RESOLVED FIXED264828
RELEASE_ASSERT(!m_count); in WebCore::RenderObject::~RenderObject() 
https://bugs.webkit.org/show_bug.cgi?id=264828
Summary RELEASE_ASSERT(!m_count); in WebCore::RenderObject::~RenderObject()
Nicole Rosario
Reported 2023-11-14 10:58:15 PST
RELEASE_ASSERT(!m_count); in WebCore::RenderObject::~RenderObject(): Exception Type: EXC_BREAKPOINT (SIGTRAP) Exception Codes: 0x0000000000000001, 0x0000000112922674 Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 WebCore 0x112922674 WTFCrashWithInfo(int, char const*, char const*, int) + 20 (Assertions.h:778) 1 WebCore 0x11393a8c0 WTF::CanMakeCheckedPtrBase<WTF::SingleThreadIntegralWrapper<unsigned int>, unsigned int>::~CanMakeCheckedPtrBase() + 28 (CheckedRef.h:325) [inlined] 2 WebCore 0x11393a8c0 WebCore::RenderObject::~RenderObject() + 232 (RenderObject.cpp:162) 3 WebCore 0x1138ccb88 WebCore::RenderImage::~RenderImage() + 112 (RenderImage.cpp:170) [inlined] 4 WebCore 0x1138ccb88 WebCore::RenderImage::~RenderImage() + 112 (RenderImage.cpp:168) [inlined] 5 WebCore 0x1138ccb88 WebCore::RenderImage::~RenderImage() + 132 (RenderImage.cpp:168) 6 WebCore 0x113a6dd78 std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>::reset[abi:v160006](WebCore::RenderObject*) + 16 (unique_ptr.h:297) [inlined] 7 WebCore 0x113a6dd78 std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>::~unique_ptr[abi:v160006]() + 16 (unique_ptr.h:263) [inlined] 8 WebCore 0x113a6dd78 std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>::~unique_ptr[abi:v160006]() + 16 (unique_ptr.h:263) [inlined] 9 WebCore 0x113a6dd78 WebCore::RenderTreeBuilder::destroy(WebCore::RenderObject&, WebCore::RenderTreeBuilder::CanCollapseAnonymousBlock) + 188 (RenderTreeBuilder.cpp:175) 10 WebCore 0x113a72608 WebCore::RenderTreeBuilder::destroyAndCleanUpAnonymousWrappers(WebCore::RenderObject&) + 220 (RenderTreeBuilder.cpp:892) 11 WebCore 0x113a7f4d4 WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&)::$_5::operator()(unsigned int) const + 340 (RenderTreeUpdater.cpp:641) [inlined] 12 WebCore 0x113a7f4d4 WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&) + 2384 (RenderTreeUpdater.cpp:664) 13 WebCore 0x113a7dc3c WebCore::RenderTreeUpdater::updateElementRenderer(WebCore::Element&, WebCore::Style::ElementUpdate const&) + 84 (RenderTreeUpdater.cpp:340) [inlined] 14 WebCore 0x113a7dc3c WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) + 4156 (RenderTreeUpdater.cpp:192) 15 WebCore 0x113a7c994 WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const>>) + 200 (RenderTreeUpdater.cpp:118) 16 WebCore 0x112e096a8 WebCore::Document::updateRenderTree(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const>>) + 100 (Document.cpp:2131) 17 WebCore 0x112e09918 WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) + 504 (Document.cpp:2228) 18 WebCore 0x112e0a090 WebCore::Document::updateStyleIfNeeded() + 164 (Document.cpp:2330) 19 WebCore 0x113476be0 WebCore::LocalFrameViewLayoutContext::updateStyleForLayout() + 64 (LocalFrameViewLayoutContext.cpp:546) [inlined] 20 WebCore 0x113476be0 WebCore::LocalFrameViewLayoutContext::performLayout() + 344 (LocalFrameViewLayoutContext.cpp:209) 21 WebCore 0x114002784 WebCore::LocalFrameViewLayoutContext::layout() + 52 (LocalFrameViewLayoutContext.cpp:151) 22 WebCore 0x112e06ac4 WebCore::Document::updateLayout(WTF::OptionSet<WebCore::LayoutOptions>, WebCore::Element const*) + 844 (Document.cpp:2383) 23 WebCore 0x112e0a8f8 WebCore::Document::updateLayoutIfDimensionsOutOfDate(WebCore::Element&, WTF::OptionSet<WebCore::DimensionsCheck>) + 736 (Document.cpp:2534) 24 WebCore 0x112e4fc04 WebCore::Element::offsetWidth() + 56 (Element.cpp:1400) 25 WebCore 0x111e64f50 WebCore::jsHTMLElement_offsetWidthGetter(JSC::JSGlobalObject&, WebCore::JSHTMLElement&) + 24 (JSHTMLElement.cpp:4459) [inlined] 26 WebCore 0x111e64f50 long long WebCore::IDLAttribute<WebCore::JSHTMLElement>::get<&WebCore::jsHTMLElement_offsetWidthGetter(JSC::JSGlobalObject&, WebCore::JSHTMLElement&), (WebCore::CastedThisErrorBehavior)3>(JSC::JSGlobalObject&, long long, JSC::PropertyName) + 104 (JSDOMAttribute.h:89) [inlined] 27 WebCore 0x111e64f50 WebCore::jsHTMLElement_offsetWidth(JSC::JSGlobalObject*, long long, JSC::PropertyName) + 128 (JSHTMLElement.cpp:4464)
Attachments
Add attachment proposed patch, testcase, etc.
Nicole Rosario
Comment 1 2023-11-14 11:19:17 PST
<rdar://problem/117994923>
Nicole Rosario
Comment 2 2023-11-14 12:27:48 PST
Pull request: https://github.com/WebKit/WebKit/pull/20354
EWS
Comment 3 2023-11-14 20:56:26 PST
Committed 270747@main (834ac739e603): <https://commits.webkit.org/270747@main> Reviewed commits have been landed. Closing PR #20354 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.