Bug 300692
| Summary: | Crash in LabelsNodeList::~LabelsNodeList | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Ryosuke Niwa <rniwa> |
| Component: | New Bugs | Assignee: | Ryosuke Niwa <rniwa> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | Safari Technology Preview | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
Ryosuke Niwa
e.g.
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread:
0 WebCore 0x1acd2db58 WTFCrashWithInfo(int, char const*, char const*, int) + 24 (usr/local/include/wtf/Assertions.h:929) [inlined]
1 WebCore 0x1acd2db58 WTF::CanMakeCheckedPtrBase<WTF::SingleThreadIntegralWrapper<unsigned int>, unsigned int>::decrementCheckedPtrCount() const + 24 (usr/local/include/wtf/CheckedRef.h:290) [inlined]
2 WebCore 0x1acd2db58 WTF::CheckedPtr<WebCore::Element, WTF::RawPtrTraits<WebCore::Element>>::derefIfNotNull() + 24 (usr/local/include/wtf/CheckedPtr.h:185) [inlined]
3 WebCore 0x1acd2db58 WTF::CheckedPtr<WebCore::Element, WTF::RawPtrTraits<WebCore::Element>>::~CheckedPtr() + 24 (usr/local/include/wtf/CheckedPtr.h:72) [inlined]
4 WebCore 0x1acd2db58 WTF::CheckedPtr<WebCore::Element, WTF::RawPtrTraits<WebCore::Element>>::~CheckedPtr() + 24 (usr/local/include/wtf/CheckedPtr.h:71) [inlined]
5 WebCore 0x1acd2db58 WebCore::ElementIterator<WebCore::Element>::~ElementIterator() + 56 (/Library/Caches/com.apple.xbs/Sources/WebCore/Source/WebCore/dom/ElementIterator.h:40) [inlined]
6 WebCore 0x1acd2db58 WebCore::ElementDescendantIterator<WebCore::Element>::~ElementDescendantIterator() + 56 (/Library/Caches/com.apple.xbs/Sources/WebCore/Source/WebCore/dom/TypedElementDescendantIterator.h:56) [inlined]
7 WebCore 0x1acd2db58 WebCore::ElementDescendantIterator<WebCore::Element>::~ElementDescendantIterator() + 56 (/Library/Caches/com.apple.xbs/Sources/WebCore/Source/WebCore/dom/TypedElementDescendantIterator.h:56) [inlined]
8 WebCore 0x1acd2db58 WebCore::CollectionIndexCache<WebCore::LabelsNodeList, WebCore::ElementDescendantIterator<WebCore::Element>>::~CollectionIndexCache() + 56 (/Library/Caches/com.apple.xbs/Sources/WebCore/Source/WebCore/dom/CollectionIndexCache.h:37) [inlined]
9 WebCore 0x1acd2db58 WebCore::CollectionIndexCache<WebCore::LabelsNodeList, WebCore::ElementDescendantIterator<WebCore::Element>>::~CollectionIndexCache() + 56 (/Library/Caches/com.apple.xbs/Sources/WebCore/Source/WebCore/dom/CollectionIndexCache.h:37) [inlined]
10 WebCore 0x1acd2db58 WebCore::CachedLiveNodeList<WebCore::LabelsNodeList>::~CachedLiveNodeList() + 88 (/Library/Caches/com.apple.xbs/Sources/WebCore/Source/WebCore/dom/LiveNodeList.h:123) [inlined]
11 WebCore 0x1acd2db58 WebCore::LabelsNodeList::~LabelsNodeList() + 736 (/Library/Caches/com.apple.xbs/Sources/WebCore/Source/WebCore/html/LabelsNodeList.cpp:53)
12 WebCore 0x1acd2db74 WebCore::LabelsNodeList::~LabelsNodeList() + 4 (/Library/Caches/com.apple.xbs/Sources/WebCore/Source/WebCore/html/LabelsNodeList.cpp:51) [inlined]
13 WebCore 0x1acd2db74 WebCore::LabelsNodeList::~LabelsNodeList() + 16 (/Library/Caches/com.apple.xbs/Sources/WebCore/Source/WebCore/html/LabelsNodeList.cpp:51)
14 JavaScriptCore 0x1a5521730 JSC::JSDestructibleObjectDestroyFunc::operator()(JSC::VM&, JSC::JSCell*) const + 24 (/Library/Caches/com.apple.xbs/Sources/JavaScriptCore/Source/JavaScriptCore/./runtime/JSDestructibleObjectHeapCellType.cpp:43) [inlined]
15 JavaScriptCore 0x1a5521730 void JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)0, (JSC::MarkedBlock::Handle::SweepMode)0, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)0, JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::JSDestructibleObjectDestroyFunc const&)::'lambda'(void*)::operator()(void*) const + 32 (/Library/Caches/com.apple.xbs/Sources/JavaScriptCore/Source/JavaScriptCore/heap/MarkedBlockInlines.h:286) [inlined]
16 JavaScriptCore 0x1a5521730 void JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)0, (JSC::MarkedBlock::Handle::SweepMode)0, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)0, JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::JSDestructibleObjectDestroyFunc const&) + 356 (/Library/Caches/com.apple.xbs/Sources/JavaScriptCore/Source/JavaScriptCore/heap/MarkedBlockInlines.h:328) [inlined]
17 JavaScriptCore 0x1a5521730 void JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType<JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::JSDestructibleObjectDestroyFunc const&)::'lambda'()::operator()() const + 396 (/Library/Caches/com.apple.xbs/Sources/JavaScriptCore/Source/JavaScriptCore/heap/MarkedBlockInlines.h:468) [inlined]
18 JavaScriptCore 0x1a5521730 void JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType<JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::JSDestructibleObjectDestroyFunc const&) + 492 (/Library/Caches/com.apple.xbs/Sources/JavaScriptCore/Source/JavaScriptCore/heap/MarkedBlockInlines.h:510) [inlined]
19 JavaScriptCore 0x1a5521730 JSC::JSDestructibleObjectHeapCellType::finishSweep(JSC::MarkedBlock::Handle&, JSC::FreeList*) const + 536 (/Library/Caches/com.apple.xbs/Sources/JavaScriptCore/Source/JavaScriptCore/./runtime/JSDestructibleObjectHeapCellType.cpp:56)
20 JavaScriptCore 0x1a436a238 JSC::Subspace::finishSweep(JSC::MarkedBlock::Handle&, JSC::FreeList*) + 48 (/Library/Caches/com.apple.xbs/Sources/JavaScriptCore/Source/JavaScriptCore/./heap/Subspace.cpp:62) [inlined]
21 JavaScriptCore 0x1a436a238 JSC::MarkedBlock::Handle::sweep(JSC::FreeList*) + 2192 (/Library/Caches/com.apple.xbs/Sources/JavaScriptCore/Source/JavaScriptCore/./heap/MarkedBlock.cpp:502)
<rdar://162254579>
Ryosuke Niwa
Pull request: https://github.com/WebKit/WebKit/pull/52291
EWS
Committed 301516@main (74aabff89f46): <https://commits.webkit.org/301516@main>
Reviewed commits have been landed. Closing PR #52291 and removing active labels.