RESOLVED FIXED300692
Crash in LabelsNodeList::~LabelsNodeList 
https://bugs.webkit.org/show_bug.cgi?id=300692
Summary Crash in LabelsNodeList::~LabelsNodeList
Ryosuke Niwa
Reported 2025-10-14 05:06:15 PDT
e.g. Thread 0 Crashed:: Dispatch queue: com.apple.main-thread: 0 WebCore 0x1acd2db58 WTFCrashWithInfo(int, char const*, char const*, int) + 24 (usr/local/include/wtf/Assertions.h:929) [inlined] 1 WebCore 0x1acd2db58 WTF::CanMakeCheckedPtrBase<WTF::SingleThreadIntegralWrapper<unsigned int>, unsigned int>::decrementCheckedPtrCount() const + 24 (usr/local/include/wtf/CheckedRef.h:290) [inlined] 2 WebCore 0x1acd2db58 WTF::CheckedPtr<WebCore::Element, WTF::RawPtrTraits<WebCore::Element>>::derefIfNotNull() + 24 (usr/local/include/wtf/CheckedPtr.h:185) [inlined] 3 WebCore 0x1acd2db58 WTF::CheckedPtr<WebCore::Element, WTF::RawPtrTraits<WebCore::Element>>::~CheckedPtr() + 24 (usr/local/include/wtf/CheckedPtr.h:72) [inlined] 4 WebCore 0x1acd2db58 WTF::CheckedPtr<WebCore::Element, WTF::RawPtrTraits<WebCore::Element>>::~CheckedPtr() + 24 (usr/local/include/wtf/CheckedPtr.h:71) [inlined] 5 WebCore 0x1acd2db58 WebCore::ElementIterator<WebCore::Element>::~ElementIterator() + 56 (/Library/Caches/com.apple.xbs/Sources/WebCore/Source/WebCore/dom/ElementIterator.h:40) [inlined] 6 WebCore 0x1acd2db58 WebCore::ElementDescendantIterator<WebCore::Element>::~ElementDescendantIterator() + 56 (/Library/Caches/com.apple.xbs/Sources/WebCore/Source/WebCore/dom/TypedElementDescendantIterator.h:56) [inlined] 7 WebCore 0x1acd2db58 WebCore::ElementDescendantIterator<WebCore::Element>::~ElementDescendantIterator() + 56 (/Library/Caches/com.apple.xbs/Sources/WebCore/Source/WebCore/dom/TypedElementDescendantIterator.h:56) [inlined] 8 WebCore 0x1acd2db58 WebCore::CollectionIndexCache<WebCore::LabelsNodeList, WebCore::ElementDescendantIterator<WebCore::Element>>::~CollectionIndexCache() + 56 (/Library/Caches/com.apple.xbs/Sources/WebCore/Source/WebCore/dom/CollectionIndexCache.h:37) [inlined] 9 WebCore 0x1acd2db58 WebCore::CollectionIndexCache<WebCore::LabelsNodeList, WebCore::ElementDescendantIterator<WebCore::Element>>::~CollectionIndexCache() + 56 (/Library/Caches/com.apple.xbs/Sources/WebCore/Source/WebCore/dom/CollectionIndexCache.h:37) [inlined] 10 WebCore 0x1acd2db58 WebCore::CachedLiveNodeList<WebCore::LabelsNodeList>::~CachedLiveNodeList() + 88 (/Library/Caches/com.apple.xbs/Sources/WebCore/Source/WebCore/dom/LiveNodeList.h:123) [inlined] 11 WebCore 0x1acd2db58 WebCore::LabelsNodeList::~LabelsNodeList() + 736 (/Library/Caches/com.apple.xbs/Sources/WebCore/Source/WebCore/html/LabelsNodeList.cpp:53) 12 WebCore 0x1acd2db74 WebCore::LabelsNodeList::~LabelsNodeList() + 4 (/Library/Caches/com.apple.xbs/Sources/WebCore/Source/WebCore/html/LabelsNodeList.cpp:51) [inlined] 13 WebCore 0x1acd2db74 WebCore::LabelsNodeList::~LabelsNodeList() + 16 (/Library/Caches/com.apple.xbs/Sources/WebCore/Source/WebCore/html/LabelsNodeList.cpp:51) 14 JavaScriptCore 0x1a5521730 JSC::JSDestructibleObjectDestroyFunc::operator()(JSC::VM&, JSC::JSCell*) const + 24 (/Library/Caches/com.apple.xbs/Sources/JavaScriptCore/Source/JavaScriptCore/./runtime/JSDestructibleObjectHeapCellType.cpp:43) [inlined] 15 JavaScriptCore 0x1a5521730 void JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)0, (JSC::MarkedBlock::Handle::SweepMode)0, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)0, JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::JSDestructibleObjectDestroyFunc const&)::&#39;lambda&#39;(void*)::operator()(void*) const + 32 (/Library/Caches/com.apple.xbs/Sources/JavaScriptCore/Source/JavaScriptCore/heap/MarkedBlockInlines.h:286) [inlined] 16 JavaScriptCore 0x1a5521730 void JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)0, (JSC::MarkedBlock::Handle::SweepMode)0, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)0, JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::JSDestructibleObjectDestroyFunc const&) + 356 (/Library/Caches/com.apple.xbs/Sources/JavaScriptCore/Source/JavaScriptCore/heap/MarkedBlockInlines.h:328) [inlined] 17 JavaScriptCore 0x1a5521730 void JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType<JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::JSDestructibleObjectDestroyFunc const&)::&#39;lambda&#39;()::operator()() const + 396 (/Library/Caches/com.apple.xbs/Sources/JavaScriptCore/Source/JavaScriptCore/heap/MarkedBlockInlines.h:468) [inlined] 18 JavaScriptCore 0x1a5521730 void JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType<JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::JSDestructibleObjectDestroyFunc const&) + 492 (/Library/Caches/com.apple.xbs/Sources/JavaScriptCore/Source/JavaScriptCore/heap/MarkedBlockInlines.h:510) [inlined] 19 JavaScriptCore 0x1a5521730 JSC::JSDestructibleObjectHeapCellType::finishSweep(JSC::MarkedBlock::Handle&, JSC::FreeList*) const + 536 (/Library/Caches/com.apple.xbs/Sources/JavaScriptCore/Source/JavaScriptCore/./runtime/JSDestructibleObjectHeapCellType.cpp:56) 20 JavaScriptCore 0x1a436a238 JSC::Subspace::finishSweep(JSC::MarkedBlock::Handle&, JSC::FreeList*) + 48 (/Library/Caches/com.apple.xbs/Sources/JavaScriptCore/Source/JavaScriptCore/./heap/Subspace.cpp:62) [inlined] 21 JavaScriptCore 0x1a436a238 JSC::MarkedBlock::Handle::sweep(JSC::FreeList*) + 2192 (/Library/Caches/com.apple.xbs/Sources/JavaScriptCore/Source/JavaScriptCore/./heap/MarkedBlock.cpp:502) <rdar://162254579>
Attachments
Add attachment proposed patch, testcase, etc.
Ryosuke Niwa
Comment 1 2025-10-14 05:10:14 PDT
Pull request: https://github.com/WebKit/WebKit/pull/52291
EWS
Comment 2 2025-10-14 17:32:07 PDT
Committed 301516@main (74aabff89f46): <https://commits.webkit.org/301516@main> Reviewed commits have been landed. Closing PR #52291 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.