WebKit Bugzilla
RESOLVED FIXED
305689
Release assert in performLayout via WebPage::unapplyEditCommand through WebEditorClient::undo
https://bugs.webkit.org/show_bug.cgi?id=305689
Ryosuke Niwa
Reported
2026-01-17 00:20:51 PST
e.g.
#0 0x00016b808e80 in WTFCrashWithInfo(int, char const*, char const*, int)+0x64 (WebCore:arm64e+0x6b8e80)
#1 0x0001758cea54 in WebCore::LocalFrameViewLayoutContext::performLayout(bool)+0x2a30 (WebCore:arm64e+0xa77ea54)
#2 0x00017583d87c in WebCore::LocalFrameViewLayoutContext::layout(bool)+0x158 (WebCore:arm64e+0xa6ed87c)
#3 0x0001735a2790 in WebCore::Document::updateLayout(WTF::OptionSet<WebCore::LayoutOptions, (WTF::ConcurrencyTag)0>, WebCore::Element const*)+0xf84 (WebCore:arm64e+0x8452790)
#4 0x000173c52a7c in WebCore::EditCommandComposition::unapply(WebCore::EditCommandComposition::AddToUndoStack)+0x414 (WebCore:arm64e+0x8b02a7c)
#5 0x00011b3b0e98 in WebKit::WebPage::unapplyEditCommand(unsigned long long)+0x200 (WebKit:arm64e+0x12ce98)
#6 0x00011e264d64 in WebKit::WebPage::didReceiveMessage(IPC::Connection&, IPC::Decoder&)+0x36c0 (WebKit:arm64e+0x2fe0d64)
#7 0x0001224086b4 in IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&)+0x474 (WebKit:arm64e+0x71846b4)
#8 0x00011fc87ea4 in WebKit::AuxiliaryProcess::dispatchMessage(IPC::Connection&, IPC::Decoder&)+0x44 (WebKit:arm64e+0x4a03ea4)
#9 0x00011d2de6bc in WebKit::AuxiliaryProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&)+0x180 (WebKit:arm64e+0x205a6bc)
#10 0x00011e3c83cc in WebKit::WebProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&)+0x994 (WebKit:arm64e+0x31443cc)
#11 0x000122355980 in IPC::Connection::dispatchMessage(WTF::UniqueRef<IPC::Decoder>)+0xf6c (WebKit:arm64e+0x70d1980)
#12 0x00012233f0bc in IPC::Connection::SyncMessageState::ConnectionAndIncomingMessage::dispatch()+0xcc (WebKit:arm64e+0x70bb0bc)
#13 0x00012233e6c0 in IPC::Connection::SyncMessageState::dispatchMessages(WTF::Function<void (IPC::MessageName, unsigned long long)>&&)+0x430 (WebKit:arm64e+0x70ba6c0)
#14 0x00012234c730 in IPC::Connection::waitForSyncReply(WTF::ObjectIdentifierGeneric<IPC::SyncRequestIDType, WTF::ObjectIdentifierThreadSafeAccessTraits<unsigned long long>, unsigned long long>, IPC::MessageName, IPC::Timeout, WTF::OptionSet<IPC::SendSyncOption, (WTF::ConcurrencyTag)0>)+0x170 (WebKit:arm64e+0x70c8730)
#15 0x0001223471f4 in IPC::Connection::sendSyncMessage(WTF::ObjectIdentifierGeneric<IPC::SyncRequestIDType, WTF::ObjectIdentifierThreadSafeAccessTraits<unsigned long long>, unsigned long long>, WTF::UniqueRef<IPC::Encoder>&&, IPC::Timeout, WTF::OptionSet<IPC::SendSyncOption, (WTF::ConcurrencyTag)0>)+0x300 (WebKit:arm64e+0x70c31f4)
#16 0x0001216448dc in IPC::ConnectionSendSyncResult<Messages::RemoteImageDecoderAVFProxy::CreateFrameImageAtIndex> IPC::Connection::sendSync<Messages::RemoteImageDecoderAVFProxy::CreateFrameImageAtIndex>(Messages::RemoteImageDecoderAVFProxy::CreateFrameImageAtIndex&&, unsigned long long, IPC::Timeout, WTF::OptionSet<IPC::SendSyncOption, (WTF::ConcurrencyTag)0>)+0x1c8 (WebKit:arm64e+0x63c08dc)
#17 0x000121643488 in WTF::Detail::CallableWrapper<WebKit::RemoteImageDecoderAVF::createFrameImageAtIndex(unsigned long, WebCore::SubsamplingLevel, WebCore::DecodingOptions const&)::$_0, void>::call()+0x244 (WebKit:arm64e+0x63bf488)
#18 0x000127067d14 in WTF::callOnMainRunLoopAndWait(WTF::Function<void ()>&&)+0x118 (JavaScriptCore:arm64e+0x5c3d14)
#19 0x0001215eab44 in WebKit::RemoteImageDecoderAVF::createFrameImageAtIndex(unsigned long, WebCore::SubsamplingLevel, WebCore::DecodingOptions const&)+0x438 (WebKit:arm64e+0x6366b44)
#20 0x000176102fc4 in WebCore::BitmapImageSource::nativeImageAtIndexCacheIfNeeded(unsigned int, WebCore::SubsamplingLevel, WebCore::DecodingOptions const&)+0x5e0 (WebCore:arm64e+0xafb2fc4)
#21 0x000176106764 in WebCore::BitmapImageSource::nativeImageAtIndex(unsigned int)+0xb8 (WebCore:arm64e+0xafb6764)
#22 0x0001760f1ad4 in WebCore::DestinationColorSpace WebCore::BitmapImageDescriptor::primaryNativeImageMetadata<WebCore::DestinationColorSpace>(WebCore::DestinationColorSpace&, WebCore::DestinationColorSpace const&, WebCore::BitmapImageDescriptor::CachedFlag, WebCore::DestinationColorSpace (WebCore::NativeImage::*)() const) const+0x108 (WebCore:arm64e+0xafa1ad4)
#23 0x0001760f35b0 in WebCore::BitmapImageDescriptor::hasHDRColorSpace() const+0x428 (WebCore:arm64e+0xafa35b0)
#24 0x00017614c93c in WebCore::BitmapImageSource::hasHDRContent() const+0x40 (WebCore:arm64e+0xaffc93c)
#25 0x0001770153d0 in WebCore::RenderElement::imageContentChanged(WebCore::CachedImage&)+0x114 (WebCore:arm64e+0xbec53d0)
#26 0x000177014f68 in WebCore::RenderElement::notifyFinished(WebCore::CachedResource&, WebCore::NetworkLoadMetrics const&, WebCore::LoadWillContinueInAnotherProcess)+0xe8 (WebCore:arm64e+0xbec4f68)
#27 0x000177129e90 in WebCore::RenderImage::notifyFinished(WebCore::CachedResource&, WebCore::NetworkLoadMetrics const&, WebCore::LoadWillContinueInAnotherProcess)+0x480 (WebCore:arm64e+0xbfd9e90)
#28 0x00017549f704 in WebCore::CachedResource::didAddClient(WebCore::CachedResourceClient&)+0x360 (WebCore:arm64e+0xa34f704)
#29 0x0001754b1888 in WebCore::CachedImage::didAddClient(WebCore::CachedResourceClient&)+0x344 (WebCore:arm64e+0xa361888)
#30 0x000177130158 in WebCore::RenderImageResource::setCachedImage(WebCore::CachedResourceHandle<WebCore::CachedImage>&&)+0x370 (WebCore:arm64e+0xbfe0158)
#31 0x00017421f590 in WebCore::HTMLImageElement::didAttachRenderers()+0x350 (WebCore:arm64e+0x90cf590)
#32 0x0001778e3d34 in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&)+0x36cc (WebCore:arm64e+0xc793d34)
#33 0x0001778de948 in WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update, std::__1::default_delete<WebCore::Style::Update>>)+0x278 (WebCore:arm64e+0xc78e948)
#34 0x00017359c7b0 in WebCore::Document::updateRenderTree(std::__1::unique_ptr<WebCore::Style::Update, std::__1::default_delete<WebCore::Style::Update>>)+0x138 (WebCore:arm64e+0x844c7b0)
#35 0x00017359d02c in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType)+0x700 (WebCore:arm64e+0x844d02c)
#36 0x0001735a204c in WebCore::Document::updateLayout(WTF::OptionSet<WebCore::LayoutOptions, (WTF::ConcurrencyTag)0>, WebCore::Element const*)+0x840 (WebCore:arm64e+0x845204c)
#37 0x000173d121e4 in WebCore::Editor::unappliedEditing(WebCore::EditCommandComposition&)+0x150 (WebCore:arm64e+0x8bc21e4)
#38 0x000173c52d9c in WebCore::EditCommandComposition::unapply(WebCore::EditCommandComposition::AddToUndoStack)+0x734 (WebCore:arm64e+0x8b02d9c)
#39 0x00011b3b0e98 in WebKit::WebPage::unapplyEditCommand(unsigned long long)+0x200 (WebKit:arm64e+0x12ce98)
#40 0x00011e264d64 in WebKit::WebPage::didReceiveMessage(IPC::Connection&, IPC::Decoder&)+0x36c0 (WebKit:arm64e+0x2fe0d64)
#41 0x0001224086b4 in IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&)+0x474 (WebKit:arm64e+0x71846b4)
#42 0x00011fc87ea4 in WebKit::AuxiliaryProcess::dispatchMessage(IPC::Connection&, IPC::Decoder&)+0x44 (WebKit:arm64e+0x4a03ea4)
#43 0x00011d2de6bc in WebKit::AuxiliaryProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&)+0x180 (WebKit:arm64e+0x205a6bc)
#44 0x00011e3c83cc in WebKit::WebProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&)+0x994 (WebKit:arm64e+0x31443cc)
#45 0x000122355980 in IPC::Connection::dispatchMessage(WTF::UniqueRef<IPC::Decoder>)+0xf6c (WebKit:arm64e+0x70d1980)
#46 0x00012233f0bc in IPC::Connection::SyncMessageState::ConnectionAndIncomingMessage::dispatch()+0xcc (WebKit:arm64e+0x70bb0bc)
#47 0x00012233e6c0 in IPC::Connection::SyncMessageState::dispatchMessages(WTF::Function<void (IPC::MessageName, unsigned long long)>&&)+0x430 (WebKit:arm64e+0x70ba6c0)
#48 0x00012234c730 in IPC::Connection::waitForSyncReply(WTF::ObjectIdentifierGeneric<IPC::SyncRequestIDType, WTF::ObjectIdentifierThreadSafeAccessTraits<unsigned long long>, unsigned long long>, IPC::MessageName, IPC::Timeout, WTF::OptionSet<IPC::SendSyncOption, (WTF::ConcurrencyTag)0>)+0x170 (WebKit:arm64e+0x70c8730)
#49 0x0001223471f4 in IPC::Connection::sendSyncMessage(WTF::ObjectIdentifierGeneric<IPC::SyncRequestIDType, WTF::ObjectIdentifierThreadSafeAccessTraits<unsigned long long>, unsigned long long>, WTF::UniqueRef<IPC::Encoder>&&, IPC::Timeout, WTF::OptionSet<IPC::SendSyncOption, (WTF::ConcurrencyTag)0>)+0x300 (WebKit:arm64e+0x70c31f4)
#50 0x000121a8f108 in IPC::ConnectionSendSyncResult<Messages::WebPageProxy::ExecuteUndoRedo> IPC::Connection::sendSync<Messages::WebPageProxy::ExecuteUndoRedo>(Messages::WebPageProxy::ExecuteUndoRedo&&, unsigned long long, IPC::Timeout, WTF::OptionSet<IPC::SendSyncOption, (WTF::ConcurrencyTag)0>)+0x198 (WebKit:arm64e+0x680b108)
#51 0x000121a8eb58 in IPC::ConnectionSendSyncResult<Messages::WebPageProxy::ExecuteUndoRedo> IPC::MessageSender::sendSync<Messages::WebPageProxy::ExecuteUndoRedo>(Messages::WebPageProxy::ExecuteUndoRedo&&, unsigned long long, IPC::Timeout, WTF::OptionSet<IPC::SendSyncOption, (WTF::ConcurrencyTag)0>)+0x278 (WebKit:arm64e+0x680ab58)
#52 0x00011b3b0854 in WebKit::WebEditorClient::undo()+0x120 (WebKit:arm64e+0x12c854)

<rdar://163994841>
Ryosuke Niwa
Comment 1
2026-01-17 00:22:13 PST
rdar://163994841
Ryosuke Niwa
Comment 2
2026-01-17 00:45:21 PST
Pull request: https://github.com/WebKit/WebKit/pull/56757
EWS
Comment 3
2026-01-18 08:37:43 PST
Committed 305778@main (b08cb7a8eb99): <https://commits.webkit.org/305778@main>

Reviewed commits have been landed. Closing PR #56757 and removing active labels.