Bug 271903

Summary: ASAN_TRAP | WebCore::RenderObject::destroy; WebCore::Document::destroyRenderTree; WebCore::Document::willBeRemovedFromFrame
Product: WebKit
Reporter: John Wilander <wilander>
Component: Layout and Rendering
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE
Severity: Normal
CC: abifox, bfulgham, cgarcia, csaavedra, fred.wang, gpoo, koivisto, mikhail, msaboff, pgriffis, rbuis, simon.fraser, webkit-bug-importer, xan.lopez, zalan, zdobersek
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
See Also: https://bugs.webkit.org/show_bug.cgi?id=268770

John Wilander
Reported 2024-03-29 12:40:11 PDT
Created attachment 470668: Repro case
<rdar://125184036>
See attached repro case.
Attachments
Repro case (412 bytes, text/html)
2024-03-29 12:40 PDT, John Wilander
no flags
Frédéric Wang (:fredw)
Comment 1 2024-04-02 01:45:06 PDT
TL;DR: This is similar to what is described in bug 268770 (I remember finding the same backtrace when trying to reduce the testcase from bug 268770), but with a RenderInline ruby split into multiple continuations because of forced line breaks caused by block descendants.

RELEASE_ASSERT(!m_previous) fails in WebCore::RenderObject::destroy, with a misparented m_previous. It was badly attached in RenderTreeBuilder::Ruby::attachForStyleBasedRuby with the following bad configuration:

RenderView at (0,0) size 800x600 renderer (0x7f75960007a0) layout box ((nil)) layout->[normal child]
HTML RenderBlock at (0,0) size 800x600 renderer (0x7f75960015e0) layout box ((nil)) node (0x7f75960010e0) layout->[normal child]
BODY RenderBody at (8,8) size 784x584 renderer (0x7f75960017f0) layout box ((nil)) node (0x7f7596001230) layout->[self][normal child]
RenderBlock at (0,0) size 0x0 renderer (0x7f7596005820) layout box ((nil)) layout->[self][normal child]
#text RenderText renderer (0x7f7596005ae0) layout box ((nil)) node (0x7f75960050e0) length->(3) "\n\n\n" layout->[self]
[parent]------------->RUBY RenderInline renderer (0x7f7596006f10) layout box ((nil)) node (0x7f7596005140) continuation->(0x7f7596005e00) layout->[self][normal child]
RenderInline renderer (0x7f7596007130) layout box ((nil)) layout->[self][normal child]
RenderInline renderer (0x7f7596005420) layout box ((nil)) layout->[self][normal child]
#text RenderText renderer (0x7f7596007df0) layout box ((nil)) node (0x7f75960044d0) length->(1) "\n" layout->[self]
OUTPUT RenderInline renderer (0x7f75960054c0) layout box ((nil)) node (0x7f7596004650) continuation->(0x7f7596005730) layout->[self][normal child]
#text RenderText renderer (0x7f7596005560) layout box ((nil)) node (0x7f7596004710) length->(1) "\n" layout->[self]
RenderInline renderer (0x7f7596005ea0) layout box ((nil)) layout->[self][normal child]
#text RenderText renderer (0x7f75960055d0) layout box ((nil)) node (0x7f7596004e90) length->(1) "\n" layout->[self]
OBJECT RenderEmbeddedObject at (0,0) size 0x0 renderer (0x7f7596005b50) layout box ((nil)) node (0x7f7596004f50) layout->[self]
RenderBlock at (0,0) size 0x0 renderer (0x7f7596005730) layout box ((nil)) continuation->(0x7f7596005c80) layout->[self][normal child]
DETAILS RenderBlock at (0,0) size 0x0 renderer (0x7f7596005640) layout box ((nil)) node (0x7f7596004830) layout->[self][normal child]
SUMMARY RenderBlock at (0,0) size 0x0 renderer (0x7f7596007270) layout box ((nil)) node (0x7f7596004a50) layout->[self][normal child]
DIV RenderDetailsMarker at (0,0) size 0x0 renderer (0x7f7596005910) layout box ((nil)) node (0x7f7596004c30) layout->[self]
RenderBlock at (0,0) size 0x0 renderer (0x7f7596005f40) layout box ((nil)) layout->[self][normal child]
RUBY RenderInline renderer (0x7f7596005e00) layout box ((nil)) node (0x7f7596005140) continuation->(0x7f75960076d0) layout->[self][normal child]
OUTPUT RenderInline renderer (0x7f7596005c80) layout box ((nil)) node (0x7f7596004650) layout->[self]
RUBY RenderInline renderer (0x7f75960076d0) layout box ((nil)) node (0x7f7596005140) layout->[self][normal child]
RenderInline renderer (0x7f7596007f50) layout box ((nil))
[beforeChild]------------>#text RenderText renderer (0x7f7596007d80) layout box ((nil)) node (0x7f75960052e0) length->(1) "\n"

In debug mode, this would cause ASSERT(!beforeChild || beforeChild->parent() == &parent); to be hit in RenderTreeBuilder::attachToRenderElementInternal.

More debugging details below.

*******************************************************************************

The backtrace with the original assert is

Thread 1 received signal SIGSEGV, Segmentation fault.
0x00007f761e25fe44 in WTFCrash () at /home/fred/src-obj/WebKit/Source/WTF/wtf/Assertions.cpp:333
333         *(int *)(uintptr_t)0xbbadbeef = 0;
(rr) bt
#0  0x00007f761e25fe44 in WTFCrash() () at /home/fred/src-obj/WebKit/Source/WTF/wtf/Assertions.cpp:333
#1  0x00007f7621bceb8c in WTFCrashWithInfo(int, char const*, char const*, int) () at /home/fred/src-obj/WebKit/WebKitBuild/RelWithDebInfo/WTF/Headers/wtf/Assertions.h:778
#2  WebCore::RenderObject::destroy() (this=0x7f75960007a0) at /home/fred/src-obj/WebKit/Source/WebCore/rendering/RenderObject.cpp:1834
#3  0x00007f7620e39003 in WebCore::Document::destroyRenderTree() (this=this@entry=0x7f75ae141c00) at /home/fred/src-obj/WebKit/Source/WebCore/dom/Document.cpp:3116
#4  0x00007f7620e63265 in WebCore::Document::willBeRemovedFromFrame() (this=this@entry=0x7f75ae141c00) at /home/fred/src-obj/WebKit/Source/WebCore/dom/Document.cpp:3171
#5  0x00007f76215a45a6 in WebCore::LocalFrame::setView(WTF::RefPtr<WebCore::LocalFrameView, WTF::RawPtrTraits<WebCore::LocalFrameView>, WTF::DefaultRefDerefTraits<WebCore::LocalFrameView> >&&) (this=this@entry=0x7f75fe0bc240, view=...) at /home/fred/src-obj/WebKit/Source/WebCore/page/LocalFrame.cpp:264
#6  0x00007f76215c1ceb in WebCore::LocalFrame::createView(WebCore::IntSize const&, std::optional<WebCore::Color> const&, WebCore::IntSize const&, WebCore::IntRect const&, bool, WebCore::ScrollbarMode, bool, WebCore::ScrollbarMode, bool) (this=this@entry=0x7f75fe0bc240, viewportSize=..., backgroundColor=std::optional<WebCore::Color> [no contained value], fixedLayoutSize=..., fixedVisibleContentRect=..., useFixedLayout=useFixedLayout@entry=false, horizontalScrollbarMode=WebCore::ScrollbarMode::Auto, horizontalLock=false, verticalScrollbarMode=WebCore::ScrollbarMode::Auto, verticalLock=false) at /home/fred/src-obj/WebKit/Source/WebCore/page/LocalFrame.cpp:928
#7  0x00007f761fb97f1f in WebKit::WebLocalFrameLoaderClient::transitionToCommittedForNewPage() (this=0x7f75fe035710) at /home/fred/src-obj/WebKit/Source/WebKit/WebProcess/WebPage/WebPage.h:442
#8  0x00007f7621473382 in WebCore::FrameLoader::transitionToCommitted(WebCore::CachedPage*) (this=this@entry=0x7f75fe0ec1a0, cachedPage=cachedPage@entry=0x0) at /home/fred/src-obj/WebKit/Source/WebCore/loader/FrameLoader.cpp:2395
#9  0x00007f762147353f in WebCore::FrameLoader::transitionToCommitted(WebCore::CachedPage*) (cachedPage=0x0, this=0x7f75fe0ec1a0) at /home/fred/src-obj/WebKit/Source/WebCore/loader/FrameLoader.cpp:2314
#10 WebCore::FrameLoader::commitProvisionalLoad() (this=0x7f75fe0ec1a0) at /home/fred/src-obj/WebKit/Source/WebCore/loader/FrameLoader.cpp:2199
#11 0x00007f7621448747 in WebCore::DocumentLoader::commitIfReady() (this=0x7f75ae0b2c00) at /home/fred/src-obj/WebKit/Source/WebCore/loader/DocumentLoader.cpp:417
#12 WebCore::DocumentLoader::commitIfReady() (this=0x7f75ae0b2c00) at /home/fred/src-obj/WebKit/Source/WebCore/loader/DocumentLoader.cpp:413
#13 WebCore::DocumentLoader::finishedLoading() (this=0x7f75ae0b2c00) at /home/fred/src-obj/WebKit/Source/WebCore/loader/DocumentLoader.cpp:488
#14 0x00007f7621448cc8 in WebCore::DocumentLoader::maybeLoadEmpty() (this=this@entry=0x7f75ae0b2c00) at /home/fred/src-obj/WebKit/Source/WebCore/loader/DocumentLoader.cpp:2071
#15 0x00007f762144c0c0 in WebCore::DocumentLoader::startLoadingMainResource() (this=0x7f75ae0b2c00) at /home/fred/src-obj/WebKit/Source/WebCore/loader/DocumentLoader.cpp:2132
#16 0x00007f7621464036 in operator() (__closure=<optimized out>) at /home/fred/src-obj/WebKit/Source/WebCore/loader/FrameLoader.cpp:3883
#17 WTF::Detail::CallableWrapper<WebCore::FrameLoader::continueLoadAfterNavigationPolicy(const WebCore::ResourceRequest&, WebCore::FormState*, WebCore::NavigationPolicyDecision, WebCore::AllowNavigationToInvalidURL)::<lambda()>, void>::call(void) (this=<optimized out>) at /home/fred/src-obj/WebKit/WebKitBuild/RelWithDebInfo/WTF/Headers/wtf/Function.h:53
#18 0x00007f761f667e99 in WTF::Function<void ()>::operator()() const (this=<optimized out>) at /home/fred/src-obj/WebKit/WebKitBuild/RelWithDebInfo/WTF/Headers/wtf/Function.h:82
#19 WTF::CompletionHandler<void ()>::operator()() (this=<optimized out>) at /home/fred/src-obj/WebKit/WebKitBuild/RelWithDebInfo/WTF/Headers/wtf/CompletionHandler.h:75
#20 0x00007f7621474d6b in WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WebCore::FormState*, WebCore::NavigationPolicyDecision, WebCore::AllowNavigationToInvalidURL) (this=0x7f75fe0ec1a0, request=<optimized out>, formState=0x0, navigationPolicyDecision=<optimized out>, allowNavigationToInvalidURL=<optimized out>) at /home/fred/src-obj/WebKit/Source/WebCore/loader/FrameLoader.cpp:3887
#21 0x00007f762147c9a7 in operator() (navigationPolicyDecision=<optimized out>, formState=<optimized out>, request=<optimized out>, __closure=0x7f75fe0e49f8) at /home/fred/src-obj/WebKit/Source/WebCore/loader/FrameLoader.cpp:1773
#22 WTF::Detail::CallableWrapper<WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::RefPtr<WebCore::FormState>&&, WebCore::AllowNavigationToInvalidURL, WTF::CompletionHandler<void()>&&)::<lambda(const WebCore::ResourceRequest&, WTF::WeakPtr<WebCore::FormState, WTF::DefaultWeakPtrImpl, WTF::RawPtrTraits<WTF::DefaultWeakPtrImpl> >&&, WebCore::NavigationPolicyDecision)>, void, WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState, WTF::DefaultWeakPtrImpl, WTF::RawPtrTraits<WTF::DefaultWeakPtrImpl> >&&, WebCore::NavigationPolicyDecision>::call(WebCore::ResourceRequest &&, WTF::WeakPtr<WebCore::FormState, WTF::DefaultWeakPtrImpl, WTF::RawPtrTraits<WTF::DefaultWeakPtrImpl> > &&, WebCore::NavigationPolicyDecision) (this=0x7f75fe0e49f0, in#0=<optimized out>, in#1=<optimized out>, in#2=<optimized out>) at /home/fred/src-obj/WebKit/WebKitBuild/RelWithDebInfo/WTF/Headers/wtf/Function.h:53
#23 0x00007f76214a9b3c in WTF::Function<void (WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState, WTF::DefaultWeakPtrImpl, WTF::RawPtrTraits<WTF::DefaultWeakPtrImpl> >&&, WebCore::NavigationPolicyDecision)>::operator()(WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState, WTF::DefaultWeakPtrImpl, WTF::RawPtrTraits<WTF::DefaultWeakPtrImpl> >&&, WebCore::NavigationPolicyDecision) const (in#2=WebCore::NavigationPolicyDecision::ContinueLoad, in#1=..., in#0=..., this=<optimized out>) at /home/fred/src-obj/WebKit/WebKitBuild/RelWithDebInfo/WTF/Headers/wtf/Function.h:79
#24 WTF::CompletionHandler<void (WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState, WTF::DefaultWeakPtrImpl, WTF::RawPtrTraits<WTF::DefaultWeakPtrImpl> >&&, WebCore::NavigationPolicyDecision)>::operator()(WebCore::ResourceRequest&&, WTF::WeakPtr<WebCore::FormState, WTF::DefaultWeakPtrImpl, WTF::RawPtrTraits<WTF::DefaultWeakPtrImpl> >&&, WebCore::NavigationPolicyDecision) (in#2=WebCore::NavigationPolicyDecision::ContinueLoad, in#1=..., in#0=..., this=0x7f75fe137a98) at /home/fred/src-obj/WebKit/WebKitBuild/RelWithDebInfo/WTF/Headers/wtf/CompletionHandler.h:75
#25 operator()(WebCore::PolicyAction) (__closure=0x7f75fe137a88, policyAction=<optimized out>) at /home/fred/src-obj/WebKit/Source/WebCore/loader/PolicyChecker.cpp:246
#26 0x00007f761fbccc65 in WTF::Function<void (WebCore::PolicyAction)>::operator()(WebCore::PolicyAction) const (in#0=<optimized out>, this=<optimized out>) at /home/fred/src-obj/WebKit/WebKitBuild/RelWithDebInfo/WTF/Headers/wtf/Function.h:79
#27 WTF::CompletionHandler<void (WebCore::PolicyAction)>::operator()(WebCore::PolicyAction) (in#0=<optimized out>, this=0x7ffc1f0472f8) at /home/fred/src-obj/WebKit/WebKitBuild/RelWithDebInfo/WTF/Headers/wtf/CompletionHandler.h:75
#28 WebKit::WebFrame::didReceivePolicyDecision(unsigned long, WebKit::PolicyDecision&&) (this=<optimized out>, listenerID=<optimized out>, policyDecision=...) at /home/fred/src-obj/WebKit/Source/WebKit/WebProcess/WebPage/WebFrame.cpp:518
#29 0x00007f761fb88ddb in std::__invoke_impl<void, WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction(const WebCore::NavigationAction&, const WebCore::ResourceRequest&, const WebCore::ResourceResponse&, WebCore::FormState*, const WTF::String&, uint64_t, std::optional<WebCore::HitTestResult>&&, bool, WebCore::SandboxFlags, WebCore::PolicyDecisionMode, WebCore::FramePolicyFunction&&)::<lambda(WebKit::PolicyDecision&&)>, WebKit::PolicyDecision> (__f=...) at /usr/include/c++/11/bits/invoke.h:60
#30 std::__invoke<WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction(const WebCore::NavigationAction&, const WebCore::ResourceRequest&, const WebCore::ResourceResponse&, WebCore::FormState*, const WTF::String&, uint64_t, std::optional<WebCore::HitTestResult>&&, bool, WebCore::SandboxFlags, WebCore::PolicyDecisionMode, WebCore::FramePolicyFunction&&)::<lambda(WebKit::PolicyDecision&&)>, WebKit::PolicyDecision> (__fn=...) at /usr/include/c++/11/bits/invoke.h:96
#31 std::__apply_impl<WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction(const WebCore::NavigationAction&, const WebCore::ResourceRequest&, const WebCore::ResourceResponse&, WebCore::FormState*, const WTF::String&, uint64_t, std::optional<WebCore::HitTestResult>&&, bool, WebCore::SandboxFlags, WebCore::PolicyDecisionMode, WebCore::FramePolicyFunction&&)::<lambda(WebKit::PolicyDecision&&)>, std::tuple<WebKit::PolicyDecision>, 0> (__t=..., __f=...) at /usr/include/c++/11/tuple:1854
#32 std::apply<WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction(const WebCore::NavigationAction&, const WebCore::ResourceRequest&, const WebCore::ResourceResponse&, WebCore::FormState*, const WTF::String&, uint64_t, std::optional<WebCore::HitTestResult>&&, bool, WebCore::SandboxFlags, WebCore::PolicyDecisionMode, WebCore::FramePolicyFunction&&)::<lambda(WebKit::PolicyDecision&&)>, std::tuple<WebKit::PolicyDecision> > (__t=..., __f=...) at /usr/include/c++/11/tuple:1865
#33 IPC::Connection::callReply<Messages::WebPageProxy::DecidePolicyForNavigationActionAsync, WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction(const WebCore::NavigationAction&, const WebCore::ResourceRequest&, const WebCore::ResourceResponse&, WebCore::FormState*, const WTF::String&, uint64_t, std::optional<WebCore::HitTestResult>&&, bool, WebCore::SandboxFlags, WebCore::PolicyDecisionMode, WebCore::FramePolicyFunction&&)::<lambda(WebKit::PolicyDecision&&)> > (completionHandler=..., decoder=<optimized out>) at /home/fred/src-obj/WebKit/Source/WebKit/Platform/IPC/Connection.h:761
#34 operator() (decoder=<optimized out>, __closure=0x7f75fe1980c8) at /home/fred/src-obj/WebKit/Source/WebKit/Platform/IPC/Connection.h:744
#35 WTF::Detail::CallableWrapper<IPC::Connection::makeAsyncReplyHandler<Messages::WebPageProxy::DecidePolicyForNavigationActionAsync, WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction(const WebCore::NavigationAction&, const WebCore::ResourceRequest&, const WebCore::ResourceResponse&, WebCore::FormState*, const WTF::String&, uint64_t, std::optional<WebCore::HitTestResult>&&, bool, WebCore::SandboxFlags, WebCore::PolicyDecisionMode, WebCore::FramePolicyFunction&&)::<lambda(WebKit::PolicyDecision&&)> >(WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction(const WebCore::NavigationAction&, const WebCore::ResourceRequest&, const WebCore::ResourceResponse&, WebCore::FormState*, const WTF::String&, uint64_t, std::optional<WebCore::HitTestResult>&&, bool, WebCore::SandboxFlags, WebCore::PolicyDecisionMode, WebCore::FramePolicyFunction&&)::<lambda(WebKit::PolicyDecision&&)>&&, WTF::ThreadLikeAssertion)::<lambda(IPC::Decoder*)>, void, IPC::Decoder*>::call(IPC::Decoder *) (this=0x7f75fe1980c0, in#0=<optimized out>) at /home/fred/src-obj/WebKit/WebKitBuild/RelWithDebInfo/WTF/Headers/wtf/Function.h:53
#36 0x00007f761f8041d1 in WTF::Function<void (IPC::Decoder*)>::operator()(IPC::Decoder*) const (in#0=0x7f75fe18c180, this=<optimized out>) at /home/fred/src-obj/WebKit/WebKitBuild/RelWithDebInfo/WTF/Headers/wtf/Function.h:79
#37 WTF::CompletionHandler<void (IPC::Decoder*)>::operator()(IPC::Decoder*) (in#0=0x7f75fe18c180, this=0x7ffc1f0474f0) at /home/fred/src-obj/WebKit/WebKitBuild/RelWithDebInfo/WTF/Headers/wtf/CompletionHandler.h:75
#38 IPC::Connection::dispatchMessage(IPC::Decoder&) (this=0x7f75fe02c340, decoder=...) at /home/fred/src-obj/WebKit/Source/WebKit/Platform/IPC/Connection.cpp:1226
#39 0x00007f761f804375 in IPC::Connection::dispatchMessage(WTF::UniqueRef<IPC::Decoder>) (this=0x7f75fe02c340, message=...) at /home/fred/src-obj/WebKit/Source/WebKit/Platform/IPC/Connection.cpp:1292
#40 0x00007f761f806190 in IPC::Connection::dispatchMessage(WTF::UniqueRef<IPC::Decoder>) (message=..., this=0x7f75fe02c340) at /home/fred/src-obj/WebKit/Source/WebKit/Platform/IPC/Connection.cpp:1249
#41 IPC::Connection::dispatchOneIncomingMessage() (this=0x7f75fe02c340) at /home/fred/src-obj/WebKit/Source/WebKit/Platform/IPC/Connection.cpp:1357
#42 0x00007f761e2914a2 in WTF::Function<void ()>::operator()() const (this=<synthetic pointer>) at /home/fred/src-obj/WebKit/Source/WTF/wtf/Function.h:79
#43 WTF::RunLoop::performWork() (this=0x7f75fe0140e0) at /home/fred/src-obj/WebKit/Source/WTF/wtf/RunLoop.cpp:147
#44 0x00007f761e2f156d in operator() (userData=<optimized out>, __closure=0x0) at /home/fred/src-obj/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:80
#45 _FUN(gpointer) () at /home/fred/src-obj/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:82
#46 0x00007f761e2f1ec3 in operator() (__closure=0x0, userData=0x7f75fe0140e0, callback=0x7f761e2f1560 <_FUN(gpointer)>, source=0x55ab05cc7450) at /home/fred/src-obj/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:53
#47 _FUN(GSource*, GSourceFunc, gpointer) () at /home/fred/src-obj/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:56
#48 0x00007f761ab38c44 in g_main_context_dispatch () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#49 0x00007f761ab8e258 in () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#50 0x00007f761ab382b3 in g_main_loop_run () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#51 0x00007f761e2f2010 in WTF::RunLoop::run() () at /home/fred/src-obj/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:108
#52 0x00007f761fc21a68 in WebKit::AuxiliaryProcessMainBase<WebKit::WebProcess, true>::run(int, char**) (argc=4, argv=0x7ffc1f0478c8, this=0x7ffc1f047740) at /home/fred/src-obj/WebKit/Source/WebKit/Shared/AuxiliaryProcessMain.h:72
#53 WebKit::AuxiliaryProcessMainBase<WebKit::WebProcess, true>::run(int, char**) (argv=0x7ffc1f0478c8, argc=4, this=0x7ffc1f047740) at /home/fred/src-obj/WebKit/Source/WebKit/Shared/AuxiliaryProcessMain.h:59
#54 WebKit::AuxiliaryProcessMain<WebKit::WebProcessMainGtk>(int, char**) (argc=4, argv=0x7ffc1f0478c8) at /home/fred/src-obj/WebKit/Source/WebKit/Shared/AuxiliaryProcessMain.h:98
#55 0x00007f761e946d90 in __libc_start_call_main (main=main@entry=0x55ab03cf1060 <main(int, char**)>, argc=argc@entry=4, argv=argv@entry=0x7ffc1f0478c8) at ../sysdeps/nptl/libc_start_call_main.h:58
#56 0x00007f761e946e40 in __libc_start_main_impl (main=0x55ab03cf1060 <main(int, char**)>, argc=4, argv=0x7ffc1f0478c8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffc1f0478b8) at ../csu/libc-start.c:392
#57 0x000055ab03cf1095 in _start ()

It happens with a misparented m_previous:

(rr) reverse-finish
...
1836        RELEASE_ASSERT(!m_previous);
(rr) p m_previous.get()
$1 = (WebCore::RenderObject *) 0x7f7596006fb0
(rr) p showRenderTree($1)
(B)lock/(I)nline/I(N)line-block, (A)bsolute/Fi(X)ed/(R)elative/Stic(K)y, (F)loating, (O)verflow clip, Anon(Y)mous, (G)enerated, has(L)ayer, hasLayer(S)crollableArea, (C)omposited, Content-visibility:(H)idden/(A)uto, (S)kipped content, (+)Dirty style, (+)Dirty layout
I---YG----- -+* RenderInline renderer (0x7f7596006fb0) layout box ((nil)) layout->[self]

The parent of m_previous was initially set via the following backtrace:

(rr) watch -l $1->m_parent
(rr) rc
Thread 1 hit Hardware watchpoint 1: -location $1->m_parent
New value = {m_impl = {m_ptr = 0x7f75fe1b6070}}
Old value = {m_impl = {m_ptr = 0x0}}
(rr) bt
#0  0x00007f7621bc95f7 in std::swap<WTF::SingleThreadWeakPtrImpl*>(WTF::SingleThreadWeakPtrImpl*&, WTF::SingleThreadWeakPtrImpl*&) (__b=<synthetic pointer>: <optimized out>, __a=@0x7f7596006fd0: 0x0) at /usr/include/c++/11/bits/move.h:205
#1  WTF::RawPtrTraits<WTF::SingleThreadWeakPtrImpl>::swap(WTF::SingleThreadWeakPtrImpl*&, WTF::SingleThreadWeakPtrImpl*&) (b=<synthetic pointer>: <optimized out>, a=@0x7f7596006fd0: 0x0) at /home/fred/src-obj/WebKit/WebKitBuild/RelWithDebInfo/WTF/Headers/wtf/RawPtrTraits.h:43
#2  WTF::RefPtr<WTF::SingleThreadWeakPtrImpl, WTF::RawPtrTraits<WTF::SingleThreadWeakPtrImpl>, WTF::DefaultRefDerefTraits<WTF::SingleThreadWeakPtrImpl> >::swap<WTF::SingleThreadWeakPtrImpl, WTF::RawPtrTraits<WTF::SingleThreadWeakPtrImpl>, WTF::DefaultRefDerefTraits<WTF::SingleThreadWeakPtrImpl> >(WTF::RefPtr<WTF::SingleThreadWeakPtrImpl, WTF::RawPtrTraits<WTF::SingleThreadWeakPtrImpl>, WTF::DefaultRefDerefTraits<WTF::SingleThreadWeakPtrImpl> >&) (o=<synthetic pointer>..., this=0x7f7596006fd0) at /home/fred/src-obj/WebKit/WebKitBuild/RelWithDebInfo/WTF/Headers/wtf/RefPtr.h:189
#3  WTF::RefPtr<WTF::SingleThreadWeakPtrImpl, WTF::RawPtrTraits<WTF::SingleThreadWeakPtrImpl>, WTF::DefaultRefDerefTraits<WTF::SingleThreadWeakPtrImpl> >::operator=(WTF::RefPtr<WTF::SingleThreadWeakPtrImpl, WTF::RawPtrTraits<WTF::SingleThreadWeakPtrImpl>, WTF::DefaultRefDerefTraits<WTF::SingleThreadWeakPtrImpl> >&&) (o=<optimized out>, this=0x7f7596006fd0) at /home/fred/src-obj/WebKit/WebKitBuild/RelWithDebInfo/WTF/Headers/wtf/RefPtr.h:163
#4  WTF::WeakPtr<WebCore::RenderElement, WTF::SingleThreadWeakPtrImpl, WTF::RawPtrTraits<WTF::SingleThreadWeakPtrImpl> >::operator=(WTF::WeakPtr<WebCore::RenderElement, WTF::SingleThreadWeakPtrImpl, WTF::RawPtrTraits<WTF::SingleThreadWeakPtrImpl> >&&) (this=0x7f7596006fd0) at /home/fred/src-obj/WebKit/WebKitBuild/RelWithDebInfo/WTF/Headers/wtf/WeakPtr.h:41
#5  WebCore::RenderObject::setParent(WebCore::RenderElement*) (this=0x7f7596006fb0, parent=<optimized out>) at /home/fred/src-obj/WebKit/Source/WebCore/rendering/RenderObject.cpp:332
#6  0x00007f7621b0daef in WebCore::RenderElement::attachRendererInternal(std::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) (this=this@entry=0x7f7596006f10, child=std::unique_ptr<WebCore::RenderObject> = {...}, beforeChild=0x7f75960007a0) at /usr/include/c++/11/bits/unique_ptr.h:173
#7  0x00007f7621d46d6c in WebCore::RenderTreeBuilder::attachToRenderElementInternal(WebCore::RenderElement&, std::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*, WebCore::RenderObject::IsInternalMove) (this=0x7ffc1f046f50, parent=..., child=std::unique_ptr<WebCore::RenderObject> = {...}, beforeChild=<optimized out>, beforeChild@entry=0x7f75960007a0, isInternalMove=WebCore::RenderObject::IsInternalMove::No) at /usr/include/c++/11/bits/unique_ptr.h:172
#8  0x00007f7621d47427 in WebCore::RenderTreeBuilder::attachToRenderElementInternal(WebCore::RenderElement&, std::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*, WebCore::RenderObject::IsInternalMove) (this=<optimized out>, parent=..., child=std::unique_ptr<WebCore::RenderObject> = {...}, beforeChild=beforeChild@entry=0x7f75960007a0, isInternalMove=isInternalMove@entry=WebCore::RenderObject::IsInternalMove::No) at /home/fred/src-obj/WebKit/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:465
#9  0x00007f7621d55c18 in WebCore::RenderTreeBuilder::Ruby::attachForStyleBasedRuby(WebCore::RenderElement&, std::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) (this=0x7f75fe1b6600, parent=..., child=std::unique_ptr<WebCore::RenderObject> = {...}, beforeChild=0x7f75960007a0) at /home/fred/src-obj/WebKit/Source/WebCore/rendering/updating/RenderTreeBuilderRuby.cpp:326
#10 0x00007f7621d4ae4f in WebCore::RenderTreeBuilder::attachInternal(WebCore::RenderElement&, std::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) (this=this@entry=0x7ffc1f046f50, parent=..., child=std::unique_ptr<WebCore::RenderObject> = {...}, beforeChild=<optimized out>, beforeChild@entry=0x7f7596007d80) at /usr/include/c++/11/bits/unique_ptr.h:172
#11 0x00007f7621d4af16 in WebCore::RenderTreeBuilder::attach(WebCore::RenderElement&, std::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>, WebCore::RenderObject*) (this=0x7ffc1f046f50, parent=..., child=std::unique_ptr<WebCore::RenderObject> = {...}, beforeChild=0x7f7596007d80) at /usr/include/c++/11/bits/unique_ptr.h:172
#12 0x00007f7621d59d2d in WebCore::RenderTreeUpdater::createRenderer(WebCore::Element&, WebCore::RenderStyle&&) (this=this@entry=0x7ffc1f046f20, element=..., style=...) at /home/fred/src-obj/WebKit/Source/WebCore/rendering/updating/RenderTreePosition.h:45
#13 0x00007f7621d5a259 in WebCore::RenderTreeUpdater::updateElementRenderer(WebCore::Element&, WebCore::Style::ElementUpdate const&) (this=this@entry=0x7ffc1f046f20, element=..., elementUpdate=...) at /home/fred/src-obj/WebKit/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:458
#14 0x00007f7621d5b171 in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) (this=this@entry=0x7ffc1f046f20, root=<optimized out>) at /home/fred/src-obj/WebKit/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:262
#15 0x00007f7621d5b583 in WebCore::RenderTreeUpdater::commit(std::unique_ptr<WebCore::Style::Update, std::default_delete<WebCore::Style::Update> >) (this=0x7ffc1f046f20, styleUpdate=std::unique_ptr<WebCore::Style::Update> = {...}) at /home/fred/src-obj/WebKit/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:127
#16 0x00007f7620e38da1 in WebCore::Document::updateRenderTree(std::unique_ptr<WebCore::Style::Update, std::default_delete<WebCore::Style::Update> >) (this=this@entry=0x7f75ae141c00, styleUpdate=std::unique_ptr<WebCore::Style::Update> = {...}) at /usr/include/c++/11/bits/unique_ptr.h:172
#17 0x00007f7620e5a79e in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) (this=this@entry=0x7f75ae141c00, type=<optimized out>, type@entry=WebCore::Document::ResolveStyleType::Normal) at /usr/include/c++/11/bits/unique_ptr.h:172
#18 0x00007f7620e5ac45 in WebCore::Document::updateStyleIfNeeded() (this=this@entry=0x7f75ae141c00) at /home/fred/src-obj/WebKit/Source/WebCore/dom/Document.cpp:2668
#19 0x00007f7620e63ac4 in WebCore::Document::implicitClose() (this=this@entry=0x7f75ae141c00) at /home/fred/src-obj/WebKit/Source/WebCore/dom/Document.cpp:3788
#20 0x00007f762145ffcd in WebCore::FrameLoader::checkCallImplicitClose() (this=0x7f75fe0ec1a0) at /home/fred/src-obj/WebKit/Source/WebCore/loader/FrameLoader.cpp:1046
#21 WebCore::FrameLoader::checkCallImplicitClose() (this=0x7f75fe0ec1a0) at /home/fred/src-obj/WebKit/Source/WebCore/loader/FrameLoader.cpp:1036
#22 0x00007f762147109b in WebCore::FrameLoader::checkCompleted() (this=0x7f75fe0ec1a0) at /home/fred/src-obj/WebKit/Source/WebCore/loader/FrameLoader.cpp:987
#23 WebCore::FrameLoader::checkCompleted() (this=0x7f75fe0ec1a0) at /home/fred/src-obj/WebKit/Source/WebCore/loader/FrameLoader.cpp:941
#24 0x00007f7620e2cf7a in WebCore::Document::checkCompleted() (this=this@entry=0x7f75ae141c00) at /home/fred/src-obj/WebKit/WebKitBuild/RelWithDebInfo/WTF/Headers/wtf/RawPtrTraits.h:44
#25 0x00007f7620e2d028 in WebCore::Document::loadEventDelayTimerFired() (this=0x7f75ae141c00) at /home/fred/src-obj/WebKit/Source/WebCore/dom/Document.cpp:7942
#26 0x00007f76216f9ebf in WebCore::ThreadTimers::sharedTimerFiredInternal() (this=0x7f75fe0e4fc0) at /home/fred/src-obj/WebKit/Source/WebCore/platform/ThreadTimers.cpp:125
#27 0x00007f761e2f16b2 in operator() (__closure=0x0, userData=0x7f76237057b0 <WebCore::MainThreadSharedTimer::singleton()::instance+16>) at /home/fred/src-obj/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:177
#28 _FUN(gpointer) () at /home/fred/src-obj/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:181
#29 0x00007f761e2f1ec3 in operator() (__closure=0x0, userData=0x7f76237057b0 <WebCore::MainThreadSharedTimer::singleton()::instance+16>, callback=0x7f761e2f1690 <_FUN(gpointer)>, source=0x55ab05ddee80) at /home/fred/src-obj/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:53
#30 _FUN(GSource*, GSourceFunc, gpointer) () at /home/fred/src-obj/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:56
#31 0x00007f761ab38c44 in g_main_context_dispatch () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#32 0x00007f761ab8e258 in () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#33 0x00007f761ab382b3 in g_main_loop_run () at /lib/x86_64-linux-gnu/libglib-2.0.so.0
#34 0x00007f761e2f2010 in WTF::RunLoop::run() () at /home/fred/src-obj/WebKit/Source/WTF/wtf/glib/RunLoopGLib.cpp:108
#35 0x00007f761fc21a68 in WebKit::AuxiliaryProcessMainBase<WebKit::WebProcess, true>::run(int, char**) (argc=4, argv=0x7ffc1f0478c8, this=0x7ffc1f047740) at /home/fred/src-obj/WebKit/Source/WebKit/Shared/AuxiliaryProcessMain.h:72
#36 WebKit::AuxiliaryProcessMainBase<WebKit::WebProcess, true>::run(int, char**) (argv=0x7ffc1f0478c8, argc=4, this=0x7ffc1f047740) at /home/fred/src-obj/WebKit/Source/WebKit/Shared/AuxiliaryProcessMain.h:59
#37 WebKit::AuxiliaryProcessMain<WebKit::WebProcessMainGtk>(int, char**) (argc=4, argv=0x7ffc1f0478c8) at /home/fred/src-obj/WebKit/Source/WebKit/Shared/AuxiliaryProcessMain.h:98
#38 0x00007f761e946d90 in __libc_start_call_main (main=main@entry=0x55ab03cf1060 <main(int, char**)>, argc=argc@entry=4, argv=argv@entry=0x7ffc1f0478c8) at ../sysdeps/nptl/libc_start_call_main.h:58
#39 0x00007f761e946e40 in __libc_start_main_impl (main=0x55ab03cf1060 <main(int, char**)>, argc=4, argv=0x7ffc1f0478c8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7ffc1f0478b8) at ../csu/libc-start.c:392
#40 0x000055ab03cf1095 in _start ()

Going further up, WebCore::RenderTreeBuilder::attachToRenderElementInternal is performed with the following bad configuration:

(rr) reverse-finish
...
[beforeChild]-->RenderView at (0,0) size 800x600 renderer (0x7f75960007a0) layout box ((nil)) layout->[normal child]
HTML RenderBlock at (0,0) size 800x600 renderer (0x7f75960015e0) layout box ((nil)) node (0x7f75960010e0) layout->[normal child]
BODY RenderBody at (8,8) size 784x584 renderer (0x7f75960017f0) layout box ((nil)) node (0x7f7596001230) layout->[self][normal child]
RenderBlock at (0,0) size 0x0 renderer (0x7f7596005820) layout box ((nil)) layout->[self][normal child]
#text RenderText renderer (0x7f7596005ae0) layout box ((nil)) node (0x7f75960050e0) length->(3) "\n\n\n" layout->[self]
[parent]------------->RUBY RenderInline renderer (0x7f7596006f10) layout box ((nil)) node (0x7f7596005140) continuation->(0x7f7596005e00) layout->[self][normal child]
RenderInline renderer (0x7f7596007130) layout box ((nil)) layout->[self][normal child]
RenderInline renderer (0x7f7596005420) layout box ((nil)) layout->[self][normal child]
#text RenderText renderer (0x7f7596007df0) layout box ((nil)) node (0x7f75960044d0) length->(1) "\n" layout->[self]
OUTPUT RenderInline renderer (0x7f75960054c0) layout box ((nil)) node (0x7f7596004650) continuation->(0x7f7596005730) layout->[self][normal child]
#text RenderText renderer (0x7f7596005560) layout box ((nil)) node (0x7f7596004710) length->(1) "\n" layout->[self]
RenderInline renderer (0x7f7596005ea0) layout box ((nil)) layout->[self][normal child]
#text RenderText renderer (0x7f75960055d0) layout box ((nil)) node (0x7f7596004e90) length->(1) "\n" layout->[self]
OBJECT RenderEmbeddedObject at (0,0) size 0x0 renderer (0x7f7596005b50) layout box ((nil)) node (0x7f7596004f50) layout->[self]
RenderBlock at (0,0) size 0x0 renderer (0x7f7596005730) layout box ((nil)) continuation->(0x7f7596005c80) layout->[self][normal child]
DETAILS RenderBlock at (0,0) size 0x0 renderer (0x7f7596005640) layout box ((nil)) node (0x7f7596004830) layout->[self][normal child]
SUMMARY RenderBlock at (0,0) size 0x0 renderer (0x7f7596007270) layout box ((nil)) node (0x7f7596004a50) layout->[self][normal child]
DIV RenderDetailsMarker at (0,0) size 0x0 renderer (0x7f7596005910) layout box ((nil)) node (0x7f7596004c30) layout->[self]
RenderBlock at (0,0) size 0x0 renderer (0x7f7596005f40) layout box ((nil)) layout->[self][normal child]
RUBY RenderInline renderer (0x7f7596005e00) layout box ((nil)) node (0x7f7596005140) continuation->(0x7f75960076d0) layout->[self][normal child]
OUTPUT RenderInline renderer (0x7f7596005c80) layout box ((nil)) node (0x7f7596004650) layout->[self]
RUBY RenderInline renderer (0x7f75960076d0) layout box ((nil)) node (0x7f7596005140) layout->[self][normal child]
RenderInline renderer (0x7f7596007f50) layout box ((nil))

Going even further up, RenderTreeBuilder::Ruby::attachForStyleBasedRuby is called with the following bad configuration:

RenderView at (0,0) size 800x600 renderer (0x7f75960007a0) layout box ((nil)) layout->[normal child]
HTML RenderBlock at (0,0) size 800x600 renderer (0x7f75960015e0) layout box ((nil)) node (0x7f75960010e0) layout->[normal child]
BODY RenderBody at (8,8) size 784x584 renderer (0x7f75960017f0) layout box ((nil)) node (0x7f7596001230) layout->[self][normal child]
RenderBlock at (0,0) size 0x0 renderer (0x7f7596005820) layout box ((nil)) layout->[self][normal child]
#text RenderText renderer (0x7f7596005ae0) layout box ((nil)) node (0x7f75960050e0) length->(3) "\n\n\n" layout->[self]
[parent]------------->RUBY RenderInline renderer (0x7f7596006f10) layout box ((nil)) node (0x7f7596005140) continuation->(0x7f7596005e00) layout->[self][normal child]
RenderInline renderer (0x7f7596007130) layout box ((nil)) layout->[self][normal child]
RenderInline renderer (0x7f7596005420) layout box ((nil)) layout->[self][normal child]
#text RenderText renderer (0x7f7596007df0) layout box ((nil)) node (0x7f75960044d0) length->(1) "\n" layout->[self]
OUTPUT RenderInline renderer (0x7f75960054c0) layout box ((nil)) node (0x7f7596004650) continuation->(0x7f7596005730) layout->[self][normal child]
#text RenderText renderer (0x7f7596005560) layout box ((nil)) node (0x7f7596004710) length->(1) "\n" layout->[self]
RenderInline renderer (0x7f7596005ea0) layout box ((nil)) layout->[self][normal child]
#text RenderText renderer (0x7f75960055d0) layout box ((nil)) node (0x7f7596004e90) length->(1) "\n" layout->[self]
OBJECT RenderEmbeddedObject at (0,0) size 0x0 renderer (0x7f7596005b50) layout box ((nil)) node (0x7f7596004f50) layout->[self]
RenderBlock at (0,0) size 0x0 renderer (0x7f7596005730) layout box ((nil)) continuation->(0x7f7596005c80) layout->[self][normal child]
DETAILS RenderBlock at (0,0) size 0x0 renderer (0x7f7596005640) layout box ((nil)) node (0x7f7596004830) layout->[self][normal child]
SUMMARY RenderBlock at (0,0) size 0x0 renderer (0x7f7596007270) layout box ((nil)) node (0x7f7596004a50) layout->[self][normal child]
DIV RenderDetailsMarker at (0,0) size 0x0 renderer (0x7f7596005910) layout box ((nil)) node (0x7f7596004c30) layout->[self]
RenderBlock at (0,0) size 0x0 renderer (0x7f7596005f40) layout box ((nil)) layout->[self][normal child]
RUBY RenderInline renderer (0x7f7596005e00) layout box ((nil)) node (0x7f7596005140) continuation->(0x7f75960076d0) layout->[self][normal child]
OUTPUT RenderInline renderer (0x7f7596005c80) layout box ((nil)) node (0x7f7596004650) layout->[self]
RUBY RenderInline renderer (0x7f75960076d0) layout box ((nil)) node (0x7f7596005140) layout->[self][normal child]
RenderInline renderer (0x7f7596007f50) layout box ((nil))
[beforeChild]------------>#text RenderText renderer (0x7f7596007d80) layout box ((nil)) node (0x7f75960052e0) length->(1) "\n"

For completeness, the DOM tree is as follows:

(rr) p showTree((const WebCore::Node*)0x7f7596005140)
BODY 0x7f7596001230 (renderer 0x7f75960017f0)
#text 0x7f7596004470 "\n"
#text 0x7f75960050e0 "\n\n\n"
RUBY 0x7f7596005140 (renderer 0x7f7596006f10)
SLOT 0x7f7596004530 (renderer (nil))
#text 0x7f75960044d0 "\n"
OUTPUT 0x7f7596004650 (renderer 0x7f75960054c0) CLASS=class4
#text 0x7f7596004710 "\n"
DETAILS 0x7f7596004830 (renderer 0x7f7596005640)
#document-fragment 0x7f7596004950 (renderer (nil)) (needs style recalc) (child needs style recalc)
SLOT 0x7f75960045c0 (renderer (nil))
SUMMARY 0x7f7596004a50 (renderer 0x7f7596007270)
#document-fragment 0x7f7596004b30 (renderer (nil)) (needs style recalc) (child needs style recalc)
DIV 0x7f7596004c30 (renderer 0x7f7596005910)
SLOT 0x7f7596004d10 (renderer (nil))
#text 0x7f7596004770 "Détails"
#text 0x7f75960047d0 "\n"
#text 0x7f7596004e30 "\n"
#text 0x7f7596004e90 "\n"
OBJECT 0x7f7596004f50 (renderer 0x7f7596005b50)
#text 0x7f7596004ef0 "\n"
#text 0x7f7596005080 "\n"
#text 0x7f7596005220 "\n"
RT 0x7f7596005340 (renderer 0x7f7596007360)
#text 0x7f7596005280 "\n"
#text 0x7f75960052e0 "\n"

RenderTreeBuilder::Ruby::attachForStyleBasedRuby is called when creating the renderer for the rt element (DisplayType::RubyAnnotation).
Contrary to what happens in bug 268770, we don't enter the DisplayType::RubyBlock case, since the ruby element is inline. The while loop sets beforeChild to the document's root and we go ahead in attachToRenderElementInternal with the bad configuration previously mentioned.
Frédéric Wang (:fredw)
Comment 2 2024-04-10 04:19:19 PDT
*** This bug has been marked as a duplicate of bug 268770 ***