Bug 288752
Summary: | ASAN_TRAP \| WTF::HashTable::lookup; WebCore::LegacyRenderSVGResourceClipper::removeClientFromCache; WebCore::SVGResources::removeClientFromCache | |
---|---|---|---
Product: | WebKit | Reporter: | Adan Lopez <ja_lopezlozoya>
Component: | SVG | Assignee: | Nobody <webkit-unassigned>
Status: | RESOLVED FIXED | |
Severity: | Normal | CC: | sabouhallawa, webkit-bug-importer, wilander, zimmermann
Priority: | P2 | Keywords: | InRadar
Version: | Safari Technology Preview | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Adan Lopez
Test case:
```html
<!DOCTYPE html>
<body>
<script>
// Each iframe receives a stylesheet that applies a clip-path referencing
// the SVG <clipPath> in the same document to every element, followed by
// the <picture>/<select>/<svg> markup that defines that clipPath.
function addFrame() {
    const iframe = document.createElement('iframe');
    document.body.appendChild(iframe);
    iframe.contentDocument.open();
    iframe.contentDocument.write(`data:text/html,<style>* { -webkit-clip-path: url(#clipPath); }</style>
<picture><select></select><svg><clipPath id="clipPath">`);
    iframe.contentDocument.close();
}
// testRunner is only defined under WebKit's layout-test harness; the
// optional chaining lets the file also load in a plain browser.
window?.testRunner?.dumpAsText();
window?.testRunner?.waitUntilDone();
for (let i = 0; i < 50; ++i)
    addFrame();
onload = () => {
    requestAnimationFrame(() => {
        window?.testRunner?.notifyDone();
    });
};
</script>
```
Backtrace:
frame #0: WebCore`WTF::KeyValuePair<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>, std::__1::unique_ptr<WebCore::ClipperData, std::__1::default_delete<WebCore::ClipperData>>>* WTF::HashTable<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>, WTF::KeyValuePair<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>, std::__1::unique_ptr<WebCore::ClipperData, std::__1::default_delete<WebCore::ClipperData>>>, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>, std::__1::unique_ptr<WebCore::ClipperData, std::__1::default_delete<WebCore::ClipperData>>>>, WTF::DefaultHash<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>>, WTF::HashMap<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>, std::__1::unique_ptr<WebCore::ClipperData, std::__1::default_delete<WebCore::ClipperData>>, WTF::DefaultHash<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>>, WTF::HashTraits<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>>, WTF::HashTraits<std::__1::unique_ptr<WebCore::ClipperData, std::__1::default_delete<WebCore::ClipperData>>>, WTF::HashTableTraits, (WTF::ShouldValidateKey)0>::KeyValuePairTraits, WTF::HashTraits<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>>, (WTF::ShouldValidateKey)0>::lookup<WTF::HashMapTranslator<WTF::HashMap<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>, std::__1::unique_ptr<WebCore::ClipperData, std::__1::default_delete<WebCore::ClipperData>>, WTF::DefaultHash<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>>, WTF::HashTraits<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>>, WTF::HashTraits<std::__1::unique_ptr<WebCore::ClipperData, std::__1::default_delete<WebCore::ClipperData>>>, WTF::HashTableTraits, 
(WTF::ShouldValidateKey)0>::KeyValuePairTraits, WTF::DefaultHash<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>>>, WebCore::RenderObject const*>(WebCore::RenderObject const* const&)+0x12c
frame #1: WebCore`WebCore::LegacyRenderSVGResourceClipper::removeClientFromCache(WebCore::RenderElement&, bool)+0x6d
frame #2: WebCore`WebCore::SVGResources::removeClientFromCache(WebCore::RenderElement&, bool) const+0x3a7
frame #3: WebCore`WebCore::LegacyRenderSVGShape::layout()+0x4e4
frame #4: WebCore`WebCore::SVGRenderSupport::layoutChildren(WebCore::RenderElement&, bool)+0x42d
frame #5: WebCore`WebCore::LegacyRenderSVGRoot::layout()+0x2ed
frame #6: WebCore`WebCore::LayoutIntegration::layoutWithFormattingContextForBox(WebCore::Layout::ElementBox const&, std::__1::optional<WebCore::LayoutUnit>, WebCore::Layout::LayoutState&)+0xb2
frame #7: WebCore`WebCore::Layout::LineBuilder::candidateContentForLine(WebCore::Layout::LineCandidate&, unsigned long, WebCore::Layout::InlineItemRange const&, float)+0xafc
frame #8: WebCore`WebCore::Layout::LineBuilder::placeInlineAndFloatContent(WebCore::Layout::InlineItemRange const&)+0x39b
frame #9: WebCore`WebCore::Layout::LineBuilder::layoutInlineContent(WebCore::Layout::LineInput const&, std::__1::optional<WebCore::Layout::PreviousLine> const&)+0x155
frame #10: WebCore`WebCore::Layout::InlineFormattingContext::lineLayout(WebCore::Layout::AbstractLineBuilder&, WTF::Vector<WebCore::Layout::InlineItem, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WebCore::Layout::InlineItemRange, std::__1::optional<WebCore::Layout::PreviousLine>, WebCore::Layout::ConstraintsForInlineContent const&, WebCore::Layout::InlineDamage const*)+0x13a4
frame #11: WebCore`WebCore::Layout::InlineFormattingContext::layout(WebCore::Layout::ConstraintsForInlineContent const&, WebCore::Layout::InlineDamage*)+0xaeb
frame #12: WebCore`WebCore::LayoutIntegration::LineLayout::layout()+0xcea
frame #13: WebCore`WebCore::RenderBlockFlow::layoutInlineContent(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0x1cdc
frame #14: WebCore`WebCore::RenderBlockFlow::layoutInFlowChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0x469
frame #15: WebCore`WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)+0x1199
frame #16: WebCore`WebCore::RenderBlock::layout()+0x112
frame #17: WebCore`WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0x1808
frame #18: WebCore`WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)+0x6c9
frame #19: WebCore`WebCore::RenderBlockFlow::layoutInFlowChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0x9e6
frame #20: WebCore`WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)+0x1199
frame #21: WebCore`WebCore::RenderBlock::layout()+0x112
frame #22: WebCore`WebCore::RenderFragmentedFlow::layout()+0x80
frame #23: WebCore`WebCore::RenderMultiColumnFlow::layout()+0x31e
frame #24: WebCore`WebCore::RenderBlockFlow::layoutExcludedChildren(bool)+0x22e
frame #25: WebCore`WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)+0x3d7
frame #26: WebCore`WebCore::RenderBlockFlow::layoutInFlowChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0x9e6
frame #27: WebCore`WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)+0x1199
frame #28: WebCore`WebCore::RenderBlock::layout()+0x112
frame #29: WebCore`WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0x1808
frame #30: WebCore`WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)+0x6c9
frame #31: WebCore`WebCore::RenderBlockFlow::layoutInFlowChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0x9e6
frame #32: WebCore`WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)+0x1199
frame #33: WebCore`WebCore::RenderBlock::layout()+0x112
frame #34: WebCore`WebCore::RenderFragmentedFlow::layout()+0x80
frame #35: WebCore`WebCore::RenderMultiColumnFlow::layout()+0x31e
frame #36: WebCore`WebCore::RenderBlockFlow::layoutExcludedChildren(bool)+0x22e
frame #37: WebCore`WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)+0x3d7
frame #38: WebCore`WebCore::RenderBlockFlow::layoutInFlowChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0x9e6
frame #39: WebCore`WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)+0x1199
frame #40: WebCore`WebCore::RenderBlock::layout()+0x112
frame #41: WebCore`WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0x1808
frame #42: WebCore`WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)+0x6c9
frame #43: WebCore`WebCore::RenderBlockFlow::layoutInFlowChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0x9e6
frame #44: WebCore`WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)+0x1199
frame #45: WebCore`WebCore::RenderBlock::layout()+0x112
frame #46: WebCore`WebCore::RenderView::layout()+0x4cd
frame #47: WebCore`WebCore::LocalFrameViewLayoutContext::performLayout(bool)+0xa6d
frame #48: WebCore`WebCore::LocalFrameViewLayoutContext::layout(bool)+0x141
frame #49: WebCore`WebCore::Document::updateLayout(WTF::OptionSet<WebCore::LayoutOptions>, WebCore::Element const*)+0xb8f
frame #50: WebCore`WebCore::HTMLPlugInElement::renderWidgetLoadingPlugin() const+0x22b
frame #51: WebCore`WebCore::HTMLPlugInElement::bindingsInstance()+0x21a
frame #52: WebCore`WebCore::pluginElementCustomGetOwnPropertySlot(WebCore::JSHTMLElement*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::PropertySlot&)+0x2c9
frame #53: WebCore`WebCore::JSHTMLObjectElement::legacyPlatformObjectGetOwnProperty(JSC::JSObject*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::PropertySlot&, bool)+0xf3
frame #54: JavaScriptCore`JSC::LLInt::performLLIntGetByID(JSC::BytecodeIndex, JSC::CodeBlock*, JSC::JSGlobalObject*, JSC::JSValue, JSC::Identifier const&, JSC::GetByIdModeMetadata&)+0x72ef
frame #55: JavaScriptCore`llint_slow_path_get_by_id+0x38b
frame #56: JavaScriptCore`jsc_llint_llintOpWithMetadata__llintOpWithReturn__llintOp__commonOp__fn__fn__makeReturn__fn__fn__177_fn__opGetByIdSlow_LowLevelInterpreter_asm_508+0xd
frame #57: JavaScriptCore`jsc_llint_commonCallOp__llintOpWithMetadata__llintOpWithReturn__llintOp__commonOp__fn__fn__makeReturn__fn__fn__fn__696_callHelper__dispatch_LowLevelInterpreter64_asm_2538+0x2
frame #58: JavaScriptCore`llint_call_javascript+0x5
frame #59: JavaScriptCore`JSC::Interpreter::executeCall(JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)+0x8c1
frame #60: JavaScriptCore`JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)+0xfa
frame #61: WebCore`WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&)+0xb60
frame #62: WebCore`WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::RawPtrTraits<WebCore::RegisteredEventListener>, WTF::DefaultRefDerefTraits<WebCore::RegisteredEventListener>>, 1ul, WTF::CrashOnOverflow, 2ul, WTF::FastMalloc>, WebCore::EventTarget::EventInvokePhase)+0x522
frame #63: WebCore`WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase)+0x65b
frame #64: WebCore`WebCore::LocalDOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*)+0x3d8
frame #65: WebCore`WebCore::LocalDOMWindow::dispatchLoadEvent()+0x483
frame #66: WebCore`WebCore::Document::dispatchWindowLoadEvent()+0x119
frame #67: WebCore`WebCore::Document::implicitClose()+0x6db
frame #68: WebCore`WebCore::FrameLoader::checkCallImplicitClose()+0x1c5
frame #69: WebCore`WebCore::FrameLoader::checkCompleted()+0x4cb
frame #70: WebCore`WebCore::FrameLoader::checkCompletenessNow()+0x30b
frame #71: WebCore`WTF::Detail::CallableWrapper<WebCore::Timer::Timer<WebCore::FrameLoader, WebCore::FrameLoader>(WebCore::FrameLoader&, void (WebCore::FrameLoader::*)())::'lambda'(), void>::call()+0x19a
frame #72: WebCore`WebCore::ThreadTimers::sharedTimerFiredInternal()+0x397
frame #73: WebCore`WebCore::timerFired(__CFRunLoopTimer*, void*)+0x78
frame #74: CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__+0x13
frame #75: CoreFoundation`__CFRunLoopDoTimer+0x325
frame #76: CoreFoundation`__CFRunLoopDoTimers+0x10e
frame #77: CoreFoundation`__CFRunLoopRun+0x8da
frame #78: CoreFoundation`CFRunLoopRunSpecific+0x217
frame #79: Foundation`-[NSRunLoop(NSRunLoop) runMode:beforeDate:]+0xd7
frame #80: Foundation`-[NSRunLoop(NSRunLoop) run]+0x4b
frame #81: libxpc.dylib`_xpc_objc_main+0x271
frame #82: libxpc.dylib`_xpc_main+0x20
frame #83: libxpc.dylib`xpc_main+0x37
frame #84: WebKit`WebKit::XPCServiceMain(int, char const**)+0x8f
frame #85: dyld`start+0xbef
asan log:
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2699==ERROR: AddressSanitizer: TRAP on unknown address 0x000158dd603c (pc 0x000158dd603c bp 0x7ff7b951d190 sp 0x7ff7b951d190 T0)
#0 0x000158dd603c in WTF::KeyValuePair<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>, std::__1::unique_ptr<WebCore::ClipperData, std::__1::default_delete<WebCore::ClipperData>>>* WTF::HashTable<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>, WTF::KeyValuePair<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>, std::__1::unique_ptr<WebCore::ClipperData, std::__1::default_delete<WebCore::ClipperData>>>, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>, std::__1::unique_ptr<WebCore::ClipperData, std::__1::default_delete<WebCore::ClipperData>>>>, WTF::DefaultHash<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>>, WTF::HashMap<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>, std::__1::unique_ptr<WebCore::ClipperData, std::__1::default_delete<WebCore::ClipperData>>, WTF::DefaultHash<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>>, WTF::HashTraits<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>>, WTF::HashTraits<std::__1::unique_ptr<WebCore::ClipperData, std::__1::default_delete<WebCore::ClipperData>>>, WTF::HashTableTraits, (WTF::ShouldValidateKey)0>::KeyValuePairTraits, WTF::HashTraits<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>>, (WTF::ShouldValidateKey)0>::lookup<WTF::HashMapTranslator<WTF::HashMap<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>, std::__1::unique_ptr<WebCore::ClipperData, std::__1::default_delete<WebCore::ClipperData>>, WTF::DefaultHash<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>>, WTF::HashTraits<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>>, WTF::HashTraits<std::__1::unique_ptr<WebCore::ClipperData, std::__1::default_delete<WebCore::ClipperData>>>, WTF::HashTableTraits, 
(WTF::ShouldValidateKey)0>::KeyValuePairTraits, WTF::DefaultHash<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>>>, WebCore::RenderObject const*>(WebCore::RenderObject const* const&)+0x12c (WebCore:x86_64+0x829603c)
#1 0x000158dc291d in WebCore::LegacyRenderSVGResourceClipper::removeClientFromCache(WebCore::RenderElement&, bool)+0x6d (WebCore:x86_64+0x828291d)
#2 0x000159cbf547 in WebCore::SVGResources::removeClientFromCache(WebCore::RenderElement&, bool) const+0x3a7 (WebCore:x86_64+0x917f547)
#3 0x000158df0074 in WebCore::LegacyRenderSVGShape::layout()+0x4e4 (WebCore:x86_64+0x82b0074)
#4 0x000158d5904d in WebCore::SVGRenderSupport::layoutChildren(WebCore::RenderElement&, bool)+0x42d (WebCore:x86_64+0x821904d)
#5 0x000158de60dd in WebCore::LegacyRenderSVGRoot::layout()+0x2ed (WebCore:x86_64+0x82a60dd)
#6 0x000157031482 in WebCore::LayoutIntegration::layoutWithFormattingContextForBox(WebCore::Layout::ElementBox const&, std::__1::optional<WebCore::LayoutUnit>, WebCore::Layout::LayoutState&)+0xb2 (WebCore:x86_64+0x64f1482)
#7 0x000156fae79c in WebCore::Layout::LineBuilder::candidateContentForLine(WebCore::Layout::LineCandidate&, unsigned long, WebCore::Layout::InlineItemRange const&, float)+0xafc (WebCore:x86_64+0x646e79c)
#8 0x000156fa988b in WebCore::Layout::LineBuilder::placeInlineAndFloatContent(WebCore::Layout::InlineItemRange const&)+0x39b (WebCore:x86_64+0x646988b)
#9 0x000156fa5a25 in WebCore::Layout::LineBuilder::layoutInlineContent(WebCore::Layout::LineInput const&, std::__1::optional<WebCore::Layout::PreviousLine> const&)+0x155 (WebCore:x86_64+0x6465a25)
#10 0x000156f59714 in WebCore::Layout::InlineFormattingContext::lineLayout(WebCore::Layout::AbstractLineBuilder&, WTF::Vector<WebCore::Layout::InlineItem, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WebCore::Layout::InlineItemRange, std::__1::optional<WebCore::Layout::PreviousLine>, WebCore::Layout::ConstraintsForInlineContent const&, WebCore::Layout::InlineDamage const*)+0x13a4 (WebCore:x86_64+0x6419714)
#11 0x000156f55bfb in WebCore::Layout::InlineFormattingContext::layout(WebCore::Layout::ConstraintsForInlineContent const&, WebCore::Layout::InlineDamage*)+0xaeb (WebCore:x86_64+0x6415bfb)
#12 0x0001570664fa in WebCore::LayoutIntegration::LineLayout::layout()+0xcea (WebCore:x86_64+0x65264fa)
#13 0x000158636cec in WebCore::RenderBlockFlow::layoutInlineContent(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0x1cdc (WebCore:x86_64+0x7af6cec)
#14 0x0001586258e9 in WebCore::RenderBlockFlow::layoutInFlowChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0x469 (WebCore:x86_64+0x7ae58e9)
#15 0x00015861d559 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)+0x1199 (WebCore:x86_64+0x7add559)
#16 0x0001585bc1e2 in WebCore::RenderBlock::layout()+0x112 (WebCore:x86_64+0x7a7c1e2)
#17 0x00015862d038 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0x1808 (WebCore:x86_64+0x7aed038)
#18 0x000158629289 in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)+0x6c9 (WebCore:x86_64+0x7ae9289)
#19 0x000158625e66 in WebCore::RenderBlockFlow::layoutInFlowChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0x9e6 (WebCore:x86_64+0x7ae5e66)
#20 0x00015861d559 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)+0x1199 (WebCore:x86_64+0x7add559)
#21 0x0001585bc1e2 in WebCore::RenderBlock::layout()+0x112 (WebCore:x86_64+0x7a7c1e2)
#22 0x00015879e240 in WebCore::RenderFragmentedFlow::layout()+0x80 (WebCore:x86_64+0x7c5e240)
#23 0x00015897a88e in WebCore::RenderMultiColumnFlow::layout()+0x31e (WebCore:x86_64+0x7e3a88e)
#24 0x00015866f08e in WebCore::RenderBlockFlow::layoutExcludedChildren(bool)+0x22e (WebCore:x86_64+0x7b2f08e)
#25 0x000158628f97 in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)+0x3d7 (WebCore:x86_64+0x7ae8f97)
#26 0x000158625e66 in WebCore::RenderBlockFlow::layoutInFlowChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0x9e6 (WebCore:x86_64+0x7ae5e66)
#27 0x00015861d559 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)+0x1199 (WebCore:x86_64+0x7add559)
#28 0x0001585bc1e2 in WebCore::RenderBlock::layout()+0x112 (WebCore:x86_64+0x7a7c1e2)
#29 0x00015862d038 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0x1808 (WebCore:x86_64+0x7aed038)
#30 0x000158629289 in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)+0x6c9 (WebCore:x86_64+0x7ae9289)
#31 0x000158625e66 in WebCore::RenderBlockFlow::layoutInFlowChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0x9e6 (WebCore:x86_64+0x7ae5e66)
#32 0x00015861d559 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)+0x1199 (WebCore:x86_64+0x7add559)
#33 0x0001585bc1e2 in WebCore::RenderBlock::layout()+0x112 (WebCore:x86_64+0x7a7c1e2)
#34 0x00015879e240 in WebCore::RenderFragmentedFlow::layout()+0x80 (WebCore:x86_64+0x7c5e240)
#35 0x00015897a88e in WebCore::RenderMultiColumnFlow::layout()+0x31e (WebCore:x86_64+0x7e3a88e)
#36 0x00015866f08e in WebCore::RenderBlockFlow::layoutExcludedChildren(bool)+0x22e (WebCore:x86_64+0x7b2f08e)
#37 0x000158628f97 in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)+0x3d7 (WebCore:x86_64+0x7ae8f97)
#38 0x000158625e66 in WebCore::RenderBlockFlow::layoutInFlowChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0x9e6 (WebCore:x86_64+0x7ae5e66)
#39 0x00015861d559 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)+0x1199 (WebCore:x86_64+0x7add559)
#40 0x0001585bc1e2 in WebCore::RenderBlock::layout()+0x112 (WebCore:x86_64+0x7a7c1e2)
#41 0x00015862d038 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0x1808 (WebCore:x86_64+0x7aed038)
#42 0x000158629289 in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)+0x6c9 (WebCore:x86_64+0x7ae9289)
#43 0x000158625e66 in WebCore::RenderBlockFlow::layoutInFlowChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0x9e6 (WebCore:x86_64+0x7ae5e66)
#44 0x00015861d559 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)+0x1199 (WebCore:x86_64+0x7add559)
#45 0x0001585bc1e2 in WebCore::RenderBlock::layout()+0x112 (WebCore:x86_64+0x7a7c1e2)
#46 0x000158afbbdd in WebCore::RenderView::layout()+0x4cd (WebCore:x86_64+0x7fbbbdd)
#47 0x000157683fdd in WebCore::LocalFrameViewLayoutContext::performLayout(bool)+0xa6d (WebCore:x86_64+0x6b43fdd)
#48 0x000157644ba1 in WebCore::LocalFrameViewLayoutContext::layout(bool)+0x141 (WebCore:x86_64+0x6b04ba1)
#49 0x000155c1c52f in WebCore::Document::updateLayout(WTF::OptionSet<WebCore::LayoutOptions>, WebCore::Element const*)+0xb8f (WebCore:x86_64+0x50dc52f)
#50 0x0001566fab3b in WebCore::HTMLPlugInElement::renderWidgetLoadingPlugin() const+0x22b (WebCore:x86_64+0x5bbab3b)
#51 0x0001566fa17a in WebCore::HTMLPlugInElement::bindingsInstance()+0x21a (WebCore:x86_64+0x5bba17a)
#52 0x000154de03b9 in WebCore::pluginElementCustomGetOwnPropertySlot(WebCore::JSHTMLElement*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::PropertySlot&)+0x2c9 (WebCore:x86_64+0x42a03b9)
#53 0x0001523a7f13 in WebCore::JSHTMLObjectElement::legacyPlatformObjectGetOwnProperty(JSC::JSObject*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::PropertySlot&, bool)+0xf3 (WebCore:x86_64+0x1867f13)
#54 0x00012f16fa7f in JSC::LLInt::performLLIntGetByID(JSC::BytecodeIndex, JSC::CodeBlock*, JSC::JSGlobalObject*, JSC::JSValue, JSC::Identifier const&, JSC::GetByIdModeMetadata&)+0x72ef (JavaScriptCore:x86_64+0x2d82a7f)
#55 0x00012f16816b in llint_slow_path_get_by_id+0x38b (JavaScriptCore:x86_64+0x2d7b16b)
#56 0x0001310231f1 in jsc_llint_llintOpWithMetadata__llintOpWithReturn__llintOp__commonOp__fn__fn__makeReturn__fn__fn__177_fn__opGetByIdSlow_LowLevelInterpreter_asm_508+0xd (JavaScriptCore:x86_64+0x4c361f1)
#57 0x0001310399ee in jsc_llint_commonCallOp__llintOpWithMetadata__llintOpWithReturn__llintOp__commonOp__fn__fn__makeReturn__fn__fn__fn__696_callHelper__dispatch_LowLevelInterpreter64_asm_2538+0x2 (JavaScriptCore:x86_64+0x4c4c9ee)
#58 0x0001310182c9 in llint_call_javascript+0x5 (JavaScriptCore:x86_64+0x4c2b2c9)
#59 0x00012ec17bb1 in JSC::Interpreter::executeCall(JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)+0x8c1 (JavaScriptCore:x86_64+0x282abb1)
#60 0x00012f39d47a in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)+0xfa (JavaScriptCore:x86_64+0x2fb047a)
#61 0x000154db44e0 in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&)+0xb60 (WebCore:x86_64+0x42744e0)
#62 0x000155df5a62 in WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::RawPtrTraits<WebCore::RegisteredEventListener>, WTF::DefaultRefDerefTraits<WebCore::RegisteredEventListener>>, 1ul, WTF::CrashOnOverflow, 2ul, WTF::FastMalloc>, WebCore::EventTarget::EventInvokePhase)+0x522 (WebCore:x86_64+0x52b5a62)
#63 0x000155dd4ecb in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase)+0x65b (WebCore:x86_64+0x5294ecb)
#64 0x0001575c63d8 in WebCore::LocalDOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*)+0x3d8 (WebCore:x86_64+0x6a863d8)
#65 0x0001575f2a43 in WebCore::LocalDOMWindow::dispatchLoadEvent()+0x483 (WebCore:x86_64+0x6ab2a43)
#66 0x000155c326d9 in WebCore::Document::dispatchWindowLoadEvent()+0x119 (WebCore:x86_64+0x50f26d9)
#67 0x000155c308db in WebCore::Document::implicitClose()+0x6db (WebCore:x86_64+0x50f08db)
#68 0x000157151685 in WebCore::FrameLoader::checkCallImplicitClose()+0x1c5 (WebCore:x86_64+0x6611685)
#69 0x00015714f7cb in WebCore::FrameLoader::checkCompleted()+0x4cb (WebCore:x86_64+0x660f7cb)
#70 0x00015715278b in WebCore::FrameLoader::checkCompletenessNow()+0x30b (WebCore:x86_64+0x661278b)
#71 0x0001571dd9da in WTF::Detail::CallableWrapper<WebCore::Timer::Timer<WebCore::FrameLoader, WebCore::FrameLoader>(WebCore::FrameLoader&, void (WebCore::FrameLoader::*)())::'lambda'(), void>::call()+0x19a (WebCore:x86_64+0x669d9da)
#72 0x000157a6c377 in WebCore::ThreadTimers::sharedTimerFiredInternal()+0x397 (WebCore:x86_64+0x6f2c377)
#73 0x000157ba50e8 in WebCore::timerFired(__CFRunLoopTimer*, void*)+0x78 (WebCore:x86_64+0x70650e8)
#74 0x7ff8085e3bec in __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__+0x13 (CoreFoundation:x86_64h+0x92bec)
#75 0x7ff8085e37d7 in __CFRunLoopDoTimer+0x325 (CoreFoundation:x86_64h+0x927d7)
#76 0x7ff8085e33f5 in __CFRunLoopDoTimers+0x10e (CoreFoundation:x86_64h+0x923f5)
#77 0x7ff8085cb153 in __CFRunLoopRun+0x8da (CoreFoundation:x86_64h+0x7a153)
#78 0x7ff8085ca241 in CFRunLoopRunSpecific+0x217 (CoreFoundation:x86_64h+0x79241)
#79 0x7ff809632d62 in -[NSRunLoop(NSRunLoop) runMode:beforeDate:]+0xd7 (Foundation:x86_64+0x5ad62)
#80 0x7ff8096b3396 in -[NSRunLoop(NSRunLoop) run]+0x4b (Foundation:x86_64+0xdb396)
#81 0x7ff8081ed1bf in _xpc_objc_main+0x271 (libxpc.dylib:x86_64+0x151bf)
#82 0x7ff8081fa6f1 in _xpc_main+0x20 (libxpc.dylib:x86_64+0x226f1)
#83 0x7ff8081ecdda in xpc_main+0x37 (libxpc.dylib:x86_64+0x14dda)
#84 0x00011878d72f in WebKit::XPCServiceMain(int, char const**)+0x8f (WebKit:x86_64+0x15d072f)
#85 0x7ff80813f52f in start+0xbef (dyld:x86_64+0xfffffffffff3252f)
==2699==Register values:
rax = 0x000060d00034db30 rbx = 0x0000612000165ef8 rcx = 0x0000000000000030 rdx = 0x000000015a342960
rdi = 0x000000000000005c rsi = 0x000000015a341600 rbp = 0x00007ff7b951d190 rsp = 0x00007ff7b951d190
r8 = 0x0000000000000007 r9 = 0x0000000000000005 r10 = 0x0000000000000002 r11 = 0x00001c040001cc0f
r12 = 0x0000100000000000 r13 = 0x00000c240002cbdf r14 = 0x00006120001657c0 r15 = 0x0000000000000000
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: TRAP (WebCore:x86_64+0x829603c) in WTF::KeyValuePair<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>, std::__1::unique_ptr<WebCore::ClipperData, std::__1::default_delete<WebCore::ClipperData>>>* WTF::HashTable<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>, WTF::KeyValuePair<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>, std::__1::unique_ptr<WebCore::ClipperData, std::__1::default_delete<WebCore::ClipperData>>>, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>, std::__1::unique_ptr<WebCore::ClipperData, std::__1::default_delete<WebCore::ClipperData>>>>, WTF::DefaultHash<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>>, WTF::HashMap<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>, std::__1::unique_ptr<WebCore::ClipperData, std::__1::default_delete<WebCore::ClipperData>>, WTF::DefaultHash<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>>, WTF::HashTraits<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>>, WTF::HashTraits<std::__1::unique_ptr<WebCore::ClipperData, std::__1::default_delete<WebCore::ClipperData>>>, WTF::HashTableTraits, (WTF::ShouldValidateKey)0>::KeyValuePairTraits, WTF::HashTraits<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>>, (WTF::ShouldValidateKey)0>::lookup<WTF::HashMapTranslator<WTF::HashMap<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>, std::__1::unique_ptr<WebCore::ClipperData, std::__1::default_delete<WebCore::ClipperData>>, WTF::DefaultHash<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>>, WTF::HashTraits<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>>, WTF::HashTraits<std::__1::unique_ptr<WebCore::ClipperData, std::__1::default_delete<WebCore::ClipperData>>>, WTF::HashTableTraits, 
(WTF::ShouldValidateKey)0>::KeyValuePairTraits, WTF::DefaultHash<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>>>, WebCore::RenderObject const*>(WebCore::RenderObject const* const&)+0x12c
==2699==ABORTING
com.apple.WebKit.WebContent.Development terminated (pid 2699) for reason: crash
#CRASHED - com.apple.WebKit.WebContent.Development (pid 2699)
Adan Lopez
<rdar://problem/144407636>
Adan Lopez
Pull request: https://github.com/WebKit/WebKit/pull/41552
Adan Lopez
Pull request: https://github.com/WebKit/WebKit/pull/41555
EWS
Committed 291601@main (10ac38dba49e): <https://commits.webkit.org/291601@main>
Reviewed commits have been landed. Closing PR #41555 and removing active labels.
EWS
Committed 289651.375@safari-7621-branch (c765aa5d0efc): <https://commits.webkit.org/289651.375@safari-7621-branch>
Reviewed commits have been landed. Closing PR #2926 and removing active labels.
Ryosuke Niwa
*** Bug 288442 has been marked as a duplicate of this bug. ***