Bug 261998

Summary: [Win] REGRESSION(268343@main): Crash under WebCore::PositionedDescendantsMap::removeContainingBlock
Product: WebKit Reporter: Fujii Hironori <Hironori.Fujii>
Component: WebCore Misc.Assignee: Fujii Hironori <Hironori.Fujii>
Status: RESOLVED FIXED    
Severity: Normal CC: cdumez, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   

Description Fujii Hironori 2023-09-23 05:49:59 PDT 
WinCairo is crashing for some layout tests.

Regressions: Unexpected crashes (18)
  compositing/composited-parent-clipping-layer-on-subpixel-position.html [ Crash ]
  compositing/hidpi-ancestor-subpixel-clipping.html [ Crash ]
  compositing/hidpi-box-positioned-off-by-one-when-non-compositing-transform-is-present.html [ Crash ]
  compositing/hidpi-composited-container-and-graphics-layer-gap-changes.html [ Crash ]
  compositing/hidpi-compositing-layer-with-zero-sized-container-offsets-above-one.html [ Crash ]
  compositing/hidpi-compositing-layer-with-zero-sized-container.html [ Crash ]
  compositing/hidpi-compositing-vs-non-compositing-check-on-testing-framework.html [ Crash ]
  compositing/hidpi-non-simple-compositing-layer-with-fractional-size-and-background.html [ Crash ]
  compositing/hidpi-sibling-composited-content-offset.html [ Crash ]
  compositing/hidpi-simple-container-layer-on-device-pixel.html [ Crash ]
  compositing/hidpi-subpixel-transform-origin.html [ Crash ]
  compositing/hidpi-transform-with-render-layer-on-fractional-pixel-value.html [ Crash ]
  compositing/layer-creation/mismatched-transform-transition-overlap.html [ Crash ]
  compositing/layer-creation/subtree-div-overlaps-multiple-negative-z-divs.html [ Crash ]
  compositing/layer-creation/translate-transition-overlap.html [ Crash ]
  compositing/parent-clipping-layer-on-subpixel-position.html [ Crash ]
  css3/filters/reference-filter-change-repaint.html [ Crash ]
  fast/forms/hidpi-textarea-on-subpixel-position.html [ Crash ]

268332@main good
268348@main bad https://build.webkit.org/#/builders/728/builds/2210

268334@main good
268352@main bad https://build.webkit.org/#/builders/727/builds/20987

 # Child-SP          RetAddr           Call Site
00 000000dc`1fd5c320 00007ff8`c3996cd7 WebCore!WTF::CompactPointerTuple<WTF::DefaultWeakPtrImpl *,unsigned short>::pointer(void)+0x19 [C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf\CompactPointerTuple.h @ 85]
01 000000dc`1fd5c350 00007ff8`c7be922a WebCore!WTF::CompactRefPtrTuple<WTF::DefaultWeakPtrImpl,unsigned short>::pointer(void)+0x17 [C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf\CompactRefPtrTuple.h @ 48]
02 000000dc`1fd5c380 00007ff8`c7c220a8 WebCore!WTF::WeakHashMap<WebCore::RenderBox const ,WTF::WeakPtr<WebCore::RenderBlock const ,WTF::DefaultWeakPtrImpl>,WTF::DefaultWeakPtrImpl>::keyImplIfExists<WebCore::RenderBox>(class WebCore::RenderBox * key = 0x0000025c`77715cd0)+0x2a [C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf\WeakHashMap.h @ 379]
03 000000dc`1fd5c3c0 00007ff8`c7c2256a WebCore!WTF::WeakHashMap<WebCore::RenderBox const ,WTF::WeakPtr<WebCore::RenderBlock const ,WTF::DefaultWeakPtrImpl>,WTF::DefaultWeakPtrImpl>::remove(class WebCore::RenderBox * key = 0x0000025c`77715cd0)+0x28 [C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf\WeakHashMap.h @ 275]
04 000000dc`1fd5c400 00007ff8`c7ba21a7 WebCore!WebCore::PositionedDescendantsMap::removeContainingBlock(class WebCore::RenderBlock * containingBlock = 0x0000025c`34985860)+0x11a [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebCore\rendering\RenderBlock.cpp @ 222]
05 000000dc`1fd5c510 00007ff8`c7ba8629 WebCore!WebCore::RenderBlock::blockWillBeDestroyed(void)+0x37 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebCore\rendering\RenderBlock.cpp @ 366]
06 000000dc`1fd5c550 00007ff8`c7d7e3f3 WebCore!WebCore::RenderBlockFlow::willBeDestroyed(void)+0x139 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebCore\rendering\RenderBlockFlow.cpp @ 171]
07 000000dc`1fd5c5b0 00007ff8`c658de0d WebCore!WebCore::RenderObject::destroy(void)+0x1c3 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebCore\rendering\RenderObject.cpp @ 1779]
08 000000dc`1fd5c600 00007ff8`c658e10e WebCore!WebCore::Document::destroyRenderTree(void)+0x39d [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebCore\dom\Document.cpp @ 2730]
09 000000dc`1fd5c730 00007ff8`c7425e2d WebCore!WebCore::Document::willBeRemovedFromFrame(void)+0x25e [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebCore\dom\Document.cpp @ 2790]
0a 000000dc`1fd5c910 00007ff8`c742607b WebCore!WebCore::LocalFrame::setView(class WTF::RefPtr<WebCore::LocalFrameView,WTF::RawPtrTraits<WebCore::LocalFrameView>,WTF::DefaultRefDerefTraits<WebCore::LocalFrameView> > * view = 0x000000dc`1fd5c9a8)+0xad [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebCore\page\LocalFrame.cpp @ 244]
0b 000000dc`1fd5c940 00007ff8`de85d3fa WebCore!WebCore::LocalFrame::createView(class WebCore::IntSize * viewportSize = 0x0000025c`349ce960, class std::optional<WebCore::Color> * backgroundColor = 0x0000025c`349ceca8, class WebCore::IntSize * fixedLayoutSize = 0x000000dc`1fd5cc60, class WebCore::IntRect * fixedVisibleContentRect = 0x000000dc`1fd5caa8, bool useFixedLayout = false, WebCore::ScrollbarMode horizontalScrollbarMode = Auto (0n0), bool horizontalLock = false, WebCore::ScrollbarMode verticalScrollbarMode = Auto (0n0), bool verticalLock = false)+0x11b [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebCore\page\LocalFrame.cpp @ 879]
0c 000000dc`1fd5ca30 00007ff8`c720247f WebKit2!WebKit::WebLocalFrameLoaderClient::transitionToCommittedForNewPage(void)+0x5aa [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebKit\WebProcess\WebCoreSupport\WebLocalFrameLoaderClient.cpp @ 1508]
0d 000000dc`1fd5ce20 00007ff8`c71fd806 WebCore!WebCore::FrameLoader::transitionToCommitted(class WebCore::CachedPage * cachedPage = 0x00000000`00000000)+0x61f [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebCore\loader\FrameLoader.cpp @ 2318]
0e 000000dc`1fd5cf40 00007ff8`c71b0ae8 WebCore!WebCore::FrameLoader::commitProvisionalLoad(void)+0x5b6 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebCore\loader\FrameLoader.cpp @ 2127]
0f 000000dc`1fd5d790 00007ff8`c71b27c3 WebCore!WebCore::DocumentLoader::commitIfReady(void)+0x38 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebCore\loader\DocumentLoader.cpp @ 416]
10 000000dc`1fd5d7c0 00007ff8`c71b507c WebCore!WebCore::DocumentLoader::finishedLoading(void)+0x223 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebCore\loader\DocumentLoader.cpp @ 488]
11 000000dc`1fd5d930 00007ff8`c71ab700 WebCore!WebCore::DocumentLoader::maybeLoadEmpty(void)+0x59c [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebCore\loader\DocumentLoader.cpp @ 2084]
12 000000dc`1fd5dc90 00007ff8`c7210f6c WebCore!WebCore::DocumentLoader::startLoadingMainResource(void)+0x2b0 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebCore\loader\DocumentLoader.cpp @ 2115]
13 000000dc`1fd5dfa0 00007ff8`c721335b WebCore!`WebCore::FrameLoader::continueLoadAfterNavigationPolicy'::`2'::<lambda_1>::operator()(void)+0xac [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebCore\loader\FrameLoader.cpp @ 3793]
14 000000dc`1fd5dfe0 00007ff8`c39d5d64 WebCore!WTF::Detail::CallableWrapper<`WebCore::FrameLoader::continueLoadAfterNavigationPolicy'::`2'::<lambda_1>,void>::call(void)+0x1b [C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf\Function.h @ 53]
15 000000dc`1fd5e010 00007ff8`c39f527f WebCore!WTF::Function<void __cdecl(void)+0x94 [C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf\Function.h @ 83]
16 000000dc`1fd5e050 00007ff8`c7203dd3 WebCore!WTF::CompletionHandler<void __cdecl(void)+0x8f [C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf\CompletionHandler.h @ 75]
17 000000dc`1fd5e0a0 00007ff8`c7210775 WebCore!WebCore::FrameLoader::continueLoadAfterNavigationPolicy(class WebCore::ResourceRequest * request = 0x0000025c`7745d2c0, class WebCore::FormState * formState = 0x00000000`00000000, WebCore::NavigationPolicyDecision navigationPolicyDecision = ContinueLoad (0n0), WebCore::AllowNavigationToInvalidURL allowNavigationToInvalidURL = Yes (0n1))+0x753 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebCore\loader\FrameLoader.cpp @ 3797]
18 000000dc`1fd5e550 00007ff8`c7212be1 WebCore!`WebCore::FrameLoader::loadWithDocumentLoader'::`2'::<lambda_2>::operator()(class WebCore::ResourceRequest * request = 0x0000025c`7745d2c0, class WTF::WeakPtr<WebCore::FormState,WTF::DefaultWeakPtrImpl> * formState = 0x000000dc`1fd5ea30, WebCore::NavigationPolicyDecision navigationPolicyDecision = ContinueLoad (0n0))+0x65 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebCore\loader\FrameLoader.cpp @ 1703]
19 000000dc`1fd5e5b0 00007ff8`c727f51d WebCore!WTF::Detail::CallableWrapper<`WebCore::FrameLoader::loadWithDocumentLoader'::`2'::<lambda_2>,void,WebCore::ResourceRequest &&,WTF::WeakPtr<WebCore::FormState,WTF::DefaultWeakPtrImpl> &&,enum WebCore::NavigationPolicyDecision>::call(class WebCore::ResourceRequest * <in_0> = 0x0000025c`7745d2c0, class WTF::WeakPtr<WebCore::FormState,WTF::DefaultWeakPtrImpl> * <in_1> = 0x000000dc`1fd5ea30, WebCore::NavigationPolicyDecision <in_2> = ContinueLoad (0n0))+0x41 [C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf\Function.h @ 53]
1a 000000dc`1fd5e5f0 00007ff8`c727f365 WebCore!WTF::Function<void __cdecl(class WebCore::ResourceRequest * <in_0> = 0x0000025c`7745d2c0, class WTF::WeakPtr<WebCore::FormState,WTF::DefaultWeakPtrImpl> * <in_1> = 0x000000dc`1fd5ea30, WebCore::NavigationPolicyDecision <in_2> = ContinueLoad (0n0))+0xbd [C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf\Function.h @ 83]
1b 000000dc`1fd5e630 00007ff8`c72716a1 WebCore!WTF::CompletionHandler<void __cdecl(class WebCore::ResourceRequest * <in_0> = 0x0000025c`7745d2c0, class WTF::WeakPtr<WebCore::FormState,WTF::DefaultWeakPtrImpl> * <in_1> = 0x000000dc`1fd5ea30, WebCore::NavigationPolicyDecision <in_2> = ContinueLoad (0n0))+0xb5 [C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf\CompletionHandler.h @ 75]
1c 000000dc`1fd5e690 00007ff8`c7274eaa WebCore!`WebCore::FrameLoader::PolicyChecker::checkNavigationPolicy'::`2'::<lambda_1>::operator()(WebCore::PolicyAction policyAction = Use (0n0), class WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::PolicyCheckIdentifierType,WTF::ObjectIdentifierMainThreadAccessTraits> > * responseIdentifier = 0x000000dc`1fd5eaf0)+0x471 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebCore\loader\PolicyChecker.cpp @ 234]
1d 000000dc`1fd5ead0 00007ff8`de897ac0 WebCore!WTF::Detail::CallableWrapper<`WebCore::FrameLoader::PolicyChecker::checkNavigationPolicy'::`2'::<lambda_1>,void,enum WebCore::PolicyAction,WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::PolicyCheckIdentifierType,WTF::ObjectIdentifierMainThreadAccessTraits> > >::call(WebCore::PolicyAction <in_0> = Use (0n0), class WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::PolicyCheckIdentifierType,WTF::ObjectIdentifierMainThreadAccessTraits> > * <in_1> = 0x000000dc`1fd5eb60)+0x4a [C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf\Function.h @ 53]
1e 000000dc`1fd5eb30 00007ff8`de96bb93 WebKit2!WTF::Function<void __cdecl(WebCore::PolicyAction <in_0> = Use (0n0), class WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::PolicyCheckIdentifierType,WTF::ObjectIdentifierMainThreadAccessTraits> > * <in_1> = 0x000000dc`1fd5ec60)+0xe0 [C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf\Function.h @ 83]
1f 000000dc`1fd5eba0 00007ff8`de861d3e WebKit2!WebKit::WebFrame::didReceivePolicyDecision(unsigned int64 listenerID = 4, class WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::PolicyCheckIdentifierType,WTF::ObjectIdentifierMainThreadAccessTraits> > * identifier = 0x000000dc`1fd5ed40, struct WebKit::PolicyDecision * policyDecision = 0x000000dc`1fd5ee60)+0x4d3 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebKit\WebProcess\WebPage\WebFrame.cpp @ 503]
20 000000dc`1fd5ed00 00007ff8`de87e36e WebKit2!`WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction'::`2'::<lambda_1>::operator()(struct WebKit::PolicyDecision * policyDecision = 0x000000dc`1fd5ee60)+0xae [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebKit\WebProcess\WebCoreSupport\WebFrameLoaderClient.cpp @ 177]
21 000000dc`1fd5ed90 00007ff8`de8728db WebKit2!std::invoke<`WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction'::`2'::<lambda_1>,WebKit::PolicyDecision>(class WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction::__l2::<lambda_1> * _Obj = 0x0000025c`776e43b8, struct WebKit::PolicyDecision * _Arg1 = 0x000000dc`1fd5ee60)+0x1e [C:\MSVS\VC\Tools\MSVC\14.37.32822\include\type_traits @ 1777]
22 000000dc`1fd5edc0 00007ff8`de873da5 WebKit2!std::_Apply_impl<`WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction'::`2'::<lambda_1>,std::tuple<WebKit::PolicyDecision>,0>(class WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction::__l2::<lambda_1> * _Obj = 0x0000025c`776e43b8, class std::tuple<WebKit::PolicyDecision> * _Tpl = 0x000000dc`1fd5ee60, struct std::integer_sequence<unsigned __int64,0> __formal = struct std::integer_sequence<unsigned __int64,0>)+0x2b [C:\MSVS\VC\Tools\MSVC\14.37.32822\include\tuple @ 1080]
23 000000dc`1fd5edf0 00007ff8`de874322 WebKit2!std::apply<`WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction'::`2'::<lambda_1>,std::tuple<WebKit::PolicyDecision> >(class WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction::__l2::<lambda_1> * _Obj = 0x0000025c`776e43b8, class std::tuple<WebKit::PolicyDecision> * _Tpl = 0x000000dc`1fd5ee60)+0x35 [C:\MSVS\VC\Tools\MSVC\14.37.32822\include\tuple @ 1092]
24 000000dc`1fd5ee30 00007ff8`de864b32 WebKit2!IPC::Connection::callReply<Messages::WebPageProxy::DecidePolicyForNavigationActionAsync,`WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction'::`2'::<lambda_1> >(class IPC::Decoder * decoder = 0x0000025c`77abfae0, class WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction::__l2::<lambda_1> * completionHandler = 0x0000025c`776e43b8)+0x82 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebKit\Platform\IPC\Connection.h @ 826]
25 000000dc`1fd5ef50 00007ff8`de8668cc WebKit2!`IPC::Connection::makeAsyncReplyHandler<Messages::WebPageProxy::DecidePolicyForNavigationActionAsync,`WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction'::`2'::<lambda_1> >'::`2'::<lambda_1>::operator()(class IPC::Decoder * decoder = 0x0000025c`77abfae0)+0x42 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebKit\Platform\IPC\Connection.h @ 808]
26 000000dc`1fd5ef80 00007ff8`dded9628 WebKit2!WTF::Detail::CallableWrapper<`IPC::Connection::makeAsyncReplyHandler<Messages::WebPageProxy::DecidePolicyForNavigationActionAsync,`WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction'::`2'::<lambda_1> >'::`2'::<lambda_1>,void,IPC::Decoder *>::call(class IPC::Decoder * <in_0> = 0x0000025c`77abfae0)+0x2c [C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf\Function.h @ 53]
27 000000dc`1fd5efc0 00007ff8`dded9570 WebKit2!WTF::Function<void __cdecl(class IPC::Decoder * <in_0> = 0x0000025c`77abfae0)+0xa8 [C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf\Function.h @ 83]
28 000000dc`1fd5f000 00007ff8`ddebf14f WebKit2!WTF::CompletionHandler<void __cdecl(class IPC::Decoder * <in_0> = 0x0000025c`77abfae0)+0xa0 [C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf\CompletionHandler.h @ 75]
29 000000dc`1fd5f060 00007ff8`ddebee29 WebKit2!IPC::Connection::dispatchMessage(class IPC::Decoder * decoder = 0x0000025c`77abfae0)+0x17f [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebKit\Platform\IPC\Connection.cpp @ 1216]
2a 000000dc`1fd5f0e0 00007ff8`ddebe6bd WebKit2!IPC::Connection::dispatchMessage(class std::unique_ptr<IPC::Decoder,std::default_delete<IPC::Decoder> > * message = 0x000000dc`1fd5f228)+0x2f9 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebKit\Platform\IPC\Connection.cpp @ 1283]
2b 000000dc`1fd5f1b0 00007ff8`ddec16ff WebKit2!IPC::Connection::dispatchOneIncomingMessage(void)+0x10d [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebKit\Platform\IPC\Connection.cpp @ 1347]
2c 000000dc`1fd5f260 00007ff8`ddec306b WebKit2!`IPC::Connection::enqueueIncomingMessage'::`19'::<lambda_2>::operator()(void)+0x1f [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebKit\Platform\IPC\Connection.cpp @ 1196]
2d 000000dc`1fd5f290 00007ff9`0451a9c3 WebKit2!WTF::Detail::CallableWrapper<`IPC::Connection::enqueueIncomingMessage'::`19'::<lambda_2>,void>::call(void)+0x1b [C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf\Function.h @ 53]
2e 000000dc`1fd5f2c0 00007ff9`045b1098 WTF!WTF::Function<void __cdecl(void)+0x93 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WTF\wtf\Function.h @ 83]
2f 000000dc`1fd5f300 00007ff9`04694c01 WTF!WTF::RunLoop::performWork(void)+0x198 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WTF\wtf\RunLoop.cpp @ 148]
30 000000dc`1fd5f410 00007ff9`04694b64 WTF!WTF::RunLoop::wndProc(struct HWND__ * hWnd = 0x00000000`5f4d00de, unsigned int message = 0x401, unsigned int64 wParam = 0x0000025c`348ee420, int64 lParam = 0n0)+0x41 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WTF\wtf\win\RunLoopWin.cpp @ 57]
31 000000dc`1fd5f450 00007ff8`fbe60089 WTF!WTF::RunLoop::RunLoopWndProc(struct HWND__ * hWnd = 0x00000000`5f4d00de, unsigned int message = 0x401, unsigned int64 wParam = 0x0000025c`348ee420, int64 lParam = 0n0)+0x54 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WTF\wtf\win\RunLoopWin.cpp @ 39]
32 000000dc`1fd5f4a0 00007ff8`fbe5fa02 USER32!CallWindowProcW+0x419
33 000000dc`1fd5f630 00007ff9`04694046 USER32!DispatchMessageW+0x1e2
34 000000dc`1fd5f6b0 00007ff8`dcf71b3b WTF!WTF::RunLoop::run(void)+0x66 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WTF\wtf\win\RunLoopWin.cpp @ 74]
35 000000dc`1fd5f740 00007ff8`dcf71903 WebKit2!WebKit::AuxiliaryProcessMainBase<WebKit::WebProcess,1>::run(int argc = 0n8, char ** argv = 0x0000025c`348fca20)+0xab [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebKit\Shared\AuxiliaryProcessMain.h @ 73]
36 000000dc`1fd5f790 00007ff8`dcf71745 WebKit2!WebKit::AuxiliaryProcessMain<WebKit::WebProcessMainWin>(int argc = 0n8, char ** argv = 0x0000025c`348fca20)+0x73 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebKit\Shared\AuxiliaryProcessMain.h @ 99]
37 000000dc`1fd5f850 00007ff7`30fe163d WebKit2!WebKit::WebProcessMain(int argc = 0n8, char ** argv = 0x0000025c`348fca20)+0x85 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebKit\WebProcess\win\WebProcessMainWin.cpp @ 58]
38 000000dc`1fd5f890 00007ff7`30fe1af4 WebKitWebProcess!main(int argc = 0n8, char ** argv = 0x0000025c`348fca20)+0x1d [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebKit\WebProcess\EntryPoint\win\WebProcessMain.cpp @ 35]
39 (Inline Function) --------`-------- WebKitWebProcess!invoke_main+0x22 [D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 78]
3a 000000dc`1fd5f8c0 00007ff9`00c54de0 WebKitWebProcess!__scrt_common_main_seh(void)+0x10c [D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 288]
3b 000000dc`1fd5f900 00007ff9`1541ec4b KERNEL32!BaseThreadInitThunk+0x10
3c 000000dc`1fd5f930 00000000`00000000 ntdll!RtlUserThreadStart+0x2b
Comment 1 Fujii Hironori 2023-09-23 05:50:37 PDT 
268343@main (bug#261545) is the culprit?
Comment 2 Fujii Hironori 2023-09-23 07:09:25 PDT 
I bisected and confirmed it happened after 268343@main.
Comment 3 Chris Dumez 2023-09-23 11:26:27 PDT 
Are you able to figure out which CheckedPtr is causing this? It will be hard for me without reproducing. Then I guess we can revert that particular CheckedPtr for now or switch to a WeakPtr.
Comment 4 Fujii Hironori 2023-09-23 15:25:38 PDT 
In removeContainingBlock, renderer doesn't seem to be a valid object.
https://github.com/WebKit/WebKit/blob/8aa2481bf186536ad7a85d228abc51f42c53a321/Source/WebCore/rendering/RenderBlock.cpp#L222
In the previous code, it is no problem because the code just removes a raw pointer from m_containerMap.
Comment 5 Fujii Hironori 2023-09-23 15:42:01 PDT 
Pull request: https://github.com/WebKit/WebKit/pull/18126
Comment 6 EWS 2023-09-24 11:28:57 PDT 
Committed 268373@main (e9f67fe4c9c1): <https://commits.webkit.org/268373@main>

Reviewed commits have been landed. Closing PR #18126 and removing active labels.
Comment 7 Radar WebKit Bug Importer 2023-09-24 11:29:13 PDT 
<rdar://problem/115962133>