Bug 272127 - RESOLVED WORKSFORME
REGRESSION(277009@main) fast/text/remove-renderer-and-select-crash.html makes a subsequent test crash: RELEASE_ASSERT(index != notFound) in LayoutIntegration::BoxTree::rendererForLayoutBox
https://bugs.webkit.org/show_bug.cgi?id=272127
Fujii Hironori
Reported 2024-04-03 16:59:38 PDT
After 277009@main added fast/text/remove-renderer-and-select-crash.html, the subsequent test fast/text/remove-text-node-linebox-not-dirty-crash.html is crashing.

Buildbot:
builder WinCairo-64-bit-Release-Tests build 4098 : 277016@main
https://build.webkit.org/#/builders/728/builds/4098

Regressions: Unexpected crashes (1)
  fast/text/remove-text-node-linebox-not-dirty-crash.html [ Crash ]

STACK_TEXT:
000000e1`0612d7c0 00007ff9`8e52ac6d : 00000000`00000001 00000000`00000000 00000000`00000000 00000000`00000000 : WTF!WTFCrash+0xe
000000e1`0612d7f0 00007ff9`8f8e7e83 : 00000000`3c800000 00000000`00000000 000000e1`0612d950 0000027f`6682e0d0 : WebCore!WTFCrashWithInfo+0x1d
000000e1`0612d830 00007ff9`8fd60d85 : 000000e1`0612ddf0 000000e1`0612d920 000000e1`0612dcd0 000000e1`0612de18 : WebCore!WebCore::LayoutIntegration::BoxTree::rendererForLayoutBox+0x133
000000e1`0612d8b0 00007ff9`8fd4089c : 000000e1`0612ddf0 000000e1`0612de18 000000e1`0612dcd0 000000e1`0612de18 : WebCore!WebCore::RenderBlockFlow::positionForPointWithInlineChildren+0xa75
000000e1`0612da30 00007ff9`8fd618b6 : 00000000`00000000 0000fe29`3810c0f5 0000027f`6682d3d0 00000000`00000000 : WebCore!WebCore::RenderBlock::positionForPoint+0x1ac
000000e1`0612dac0 00007ff9`8fd40420 : 000000e1`00000002 0000027f`66954de0 0000027f`669be8a0 00007ff9`8fd4198b : WebCore!WebCore::RenderBlockFlow::positionForPoint+0x16
000000e1`0612db00 00007ff9`8fd40ac9 : 0000027f`44480000 0000027f`228f0000 00000000`00000000 44160000`44480000 : WebCore!WebCore::positionForPointRespectingEditingBoundaries+0x1a0
000000e1`0612db80 00007ff9`8fd618b6 : 00000000`00000000 000000e1`0612de18 000000e1`0612de18 0000027f`667b5eb0 : WebCore!WebCore::RenderBlock::positionForPoint+0x3d9
000000e1`0612dc10 00007ff9`8fd40420 : 000000e1`0612dcc0 00007ff9`8fea433d 000000e1`0612ddf0 00007ff9`8fd4198b : WebCore!WebCore::RenderBlockFlow::positionForPoint+0x16
000000e1`0612dc50 00007ff9`8fd40ac9 : 00000000`00000000 000000e1`0612e3a0 0000027f`667c7120 0000027f`667b5eb0 : WebCore!WebCore::positionForPointRespectingEditingBoundaries+0x1a0
000000e1`0612dcd0 00007ff9`8fd618b6 : 000000e1`0612de18 00000000`00000000 000000e1`0612e3a0 0000027f`667c7120 : WebCore!WebCore::RenderBlock::positionForPoint+0x3d9
000000e1`0612dd60 00007ff9`8f5968d9 : 00000000`00000000 00000000`00000000 000000e1`0612de88 00007ff9`8fb35cfc : WebCore!WebCore::RenderBlockFlow::positionForPoint+0x16
000000e1`0612dda0 00007ff9`8e043b9a : 00000000`00000001 00007ff9`8e28ad3a 0000027f`667b6f60 0000027f`66884920 : WebCore!WebCore::FrameSelection::contains+0x1f9
000000e1`0612df30 00007ff9`8e2dee7d : 0000027f`667b5eb0 00000000`00000001 000000e1`0612e058 0000027f`6a74f5d0 : WebKit2!WebKit::WebHitTestResultData::WebHitTestResultData+0x1aa
000000e1`0612dfb0 00007ff9`8f9e19c8 : 00000000`00000000 00000000`3f800000 3f800000`3f800000 3f800000`00000000 : WebKit2!WebKit::WebChromeClient::mouseDidMoveOverElement+0x9d
000000e1`0612e2b0 00007ff9`8fa1473a : 00000000`00000000 00007ff9`8e043323 00000000`00000000 00000001`8de4ae00 : WebCore!WebCore::Chrome::mouseDidMoveOverElement+0x1a8
000000e1`0612e370 00007ff9`8e346f70 : 00000000`00000000 00000000`00000002 00000000`00000000 000000e1`0612e549 : WebCore!WebCore::EventHandler::mouseMoved+0x11a
000000e1`0612e480 00007ff9`8e3204fb : 00000000`00000000 00007ff9`8e490e00 00000000`00000001 0000027f`6a754d01 : WebKit2!WebKit::WebFrame::handleMouseEvent+0x130
000000e1`0612e550 00007ff9`8dd5bbad : 00000000`00000000 00000000`00000000 00007ff9`8e376230 0000027f`6a754dc0 : WebKit2!WebKit::WebPage::mouseEvent+0x18b
000000e1`0612e610 00007ff9`8dd59595 : 00000000`00000000 00000000`00000000 0000027f`22936aa0 00000000`00000000 : WebKit2!IPC::handleMessageAsync<Messages::WebPage::MouseEvent,WebKit::WebPage,WebKit::WebPage,void (WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::FrameIdentifierType,WTF::ObjectIdentifierMainThreadAccessTraits> >, const WebKit::WebMouseEvent &, std::optional<WTF::Vector<WebKit::SandboxExtensionHandle,0,WTF::CrashOnOverflow,16,WTF::FastMalloc> > &&, WTF::CompletionHandler<void (std::optional<WebKit::WebEventType>, bool, std::optional<WebCore::RemoteUserInputEventData>)> &&)>+0xed
000000e1`0612e760 00007ff9`8e037355 : 0000027f`229453c0 00007ffa`4d4d37eb 0000027f`6a75544f 0000027f`0000003d : WebKit2!WebKit::WebPage::didReceiveWebPageMessage+0x1475
000000e1`0612f390 00007ff9`8e19fd79 : 00000000`00000092 00000000`0000000a 0000fe0d`54ba65c8 00000000`00000000 : WebKit2!IPC::MessageReceiverMap::dispatchMessage+0x185
000000e1`0612f410 00007ff9`8e032205 : 0000027f`66a51450 0000027f`228f0000 00000000`00000000 00000000`00000401 : WebKit2!WebKit::WebProcess::didReceiveMessage+0x19
000000e1`0612f450 00007ff9`8e03238c : 00000000`00000401 00000000`00000000 00000000`00000000 00007ffa`4f8b8603 : WebKit2!IPC::Connection::dispatchMessage+0xf5
000000e1`0612f4a0 00007ff9`b87e069e : 0000027f`2515f940 00007ffa`00000000 00000000`00000000 00000000`000a12e4 : WebKit2!IPC::Connection::dispatchOneIncomingMessage+0xec
000000e1`0612f500 00007ff9`b884a088 : 00000000`000a12e4 00000000`00000000 0000027f`22916630 00007ff9`8e59d873 : WTF!WTF::RunLoop::performWork+0x19e
000000e1`0612f550 00007ffa`4f548241 : 000000e1`0612f6d8 00000000`00000000 00000000`00000000 00000000`80000022 : WTF!WTF::RunLoop::RunLoopWndProc+0x38
000000e1`0612f5a0 00007ffa`4f547d01 : 00000000`00000000 00007ff9`b884a050 00000000`000a12e4 000000e1`0612f7a0 : USER32!UserCallWinProcCheckWow+0x2d1
000000e1`0612f700 00007ff9`b884a1ff : 000000e1`0612f7a0 00000000`00000000 00007ffa`4f54a130 000000e1`0612f7a0 : USER32!DispatchMessageWorker+0x1f1
000000e1`0612f780 00007ff9`8dc317bd : 0000027f`00000000 00000000`00000000 0000027f`229010f0 00000000`00000000 : WTF!WTF::RunLoop::run+0x5f
000000e1`0612f800 00007ff6`cd0c100a : 00000000`00000007 00000000`00000001 00000000`00000000 00007ffa`4f8bce70 : WebKit2!WebKit::AuxiliaryProcessMain<WebKit::WebProcessMainWin>+0xad
000000e1`0612f890 00007ff6`cd0c13bc : 00000000`00000000 00007ff6`cd0c1435 0000027f`228a0000 00000000`00000000 : WebKitWebProcess!main+0xa
000000e1`0612f8c0 00007ffa`4d72257d : 00000000`00000000 00000000`00000000 000000e1`063d4000 00000000`00000000 : WebKitWebProcess!__scrt_common_main_seh+0x10c
000000e1`0612f900 00007ffa`4f8eaa58 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x1d
000000e1`0612f930 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x28
Fujii Hironori
Comment 1 2024-04-03 17:13:00 PDT
This isn't a Release build specific problem, but Debug build can't reproduce this due to another problem bug#272123. By commenting out, it's reproducible with Debug build.
diff --git a/Source/WebCore/page/LocalFrameViewLayoutContext.cpp b/Source/WebCore/page/LocalFrameViewLayoutContext.cpp index 7c1b8dfe35e1..e9e189be5d25 100644 --- a/Source/WebCore/page/LocalFrameViewLayoutContext.cpp +++ b/Source/WebCore/page/LocalFrameViewLayoutContext.cpp @@ -232,7 +232,7 @@ void LocalFrameViewLayoutContext::performLayout() SubtreeLayoutStateMaintainer subtreeLayoutStateMaintainer(subtreeLayoutRoot()); RenderView::RepaintRegionAccumulator repaintRegionAccumulator(renderView()); #ifndef NDEBUG - RenderTreeNeedsLayoutChecker checker(*renderView()); + //RenderTreeNeedsLayoutChecker checker(*renderView()); #endif layoutRoot->layout(); ++m_layoutCount;
> python .\Tools\Scripts\run-webkit-tests --wincairo --debug --no-retry --iter=2 fast/text/remove-renderer-and-select-crash.html
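Review bot: in the `#ifndef NDEBUG` block of `LocalFrameViewLayoutContext::performLayout()`, the `RenderTreeNeedsLayoutChecker` is disabled by prefixing it with `//`, which leaves an empty conditional block plus dead code and switches the needs-layout check off for every Debug layout, not only for this reproduction. This reads as a local repro aid and should stay out of any landed change; if Debug runs need to get past bug#272123, a runtime switch around the checker would be easier to spot in review and to revert than commented-out code.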
Fujii Hironori
Comment 2 2024-04-03 17:15:52 PDT
With the above patch, stderr has the following message:

ASSERTION FAILED: index != notFound
C:\webkit\Source\WebCore\layout/integration/LayoutIntegrationBoxTree.cpp(389) : rendererForLayoutBox
1 00007FF9B20B1CA9 WTFCrash
2 00007FF988862EFD WTFCrashWithInfo
3 00007FF98BFB2DE0 WebCore::LayoutIntegration::BoxTree::rendererForLayoutBox
4 00007FF98BFB304D WebCore::LayoutIntegration::BoxTree::rendererForLayoutBox
5 00007FF98BFF7DF1 WebCore::LayoutIntegration::LineLayout::rendererForLayoutBox
6 00007FF98BFD9595 WebCore::LayoutIntegration::InlineContent::rendererForLayoutBox
7 00007FF98AAADA0C WebCore::InlineIterator::BoxModernPath::renderer
8 00007FF98AAAD9C8 WebCore::InlineIterator::Box::renderer::<lambda_1>::operator()<const WebCore::InlineIterator::BoxModernPath>
9 00007FF98AAAD96D std::invoke<WTF::Visitor<`lambda at C:\PSDEV\wb\Source\WebCore\layout\integration\inline\InlineIteratorBox.h:229:41'>,const WebCore::InlineIterator::BoxModernPath &>
10 00007FF98AAAD8FD std::_Variant_dispatcher<std::integer_sequence<unsigned long long,1> >::_Dispatch2<const WebCore::RenderObject &,WTF::Visitor<`lambda at C:\PSDEV\wb\Source\WebCore\layout\integration\inline\InlineIteratorBox.h:229:41'>,const std::variant<WebCore::InlineIterator::BoxModernPath,WebCore::InlineIterator::BoxLegacyPath> &,0>
11 00007FF98AAAD843 std::_Visit_strategy<1>::_Visit2<const WebCore::RenderObject &,std::_Meta_list<std::integer_sequence<unsigned long long,0>,std::integer_sequence<unsigned long long,1>,std::integer_sequence<unsigned long long,2> >,WTF::Visitor<`lambda at C:\PSDEV\wb\Source\WebCore\layout\integration\inline\InlineIteratorBox.h:229:41'>,const std::variant<WebCore::InlineIterator::BoxModernPath,WebCore::InlineIterator::BoxLegacyPath> &>
12 00007FF98AAAD7DA std::_Visit_impl<3,const WebCore::RenderObject &,std::_Meta_list<std::integer_sequence<unsigned long long,0>,std::integer_sequence<unsigned long long,1>,std::integer_sequence<unsigned long long,2> >,WTF::Visitor<`lambda at C:\PSDEV\wb\Source\WebCore\layout\integration\inline\InlineIteratorBox.h:229:41'>,const std::variant<WebCore::InlineIterator::BoxModernPath,WebCore::InlineIterator::BoxLegacyPath> &>
13 00007FF98AAAD756 std::visit<WTF::Visitor<`lambda at C:\PSDEV\wb\Source\WebCore\layout\integration\inline\InlineIteratorBox.h:229:41'>,const std::variant<WebCore::InlineIterator::BoxModernPath,WebCore::InlineIterator::BoxLegacyPath> &,void>
14 00007FF98AAAD714 WTF::switchOn<const std::variant<WebCore::InlineIterator::BoxModernPath,WebCore::InlineIterator::BoxLegacyPath> &,`lambda at C:\PSDEV\wb\Source\WebCore\layout\integration\inline\InlineIteratorBox.h:229:41'>
15 00007FF98AA9C1C7 WebCore::InlineIterator::Box::renderer
16 00007FF98CA0E7DA WebCore::RenderBlockFlow::positionForPointWithInlineChildren
17 00007FF98C9EAFB5 WebCore::RenderBlock::positionForPoint
18 00007FF98CA0EE4F WebCore::RenderBlockFlow::positionForPoint
19 00007FF98C9EA876 WebCore::positionForPointRespectingEditingBoundaries
20 00007FF98C9EB325 WebCore::RenderBlock::positionForPoint
21 00007FF98CA0EE4F WebCore::RenderBlockFlow::positionForPoint
22 00007FF98C9EA876 WebCore::positionForPointRespectingEditingBoundaries
23 00007FF98C9EB325 WebCore::RenderBlock::positionForPoint
24 00007FF98CA0EE4F WebCore::RenderBlockFlow::positionForPoint
25 00007FF98B7B4379 WebCore::FrameSelection::contains
26 00007FF98C972199 WebCore::HitTestResult::isSelected
27 00007FF98F7A7B7D WebKit::WebHitTestResultData::WebHitTestResultData
28 00007FF990098A26 WebKit::WebChromeClient::mouseDidMoveOverElement
29 00007FF98C2103CD WebCore::Chrome::mouseDidMoveOverElement
30 00007FF98C267F50 WebCore::EventHandler::mouseMoved
31 00007FF9901DBEE6 WebKit::WebFrame::handleMouseEvent
Radar WebKit Bug Importer
Comment 3 2024-04-10 17:00:15 PDT
Fujii Hironori
Comment 4 2024-09-10 20:50:04 PDT
No longer reproducible.