Created attachment 463063 [details] REVERT of 255626@main Any committer can land this patch automatically by marking it commit-queue+. The commit-queue will build and test the patch before landing to ensure that the revert will be successful. This process takes approximately 15 minutes. If you would like to land the revert faster, you can use the following command: webkit-patch land-attachment ATTACHMENT_ID where ATTACHMENT_ID is the ID of this attachment.

Comment on attachment 463063 [details] REVERT of 255626@main Causes crashes on iOS Debug

<rdar://problem/101385427>

Reverted in https://commits.webkit.org/255793@main.

svg/foreignObject/respect-block-margin.html Is a constant crash since introduced at 255626@main. HISTORY: https://results.webkit.org/?suite=layout-tests&test=svg%2FforeignObject%2Frespect-block-margin.html DIFF: stdout: stderr: ASSERTION FAILED: is<Target>(source) /Volumes/Data/worker/Apple-iOS-16-Simulator-Debug-Build/build/WebKitBuild/Debug-iphonesimulator/usr/local/include/wtf/TypeCasts.h(79) : match_constness_t<Source, Target> &WTF::downcast(Source &) [Target = WebCore::RenderBoxModelObject, Source = WebCore::RenderObject] 1 0x2527f12d9 WTFCrash 2 0x2527f12f9 WTFCrashWithSecurityImplication 3 0x2810017c1 std::__1::conditional<std::is_const_v<WebCore::RenderObject>, std::__1::add_const<WebCore::RenderBoxModelObject>::type, std::__1::remove_const<WebCore::RenderBoxModelObject>::type>::type& WTF::downcast<WebCore::RenderBoxModelObject, WebCore::RenderObject>(WebCore::RenderObject&) 4 0x284d68877 WebCore::RenderObject::destroy() 5 0x284d686a9 WebCore::RenderObjectDeleter::operator()(WebCore::RenderObject*) const 6 0x284fffd7c std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>::reset(WebCore::RenderObject*) 7 0x284fffd19 std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>::~unique_ptr() 8 0x284fee015 std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>::~unique_ptr() 9 0x284fed8c5 WebCore::RenderTreeBuilder::destroy(WebCore::RenderObject&, WebCore::RenderTreeBuilder::CanCollapseAnonymousBlock) 10 0x284fed8b0 WebCore::RenderTreeBuilder::destroy(WebCore::RenderObject&, WebCore::RenderTreeBuilder::CanCollapseAnonymousBlock) 11 0x284ff3da3 WebCore::RenderTreeBuilder::destroyAndCleanUpAnonymousWrappers(WebCore::RenderObject&) 12 0x28501cf19 WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&)::$_2::operator()(unsigned int) const 13 0x28501ba85 WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&) 14 0x28501cbc6 WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&) 15 0x28302c112 WebCore::Document::destroyRenderTree() 16 0x28302c614 WebCore::Document::willBeRemovedFromFrame() 17 0x283fe8575 WebCore::Frame::setView(WTF::RefPtr<WebCore::FrameView, WTF::RawPtrTraits<WebCore::FrameView>, WTF::DefaultRefDerefTraits<WebCore::FrameView> >&&) 18 0x283fed366 WebCore::Frame::createView(WebCore::IntSize const&, std::__1::optional<WebCore::Color> const&, WebCore::IntSize const&, WebCore::IntRect const&, bool, WebCore::ScrollbarMode, bool, WebCore::ScrollbarMode, bool) 19 0x2352ca9c1 WebKit::WebFrameLoaderClient::transitionToCommittedForNewPage() 20 0x283d7d996 WebCore::FrameLoader::transitionToCommitted(WebCore::CachedPage*) 21 0x283d7c5cd WebCore::FrameLoader::commitProvisionalLoad() 22 0x283cfe4a9 WebCore::DocumentLoader::commitIfReady() 23 0x283cfec0d WebCore::DocumentLoader::finishedLoading() 24 0x283d0c8e1 WebCore::DocumentLoader::maybeLoadEmpty() 25 0x283d0cb46 WebCore::DocumentLoader::startLoadingMainResource() 26 0x283db975c WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WebCore::FormState*, WebCore::NavigationPolicyDecision, WebCore::AllowNavigationToInvalidURL)::$_12::operator()() 27 0x283db9229 WTF::Detail::CallableWrapper<WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WebCore::FormState*, WebCore::NavigationPolicyDecision, WebCore::AllowNavigationToInvalidURL)::$_12, void>::call() 28 0x27f700a92 WTF::Function<void ()>::operator()() const 29 0x27f75f162 WTF::CompletionHandler<void ()>::operator()() 30 0x283d79830 WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WebCore::FormState*, WebCore::NavigationPolicyDecision, WebCore::AllowNavigationToInvalidURL) 31 0x283db5bbc WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::RefPtr<WebCore::FormState, WTF::RawPtrTraits<WebCore::FormState>, WTF::DefaultRefDerefTraits<WebCore::FormState> >&&, WebCore::AllowNavigationToInvalidURL, WTF::CompletionHandler<void ()>&&)::$_9::operator()(WebCore::ResourceRequest const&, WTF::WeakPtr<WebCore::FormState, WTF::DefaultWeakPtrImpl>&&, WebCore::NavigationPolicyDecision) com.apple.WebKit.WebContent.Development terminated (pid 55349) for reason: crash LEAK: 12 WebPageProxy

This is only crashing on iOS Debug.

*** This bug has been marked as a duplicate of bug 245908 ***

So, I am trying to reproduce this using iOS Simulator -- without luck. I never checked iOS builds before, so I am wondering if this is the correct approach, to use iOS sim to reproduce this on macOS? How else can I tackle this?

Heh, wait, I forgot that I changed the RenderSVGRoot <-> RenderSVGViewportContainer relationship (now the latter holds a WeakPtr to the former, not vice-versa). Eventually that masks the bug on iOS.... I can at least say that I've build-webkit --debug --iphone-simulator and ran the layout tests in svg/, without a crash/assertion in svg/foreignObjct.

Tthis relanded in 256960@main. According to https://results.webkit.org/?suite=layout-tests&test=svg%2FforeignObject%2Frespect-block-margin.html there is no crash in the previously affected test - respect-block-margin.html - anymore.