Bug 264828

Summary: RELEASE_ASSERT(!m_count); in WebCore::RenderObject::~RenderObject()
Product: WebKit
Reporter: Nicole Rosario <Nicole_rosario>
Component: WebCore Misc.
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: Other
Hardware: Unspecified
OS: Unspecified

Description Nicole Rosario 2023-11-14 10:58:15 PST
RELEASE_ASSERT(!m_count); in WebCore::RenderObject::~RenderObject():


Exception Type:        EXC_BREAKPOINT (SIGTRAP)
Exception Codes:       0x0000000000000001, 0x0000000112922674

Thread 0 Crashed::  Dispatch queue: com.apple.main-thread
0   WebCore       0x112922674 WTFCrashWithInfo(int, char const*, char const*, int) + 20 (Assertions.h:778)
1   WebCore       0x11393a8c0 WTF::CanMakeCheckedPtrBase<WTF::SingleThreadIntegralWrapper<unsigned int>, unsigned int>::~CanMakeCheckedPtrBase() + 28 (CheckedRef.h:325) [inlined]
2   WebCore       0x11393a8c0 WebCore::RenderObject::~RenderObject() + 232 (RenderObject.cpp:162)
3   WebCore       0x1138ccb88 WebCore::RenderImage::~RenderImage() + 112 (RenderImage.cpp:170) [inlined]
4   WebCore       0x1138ccb88 WebCore::RenderImage::~RenderImage() + 112 (RenderImage.cpp:168) [inlined]
5   WebCore       0x1138ccb88 WebCore::RenderImage::~RenderImage() + 132 (RenderImage.cpp:168)
6   WebCore       0x113a6dd78 std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>::reset[abi:v160006](WebCore::RenderObject*) + 16 (unique_ptr.h:297) [inlined]
7   WebCore       0x113a6dd78 std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>::~unique_ptr[abi:v160006]() + 16 (unique_ptr.h:263) [inlined]
8   WebCore       0x113a6dd78 std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>::~unique_ptr[abi:v160006]() + 16 (unique_ptr.h:263) [inlined]
9   WebCore       0x113a6dd78 WebCore::RenderTreeBuilder::destroy(WebCore::RenderObject&, WebCore::RenderTreeBuilder::CanCollapseAnonymousBlock) + 188 (RenderTreeBuilder.cpp:175)
10  WebCore       0x113a72608 WebCore::RenderTreeBuilder::destroyAndCleanUpAnonymousWrappers(WebCore::RenderObject&) + 220 (RenderTreeBuilder.cpp:892)
11  WebCore       0x113a7f4d4 WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&)::$_5::operator()(unsigned int) const + 340 (RenderTreeUpdater.cpp:641) [inlined]
12  WebCore       0x113a7f4d4 WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&) + 2384 (RenderTreeUpdater.cpp:664)
13  WebCore       0x113a7dc3c WebCore::RenderTreeUpdater::updateElementRenderer(WebCore::Element&, WebCore::Style::ElementUpdate const&) + 84 (RenderTreeUpdater.cpp:340) [inlined]
14  WebCore       0x113a7dc3c WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) + 4156 (RenderTreeUpdater.cpp:192)
15  WebCore       0x113a7c994 WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const>>) + 200 (RenderTreeUpdater.cpp:118)
16  WebCore       0x112e096a8 WebCore::Document::updateRenderTree(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const>>) + 100 (Document.cpp:2131)
17  WebCore       0x112e09918 WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) + 504 (Document.cpp:2228)
18  WebCore       0x112e0a090 WebCore::Document::updateStyleIfNeeded() + 164 (Document.cpp:2330)
19  WebCore       0x113476be0 WebCore::LocalFrameViewLayoutContext::updateStyleForLayout() + 64 (LocalFrameViewLayoutContext.cpp:546) [inlined]
20  WebCore       0x113476be0 WebCore::LocalFrameViewLayoutContext::performLayout() + 344 (LocalFrameViewLayoutContext.cpp:209)
21  WebCore       0x114002784 WebCore::LocalFrameViewLayoutContext::layout() + 52 (LocalFrameViewLayoutContext.cpp:151)
22  WebCore       0x112e06ac4 WebCore::Document::updateLayout(WTF::OptionSet<WebCore::LayoutOptions>, WebCore::Element const*) + 844 (Document.cpp:2383)
23  WebCore       0x112e0a8f8 WebCore::Document::updateLayoutIfDimensionsOutOfDate(WebCore::Element&, WTF::OptionSet<WebCore::DimensionsCheck>) + 736 (Document.cpp:2534)
24  WebCore       0x112e4fc04 WebCore::Element::offsetWidth() + 56 (Element.cpp:1400)
25  WebCore       0x111e64f50 WebCore::jsHTMLElement_offsetWidthGetter(JSC::JSGlobalObject&, WebCore::JSHTMLElement&) + 24 (JSHTMLElement.cpp:4459) [inlined]
26  WebCore       0x111e64f50 long long WebCore::IDLAttribute<WebCore::JSHTMLElement>::get<&WebCore::jsHTMLElement_offsetWidthGetter(JSC::JSGlobalObject&, WebCore::JSHTMLElement&), (WebCore::CastedThisErrorBehavior)3>(JSC::JSGlobalObject&, long long, JSC::PropertyName) + 104 (JSDOMAttribute.h:89) [inlined]
27  WebCore       0x111e64f50 WebCore::jsHTMLElement_offsetWidth(JSC::JSGlobalObject*, long long, JSC::PropertyName) + 128 (JSHTMLElement.cpp:4464)

Comment 1 Nicole Rosario 2023-11-14 11:19:17 PST
<rdar://problem/117994923>

Comment 2 Nicole Rosario 2023-11-14 12:27:48 PST
Pull request: https://github.com/WebKit/WebKit/pull/20354

Comment 3 EWS 2023-11-14 20:56:26 PST
Committed 270747@main (834ac739e603): <https://commits.webkit.org/270747@main>

Reviewed commits have been landed. Closing PR #20354 and removing active labels.