Bug 250726 - Assertion failure in ContainerNode::removeNodeWithScriptAssertion via ~PDFPluginTextAnnotation
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM
Version: WebKit Local Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Ryosuke Niwa
Keywords: InRadar
Reported: 2023-01-17 13:55 PST by Ryosuke Niwa
Modified: 2023-01-18 09:41 PST
Description Ryosuke Niwa 2023-01-17 13:55:38 PST
e.g.
0   JavaScriptCore                	       0x19880915e WTFCrash + 14
1   JavaScriptCore                	       0x19880916e WTFCrashWithSecurityImplication + 14
2   WebCore                       	       0x1c2c62ba9 WebCore::ContainerNode::removeNodeWithScriptAssertion(WebCore::Node&, WebCore::ContainerNode::ChildChange::Source) + 697 (ContainerNode.cpp:191)
3   WebCore                       	       0x1c2c5c4b6 WebCore::ContainerNode::removeChild(WebCore::Node&) + 614 (ContainerNode.cpp:673)
4   WebKit                        	       0x1681ed47b WebKit::PDFPluginAnnotation::~PDFPluginAnnotation() + 1067 (PDFPluginAnnotation.mm:96)
5   WebKit                        	       0x168304f82 WebKit::PDFPluginTextAnnotation::~PDFPluginTextAnnotation() + 514 (PDFPluginTextAnnotation.mm:79)
6   WebKit                        	       0x168304c52 WebKit::PDFPluginPasswordField::~PDFPluginPasswordField() + 514 (PDFPluginPasswordField.mm:52)
7   WebKit                        	       0x1683050a5 WebKit::PDFPluginPasswordField::~PDFPluginPasswordField() + 21 (PDFPluginPasswordField.mm:50)
8   WebKit                        	       0x1683050c9 WebKit::PDFPluginPasswordField::~PDFPluginPasswordField() + 25 (PDFPluginPasswordField.mm:50)
9   WebKit                        	       0x1682639cd std::__1::default_delete<WebKit::PDFPluginAnnotation>::operator()(WebKit::PDFPluginAnnotation*) const + 141 (unique_ptr.h:57)
10  WebKit                        	       0x1682638ca WTF::RefCounted<WebKit::PDFPluginAnnotation, std::__1::default_delete<WebKit::PDFPluginAnnotation> >::deref() const + 250 (RefCounted.h:190)
11  WebKit                        	       0x168263c52 WTF::DefaultRefDerefTraits<WebKit::PDFPluginPasswordField>::derefIfNotNull(WebKit::PDFPluginPasswordField*) + 50 (RefPtr.h:42)
12  WebKit                        	       0x168263ba4 WTF::RefPtr<WebKit::PDFPluginPasswordField, WTF::RawPtrTraits<WebKit::PDFPluginPasswordField>, WTF::DefaultRefDerefTraits<WebKit::PDFPluginPasswordField> >::~RefPtr() + 276 (RefPtr.h:74)
13  WebKit                        	       0x1681b59a5 WTF::RefPtr<WebKit::PDFPluginPasswordField, WTF::RawPtrTraits<WebKit::PDFPluginPasswordField>, WTF::DefaultRefDerefTraits<WebKit::PDFPluginPasswordField> >::~RefPtr() + 21 (RefPtr.h:74)
14  WebKit                        	       0x1681b5df0 WebKit::PDFPlugin::~PDFPlugin() + 928 (PDFPlugin.mm:696)
15  WebKit                        	       0x1681b5f15 WebKit::PDFPlugin::~PDFPlugin() + 21 (PDFPlugin.mm:691)
16  WebKit                        	       0x1682125eb WTF::ThreadSafeRefCounted<WebKit::PDFPlugin, (WTF::DestructionThread)0>::deref() const::'lambda'()::operator()() const + 91 (ThreadSafeRefCounted.h:115)
17  WebKit                        	       0x168212512 WTF::ThreadSafeRefCounted<WebKit::PDFPlugin, (WTF::DestructionThread)0>::deref() const + 290 (ThreadSafeRefCounted.h:127)
18  WebKit                        	       0x168262044 WTF::Ref<WebKit::PDFPlugin, WTF::RawPtrTraits<WebKit::PDFPlugin> >::~Ref() + 340 (Ref.h:61)
19  WebKit                        	       0x1681b6845 WTF::Ref<WebKit::PDFPlugin, WTF::RawPtrTraits<WebKit::PDFPlugin> >::~Ref() + 21 (Ref.h:55)
20  WebKit                        	       0x169c5b474 WebKit::PluginView::~PluginView() + 292 (PluginView.cpp:232)
21  WebKit                        	       0x169c5b5f5 WebKit::PluginView::~PluginView() + 21 (PluginView.cpp:226)
22  WebKit                        	       0x169c5b619 WebKit::PluginView::~PluginView() + 25 (PluginView.cpp:226)
23  WebCore                       	       0x1bda60acd std::__1::default_delete<WebCore::Widget>::operator()(WebCore::Widget*) const + 141 (unique_ptr.h:57)
24  WebCore                       	       0x1bda609ca WTF::RefCounted<WebCore::Widget, std::__1::default_delete<WebCore::Widget> >::deref() const + 250 (RefCounted.h:190)
25  WebCore                       	       0x1bda60892 WTF::DefaultRefDerefTraits<WebCore::Widget>::derefIfNotNull(WebCore::Widget*) + 50 (RefPtr.h:42)
26  WebCore                       	       0x1bda607e4 WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> >::~RefPtr() + 276 (RefPtr.h:74)
27  WebCore                       	       0x1bda3c615 WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> >::~RefPtr() + 21 (RefPtr.h:74)
28  WebCore                       	       0x1c7290495 WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> >, WebCore::FrameView*>::~KeyValuePair() + 21 (KeyValuePair.h:33)
29  WebCore                       	       0x1c7290425 WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> >, WebCore::FrameView*>::~KeyValuePair() + 21 (KeyValuePair.h:33)
30  WebCore                       	       0x1c72903b7 WTF::HashTable<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> >, WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> >, WebCore::FrameView*>, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> >, WebCore::FrameView*> >, WTF::DefaultHash<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> > >, WTF::HashMap<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> >, WebCore::FrameView*, WTF::DefaultHash<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> > >, WTF::HashTraits<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> > >, WTF::HashTraits<WebCore::FrameView*>, WTF::HashTableTraits>::KeyValuePairTraits, WTF::HashTraits<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> > > >::deallocateTable(WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> >, WebCore::FrameView*>*) + 167 (HashTable.h:1179)
31  WebCore                       	       0x1c72902bd WTF::HashTable<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> >, WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> >, WebCore::FrameView*>, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> >, WebCore::FrameView*> >, WTF::DefaultHash<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> > >, WTF::HashMap<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> >, WebCore::FrameView*, WTF::DefaultHash<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> > >, WTF::HashTraits<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> > >, WTF::HashTraits<WebCore::FrameView*>, WTF::HashTableTraits>::KeyValuePairTraits, WTF::HashTraits<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> > > >::~HashTable() + 141 (HashTable.h:435)
32  WebCore                       	       0x1c728ff45 WTF::HashTable<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> >, WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> >, WebCore::FrameView*>, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> >, WebCore::FrameView*> >, WTF::DefaultHash<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> > >, WTF::HashMap<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> >, WebCore::FrameView*, WTF::DefaultHash<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> > >, WTF::HashTraits<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> > >, WTF::HashTraits<WebCore::FrameView*>, WTF::HashTableTraits>::KeyValuePairTraits, WTF::HashTraits<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> > > >::~HashTable() + 21 (HashTable.h:432)
33  WebCore                       	       0x1c72904b5 WTF::HashMap<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> >, WebCore::FrameView*, WTF::DefaultHash<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> > >, WTF::HashTraits<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> > >, WTF::HashTraits<WebCore::FrameView*>, WTF::HashTableTraits>::~HashMap() + 21 (HashMap.h:35)
34  WebCore                       	       0x1c7265745 WTF::HashMap<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> >, WebCore::FrameView*, WTF::DefaultHash<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> > >, WTF::HashTraits<WTF::RefPtr<WebCore::Widget, WTF::RawPtrTraits<WebCore::Widget>, WTF::DefaultRefDerefTraits<WebCore::Widget> > >, WTF::HashTraits<WebCore::FrameView*>, WTF::HashTableTraits>::~HashMap() + 21 (HashMap.h:35)
35  WebCore                       	       0x1c72655ca WebCore::WidgetHierarchyUpdatesSuspensionScope::moveWidgets() + 1018 (RenderWidget.cpp:77)
36  WebCore                       	       0x1bda59cc0 WebCore::WidgetHierarchyUpdatesSuspensionScope::~WidgetHierarchyUpdatesSuspensionScope() + 384 (RenderWidget.h:41)
37  WebCore                       	       0x1bda3c235 WebCore::WidgetHierarchyUpdatesSuspensionScope::~WidgetHierarchyUpdatesSuspensionScope() + 21 (RenderWidget.h:38)
38  WebCore                       	       0x1c2d4504b WebCore::Document::destroyRenderTree() + 1355 (Document.cpp:2673)
39  WebCore                       	       0x1c2d4597f WebCore::Document::willBeRemovedFromFrame() + 1327 (Document.cpp:2720)
40  WebCore                       	       0x1c4f1a565 WebCore::Frame::setView(WTF::RefPtr<WebCore::FrameView, WTF::RawPtrTraits<WebCore::FrameView>, WTF::DefaultRefDerefTraits<WebCore::FrameView> >&&) + 181 (Frame.cpp:241)
41  WebCore                       	       0x1c4a1872e WebCore::FrameLoader::closeAndRemoveChild(WebCore::Frame&) + 270 (FrameLoader.cpp:2811)
42  WebCore                       	       0x1c4a1846b WebCore::FrameLoader::detachFromParent() + 667 (FrameLoader.cpp:2938)
43  WebCore                       	       0x1c49fc493 WebCore::FrameLoader::detachChildren() + 1203 (FrameLoader.cpp:2804)
44  WebCore                       	       0x1c49e4750 WebCore::FrameLoader::setDocumentLoader(WebCore::DocumentLoader*) + 1520 (FrameLoader.cpp:1986)
45  WebCore                       	       0x1c4a11003 WebCore::FrameLoader::transitionToCommitted(WebCore::CachedPage*) + 1491 (FrameLoader.cpp:2243)
46  WebCore                       	       0x1c4a0f003 WebCore::FrameLoader::commitProvisionalLoad() + 3715 (FrameLoader.cpp:2099)

<rdar://103613680>
Comment 1 Ryosuke Niwa 2023-01-17 14:11:24 PST
Pull request: https://github.com/WebKit/WebKit/pull/8734
Comment 2 EWS 2023-01-18 09:41:52 PST
Committed 259033@main (70f33f17ad48): <https://commits.webkit.org/259033@main>

Reviewed commits have been landed. Closing PR #8734 and removing active labels.