25/09/2016, 14.20 CrashTracer System: * APPLICATION: com.apple.WebKit.WebContent.Development * SIGNATURE: com.apple.WebCore: WTF::match_constness<WebCore::CSSValue, WebCore::CSSContentDistributionValue>::type& WTF::downcast<WebCore::CSSContentDistributionValue, WebCore::CSSValue> + 65 * MORE INFORMATION: https://crashtracer.apple.com/signature/show/54148905?app=com.apple.WebKit.WebContent.Development&build=16B2326&users=internal Summary of a selection of backtraces attributed to this bug. The stack frame considered to be the unique "crash signature" is highlighted ==> like this <==. This frame is used for aggregation when filing these bugs and does not necessarily imply fault. 8 JavaScriptCore: WTFCrash 8 JavaScriptCore: WTFCrashWithSecurityImplication ==> 8 WebCore: WTF::match_constness<WebCore::CSSValue, WebCore::CSSContentDistributionValue>::type& WTF::downcast<WebCore::CSSContentDistributionValue, WebCore::CSSValue>(WebCore::CSSValue&) <== 8 WebCore: WebCore::StyleBuilderConverter::convertContentAlignmentData(WebCore::StyleResolver&, WebCore::CSSValue&) 8 WebCore: WebCore::StyleBuilderFunctions::applyValueJustifyContent(WebCore::StyleResolver&, WebCore::CSSValue&) 8 WebCore: WebCore::StyleBuilder::applyProperty(WebCore::CSSPropertyID, WebCore::StyleResolver&, WebCore::CSSValue&, bool, bool) 8 WebCore: WebCore::StyleResolver::applyProperty(WebCore::CSSPropertyID, WebCore::CSSValue*, WebCore::SelectorChecker::LinkMatchMask, WebCore::StyleResolver::MatchResult const*) 8 WebCore: WebCore::StyleResolver::CascadedProperties::Property::apply(WebCore::StyleResolver&, WebCore::StyleResolver::MatchResult const*) 8 WebCore: WebCore::StyleResolver::applyCascadedProperties(WebCore::StyleResolver::CascadedProperties&, int, int, WebCore::StyleResolver::MatchResult const*) 8 WebCore: WebCore::StyleResolver::applyMatchedProperties(WebCore::StyleResolver::MatchResult const&, WebCore::Element const&, WebCore::StyleResolver::ShouldUseMatchedPropertiesCache) 8 WebCore: WebCore::StyleResolver::styleForElement(WebCore::Element const&, WebCore::RenderStyle const*, WebCore::RuleMatchingBehavior, WebCore::RenderRegion const*, WebCore::SelectorFilter const*) 6 WebCore: WebCore::Style::TreeResolver::styleForElement(WebCore::Element&, WebCore::RenderStyle const&) | 6 WebCore: WebCore::Style::TreeResolver::resolveElement(WebCore::Element&) | 6 WebCore: WebCore::Style::TreeResolver::resolveComposedTree() | 6 WebCore: WebCore::Style::TreeResolver::resolve(WebCore::Style::Change) | 6 WebCore: WebCore::Document::recalcStyle(WebCore::Style::Change) | 6 WebCore: WebCore::Document::updateStyleIfNeeded() | 6 WebCore: WebCore::Document::updateLayout() | 6 WebCore: WebCore::Document::updateLayoutIgnorePendingStylesheets(WebCore::Document::RunPostLayoutTasks) | 4 WebCore: WebCore::Element::getBoundingClientRect() | | 4 WebCore: WebCore::jsElementPrototypeFunctionGetBoundingClientRect(JSC::ExecState*) | | 4 | | 4 JavaScriptCore: llint_entry | | 4 JavaScriptCore: llint_entry | | 4 JavaScriptCore: llint_entry | | 4 JavaScriptCore: llint_entry | | 4 JavaScriptCore: llint_entry | | 4 JavaScriptCore: llint_entry | | 4 JavaScriptCore: llint_entry | | 4 JavaScriptCore: llint_entry | | 4 JavaScriptCore: vmEntryToJavaScript | | 4 JavaScriptCore: JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) | | 4 JavaScriptCore: JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) | | 4 JavaScriptCore: JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) | | 4 WebCore: WebCore::HTMLMediaElement::didAddUserAgentShadowRoot(WebCore::ShadowRoot*) | | 4 WebCore: WebCore::Element::addShadowRoot(WTF::Ref<WebCore::ShadowRoot>&&) | | 4 WebCore: WebCore::Element::ensureUserAgentShadowRoot() | | 4 WebCore: WebCore::HTMLMediaElement::ensureMediaControlsShadowRoot() | | 4 WebCore: WebCore::HTMLMediaElement::configureMediaControls() | | 4 WebCore: WebCore::HTMLMediaElement::insertedInto(WebCore::ContainerNode&) | | 4 WebCore: WebCore::notifyNodeInsertedIntoDocument(WebCore::ContainerNode&, WebCore::Node&, WTF::Vector<WTF::Ref<WebCore::Node>, 11ul, WTF::CrashOnOverflow, 16ul>&) | | 4 WebCore: WebCore::notifyDescendantInsertedIntoDocument(WebCore::ContainerNode&, WebCore::ContainerNode&, WTF::Vector<WTF::Ref<WebCore::Node>, 11ul, WTF::CrashOnOverflow, 16ul>&) | | 4 WebCore: WebCore::notifyNodeInsertedIntoDocument(WebCore::ContainerNode&, WebCore::Node&, WTF::Vector<WTF::Ref<WebCore::Node>, 11ul, WTF::CrashOnOverflow, 16ul>&) | | 4 WebCore: WebCore::notifyChildNodeInserted(WebCore::ContainerNode&, WebCore::Node&, WTF::Vector<WTF::Ref<WebCore::Node>, 11ul, WTF::CrashOnOverflow, 16ul>&) | | 4 WebCore: WebCore::ContainerNode::notifyChildInserted(WebCore::Node&, WebCore::ContainerNode::ChildChangeSource) | | 4 WebCore: WebCore::ContainerNode::updateTreeAfterInsertion(WebCore::Node&) | | 4 WebCore: WebCore::ContainerNode::appendChildWithoutPreInsertionValidityCheck(WebCore::Node&, int&) | | 4 WebCore: WebCore::ContainerNode::insertBefore(WebCore::Node&, WebCore::Node*, int&) | | 4 WebCore: WebCore::Node::insertBefore(WebCore::Node&, WebCore::Node*, int&) | | 4 WebCore: WebCore::JSNode::insertBefore(JSC::ExecState&) | | 4 WebCore: WebCore::jsNodePrototypeFunctionInsertBefore(JSC::ExecState*) | | 4 | | truncating... | pruning: 2 WebCore: WebCore::HTMLBodyElement::scrollHeight() pruning: 2 WebCore: WebCore::Element::resolveStyle(WebCore::RenderStyle const*)
rdar://problem/28465278
Created attachment 296650 [details] patch
Comment on attachment 296650 [details] patch Clearing flags on attachment: 296650 Committed r209659: <http://trac.webkit.org/changeset/209659>
All reviewed patches have been landed. Closing bug.