RESOLVED FIXED 291738
Tab Crash When ASSERTION FAILED: startList->size() == endList->size()
https://bugs.webkit.org/show_bug.cgi?id=291738
pubmailaddr
Reported 2025-04-18 02:01:22 PDT
Created attachment 474955 [details]
Example used for reproduction

# Steps to reproduce the problem:
1. Prepare WebKit build with version 2.49.1.
2. Launch the browser and open the 2267.html
3. Wait a few seconds
4. Tab Crashed

# Some Additional Information

## Settings
OS Version: Ubuntu 22.04.4 LTS
WebKit Version: webkitgtk-2.49.1 (Instrumented With ASan)

## ASan Report
```
libEGL warning: DRI2: failed to authenticate
WARNING: ASAN interferes with JSC signal handlers; useWasmFastMemory and useWasmFaultSignalHandler will be disabled.
libEGL warning: DRI2: failed to authenticate
WARNING: ASAN interferes with JSC signal handlers; useWasmFastMemory and useWasmFaultSignalHandler will be disabled.
libEGL warning: DRI2: failed to authenticate
ERROR: Failed to make thread real time: GDBus.Error:org.freedesktop.DBus.Error.Failed: No such file or directory
/home/mojo/webkit-git/WebKit/Source/WTF/wtf/linux/RealTimeThreads.cpp(224) : void WTF::RealTimeThreads::realTimeKitMakeThreadRealTime(uint64_t, uint64_t, uint32_t)
WARNING: ASAN interferes with JSC signal handlers; useWasmFastMemory and useWasmFaultSignalHandler will be disabled.
libEGL warning: pci id for fd 16: 1234:1111, driver (null)
ERROR: Failed to make thread real time: GDBus.Error:org.freedesktop.DBus.Error.Failed: GDBus.Error:org.freedesktop.DBus.Error.Failed: No such file or directory
/home/mojo/webkit-git/WebKit/Source/WTF/wtf/linux/RealTimeThreads.cpp(224) : void WTF::RealTimeThreads::realTimeKitMakeThreadRealTime(uint64_t, uint64_t, uint32_t)
libEGL warning: DRI2: failed to authenticate
WARNING: ASAN interferes with JSC signal handlers; useWasmFastMemory and useWasmFaultSignalHandler will be disabled.
libEGL warning: pci id for fd 18: 1234:1111, driver (null)
ERROR: Failed to make thread real time: GDBus.Error:org.freedesktop.DBus.Error.Failed: GDBus.Error:org.freedesktop.DBus.Error.Failed: No such file or directory
/home/mojo/webkit-git/WebKit/Source/WTF/wtf/linux/RealTimeThreads.cpp(224) : void WTF::RealTimeThreads::realTimeKitMakeThreadRealTime(uint64_t, uint64_t, uint32_t)
ASSERTION FAILED: startList->size() == endList->size()
/home/mojo/webkit-git/WebKit/Source/WebCore/css/ShorthandSerializer.cpp(1395) : String WebCore::ShorthandSerializer::serializeAnimationRange() const
1 0x72d7fb470272 WTFReportBacktrace
2 0x72d8147f6d23 WebCore::ShorthandSerializer::serializeAnimationRange() const
3 0x72d8147ee15d WebCore::ShorthandSerializer::serialize()
4 0x72d8147fda19 WebCore::serializeShorthandValue(WebCore::CSS::SerializationContext const&, WebCore::StyleProperties const&, WebCore::CSSPropertyID)
5 0x72d8147fee13 WebCore::StyleProperties::serializeShorthandValue(WebCore::CSS::SerializationContext const&, WebCore::CSSPropertyID) const
6 0x72d8148011b4 WebCore::StyleProperties::asTextInternal(WebCore::CSS::SerializationContext const&) const
7 0x72d81480075b WebCore::StyleProperties::asText(WebCore::CSS::SerializationContext const&) const
8 0x72d815ce802a WebCore::StyledMarkupAccumulator::appendStartTag(WTF::StringBuilder&, WebCore::Element const&, bool, WebCore::StyledMarkupAccumulator::RangeFullySelectsNode)
9 0x72d815cf80bf WebCore::StyledMarkupAccumulator::appendStartTag(WTF::StringBuilder&, WebCore::Element const&, WTF::HashMap<WTF::AtomString, WTF::AtomStringImpl*, WTF::DefaultHash<WTF::AtomString>, WTF::HashTraits<WTF::AtomString>, WTF::HashTraits<WTF::AtomStringImpl*>, WTF::HashTableTraits, (WTF::ShouldValidateKey)0, WTF::FastMalloc>*)
10 0x72d815be514e WebCore::MarkupAccumulator::startAppendingNode(WebCore::Node const&, WTF::HashMap<WTF::AtomString, WTF::AtomStringImpl*, WTF::DefaultHash<WTF::AtomString>, WTF::HashTraits<WTF::AtomString>, WTF::HashTraits<WTF::AtomStringImpl*>, WTF::HashTableTraits, (WTF::ShouldValidateKey)0, WTF::FastMalloc>*)
11 0x72d815ceca1f WebCore::StyledMarkupAccumulator::traverseNodesForSerialization(WebCore::Node&, WebCore::Node*, WebCore::StyledMarkupAccumulator::NodeTraversalMode)::$_1::operator()(WebCore::Node&) const
12 0x72d815cebad2 WebCore::StyledMarkupAccumulator::traverseNodesForSerialization(WebCore::Node&, WebCore::Node*, WebCore::StyledMarkupAccumulator::NodeTraversalMode)
13 0x72d815ceb14f WebCore::StyledMarkupAccumulator::serializeNodes(WebCore::Position const&, WebCore::Position const&)
14 0x72d815ceeff2 WebCore::serializePreservingVisualAppearanceInternal(WebCore::Position const&, WebCore::Position const&, WTF::Vector<WTF::Ref<WebCore::Node, WTF::RawPtrTraits<WebCore::Node>, WTF::DefaultRefDerefTraits<WebCore::Node> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>*, WebCore::ResolveURLs, WebCore::SerializeComposedTree, WebCore::IgnoreUserSelectNone, WebCore::AnnotateForInterchange, WebCore::ConvertBlocksToInlines, WebCore::StandardFontFamilySerializationMode, WebCore::MSOListMode, WebCore::PreserveBaseElement, WebCore::PreserveDirectionForInlineText)
15 0x72d815cefaae WebCore::serializePreservingVisualAppearance(WebCore::VisibleSelection const&, WebCore::ResolveURLs, WebCore::SerializeComposedTree, WebCore::IgnoreUserSelectNone, WebCore::PreserveBaseElement, WebCore::PreserveDirectionForInlineText, WTF::Vector<WTF::Ref<WebCore::Node, WTF::RawPtrTraits<WebCore::Node>, WTF::DefaultRefDerefTraits<WebCore::Node> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>*)
16 0x72d80e6aa43b WebKit::WebEditorClient::updateGlobalSelection(WebCore::LocalFrame*)
17 0x72d80e55d887 WebKit::WebEditorClient::respondToChangedSelection(WebCore::LocalFrame*)
18 0x72d815b6f408 WebCore::Editor::respondToChangedSelection(WebCore::VisibleSelection const&, WTF::OptionSet<WebCore::FrameSelection::SetSelectionOption>)
19 0x72d815b7fe00 WebCore::FrameSelection::setSelectionWithoutUpdatingAppearance(WebCore::VisibleSelection const&, WTF::OptionSet<WebCore::FrameSelection::SetSelectionOption>, WebCore::FrameSelection::CursorAlignOnScroll, WebCore::TextGranularity)
20 0x72d815b39412 WebCore::FrameSelection::setSelection(WebCore::VisibleSelection const&, WTF::OptionSet<WebCore::FrameSelection::SetSelectionOption>, WebCore::AXTextStateChangeIntent, WebCore::FrameSelection::CursorAlignOnScroll, WebCore::TextGranularity)
21 0x72d815b377b2 WebCore::FrameSelection::selectAll()
22 0x72d815ba9b4a WebCore::executeSelectAll(WebCore::LocalFrame&, WebCore::Event*, WebCore::EditorCommandSource, WTF::String const&)
23 0x72d815b54386 WebCore::Editor::Command::execute(WTF::String const&, WebCore::Event*) const
24 0x72d8154d3d76 WebCore::Document::execCommand(WTF::String const&, bool, std::variant<WTF::String, WTF::RefPtr<WebCore::TrustedHTML, WTF::RawPtrTraits<WebCore::TrustedHTML>, WTF::DefaultRefDerefTraits<WebCore::TrustedHTML> > > const&)
25 0x72d810247fe9 WebCore::jsDocumentPrototypeFunction_execCommandBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSDocument*)
26 0x72d810247876 long WebCore::IDLOperation<WebCore::JSDocument>::call<&WebCore::jsDocumentPrototypeFunction_execCommandBody, (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*)
27 0x72d810211054 WebCore::jsDocumentPrototypeFunction_execCommand(JSC::JSGlobalObject*, JSC::CallFrame*)
28 0x72d76e810038 ???

** (MiniBrowser:205348): WARNING **: 04:59:34.808: WebProcess CRASHED
```
Attachments
Example used for reproduction (367 bytes, text/html)
2025-04-18 02:01 PDT, pubmailaddr
video demonstration of the reproduction (12.22 MB, video/mp4)
2025-05-05 05:10 PDT, pubmailaddr
Alexey Proskuryakov
Comment 1 2025-04-21 17:49:03 PDT
FWIW, I cannot reproduce this on macOS. Which is strange, as this trace and test both look pretty cross-platform.
Radar WebKit Bug Importer
Comment 2 2025-04-25 02:02:15 PDT
Antoine Quint
Comment 3 2025-05-05 02:10:28 PDT
Indeed, this does not reproduce with an ASan build with 294498@main. Can the person who filed this bug reproduce this reliably? If so, with what revision?
pubmailaddr
Comment 4 2025-05-05 05:10:31 PDT
Created attachment 475138 [details] video demonstration of the reproduction
pubmailaddr
Comment 5 2025-05-05 05:10:56 PDT
We built WebKit using this commit: commit 91bc53c356a3bbe243cb58a622c61768f840d279 (HEAD, tag: wpewebkit-2.49.1) which allows us to reliably reproduce the case. We have also uploaded a video demonstration of the reproduction.
Antoine Quint
Comment 6 2025-05-14 08:37:33 PDT
I could not reproduce the issue with either ASan or Debug builds with revisions 293152@main (matches the reported revision) and ToT.
pubmailaddr
Comment 7 2025-05-14 08:41:16 PDT
Do you reproduce it on Linux or macOS? If on Linux, perhaps I can provide some more help.
Antoine Quint
Comment 8 2025-05-14 08:44:44 PDT
`ShorthandSerializer::serializeAnimationRange()` does not get hit when I load the test file, so somehow Linux and Mac end up in diverging codepaths here.
Antoine Quint
Comment 9 2025-05-14 08:45:05 PDT
I only have access to macOS, so this was tested on Mac.
Antoine Quint
Comment 10 2025-05-14 08:49:43 PDT
The stack trace is GTK-specific, since `WebEditorClient::updateGlobalSelection()` is involved.
pubmailaddr
Comment 11 2025-05-14 08:51:21 PDT
We ran the testing on Linux, and it seems there are so many differences between macOS and Linux. BTW, could you please teach me how we build a webkit on macOS and then test it using Selenium to drive it? So that we can test the macOS version. I didn't find any driver stuff on macOS like WebKitWebDriver of Linux to be used together with Selenium.
pubmailaddr
Comment 12 2025-05-14 08:53:59 PDT
I also attempted to launch the custom-built WebKit with Safari by setting the DYLD_FRAMEWORK_PATH environment, but it failed somehow.
pubmailaddr
Comment 13 2025-05-14 08:56:21 PDT
I wonder whether it is still valuable or not for us to test the GTK version. It seems that you pay more attention to the macOS version.
Antoine Quint
Comment 14 2025-05-14 09:04:48 PDT
OK, on macOS you need to also hit Cmd+C to actually trigger a copy which will yield a similar call stack and hit the assertion. Great, now I can debug this.
pubmailaddr
Comment 15 2025-05-14 09:08:31 PDT
congrats :)
Antoine Quint
Comment 16 2025-05-14 09:16:56 PDT
I expect we're hitting this assertion because during parsing of `animation-range` we typically ensure we have matching lengths for the longhands `animation-range-start` and `animation-range-end` but under this code path, there is no such provision.
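The length invariant described in the comment above, as an added JavaScript model that is not WebKit code (the real serializer is C++ in ShorthandSerializer.cpp and operates on parsed CSSValue lists). The model shows why the shorthand path always yields equal-length `animation-range-start` and `animation-range-end` lists while the longhand path does not, and it declines to serialize a mismatched pair instead of asserting; the function names, the string-based tokenizer and the defaulting rule for an omitted end value (same range name when the start is a bare name, otherwise `normal`) are this example's assumptions, and the page does not say what the landed fix does.

```javascript
// Added model of the invariant behind the assertion in
// ShorthandSerializer::serializeAnimationRange(). Not WebKit code; names,
// tokenizer and defaulting rules are this example's assumptions.

// Split a comma-separated CSS list (animation-range values nest nothing).
function splitList(value) {
  return value.split(',').map((s) => s.trim()).filter((s) => s.length > 0);
}

// Token classes used by the simplified grammar (assumption: a small subset
// of <length-percentage> units is enough for the demonstration).
const isOffset = (tok) => /^-?\d*\.?\d+(%|px|em|rem|vh|vw)$/.test(tok);
const isName = (tok) => /^[a-zA-Z-]+$/.test(tok) && tok !== 'normal';

// Consume one range value: normal | <offset> | <name> | <name> <offset>.
// Returns [value, nextIndex] or null when no tokens remain.
function takeRangeValue(tokens, i) {
  if (i >= tokens.length) return null;
  if (tokens[i] === 'normal' || isOffset(tokens[i])) return [tokens[i], i + 1];
  if (isName(tokens[i])) {
    if (i + 1 < tokens.length && isOffset(tokens[i + 1])) {
      return [`${tokens[i]} ${tokens[i + 1]}`, i + 2];
    }
    return [tokens[i], i + 1];
  }
  throw new SyntaxError(`bad animation-range token: ${tokens[i]}`);
}

// Shorthand path: each comma-separated item is `<start> <end>?`, so every
// item contributes exactly one start and one end value. This is the
// "provision" that keeps the two longhand lists the same length.
function parseAnimationRangeShorthand(shorthand) {
  const start = [];
  const end = [];
  for (const item of splitList(shorthand)) {
    const tokens = item.split(/\s+/);
    const s = takeRangeValue(tokens, 0);
    if (!s) throw new SyntaxError('empty animation-range item');
    const e = takeRangeValue(tokens, s[1]);
    if (e && e[1] !== tokens.length) {
      throw new SyntaxError(`trailing tokens in "${item}"`);
    }
    start.push(s[0]);
    // Omitted end (assumed defaulting rule): same name for a bare range
    // name, otherwise `normal`.
    end.push(e ? e[0] : (isName(s[0]) ? s[0] : 'normal'));
  }
  return { start, end };
}

// Longhand path: the two properties are set independently, so nothing
// forces their list lengths to agree. This is the case the assertion trips on.
function fromLonghands(startValue, endValue) {
  return { start: splitList(startValue), end: splitList(endValue) };
}

// Serializer model. Where the C++ code asserts start.size() == end.size(),
// this returns null ("not representable as a shorthand") on a mismatch.
function serializeAnimationRange(start, end) {
  if (start.length !== end.length) return null;
  return start.map((s, i) => {
    const defaultEnd = isName(s) ? s : 'normal';
    return end[i] === defaultEnd ? s : `${s} ${end[i]}`;
  }).join(', ');
}

// Demonstration on constructed values.
const viaShorthand = parseAnimationRangeShorthand('entry 10% exit 90%, cover');
console.log(serializeAnimationRange(viaShorthand.start, viaShorthand.end));
const viaLonghands = fromLonghands('entry 10%, cover', 'normal');
console.log(serializeAnimationRange(viaLonghands.start, viaLonghands.end));
```

Run with `node`: the shorthand round-trips to `entry 10% exit 90%, cover`, while the independently set longhands (two start values, one end value) serialize to `null` rather than crashing the process.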
Antoine Quint
Comment 17 2025-05-14 09:39:01 PDT
EWS
Comment 18 2025-05-16 03:23:40 PDT
Committed 294999@main (a8cec25e37d5): <https://commits.webkit.org/294999@main> Reviewed commits have been landed. Closing PR #45373 and removing active labels.