262413 – REGRESSION (268511@main): Crash under ~LegacyRenderSVGRoot() when loading nytimes.com

RESOLVED FIXED262413

REGRESSION (268511@main): Crash under ~LegacyRenderSVGRoot() when loading nytimes.com

https://bugs.webkit.org/show_bug.cgi?id=262413

Summary REGRESSION (268511@main): Crash under ~LegacyRenderSVGRoot() when loading nyt...

Chris Dumez

Reported 2023-09-29 16:32:08 PDT

Crash under ~LegacyRenderSVGRoot() when loading nytimes.com since 268511@main: ``` Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 WebCore 0x113b77ed4 WTFCrashWithInfo(int, char const*, char const*, int) + 20 (Assertions.h:778) 1 WebCore 0x114ab0bfc WTF::CanMakeCheckedPtrBase<WTF::SingleThreadIntegralWrapper<unsigned int>, unsigned int>::~CanMakeCheckedPtrBase() + 28 (CheckedRef.h:250) [inlined] 2 WebCore 0x114ab0bfc WebCore::RenderObject::~RenderObject() + 164 (RenderObject.cpp:172) 3 WebCore 0x114bc56b4 WebCore::LegacyRenderSVGRoot::~LegacyRenderSVGRoot() + 16 (LegacyRenderSVGRoot.cpp:76) [inlined] 4 WebCore 0x114bc56b4 WebCore::LegacyRenderSVGRoot::~LegacyRenderSVGRoot() + 16 (LegacyRenderSVGRoot.cpp:76) [inlined] 5 WebCore 0x114bc56b4 WebCore::LegacyRenderSVGRoot::~LegacyRenderSVGRoot() + 44 (LegacyRenderSVGRoot.cpp:76) 6 WebCore 0x114bc95fc std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>::reset[abi:v160006](WebCore::RenderObject*) + 16 (unique_ptr.h:297) [inlined] 7 WebCore 0x114bc95fc std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>::~unique_ptr[abi:v160006]() + 16 (unique_ptr.h:263) [inlined] 8 WebCore 0x114bc95fc std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>::~unique_ptr[abi:v160006]() + 16 (unique_ptr.h:263) [inlined] 9 WebCore 0x114bc95fc WebCore::RenderTreeBuilder::destroy(WebCore::RenderObject&, WebCore::RenderTreeBuilder::CanCollapseAnonymousBlock) + 192 (RenderTreeBuilder.cpp:175) 10 WebCore 0x114bcd3d8 WebCore::RenderTreeBuilder::destroyAndCleanUpAnonymousWrappers(WebCore::RenderObject&) + 240 (RenderTreeBuilder.cpp:892) 11 WebCore 0x114bd9d6c WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&)::$_9::operator()(unsigned int) const + 248 (RenderTreeUpdater.cpp:641) [inlined] 12 WebCore 0x114bd9d6c WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&) + 2176 (RenderTreeUpdater.cpp:664) ```

Attachments
Add attachment proposed patch, testcase, etc.

Chris Dumez

Comment 1 2023-09-29 16:32:16 PDT

<rdar://116257845>

Chris Dumez

Comment 2 2023-09-29 16:34:20 PDT

Pull request: https://github.com/WebKit/WebKit/pull/18447

EWS

Comment 3 2023-09-29 16:55:54 PDT

Committed 268678@main (b4da3e2a9e8d): <https://commits.webkit.org/268678@main> Reviewed commits have been landed. Closing PR #18447 and removing active labels.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component Layout and Rendering

Assignee

Chris Dumez

Reported

2023-09-29 16:32 PDT

Modified

2023-09-29 16:55 PDT History

CC List

4 users Show

URL

Keywords InRadar

Depends on

Blocks