Bug 172514 - ASSERTION FAILED: !renderer() in WebCore::Text::~Text
Summary: ASSERTION FAILED: !renderer() in WebCore::Text::~Text
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
Keywords: InRadar
Reported: 2017-05-23 11:32 PDT by Ryan Haddad
Modified: 2019-09-14 01:52 PDT

Attachments
patch (1.28 KB, patch)
2019-09-14 00:26 PDT, Antti Koivisto

Description Ryan Haddad 2017-05-23 11:32:57 PDT
This assertion failure is seen with LayoutTest imported/w3c/web-platform-tests/innerText/getter.html

https://build.webkit.org/results/Apple%20El%20Capitan%20Debug%20WK2%20(Tests)/r217275%20(1295)/results.html

ASSERTION FAILED: !renderer()
/Volumes/Data/slave/elcapitan-debug/build/Source/WebCore/dom/Text.cpp(57) : virtual WebCore::Text::~Text()
1   0x113da9380 WTFCrash
2   0x1091f2f2d WebCore::Text::~Text()
3   0x1091f2f65 WebCore::Text::~Text()
4   0x1091f2f89 WebCore::Text::~Text()
5   0x1069d38a8 WebCore::removeDetachedChildrenInContainer(WebCore::ContainerNode&)
6   0x1069c07fe WebCore::ContainerNode::removeDetachedChildren()
7   0x1069c11d0 WebCore::ContainerNode::~ContainerNode()
8   0x106f3029f WebCore::Element::~Element()
9   0x1090012c7 WebCore::StyledElement::~StyledElement()
10  0x1067c9d75 WebCore::HTMLElement::~HTMLElement()
11  0x1067c9d55 WebCore::HTMLDivElement::~HTMLDivElement()
12  0x10734c255 WebCore::HTMLDivElement::~HTMLDivElement()
13  0x10734c279 WebCore::HTMLDivElement::~HTMLDivElement()
14  0x10875e5bd WebCore::Node::removedLastRef()
15  0x10663b25e WebCore::Node::deref()
16  0x108756f05 WebCore::Node::derefEventTarget()
17  0x106deedc9 WebCore::EventTarget::deref()
18  0x106ec2ccd WTF::Ref<WebCore::EventTarget>::~Ref()
19  0x106eb5115 WTF::Ref<WebCore::EventTarget>::~Ref()
20  0x107b1078c WebCore::JSDOMWrapper<WebCore::EventTarget>::~JSDOMWrapper()
21  0x107b10765 WebCore::JSEventTarget::~JSEventTarget()
22  0x107b100a5 WebCore::JSEventTarget::~JSEventTarget()
23  0x107b0e47d WebCore::JSEventTarget::destroy(JSC::JSCell*)
24  0x11373ea6a JSC::(anonymous namespace)::DestroyFunc::operator()(JSC::VM&, JSC::JSCell*) const
25  0x11374070b JSC::FreeList JSC::MarkedBlock::Handle::specializedSweep<false, (JSC::MarkedBlock::Handle::EmptyMode)0, (JSC::MarkedBlock::Handle::SweepMode)0, (JSC::MarkedBlock::Handle::SweepDestructionMode)0, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)0, (JSC::MarkedBlock::Handle::MarksMode)0, JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::(anonymous namespace)::DestroyFunc const&)::'lambda'(unsigned long)::operator()(unsigned long) const
26  0x11373f0df JSC::FreeList JSC::MarkedBlock::Handle::specializedSweep<false, (JSC::MarkedBlock::Handle::EmptyMode)0, (JSC::MarkedBlock::Handle::SweepMode)0, (JSC::MarkedBlock::Handle::SweepDestructionMode)0, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)0, (JSC::MarkedBlock::Handle::MarksMode)0, JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::(anonymous namespace)::DestroyFunc const&)
27  0x11373e9ef JSC::FreeList JSC::MarkedBlock::Handle::finishSweepKnowingSubspace<JSC::(anonymous namespace)::DestroyFunc>(JSC::MarkedBlock::Handle::SweepMode, JSC::(anonymous namespace)::DestroyFunc const&)
28  0x11373e86d JSC::JSDestructibleObjectSubspace::finishSweep(JSC::MarkedBlock::Handle&, JSC::MarkedBlock::Handle::SweepMode)
29  0x11390310f JSC::MarkedBlock::Handle::sweep(JSC::MarkedBlock::Handle::SweepMode)
30  0x1138fe1c5 JSC::MarkedAllocator::tryAllocateIn(JSC::MarkedBlock::Handle*)
31  0x1138fe035 JSC::MarkedAllocator::tryAllocateWithoutCollecting()
Comment 1 Ryan Haddad 2017-05-23 11:33:48 PDT
This is related to https://trac.webkit.org/changeset/217273
Comment 2 Ryan Haddad 2017-05-23 11:37:04 PDT
Skipped test in https://trac.webkit.org/changeset/217285/webkit
Comment 3 Ryan Haddad 2017-05-30 13:28:22 PDT
This test was unskipped with http://trac.webkit.org/changeset/217477, but it is still a flaky crash.
Comment 4 Radar WebKit Bug Importer 2017-05-30 13:35:08 PDT
<rdar://problem/32470509>
Comment 5 Ryan Haddad 2017-05-30 13:38:28 PDT
Skipped test again in https://trac.webkit.org/changeset/217569/webkit
Comment 6 Antti Koivisto 2019-09-14 00:26:35 PDT
Created attachment 378788
patch
Comment 7 WebKit Commit Bot 2019-09-14 01:52:56 PDT
Comment on attachment 378788
patch

Clearing flags on attachment: 378788

Committed r249871: <https://trac.webkit.org/changeset/249871>
Comment 8 WebKit Commit Bot 2019-09-14 01:52:57 PDT
All reviewed patches have been landed.  Closing bug.