Bug 256664

Summary:

Crash when destroying invalid ElementBox from LineLayout::removedFromTree

Product:

WebKit

Reporter:

Michael Catanzaro <mcatanzaro>

Component:

Layout and Rendering

Assignee:

Nobody <webkit-unassigned>

Status:

NEW ---

Severity:

Normal

CC:

bfulgham, mcatanzaro, simon.fraser, webkit-bug-importer, zalan

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

OS:

Linux

Attachments:

Description	Flags
Almost full backtrace (truncated at frame 37 because I got impatient waiting for gdb)	none

Description Michael Catanzaro 2023-05-11 14:29:10 PDT

Here's another crash I found in my coredumpctl. I have not seen this one before so it's probably not common. Not sure what web page triggered it. It's a failing assert here in CheckedRef.h:

    ~CanMakeCheckedPtrBase() { RELEASE_ASSERT(!m_count); }

which means the refcount was somehow nonzero when the CanMakeCheckedPtrBase was destroyed. Problem is the ElementBox that is being destroyed is an invalid pointer 0x2.

#0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0)
    at pthread_kill.c:44
#1  0x00007f3f2d0911f3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78
#2  0x00007f3f2d03f00e in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3  0x00007f3f2d0287fc in __GI_abort () at abort.c:79
#4  0x00007f3f2daec4cf in WTFCrashWithInfo(int, char const*, char const*, int) () at WTF/Headers/wtf/Assertions.h:758
#5  0x00007f3f2f7180fd in WTF::CanMakeCheckedPtrBase<WTF::SingleThreadIntegralWrapper<unsigned int>, unsigned int>::~CanMakeCheckedPtrBase() (this=0x7f3e4941f1f8) at WTF/Headers/wtf/CheckedRef.h:242
#6  WebCore::Layout::Box::~Box() (this=0x7f3e4941f1f0)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/layout/layouttree/LayoutBox.cpp:58
#7  0x00007f3f2f719905 in WebCore::Layout::ElementBox::~ElementBox() (this=0x2)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/layout/layouttree/LayoutElementBox.cpp:60
#8  0x00007f3f2f71785f in std::default_delete<WebCore::Layout::Box>::operator()(WebCore::Layout::Box*) const
    (this=0x7ffce69d7320, __ptr=0x2)
    at /usr/bin/../lib/gcc/x86_64-unknown-linux-gnu/12.2.0/../../../../include/c++/12.2.0/bits/unique_ptr.h:95
#9  std::unique_ptr<WebCore::Layout::Box, std::default_delete<WebCore::Layout::Box> >::~unique_ptr()
    (this=0x7ffce69d7320)
    at /usr/bin/../lib/gcc/x86_64-unknown-linux-gnu/12.2.0/../../../../include/c++/12.2.0/bits/unique_ptr.h:396
#10 WTF::UniqueRef<WebCore::Layout::Box>::~UniqueRef() (this=0x7ffce69d7320) at WTF/Headers/wtf/UniqueRef.h:57
#11 WebCore::LayoutIntegration::LineLayout::removedFromTree(WebCore::RenderElement const&, WebCore::RenderObject&)
    (this=<optimized out>, parent=<optimized out>, child=<optimized out>)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/layout/integration/inline/LayoutIntegrationLineLayout.cpp:1247
#12 0x00007f3f2fd4407c in WebCore::invalidateLineLayoutAfterTreeMutationIfNeeded(WebCore::RenderObject&, WebCore::IsRemoval) (renderer=..., isRemoval=WebCore::IsRemoval::Yes)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderObject.cpp:1732
#13 WebCore::RenderObject::willBeRemovedFromTree(WebCore::RenderObject::IsInternalMove) (this=0x7f3e7a0b5060)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderObject.cpp:1750
#14 0x00007f3f2fd12358 in WebCore::RenderLayerModelObject::willBeRemovedFromTree(WebCore::RenderObject::IsInternalMove) (this=0x7f3e7a0b5060, isInternalMove=WebCore::RenderObject::IsInternalMove::No)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderLayerModelObject.cpp:92
#15 0x00007f3f2fe6efc3 in WebCore::RenderTreeBuilder::detachFromRenderElement(WebCore::RenderElement&, WebCore::RenderObject&, WebCore::RenderTreeBuilder::WillBeDestroyed)
     (this=0x7ffce69d9ec8, parent=..., child=..., willBeDestroyed=WebCore::RenderTreeBuilder::WillBeDestroyed::Yes)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:970
#16 0x00007f3f2fe6e603 in WebCore::RenderTreeBuilder::Block::detach(WebCore::RenderBlock&, WebCore::RenderObject&, WebCore::RenderTreeBuilder::CanCollapseAnonymousBlock)
    (this=0x7f3ca55dbd90, parent=..., oldChild=..., canCollapseAnonymousBlock=<optimized out>)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/updating/RenderTreeBuilderBlock.cpp:297
#17 0x00007f3f2fe6e169 in WebCore::RenderTreeBuilder::Block::detach(WebCore::RenderBlockFlow&, WebCore::RenderObject&, WebCore::RenderTreeBuilder::CanCollapseAnonymousBlock)
    (this=0x7f3ca55dbd90, parent=..., child=..., canCollapseAnonymousBlock=<optimized out>)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/updating/RenderTreeBuilderBlock.cpp:391
#18 0x00007f3f2fe6ba4a in WebCore::RenderTreeBuilder::detach(WebCore::RenderElement&, WebCore::RenderObject&, WebCore::RenderTreeBuilder::CanCollapseAnonymousBlock)
    (this=0x7ffce69d9ec8, parent=..., child=<optimized out>, canCollapseAnonymousBlock=WebCore::RenderTreeBuilder::CanCollapseAnonymousBlock::Yes)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:395
#19 0x00007f3f2fe6b4e1 in WebCore::RenderTreeBuilder::destroy(WebCore::RenderObject&, WebCore::RenderTreeBuilder::CanCollapseAnonymousBlock) (this=0x7ffce69d9ec8, renderer=..., canCollapseAnonymousBlock=<optimized out>)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:153
#20 0x00007f3f2fe71245 in WebCore::RenderTreeBuilder::destroyAndCleanUpAnonymousWrappers(WebCore::RenderObject&)
    (this=0x7ffce69d9ec8, rendererToDestroy=...)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:885
--Type <RET> for more, q to quit, c to continue without paging--c
#21 0x00007f3f2fe7f0c2 in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&)::$_10::operator()(unsigned int) const (this=this@entry=0x7ffce69d7660, depth=15) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:643
#22 0x00007f3f2fe7de7b in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&) (root=..., teardownType=WebCore::RenderTreeUpdater::TeardownType::FullAfterSlotChange, builder=...) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:656
#23 0x00007f3f2fe7ed2b in WebCore::RenderTreeUpdater::tearDownRenderersAfterSlotChange(WebCore::Element&) (host=...) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:576
#24 0x00007f3f2f2c840b in WebCore::NamedSlotAssignment::didChangeSlot(WTF::AtomString const&, WebCore::ShadowRoot&) (this=0x7f3e717dde20, slotAttrValue=<optimized out>, shadowRoot=...) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/dom/SlotAssignment.cpp:299
#25 0x00007f3f2f240b31 in WebCore::ShadowRoot::hostChildElementDidChange(WebCore::Element const&) (this=0x6, childElement=...) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/dom/SlotAssignment.h:213
#26 WebCore::Element::insertedIntoAncestor(WebCore::Node::InsertionType, WebCore::ContainerNode&) (this=0x7f3ca51d8ee0, insertionType=..., parentOfInsertedTree=...) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/dom/Element.cpp:2674
#27 0x00007f3f2f412df9 in WebCore::HTMLElement::insertedIntoAncestor(WebCore::Node::InsertionType, WebCore::ContainerNode&) (this=0x2, insertionType=..., parentOfInsertedTree=...) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/html/HTMLElement.cpp:433
#28 0x00007f3f2f4425af in WebCore::HTMLMaybeFormAssociatedCustomElement::insertedIntoAncestor(WebCore::Node::InsertionType, WebCore::ContainerNode&) (this=0x2, insertionType=..., parentOfInsertedTree=...) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/html/HTMLMaybeFormAssociatedCustomElement.cpp:124
#29 0x00007f3f2f1d257d in WebCore::notifyNodeInsertedIntoDocument(WebCore::ContainerNode&, WebCore::Node&, WebCore::TreeScopeChange, WTF::Vector<WTF::Ref<WebCore::Node, WTF::RawPtrTraits<WebCore::Node> >, 11ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&) (parentOfInsertedTree=..., node=..., treeScopeChange=WebCore::TreeScopeChange::Changed, postInsertionNotificationTargets=WTF::Vector of length 0, capacity 3103784944) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/dom/ContainerNodeAlgorithms.cpp:50
#30 0x00007f3f2f1d246a in WebCore::notifyChildNodeInserted(WebCore::ContainerNode&, WebCore::Node&, WTF::Vector<WTF::Ref<WebCore::Node, WTF::RawPtrTraits<WebCore::Node> >, 11ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&) (parentOfInsertedTree=..., node=..., postInsertionNotificationTargets=WTF::Vector of length 0, capacity 11) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/dom/ContainerNodeAlgorithms.cpp:105
#31 0x00007f3f2f1cd5a7 in WebCore::executeNodeInsertionWithScriptAssertion<WebCore::ContainerNode::appendChildWithoutPreInsertionValidityCheck(WebCore::Node&)::$_4>(WebCore::ContainerNode&, WebCore::Node&, WebCore::Node*, WebCore::ContainerNode::ChildChange::Source, WebCore::ReplacedAllChildren, WebCore::ContainerNode::appendChildWithoutPreInsertionValidityCheck(WebCore::Node&)::$_4) (containerNode=..., child=..., beforeChild=0x0, source=WebCore::ContainerNode::ChildChange::Source::API, replacedAllChildren=WebCore::ReplacedAllChildren::No, doNodeInsertion=...) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/dom/ContainerNode.cpp:289
#32 WebCore::ContainerNode::appendChildWithoutPreInsertionValidityCheck(WebCore::Node&) (this=0x7f3e7a025710, newChild=...) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/dom/ContainerNode.cpp:838
#33 0x00007f3f2f1ccaaa in WebCore::ContainerNode::insertBefore(WebCore::Node&, WebCore::Node*) (this=0x7f3e7a025710, newChild=..., refChild=<optimized out>) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/dom/ContainerNode.cpp:478
#34 0x00007f3f2f28b652 in WebCore::Node::insertBefore(WebCore::Node&, WebCore::Node*) (this=0x2, newChild=..., refChild=0x7f3f2d091184 <__pthread_kill_implementation+292>) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/dom/Node.cpp:521
#35 0x00007f3f2e87f69c in WebCore::jsNodePrototypeFunction_insertBeforeBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSNode*)::{lambda()#1}::operator()() const (this=<optimized out>) at WebCore/DerivedSources/JSNode.cpp:839
#36 WebCore::invokeFunctorPropagatingExceptionIfNecessary<WebCore::jsNodePrototypeFunction_insertBeforeBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSNode*)::{lambda()#1}>(JSC::JSGlobalObject&, JSC::ThrowScope&, WebCore::jsNodePrototypeFunction_insertBeforeBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSNode*)::{lambda()#1}&&) (lexicalGlobalObject=..., throwScope=..., functor=<optimized out>) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/bindings/js/JSDOMExceptionHandling.h:96
#37 WebCore::jsNodePrototypeFunction_insertBeforeBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSNode*) (lexicalGlobalObject=0x7f3ec5019068, callFrame=<optimized out>, castedThis=<optimized out>) at WebCore/DerivedSources/JSNode.cpp:839
#38 WebCore::IDLOperation<WebCore::JSNode>::call<&WebCore::jsNodePrototypeFunction_insertBeforeBody, (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) (lexicalGlobalObject=..., callFrame=<optimized out>, operationName=<optimized out>) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/bindings/js/JSDOMOperation.h:63
#39 WebCore::jsNodePrototypeFunction_insertBefore(JSC::JSGlobalObject*, JSC::CallFrame*) (lexicalGlobalObject=0x7f3ec5019068, callFrame=<optimized out>) at WebCore/DerivedSources/JSNode.cpp:845
#40 0x00007f3ec80081b8 in  ()
#41 0x00007ffce69da590 in  ()
#42 0x00007f3ec85ee0eb in  ()
#43 0x0000000000000000 in  ()

This backtrace is taken with WebKitGTK 2.41.3.

Comment 1 Michael Catanzaro 2023-05-11 14:33:46 PDT

Created attachment 466323 [details]
Almost full backtrace (truncated at frame 37 because I got impatient waiting for gdb)

Comment 2 zalan 2023-05-11 18:53:46 PDT

is this ToT? if not, this might be a dupe of bug 255744.

Comment 3 Michael Catanzaro 2023-05-12 08:06:53 PDT

(In reply to zalan from comment #2)
> is this ToT?

It's WebKitGTK 2.41.3 which is 263229@main, so the fix in 263234@main is not included (just a little too late!).

Comment 4 Radar WebKit Bug Importer 2023-05-18 14:30:21 PDT

<rdar://problem/109532478>