) at /app/webkit/Source/WebKit/WebProcess/gtk/WebProcessMainGtk.cpp:90
#56 0x00005616b1fd4959 in main(int, char**) (argc=4, argv=0x7ffde28b83e8) at /app/webkit/Source/WebKit/WebProcess/EntryPoint/unix/WebProcessMain.cpp:31
Frédéric Wang (:fredw)
Comment 2 2024-03-22 11:02:41 PDT
TL;DR: The crash from the original repro case (attachment 469726 [details]) is due to destroyAndCleanUpAnonymousWrappers incorrectly being called with a detached subtree, whose root is an anonymous rubyBase created in findOrCreateParentForStyleBasedRubyChild that is inserted by attachToRenderElementInternal with the following bad configuration:

RUBY RenderBlock at (-47.20,663.42) size 792.70x1 renderer (0x7f354601a160) layout box ((nil)) node (0x7f3546005d40) (layout overflow -24.56,0 817.27x234.20) (visual overflow -24.56,0 817.27x224.20) layout->[self][normal child]
[parent]------->RenderInline renderer (0x7f354601a610) layout box ((nil)) layout->[self][normal child]
RenderInline renderer (0x7f354601a6b0) layout box ((nil)) layout->[self][normal child]
RenderInline renderer (0x7f354601c460) layout box ((nil)) layout->[self][normal child]
#text RenderText renderer (0x7f354601c5e0) layout box ((nil)) node (0x7f3546005e80) length->(1) "\n" layout->[self]
RenderInline renderer (0x7f354601a750) layout box ((nil)) layout->[self][normal child]
#text RenderText renderer (0x7f3546017f20) layout box ((nil)) node (0x7f3546006100) length->(1) "\n" layout->[self]
TIME RenderInline renderer (0x7f354601a900) layout box ((nil)) node (0x7f3546006220) continuation->(0x7f354601a9a0) layout->[self][normal child]
#text RenderText renderer (0x7f354601a530) layout box ((nil)) node (0x7f3546006160) length->(1) "\n" layout->[self]
[beforeChild]-->#text RenderText renderer (0x7f354601ab60) layout box ((nil)) node (0x7f3546006510) length->(1) "\n" layout->[self]

For details, see the debugging session below. This is very similar to what I described in bug 268770 comment 7: `<ruby>` is a DisplayType::RubyBlock and RenderTreeBuilder::attachInternal assumes that in that case all the children are wrapped in a DisplayType::Ruby anonymous child (per https://www.w3.org/TR/css-ruby-1/#block-ruby), which is not the case for beforeChild here.

There are more bad things (debug ASSERTs failing) happening along the way as the testcase is more complex, but the root of the problem is the same: the ruby subtree is broken.

********************************************************************************

This is the backtrace of the original release assert:

Thread 1 received signal SIGSEGV, Segmentation fault.
operator() (__closure=<optimized out>, __closure=<optimized out>) at /home/fred/src-obj/WebKit/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:818
818	    if (!isAnonymousAndSafeToDelete(destroyRootParent))
#0 operator() (__closure=<optimized out>, __closure=<optimized out>) at /home/fred/src-obj/WebKit/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:818
#1 WebCore::RenderTreeBuilder::destroyAndCleanUpAnonymousWrappers(WebCore::RenderObject&) (this=0x7ffedeacf900, rendererToDestroy=...) at /home/fred/src-obj/WebKit/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:828
#2 0x00007f35cef41a95 in WebCore::RenderTreeUpdater::tearDownTextRenderer(WebCore::Text&, WebCore::RenderTreeBuilder&) (text=..., builder=<optimized out>) at /home/fred/src-obj/WebKit/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:779
#3 0x00007f35cef45db3 in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&) (root=..., teardownType=<optimized out>, builder=...) at /home/fred/src-obj/WebKit/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:762
#4 0x00007f35cef47c45 in WebCore::RenderTreeUpdater::updateElementRenderer(WebCore::Element&, WebCore::Style::ElementUpdate const&) (this=this@entry=0x7ffedeacf8d0, element=..., elementUpdate=...) at /home/fred/src-obj/WebKit/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:424
#5 0x00007f35cef49ce1 in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) (this=this@entry=0x7ffedeacf8d0, root=<optimized out>) at /home/fred/src-obj/WebKit/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:262
#6 0x00007f35cef4a09b in WebCore::RenderTreeUpdater::commit(std::unique_ptr<WebCore::Style::Update, std::default_delete<WebCore::Style::Update> >) (this=0x7ffedeacf8d0, styleUpdate=std::unique_ptr<WebCore::Style::Update> = {...}) at /home/fred/src-obj/WebKit/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:127
#7 0x00007f35cdfad411 in WebCore::Document::updateRenderTree(std::unique_ptr<WebCore::Style::Update, std::default_delete<WebCore::Style::Update> >) (this=this@entry=0x7f3555141c00, styleUpdate=std::unique_ptr<WebCore::Style::Update> = {...}) at /usr/include/c++/11/bits/unique_ptr.h:172
#8 0x00007f35cdfe1fce in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) (this=this@entry=0x7f3555141c00, type=<optimized out>, type@entry=WebCore::Document::ResolveStyleType::Normal) at /usr/include/c++/11/bits/unique_ptr.h:172
#9 0x00007f35cdfe2475 in WebCore::Document::updateStyleIfNeeded() (this=this@entry=0x7f3555141c00) at /home/fred/src-obj/WebKit/Source/WebCore/dom/Document.cpp:2685
#10 0x00007f35cdfe25a3 in WebCore::Document::updateLayout(WTF::OptionSet<WebCore::LayoutOptions>, WebCore::Element const*) (this=0x7f3555141c00, layoutOptions=layoutOptions@entry=..., context=context@entry=0x0) at /home/fred/src-obj/WebKit/Source/WebCore/dom/Document.cpp:2729
#11 0x00007f35ce2e75f9 in WebCore::HTMLPlugInElement::renderWidgetLoadingPlugin() const (this=0x7f3546020c00) at /home/fred/src-obj/WebKit/WebKitBuild/RelWithDebInfo/WTF/Headers/wtf/OptionSet.h:93
#12 0x00007f35ce2e8ed4 in WebCore::HTMLPlugInElement::pluginWidget(WebCore::HTMLPlugInElement::PluginLoadingPolicy) const (this=<optimized out>, loadPolicy=loadPolicy@entry=WebCore::HTMLPlugInElement::PluginLoadingPolicy::Load) at /home/fred/src-obj/WebKit/Source/WebCore/html/HTMLPlugInElement.cpp:119
#13 0x00007f35ce2e908a in WebCore::HTMLPlugInElement::bindingsInstance() (this=this@entry=0x7f3546020c00) at /home/fred/src-obj/WebKit/Source/WebCore/html/HTMLPlugInElement.cpp:111
#14 0x00007f35cdc37c19 in WebCore::pluginScriptObject(JSC::JSGlobalObject*, WebCore::JSHTMLElement*) (lexicalGlobalObject=lexicalGlobalObject@entry=0x7f355500c088, jsHTMLElement=jsHTMLElement@entry=0x7f35ad0bcec8) at /home/fred/src-obj/WebKit/Source/WebCore/bindings/js/JSPluginElementFunctions.cpp:61
#15 0x00007f35cdc37dac in WebCore::pluginElementCustomPut(WebCore::JSHTMLElement*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&, bool&) (element=element@entry=0x7f35ad0bcec8, lexicalGlobalObject=lexicalGlobalObject@entry=0x7f355500c088, propertyName=propertyName@entry=..., value=value@entry=..., slot=..., putResult=putResult@entry=@0x7ffedeacffb7: false) at /home/fred/src-obj/WebKit/Source/WebCore/bindings/js/JSPluginElementFunctions.cpp:115
#16 0x00007f35cd2590c4 in WebCore::JSHTMLObjectElement::put(JSC::JSCell*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) (cell=0x7f35ad0bcec8, lexicalGlobalObject=0x7f355500c088, propertyName=..., value=..., putPropertySlot=...) at /home/fred/src-obj/WebKit/WebKitBuild/RelWithDebInfo/WebCore/DerivedSources/JSHTMLObjectElement.cpp:298
#17 0x00007f35caa72e74 in JSC::JSCell::putInline(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) (slot=..., value=..., propertyName=..., globalObject=0x7f355500c088, this=0x7f35ad0bcec8) at /home/fred/src-obj/WebKit/Source/JavaScriptCore/runtime/JSCellInlines.h:477
#18 JSC::JSValue::putInline(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) (slot=..., value=..., propertyName=..., globalObject=0x7f355500c088, this=0x7ffedead0068) at /home/fred/src-obj/WebKit/Source/JavaScriptCore/runtime/JSCJSValueInlines.h:1162
#19 JSC::LLInt::llint_slow_path_put_by_id(JSC::CallFrame*, JSC::JSInstruction const*) (callFrame=<optimized out>, pc=0x7f355598e295) at /home/fred/src-obj/WebKit/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1026
#20 0x00007f35c9dfa5df in llint_op_put_by_id_wide16 () at /home/fred/src-obj/WebKit/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:141
#21 0xfffe000000000000 in ()
#22 0x00007f3558008038 in ()
#23 0x00007ffedead0560 in ()
#24 0x00007f35c9e0cb03 in op_call_return_location_wide16 () at /home/fred/src-obj/WebKit/Source/JavaScriptCore/llint/LowLevelInterpreter.asm:1172
#25 0x0000000000000000 in ()

It's happening because RenderTreeBuilder::destroyAndCleanUpAnonymousWrappers is called for a detached subtree:

(rr) p showRenderTree(destroyRoot)
I---YG----- -+* RenderInline renderer (0x7f354601b240) layout box ((nil)) layout->[self][normal child]
I---YG----- -+ RenderInline renderer (0x7f354601a7f0) layout box ((nil)) layout->[self][normal child]
I---------- -+ #text RenderText renderer (0x7f3546017f90) layout box ((nil)) node (0x7f35460064b0) length->(1) "\n" layout->[self]

This is the callback for where destroyRoot was initially attached:

(rr) watch -l destroyRoot->m_parent
(rr) reverse-continue
Thread 1 hit Hardware watchpoint 1: -location destroyRoot->m_parent
Old value = {m_impl = {m_ptr = 0x7f35ad7777a0}}
New value = {m_impl = {m_ptr = 0x0}}
(rr) bt
#0 0x00007f35cedb0a07 in std::swap<WTF::SingleThreadWeakPtrImpl*>(WTF::SingleThreadWeakPtrImpl*&, WTF::SingleThreadWeakPtrImpl*&) (__b=<synthetic pointer>: <optimized out>, __a=@0x7f354601b260: 0x0) at /usr/include/c++/11/bits/move.h:205
#1 WTF::RawPtrTraits<WTF::SingleThreadWeakPtrImpl>::swap(WTF::SingleThreadWeakPtrImpl*&, WTF::SingleThreadWeakPtrImpl*&) (b=<synthetic pointer>: <optimized out>, a=@0x7f354601b260: 0x0) at /home/fred/src-obj/WebKit/WebKitBuild/RelWithDebInfo/WTF/Headers/wtf/RawPtrTraits.h:43
#2 WTF::RefPtr<WTF::SingleThreadWeakPtrImpl, WTF::RawPtrTraits<WTF::SingleThreadWeakPtrImpl>, WTF::DefaultRefDerefTraits<WTF::SingleThreadWeakPtrImpl> >::swap<WTF::SingleThreadWeakPtrImpl, WTF::RawPtrTraits<WTF::SingleThreadWeakPtrImpl>, WTF::DefaultRefDerefTraits<WTF::SingleThreadWeakPtrImpl> >(WTF::RefPtr<WTF::SingleThreadWeakPtrImpl, WTF::RawPtrTraits<WTF::SingleThreadWeakPtrImpl>, WTF::DefaultRefDerefTraits<WTF::SingleThreadWeakPtrImpl> >&) (o=<synthetic pointer>..., this=0x7f354601b260) at /home/fred/src-obj/WebKit/WebKitBuild/RelWithDebInfo/WTF/Headers/wtf/RefPtr.h:189
#3 WTF::RefPtr<WTF::SingleThreadWeakPtrImpl, WTF::RawPtrTraits<WTF::SingleThreadWeakPtrImpl>, WTF::DefaultRefDerefTraits<WTF::SingleThreadWeakPtrImpl> >::operator=(WTF::RefPtr<WTF::SingleThreadWeakPtrImpl, WTF::RawPtrTraits<WTF::SingleThreadWeakPtrImpl>, WTF::DefaultRefDerefTraits<WTF::SingleThreadWeakPtrImpl> >&&) (o=<optimized out>, this=0x7f354601b260) at /home/fred/src-obj/WebKit/WebKitBuild/RelWithDebInfo/WTF/Headers/wtf/RefPtr.h:163
#4 WTF::WeakPtr<WebCore::RenderElement, WTF::SingleThreadWeakPtrImpl, WTF::RawPtrTraits<WTF::SingleThreadWeakPtrImpl> >::operator=(WTF::WeakPtr<WebCore::RenderElement, WTF::SingleThreadWeakPtrImpl, WTF::RawPtrTraits<WTF::SingleThreadWeakPtrImpl> >&&) (this=0x7f354601b260) at /home/fred/src-obj/WebKit/WebKitBuild/RelWithDebInfo/WTF/Headers/wtf/WeakPtr.h:41
#5 WebCore::RenderObject::setParent(WebCore::RenderElement*) (this=0x7f354601b240, parent=<optimized out>) at /home/fred/src-obj/WebKit/Source/WebCore/rendering/RenderObject.cpp:331
#6 0x00007f35cecf368f in WebCore::RenderElement::attachRendererInternal(std::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) (this=this@entry=0x7f354601a610, child=std::unique_ptr<WebCore::RenderObject> = {...}, beforeChild=0x7f35460007a0) at /usr/include/c++/11/bits/unique_ptr.h:173
#7 0x00007f35cef2998c in WebCore::RenderTreeBuilder::attachToRenderElementInternal(WebCore::RenderElement&, std::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*, WebCore::RenderObject::IsInternalMove) (this=this@entry=0x7ffedeacf7f0, parent=..., child=std::unique_ptr<WebCore::RenderObject> = {...}, beforeChild=<optimized out>, beforeChild@entry=0x7f354601ab60, isInternalMove=isInternalMove@entry=WebCore::RenderObject::IsInternalMove::No) at /usr/include/c++/11/bits/unique_ptr.h:172
#8 0x00007f35cef3145b in WebCore::RenderTreeBuilder::attachToRenderElementInternal(WebCore::RenderElement&, std::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*, WebCore::RenderObject::IsInternalMove) (isInternalMove=WebCore::RenderObject::IsInternalMove::No, beforeChild=0x7f354601ab60, child=std::unique_ptr<WebCore::RenderObject> = {...}, parent=..., this=0x7ffedeacf7f0) at /home/fred/src-obj/WebKit/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:402
#9 WebCore::RenderTreeBuilder::attachToRenderElement(WebCore::RenderElement&, std::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) (this=0x7ffedeacf7f0, parent=..., child=std::unique_ptr<WebCore::RenderObject> = {...}, beforeChild=beforeChild@entry=0x7f354601ab60) at /home/fred/src-obj/WebKit/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:396
#10 0x00007f35cef3d34e in WebCore::RenderTreeBuilder::Inline::attachIgnoringContinuation(WebCore::RenderInline&, std::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) (this=<optimized out>, parent=..., child=std::unique_ptr<WebCore::RenderObject> = {...}, beforeChild=0x7f354601ab60) at /usr/include/c++/11/bits/unique_ptr.h:172
#11 0x00007f35cef3d755 in WebCore::RenderTreeBuilder::Inline::attach(WebCore::RenderInline&, std::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) (this=0x7f35ad7742b0, parent=..., child=std::unique_ptr<WebCore::RenderObject> = {...}, beforeChild=<optimized out>) at /usr/include/c++/11/tuple:454
#12 0x00007f35cef3f963 in WebCore::RenderTreeBuilder::Ruby::findOrCreateParentForStyleBasedRubyChild(WebCore::RenderElement&, WebCore::RenderObject const&, WebCore::RenderObject*&) (this=<optimized out>, parent=..., child=<optimized out>, beforeChild=@0x7ffedeaccdc8: 0x7f354601ab60) at /home/fred/src-obj/WebKit/Source/WebCore/rendering/updating/RenderTreeBuilderRuby.cpp:102
#13 0x00007f35cef310c4 in WebCore::RenderTreeBuilder::attachInternal(WebCore::RenderElement&, std::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) (this=0x7ffedeacf7f0, parent=..., child=std::unique_ptr<WebCore::RenderObject> = {...}, beforeChild=<optimized out>) at /usr/include/c++/11/bits/unique_ptr.h:173
#14 0x00007f35cef3155b in operator()(WebCore::RenderElement&) const (__closure=0x7ffedeacce90, parentCandidate=...) at /home/fred/src-obj/WebKit/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:204
#15 0x00007f35cef30cb1 in WebCore::RenderTreeBuilder::attachInternal(WebCore::RenderElement&, std::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) (this=this@entry=0x7ffedeacf7f0, parent=..., child=std::unique_ptr<WebCore::RenderObject> = {...}, beforeChild=<optimized out>, beforeChild@entry=0x7f354601ab60) at /home/fred/src-obj/WebKit/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:310
#16 0x00007f35cef31206 in WebCore::RenderTreeBuilder::attach(WebCore::RenderElement&, std::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) (this=this@entry=0x7ffedeacf7f0, parent=..., child=std::unique_ptr<WebCore::RenderObject> = {...}, beforeChild=0x7f354601ab60) at /usr/include/c++/11/bits/unique_ptr.h:172
#17 0x00007f35cef490f8 in WebCore::RenderTreeUpdater::createTextRenderer(WebCore::Text&, WebCore::Style::TextUpdate const*) (this=this@entry=0x7ffedeacf7c0, textNode=..., textUpdate=textUpdate@entry=0x7f35ad541e98) at /home/fred/src-obj/WebKit/Source/WebCore/rendering/updating/RenderTreePosition.h:45
#18 0x00007f35cef494db in WebCore::RenderTreeUpdater::updateTextRenderer(WebCore::Text&, WebCore::Style::TextUpdate const*) (this=this@entry=0x7ffedeacf7c0, text=..., textUpdate=textUpdate@entry=0x7f35ad541e98) at /home/fred/src-obj/WebKit/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:624
#19 0x00007f35cef49c6e in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) (this=this@entry=0x7ffedeacf7c0, root=<optimized out>) at /home/fred/src-obj/WebKit/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:238
#20 0x00007f35cef4a09b in WebCore::RenderTreeUpdater::commit(std::unique_ptr<WebCore::Style::Update, std::default_delete<WebCore::Style::Update> >) (this=0x7ffedeacf7c0, styleUpdate=std::unique_ptr<WebCore::Style::Update> = {...}) at /home/fred/src-obj/WebKit/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:127
#21 0x00007f35cdfad411 in WebCore::Document::updateRenderTree(std::unique_ptr<WebCore::Style::Update, std::default_delete<WebCore::Style::Update> >) (this=this@entry=0x7f3555141c00, styleUpdate=std::unique_ptr<WebCore::Style::Update> = {...}) at /usr/include/c++/11/bits/unique_ptr.h:172
#22 0x00007f35cdfe1fce in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) (this=this@entry=0x7f3555141c00, type=<optimized out>, type@entry=WebCore::Document::ResolveStyleType::Normal) at /usr/include/c++/11/bits/unique_ptr.h:172
#23 0x00007f35cdfe2475 in WebCore::Document::updateStyleIfNeeded() (this=this@entry=0x7f3555141c00) at /home/fred/src-obj/WebKit/Source/WebCore/dom/Document.cpp:2685
#24 0x00007f35cdfe25a3 in WebCore::Document::updateLayout(WTF::OptionSet<WebCore::LayoutOptions>, WebCore::Element const*) (this=0x7f3555141c00, layoutOptions=layoutOptions@entry=..., context=context@entry=0x0) at /home/fred/src-obj/WebKit/Source/WebCore/dom/Document.cpp:2729
#25 0x00007f35ce2e75f9 in WebCore::HTMLPlugInElement::renderWidgetLoadingPlugin() const (this=0x7f3546004c20) at /home/fred/src-obj/WebKit/WebKitBuild/RelWithDebInfo/WTF/Headers/wtf/OptionSet.h:93
#26 0x00007f35ce2e8ed4 in WebCore::HTMLPlugInElement::pluginWidget(WebCore::HTMLPlugInElement::PluginLoadingPolicy) const (this=<optimized out>, loadPolicy=loadPolicy@entry=WebCore::HTMLPlugInElement::PluginLoadingPolicy::Load) at /home/fred/src-obj/WebKit/Source/WebCore/html/HTMLPlugInElement.cpp:119
#27 0x00007f35ce2e908a in WebCore::HTMLPlugInElement::bindingsInstance() (this=this@entry=0x7f3546004c20) at /home/fred/src-obj/WebKit/Source/WebCore/html/HTMLPlugInElement.cpp:111
#28 0x00007f35cdc37c19 in WebCore::pluginScriptObject(JSC::JSGlobalObject*, WebCore::JSHTMLElement*) (lexicalGlobalObject=lexicalGlobalObject@entry=0x7f355500c088, jsHTMLElement=jsHTMLElement@entry=0x7f35ad0bce08) at /home/fred/src-obj/WebKit/Source/WebCore/bindings/js/JSPluginElementFunctions.cpp:61
#29 0x00007f35cdc37cac in WebCore::pluginElementCustomGetOwnPropertySlot(WebCore::JSHTMLElement*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::PropertySlot&) (element=element@entry=0x7f35ad0bce08, lexicalGlobalObject=lexicalGlobalObject@entry=0x7f355500c088, propertyName=..., slot=...) at /home/fred/src-obj/WebKit/Source/WebCore/bindings/js/JSPluginElementFunctions.cpp:102

attachToRenderElementInternal is called with the following bad configuration:

(rr) reverse-finish
...
RUBY RenderBlock at (-47.20,663.42) size 792.70x1 renderer (0x7f354601a160) layout box ((nil)) node (0x7f3546005d40) (layout overflow -24.56,0 817.27x234.20) (visual overflow -24.56,0 817.27x224.20) layout->[self][normal child]
[parent]------->RenderInline renderer (0x7f354601a610) layout box ((nil)) layout->[self][normal child]
RenderInline renderer (0x7f354601a6b0) layout box ((nil)) layout->[self][normal child]
RenderInline renderer (0x7f354601c460) layout box ((nil)) layout->[self][normal child]
#text RenderText renderer (0x7f354601c5e0) layout box ((nil)) node (0x7f3546005e80) length->(1) "\n" layout->[self]
RenderInline renderer (0x7f354601a750) layout box ((nil)) layout->[self][normal child]
#text RenderText renderer (0x7f3546017f20) layout box ((nil)) node (0x7f3546006100) length->(1) "\n" layout->[self]
TIME RenderInline renderer (0x7f354601a900) layout box ((nil)) node (0x7f3546006220) continuation->(0x7f354601a9a0) layout->[self][normal child]
#text RenderText renderer (0x7f354601a530) layout box ((nil)) node (0x7f3546006160) length->(1) "\n" layout->[self]
[beforeChild]-->#text RenderText renderer (0x7f354601ab60) layout box ((nil)) node (0x7f3546006510) length->(1) "\n" layout->[self]
#text RenderText renderer (0x7f354601b5a0) layout box ((nil)) node (0x7f35460065d0) length->(1) "\n" layout->[self]
#text RenderText renderer (0x7f354601b940) layout box ((nil)) node (0x7f3546006770) length->(1) "\n" layout->[self]
#text RenderText renderer (0x7f354601c310) layout box ((nil)) node (0x7f3546006e50) length->(1) "\n" layout->[self]
#text RenderText renderer (0x7f354601c570) layout box ((nil)) node (0x7f3546007060) length->(1) "\n" layout->[self]
TIME RenderInline renderer (0x7f354601a9a0) layout box ((nil)) node (0x7f3546006220) layout->[self]

Going further up, the inserted child is actually an anonymous rubyBase created by findOrCreateParentForStyleBasedRubyChild.

(rr) finish
...
(rr) rn
(rr) p showRenderTree(rubyBase.get())
I---YG----- --* RenderInline renderer (0x7f354601b240) layout box ((nil))

Going even further up, this is happening in RenderTreeBuilder::attachInternal for the following case:

    if (parent.style().display() == DisplayType::Ruby || parent.style().display() == DisplayType::RubyBlock) {
        auto& parentCandidate = rubyBuilder().findOrCreateParentForStyleBasedRubyChild(parent, *child, beforeChild);
        if (&parentCandidate == &parent) {
            rubyBuilder().attachForStyleBasedRuby(parentCandidate, WTFMove(child), beforeChild);
            return;
        }
        insertRecursiveIfNeeded(parentCandidate);
        return;
    }

The parent is a RubyBlock and findOrCreateParentForStyleBasedRubyChild returns the first child as the parentCandidate.
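The invariant comment 2 describes (every child of a DisplayType::RubyBlock container is an anonymous DisplayType::Ruby wrapper, so a beforeChild must sit under one of those wrappers) and the failure mode it leads to (anonymous-wrapper cleanup on a subtree that was never attached) can be checked explicitly rather than assumed. The following is an added example written for this page; it is not WebKit code and not the fix landed for bug 268770. It models the render tree with a hypothetical `Node` type, and `rubyBlockChildrenAreWrapped`, `findWrapperContaining` and `safeToCleanUpAnonymousWrappers` are hypothetical helper names. The two trees it builds are constructed to mirror the dump above (a RubyBlock whose direct children are plain RenderInline/RenderText renderers) and a well-formed block-ruby subtree.

```cpp
// Added example, not WebKit code: a minimal render-tree model that validates
// the block-ruby wrapping invariant instead of assuming it, and refuses
// anonymous-wrapper cleanup on a detached renderer. All names are hypothetical.
#include <memory>
#include <vector>

enum class DisplayType { Block, Inline, Text, RubyBlock, Ruby, RubyBase };

struct Node {
    DisplayType display;
    bool isAnonymous;                          // true for builder-generated wrappers
    Node* parent = nullptr;                    // null means "not attached anywhere"
    std::vector<std::unique_ptr<Node>> children;

    Node(DisplayType d, bool anonymous) : display(d), isAnonymous(anonymous) {}

    Node* appendChild(DisplayType d, bool anonymous = false) {
        children.push_back(std::make_unique<Node>(d, anonymous));
        children.back()->parent = this;
        return children.back().get();
    }
};

// A renderer is attached iff following parent pointers reaches `root`.
bool isAttachedTo(const Node* node, const Node* root) {
    for (const Node* n = node; n; n = n->parent)
        if (n == root) return true;
    return false;
}

// css-ruby-1 block ruby as the report states it: every child of a RubyBlock
// must be an anonymous DisplayType::Ruby wrapper.
bool rubyBlockChildrenAreWrapped(const Node& rubyBlock) {
    if (rubyBlock.display != DisplayType::RubyBlock) return true;
    for (const auto& child : rubyBlock.children)
        if (!(child->isAnonymous && child->display == DisplayType::Ruby)) return false;
    return true;
}

// Candidate-parent lookup that proves its answer: the Ruby wrapper that
// actually contains beforeChild, or nullptr when beforeChild is not under any
// wrapper (the configuration in the dump, where it is a direct RenderText child).
const Node* findWrapperContaining(const Node& rubyBlock, const Node* beforeChild) {
    for (const auto& wrapper : rubyBlock.children) {
        if (wrapper->display == DisplayType::Ruby && isAttachedTo(beforeChild, wrapper.get()))
            return wrapper.get();
    }
    return nullptr;
}

// Guard for wrapper cleanup: only a renderer still reachable from the tree
// root may have its anonymous ancestors inspected and destroyed.
bool safeToCleanUpAnonymousWrappers(const Node& rendererToDestroy, const Node& root) {
    return isAttachedTo(&rendererToDestroy, &root);
}

// Constructed tree mirroring the bad configuration: RubyBlock with direct
// inline and text children and no Ruby wrapper. All three checks must fail closed.
bool reportConfigurationIsRejected() {
    Node root(DisplayType::Block, false);
    Node* rubyBlock = root.appendChild(DisplayType::RubyBlock);
    rubyBlock->appendChild(DisplayType::Inline);                    // [parent] RenderInline
    rubyBlock->appendChild(DisplayType::Inline);                    // TIME RenderInline
    Node* beforeChild = rubyBlock->appendChild(DisplayType::Text);  // [beforeChild] "\n"

    bool invariantBroken = !rubyBlockChildrenAreWrapped(*rubyBlock);
    bool noWrapper = findWrapperContaining(*rubyBlock, beforeChild) == nullptr;

    // A rubyBase created for this insertion but never attached to the tree.
    Node detachedRubyBase(DisplayType::RubyBase, true);
    bool cleanupRefused = !safeToCleanUpAnonymousWrappers(detachedRubyBase, root);
    return invariantBroken && noWrapper && cleanupRefused;
}

// Constructed well-formed tree: RubyBlock -> anonymous Ruby -> RubyBase -> text.
bool wellFormedConfigurationIsAccepted() {
    Node root(DisplayType::Block, false);
    Node* rubyBlock = root.appendChild(DisplayType::RubyBlock);
    Node* wrapper = rubyBlock->appendChild(DisplayType::Ruby, true);
    Node* base = wrapper->appendChild(DisplayType::RubyBase, true);
    Node* text = base->appendChild(DisplayType::Text);

    return rubyBlockChildrenAreWrapped(*rubyBlock)
        && findWrapperContaining(*rubyBlock, text) == wrapper
        && safeToCleanUpAnonymousWrappers(*text, root);
}
```

The point of `findWrapperContaining` is that it returns the wrapper only when beforeChild is provably inside it, whereas the lookup in the report returns the first child unconditionally; `safeToCleanUpAnonymousWrappers` is the check a builder would run before walking `destroyRoot`'s parent chain, since on a detached subtree that chain ends at a null parent rather than the tree root.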
Frédéric Wang (:fredw)
Comment 3 2024-04-10 04:19:07 PDT
*** This bug has been marked as a duplicate of bug 268770 ***