Bug 264382

Summary: WTFCrash in ~CanMakeCheckedPtrBase of ~EventTarget
Product: WebKit Reporter: Fujii Hironori <Hironori.Fujii>
Component: DOMAssignee: Fujii Hironori <Hironori.Fujii>
Status: RESOLVED FIXED    
Severity: Normal CC: cdumez, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=261589
Attachments:
Description Flags
page-cache-iframe-provisional-load-crash-log.txt
none
debugging patch
none
crash log with the debugging patch comment#5
none
WIP patch
none
WIP patch none

Description Fujii Hironori 2023-11-07 21:14:17 PST 
Created attachment 468510 [details]
page-cache-iframe-provisional-load-crash-log.txt

Today, I observed a crash for running layout tests with Windows Release builds of 270344@main.
This is the second time I observed this crash for running layout tests.
I don't know how to reproduce this crash. 

Regressions: Unexpected crashes (1)
  http/tests/navigation/page-cache-iframe-provisional-load.html [ Crash ]


 # Child-SP          RetAddr               Call Site
00 00000018`1915e8d0 00007ffc`5c10a21d     WTF!WTFCrash(void)+0xe [C:\webkit\Source\WTF\wtf\Assertions.cpp @ 333]
01 00000018`1915e900 00007ffc`5d013c8c     WebCore!WTFCrashWithInfo(void)+0x1d [C:\webkit\WebKitBuild\Release\WTF\Headers\wtf\Assertions.h @ 778]
02 (Inline Function) --------`--------     WebCore!WTF::CanMakeCheckedPtrBase<WTF::SingleThreadIntegralWrapper<unsigned int>,unsigned int>::~CanMakeCheckedPtrBase(void)+0xab [C:\webkit\WebKitBuild\Release\WTF\Headers\wtf\CheckedRef.h @ 325]
03 00000018`1915e940 00007ffc`5d264480     WebCore!WebCore::EventTarget::~EventTarget(void)+0x11c [C:\webkit\Source\WebCore\dom\EventTarget.cpp @ 77]
04 00000018`1915e980 00007ffc`5d0340ff     WebCore!WebCore::TextDocument::~TextDocument(int should_call_delete = 0n1)+0x10 [C:\webkit\Source\WebCore\html\TextDocument.h @ 31]
05 (Inline Function) --------`--------     WebCore!WebCore::Document::decrementReferencingNodeCount(void)+0x23 [C:\webkit\Source\WebCore\dom\Document.h @ 431]
06 00000018`1915e9c0 00007ffc`5cfe5fff     WebCore!WebCore::Node::~Node(void)+0xcf [C:\webkit\Source\WebCore\dom\Node.cpp @ 453]
07 00000018`1915ea00 00007ffc`5d1d29b0     WebCore!WebCore::Element::~Element(void)+0x13f [C:\webkit\Source\WebCore\dom\Element.cpp @ 277]
08 00000018`1915ea50 00007ffc`5d2bddc4     WebCore!WebCore::HTMLHeadElement::~HTMLHeadElement(int should_call_delete = 0n1)+0x10 [C:\webkit\Source\WebCore\html\HTMLHeadElement.h @ 30]
09 (Inline Function) --------`--------     WebCore!WebCore::Node::deref(void)+0x12 [C:\webkit\Source\WebCore\dom\Node.h @ 822]
0a (Inline Function) --------`--------     WebCore!WTF::DefaultRefDerefTraits<WebCore::ContainerNode>::derefIfNotNull(class WebCore::ContainerNode * ptr = <Value unavailable error>)+0x17 [C:\webkit\WebKitBuild\Release\WTF\Headers\wtf\RefPtr.h @ 43]
0b (Inline Function) --------`--------     WebCore!WTF::RefPtr<WebCore::ContainerNode,WTF::RawPtrTraits<WebCore::ContainerNode>,WTF::DefaultRefDerefTraits<WebCore::ContainerNode> >::~RefPtr(void)+0x23 [C:\webkit\WebKitBuild\Release\WTF\Headers\wtf\RefPtr.h @ 75]
0c (Inline Function) --------`--------     WebCore!WebCore::HTMLStackItem::~HTMLStackItem(void)+0x2c [C:\webkit\Source\WebCore\html\parser\HTMLStackItem.h @ 38]
0d 00000018`1915ea90 00007ffc`5d2c80fe     WebCore!WebCore::HTMLConstructionSite::~HTMLConstructionSite(void)+0x84 [C:\webkit\Source\WebCore\html\parser\HTMLConstructionSite.cpp @ 280]
0e 00000018`1915ead0 00007ffc`5d2c2a6e     WebCore!WebCore::HTMLTreeBuilder::~HTMLTreeBuilder(void)+0xce [C:\webkit\Source\WebCore\html\parser\HTMLTreeBuilder.h @ 238]
0f (Inline Function) --------`--------     WebCore!std::default_delete<WebCore::HTMLTreeBuilder>::operator()(class WebCore::HTMLTreeBuilder * _Ptr = 0x0000018d`f7d9e2a0)+0x8 [C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\include\memory @ 3180]
10 (Inline Function) --------`--------     WebCore!std::unique_ptr<WebCore::HTMLTreeBuilder,std::default_delete<WebCore::HTMLTreeBuilder> >::~unique_ptr(void)+0x14 [C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\include\memory @ 3290]
11 00000018`1915eb10 00007ffc`5d2ecee0     WebCore!WebCore::HTMLDocumentParser::~HTMLDocumentParser(void)+0xee [C:\webkit\Source\WebCore\html\parser\HTMLDocumentParser.cpp @ 96]
12 00000018`1915eb50 00007ffc`5d452e30     WebCore!WebCore::TextDocumentParser::~TextDocumentParser(int should_call_delete = 0n1)+0x10 [C:\webkit\Source\WebCore\html\parser\TextDocumentParser.h @ 31]
13 (Inline Function) --------`--------     WebCore!std::default_delete<WebCore::DocumentParser>::operator()(class WebCore::DocumentParser * _Ptr = <Value unavailable error>)+0xa [C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\include\memory @ 3180]
14 (Inline Function) --------`--------     WebCore!WTF::RefCounted<WebCore::DocumentParser,std::default_delete<WebCore::DocumentParser> >::deref(void)+0x16 [C:\webkit\WebKitBuild\Release\WTF\Headers\wtf\RefCounted.h @ 190]
15 (Inline Function) --------`--------     WebCore!WTF::DefaultRefDerefTraits<WebCore::DocumentParser>::derefIfNotNull(class WebCore::DocumentParser * ptr = <Value unavailable error>)+0x1b [C:\webkit\WebKitBuild\Release\WTF\Headers\wtf\RefPtr.h @ 43]
16 (Inline Function) --------`--------     WebCore!WTF::RefPtr<WebCore::DocumentParser,WTF::RawPtrTraits<WebCore::DocumentParser>,WTF::DefaultRefDerefTraits<WebCore::DocumentParser> >::~RefPtr(void)+0x27 [C:\webkit\WebKitBuild\Release\WTF\Headers\wtf\RefPtr.h @ 75]
17 00000018`1915eb90 00007ffc`5d452a4d     WebCore!WebCore::DocumentWriter::~DocumentWriter(void)+0x30 [C:\webkit\Source\WebCore\loader\DocumentWriter.h @ 44]
18 00000018`1915ebd0 00007ffc`652ba7c1     WebCore!WebCore::DocumentLoader::~DocumentLoader(void)+0xc2d [C:\webkit\Source\WebCore\loader\DocumentLoader.cpp @ 222]
19 00000018`1915ec30 00007ffc`5d186a21     WebKit2!WebKit::WebDocumentLoader::~WebDocumentLoader(int should_call_delete = 0n1)+0x11 [C:\webkit\Source\WebKit\WebProcess\WebPage\WebDocumentLoader.h @ 33]
1a (Inline Function) --------`--------     WebCore!std::default_delete<WebCore::DocumentLoader>::operator()(class WebCore::DocumentLoader * _Ptr = <Value unavailable error>)+0xb [C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\include\memory @ 3180]
1b (Inline Function) --------`--------     WebCore!WTF::RefCounted<WebCore::DocumentLoader,std::default_delete<WebCore::DocumentLoader> >::deref(void)+0x17 [C:\webkit\WebKitBuild\Release\WTF\Headers\wtf\RefCounted.h @ 190]
1c (Inline Function) --------`--------     WebCore!WTF::DefaultRefDerefTraits<WebCore::DocumentLoader>::derefIfNotNull(class WebCore::DocumentLoader * ptr = <Value unavailable error>)+0x1c [C:\webkit\WebKitBuild\Release\WTF\Headers\wtf\RefPtr.h @ 43]
1d (Inline Function) --------`--------     WebCore!WTF::RefPtr<WebCore::DocumentLoader,WTF::RawPtrTraits<WebCore::DocumentLoader>,WTF::DefaultRefDerefTraits<WebCore::DocumentLoader> >::~RefPtr(void)+0x28 [C:\webkit\WebKitBuild\Release\WTF\Headers\wtf\RefPtr.h @ 75]
1e 00000018`1915ec70 00007ffc`5d18695a     WebCore!WebCore::CachedFrameBase::~CachedFrameBase(void)+0x111 [C:\webkit\Source\WebCore\history\CachedFrame.cpp @ 76]
1f (Inline Function) --------`--------     WebCore!std::default_delete<WebCore::CachedFrame>::operator()(class WebCore::CachedFrame * _Ptr = 0x0000018d`f7c5a010)+0x8 [C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\include\memory @ 3180]
20 (Inline Function) --------`--------     WebCore!std::unique_ptr<WebCore::CachedFrame,std::default_delete<WebCore::CachedFrame> >::~unique_ptr(void)+0x11 [C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\include\memory @ 3290]
21 (Inline Function) --------`--------     WebCore!WTF::UniqueRef<WebCore::CachedFrame>::~UniqueRef(void)+0x11 [C:\webkit\WebKitBuild\Release\WTF\Headers\wtf\UniqueRef.h @ 57]
22 (Inline Function) --------`--------     WebCore!WTF::VectorDestructor<1,WTF::UniqueRef<WebCore::CachedFrame> >::destruct(class WTF::UniqueRef<WebCore::CachedFrame> * begin = 0x0000018d`f42ad2c0, class WTF::UniqueRef<WebCore::CachedFrame> * end = <Value unavailable error>)+0x2d [C:\webkit\WebKitBuild\Release\WTF\Headers\wtf\Vector.h @ 70]
23 (Inline Function) --------`--------     WebCore!WTF::VectorTypeOperations<WTF::UniqueRef<WebCore::CachedFrame> >::destruct(class WTF::UniqueRef<WebCore::CachedFrame> * begin = 0x0000018d`f42ad2c0, class WTF::UniqueRef<WebCore::CachedFrame> * end = <Value unavailable error>)+0x2d [C:\webkit\WebKitBuild\Release\WTF\Headers\wtf\Vector.h @ 253]
24 (Inline Function) --------`--------     WebCore!WTF::Vector<WTF::UniqueRef<WebCore::CachedFrame>,0,WTF::CrashOnOverflow,16,WTF::FastMalloc>::~Vector(void)+0x3a [C:\webkit\WebKitBuild\Release\WTF\Headers\wtf\Vector.h @ 766]
25 00000018`1915ecd0 00007ffc`5d183be7     WebCore!WebCore::CachedFrameBase::~CachedFrameBase(void)+0x4a [C:\webkit\Source\WebCore\history\CachedFrame.cpp @ 76]
26 (Inline Function) --------`--------     WebCore!std::default_delete<WebCore::CachedFrame>::operator()(class WebCore::CachedFrame * _Ptr = 0x0000018d`f7c59670)+0x8 [C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\include\memory @ 3180]
27 (Inline Function) --------`--------     WebCore!std::unique_ptr<WebCore::CachedFrame,std::default_delete<WebCore::CachedFrame> >::~unique_ptr(void)+0x11 [C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\include\memory @ 3290]
28 00000018`1915ed30 00007ffc`5d182552     WebCore!WebCore::CachedPage::~CachedPage(void)+0x97 [C:\webkit\Source\WebCore\history\CachedPage.cpp @ 80]
29 (Inline Function) --------`--------     WebCore!std::default_delete<WebCore::CachedPage>::operator()(class WebCore::CachedPage * _Ptr = 0x0000018d`f430c560)+0x8 [C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\include\memory @ 3180]
2a (Inline Function) --------`--------     WebCore!std::unique_ptr<WebCore::CachedPage,std::default_delete<WebCore::CachedPage> >::reset(class WebCore::CachedPage * _Ptr = <Value unavailable error>)+0x18 [C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\include\memory @ 3325]
2b (Inline Function) --------`--------     WebCore!std::unique_ptr<WebCore::CachedPage,std::default_delete<WebCore::CachedPage> >::operator=(class std::unique_ptr<WebCore::CachedPage,std::default_delete<WebCore::CachedPage> > * _Right = <Value unavailable error>)+0x18 [C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\include\memory @ 3277]
2c (Inline Function) --------`--------     WebCore!WebCore::HistoryItem::setCachedPage(class std::unique_ptr<WebCore::CachedPage,std::default_delete<WebCore::CachedPage> > * cachedPage = <Value unavailable error>)+0x1f [C:\webkit\Source\WebCore\history\HistoryItem.cpp @ 155]
2d 00000018`1915ed80 00007ffc`65155ddb     WebCore!WebCore::BackForwardCache::remove(class WebCore::HistoryItem * item = 0x0000018d`b01cbba0)+0x102 [C:\webkit\Source\WebCore\history\BackForwardCache.cpp @ 599]
2e 00000018`1915edd0 00007ffc`64d416f6     WebKit2!WebKit::WebProcess::clearCachedPage(class WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::BackForwardItemIdentifierType,WTF::ObjectIdentifierMainThreadAccessTraits> > * backForwardItemID = <Value unavailable error>, class WTF::CompletionHandler<void ()> * completionHandler = 0x00000018`1915ee70)+0x2b [C:\webkit\Source\WebKit\WebProcess\WebProcess.cpp @ 1998]
2f (Inline Function) --------`--------     WebKit2!IPC::callMemberFunction<WebKit::WebProcess,WebKit::WebProcess,void (class WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::BackForwardItemIdentifierType,WTF::ObjectIdentifierMainThreadAccessTraits> > * args = <Value unavailable error>)+0x20 [C:\webkit\Source\WebKit\Platform\IPC\HandleMessage.h @ 147]
30 (Inline Function) --------`--------     WebKit2!std::invoke(class IPC::callMemberFunction<WebKit::WebProcess,WebKit::WebProcess,void (WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::BackForwardItemIdentifierType,WTF::ObjectIdentifierMainThreadAccessTraits> >, WTF::CompletionHandler<void ()> &&),std::tuple<WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::BackForwardItemIdentifierType,WTF::ObjectIdentifierMainThreadAccessTraits> > >,void ()>::<lambda_1> * _Obj = <Value unavailable error>, class WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::BackForwardItemIdentifierType,WTF::ObjectIdentifierMainThreadAccessTraits> > * _Arg1 = <Value unavailable error>)+0x20 [C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\include\type_traits @ 1762]
31 (Inline Function) --------`--------     WebKit2!std::_Apply_impl(class IPC::callMemberFunction<WebKit::WebProcess,WebKit::WebProcess,void (WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::BackForwardItemIdentifierType,WTF::ObjectIdentifierMainThreadAccessTraits> >, WTF::CompletionHandler<void ()> &&),std::tuple<WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::BackForwardItemIdentifierType,WTF::ObjectIdentifierMainThreadAccessTraits> > >,void ()>::<lambda_1> * _Obj = <Value unavailable error>, class std::tuple<WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::BackForwardItemIdentifierType,WTF::ObjectIdentifierMainThreadAccessTraits> > > * _Tpl = <Value unavailable error>)+0x20 [C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\include\tuple @ 1079]
32 (Inline Function) --------`--------     WebKit2!std::apply(class IPC::callMemberFunction<WebKit::WebProcess,WebKit::WebProcess,void (WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::BackForwardItemIdentifierType,WTF::ObjectIdentifierMainThreadAccessTraits> >, WTF::CompletionHandler<void ()> &&),std::tuple<WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::BackForwardItemIdentifierType,WTF::ObjectIdentifierMainThreadAccessTraits> > >,void ()>::<lambda_1> * _Obj = <Value unavailable error>, class std::tuple<WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::BackForwardItemIdentifierType,WTF::ObjectIdentifierMainThreadAccessTraits> > > * _Tpl = <Value unavailable error>)+0x20 [C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\include\tuple @ 1090]
33 (Inline Function) --------`--------     WebKit2!IPC::callMemberFunction(class WebKit::WebProcess * object = <Value unavailable error>, <function> * function = 0x00000000`00000000, class std::tuple<WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::BackForwardItemIdentifierType,WTF::ObjectIdentifierMainThreadAccessTraits> > > * tuple = <Value unavailable error>, class WTF::CompletionHandler<void ()> * completionHandler = <Value unavailable error>)+0x20 [C:\webkit\Source\WebKit\Platform\IPC\HandleMessage.h @ 145]
34 00000018`1915ee10 00007ffc`64d3e421     WebKit2!IPC::handleMessageAsync<Messages::WebProcess::ClearCachedPage,WebKit::WebProcess,WebKit::WebProcess,void (class IPC::Connection * connection = 0x0000018d`b01e9d00, class IPC::Decoder * decoder = <Value unavailable error>, class WebKit::WebProcess * object = <Value unavailable error>, <function> * function = 0x00000000`00000000)+0xd6 [C:\webkit\Source\WebKit\Platform\IPC\HandleMessage.h @ 334]
35 00000018`1915eec0 00007ffc`64ff9e2f     WebKit2!WebKit::WebProcess::didReceiveWebProcessMessage(class IPC::Connection * connection = <Value unavailable error>, class IPC::Decoder * decoder = 0x0000018d`f422d170)+0xc1 [C:\webkit\WebKitBuild\Release\WebKit\DerivedSources\WebProcessMessageReceiver.cpp @ 290]
36 00000018`1915f640 00007ffc`64ff9fcc     WebKit2!IPC::Connection::dispatchMessage(class std::unique_ptr<IPC::Decoder,std::default_delete<IPC::Decoder> > message = unique_ptr {...})+0xff [C:\webkit\Source\WebKit\Platform\IPC\Connection.cpp @ 1280]
37 00000018`1915f690 00007ffc`6eae018e     WebKit2!IPC::Connection::dispatchOneIncomingMessage(void)+0xec [C:\webkit\Source\WebKit\Platform\IPC\Connection.cpp @ 1344]
38 (Inline Function) --------`--------     WTF!WTF::Function<void (void)+0x9 [C:\webkit\Source\WTF\wtf\Function.h @ 82]
39 00000018`1915f6f0 00007ffc`6eb45e18     WTF!WTF::RunLoop::performWork(void)+0x19e [C:\webkit\Source\WTF\wtf\RunLoop.cpp @ 148]
3a (Inline Function) --------`--------     WTF!WTF::RunLoop::wndProc(struct HWND__ * hWnd = 0x00000000`001d343a, unsigned int message = 0x401, unsigned int64 wParam = 0x0000018d`b01beb60, int64 lParam = 0n0)+0x18 [C:\webkit\Source\WTF\wtf\win\RunLoopWin.cpp @ 56]
3b 00000018`1915f740 00007ffc`e547e858     WTF!WTF::RunLoop::RunLoopWndProc(struct HWND__ * hWnd = 0x00000000`001d343a, unsigned int message = 0x401, unsigned int64 wParam = 0x0000018d`b01beb60, int64 lParam = 0n0)+0x38 [C:\webkit\Source\WTF\wtf\win\RunLoopWin.cpp @ 39]
3c 00000018`1915f790 00007ffc`e547e299     USER32!UserCallWinProcCheckWow+0x2f8
3d 00000018`1915f920 00007ffc`6eb45f8f     USER32!DispatchMessageWorker+0x249
3e 00000018`1915f9a0 00007ffc`64c4d0fd     WTF!WTF::RunLoop::run(void)+0x5f [C:\webkit\Source\WTF\wtf\win\RunLoopWin.cpp @ 73]
3f (Inline Function) --------`--------     WebKit2!WebKit::AuxiliaryProcessMainBase<WebKit::WebProcess,1>::run(int argc = <Value unavailable error>, char ** argv = <Value unavailable error>)+0x59 [C:\webkit\Source\WebKit\Shared\AuxiliaryProcessMain.h @ 72]
40 00000018`1915fa20 00007ff7`b2c2100a     WebKit2!WebKit::AuxiliaryProcessMain<WebKit::WebProcessMainWin>(int argc = 0n8, char ** argv = <Value unavailable error>)+0xad [C:\webkit\Source\WebKit\Shared\AuxiliaryProcessMain.h @ 98]
41 00000018`1915fab0 00007ff7`b2c213bc     WebKitWebProcess!main(int argc = <Value unavailable error>, char ** argv = <Value unavailable error>)+0xa [C:\webkit\Source\WebKit\WebProcess\EntryPoint\win\WebProcessMain.cpp @ 35]
42 (Inline Function) --------`--------     WebKitWebProcess!invoke_main(void)+0x22 [D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 78]
43 00000018`1915fae0 00007ffc`e44b7344     WebKitWebProcess!__scrt_common_main_seh(void)+0x10c [D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 288]
44 00000018`1915fb20 00007ffc`e5f026b1     KERNEL32!BaseThreadInitThunk+0x14
45 00000018`1915fb50 00000000`00000000     ntdll!RtlUserThreadStart+0x21



268146@main made EventTarget a subclass of CanMakeCheckedPtr.
Comment 1 Chris Dumez 2023-11-07 21:20:22 PST 
Can you reproduce the crash? If so, it would be helpful to set CHECKED_POINTER_DEBUG to 1 in CheckedRef.h and rebuild.

It will print out on stderr which CheckedPtr/CheckedRef to the object are still live, before crashing.

Otherwise, it is not super actionable.
Comment 2 Fujii Hironori 2023-11-07 23:19:01 PST 
I'm keeping trying, but no luch so far.
Comment 3 Radar WebKit Bug Importer 2023-11-14 21:15:14 PST 
<rdar://problem/118435976>
Comment 4 Fujii Hironori 2023-11-15 13:24:03 PST 
I conclude that this is not reproducible with CHECKED_POINTER_DEBUG=1.
But, it's easy to reproduce this crash without CHECKED_POINTER_DEBUG=1 on my PC.

> python .\Tools\Scripts\run-webkit-tests --release --no-retry --iter=100 -f http/tests/navigation/page-cache-iframe-provisional-load.html
Comment 5 Fujii Hironori 2023-11-15 18:05:06 PST 
Created attachment 468612 [details]
debugging patch
Comment 6 Fujii Hironori 2023-11-15 18:06:43 PST 
Created attachment 468613 [details]
crash log with the debugging patch comment#5
Comment 7 Chris Dumez 2023-11-15 18:49:15 PST 
(In reply to Fujii Hironori from comment #6)
> Created attachment 468613 [details]
> crash log with the debugging log

Is this with `CHECKED_POINTER_DEBUG=1`, I don't see the allocation traces of the remaining CheckedPtrs / CheckedRefs like I would expect.
Comment 8 Fujii Hironori 2023-11-15 19:28:41 PST 
Created attachment 468614 [details]
WIP patch

Partially reverting 268278@main (bug#261589) fixes the crash.
I need to revert both CheckedRef (m_document and m_attachmentRoot).
Comment 9 Fujii Hironori 2023-11-15 19:35:18 PST 
Created attachment 468615 [details]
WIP patch

destorying m_head after destorying m_document and m_attachmentRoot also fixed the crash.
Comment 10 Fujii Hironori 2023-11-15 20:06:29 PST 
Pull request: https://github.com/WebKit/WebKit/pull/20581
Comment 11 EWS 2023-11-16 00:04:38 PST 
Committed 270813@main (b43c0f571e0a): <https://commits.webkit.org/270813@main>

Reviewed commits have been landed. Closing PR #20581 and removing active labels.