NEW 166816
ASSERTION FAILED: m_renderer in RenderImageResource::shutdown while destroying a RenderImage
https://bugs.webkit.org/show_bug.cgi?id=166816
Renata Hodovan
Reported 2017-01-08 10:21:57 PST
Load the attached test with a debug build of WebKitTestRunner.

Checked version: 217d599
OS: Darwin-15.6.0-x86_64-i386-64bit

Test content:
<img><body style="display:table-column-group">

Backtrace:
ASSERTION FAILED: m_renderer
WebKit/Source/WebCore/rendering/RenderImageResource.cpp(57) : virtual void WebCore::RenderImageResource::shutdown()
1 0x11484cbf1 WTFCrash
2 0x11e2f7d91 WebCore::RenderImageResource::shutdown()
3 0x11e2e9a47 WebCore::RenderImage::~RenderImage()
4 0x11e519a75 WebCore::RenderMedia::~RenderMedia()
5 0x11e9117da WebCore::RenderVideo::~RenderVideo()
6 0x11e911825 WebCore::RenderVideo::~RenderVideo()
7 0x11e911849 WebCore::RenderVideo::~RenderVideo()
8 0x11e5a9e6f WebCore::RenderObject::destroy()
9 0x11e8fead5 WebCore::RenderTreeUpdater::createRenderer(WebCore::Element&, WebCore::RenderStyle&&)
10 0x11e8fc92c WebCore::RenderTreeUpdater::updateElementRenderer(WebCore::Element&, WebCore::Style::ElementUpdate&)
11 0x11e8fbfff WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&)
12 0x11e8fb36f WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update, std::__1::default_delete<WebCore::Style::Update> >)
13 0x119ecd965 WebCore::Document::recalcStyle(WebCore::Style::Change)
14 0x119eb810b WebCore::Document::updateStyleIfNeeded()
15 0x119ef3b4a WebCore::Document::finishedParsing()
16 0x11abab566 WebCore::HTMLConstructionSite::finishedParsing()
17 0x11aebbdb8 WebCore::HTMLTreeBuilder::finished()
18 0x11ac2500c WebCore::HTMLDocumentParser::end()
19 0x11ac20cf7 WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd()
20 0x11ac2095e WebCore::HTMLDocumentParser::prepareToStopParsing()
21 0x11ac2217b WebCore::HTMLDocumentParser::endIfDelayed()
22 0x11ac21ff6 WebCore::HTMLDocumentParser::resumeParsingAfterYield()
23 0x11addf366 WebCore::HTMLParserScheduler::continueNextChunkTimerFired()
24 0x11ade3669 void std::__1::__invoke_void_return_wrapper<void>::__call<std::__1::__bind<void (WebCore::HTMLParserScheduler::*&)(), 
WebCore::HTMLParserScheduler*>&>(std::__1::__bind<void (WebCore::HTMLParserScheduler::*&)(), WebCore::HTMLParserScheduler*>&&&) 25 0x11ade3379 std::__1::__function::__func<std::__1::__bind<void (WebCore::HTMLParserScheduler::*&)(), WebCore::HTMLParserScheduler*>, std::__1::allocator<std::__1::__bind<void (WebCore::HTMLParserScheduler::*&)(), WebCore::HTMLParserScheduler*> >, void ()>::operator()() 26 0x118e59045 std::__1::function<void ()>::operator()() const 27 0x118e58bd9 WebCore::Timer::fired() 28 0x11f7c0c5f WebCore::ThreadTimers::sharedTimerFiredInternal() 29 0x11f7c3e11 WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0::operator()() const 30 0x11f7c3ddd void std::__1::__invoke_void_return_wrapper<void>::__call<WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0&>(WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0&&&) 31 0x11f7c3d89 std::__1::__function::__func<WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0, std::__1::allocator<WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0>, void ()>::operator()() ASAN:DEADLYSIGNAL ================================================================= ==8675==ERROR: AddressSanitizer: SEGV on unknown address 0x0000bbadbeef (pc 0x00011484cc29 bp 0x7fff54f97130 sp 0x7fff54f97120 T0) #0 0x11484cc28 in WTFCrash (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2e80c28) #1 0x11e2f7d90 in WebCore::RenderImageResource::shutdown() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5599d90) #2 0x11e2e9a46 in WebCore::RenderImage::~RenderImage() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x558ba46) #3 0x11e519a74 in WebCore::RenderMedia::~RenderMedia() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x57bba74) #4 0x11e9117d9 in WebCore::RenderVideo::~RenderVideo() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5bb37d9) #5 0x11e911824 in 
WebCore::RenderVideo::~RenderVideo() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5bb3824) #6 0x11e911848 in WebCore::RenderVideo::~RenderVideo() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5bb3848) #7 0x11e5a9e6e in WebCore::RenderObject::destroy() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x584be6e) #8 0x11e8fead4 in WebCore::RenderTreeUpdater::createRenderer(WebCore::Element&, WebCore::RenderStyle&&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5ba0ad4) #9 0x11e8fc92b in WebCore::RenderTreeUpdater::updateElementRenderer(WebCore::Element&, WebCore::Style::ElementUpdate&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5b9e92b) #10 0x11e8fbffe in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5b9dffe) #11 0x11e8fb36e in WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update, std::__1::default_delete<WebCore::Style::Update> >) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x5b9d36e) #12 0x119ecd964 in WebCore::Document::recalcStyle(WebCore::Style::Change) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x116f964) #13 0x119eb810a in WebCore::Document::updateStyleIfNeeded() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x115a10a) #14 0x119ef3b49 in WebCore::Document::finishedParsing() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1195b49) #15 0x11abab565 in WebCore::HTMLConstructionSite::finishedParsing() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1e4d565) #16 0x11aebbdb7 in WebCore::HTMLTreeBuilder::finished() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x215ddb7) #17 0x11ac2500b in WebCore::HTMLDocumentParser::end() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1ec700b) #18 0x11ac20cf6 in 
WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1ec2cf6) #19 0x11ac2095d in WebCore::HTMLDocumentParser::prepareToStopParsing() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1ec295d) #20 0x11ac2217a in WebCore::HTMLDocumentParser::endIfDelayed() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1ec417a) #21 0x11ac21ff5 in WebCore::HTMLDocumentParser::resumeParsingAfterYield() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x1ec3ff5) #22 0x11addf365 in WebCore::HTMLParserScheduler::continueNextChunkTimerFired() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x2081365) #23 0x11ade3668 in void std::__1::__invoke_void_return_wrapper<void>::__call<std::__1::__bind<void (WebCore::HTMLParserScheduler::*&)(), WebCore::HTMLParserScheduler*>&>(std::__1::__bind<void (WebCore::HTMLParserScheduler::*&)(), WebCore::HTMLParserScheduler*>&&&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x2085668) #24 0x11ade3378 in std::__1::__function::__func<std::__1::__bind<void (WebCore::HTMLParserScheduler::*&)(), WebCore::HTMLParserScheduler*>, std::__1::allocator<std::__1::__bind<void (WebCore::HTMLParserScheduler::*&)(), WebCore::HTMLParserScheduler*> >, void ()>::operator()() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x2085378) #25 0x118e59044 in std::__1::function<void ()>::operator()() const (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0xfb044) #26 0x118e58bd8 in WebCore::Timer::fired() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0xfabd8) #27 0x11f7c0c5e in WebCore::ThreadTimers::sharedTimerFiredInternal() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x6a62c5e) #28 0x11f7c3e10 in WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0::operator()() const (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x6a65e10) #29 
0x11f7c3ddc in void std::__1::__invoke_void_return_wrapper<void>::__call<WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0&>(WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0&&&) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x6a65ddc) #30 0x11f7c3d88 in std::__1::__function::__func<WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0, std::__1::allocator<WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0>, void ()>::operator()() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x6a65d88) #31 0x118e59044 in std::__1::function<void ()>::operator()() const (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0xfb044) #32 0x11d58e29d in WebCore::MainThreadSharedTimer::fired() (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x483029d) #33 0x11d58eb22 in WebCore::timerFired(__CFRunLoopTimer*, void*) (WebKit/WebKitBuild/Debug/WebCore.framework/Versions/A/WebCore+0x4830b22) #34 0x7fff927b1af3 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x92af3) #35 0x7fff927b1782 in __CFRunLoopDoTimer (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x92782) #36 0x7fff927b12d9 in __CFRunLoopDoTimers (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x922d9) #37 0x7fff927a87d0 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x897d0) #38 0x7fff927a7e37 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x88e37) #39 0x7fff90b63934 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30934) #40 0x7fff90b6376e in ReceiveNextEventCommon 
(/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x3076e) #41 0x7fff90b635ae in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x305ae) #42 0x7fff95a03df5 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x48df5) #43 0x7fff95a03225 in -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x48225) #44 0x7fff959f7d7f in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x3cd7f) #45 0x7fff959c1367 in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x6367) #46 0x7fff897b8193 in _xpc_objc_main (/usr/lib/system/libxpc.dylib+0x11193) #47 0x7fff897b6bbd in xpc_main (/usr/lib/system/libxpc.dylib+0xfbbd) #48 0x10ac62f73 in main (WebKit/WebKitBuild/Debug/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development+0x100001f73) #49 0x7fff9c5a45ac in start (/usr/lib/system/libdyld.dylib+0x35ac) #50 0x0 (<unknown module>) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV (WebKit/WebKitBuild/Debug/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x2e80c28) in WTFCrash ==8675==ABORTING #CRASHED - com.apple.WebKit.WebContent.Development (pid 8675)
Attachments
Test (46 bytes, text/html)
2017-01-08 10:21 PST, Renata Hodovan
no flags
Renata Hodovan
Comment 1 2017-01-08 10:21:59 PST
Alexey Proskuryakov
Comment 2 2017-01-09 16:17:42 PST
The test case seems suspicious, as there is no video there. Is this actually reproducible?
alan
Comment 3 2017-01-09 16:21:24 PST
updated stacktrace ASSERTION FAILED: m_renderer /Users/zbujtas/OpenSource/Source/WebCore/rendering/RenderImageResource.cpp(57) : virtual void WebCore::RenderImageResource::shutdown() 1 0x1101bee31 WTFCrash 2 0x11a053c01 WebCore::RenderImageResource::shutdown() 3 0x11a045907 WebCore::RenderImage::~RenderImage() 4 0x11a045af5 WebCore::RenderImage::~RenderImage() 5 0x11a045b19 WebCore::RenderImage::~RenderImage() 6 0x11a30e89f WebCore::RenderObject::destroy() 7 0x11a662e85 WebCore::RenderTreeUpdater::createRenderer(WebCore::Element&, WebCore::RenderStyle&&) 8 0x11a6609b0 WebCore::RenderTreeUpdater::updateElementRenderer(WebCore::Element&, WebCore::Style::ElementUpdate const&) 9 0x11a65ff23 WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) 10 0x11a65ed4f WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >) 11 0x115b121e8 WebCore::Document::recalcStyle(WebCore::Style::Change) 12 0x115af73bb WebCore::Document::updateStyleIfNeeded() 13 0x115b43303 WebCore::Document::finishedParsing() 14 0x1168530c6 WebCore::HTMLConstructionSite::finishedParsing() 15 0x116b62088 WebCore::HTMLTreeBuilder::finished() 16 0x1168ccffc WebCore::HTMLDocumentParser::end() 17 0x1168c77a7 WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() 18 0x1168c735e WebCore::HTMLDocumentParser::prepareToStopParsing() 19 0x1168cd11c WebCore::HTMLDocumentParser::attemptToEnd() 20 0x1168cd254 WebCore::HTMLDocumentParser::finish() 21 0x115d14260 WebCore::DocumentWriter::end() 22 0x115c5b417 WebCore::DocumentLoader::finishedLoading(double) 23 0x115c5aeeb WebCore::DocumentLoader::notifyFinished(WebCore::CachedResource&) 24 0x114fb98b4 WebCore::CachedResource::checkNotify() 25 0x114fb9f44 WebCore::CachedResource::finishLoading(WebCore::SharedBuffer*) 26 0x114fabed5 WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) 27 0x11b0bb69f WebCore::SubresourceLoader::didFinishLoading(double) 
28 0x11a73c404 WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle*, double) 29 0x11b9d8496 -[WebCoreResourceHandleAsDelegate connectionDidFinishLoading:] 30 0x7fff9b04db83 __65-[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:]_block_invoke 31 0x7fff9b04da95 -[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:]