RESOLVED FIXED 267878
REGRESSION(273148@main): Crash on veggiegrill.com
https://bugs.webkit.org/show_bug.cgi?id=267878
Ryosuke Niwa
Reported 2024-01-22 13:42:19 PST
In debug, we hit the following assertion, and we crash in release builds.

ASSERTION FAILED: m_image
/Volumes/Data/safari-2/OpenSource/Source/WebCore/loader/ImageLoader.cpp(350) : void WebCore::ImageLoader::updateFromElementIgnoringPreviousErrorToSameValue()
1 0x137e2ad30 WTFCrash
2 0x282e09acc WebCore::AudioProcessingEvent::AudioProcessingEvent(WTF::AtomString const&, WebCore::AudioProcessingEventInit&&)
3 0x284a923cc WebCore::ImageLoader::updateFromElementIgnoringPreviousErrorToSameValue()
4 0x284279460 WebCore::HTMLImageElement::attributeChanged(WebCore::QualifiedName const&, WTF::AtomString const&, WTF::AtomString const&, WebCore::Element::AttributeModificationReason)
5 0x283d83450 WebCore::Element::notifyAttributeChanged(WebCore::QualifiedName const&, WTF::AtomString const&, WTF::AtomString const&, WebCore::Element::AttributeModificationReason)
6 0x283d95010 WebCore::Element::didModifyAttribute(WebCore::QualifiedName const&, WTF::AtomString const&, WTF::AtomString const&)
7 0x283d82b4c WebCore::Element::setAttributeInternal(unsigned int, WebCore::QualifiedName const&, WTF::AtomString const&, WebCore::Element::InSynchronizationOfLazyAttribute)
8 0x283d830f8 WebCore::Element::setAttributeWithoutSynchronization(WebCore::QualifiedName const&, WTF::AtomString const&)
9 0x2811faa50 WebCore::setJSHTMLImageElement_srcSetter(JSC::JSGlobalObject&, WebCore::JSHTMLImageElement&, JSC::JSValue)::'lambda'()::operator()() const
10 0x2811faa00 void WebCore::invokeFunctorPropagatingExceptionIfNecessary<WebCore::setJSHTMLImageElement_srcSetter(JSC::JSGlobalObject&, WebCore::JSHTMLImageElement&, JSC::JSValue)::'lambda'()>(JSC::JSGlobalObject&, JSC::ThrowScope&, WebCore::setJSHTMLImageElement_srcSetter(JSC::JSGlobalObject&, WebCore::JSHTMLImageElement&, JSC::JSValue)::'lambda'()&&)
11 0x2811fa994 WebCore::setJSHTMLImageElement_srcSetter(JSC::JSGlobalObject&, WebCore::JSHTMLImageElement&, JSC::JSValue)
12 0x2810fd218 bool WebCore::IDLAttribute<WebCore::JSHTMLImageElement>::set<&WebCore::setJSHTMLImageElement_srcSetter(JSC::JSGlobalObject&, WebCore::JSHTMLImageElement&, JSC::JSValue), (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, long long, long long, JSC::PropertyName)
13 0x2810fd0e4 WebCore::setJSHTMLImageElement_src(JSC::JSGlobalObject*, long long, long long, JSC::PropertyName)
14 0x139bcc2d0 WTF::FunctionPtr<(WTF::PtrTag)28258, bool (JSC::JSGlobalObject*, long long, long long, JSC::PropertyName), (WTF::FunctionAttributes)1>::operator()(JSC::JSGlobalObject*, long long, long long, JSC::PropertyName) const
15 0x139cd546c JSC::JSObject::putInlineSlow(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&)
16 0x139320ba8 JSC::JSObject::putInlineForJSObject(JSC::JSCell*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&)
17 0x139e15544 JSC::JSCell::putInline(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&)
18 0x139322e10 JSC::JSValue::putInline(JSC::JSGlobalObject*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&)
19 0x139915f64 llint_slow_path_put_by_id

<rdar://121376760>
Ryosuke Niwa
Comment 1 2024-01-22 13:49:20 PST
EWS
Comment 2 2024-01-22 14:51:01 PST
Committed 273321@main (18063444ac99): <https://commits.webkit.org/273321@main> Reviewed commits have been landed. Closing PR #23064 and removing active labels.