269784 – REGRESSION(274827@main): ASSERTION FAILED: !deletionHasBegun()

Bug 269784 - REGRESSION(274827@main): ASSERTION FAILED: !deletionHasBegun()

Summary: REGRESSION(274827@main): ASSERTION FAILED: !deletionHasBegun()

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	DOM (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2024-02-20 05:26 PST by Vitaly Dyackhov
Modified:	2024-02-21 08:09 PST (History)
CC List:	1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Vitaly Dyackhov 2024-02-20 05:26:48 PST

Many tests crash because of this assertion on WPE and GTK debug bots with stack trace:

#0  WTFCrash() () at /app/webkit/Source/WTF/wtf/Assertions.cpp:351
#1  0x00007f4545191f10 in WTFCrashWithInfo(int, char const*, char const*, int) () at /app/webkit/WebKitBuild/WPE/Debug/WTF/Headers/wtf/Assertions.h:780
#2  0x00007f45460ebd13 in WebCore::Node::ref() const (this=0x7f44e5123600) at /app/webkit/WebKitBuild/WPE/Debug/WebCore/PrivateHeaders/WebCore/Node.h:818
#3  0x00007f45468608b4 in WTF::DefaultRefDerefTraits<WebCore::Document>::refIfNotNull(WebCore::Document*) (ptr=0x7f44e5123600) at /app/webkit/WebKitBuild/WPE/Debug/WTF/Headers/wtf/Ref.h:49
#4  0x00007f454685af78 in WTF::RefPtr<WebCore::Document, WTF::RawPtrTraits<WebCore::Document>, WTF::DefaultRefDerefTraits<WebCore::Document> >::RefPtr(WebCore::Document*) (this=0x7ffd0f2b7980, ptr=0x7f44e5123600) at /app/webkit/WebKitBuild/WPE/Debug/WTF/Headers/wtf/RefPtr.h:48
#5  0x00007f454d46b53a in WebCore::LocalDOMWindow::removeAllEventListeners() (this=0x7f44c9004130) at /app/webkit/Source/WebCore/page/LocalDOMWindow.cpp:2412
#6  0x00007f454c479a1b in WebCore::Document::removeAllEventListeners() (this=0x7f44e5123600) at /app/webkit/Source/WebCore/dom/Document.cpp:3253
#7  0x00007f454c46b586 in WebCore::Document::~Document() (this=0x7f44e5123600, __in_chrg=<optimized out>) at /app/webkit/Source/WebCore/dom/Document.cpp:737
#8  0x00007f454c9e5544 in WebCore::HTMLDocument::~HTMLDocument() (this=0x7f44e5123600, __in_chrg=<optimized out>) at /app/webkit/Source/WebCore/html/HTMLDocument.cpp:104
#9  0x00007f454c9e55a8 in WebCore::HTMLDocument::~HTMLDocument() (this=0x7f44e5123600, __in_chrg=<optimized out>) at /app/webkit/Source/WebCore/html/HTMLDocument.cpp:104
#10 0x00007f454c4baf8a in WebCore::Document::decrementReferencingNodeCount(unsigned int) (this=0x7f44e5123600, count=1) at /app/webkit/Source/WebCore/dom/Document.h:454
#11 0x00007f454c46c9e6 in WebCore::Document::removedLastRef() (this=0x7f44e5123600) at /app/webkit/Source/WebCore/dom/Document.cpp:848
#12 0x00007f454c66878a in WebCore::Node::removedLastRef() (this=0x7f44e5123600) at /app/webkit/Source/WebCore/dom/Node.cpp:2843
#13 0x00007f45460ec182 in WebCore::Node::derefAllowingPartiallyDestroyed() const (this=0x7f44e5123600) at /app/webkit/WebKitBuild/WPE/Debug/WebCore/PrivateHeaders/WebCore/Node.h:856
#14 0x00007f45460ebfaa in WebCore::Node::deref() const (this=0x7f44e5123600) at /app/webkit/WebKitBuild/WPE/Debug/WebCore/PrivateHeaders/WebCore/Node.h:836
#15 0x00007f4549487c44 in WebCore::EventTarget::deref() (this=0x7f44e5123600) at /app/webkit/Source/WebCore/dom/Node.h:945
#16 0x00007f4549488a8e in WTF::DefaultRefDerefTraits<WebCore::EventTarget>::derefIfNotNull(WebCore::EventTarget*) (ptr=0x7f44e5123600) at /app/webkit/WebKitBuild/WPE/Debug/WTF/Headers/wtf/Ref.h:62
#17 0x00007f4549523b67 in WTF::Ref<WebCore::EventTarget, WTF::RawPtrTraits<WebCore::EventTarget>, WTF::DefaultRefDerefTraits<WebCore::EventTarget> >::~Ref() (this=0x7f4528019d20, __in_chrg=<optimized out>) at /app/webkit/WebKitBuild/WPE/Debug/WTF/Headers/wtf/Ref.h:82
#18 0x00007f4549b76276 in WebCore::JSDOMWrapper<WebCore::EventTarget, WTF::RawPtrTraits<WebCore::EventTarget> >::~JSDOMWrapper() (this=0x7f4528019d08, __in_chrg=<optimized out>) at /app/webkit/Source/WebCore/bindings/js/JSDOMWrapper.h:74
#19 0x00007f4549b76292 in WebCore::JSEventTarget::~JSEventTarget() (this=0x7f4528019d08, __in_chrg=<optimized out>) at /app/webkit/WebKitBuild/WPE/Debug/WebCore/DerivedSources/JSEventTarget.h:29
#20 0x00007f4549b6ce32 in WebCore::JSEventTarget::destroy(JSC::JSCell*) (cell=0x7f4528019d08) at /app/webkit/WebKitBuild/WPE/Debug/WebCore/DerivedSources/JSEventTarget.cpp:196
#21 0x00007f45486d3ecb in JSC::JSDestructibleObjectDestroyFunc::operator()(JSC::VM&, JSC::JSCell*) const (this=0x7ffd0f2b7cd7, cell=0x7f4528019d08) at /app/webkit/Source/JavaScriptCore/runtime/JSDestructibleObjectHeapCellType.cpp:43
#22 0x00007f45486d3308 in JSC::JSDestructibleObjectHeapCellType::destroy(JSC::VM&, JSC::JSCell*) const (this=0x7f44e5400788, vm=..., cell=0x7f4528019d08) at /app/webkit/Source/JavaScriptCore/runtime/JSDestructibleObjectHeapCellType.cpp:63
#23 0x00007f45480029fd in JSC::Subspace::destroy(JSC::VM&, JSC::JSCell*) (this=0x7f452814b100, vm=..., cell=0x7f4528019d08) at /app/webkit/Source/JavaScriptCore/heap/Subspace.cpp:68
#24 0x00007f4547ff8e88 in JSC::PreciseAllocation::sweep() (this=0x7f4528019c98) at /app/webkit/Source/JavaScriptCore/heap/PreciseAllocation.cpp:273
#25 0x00007f4547fded9c in JSC::MarkedSpace::sweepPreciseAllocations() (this=0x7f44e5400150) at /app/webkit/Source/JavaScriptCore/heap/MarkedSpace.cpp:235
#26 0x00007f4547f282be in JSC::Heap::sweepInFinalize() (this=0x7f44e54000a0) at /app/webkit/Source/JavaScriptCore/heap/Heap.cpp:2284
#27 0x00007f4547f27c66 in JSC::Heap::finalize() (this=0x7f44e54000a0) at /app/webkit/Source/JavaScriptCore/heap/Heap.cpp:2217
#28 0x00007f4547f27a0c in JSC::Heap::handleNeedFinalize(unsigned int) (this=0x7f44e54000a0, oldState=13) at /app/webkit/Source/JavaScriptCore/heap/Heap.cpp:2155
#29 0x00007f4547f27a60 in JSC::Heap::handleNeedFinalize() (this=0x7f44e54000a0) at /app/webkit/Source/JavaScriptCore/heap/Heap.cpp:2166
#30 0x00007f4547f26360 in JSC::Heap::finishChangingPhase(JSC::GCConductor) (this=0x7f44e54000a0, conn=JSC::GCConductor::Mutator) at /app/webkit/Source/JavaScriptCore/heap/Heap.cpp:1762
#31 0x00007f4547f2622f in JSC::Heap::changePhase(JSC::GCConductor, JSC::CollectorPhase) (this=0x7f44e54000a0, conn=JSC::GCConductor::Mutator, nextPhase=JSC::CollectorPhase::NotRunning) at /app/webkit/Source/JavaScriptCore/heap/Heap.cpp:1736
#32 0x00007f4547f261b5 in JSC::Heap::runEndPhase(JSC::GCConductor) (this=0x7f44e54000a0, conn=JSC::GCConductor::Mutator) at /app/webkit/Source/JavaScriptCore/heap/Heap.cpp:1726
#33 0x00007f4547f24937 in JSC::Heap::runCurrentPhase(JSC::GCConductor, JSC::CurrentThreadState*) (this=0x7f44e54000a0, conn=JSC::GCConductor::Mutator, currentThreadState=0x7ffd0f2b8050) at /app/webkit/Source/JavaScriptCore/heap/Heap.cpp:1376
#34 0x00007f4547f27286 in operator()(JSC::CurrentThreadState&) const (__closure=0x7ffd0f2b80f0, state=...) at /app/webkit/Source/JavaScriptCore/heap/Heap.cpp:1993
#35 0x00007f4547f42365 in WTF::ScopedLambdaFunctor<void(JSC::CurrentThreadState&), JSC::Heap::collectInMutatorThread()::<lambda(JSC::CurrentThreadState&)> >::implFunction(void *, JSC::CurrentThreadState &) (argument=0x7ffd0f2b80e0, arguments#0=...) at /app/webkit/WebKitBuild/WPE/Debug/WTF/Headers/wtf/ScopedLambda.h:106
#36 0x00007f4547fec703 in WTF::ScopedLambda<void (JSC::CurrentThreadState&)>::operator()<JSC::CurrentThreadState&>(JSC::CurrentThreadState&) const (this=0x7ffd0f2b80e0) at /app/webkit/WebKitBuild/WPE/Debug/WTF/Headers/wtf/ScopedLambda.h:58
#37 0x00007f4547fdb6bc in JSC::callWithCurrentThreadState(WTF::ScopedLambda<void (JSC::CurrentThreadState&)> const&) (lambda=...) at /app/webkit/Source/JavaScriptCore/heap/MachineStackMarker.cpp:227
#38 0x00007f4547f2739f in JSC::Heap::collectInMutatorThread() (this=0x7f44e54000a0) at /app/webkit/Source/JavaScriptCore/heap/Heap.cpp:2005
#39 0x00007f4547f27257 in JSC::Heap::stopIfNecessarySlow(unsigned int) (this=0x7f44e54000a0, oldState=21) at /app/webkit/Source/JavaScriptCore/heap/Heap.cpp:1974
#40 0x00007f4547f3dc80 in JSC::Heap::waitForCollector<JSC::Heap::waitForCollection(Ticket)::<lambda(const WTF::AbstractLocker&)> >(const struct {...} &) (this=0x7f44e54000a0, func=...) at /app/webkit/Source/JavaScriptCore/heap/Heap.cpp:2031
#41 0x00007f4547f28288 in JSC::Heap::waitForCollection(unsigned long) (this=0x7f44e54000a0, ticket=1) at /app/webkit/Source/JavaScriptCore/heap/Heap.cpp:2276
#42 0x00007f4547f241e7 in JSC::Heap::collectSync(JSC::GCRequest) (this=0x7f44e54000a0, request=...) at /app/webkit/Source/JavaScriptCore/heap/Heap.cpp:1283
#43 0x00007f4547f23cfa in JSC::Heap::collect(JSC::Synchronousness, JSC::GCRequest) (this=0x7f44e54000a0, synchronousness=JSC::Sync, request=...) at /app/webkit/Source/JavaScriptCore/heap/Heap.cpp:1203
#44 0x00007f4547f0bbd6 in JSC::EdenGCActivityCallback::doCollection(JSC::VM&) (this=0x7f452800d4a0, vm=...) at /app/webkit/Source/JavaScriptCore/heap/EdenGCActivityCallback.cpp:43
#45 0x00007f454d4ee321 in WebCore::OpportunisticTaskScheduler::EdenGCActivityCallback::doCollection(JSC::VM&) (this=0x7f452800d4a0, vm=...) at /app/webkit/Source/WebCore/page/OpportunisticTaskScheduler.cpp:263
#46 0x00007f4547f141e1 in JSC::GCActivityCallback::doWork(JSC::VM&) (this=0x7f452800d4a0, vm=...) at /app/webkit/Source/JavaScriptCore/heap/GCActivityCallback.cpp:66
#47 0x00007f45487e0f39 in JSC::JSRunLoopTimer::timerDidFire() (this=0x7f452800d4a0) at /app/webkit/Source/JavaScriptCore/runtime/JSRunLoopTimer.cpp:236
#48 0x00007f45487e0179 in JSC::JSRunLoopTimer::Manager::timerDidFire() (this=0x7f4528014c60) at /app/webkit/Source/JavaScriptCore/runtime/JSRunLoopTimer.cpp:109
#49 0x00007f45487dfc86 in JSC::JSRunLoopTimer::Manager::timerDidFireCallback() (this=0x7f4528014c60) at /app/webkit/Source/JavaScriptCore/runtime/JSRunLoopTimer.cpp:56
#50 0x00007f45487fd2bc in std::__invoke_impl<void, void (JSC::JSRunLoopTimer::Manager::*&)(), JSC::JSRunLoopTimer::Manager*&>(std::__invoke_memfun_deref, void (JSC::JSRunLoopTimer::Manager::*&)(), JSC::JSRunLoopTimer::Manager*&) (__f=@0x7f4528014ca8: (void (JSC::JSRunLoopTimer::Manager::*)(JSC::JSRunLoopTimer::Manager * const)) 0x7f45487dfc6e <JSC::JSRunLoopTimer::Manager::timerDidFireCallback()>, __t=@0x7f4528014cb8: 0x7f4528014c60) at /usr/include/c++/13.2.0/bits/invoke.h:74
#51 0x00007f45487fd235 in std::__invoke<void (JSC::JSRunLoopTimer::Manager::*&)(), JSC::JSRunLoopTimer::Manager*&>(void (JSC::JSRunLoopTimer::Manager::*&)(), JSC::JSRunLoopTimer::Manager*&) (__fn=@0x7f4528014ca8: (void (JSC::JSRunLoopTimer::Manager::*)(JSC::JSRunLoopTimer::Manager * const)) 0x7f45487dfc6e <JSC::JSRunLoopTimer::Manager::timerDidFireCallback()>) at /usr/include/c++/13.2.0/bits/invoke.h:96
#52 0x00007f45487fd1ab in std::_Bind<void (JSC::JSRunLoopTimer::Manager::*(JSC::JSRunLoopTimer::Manager*))()>::__call<void, , 0ul>(std::tuple<>&&, std::_Index_tuple<0ul>) (this=0x7f4528014ca8, __args=...) at /usr/include/c++/13.2.0/functional:506
#53 0x00007f45487fd13d in std::_Bind<void (JSC::JSRunLoopTimer::Manager::*(JSC::JSRunLoopTimer::Manager*))()>::operator()<, void>() (this=0x7f4528014ca8) at /usr/include/c++/13.2.0/functional:591
#54 0x00007f45487fd106 in WTF::Detail::CallableWrapper<std::_Bind<void (JSC::JSRunLoopTimer::Manager::*(JSC::JSRunLoopTimer::Manager*))()>, void>::call() (this=0x7f4528014ca0) at /app/webkit/WebKitBuild/WPE/Debug/WTF/Headers/wtf/Function.h:53
#55 0x00007f4545be5255 in WTF::Function<void ()>::operator()() const (this=0x7f4528024838) at /app/webkit/WebKitBuild/WPE/Debug/WTF/Headers/wtf/Function.h:82
#56 0x00007f4545cf6e72 in WTF::RunLoop::Timer::fired() (this=0x7f4528024810) at /app/webkit/WebKitBuild/WPE/Debug/WTF/Headers/wtf/RunLoop.h:195
#57 0x00007f45491f9fb1 in operator()(gpointer) const (__closure=0x0, userData=0x7f4528024810) at /app/webkit/Source/WTF/wtf/glib/RunLoopGLib.cpp:177
#58 0x00007f45491f9ff1 in _FUN(gpointer) () at /app/webkit/Source/WTF/wtf/glib/RunLoopGLib.cpp:181
#59 0x00007f45491f94ed in operator()(GSource*, GSourceFunc, gpointer) const (__closure=0x0, source=0x5587d3554c30, callback=0x7f45491f9fd4 <_FUN(gpointer)>, userData=0x7f4528024810) at /app/webkit/Source/WTF/wtf/glib/RunLoopGLib.cpp:53
#60 0x00007f45491f953b in _FUN(GSource*, GSourceFunc, gpointer) () at /app/webkit/Source/WTF/wtf/glib/RunLoopGLib.cpp:56
#61 0x00007f4539defd36 in g_main_dispatch (context=0x5587d3202120) at ../glib/gmain.c:3460
#62 g_main_context_dispatch (context=0x5587d3202120) at ../glib/gmain.c:4200
#63 0x00007f4539e4d2b8 in g_main_context_iterate.isra.0 (context=0x5587d3202120, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:4276
#64 0x00007f4539def3ff in g_main_loop_run (loop=0x5587d3202260) at ../glib/gmain.c:4479
#65 0x00007f45491f9bb6 in WTF::RunLoop::run() () at /app/webkit/Source/WTF/wtf/glib/RunLoopGLib.cpp:108
#66 0x00007f4546c1dac1 in WebKit::AuxiliaryProcessMainBase<WebKit::WebProcess, true>::run(int, char**) (this=0x7ffd0f2b8880, argc=4, argv=0x7ffd0f2b8a48) at /app/webkit/Source/WebKit/Shared/AuxiliaryProcessMain.h:72
#67 0x00007f4546c19379 in WebKit::AuxiliaryProcessMain<WebKit::WebProcessMainWPE>(int, char**) (argc=4, argv=0x7ffd0f2b8a48) at /app/webkit/Source/WebKit/Shared/AuxiliaryProcessMain.h:98
#68 0x00007f4546c0f518 in WebKit::WebProcessMain(int, char**) (argc=4, argv=0x7ffd0f2b8a48) at /app/webkit/Source/WebKit/WebProcess/wpe/WebProcessMainWPE.cpp:83
#69 0x00005587d2f608c9 in main(int, char**) (argc=4, argv=0x7ffd0f2b8a48) at /app/webkit/Source/WebKit/WebProcess/EntryPoint/unix/WebProcessMain.cpp:31

Comment 1 Vitaly Dyackhov 2024-02-20 05:49:09 PST

Pull request: https://github.com/WebKit/WebKit/pull/24810

Comment 2 EWS 2024-02-21 08:08:37 PST

Committed 275098@main (bbf9f2b123cb): <https://commits.webkit.org/275098@main>

Reviewed commits have been landed. Closing PR #24810 and removing active labels.

Comment 3 Radar WebKit Bug Importer 2024-02-21 08:09:13 PST

<rdar://problem/123381594>