WebKit Bugzilla
Bug 288752 - ASAN_TRAP | WTF::HashTable::lookup; WebCore::LegacyRenderSVGResourceClipper::removeClientFromCache; WebCore::SVGResources::removeClientFromCache
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=288752
Adan Lopez
Reported
2025-02-27 14:08:50 PST
Test case:

<!DOCTYPE html>
<body>
<script>
function addFrame() {
    const iframe = document.createElement('iframe');
    document.body.appendChild(iframe);
    iframe.contentDocument.open();
    iframe.contentDocument.write(`data:text/html,<style>* { -webkit-clip-path: url(#clipPath); }</style> <picture><select></select><svg><clipPath id="clipPath">`);
    iframe.contentDocument.close();
}

window?.testRunner?.dumpAsText();
window?.testRunner?.waitUntilDone();

for (let i = 0; i < 50; ++i)
    addFrame();

onload = () => {
    requestAnimationFrame(() => {
        window?.testRunner?.notifyDone();
    })
}
</script>

Backtrace:

frame #0: WebCore`WTF::KeyValuePair<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>, std::__1::unique_ptr<WebCore::ClipperData, std::__1::default_delete<WebCore::ClipperData>>>* WTF::HashTable<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>, WTF::KeyValuePair<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>, std::__1::unique_ptr<WebCore::ClipperData, std::__1::default_delete<WebCore::ClipperData>>>, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>, std::__1::unique_ptr<WebCore::ClipperData, std::__1::default_delete<WebCore::ClipperData>>>>, WTF::DefaultHash<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>>, WTF::HashMap<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>, std::__1::unique_ptr<WebCore::ClipperData, std::__1::default_delete<WebCore::ClipperData>>, WTF::DefaultHash<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>>, WTF::HashTraits<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>>, WTF::HashTraits<std::__1::unique_ptr<WebCore::ClipperData, std::__1::default_delete<WebCore::ClipperData>>>, WTF::HashTableTraits, (WTF::ShouldValidateKey)0>::KeyValuePairTraits, WTF::HashTraits<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>>, (WTF::ShouldValidateKey)0>::lookup<WTF::HashMapTranslator<WTF::HashMap<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>, std::__1::unique_ptr<WebCore::ClipperData, std::__1::default_delete<WebCore::ClipperData>>, WTF::DefaultHash<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>>, WTF::HashTraits<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>>, WTF::HashTraits<std::__1::unique_ptr<WebCore::ClipperData, std::__1::default_delete<WebCore::ClipperData>>>, WTF::HashTableTraits, (WTF::ShouldValidateKey)0>::KeyValuePairTraits, WTF::DefaultHash<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>>>, WebCore::RenderObject const*>(WebCore::RenderObject const* const&)+0x12c
frame #1: WebCore`WebCore::LegacyRenderSVGResourceClipper::removeClientFromCache(WebCore::RenderElement&, bool)+0x6d
frame #2: WebCore`WebCore::SVGResources::removeClientFromCache(WebCore::RenderElement&, bool) const+0x3a7
frame #3: WebCore`WebCore::LegacyRenderSVGShape::layout()+0x4e4
frame #4: WebCore`WebCore::SVGRenderSupport::layoutChildren(WebCore::RenderElement&, bool)+0x42d
frame #5: WebCore`WebCore::LegacyRenderSVGRoot::layout()+0x2ed
frame #6: WebCore`WebCore::LayoutIntegration::layoutWithFormattingContextForBox(WebCore::Layout::ElementBox const&, std::__1::optional<WebCore::LayoutUnit>, WebCore::Layout::LayoutState&)+0xb2
frame #7: WebCore`WebCore::Layout::LineBuilder::candidateContentForLine(WebCore::Layout::LineCandidate&, unsigned long, WebCore::Layout::InlineItemRange const&, float)+0xafc
frame #8: WebCore`WebCore::Layout::LineBuilder::placeInlineAndFloatContent(WebCore::Layout::InlineItemRange const&)+0x39b
frame #9: WebCore`WebCore::Layout::LineBuilder::layoutInlineContent(WebCore::Layout::LineInput const&, std::__1::optional<WebCore::Layout::PreviousLine> const&)+0x155
frame #10: WebCore`WebCore::Layout::InlineFormattingContext::lineLayout(WebCore::Layout::AbstractLineBuilder&, WTF::Vector<WebCore::Layout::InlineItem, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WebCore::Layout::InlineItemRange, std::__1::optional<WebCore::Layout::PreviousLine>, WebCore::Layout::ConstraintsForInlineContent const&, WebCore::Layout::InlineDamage const*)+0x13a4
frame #11: WebCore`WebCore::Layout::InlineFormattingContext::layout(WebCore::Layout::ConstraintsForInlineContent const&, WebCore::Layout::InlineDamage*)+0xaeb
frame #12: WebCore`WebCore::LayoutIntegration::LineLayout::layout()+0xcea
frame #13: WebCore`WebCore::RenderBlockFlow::layoutInlineContent(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0x1cdc
frame #14: WebCore`WebCore::RenderBlockFlow::layoutInFlowChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0x469
frame #15: WebCore`WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)+0x1199
frame #16: WebCore`WebCore::RenderBlock::layout()+0x112
frame #17: WebCore`WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0x1808
frame #18: WebCore`WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)+0x6c9
frame #19: WebCore`WebCore::RenderBlockFlow::layoutInFlowChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0x9e6
frame #20: WebCore`WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)+0x1199
frame #21: WebCore`WebCore::RenderBlock::layout()+0x112
frame #22: WebCore`WebCore::RenderFragmentedFlow::layout()+0x80
frame #23: WebCore`WebCore::RenderMultiColumnFlow::layout()+0x31e
frame #24: WebCore`WebCore::RenderBlockFlow::layoutExcludedChildren(bool)+0x22e
frame #25: WebCore`WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)+0x3d7
frame #26: WebCore`WebCore::RenderBlockFlow::layoutInFlowChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0x9e6
frame #27: WebCore`WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)+0x1199
frame #28: WebCore`WebCore::RenderBlock::layout()+0x112
frame #29: WebCore`WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0x1808
frame #30: WebCore`WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)+0x6c9
frame #31: WebCore`WebCore::RenderBlockFlow::layoutInFlowChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0x9e6
frame #32: WebCore`WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)+0x1199
frame #33: WebCore`WebCore::RenderBlock::layout()+0x112
frame #34: WebCore`WebCore::RenderFragmentedFlow::layout()+0x80
frame #35: WebCore`WebCore::RenderMultiColumnFlow::layout()+0x31e
frame #36: WebCore`WebCore::RenderBlockFlow::layoutExcludedChildren(bool)+0x22e
frame #37: WebCore`WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)+0x3d7
frame #38: WebCore`WebCore::RenderBlockFlow::layoutInFlowChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0x9e6
frame #39: WebCore`WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)+0x1199
frame #40: WebCore`WebCore::RenderBlock::layout()+0x112
frame #41: WebCore`WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0x1808
frame #42: WebCore`WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)+0x6c9
frame #43: WebCore`WebCore::RenderBlockFlow::layoutInFlowChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0x9e6
frame #44: WebCore`WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)+0x1199
frame #45: WebCore`WebCore::RenderBlock::layout()+0x112
frame #46: WebCore`WebCore::RenderView::layout()+0x4cd
frame #47: WebCore`WebCore::LocalFrameViewLayoutContext::performLayout(bool)+0xa6d
frame #48: WebCore`WebCore::LocalFrameViewLayoutContext::layout(bool)+0x141
frame #49: WebCore`WebCore::Document::updateLayout(WTF::OptionSet<WebCore::LayoutOptions>, WebCore::Element const*)+0xb8f
frame #50: WebCore`WebCore::HTMLPlugInElement::renderWidgetLoadingPlugin() const+0x22b
frame #51: WebCore`WebCore::HTMLPlugInElement::bindingsInstance()+0x21a
frame #52: WebCore`WebCore::pluginElementCustomGetOwnPropertySlot(WebCore::JSHTMLElement*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::PropertySlot&)+0x2c9
frame #53: WebCore`WebCore::JSHTMLObjectElement::legacyPlatformObjectGetOwnProperty(JSC::JSObject*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::PropertySlot&, bool)+0xf3
frame #54: JavaScriptCore`JSC::LLInt::performLLIntGetByID(JSC::BytecodeIndex, JSC::CodeBlock*, JSC::JSGlobalObject*, JSC::JSValue, JSC::Identifier const&, JSC::GetByIdModeMetadata&)+0x72ef
frame #55: JavaScriptCore`llint_slow_path_get_by_id+0x38b
frame #56: JavaScriptCore`jsc_llint_llintOpWithMetadata__llintOpWithReturn__llintOp__commonOp__fn__fn__makeReturn__fn__fn__177_fn__opGetByIdSlow_LowLevelInterpreter_asm_508+0xd
frame #57: JavaScriptCore`jsc_llint_commonCallOp__llintOpWithMetadata__llintOpWithReturn__llintOp__commonOp__fn__fn__makeReturn__fn__fn__fn__696_callHelper__dispatch_LowLevelInterpreter64_asm_2538+0x2
frame #58: JavaScriptCore`llint_call_javascript+0x5
frame #59: JavaScriptCore`JSC::Interpreter::executeCall(JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)+0x8c1
frame #60: JavaScriptCore`JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)+0xfa
frame #61: WebCore`WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&)+0xb60
frame #62: WebCore`WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::RawPtrTraits<WebCore::RegisteredEventListener>, WTF::DefaultRefDerefTraits<WebCore::RegisteredEventListener>>, 1ul, WTF::CrashOnOverflow, 2ul, WTF::FastMalloc>, WebCore::EventTarget::EventInvokePhase)+0x522
frame #63: WebCore`WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase)+0x65b
frame #64: WebCore`WebCore::LocalDOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*)+0x3d8
frame #65: WebCore`WebCore::LocalDOMWindow::dispatchLoadEvent()+0x483
frame #66: WebCore`WebCore::Document::dispatchWindowLoadEvent()+0x119
frame #67: WebCore`WebCore::Document::implicitClose()+0x6db
frame #68: WebCore`WebCore::FrameLoader::checkCallImplicitClose()+0x1c5
frame #69: WebCore`WebCore::FrameLoader::checkCompleted()+0x4cb
frame #70: WebCore`WebCore::FrameLoader::checkCompletenessNow()+0x30b
frame #71: WebCore`WTF::Detail::CallableWrapper<WebCore::Timer::Timer<WebCore::FrameLoader, WebCore::FrameLoader>(WebCore::FrameLoader&, void (WebCore::FrameLoader::*)())::'lambda'(), void>::call()+0x19a
frame #72: WebCore`WebCore::ThreadTimers::sharedTimerFiredInternal()+0x397
frame #73: WebCore`WebCore::timerFired(__CFRunLoopTimer*, void*)+0x78
frame #74: CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__+0x13
frame #75: CoreFoundation`__CFRunLoopDoTimer+0x325
frame #76: CoreFoundation`__CFRunLoopDoTimers+0x10e
frame #77: CoreFoundation`__CFRunLoopRun+0x8da
frame #78: CoreFoundation`CFRunLoopRunSpecific+0x217
frame #79: Foundation`-[NSRunLoop(NSRunLoop) runMode:beforeDate:]+0xd7
frame #80: Foundation`-[NSRunLoop(NSRunLoop) run]+0x4b
frame #81: libxpc.dylib`_xpc_objc_main+0x271
frame #82: libxpc.dylib`_xpc_main+0x20
frame #83: libxpc.dylib`xpc_main+0x37
frame #84: WebKit`WebKit::XPCServiceMain(int, char const**)+0x8f
frame #85: dyld`start+0xbef

asan log:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==2699==ERROR: AddressSanitizer: TRAP on unknown address 0x000158dd603c (pc 0x000158dd603c bp 0x7ff7b951d190 sp 0x7ff7b951d190 T0)
    #0 0x000158dd603c in WTF::KeyValuePair<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>, std::__1::unique_ptr<WebCore::ClipperData, std::__1::default_delete<WebCore::ClipperData>>>* WTF::HashTable<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>, WTF::KeyValuePair<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>, std::__1::unique_ptr<WebCore::ClipperData, std::__1::default_delete<WebCore::ClipperData>>>, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>, std::__1::unique_ptr<WebCore::ClipperData, std::__1::default_delete<WebCore::ClipperData>>>>, WTF::DefaultHash<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>>, WTF::HashMap<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>, std::__1::unique_ptr<WebCore::ClipperData, std::__1::default_delete<WebCore::ClipperData>>, WTF::DefaultHash<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>>, WTF::HashTraits<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>>, WTF::HashTraits<std::__1::unique_ptr<WebCore::ClipperData, std::__1::default_delete<WebCore::ClipperData>>>, WTF::HashTableTraits, (WTF::ShouldValidateKey)0>::KeyValuePairTraits, WTF::HashTraits<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>>, (WTF::ShouldValidateKey)0>::lookup<WTF::HashMapTranslator<WTF::HashMap<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>, std::__1::unique_ptr<WebCore::ClipperData, std::__1::default_delete<WebCore::ClipperData>>, WTF::DefaultHash<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>>, WTF::HashTraits<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>>, WTF::HashTraits<std::__1::unique_ptr<WebCore::ClipperData, std::__1::default_delete<WebCore::ClipperData>>>, WTF::HashTableTraits, (WTF::ShouldValidateKey)0>::KeyValuePairTraits, WTF::DefaultHash<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>>>, WebCore::RenderObject const*>(WebCore::RenderObject const* const&)+0x12c (WebCore:x86_64+0x829603c)
    #1 0x000158dc291d in WebCore::LegacyRenderSVGResourceClipper::removeClientFromCache(WebCore::RenderElement&, bool)+0x6d (WebCore:x86_64+0x828291d)
    #2 0x000159cbf547 in WebCore::SVGResources::removeClientFromCache(WebCore::RenderElement&, bool) const+0x3a7 (WebCore:x86_64+0x917f547)
    #3 0x000158df0074 in WebCore::LegacyRenderSVGShape::layout()+0x4e4 (WebCore:x86_64+0x82b0074)
    #4 0x000158d5904d in WebCore::SVGRenderSupport::layoutChildren(WebCore::RenderElement&, bool)+0x42d (WebCore:x86_64+0x821904d)
    #5 0x000158de60dd in WebCore::LegacyRenderSVGRoot::layout()+0x2ed (WebCore:x86_64+0x82a60dd)
    #6 0x000157031482 in WebCore::LayoutIntegration::layoutWithFormattingContextForBox(WebCore::Layout::ElementBox const&, std::__1::optional<WebCore::LayoutUnit>, WebCore::Layout::LayoutState&)+0xb2 (WebCore:x86_64+0x64f1482)
    #7 0x000156fae79c in WebCore::Layout::LineBuilder::candidateContentForLine(WebCore::Layout::LineCandidate&, unsigned long, WebCore::Layout::InlineItemRange const&, float)+0xafc (WebCore:x86_64+0x646e79c)
    #8 0x000156fa988b in WebCore::Layout::LineBuilder::placeInlineAndFloatContent(WebCore::Layout::InlineItemRange const&)+0x39b (WebCore:x86_64+0x646988b)
    #9 0x000156fa5a25 in WebCore::Layout::LineBuilder::layoutInlineContent(WebCore::Layout::LineInput const&, std::__1::optional<WebCore::Layout::PreviousLine> const&)+0x155 (WebCore:x86_64+0x6465a25)
    #10 0x000156f59714 in WebCore::Layout::InlineFormattingContext::lineLayout(WebCore::Layout::AbstractLineBuilder&, WTF::Vector<WebCore::Layout::InlineItem, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WebCore::Layout::InlineItemRange, std::__1::optional<WebCore::Layout::PreviousLine>, WebCore::Layout::ConstraintsForInlineContent const&, WebCore::Layout::InlineDamage const*)+0x13a4 (WebCore:x86_64+0x6419714)
    #11 0x000156f55bfb in WebCore::Layout::InlineFormattingContext::layout(WebCore::Layout::ConstraintsForInlineContent const&, WebCore::Layout::InlineDamage*)+0xaeb (WebCore:x86_64+0x6415bfb)
    #12 0x0001570664fa in WebCore::LayoutIntegration::LineLayout::layout()+0xcea (WebCore:x86_64+0x65264fa)
    #13 0x000158636cec in WebCore::RenderBlockFlow::layoutInlineContent(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0x1cdc (WebCore:x86_64+0x7af6cec)
    #14 0x0001586258e9 in WebCore::RenderBlockFlow::layoutInFlowChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0x469 (WebCore:x86_64+0x7ae58e9)
    #15 0x00015861d559 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)+0x1199 (WebCore:x86_64+0x7add559)
    #16 0x0001585bc1e2 in WebCore::RenderBlock::layout()+0x112 (WebCore:x86_64+0x7a7c1e2)
    #17 0x00015862d038 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0x1808 (WebCore:x86_64+0x7aed038)
    #18 0x000158629289 in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)+0x6c9 (WebCore:x86_64+0x7ae9289)
    #19 0x000158625e66 in WebCore::RenderBlockFlow::layoutInFlowChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0x9e6 (WebCore:x86_64+0x7ae5e66)
    #20 0x00015861d559 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)+0x1199 (WebCore:x86_64+0x7add559)
    #21 0x0001585bc1e2 in WebCore::RenderBlock::layout()+0x112 (WebCore:x86_64+0x7a7c1e2)
    #22 0x00015879e240 in WebCore::RenderFragmentedFlow::layout()+0x80 (WebCore:x86_64+0x7c5e240)
    #23 0x00015897a88e in WebCore::RenderMultiColumnFlow::layout()+0x31e (WebCore:x86_64+0x7e3a88e)
    #24 0x00015866f08e in WebCore::RenderBlockFlow::layoutExcludedChildren(bool)+0x22e (WebCore:x86_64+0x7b2f08e)
    #25 0x000158628f97 in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)+0x3d7 (WebCore:x86_64+0x7ae8f97)
    #26 0x000158625e66 in WebCore::RenderBlockFlow::layoutInFlowChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0x9e6 (WebCore:x86_64+0x7ae5e66)
    #27 0x00015861d559 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)+0x1199 (WebCore:x86_64+0x7add559)
    #28 0x0001585bc1e2 in WebCore::RenderBlock::layout()+0x112 (WebCore:x86_64+0x7a7c1e2)
    #29 0x00015862d038 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0x1808 (WebCore:x86_64+0x7aed038)
    #30 0x000158629289 in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)+0x6c9 (WebCore:x86_64+0x7ae9289)
    #31 0x000158625e66 in WebCore::RenderBlockFlow::layoutInFlowChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0x9e6 (WebCore:x86_64+0x7ae5e66)
    #32 0x00015861d559 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)+0x1199 (WebCore:x86_64+0x7add559)
    #33 0x0001585bc1e2 in WebCore::RenderBlock::layout()+0x112 (WebCore:x86_64+0x7a7c1e2)
    #34 0x00015879e240 in WebCore::RenderFragmentedFlow::layout()+0x80 (WebCore:x86_64+0x7c5e240)
    #35 0x00015897a88e in WebCore::RenderMultiColumnFlow::layout()+0x31e (WebCore:x86_64+0x7e3a88e)
    #36 0x00015866f08e in WebCore::RenderBlockFlow::layoutExcludedChildren(bool)+0x22e (WebCore:x86_64+0x7b2f08e)
    #37 0x000158628f97 in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)+0x3d7 (WebCore:x86_64+0x7ae8f97)
    #38 0x000158625e66 in WebCore::RenderBlockFlow::layoutInFlowChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0x9e6 (WebCore:x86_64+0x7ae5e66)
    #39 0x00015861d559 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)+0x1199 (WebCore:x86_64+0x7add559)
    #40 0x0001585bc1e2 in WebCore::RenderBlock::layout()+0x112 (WebCore:x86_64+0x7a7c1e2)
    #41 0x00015862d038 in WebCore::RenderBlockFlow::layoutBlockChild(WebCore::RenderBox&, WebCore::RenderBlockFlow::MarginInfo&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0x1808 (WebCore:x86_64+0x7aed038)
    #42 0x000158629289 in WebCore::RenderBlockFlow::layoutBlockChildren(bool, WebCore::LayoutUnit&)+0x6c9 (WebCore:x86_64+0x7ae9289)
    #43 0x000158625e66 in WebCore::RenderBlockFlow::layoutInFlowChildren(bool, WebCore::LayoutUnit&, WebCore::LayoutUnit&, WebCore::LayoutUnit&)+0x9e6 (WebCore:x86_64+0x7ae5e66)
    #44 0x00015861d559 in WebCore::RenderBlockFlow::layoutBlock(bool, WebCore::LayoutUnit)+0x1199 (WebCore:x86_64+0x7add559)
    #45 0x0001585bc1e2 in WebCore::RenderBlock::layout()+0x112 (WebCore:x86_64+0x7a7c1e2)
    #46 0x000158afbbdd in WebCore::RenderView::layout()+0x4cd (WebCore:x86_64+0x7fbbbdd)
    #47 0x000157683fdd in WebCore::LocalFrameViewLayoutContext::performLayout(bool)+0xa6d (WebCore:x86_64+0x6b43fdd)
    #48 0x000157644ba1 in WebCore::LocalFrameViewLayoutContext::layout(bool)+0x141 (WebCore:x86_64+0x6b04ba1)
    #49 0x000155c1c52f in WebCore::Document::updateLayout(WTF::OptionSet<WebCore::LayoutOptions>, WebCore::Element const*)+0xb8f (WebCore:x86_64+0x50dc52f)
    #50 0x0001566fab3b in WebCore::HTMLPlugInElement::renderWidgetLoadingPlugin() const+0x22b (WebCore:x86_64+0x5bbab3b)
    #51 0x0001566fa17a in WebCore::HTMLPlugInElement::bindingsInstance()+0x21a (WebCore:x86_64+0x5bba17a)
    #52 0x000154de03b9 in WebCore::pluginElementCustomGetOwnPropertySlot(WebCore::JSHTMLElement*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::PropertySlot&)+0x2c9 (WebCore:x86_64+0x42a03b9)
    #53 0x0001523a7f13 in WebCore::JSHTMLObjectElement::legacyPlatformObjectGetOwnProperty(JSC::JSObject*, JSC::JSGlobalObject*, JSC::PropertyName, JSC::PropertySlot&, bool)+0xf3 (WebCore:x86_64+0x1867f13)
    #54 0x00012f16fa7f in JSC::LLInt::performLLIntGetByID(JSC::BytecodeIndex, JSC::CodeBlock*, JSC::JSGlobalObject*, JSC::JSValue, JSC::Identifier const&, JSC::GetByIdModeMetadata&)+0x72ef (JavaScriptCore:x86_64+0x2d82a7f)
    #55 0x00012f16816b in llint_slow_path_get_by_id+0x38b (JavaScriptCore:x86_64+0x2d7b16b)
    #56 0x0001310231f1 in jsc_llint_llintOpWithMetadata__llintOpWithReturn__llintOp__commonOp__fn__fn__makeReturn__fn__fn__177_fn__opGetByIdSlow_LowLevelInterpreter_asm_508+0xd (JavaScriptCore:x86_64+0x4c361f1)
    #57 0x0001310399ee in jsc_llint_commonCallOp__llintOpWithMetadata__llintOpWithReturn__llintOp__commonOp__fn__fn__makeReturn__fn__fn__fn__696_callHelper__dispatch_LowLevelInterpreter64_asm_2538+0x2 (JavaScriptCore:x86_64+0x4c4c9ee)
    #58 0x0001310182c9 in llint_call_javascript+0x5 (JavaScriptCore:x86_64+0x4c2b2c9)
    #59 0x00012ec17bb1 in JSC::Interpreter::executeCall(JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)+0x8c1 (JavaScriptCore:x86_64+0x282abb1)
    #60 0x00012f39d47a in JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&)+0xfa (JavaScriptCore:x86_64+0x2fb047a)
    #61 0x000154db44e0 in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&)+0xb60 (WebCore:x86_64+0x42744e0)
    #62 0x000155df5a62 in WebCore::EventTarget::innerInvokeEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::RawPtrTraits<WebCore::RegisteredEventListener>, WTF::DefaultRefDerefTraits<WebCore::RegisteredEventListener>>, 1ul, WTF::CrashOnOverflow, 2ul, WTF::FastMalloc>, WebCore::EventTarget::EventInvokePhase)+0x522 (WebCore:x86_64+0x52b5a62)
    #63 0x000155dd4ecb in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WebCore::EventTarget::EventInvokePhase)+0x65b (WebCore:x86_64+0x5294ecb)
    #64 0x0001575c63d8 in WebCore::LocalDOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*)+0x3d8 (WebCore:x86_64+0x6a863d8)
    #65 0x0001575f2a43 in WebCore::LocalDOMWindow::dispatchLoadEvent()+0x483 (WebCore:x86_64+0x6ab2a43)
    #66 0x000155c326d9 in WebCore::Document::dispatchWindowLoadEvent()+0x119 (WebCore:x86_64+0x50f26d9)
    #67 0x000155c308db in WebCore::Document::implicitClose()+0x6db (WebCore:x86_64+0x50f08db)
    #68 0x000157151685 in WebCore::FrameLoader::checkCallImplicitClose()+0x1c5 (WebCore:x86_64+0x6611685)
    #69 0x00015714f7cb in WebCore::FrameLoader::checkCompleted()+0x4cb (WebCore:x86_64+0x660f7cb)
    #70 0x00015715278b in WebCore::FrameLoader::checkCompletenessNow()+0x30b (WebCore:x86_64+0x661278b)
    #71 0x0001571dd9da in WTF::Detail::CallableWrapper<WebCore::Timer::Timer<WebCore::FrameLoader, WebCore::FrameLoader>(WebCore::FrameLoader&, void (WebCore::FrameLoader::*)())::'lambda'(), void>::call()+0x19a (WebCore:x86_64+0x669d9da)
    #72 0x000157a6c377 in WebCore::ThreadTimers::sharedTimerFiredInternal()+0x397 (WebCore:x86_64+0x6f2c377)
    #73 0x000157ba50e8 in WebCore::timerFired(__CFRunLoopTimer*, void*)+0x78 (WebCore:x86_64+0x70650e8)
    #74 0x7ff8085e3bec in __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__+0x13 (CoreFoundation:x86_64h+0x92bec)
    #75 0x7ff8085e37d7 in __CFRunLoopDoTimer+0x325 (CoreFoundation:x86_64h+0x927d7)
    #76 0x7ff8085e33f5 in __CFRunLoopDoTimers+0x10e (CoreFoundation:x86_64h+0x923f5)
    #77 0x7ff8085cb153 in __CFRunLoopRun+0x8da (CoreFoundation:x86_64h+0x7a153)
    #78 0x7ff8085ca241 in CFRunLoopRunSpecific+0x217 (CoreFoundation:x86_64h+0x79241)
    #79 0x7ff809632d62 in -[NSRunLoop(NSRunLoop) runMode:beforeDate:]+0xd7 (Foundation:x86_64+0x5ad62)
    #80 0x7ff8096b3396 in -[NSRunLoop(NSRunLoop) run]+0x4b (Foundation:x86_64+0xdb396)
    #81 0x7ff8081ed1bf in _xpc_objc_main+0x271 (libxpc.dylib:x86_64+0x151bf)
    #82 0x7ff8081fa6f1 in _xpc_main+0x20 (libxpc.dylib:x86_64+0x226f1)
    #83 0x7ff8081ecdda in xpc_main+0x37 (libxpc.dylib:x86_64+0x14dda)
    #84 0x00011878d72f in WebKit::XPCServiceMain(int, char const**)+0x8f (WebKit:x86_64+0x15d072f)
    #85 0x7ff80813f52f in start+0xbef (dyld:x86_64+0xfffffffffff3252f)

==2699==Register values:
rax = 0x000060d00034db30  rbx = 0x0000612000165ef8  rcx = 0x0000000000000030  rdx = 0x000000015a342960
rdi = 0x000000000000005c  rsi = 0x000000015a341600  rbp = 0x00007ff7b951d190  rsp = 0x00007ff7b951d190
r8 = 0x0000000000000007  r9 = 0x0000000000000005  r10 = 0x0000000000000002  r11 = 0x00001c040001cc0f
r12 = 0x0000100000000000  r13 = 0x00000c240002cbdf  r14 = 0x00006120001657c0  r15 = 0x0000000000000000
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: TRAP (WebCore:x86_64+0x829603c) in WTF::KeyValuePair<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>, std::__1::unique_ptr<WebCore::ClipperData, std::__1::default_delete<WebCore::ClipperData>>>* WTF::HashTable<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>, WTF::KeyValuePair<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>, std::__1::unique_ptr<WebCore::ClipperData, std::__1::default_delete<WebCore::ClipperData>>>, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>, std::__1::unique_ptr<WebCore::ClipperData, std::__1::default_delete<WebCore::ClipperData>>>>, WTF::DefaultHash<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>>, WTF::HashMap<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>, std::__1::unique_ptr<WebCore::ClipperData, std::__1::default_delete<WebCore::ClipperData>>, WTF::DefaultHash<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>>, WTF::HashTraits<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>>, WTF::HashTraits<std::__1::unique_ptr<WebCore::ClipperData, std::__1::default_delete<WebCore::ClipperData>>>, WTF::HashTableTraits, (WTF::ShouldValidateKey)0>::KeyValuePairTraits, WTF::HashTraits<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>>, (WTF::ShouldValidateKey)0>::lookup<WTF::HashMapTranslator<WTF::HashMap<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>, std::__1::unique_ptr<WebCore::ClipperData, std::__1::default_delete<WebCore::ClipperData>>, WTF::DefaultHash<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>>, WTF::HashTraits<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>>, WTF::HashTraits<std::__1::unique_ptr<WebCore::ClipperData, std::__1::default_delete<WebCore::ClipperData>>>, WTF::HashTableTraits, (WTF::ShouldValidateKey)0>::KeyValuePairTraits, WTF::DefaultHash<WTF::WeakRef<WebCore::RenderObject const, WTF::SingleThreadWeakPtrImpl>>>, WebCore::RenderObject const*>(WebCore::RenderObject const* const&)+0x12c
==2699==ABORTING
com.apple.WebKit.WebContent.Development terminated (pid 2699) for reason: crash
#CRASHED - com.apple.WebKit.WebContent.Development (pid 2699)
Adan Lopez
Comment 1
2025-02-27 14:18:28 PST
<rdar://problem/144407636>
Adan Lopez
Comment 2
2025-02-27 14:22:39 PST
Pull request:
https://github.com/WebKit/WebKit/pull/41552
Adan Lopez
Comment 3
2025-02-27 14:28:49 PST
Pull request:
https://github.com/WebKit/WebKit/pull/41555
EWS
Comment 4
2025-03-04 17:57:08 PST
Committed 291601@main (10ac38dba49e): <https://commits.webkit.org/291601@main>

Reviewed commits have been landed. Closing PR #41555 and removing active labels.