RESOLVED FIXED
280214
Debug assertion on https://www.browserbench.org/MotionMark1.3.1/developer.html
https://bugs.webkit.org/show_bug.cgi?id=280214
Nikolas Zimmermann
Reported
2024-09-23 14:40:12 PDT
m_isOwnedByMainThread == isMainThread()
/host/home/nzimmermann/Software/GitRepositories/WebKit/WebKitBuild/WPE/Release/WTF/Headers/wtf/RefCounted.h(124) : void WTF::RefCountedBase::applyRefDerefThreadingCheck() const
1 0x7dde91da2911 WTF::RefCountedBase::derefAllowingPartiallyDestroyedBase() const
2 0x7dde920f10e1 WebCore::ToggleButtonPart::~ToggleButtonPart()
3 0x7dde97ef183e WebCore::RenderObject::RenderObjectRareData::~RenderObjectRareData()
4 0x7dde97ef49a2 WebCore::RenderObject::removeRareData()
5 0x7dde97e0d059 WebCore::RenderElement::willBeDestroyed()
6 0x7dde97eda7b8 WebCore::RenderObject::destroy()
7 0x7dde980d0bda WebCore::RenderTreeBuilder::destroy(WebCore::RenderObject&, WebCore::RenderTreeBuilder::CanCollapseAnonymousBlock)
8 0x7dde980d157e WebCore::RenderTreeBuilder::destroyAndCleanUpAnonymousWrappers(WebCore::RenderObject&, WebCore::RenderElement const*)
9 0x7dde980e7766 WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&)::{lambda(unsigned int)#1}::operator()(unsigned int) const
10 0x7dde980e6d43 WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&)
11 0x7dde980e9473 WebCore::RenderTreeUpdater::updateElementRenderer(WebCore::Element&, WebCore::Style::ElementUpdate const&)
12 0x7dde980eb410 WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&)
13 0x7dde980eb8cd WebCore::RenderTreeUpdater::commit(std::unique_ptr<WebCore::Style::Update, std::default_delete<WebCore::Style::Update> >)
14 0x7dde96c0b79e WebCore::Document::updateRenderTree(std::unique_ptr<WebCore::Style::Update, std::default_delete<WebCore::Style::Update> >)
15 0x7dde96c796fe WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType)
16 0x7dde96c79ad9 WebCore::Document::updateStyleIfNeeded()
17 0x7dde96c79cbd WebCore::Document::updateLayout(WTF::OptionSet<WebCore::LayoutOptions>, WebCore::Element const*)
18 0x7dde97076576 WebCore::HTMLLabelElement::defaultEventHandler(WebCore::Event&)
19 0x7dde96ce2f08 WebCore::EventDispatcher::dispatchEvent(WebCore::Node&, WebCore::Event&)
20 0x7dde9779701f WebCore::PointerCaptureController::dispatchEvent(WebCore::PointerEvent&, WebCore::EventTarget*) [clone .part.0]
21 0x7dde96cc979e WebCore::Element::dispatchMouseEvent(WebCore::PlatformMouseEvent const&, WTF::AtomString const&, int, WebCore::Element*, WebCore::IsSyntheticClick)
22 0x7dde97669d31 WebCore::EventHandler::dispatchMouseEvent(WTF::AtomString const&, WebCore::Node*, int, WebCore::PlatformMouseEvent const&, WebCore::EventHandler::FireMouseOverOut)
23 0x7dde9766aa9b WebCore::EventHandler::swallowAnyClickEvent(WebCore::PlatformMouseEvent const&, WebCore::MouseEventWithHitTestResults const&, WebCore::EventHandler::IgnoreAncestorNodesForClickEvent)
24 0x7dde9767b0ad WebCore::EventHandler::handleMouseReleaseEvent(WebCore::PlatformMouseEvent const&)
25 0x7dde92b6cd82 WebKit::WebFrame::handleMouseEvent(WebKit::WebMouseEvent const&)
26 0x7dde92b3f957 WebKit::WebPage::mouseEvent(WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::FrameIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long>, unsigned long, (WTF::SupportsObjectIdentifierNullState)0> >, WebKit::WebMouseEvent const&, std::optional<WTF::Vector<WebKit::SandboxExtensionHandle, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> >&&)
27 0x7dde9204717e void IPC::handleMessage<Messages::WebPage::MouseEvent, WebKit::WebPage, WebKit::WebPage, void (WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::FrameIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long>, unsigned long, (WTF::SupportsObjectIdentifierNullState)0> >, WebKit::WebMouseEvent const&, std::optional<WTF::Vector<WebKit::SandboxExtensionHandle, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> >&&)>(IPC::Connection&, IPC::Decoder&, WebKit::WebPage*, void (WebKit::WebPage::*)(WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::FrameIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long>, unsigned long, (WTF::SupportsObjectIdentifierNullState)0> >, WebKit::WebMouseEvent const&, std::optional<WTF::Vector<WebKit::SandboxExtensionHandle, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> >&&)) [clone .isra.0]
28 0x7dde92058685 WebKit::WebPage::didReceiveMessage(IPC::Connection&, IPC::Decoder&)
29 0x7dde9252e7e7 IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&)
30 0x7dde91f0f395 WebKit::AuxiliaryProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&)
31 0x7dde92528dad IPC::Connection::dispatchMessage(WTF::UniqueRef<IPC::Decoder>) [clone .part.0]

Just opened the page, and made a random mouse movement, when I saw this. Opening a ticket, so we don't forget.
Nikolas Zimmermann
Comment 1
2024-09-24 15:38:15 PDT
I can reproduce it every time on WPE, with threaded CPU rendering activated, when clicking on the 'Run Benchmark' button. I checked how ControlParts are created: RenderBox::paintBoxDecorations() calls RenderBox::ensureControlPartForRenderer(), which calls RenderBox::ensureControlPart(), which in turn calls theme().createControlPart() which creates a ToggleButtonPart object for the 'Run benchmark' button. In the threaded CPU rendering case, the ControlPart creation happens from within the worker thread, when we replay the previously recorded DisplayList (recording happened on the main thread). As can be seen from the backtrace, the destruction of the RenderObjectRareData, and thus the ToggleButtonPart was triggered from the main thread during layout / style resolving. Since ControlPart is not ThreadSafeRefCounted, the assertion popped up.
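A simplified model of the failure described in the comment above, added here as an example; it is not WebKit or WTF code, and all class and function names are hypothetical. It counts a violation at the point where a debug build would fire the owner-thread assertion, and contrasts a plain count with an atomic one.

```cpp
#include <atomic>
#include <thread>

// Stands in for the debug ASSERT: counts owner-thread check failures.
static std::atomic<int> g_violations{0};

// Models a non-thread-safe ref count that remembers its creating thread.
class CheckedRefCounted {
public:
    void ref() { check(); ++m_refCount; }
    // Returns true when the last reference was dropped.
    bool deref() { check(); return --m_refCount == 0; }
private:
    void check() const {
        if (m_owner != std::this_thread::get_id())
            ++g_violations;  // a debug build would assert here
    }
    std::thread::id m_owner { std::this_thread::get_id() };
    unsigned m_refCount { 1 };  // plain integer, unsafe to share
};

// Models a thread-safe ref count: atomic counter, no owner-thread check.
class AtomicRefCounted {
public:
    void ref() { m_refCount.fetch_add(1, std::memory_order_relaxed); }
    bool deref() { return m_refCount.fetch_sub(1, std::memory_order_acq_rel) == 1; }
private:
    std::atomic<unsigned> m_refCount { 1 };
};

// Create the object on a worker thread (as display-list replay does for the
// ControlPart), then drop the last reference on the calling thread (as
// render-tree teardown does). Returns the number of check failures.
template<typename T>
int createOnWorkerReleaseOnCaller() {
    g_violations = 0;
    T* part = nullptr;
    std::thread worker([&] { part = new T; });
    worker.join();  // join() orders the write to `part` before the read below
    if (part->deref())
        delete part;
    return g_violations.load();
}

int main() {
    int unsafe = createOnWorkerReleaseOnCaller<CheckedRefCounted>();
    int safe = createOnWorkerReleaseOnCaller<AtomicRefCounted>();
    return (unsafe == 1 && safe == 0) ? 0 : 1;
}
```
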
Nikolas Zimmermann
Comment 2
2024-09-24 15:47:22 PDT
This fixes the assertion for me: diff --git a/Source/WebCore/platform/graphics/controls/ControlPart.h b/Source/WebCore/platform/graphics/controls/ControlPart.h index 8aa1fd401bbe..ec931ea345aa 100644 --- a/Source/WebCore/platform/graphics/controls/ControlPart.h +++ b/Source/WebCore/platform/graphics/controls/ControlPart.h @@ -29,7 +29,7 @@ #include "ControlFactory.h" #include "PlatformControl.h" #include "StyleAppearance.h" -#include <wtf/RefCounted.h> +#include <wtf/ThreadSafeRefCounted.h> namespace WebCore { @@ -37,7 +37,7 @@ class FloatRect; class GraphicsContext; class ControlFactory; -class ControlPart : public RefCounted<ControlPart> { +class ControlPart : public ThreadSafeRefCounted<ControlPart> { public: virtual ~ControlPart() = default;
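Review bot: In the second hunk, the `class ControlPart : public ThreadSafeRefCounted<ControlPart>` line switches the base class without recording why, and an atomic count only makes ref() and deref() safe across threads, not the rest of the object. Please add a comment beside the base class saying that a ControlPart can be created on a worker thread during DisplayList replay and released on the main thread, and confirm that `virtual ~ControlPart() = default;` and the subclass destructors (ToggleButtonPart in the backtrace) are safe to run on a thread other than the one that created the object.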
Nikolas Zimmermann
Comment 3
2024-09-24 23:53:23 PDT
Pull request: https://github.com/WebKit/WebKit/pull/34215
EWS
Comment 4
2024-09-25 14:29:16 PDT
Committed 284244@main (f9961c9edb08): <https://commits.webkit.org/284244@main>

Reviewed commits have been landed. Closing PR #34215 and removing active labels.
Radar WebKit Bug Importer
Comment 5
2024-09-25 14:30:20 PDT
<rdar://problem/136707099>