Bug 263671 - Regression(268375@main) Crash under ~Node() due to CheckedRef
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Chris Dumez
URL:
Keywords: InRadar
Depends on:
Blocks: 261983
Reported: 2023-10-25 10:31 PDT by Chris Dumez
Modified: 2023-10-26 16:25 PDT (History)

Description Chris Dumez 2023-10-25 10:31:53 PDT
Crash under ~Node() due to CheckedRef:
```
ASSERTION FAILED: !m_count
/Volumes/Work/WebKit/OpenSource/WebKitBuild/Debug/usr/local/include/wtf/CheckedRef.h(250) : WTF::CanMakeCheckedPtrBase<WTF::SingleThreadIntegralWrapper<unsigned int>, unsigned int>::~CanMakeCheckedPtrBase() [StorageType = WTF::SingleThreadIntegralWrapper<unsigned int>, PtrCounterType = unsigned int]
1   0x138bbdb3c WTFCrash
2   0x282d68d1c WebCore::BaseAudioContext::markSummingJunctionDirty(WebCore::AudioSummingJunction*)
3   0x28326135c WTF::CanMakeCheckedPtrBase<WTF::SingleThreadIntegralWrapper<unsigned int>, unsigned int>::~CanMakeCheckedPtrBase()
4   0x283d3426c WebCore::EventTarget::~EventTarget()
5   0x283daf064 WebCore::Node::~Node()
6   0x283b5bbf4 WebCore::ContainerNode::~ContainerNode()
7   0x283cbcb3c WebCore::Element::~Element()
8   0x283e00150 WebCore::PseudoElement::~PseudoElement()
9   0x283e00180 WebCore::PseudoElement::~PseudoElement()
10  0x283e001b0 WebCore::PseudoElement::~PseudoElement()
11  0x283dbaf04 WebCore::Node::removedLastRef()
12  0x2832ca440 WebCore::Node::deref() const
13  0x283d0511c WTF::DefaultRefDerefTraits<WebCore::PseudoElement>::derefIfNotNull(WebCore::PseudoElement*)
14  0x283d050dc WTF::RefPtr<WebCore::PseudoElement, WTF::RawPtrTraits<WebCore::PseudoElement>, WTF::DefaultRefDerefTraits<WebCore::PseudoElement>>::~RefPtr()
15  0x283cd85e0 WTF::RefPtr<WebCore::PseudoElement, WTF::RawPtrTraits<WebCore::PseudoElement>, WTF::DefaultRefDerefTraits<WebCore::PseudoElement>>::~RefPtr()
16  0x283cf6020 WTF::RefPtr<WebCore::PseudoElement, WTF::RawPtrTraits<WebCore::PseudoElement>, WTF::DefaultRefDerefTraits<WebCore::PseudoElement>>::operator=(WTF::RefPtr<WebCore::PseudoElement, WTF::RawPtrTraits<WebCore::PseudoElement>, WTF::DefaultRefDerefTraits<WebCore::PseudoElement>>&&)
17  0x283cd8ecc WebCore::ElementRareData::setBeforePseudoElement(WTF::RefPtr<WebCore::PseudoElement, WTF::RawPtrTraits<WebCore::PseudoElement>, WTF::DefaultRefDerefTraits<WebCore::PseudoElement>>&&)
18  0x283cd90fc WebCore::Element::clearBeforePseudoElementSlow()
19  0x283cd0024 WebCore::Element::clearBeforePseudoElement()
20  0x285bd1424 WebCore::RenderTreeUpdater::GeneratedContent::removeBeforePseudoElement(WebCore::Element&, WebCore::RenderTreeBuilder&)
21  0x285bd06d0 WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&)::$_5::operator()(unsigned int) const
22  0x285bcf090 WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&)
23  0x285bcde5c WebCore::RenderTreeUpdater::updateElementRenderer(WebCore::Element&, WebCore::Style::ElementUpdate const&)
24  0x285bcd3fc WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&)
25  0x285bccc28 WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const>>)
26  0x283bd6650 WebCore::Document::updateRenderTree(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const>>)
27  0x283bd6cf8 WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType)
28  0x283bd7a8c WebCore::Document::updateStyleIfNeeded()
29  0x284c03f80 WebCore::LocalFrameViewLayoutContext::layout()
30  0x284c18608 WebCore::LocalFrameView::updateContentsSize()
31  0x284ee692c WebCore::ScrollView::updateScrollbars(WebCore::IntPoint const&)
```

Test case:
```html
<style>
    html {
        content: "a" url();
    }

    html::before {
        container-type: size;
        content: url();
        float: left;
    }
</style>
```
Comment 1 Radar WebKit Bug Importer 2023-10-25 10:33:25 PDT
<rdar://problem/117483509>
Comment 2 Chris Dumez 2023-10-25 18:47:48 PDT
Remaining CheckedRef:
```
1   0x2a5d3adc4 WTF::CanMakeCheckedPtrBase<WTF::SingleThreadIntegralWrapper<unsigned int>, unsigned int>::SharedStackTrace::create()
2   0x2a5d3acc8 WTF::CanMakeCheckedPtrBase<WTF::SingleThreadIntegralWrapper<unsigned int>, unsigned int>::registerCheckedPtr(void const*) const
3   0x2a89a1f20 WTF::CheckedRef<WebCore::Element, WTF::RawPtrTraits<WebCore::Element>>::CheckedRef(WebCore::Element&)
4   0x2a8999760 WTF::CheckedRef<WebCore::Element, WTF::RawPtrTraits<WebCore::Element>>::CheckedRef(WebCore::Element&)
5   0x2aab07310 WebCore::Style::Scope::updateQueryContainerState(WebCore::Style::Scope::QueryContainerUpdateContext&)
6   0x2a9a76300 WebCore::LocalFrameViewLayoutContext::layout()
7   0x2a9a8a9a8 WebCore::LocalFrameView::updateContentsSize()
8   0x2a9d5a2ac WebCore::ScrollView::updateScrollbars(WebCore::IntPoint const&)
9   0x2a9d5bfb8 WebCore::ScrollView::setContentsSize(WebCore::IntSize const&)
10  0x2a9a79a40 WebCore::LocalFrameView::setContentsSize(WebCore::IntSize const&)
11  0x2a9a73544 WebCore::LocalFrameView::adjustViewSize()
12  0x2a9a9a470 WebCore::LocalFrameViewLayoutContext::performLayout()
13  0x2a9a7629c WebCore::LocalFrameViewLayoutContext::layout()
14  0x2a8a4f648 WebCore::Document::implicitClose()
15  0x2a9803b78 WebCore::FrameLoader::checkCallImplicitClose()
16  0x2a980359c WebCore::FrameLoader::checkCompleted()
```
Comment 3 Chris Dumez 2023-10-25 21:31:27 PDT
Pull request: https://github.com/WebKit/WebKit/pull/19582
Comment 4 EWS 2023-10-26 16:25:08 PDT
Committed 269829@main (f747a6b78181): <https://commits.webkit.org/269829@main>

Reviewed commits have been landed. Closing PR #19582 and removing active labels.