WebKit Bugzilla
RESOLVED WORKSFORME
159452
[GTK][EFL] SIGSEGV in AccessibilityRenderObject::remoteSVGRootElement
https://bugs.webkit.org/show_bug.cgi?id=159452
Fujii Hironori
Reported
2016-07-05 23:37:06 PDT
BuildBot of GTK Linux 64-bit Release fails.
https://build.webkit.org/builders/GTK%20Linux%2064-bit%20Release%20%28Tests%29/builds/16841/steps/layout-test/logs/stdio
> fast/history/page-cache-geolocation-active-oneshot.html [ Crash ]
I tested with trunk@202817, Gtk port, release build, 64bit. This cannot be reproduced with the single test case fast/history/page-cache-geolocation-active-oneshot.html. I can reproduce this with two test cases:
> $ ./Tools/Scripts/run-webkit-tests --gtk --release fast/history/page-cache-destroy-document.html fast/history/page-cache-geolocation-active-oneshot.html
Callstack:
> #0 0x00007f12c82847e2 in WebCore::AccessibilityRenderObject::remoteSVGRootElement(WebCore::AccessibilityRenderObject::CreationChoice) const () from /home/fujii/work/webkit/w1/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
> #1 0x00007f12c828550e in WebCore::AccessibilityRenderObject::detachRemoteSVGRoot() () from /home/fujii/work/webkit/w1/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
> #2 0x00007f12c8287ac1 in WebCore::AccessibilityRenderObject::detach(WebCore::AccessibilityDetachmentType, WebCore::AXObjectCache*) () from /home/fujii/work/webkit/w1/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
> #3 0x00007f12c8252848 in WebCore::AXObjectCache::~AXObjectCache() () from /home/fujii/work/webkit/w1/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
> #4 0x00007f12c8492c30 in WebCore::Document::clearAXObjectCache() () from /home/fujii/work/webkit/w1/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
> #5 0x00007f12c8496f98 in WebCore::Document::destroyRenderTree() () from /home/fujii/work/webkit/w1/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
> #6 0x00007f12c84a9fc8 in WebCore::Document::prepareForDestruction() () from /home/fujii/work/webkit/w1/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
> #7 0x00007f12c86218e7 in WebCore::CachedFrame::destroy() () from /home/fujii/work/webkit/w1/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
> #8 0x00007f12c86219e2 in WebCore::CachedPage::~CachedPage() () from /home/fujii/work/webkit/w1/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
> #9 0x00007f12c862609f in WebCore::PageCache::prune(WebCore::PruningReason) () from /home/fujii/work/webkit/w1/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
> #10 0x00007f12c8626166 in WebCore::PageCache::pruneToSizeNow(unsigned int, WebCore::PruningReason) () from /home/fujii/work/webkit/w1/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
> #11 0x00007f12c7f7fa80 in WebKit::WebPage::updatePreferences(WebKit::WebPreferencesStore const&) () from /home/fujii/work/webkit/w1/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
> #12 0x00007f12c80ba734 in void IPC::handleMessage<Messages::WebPage::PreferencesDidChange, WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::WebPreferencesStore const&)>(IPC::MessageDecoder&, WebKit::WebPage*, void (WebKit::WebPage::*)(WebKit::WebPreferencesStore const&)) () from /home/fujii/work/webkit/w1/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
> #13 0x00007f12c80b88d3 in WebKit::WebPage::didReceiveWebPageMessage(IPC::Connection&, IPC::MessageDecoder&) () from /home/fujii/work/webkit/w1/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
> #14 0x00007f12c7da39e9 in IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::MessageDecoder&) () from /home/fujii/work/webkit/w1/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
> #15 0x00007f12c7ed24f6 in WebKit::WebProcess::didReceiveMessage(IPC::Connection&, IPC::MessageDecoder&) () from /home/fujii/work/webkit/w1/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
> #16 0x00007f12c7d9fe96 in IPC::Connection::dispatchMessage(std::unique_ptr<IPC::MessageDecoder, std::default_delete<IPC::MessageDecoder> >) () from /home/fujii/work/webkit/w1/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
> #17 0x00007f12c7da08c3 in IPC::Connection::dispatchOneMessage() () from /home/fujii/work/webkit/w1/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
> #18 0x00007f12c699c62d in WTF::RunLoop::performWork() () from /home/fujii/work/webkit/w1/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
> #19 0x00007f12c69cd169 in WTF::RunLoop::RunLoop()::{lambda(void*)#1}::_FUN(void*) () from /home/fujii/work/webkit/w1/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
> #20 0x00007f12c10645f7 in g_main_dispatch () from /home/fujii/work/webkit/w1/WebKitBuild/DependenciesGTK/Root/lib/libglib-2.0.so.0
> #21 0x00007f12c106542e in g_main_context_dispatch () from /home/fujii/work/webkit/w1/WebKitBuild/DependenciesGTK/Root/lib/libglib-2.0.so.0
> #22 0x00007f12c1065612 in g_main_context_iterate () from /home/fujii/work/webkit/w1/WebKitBuild/DependenciesGTK/Root/lib/libglib-2.0.so.0
> #23 0x00007f12c1065a38 in g_main_loop_run () from /home/fujii/work/webkit/w1/WebKitBuild/DependenciesGTK/Root/lib/libglib-2.0.so.0
> #24 0x00007f12c69cda20 in WTF::RunLoop::run() () from /home/fujii/work/webkit/w1/WebKitBuild/Release/lib/libjavascriptcoregtk-4.0.so.18
> #25 0x00007f12c8069682 in int WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain>(int, char**) () from /home/fujii/work/webkit/w1/WebKitBuild/Release/lib/libwebkit2gtk-4.0.so.37
> #26 0x00007f12bc066731 in __libc_start_main () from /lib64/libc.so.6
> #27 0x0000000000400b99 in _start ()
EFL Linux 64-bit Release has the same crash.
https://build.webkit.org/results/EFL%20Linux%2064-bit%20Release%20WK2/r202838%20(28753)/fast/history/page-cache-geolocation-active-oneshot-crash-log.txt
Attachments
backtrace, registers and disassemble by gdb (12.88 KB, text/plain), 2016-07-05 23:38 PDT, Fujii Hironori
workaround patch (1.29 KB, patch), 2016-07-07 02:05 PDT, Fujii Hironori
Radar WebKit Bug Importer
Comment 1
2016-07-05 23:37:21 PDT
<rdar://problem/27190536>
Fujii Hironori
Comment 2
2016-07-05 23:38:46 PDT
Created attachment 282853: backtrace, registers and disassemble by gdb
Fujii Hironori
Comment 3
2016-07-05 23:40:20 PDT
This is a crash bug with a similar callstack:
Bug 158098 – AX: crash at AccessibilityRenderObject::remoteSVGRootElement const
chris fleizach
Comment 4
2016-07-05 23:45:09 PDT
(In reply to comment #3)
> This is a crash bug with a similar callstack:
>
> Bug 158098 – AX: crash at AccessibilityRenderObject::remoteSVGRootElement
> const
This has been befuddling me for a while. Maybe Joanie can help too since this repros on GTK (something I've never been able to do).
Fujii Hironori
Comment 5
2016-07-06 01:30:58 PDT
fast/history/page-cache-geolocation-active-oneshot.html is not needed to reproduce.
> ./Tools/Scripts/run-webkit-tests --gtk --release --iteration=2 fast/history/page-cache-destroy-document.html
In debug build, some assertions fail.
> ./Tools/Scripts/run-webkit-tests --gtk --debug --iteration=2 fast/history/page-cache-destroy-document.html
> ASSERTION FAILED: !m_frame.document() || !m_frame.document()->inPageCache()
> ../../Source/WebCore/loader/FrameLoader.cpp(1600) : void WebCore::FrameLoader::stopAllLoaders(WebCore::ClearProvisionalItemPolicy)
> 1 0x7f7a03e871dc /home/fujii/work/webkit/w1/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(WTFCrash+0x1e) [0x7f7a03e871dc]
> 2 0x7f7a0add51af /home/fujii/work/webkit/w1/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(WebCore::FrameLoader::stopAllLoaders(WebCore::ClearProvisionalItemPolicy)+0x73) [0x7f7a0add51af]
> 3 0x7f7a0add8c04 /home/fujii/work/webkit/w1/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(WebCore::FrameLoader::frameDetached()+0x34) [0x7f7a0add8c04]
> 4 0x7f7a0ab36f97 /home/fujii/work/webkit/w1/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(WebCore::HTMLFrameOwnerElement::disconnectContentFrame()+0x4b) [0x7f7a0ab36f97]
> 5 0x7f7a0a87769a /home/fujii/work/webkit/w1/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(WebCore::disconnectSubframes(WebCore::ContainerNode&, WebCore::SubframeDisconnectPolicy)+0x145) [0x7f7a0a87769a]
> 6 0x7f7a0a86e14f /home/fujii/work/webkit/w1/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(WebCore::disconnectSubframesIfNeeded(WebCore::ContainerNode&, WebCore::SubframeDisconnectPolicy)+0x35) [0x7f7a0a86e14f]
> 7 0x7f7a0a86b6e8 /home/fujii/work/webkit/w1/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(+0x57e16e8) [0x7f7a0a86b6e8]
> 8 0x7f7a0a86b9ee /home/fujii/work/webkit/w1/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(WebCore::ContainerNode::removeChild(WebCore::Node&, int&)+0x116) [0x7f7a0a86b9ee]
> 9 0x7f7a0a9567c2 /home/fujii/work/webkit/w1/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(WebCore::Node::removeChild(WebCore::Node&, int&)+0x5a) [0x7f7a0a9567c2]
> 10 0x7f7a0a5be726 /home/fujii/work/webkit/w1/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(WebCore::JSNode::removeChild(JSC::ExecState&)+0xa8) [0x7f7a0a5be726]
> 11 0x7f7a0bb759a1 /home/fujii/work/webkit/w1/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37(WebCore::jsNodePrototypeFunctionRemoveChild(JSC::ExecState*)+0x141) [0x7f7a0bb759a1]
> 12 0x7f79ab688028 [0x7f79ab688028]
Fujii Hironori
Comment 6
2016-07-06 01:33:43 PDT
This is skipped for Debug.
> webkit.org/b/159370 [ Debug ] fast/history/page-cache-destroy-document.html [ Skip ]
Bug 159370 – Page cache: Ensure consistent page cache state when subframe is removed while dispatching pagehide event.
Joanmarie Diggs
Comment 7
2016-07-06 09:06:37 PDT
(In reply to comment #4)
> (In reply to comment #3)
> > This is a crash bug with a similar callstack:
> >
> > Bug 158098 – AX: crash at AccessibilityRenderObject::remoteSVGRootElement
> > const
>
> This has been befuddling me for a while. Maybe Joanie can help too since
> this repros on GTK (something I've never been able to do).
I'll take a look. Thanks for the ping!
Fujii Hironori
Comment 8
2016-07-06 23:52:34 PDT
I investigated further assertion failures by disabling the preceding failed assertions. Second ASSERTION FAILED:
> ASSERTION FAILED: !m_inPageCache
> ../../Source/WebCore/dom/Document.cpp(2292) : void WebCore::Document::destroyRenderTree()
> #0 0x00007fab71e13395 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:323
> #1 0x00007fab7882614f in (anonymous namespace)::Document::destroyRenderTree (this=0x7fab59ed3000) at ../../Source/WebCore/dom/Document.cpp:2292
> #2 0x00007fab788263c3 in (anonymous namespace)::Document::prepareForDestruction (this=0x7fab59ed3000) at ../../Source/WebCore/dom/Document.cpp:2352
> #3 0x00007fab7881faf8 in (anonymous namespace)::Document::removedLastRef (this=0x7fab59ed3000) at ../../Source/WebCore/dom/Document.cpp:676
> #4 0x00007fab788f106e in (anonymous namespace)::Node::removedLastRef (this=0x7fab59ed3000) at ../../Source/WebCore/dom/Node.cpp:2319
> #5 0x00007fab77dd5b8a in (anonymous namespace)::Node::deref (this=0x7fab59ed3000) at ../../Source/WebCore/dom/Node.h:732
> #6 0x00007fab77dee1cc in WTF::derefIfNotNull<WebCore::Document> (ptr=0x7fab59ed3000) at ../../Source/WTF/wtf/PassRefPtr.h:40
> #7 0x00007fab77dede07 in WTF::RefPtr<WebCore::Document>::~RefPtr (this=0x7ffd30a36820, __in_chrg=<optimized out>) at ../../Source/WTF/wtf/RefPtr.h:62
> #8 0x00007fab78c80722 in WTF::RefPtr<WebCore::Document>::operator=(<unknown type in /home/fujii/work/webkit/w1/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37, CU 0x0, DIE 0x10724f>) (this=0x7fab59f896a0, o=<unknown type in /home/fujii/work/webkit/w1/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37, CU 0x0, DIE 0x10724f>) at ../../Source/WTF/wtf/RefPtr.h:170
> #9 0x00007fab78eabb22 in (anonymous namespace)::Frame::setDocument(<unknown type in /home/fujii/work/webkit/w1/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37, CU 0x0, DIE 0x1797b9>) (this=0x7fab59f89380, newDocument=<unknown type in /home/fujii/work/webkit/w1/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37, CU 0x0, DIE 0x1797b9>) at ../../Source/WebCore/page/Frame.cpp:273
> #10 0x00007fab78d6264e in (anonymous namespace)::FrameLoader::clear (this=0x7fab59f89418, newDocument=0x7fab59ed3000, clearWindowProperties=false, clearScriptObjects=true, clearFrameView=true) at ../../Source/WebCore/loader/FrameLoader.cpp:620
> #11 0x00007fab78d623e4 in (anonymous namespace)::FrameLoader::cancelAndClear (this=0x7fab59f89418) at ../../Source/WebCore/loader/FrameLoader.cpp:581
> #12 0x00007fab78eab661 in (anonymous namespace)::Frame::~Frame (this=0x7fab59f89380, __in_chrg=<optimized out>) at ../../Source/WebCore/page/Frame.cpp:210
> #13 0x00007fab78eab852 in (anonymous namespace)::Frame::~Frame (this=0x7fab59f89380, __in_chrg=<optimized out>) at ../../Source/WebCore/page/Frame.cpp:225
> #14 0x00007fab77dfe654 in WTF::ThreadSafeRefCounted<WebCore::Frame>::deref (this=0x7fab59f89388) at ../../Source/WTF/wtf/ThreadSafeRefCounted.h:79
> #15 0x00007fab77f004db in WTF::Ref<WebCore::Frame>::~Ref (this=0x7fab183d8ee0, __in_chrg=<optimized out>) at ../../Source/WTF/wtf/Ref.h:59
> #16 0x00007fab78eb633c in (anonymous namespace)::FrameView::~FrameView (this=0x7fab183d8d80, __in_chrg=<optimized out>) at ../../Source/WebCore/page/FrameView.cpp:269
> #17 0x00007fab78eb6390 in (anonymous namespace)::FrameView::~FrameView (this=0x7fab183d8d80, __in_chrg=<optimized out>) at ../../Source/WebCore/page/FrameView.cpp:287
> #18 0x00007fab77e57bec in WTF::RefCounted<WebCore::Widget>::deref (this=0x7fab183d8d88) at ../../Source/WTF/wtf/RefCounted.h:146
> #19 0x00007fab77ed7148 in WTF::derefIfNotNull<WebCore::Widget> (ptr=0x7fab183d8d80) at ../../Source/WTF/wtf/PassRefPtr.h:40
> #20 0x00007fab77ed4eb5 in WTF::RefPtr<WebCore::Widget>::~RefPtr (this=0x7fab59f837e0, __in_chrg=<optimized out>) at ../../Source/WTF/wtf/RefPtr.h:62
> #21 0x00007fab793ec724 in WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*>::~KeyValuePair (this=0x7fab59f837e0, __in_chrg=<optimized out>) at ../../Source/WTF/wtf/HashTraits.h:260
> #22 0x00007fab793ec77f in WTF::HashTable<WTF::RefPtr<WebCore::Widget>, WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*>, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*> >, WTF::PtrHash<WTF::RefPtr<WebCore::Widget> >, WTF::HashMap<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*>::KeyValuePairTraits, WTF::HashTraits<WTF::RefPtr<WebCore::Widget> > >::deallocateTable (table=0x7fab59f83780, size=8) at ../../Source/WTF/wtf/HashTable.h:1158
> #23 0x00007fab793ebdbe in WTF::HashTable<WTF::RefPtr<WebCore::Widget>, WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*>, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*> >, WTF::PtrHash<WTF::RefPtr<WebCore::Widget> >, WTF::HashMap<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*>::KeyValuePairTraits, WTF::HashTraits<WTF::RefPtr<WebCore::Widget> > >::~HashTable (this=0x7ffd30a36bc0, __in_chrg=<optimized out>) at ../../Source/WTF/wtf/HashTable.h:362
> #24 0x00007fab793ebbac in WTF::HashMap<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*, WTF::PtrHash<WTF::RefPtr<WebCore::Widget> >, WTF::HashTraits<WTF::RefPtr<WebCore::Widget> >, WTF::HashTraits<WebCore::FrameView*> >::~HashMap (this=0x7ffd30a36bc0, __in_chrg=<optimized out>) at ../../Source/WTF/wtf/HashMap.h:36
> #25 0x00007fab793e9ab0 in (anonymous namespace)::WidgetHierarchyUpdatesSuspensionScope::moveWidgets (this=0x7ffd30a36c7f) at ../../Source/WebCore/rendering/RenderWidget.cpp:55
> #26 0x00007fab78800e7f in (anonymous namespace)::WidgetHierarchyUpdatesSuspensionScope::~WidgetHierarchyUpdatesSuspensionScope (this=0x7ffd30a36c7f, __in_chrg=<optimized out>) at ../../Source/WebCore/rendering/RenderWidget.h:43
> #27 0x00007fab787fe9f3 in (anonymous namespace)::ContainerNode::removeChild (this=0x7fab59fdc820, oldChild=..., ec=@0x7ffd30a36d1c: 0) at ../../Source/WebCore/dom/ContainerNode.cpp:543
> #28 0x00007fab788e9700 in (anonymous namespace)::Node::removeChild (this=0x7fab59fdc820, oldChild=..., ec=@0x7ffd30a36d1c: 0) at ../../Source/WebCore/dom/Node.cpp:429
> #29 0x00007fab78551664 in (anonymous namespace)::JSNode::removeChild (this=0x7fab11167c00, state=...) at ../../Source/WebCore/bindings/js/JSNodeCustom.cpp:161
> #30 0x00007fab79b08983 in (anonymous namespace)::jsNodePrototypeFunctionRemoveChild (state=0x7ffd30a36d90) at DerivedSources/WebCore/JSNode.cpp:598
> #31 0x00007fab195b8028 in ?? ()
> #32 0x00007ffd30a36e10 in ?? ()
> #33 0x00007fab71a43de2 in llint_entry () at ../../Source/WTF/wtf/RefPtr.h:79
Third ASSERTION FAILED:
> ASSERTION FAILED: !m_hasAXObject
> ../../Source/WebCore/rendering/RenderObject.cpp(137) : virtual WebCore::RenderObject::~RenderObject()
> #0 0x00007f17b36fa395 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:323
> #1 0x00007f17bac4a9ff in (anonymous namespace)::RenderObject::~RenderObject (this=0x7f17593f0580, __in_chrg=<optimized out>) at ../../Source/WebCore/rendering/RenderObject.cpp:137
> #2 0x00007f17bab541c1 in (anonymous namespace)::RenderElement::~RenderElement (this=0x7f17593f0580, __in_chrg=<optimized out>) at ../../Source/WebCore/rendering/RenderElement.cpp:121
> #3 0x00007f17bac147e2 in (anonymous namespace)::RenderLayerModelObject::~RenderLayerModelObject (this=0x7f17593f0580, __in_chrg=<optimized out>) at ../../Source/WebCore/rendering/RenderLayerModelObject.cpp:50
> #4 0x00007f17bab2b33a in (anonymous namespace)::RenderBoxModelObject::~RenderBoxModelObject (this=0x7f17593f0580, __in_chrg=<optimized out>) at ../../Source/WebCore/rendering/RenderBoxModelObject.cpp:175
> #5 0x00007f17bab057ba in (anonymous namespace)::RenderBox::~RenderBox (this=0x7f17593f0580, __in_chrg=<optimized out>) at ../../Source/WebCore/rendering/RenderBox.cpp:143
> #6 0x00007f17baa9e7b5 in (anonymous namespace)::RenderBlock::~RenderBlock (this=0x7f17593f0580, __in_chrg=<optimized out>) at ../../Source/WebCore/rendering/RenderBlock.cpp:341
> #7 0x00007f17baad0726 in (anonymous namespace)::RenderBlockFlow::~RenderBlockFlow (this=0x7f17593f0580, __in_chrg=<optimized out>) at ../../Source/WebCore/rendering/RenderBlockFlow.cpp:120
> #8 0x00007f17bacbb298 in (anonymous namespace)::RenderView::~RenderView (this=0x7f17593f0580, __in_chrg=<optimized out>) at ../../Source/WebCore/rendering/RenderView.cpp:154
> #9 0x00007f17bacbb2b4 in (anonymous namespace)::RenderView::~RenderView (this=0x7f17593f0580, __in_chrg=<optimized out>) at ../../Source/WebCore/rendering/RenderView.cpp:156
> #10 0x00007f17bac4ff88 in (anonymous namespace)::RenderObject::destroy (this=0x7f17593f0580) at ../../Source/WebCore/rendering/RenderObject.cpp:1647
> #11 0x00007f17ba137ad5 in (anonymous namespace)::RenderPtr<WebCore::RenderView>::clear (this=0x7f179b8d38f0) at ../../Source/WebCore/rendering/RenderPtr.h:88
> #12 0x00007f17ba12aa58 in (anonymous namespace)::RenderPtr<WebCore::RenderView>::operator= (this=0x7f179b8d38f0) at ../../Source/WebCore/rendering/RenderPtr.h:66
> #13 0x00007f17ba10d275 in (anonymous namespace)::Document::destroyRenderTree (this=0x7f179b8d3000) at ../../Source/WebCore/dom/Document.cpp:2321
> #14 0x00007f17ba10d391 in (anonymous namespace)::Document::prepareForDestruction (this=0x7f179b8d3000) at ../../Source/WebCore/dom/Document.cpp:2352
> #15 0x00007f17ba106af8 in (anonymous namespace)::Document::removedLastRef (this=0x7f179b8d3000) at ../../Source/WebCore/dom/Document.cpp:676
> #16 0x00007f17ba1d803c in (anonymous namespace)::Node::removedLastRef (this=0x7f179b8d3000) at ../../Source/WebCore/dom/Node.cpp:2319
> #17 0x00007f17b96bcb8a in (anonymous namespace)::Node::deref (this=0x7f179b8d3000) at ../../Source/WebCore/dom/Node.h:732
> #18 0x00007f17b96d51cc in WTF::derefIfNotNull<WebCore::Document> (ptr=0x7f179b8d3000) at ../../Source/WTF/wtf/PassRefPtr.h:40
> #19 0x00007f17b96d4e07 in WTF::RefPtr<WebCore::Document>::~RefPtr (this=0x7ffe347e8140, __in_chrg=<optimized out>) at ../../Source/WTF/wtf/RefPtr.h:62
> #20 0x00007f17ba5676f0 in WTF::RefPtr<WebCore::Document>::operator=(<unknown type in /home/fujii/work/webkit/w1/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37, CU 0x0, DIE 0x10724f>) (this=0x7f179b9896a0, o=<unknown type in /home/fujii/work/webkit/w1/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37, CU 0x0, DIE 0x10724f>) at ../../Source/WTF/wtf/RefPtr.h:170
> #21 0x00007f17ba792af0 in (anonymous namespace)::Frame::setDocument(<unknown type in /home/fujii/work/webkit/w1/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37, CU 0x0, DIE 0x1797b9>) (this=0x7f179b989380, newDocument=<unknown type in /home/fujii/work/webkit/w1/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37, CU 0x0, DIE 0x1797b9>) at ../../Source/WebCore/page/Frame.cpp:273
> #22 0x00007f17ba64961c in (anonymous namespace)::FrameLoader::clear (this=0x7f179b989418, newDocument=0x7f179b8d3000, clearWindowProperties=false, clearScriptObjects=true, clearFrameView=true) at ../../Source/WebCore/loader/FrameLoader.cpp:620
> #23 0x00007f17ba6493b2 in (anonymous namespace)::FrameLoader::cancelAndClear (this=0x7f179b989418) at ../../Source/WebCore/loader/FrameLoader.cpp:581
> #24 0x00007f17ba79262f in (anonymous namespace)::Frame::~Frame (this=0x7f179b989380, __in_chrg=<optimized out>) at ../../Source/WebCore/page/Frame.cpp:210
> #25 0x00007f17ba792820 in (anonymous namespace)::Frame::~Frame (this=0x7f179b989380, __in_chrg=<optimized out>) at ../../Source/WebCore/page/Frame.cpp:225
> #26 0x00007f17b96e5654 in WTF::ThreadSafeRefCounted<WebCore::Frame>::deref (this=0x7f179b989388) at ../../Source/WTF/wtf/ThreadSafeRefCounted.h:79
> #27 0x00007f17b97e74db in WTF::Ref<WebCore::Frame>::~Ref (this=0x7f17593d8ee0, __in_chrg=<optimized out>) at ../../Source/WTF/wtf/Ref.h:59
> #28 0x00007f17ba79d30a in (anonymous namespace)::FrameView::~FrameView (this=0x7f17593d8d80, __in_chrg=<optimized out>) at ../../Source/WebCore/page/FrameView.cpp:269
> #29 0x00007f17ba79d35e in (anonymous namespace)::FrameView::~FrameView (this=0x7f17593d8d80, __in_chrg=<optimized out>) at ../../Source/WebCore/page/FrameView.cpp:287
> #30 0x00007f17b973ebec in WTF::RefCounted<WebCore::Widget>::deref (this=0x7f17593d8d88) at ../../Source/WTF/wtf/RefCounted.h:146
> #31 0x00007f17b97be148 in WTF::derefIfNotNull<WebCore::Widget> (ptr=0x7f17593d8d80) at ../../Source/WTF/wtf/PassRefPtr.h:40
> #32 0x00007f17b97bbeb5 in WTF::RefPtr<WebCore::Widget>::~RefPtr (this=0x7f179b9837c0, __in_chrg=<optimized out>) at ../../Source/WTF/wtf/RefPtr.h:62
> #33 0x00007f17bacd36f2 in WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*>::~KeyValuePair (this=0x7f179b9837c0, __in_chrg=<optimized out>) at ../../Source/WTF/wtf/HashTraits.h:260
> #34 0x00007f17bacd374d in WTF::HashTable<WTF::RefPtr<WebCore::Widget>, WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*>, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*> >, WTF::PtrHash<WTF::RefPtr<WebCore::Widget> >, WTF::HashMap<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*>::KeyValuePairTraits, WTF::HashTraits<WTF::RefPtr<WebCore::Widget> > >::deallocateTable (table=0x7f179b983780, size=8) at ../../Source/WTF/wtf/HashTable.h:1158
> #35 0x00007f17bacd2d8c in WTF::HashTable<WTF::RefPtr<WebCore::Widget>, WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*>, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*> >, WTF::PtrHash<WTF::RefPtr<WebCore::Widget> >, WTF::HashMap<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*>::KeyValuePairTraits, WTF::HashTraits<WTF::RefPtr<WebCore::Widget> > >::~HashTable (this=0x7ffe347e84e0, __in_chrg=<optimized out>) at ../../Source/WTF/wtf/HashTable.h:362
> #36 0x00007f17bacd2b7a in WTF::HashMap<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*, WTF::PtrHash<WTF::RefPtr<WebCore::Widget> >, WTF::HashTraits<WTF::RefPtr<WebCore::Widget> >, WTF::HashTraits<WebCore::FrameView*> >::~HashMap (this=0x7ffe347e84e0, __in_chrg=<optimized out>) at ../../Source/WTF/wtf/HashMap.h:36
> #37 0x00007f17bacd0a7e in (anonymous namespace)::WidgetHierarchyUpdatesSuspensionScope::moveWidgets (this=0x7ffe347e859f) at ../../Source/WebCore/rendering/RenderWidget.cpp:55
> #38 0x00007f17ba0e7e7f in (anonymous namespace)::WidgetHierarchyUpdatesSuspensionScope::~WidgetHierarchyUpdatesSuspensionScope (this=0x7ffe347e859f, __in_chrg=<optimized out>) at ../../Source/WebCore/rendering/RenderWidget.h:43
> #39 0x00007f17ba0e59f3 in (anonymous namespace)::ContainerNode::removeChild (this=0x7f179b9db820, oldChild=..., ec=@0x7ffe347e863c: 0) at ../../Source/WebCore/dom/ContainerNode.cpp:543
> #40 0x00007f17ba1d06ce in (anonymous namespace)::Node::removeChild (this=0x7f179b9db820, oldChild=..., ec=@0x7ffe347e863c: 0) at ../../Source/WebCore/dom/Node.cpp:429
> #41 0x00007f17b9e38664 in (anonymous namespace)::JSNode::removeChild (this=0x7f174a967c00, state=...) at ../../Source/WebCore/bindings/js/JSNodeCustom.cpp:161
> #42 0x00007f17bb3ef951 in (anonymous namespace)::jsNodePrototypeFunctionRemoveChild (state=0x7ffe347e86b0) at DerivedSources/WebCore/JSNode.cpp:598
> #43 0x00007f175ae88028 in ?? ()
> #44 0x00007ffe347e8730 in ?? ()
> #45 0x00007f17b332ade2 in llint_entry () at ../../Source/WTF/wtf/RefPtr.h:79
Fourth ASSERTION FAILED:
> STDERR: ASSERTION FAILED: !m_inPageCache
> STDERR: ../../Source/WebCore/dom/Document.cpp(599) : virtual WebCore::Document::~Document()
> #0 0x00007fc1a53af395 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:323
> #1 0x00007fc1abdbaf2b in (anonymous namespace)::Document::~Document (this=0x7fc18d4d6000, __in_chrg=<optimized out>) at ../../Source/WebCore/dom/Document.cpp:599
> #2 0x00007fc1ac0464c2 in (anonymous namespace)::HTMLDocument::~HTMLDocument (this=0x7fc18d4d6000, __in_chrg=<optimized out>) at ../../Source/WebCore/html/HTMLDocument.cpp:92
> #3 0x00007fc1ac0464f6 in (anonymous namespace)::HTMLDocument::~HTMLDocument (this=0x7fc18d4d6000, __in_chrg=<optimized out>) at ../../Source/WebCore/html/HTMLDocument.cpp:94
> #4 0x00007fc1abdd6507 in (anonymous namespace)::Document::decrementReferencingNodeCount (this=0x7fc18d4d6000) at ../../Source/WebCore/dom/Document.h:332
> #5 0x00007fc1abdbbc48 in (anonymous namespace)::Document::removedLastRef (this=0x7fc18d4d6000) at ../../Source/WebCore/dom/Document.cpp:711
> #6 0x00007fc1abe8d03c in (anonymous namespace)::Node::removedLastRef (this=0x7fc18d4d6000) at ../../Source/WebCore/dom/Node.cpp:2319
> #7 0x00007fc1ab371b8a in (anonymous namespace)::Node::deref (this=0x7fc18d4d6000) at ../../Source/WebCore/dom/Node.h:732
> #8 0x00007fc1ab38a1cc in WTF::derefIfNotNull<WebCore::Document> (ptr=0x7fc18d4d6000) at ../../Source/WTF/wtf/PassRefPtr.h:40
> #9 0x00007fc1ab389e07 in WTF::RefPtr<WebCore::Document>::~RefPtr (this=0x7ffcba1c67a0, __in_chrg=<optimized out>) at ../../Source/WTF/wtf/RefPtr.h:62
> #10 0x00007fc1ac21c6f0 in WTF::RefPtr<WebCore::Document>::operator=(<unknown type in /home/fujii/work/webkit/w1/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37, CU 0x0, DIE 0x10724f>) (this=0x7fc18d5876a0, o=<unknown type in /home/fujii/work/webkit/w1/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37, CU 0x0, DIE 0x10724f>) at ../../Source/WTF/wtf/RefPtr.h:170
> #11 0x00007fc1ac447af0 in (anonymous namespace)::Frame::setDocument(<unknown type in /home/fujii/work/webkit/w1/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37, CU 0x0, DIE 0x1797b9>) (this=0x7fc18d587380, newDocument=<unknown type in /home/fujii/work/webkit/w1/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37, CU 0x0, DIE 0x1797b9>) at ../../Source/WebCore/page/Frame.cpp:273
> #12 0x00007fc1ac2fe61c in (anonymous namespace)::FrameLoader::clear (this=0x7fc18d587418, newDocument=0x7fc18d4d6000, clearWindowProperties=false, clearScriptObjects=true, clearFrameView=true) at ../../Source/WebCore/loader/FrameLoader.cpp:620
> #13 0x00007fc1ac2fe3b2 in (anonymous namespace)::FrameLoader::cancelAndClear (this=0x7fc18d587418) at ../../Source/WebCore/loader/FrameLoader.cpp:581
> #14 0x00007fc1ac44762f in (anonymous namespace)::Frame::~Frame (this=0x7fc18d587380, __in_chrg=<optimized out>) at ../../Source/WebCore/page/Frame.cpp:210
> #15 0x00007fc1ac447820 in (anonymous namespace)::Frame::~Frame (this=0x7fc18d587380, __in_chrg=<optimized out>) at ../../Source/WebCore/page/Frame.cpp:225
> #16 0x00007fc1ab39a654 in WTF::ThreadSafeRefCounted<WebCore::Frame>::deref (this=0x7fc18d587388) at ../../Source/WTF/wtf/ThreadSafeRefCounted.h:79
> #17 0x00007fc1ab49c4db in WTF::Ref<WebCore::Frame>::~Ref (this=0x7fc146dd8ee0, __in_chrg=<optimized out>) at ../../Source/WTF/wtf/Ref.h:59
> #18 0x00007fc1ac45230a in (anonymous namespace)::FrameView::~FrameView (this=0x7fc146dd8d80, __in_chrg=<optimized out>) at ../../Source/WebCore/page/FrameView.cpp:269
> #19 0x00007fc1ac45235e in (anonymous namespace)::FrameView::~FrameView (this=0x7fc146dd8d80, __in_chrg=<optimized out>) at ../../Source/WebCore/page/FrameView.cpp:287
> #20 0x00007fc1ab3f3bec in WTF::RefCounted<WebCore::Widget>::deref (this=0x7fc146dd8d88) at ../../Source/WTF/wtf/RefCounted.h:146
> #21 0x00007fc1ab473148 in WTF::derefIfNotNull<WebCore::Widget> (ptr=0x7fc146dd8d80) at ../../Source/WTF/wtf/PassRefPtr.h:40
> #22 0x00007fc1ab470eb5 in WTF::RefPtr<WebCore::Widget>::~RefPtr (this=0x7fc18d5827b0, __in_chrg=<optimized out>) at ../../Source/WTF/wtf/RefPtr.h:62
> #23 0x00007fc1ac9886c0 in WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*>::~KeyValuePair (this=0x7fc18d5827b0, __in_chrg=<optimized out>) at ../../Source/WTF/wtf/HashTraits.h:260
> #24 0x00007fc1ac98871b in WTF::HashTable<WTF::RefPtr<WebCore::Widget>, WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*>, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*> >, WTF::PtrHash<WTF::RefPtr<WebCore::Widget> >, WTF::HashMap<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*>::KeyValuePairTraits, WTF::HashTraits<WTF::RefPtr<WebCore::Widget> > >::deallocateTable (table=0x7fc18d582780, size=8) at ../../Source/WTF/wtf/HashTable.h:1158
> #25 0x00007fc1ac987d5a in WTF::HashTable<WTF::RefPtr<WebCore::Widget>, WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*>, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*> >, WTF::PtrHash<WTF::RefPtr<WebCore::Widget> >, WTF::HashMap<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*>::KeyValuePairTraits, WTF::HashTraits<WTF::RefPtr<WebCore::Widget> > >::~HashTable (this=0x7ffcba1c6b40, __in_chrg=<optimized out>) at ../../Source/WTF/wtf/HashTable.h:362
> #26 0x00007fc1ac987b48 in WTF::HashMap<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*, WTF::PtrHash<WTF::RefPtr<WebCore::Widget> >, WTF::HashTraits<WTF::RefPtr<WebCore::Widget> >, WTF::HashTraits<WebCore::FrameView*> >::~HashMap (this=0x7ffcba1c6b40, __in_chrg=<optimized out>) at ../../Source/WTF/wtf/HashMap.h:36
> #27 0x00007fc1ac985a4c in (anonymous namespace)::WidgetHierarchyUpdatesSuspensionScope::moveWidgets (this=0x7ffcba1c6bff) at ../../Source/WebCore/rendering/RenderWidget.cpp:55
> #28 0x00007fc1abd9ce7f in (anonymous namespace)::WidgetHierarchyUpdatesSuspensionScope::~WidgetHierarchyUpdatesSuspensionScope (this=0x7ffcba1c6bff, __in_chrg=<optimized out>) at ../../Source/WebCore/rendering/RenderWidget.h:43
> #29 0x00007fc1abd9a9f3 in (anonymous namespace)::ContainerNode::removeChild (this=0x7fc18d5da820, oldChild=..., ec=@0x7ffcba1c6c9c: 0) at ../../Source/WebCore/dom/ContainerNode.cpp:543
> #30 0x00007fc1abe856ce in (anonymous namespace)::Node::removeChild (this=0x7fc18d5da820, oldChild=..., ec=@0x7ffcba1c6c9c: 0) at ../../Source/WebCore/dom/Node.cpp:429
> #31 0x00007fc1abaed664 in (anonymous namespace)::JSNode::removeChild (this=0x7fc144567c00, state=...) at ../../Source/WebCore/bindings/js/JSNodeCustom.cpp:161
> #32 0x00007fc1ad0a491f in (anonymous namespace)::jsNodePrototypeFunctionRemoveChild (state=0x7ffcba1c6d10) at DerivedSources/WebCore/JSNode.cpp:598
> #33 0x00007fc14cbb8028 in ?? ()
> #34 0x00007ffcba1c6d90 in ?? ()
> #35 0x00007fc1a4fdfde2 in llint_entry () at ../../Source/WTF/wtf/RefPtr.h:79
Fujii Hironori
Comment 9
2016-07-07 02:05:36 PDT
Created attachment 283000: workaround patch
fast/history/page-cache-destroy-document.html tests the case where an iframe is removed in the pagehide event. But these callstacks are truncated and miss the important part under JSC. PageCache::addIfCacheable proceeds in the following order:
1) Make sure all the documents know they are being added to the PageCache.
2) Fire the pagehide event in all frames.
Then, documents marked InPageCache are removed. This causes a lot of assertion failures. I attached a workaround patch swapping the order. This solves these assertion failures and the crash. Unfortunately, this workaround patch makes fast/history/page-cache-geolocation-active-oneshot.html fail with a text failure. Need more investigation.
> ./Tools/Scripts/run-webkit-tests --gtk --release fast/history/page-cache-destroy-document.html fast/history/page-cache-geolocation-active-oneshot.html
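The ordering hazard described in Comment 9, as an added example that is not WebKit code, the attached workaround patch or changeset 205786: a toy C++ model in which every type and function name is hypothetical. It counts documents torn down while still flagged as in the page cache, once for each order of the two steps.

```cpp
#include <algorithm>
#include <cstdio>
#include <functional>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Toy model, not WebKit code: every type and function name is hypothetical.
struct Document { bool inPageCache = false; }; // stands in for Document::m_inPageCache

struct Frame {
    std::string name;
    Document document;
    std::vector<std::unique_ptr<Frame>> children;
    std::function<void(Frame&)> onPageHide; // the page script's pagehide handler
};

struct Outcome {
    int destroyedWhileInPageCache = 0; // teardowns that would trip ASSERT(!m_inPageCache)
    int documentsCached = 0;           // documents still marked once caching finished
};

// Number of documents in a frame subtree that carry the in-page-cache flag.
static int countFlagged(const Frame& frame)
{
    int n = frame.document.inPageCache ? 1 : 0;
    for (const auto& child : frame.children)
        n += countFlagged(*child);
    return n;
}

// Models script removing an <iframe>: the subframe and its document die here.
static void removeSubframe(Frame& parent, const std::string& name, Outcome& out)
{
    auto it = std::find_if(parent.children.begin(), parent.children.end(),
        [&](const std::unique_ptr<Frame>& f) { return f->name == name; });
    if (it == parent.children.end())
        return;
    out.destroyedWhileInPageCache += countFlagged(**it);
    parent.children.erase(it);
}

// Step "make sure all the documents know they are being added to the PageCache".
static int markInPageCache(Frame& frame)
{
    frame.document.inPageCache = true;
    int n = 1;
    for (auto& child : frame.children)
        n += markInPageCache(*child);
    return n;
}

// Step "fire the pagehide event in all frames". The handler is page script and
// may shrink frame.children, so the size is re-read on every iteration.
static void firePageHide(Frame& frame)
{
    if (frame.onPageHide)
        frame.onPageHide(frame);
    for (std::size_t i = 0; i < frame.children.size(); ++i)
        firePageHide(*frame.children[i]);
}

// Constructed input: a main frame whose pagehide handler removes its iframe.
static std::unique_ptr<Frame> makePage(Outcome& out)
{
    auto page = std::make_unique<Frame>();
    page->name = "main";
    auto sub = std::make_unique<Frame>();
    sub->name = "iframe";
    page->children.push_back(std::move(sub));
    page->onPageHide = [&out](Frame& self) { removeSubframe(self, "iframe", out); };
    return page;
}

// Order reported in Comment 9: mark the documents, then fire pagehide.
Outcome markThenFirePageHide()
{
    Outcome out;
    auto page = makePage(out);
    markInPageCache(*page);
    firePageHide(*page);
    out.documentsCached = countFlagged(*page);
    return out;
}

// Swapped order of the workaround: fire pagehide, then mark what is left.
Outcome firePageHideThenMark()
{
    Outcome out;
    auto page = makePage(out);
    firePageHide(*page);
    out.documentsCached = markInPageCache(*page);
    return out;
}

int main()
{
    std::printf("mark then pagehide: %d, pagehide then mark: %d flagged documents destroyed\n",
        markThenFirePageHide().destroyedWhileInPageCache,
        firePageHideThenMark().destroyedWhileInPageCache);
}
```

The model covers only the flag-versus-teardown ordering; it says nothing about the text failure Comment 9 reports for the swapped order.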
Fujii Hironori
Comment 10
2016-09-12 03:18:05 PDT
Fixed.
https://trac.webkit.org/changeset/205786