RESOLVED FIXED 224033
ASSERTION FAILED: isReactionAllowed() in enqueueDisconnectedCallbackIfNeeded during document teardown 
https://bugs.webkit.org/show_bug.cgi?id=224033
Summary ASSERTION FAILED: isReactionAllowed() in enqueueDisconnectedCallbackIfNeeded ...
Robert Jenner
Reported 2021-03-31 18:23:40 PDT
imported/w3c/web-platform-tests/custom-elements/reactions/HTMLMediaElement.html is a flakey crashing in iOS and macOS Debug. HISTORY URL: https://results.webkit.org/?suite=layout-tests&test=imported%2Fw3c%2Fweb-platform-tests%2Fcustom-elements%2Freactions%2FHTMLMediaElement.html ASSERTION FAILED: CustomElementReactionDisallowedScope::isReactionAllowed() ./dom/CustomElementReactionQueue.cpp(175) : static void WebCore::CustomElementReactionQueue::enqueueDisconnectedCallbackIfNeeded(WebCore::Element &) 1 0x1333a9128 WTFCrash 2 0x113e4c4c0 WebCore::JSANGLEInstancedArrays::createPrototype(JSC::VM&, WebCore::JSDOMGlobalObject&) 3 0x11679baac WebCore::CustomElementReactionQueue::enqueueDisconnectedCallbackIfNeeded(WebCore::Element&) 4 0x1168daf60 WebCore::Element::removedFromAncestor(WebCore::Node::RemovalType, WebCore::ContainerNode&) 5 0x116799f40 WebCore::notifyNodeRemovedFromDocument(WebCore::ContainerNode&, WebCore::TreeScopeChange, WebCore::Node&) 6 0x11679a010 WebCore::notifyNodeRemovedFromDocument(WebCore::ContainerNode&, WebCore::TreeScopeChange, WebCore::Node&) 7 0x116799dc0 WebCore::notifyChildNodeRemoved(WebCore::ContainerNode&, WebCore::Node&) 8 0x11679a5f4 WebCore::addChildNodesToDeletionQueue(WebCore::Node*&, WebCore::Node*&, WebCore::ContainerNode&) 9 0x11679a6c4 WebCore::removeDetachedChildrenInContainer(WebCore::ContainerNode&) 10 0x116773684 WebCore::ContainerNode::removeDetachedChildren() 11 0x1167de61c WebCore::Document::removedLastRef() 12 0x1169a6588 WebCore::Node::removedLastRef() 13 0x113f80444 WebCore::Node::deref() const 14 0x11699df48 WebCore::Node::derefEventTarget() 15 0x113ee7a44 WebCore::EventTarget::deref() 16 0x113ee7a10 WTF::Ref<WebCore::EventTarget, WTF::RawPtrTraits<WebCore::EventTarget> >::~Ref() 17 0x113f5ae60 WTF::Ref<WebCore::EventTarget, WTF::RawPtrTraits<WebCore::EventTarget> >::~Ref() 18 0x11425828c WebCore::JSDOMWrapper<WebCore::EventTarget>::~JSDOMWrapper() 19 0x114258254 WebCore::JSEventTarget::~JSEventTarget() 20 0x1141c97e0 WebCore::JSEventTarget::~JSEventTarget() 21 0x11415ed50 WebCore::JSEventTarget::destroy(JSC::JSCell*) 22 0x134cf0594 JSC::JSDestructibleObjectDestroyFunc::operator()(JSC::VM&, JSC::JSCell*) const 23 0x134d087a0 void JSC::MarkedBlock::Handle::specializedSweep<false, (JSC::MarkedBlock::Handle::EmptyMode)0, (JSC::MarkedBlock::Handle::SweepMode)0, (JSC::MarkedBlock::Handle::SweepDestructionMode)0, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)0, (JSC::MarkedBlock::Handle::MarksMode)0, JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::JSDestructibleObjectDestroyFunc const&)::'lambda'(void*)::operator()(void*) const 24 0x134d0880c void JSC::MarkedBlock::Handle::specializedSweep<false, (JSC::MarkedBlock::Handle::EmptyMode)0, (JSC::MarkedBlock::Handle::SweepMode)0, (JSC::MarkedBlock::Handle::SweepDestructionMode)0, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)0, (JSC::MarkedBlock::Handle::MarksMode)0, JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::JSDestructibleObjectDestroyFunc const&)::'lambda'(unsigned long)::operator()(unsigned long) const 25 0x134d02248 void JSC::MarkedBlock::Handle::specializedSweep<false, (JSC::MarkedBlock::Handle::EmptyMode)0, (JSC::MarkedBlock::Handle::SweepMode)0, (JSC::MarkedBlock::Handle::SweepDestructionMode)0, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)0, (JSC::MarkedBlock::Handle::MarksMode)0, JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::JSDestructibleObjectDestroyFunc const&) 26 0x134cf0528 void JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType<JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::JSDestructibleObjectDestroyFunc const&) 27 0x134cf03e8 JSC::JSDestructibleObjectHeapCellType::finishSweep(JSC::MarkedBlock::Handle&, JSC::FreeList*) 28 0x13461e238 JSC::Subspace::finishSweep(JSC::MarkedBlock::Handle&, JSC::FreeList*) 29 0x1345f65d8 JSC::MarkedBlock::Handle::sweep(JSC::FreeList*) 30 0x1345df124 JSC::LocalAllocator::tryAllocateIn(JSC::MarkedBlock::Handle*) 31 0x1345dee6c JSC::LocalAllocator::tryAllocateWithoutCollecting() LEAK: 1 WebPageProxy
Attachments
Fixes the bug (4.35 KB, patch)
2021-05-17 22:37 PDT, Ryosuke Niwa 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Robert Jenner
Comment 1 2021-03-31 18:36:37 PDT
I did attempt to reproduce the crash, but I was unable to an Intel Mac. The crashing is v very flakey and rarely occurs. Most recent crashes have been on an Apple silicon Mac. I don't have access to an AS Mac, so I could not attempt to reproduce the crash there.
Radar WebKit Bug Importer
Comment 2 2021-03-31 18:36:55 PDT
<rdar://problem/76082151>
Robert Jenner
Comment 3 2021-03-31 18:43:48 PDT
Updated test expectations to Pass Crash while test is reviewed here: https://trac.webkit.org/changeset/275335/webkit
Ryosuke Niwa
Comment 4 2021-05-17 22:37:39 PDT
Created attachment 428913 [details] Fixes the bug
Maciej Stachowiak
Comment 5 2021-05-17 23:02:36 PDT
Comment on attachment 428913 [details] Fixes the bug r=ne
Ryosuke Niwa
Comment 6 2021-05-18 01:44:55 PDT
Comment on attachment 428913 [details] Fixes the bug Clearing flags on attachment: 428913 Committed r277646 (237852@main): <https://commits.webkit.org/237852@main>
Ryosuke Niwa
Comment 7 2021-05-18 01:44:57 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.