Bug 263217 - REGRESSION(269369@main) ASSERTION FAILED: !m_inRemovedLastRefFunction in WebCore::Node::ref
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Chris Dumez
Keywords: InRadar
Reported: 2023-10-16 14:04 PDT by Fujii Hironori
Modified: 2023-10-16 14:28 PDT
Description Fujii Hironori 2023-10-16 14:04:45 PDT
I'm running layout tests with the Windows port Debug build 269374@main.

Regressions: Unexpected crashes (2)
  fast/css/content/quote-crash-when-floating.html [ Crash ]
  fast/forms/form-submission-crash-successful-submit-button.html [ Crash ]

ASSERTION FAILED: !m_inRemovedLastRefFunction
C:\home\webkit\gc\Source\WebCore\dom/Node.h(803) : ref
1   00007FF92FAD1C19 WTFCrash
2   00007FF8F24A5EED WTFCrashWithInfo
3   00007FF8F2748F0B WebCore::Node::ref
4   00007FF8F4146F5A WTF::Ref<WebCore::Document,WTF::RawPtrTraits<WebCore::Document> >::Ref
5   00007FF8F4E28DAC WebCore::ContainerNode::removeNodeWithScriptAssertion
6   00007FF8F4E1E99C WebCore::ContainerNode::removeChild
7   00007FF8F54AF3EE WebCore::ValidationMessage::deleteBubbleTree
8   00007FF8F54AF1C6 WebCore::ValidationMessage::~ValidationMessage
9   00007FF8F54B8DFC std::default_delete<WebCore::ValidationMessage>::operator()
10  00007FF8F54B8E89 std::unique_ptr<WebCore::ValidationMessage,std::default_delete<WebCore::ValidationMessage> >::reset
11  00007FF8F54B47D1 std::unique_ptr<WebCore::ValidationMessage,std::default_delete<WebCore::ValidationMessage> >::operator=
12  00007FF8F54AE919 WebCore::ValidatedFormListedElement::removedFromAncestor
13  00007FF8F5365F1A WebCore::HTMLFormControlElement::removedFromAncestor
14  00007FF8F539AF85 WebCore::HTMLInputElement::removedFromAncestor
15  00007FF8F4E24B7F WebCore::notifyNodeRemovedFromDocument
16  00007FF8F4E24C65 WebCore::notifyNodeRemovedFromDocument
17  00007FF8F4E24C65 WebCore::notifyNodeRemovedFromDocument
18  00007FF8F4E24A05 WebCore::notifyChildNodeRemoved
19  00007FF8F4E1EDD1 WebCore::removeDetachedChildrenInContainer
20  00007FF8F4E1EBE7 WebCore::ContainerNode::removeDetachedChildren
21  00007FF8F4E7DB18 WebCore::Document::removedLastRef
22  00007FF8F5017208 WebCore::Node::removedLastRef
23  00007FF8F274936E WebCore::Node::deref
24  00007FF8F2CAC21B WTF::Ref<WebCore::Document,WTF::RawPtrTraits<WebCore::Document> >::~Ref
25  00007FF8F4E9A156 WebCore::Document::queueTaskToDispatchEvent::<lambda_7>::~`lambda at C:\home\webkit\gc\Source\WebCore\dom\Document.cpp:5508:35'
26  00007FF8F4EB4246 WTF::Detail::CallableWrapper<`lambda at C:\home\webkit\gc\Source\WebCore\dom\Document.cpp:5508:35',void>::~CallableWrapper
27  00007FF8F4EB41D9 WTF::Detail::CallableWrapper<`lambda at C:\home\webkit\gc\Source\WebCore\dom\Document.cpp:5508:35',void>::~CallableWrapper
28  00007FF8F2665761 std::default_delete<WTF::Detail::CallableWrapperBase<void> >::operator()
29  00007FF8F2665717 std::unique_ptr<WTF::Detail::CallableWrapperBase<void>,std::default_delete<WTF::Detail::CallableWrapperBase<void> > >::~unique_ptr
30  00007FF8F26656D3 WTF::Function<void ()>::~Function
31  00007FF8F4FAA266 WebCore::EventLoopFunctionDispatchTask::~EventLoopFunctionDispatchTask
Comment 1 Chris Dumez 2023-10-16 14:06:50 PDT
Yes, this is a pain. I really wish we had https://github.com/WebKit/WebKit/pull/8748...
Comment 2 Fujii Hironori 2023-10-16 14:08:12 PDT
fast/css/content/quote-crash-when-floating.html isn't crashing solely.
> python .\Tools\Scripts\run-webkit-tests --debug fast/css/content/quote-crash-when-floating.html --iterations=5 -v

The preceding test fast/css/content/display-contents-on-focus-crash.html is making the following test crash.

> python .\Tools\Scripts\run-webkit-tests --debug fast/css/content/display-contents-on-focus-crash.html --iterations=5 -v

[1/5] fast/css/content/display-contents-on-focus-crash.html passed
[2/5] fast/css/content/display-contents-on-focus-crash.html failed unexpectedly (WebProcess crashed [pid=876])
[3/5] fast/css/content/display-contents-on-focus-crash.html passed
[4/5] fast/css/content/display-contents-on-focus-crash.html failed unexpectedly (WebKitTestRunner crashed [pid=34556])
[5/5] fast/css/content/display-contents-on-focus-crash.html passed
Comment 3 Chris Dumez 2023-10-16 14:08:46 PDT
Will do a partial revert.
Comment 4 Chris Dumez 2023-10-16 14:13:15 PDT
Pull request: https://github.com/WebKit/WebKit/pull/19131
Comment 5 EWS 2023-10-16 14:27:07 PDT
Committed 269383@main (4878f0893799): <https://commits.webkit.org/269383@main>

Reviewed commits have been landed. Closing PR #19131 and removing active labels.
Comment 6 Radar WebKit Bug Importer 2023-10-16 14:28:14 PDT
<rdar://problem/117037687>