Bug 305689

Summary: Release assert in performLayout via WebPage::unapplyEditCommand through WebEditorClient::undo
Product: WebKit Reporter: Ryosuke Niwa <rniwa>
Component: New BugsAssignee: Ryosuke Niwa <rniwa>
Status: RESOLVED FIXED    
Severity: Normal Keywords: InRadar
Priority: P2    
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 305770    

Ryosuke Niwa
Reported 2026-01-17 00:20:51 PST
e.g. #0 0x00016b808e80 in WTFCrashWithInfo(int, char const*, char const*, int)+0x64 (WebCore:arm64e+0x6b8e80) #1 0x0001758cea54 in WebCore::LocalFrameViewLayoutContext::performLayout(bool)+0x2a30 (WebCore:arm64e+0xa77ea54) #2 0x00017583d87c in WebCore::LocalFrameViewLayoutContext::layout(bool)+0x158 (WebCore:arm64e+0xa6ed87c) #3 0x0001735a2790 in WebCore::Document::updateLayout(WTF::OptionSet<WebCore::LayoutOptions, (WTF::ConcurrencyTag)0>, WebCore::Element const*)+0xf84 (WebCore:arm64e+0x8452790) #4 0x000173c52a7c in WebCore::EditCommandComposition::unapply(WebCore::EditCommandComposition::AddToUndoStack)+0x414 (WebCore:arm64e+0x8b02a7c) #5 0x00011b3b0e98 in WebKit::WebPage::unapplyEditCommand(unsigned long long)+0x200 (WebKit:arm64e+0x12ce98) #6 0x00011e264d64 in WebKit::WebPage::didReceiveMessage(IPC::Connection&, IPC::Decoder&)+0x36c0 (WebKit:arm64e+0x2fe0d64) #7 0x0001224086b4 in IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&)+0x474 (WebKit:arm64e+0x71846b4) #8 0x00011fc87ea4 in WebKit::AuxiliaryProcess::dispatchMessage(IPC::Connection&, IPC::Decoder&)+0x44 (WebKit:arm64e+0x4a03ea4) #9 0x00011d2de6bc in WebKit::AuxiliaryProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&)+0x180 (WebKit:arm64e+0x205a6bc) #10 0x00011e3c83cc in WebKit::WebProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&)+0x994 (WebKit:arm64e+0x31443cc) #11 0x000122355980 in IPC::Connection::dispatchMessage(WTF::UniqueRef<IPC::Decoder>)+0xf6c (WebKit:arm64e+0x70d1980) #12 0x00012233f0bc in IPC::Connection::SyncMessageState::ConnectionAndIncomingMessage::dispatch()+0xcc (WebKit:arm64e+0x70bb0bc) #13 0x00012233e6c0 in IPC::Connection::SyncMessageState::dispatchMessages(WTF::Function<void (IPC::MessageName, unsigned long long)>&&)+0x430 (WebKit:arm64e+0x70ba6c0) #14 0x00012234c730 in IPC::Connection::waitForSyncReply(WTF::ObjectIdentifierGeneric<IPC::SyncRequestIDType, WTF::ObjectIdentifierThreadSafeAccessTraits<unsigned long long>, unsigned long long>, IPC::MessageName, IPC::Timeout, WTF::OptionSet<IPC::SendSyncOption, (WTF::ConcurrencyTag)0>)+0x170 (WebKit:arm64e+0x70c8730) #15 0x0001223471f4 in IPC::Connection::sendSyncMessage(WTF::ObjectIdentifierGeneric<IPC::SyncRequestIDType, WTF::ObjectIdentifierThreadSafeAccessTraits<unsigned long long>, unsigned long long>, WTF::UniqueRef<IPC::Encoder>&&, IPC::Timeout, WTF::OptionSet<IPC::SendSyncOption, (WTF::ConcurrencyTag)0>)+0x300 (WebKit:arm64e+0x70c31f4) #16 0x0001216448dc in IPC::ConnectionSendSyncResult<Messages::RemoteImageDecoderAVFProxy::CreateFrameImageAtIndex> IPC::Connection::sendSync<Messages::RemoteImageDecoderAVFProxy::CreateFrameImageAtIndex>(Messages::RemoteImageDecoderAVFProxy::CreateFrameImageAtIndex&&, unsigned long long, IPC::Timeout, WTF::OptionSet<IPC::SendSyncOption, (WTF::ConcurrencyTag)0>)+0x1c8 (WebKit:arm64e+0x63c08dc) #17 0x000121643488 in WTF::Detail::CallableWrapper<WebKit::RemoteImageDecoderAVF::createFrameImageAtIndex(unsigned long, WebCore::SubsamplingLevel, WebCore::DecodingOptions const&)::$_0, void>::call()+0x244 (WebKit:arm64e+0x63bf488) #18 0x000127067d14 in WTF::callOnMainRunLoopAndWait(WTF::Function<void ()>&&)+0x118 (JavaScriptCore:arm64e+0x5c3d14) #19 0x0001215eab44 in WebKit::RemoteImageDecoderAVF::createFrameImageAtIndex(unsigned long, WebCore::SubsamplingLevel, WebCore::DecodingOptions const&)+0x438 (WebKit:arm64e+0x6366b44) #20 0x000176102fc4 in WebCore::BitmapImageSource::nativeImageAtIndexCacheIfNeeded(unsigned int, WebCore::SubsamplingLevel, WebCore::DecodingOptions const&)+0x5e0 (WebCore:arm64e+0xafb2fc4) #21 0x000176106764 in WebCore::BitmapImageSource::nativeImageAtIndex(unsigned int)+0xb8 (WebCore:arm64e+0xafb6764) #22 0x0001760f1ad4 in WebCore::DestinationColorSpace WebCore::BitmapImageDescriptor::primaryNativeImageMetadata<WebCore::DestinationColorSpace>(WebCore::DestinationColorSpace&, WebCore::DestinationColorSpace const&, WebCore::BitmapImageDescriptor::CachedFlag, WebCore::DestinationColorSpace (WebCore::NativeImage::*)() const) const+0x108 (WebCore:arm64e+0xafa1ad4) #23 0x0001760f35b0 in WebCore::BitmapImageDescriptor::hasHDRColorSpace() const+0x428 (WebCore:arm64e+0xafa35b0) #24 0x00017614c93c in WebCore::BitmapImageSource::hasHDRContent() const+0x40 (WebCore:arm64e+0xaffc93c) #25 0x0001770153d0 in WebCore::RenderElement::imageContentChanged(WebCore::CachedImage&)+0x114 (WebCore:arm64e+0xbec53d0) #26 0x000177014f68 in WebCore::RenderElement::notifyFinished(WebCore::CachedResource&, WebCore::NetworkLoadMetrics const&, WebCore::LoadWillContinueInAnotherProcess)+0xe8 (WebCore:arm64e+0xbec4f68) #27 0x000177129e90 in WebCore::RenderImage::notifyFinished(WebCore::CachedResource&, WebCore::NetworkLoadMetrics const&, WebCore::LoadWillContinueInAnotherProcess)+0x480 (WebCore:arm64e+0xbfd9e90) #28 0x00017549f704 in WebCore::CachedResource::didAddClient(WebCore::CachedResourceClient&)+0x360 (WebCore:arm64e+0xa34f704) #29 0x0001754b1888 in WebCore::CachedImage::didAddClient(WebCore::CachedResourceClient&)+0x344 (WebCore:arm64e+0xa361888) #30 0x000177130158 in WebCore::RenderImageResource::setCachedImage(WebCore::CachedResourceHandle<WebCore::CachedImage>&&)+0x370 (WebCore:arm64e+0xbfe0158) #31 0x00017421f590 in WebCore::HTMLImageElement::didAttachRenderers()+0x350 (WebCore:arm64e+0x90cf590) #32 0x0001778e3d34 in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&)+0x36cc (WebCore:arm64e+0xc793d34) #33 0x0001778de948 in WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update, std::__1::default_delete<WebCore::Style::Update>>)+0x278 (WebCore:arm64e+0xc78e948) #34 0x00017359c7b0 in WebCore::Document::updateRenderTree(std::__1::unique_ptr<WebCore::Style::Update, std::__1::default_delete<WebCore::Style::Update>>)+0x138 (WebCore:arm64e+0x844c7b0) #35 0x00017359d02c in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType)+0x700 (WebCore:arm64e+0x844d02c) #36 0x0001735a204c in WebCore::Document::updateLayout(WTF::OptionSet<WebCore::LayoutOptions, (WTF::ConcurrencyTag)0>, WebCore::Element const*)+0x840 (WebCore:arm64e+0x845204c) #37 0x000173d121e4 in WebCore::Editor::unappliedEditing(WebCore::EditCommandComposition&)+0x150 (WebCore:arm64e+0x8bc21e4) #38 0x000173c52d9c in WebCore::EditCommandComposition::unapply(WebCore::EditCommandComposition::AddToUndoStack)+0x734 (WebCore:arm64e+0x8b02d9c) #39 0x00011b3b0e98 in WebKit::WebPage::unapplyEditCommand(unsigned long long)+0x200 (WebKit:arm64e+0x12ce98) #40 0x00011e264d64 in WebKit::WebPage::didReceiveMessage(IPC::Connection&, IPC::Decoder&)+0x36c0 (WebKit:arm64e+0x2fe0d64) #41 0x0001224086b4 in IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&)+0x474 (WebKit:arm64e+0x71846b4) #42 0x00011fc87ea4 in WebKit::AuxiliaryProcess::dispatchMessage(IPC::Connection&, IPC::Decoder&)+0x44 (WebKit:arm64e+0x4a03ea4) #43 0x00011d2de6bc in WebKit::AuxiliaryProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&)+0x180 (WebKit:arm64e+0x205a6bc) #44 0x00011e3c83cc in WebKit::WebProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&)+0x994 (WebKit:arm64e+0x31443cc) #45 0x000122355980 in IPC::Connection::dispatchMessage(WTF::UniqueRef<IPC::Decoder>)+0xf6c (WebKit:arm64e+0x70d1980) #46 0x00012233f0bc in IPC::Connection::SyncMessageState::ConnectionAndIncomingMessage::dispatch()+0xcc (WebKit:arm64e+0x70bb0bc) #47 0x00012233e6c0 in IPC::Connection::SyncMessageState::dispatchMessages(WTF::Function<void (IPC::MessageName, unsigned long long)>&&)+0x430 (WebKit:arm64e+0x70ba6c0) #48 0x00012234c730 in IPC::Connection::waitForSyncReply(WTF::ObjectIdentifierGeneric<IPC::SyncRequestIDType, WTF::ObjectIdentifierThreadSafeAccessTraits<unsigned long long>, unsigned long long>, IPC::MessageName, IPC::Timeout, WTF::OptionSet<IPC::SendSyncOption, (WTF::ConcurrencyTag)0>)+0x170 (WebKit:arm64e+0x70c8730) #49 0x0001223471f4 in IPC::Connection::sendSyncMessage(WTF::ObjectIdentifierGeneric<IPC::SyncRequestIDType, WTF::ObjectIdentifierThreadSafeAccessTraits<unsigned long long>, unsigned long long>, WTF::UniqueRef<IPC::Encoder>&&, IPC::Timeout, WTF::OptionSet<IPC::SendSyncOption, (WTF::ConcurrencyTag)0>)+0x300 (WebKit:arm64e+0x70c31f4) #50 0x000121a8f108 in IPC::ConnectionSendSyncResult<Messages::WebPageProxy::ExecuteUndoRedo> IPC::Connection::sendSync<Messages::WebPageProxy::ExecuteUndoRedo>(Messages::WebPageProxy::ExecuteUndoRedo&&, unsigned long long, IPC::Timeout, WTF::OptionSet<IPC::SendSyncOption, (WTF::ConcurrencyTag)0>)+0x198 (WebKit:arm64e+0x680b108) #51 0x000121a8eb58 in IPC::ConnectionSendSyncResult<Messages::WebPageProxy::ExecuteUndoRedo> IPC::MessageSender::sendSync<Messages::WebPageProxy::ExecuteUndoRedo>(Messages::WebPageProxy::ExecuteUndoRedo&&, unsigned long long, IPC::Timeout, WTF::OptionSet<IPC::SendSyncOption, (WTF::ConcurrencyTag)0>)+0x278 (WebKit:arm64e+0x680ab58) #52 0x00011b3b0854 in WebKit::WebEditorClient::undo()+0x120 (WebKit:arm64e+0x12c854) <rdar://163994841>
Attachments
Add attachment proposed patch, testcase, etc.
Ryosuke Niwa
Comment 1 2026-01-17 00:22:13 PST
rdar://163994841
Ryosuke Niwa
Comment 2 2026-01-17 00:45:21 PST
Pull request: https://github.com/WebKit/WebKit/pull/56757
EWS
Comment 3 2026-01-18 08:37:43 PST
Committed 305778@main (b08cb7a8eb99): <https://commits.webkit.org/305778@main> Reviewed commits have been landed. Closing PR #56757 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.