WebKit Bugzilla
RESOLVED FIXED
263671
Regression(268375@main) Crash under ~Node() due to CheckedRef
https://bugs.webkit.org/show_bug.cgi?id=263671
Chris Dumez
Reported
2023-10-25 10:31:53 PDT
Crash under ~Node() due to CheckedRef:

```
ASSERTION FAILED: !m_count
/Volumes/Work/WebKit/OpenSource/WebKitBuild/Debug/usr/local/include/wtf/CheckedRef.h(250) : WTF::CanMakeCheckedPtrBase<WTF::SingleThreadIntegralWrapper<unsigned int>, unsigned int>::~CanMakeCheckedPtrBase() [StorageType = WTF::SingleThreadIntegralWrapper<unsigned int>, PtrCounterType = unsigned int]
1   0x138bbdb3c WTFCrash
2   0x282d68d1c WebCore::BaseAudioContext::markSummingJunctionDirty(WebCore::AudioSummingJunction*)
3   0x28326135c WTF::CanMakeCheckedPtrBase<WTF::SingleThreadIntegralWrapper<unsigned int>, unsigned int>::~CanMakeCheckedPtrBase()
4   0x283d3426c WebCore::EventTarget::~EventTarget()
5   0x283daf064 WebCore::Node::~Node()
6   0x283b5bbf4 WebCore::ContainerNode::~ContainerNode()
7   0x283cbcb3c WebCore::Element::~Element()
8   0x283e00150 WebCore::PseudoElement::~PseudoElement()
9   0x283e00180 WebCore::PseudoElement::~PseudoElement()
10  0x283e001b0 WebCore::PseudoElement::~PseudoElement()
11  0x283dbaf04 WebCore::Node::removedLastRef()
12  0x2832ca440 WebCore::Node::deref() const
13  0x283d0511c WTF::DefaultRefDerefTraits<WebCore::PseudoElement>::derefIfNotNull(WebCore::PseudoElement*)
14  0x283d050dc WTF::RefPtr<WebCore::PseudoElement, WTF::RawPtrTraits<WebCore::PseudoElement>, WTF::DefaultRefDerefTraits<WebCore::PseudoElement>>::~RefPtr()
15  0x283cd85e0 WTF::RefPtr<WebCore::PseudoElement, WTF::RawPtrTraits<WebCore::PseudoElement>, WTF::DefaultRefDerefTraits<WebCore::PseudoElement>>::~RefPtr()
16  0x283cf6020 WTF::RefPtr<WebCore::PseudoElement, WTF::RawPtrTraits<WebCore::PseudoElement>, WTF::DefaultRefDerefTraits<WebCore::PseudoElement>>::operator=(WTF::RefPtr<WebCore::PseudoElement, WTF::RawPtrTraits<WebCore::PseudoElement>, WTF::DefaultRefDerefTraits<WebCore::PseudoElement>>&&)
17  0x283cd8ecc WebCore::ElementRareData::setBeforePseudoElement(WTF::RefPtr<WebCore::PseudoElement, WTF::RawPtrTraits<WebCore::PseudoElement>, WTF::DefaultRefDerefTraits<WebCore::PseudoElement>>&&)
18  0x283cd90fc WebCore::Element::clearBeforePseudoElementSlow()
19  0x283cd0024 WebCore::Element::clearBeforePseudoElement()
20  0x285bd1424 WebCore::RenderTreeUpdater::GeneratedContent::removeBeforePseudoElement(WebCore::Element&, WebCore::RenderTreeBuilder&)
21  0x285bd06d0 WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&)::$_5::operator()(unsigned int) const
22  0x285bcf090 WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&)
23  0x285bcde5c WebCore::RenderTreeUpdater::updateElementRenderer(WebCore::Element&, WebCore::Style::ElementUpdate const&)
24  0x285bcd3fc WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&)
25  0x285bccc28 WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const>>)
26  0x283bd6650 WebCore::Document::updateRenderTree(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const>>)
27  0x283bd6cf8 WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType)
28  0x283bd7a8c WebCore::Document::updateStyleIfNeeded()
29  0x284c03f80 WebCore::LocalFrameViewLayoutContext::layout()
30  0x284c18608 WebCore::LocalFrameView::updateContentsSize()
31  0x284ee692c WebCore::ScrollView::updateScrollbars(WebCore::IntPoint const&)
```

Test case:

```
<style>
html { content: "a" url(); }
html::before { container-type: size; content: url(); float: left; }
</style>
```
Radar WebKit Bug Importer
Comment 1
2023-10-25 10:33:25 PDT
<rdar://problem/117483509>
Chris Dumez
Comment 2
2023-10-25 18:47:48 PDT
Remaining CheckedRef:

```
1   0x2a5d3adc4 WTF::CanMakeCheckedPtrBase<WTF::SingleThreadIntegralWrapper<unsigned int>, unsigned int>::SharedStackTrace::create()
2   0x2a5d3acc8 WTF::CanMakeCheckedPtrBase<WTF::SingleThreadIntegralWrapper<unsigned int>, unsigned int>::registerCheckedPtr(void const*) const
3   0x2a89a1f20 WTF::CheckedRef<WebCore::Element, WTF::RawPtrTraits<WebCore::Element>>::CheckedRef(WebCore::Element&)
4   0x2a8999760 WTF::CheckedRef<WebCore::Element, WTF::RawPtrTraits<WebCore::Element>>::CheckedRef(WebCore::Element&)
5   0x2aab07310 WebCore::Style::Scope::updateQueryContainerState(WebCore::Style::Scope::QueryContainerUpdateContext&)
6   0x2a9a76300 WebCore::LocalFrameViewLayoutContext::layout()
7   0x2a9a8a9a8 WebCore::LocalFrameView::updateContentsSize()
8   0x2a9d5a2ac WebCore::ScrollView::updateScrollbars(WebCore::IntPoint const&)
9   0x2a9d5bfb8 WebCore::ScrollView::setContentsSize(WebCore::IntSize const&)
10  0x2a9a79a40 WebCore::LocalFrameView::setContentsSize(WebCore::IntSize const&)
11  0x2a9a73544 WebCore::LocalFrameView::adjustViewSize()
12  0x2a9a9a470 WebCore::LocalFrameViewLayoutContext::performLayout()
13  0x2a9a7629c WebCore::LocalFrameViewLayoutContext::layout()
14  0x2a8a4f648 WebCore::Document::implicitClose()
15  0x2a9803b78 WebCore::FrameLoader::checkCallImplicitClose()
16  0x2a980359c WebCore::FrameLoader::checkCompleted()
```
Chris Dumez
Comment 3
2023-10-25 21:31:27 PDT
Pull request: https://github.com/WebKit/WebKit/pull/19582
EWS
Comment 4
2023-10-26 16:25:08 PDT
Committed 269829@main (f747a6b78181): <https://commits.webkit.org/269829@main>

Reviewed commits have been landed. Closing PR #19582 and removing active labels.
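
Added example, not WebKit code and not part of the original report: a reduced C++ model of the invariant behind `ASSERTION FAILED: !m_count`, where a CheckedRef-style guard (registered as in Comment 2) is still live when the last owning reference is released (as in the first trace). `ModelNode`, `CheckedGuard`, `OwningGuard` and `styleUpdateDropsLastRef` are hypothetical names; the owning guard is shown for contrast only, since this page does not say how 269829@main changed the code.

```cpp
#include <cstdio>

// Constructed model, not WebKit code. refCount stands in for the owning
// reference count, checkedCount for the m_count named in the assertion.
struct ModelNode {
    unsigned refCount = 1;
    unsigned checkedCount = 0;
    bool destroyed = false;
    bool assertionTripped = false;
    void deref() {
        if (--refCount)
            return;
        // Same condition as `!m_count`: destroyed while a checked reference is registered.
        assertionTripped = checkedCount != 0;
        destroyed = true;
    }
};

// Non-owning guard (CheckedRef-like): registers itself, does not extend lifetime.
struct CheckedGuard {
    ModelNode& node;
    explicit CheckedGuard(ModelNode& n) : node(n) { ++node.checkedCount; }
    ~CheckedGuard() { --node.checkedCount; }
};

// Owning guard (Ref-like), shown for contrast: destruction waits for its release.
struct OwningGuard {
    ModelNode& node;
    explicit OwningGuard(ModelNode& n) : node(n) { ++node.refCount; }
    ~OwningGuard() { node.deref(); }
};

// Hypothetical stand-in for the style update that releases the last owning reference.
static void styleUpdateDropsLastRef(ModelNode& n) { n.deref(); }

template<typename Guard>
bool tripsAssertion(bool& destroyedWhileGuarded) {
    ModelNode node;
    {
        Guard guard(node);
        styleUpdateDropsLastRef(node);
        destroyedWhileGuarded = node.destroyed;
    }
    return node.assertionTripped;
}

int main() {
    bool d = false;
    std::printf("checked=%d owning=%d\n", tripsAssertion<CheckedGuard>(d), tripsAssertion<OwningGuard>(d));
}
```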