Bug 256664 - Crash when destroying invalid ElementBox from LineLayout::removedFromTree
Summary: Crash when destroying invalid ElementBox from LineLayout::removedFromTree
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: Layout and Rendering
Version: WebKit Nightly Build
Hardware: PC Linux
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2023-05-11 14:29 PDT by Michael Catanzaro
Modified: 2023-05-18 14:30 PDT
CC List: 5 users

See Also:


Attachments
Almost full backtrace (truncated at frame 37 because I got impatient waiting for gdb) (720.30 KB, text/plain)
2023-05-11 14:33 PDT, Michael Catanzaro
Description Michael Catanzaro 2023-05-11 14:29:10 PDT
Here's another crash I found in my coredumpctl. I have not seen this one before so it's probably not common. Not sure what web page triggered it. It's a failing assert here in CheckedRef.h:

    ~CanMakeCheckedPtrBase() { RELEASE_ASSERT(!m_count); }

which means the refcount was somehow nonzero when the CanMakeCheckedPtrBase was destroyed. Problem is the ElementBox that is being destroyed is an invalid pointer 0x2.

#0  __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0)
    at pthread_kill.c:44
#1  0x00007f3f2d0911f3 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78
#2  0x00007f3f2d03f00e in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3  0x00007f3f2d0287fc in __GI_abort () at abort.c:79
#4  0x00007f3f2daec4cf in WTFCrashWithInfo(int, char const*, char const*, int) () at WTF/Headers/wtf/Assertions.h:758
#5  0x00007f3f2f7180fd in WTF::CanMakeCheckedPtrBase<WTF::SingleThreadIntegralWrapper<unsigned int>, unsigned int>::~CanMakeCheckedPtrBase() (this=0x7f3e4941f1f8) at WTF/Headers/wtf/CheckedRef.h:242
#6  WebCore::Layout::Box::~Box() (this=0x7f3e4941f1f0)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/layout/layouttree/LayoutBox.cpp:58
#7  0x00007f3f2f719905 in WebCore::Layout::ElementBox::~ElementBox() (this=0x2)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/layout/layouttree/LayoutElementBox.cpp:60
#8  0x00007f3f2f71785f in std::default_delete<WebCore::Layout::Box>::operator()(WebCore::Layout::Box*) const
    (this=0x7ffce69d7320, __ptr=0x2)
    at /usr/bin/../lib/gcc/x86_64-unknown-linux-gnu/12.2.0/../../../../include/c++/12.2.0/bits/unique_ptr.h:95
#9  std::unique_ptr<WebCore::Layout::Box, std::default_delete<WebCore::Layout::Box> >::~unique_ptr()
    (this=0x7ffce69d7320)
    at /usr/bin/../lib/gcc/x86_64-unknown-linux-gnu/12.2.0/../../../../include/c++/12.2.0/bits/unique_ptr.h:396
#10 WTF::UniqueRef<WebCore::Layout::Box>::~UniqueRef() (this=0x7ffce69d7320) at WTF/Headers/wtf/UniqueRef.h:57
#11 WebCore::LayoutIntegration::LineLayout::removedFromTree(WebCore::RenderElement const&, WebCore::RenderObject&)
    (this=<optimized out>, parent=<optimized out>, child=<optimized out>)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/layout/integration/inline/LayoutIntegrationLineLayout.cpp:1247
#12 0x00007f3f2fd4407c in WebCore::invalidateLineLayoutAfterTreeMutationIfNeeded(WebCore::RenderObject&, WebCore::IsRemoval) (renderer=..., isRemoval=WebCore::IsRemoval::Yes)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderObject.cpp:1732
#13 WebCore::RenderObject::willBeRemovedFromTree(WebCore::RenderObject::IsInternalMove) (this=0x7f3e7a0b5060)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderObject.cpp:1750
#14 0x00007f3f2fd12358 in WebCore::RenderLayerModelObject::willBeRemovedFromTree(WebCore::RenderObject::IsInternalMove) (this=0x7f3e7a0b5060, isInternalMove=WebCore::RenderObject::IsInternalMove::No)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/RenderLayerModelObject.cpp:92
#15 0x00007f3f2fe6efc3 in WebCore::RenderTreeBuilder::detachFromRenderElement(WebCore::RenderElement&, WebCore::RenderObject&, WebCore::RenderTreeBuilder::WillBeDestroyed)
     (this=0x7ffce69d9ec8, parent=..., child=..., willBeDestroyed=WebCore::RenderTreeBuilder::WillBeDestroyed::Yes)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:970
#16 0x00007f3f2fe6e603 in WebCore::RenderTreeBuilder::Block::detach(WebCore::RenderBlock&, WebCore::RenderObject&, WebCore::RenderTreeBuilder::CanCollapseAnonymousBlock)
    (this=0x7f3ca55dbd90, parent=..., oldChild=..., canCollapseAnonymousBlock=<optimized out>)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/updating/RenderTreeBuilderBlock.cpp:297
#17 0x00007f3f2fe6e169 in WebCore::RenderTreeBuilder::Block::detach(WebCore::RenderBlockFlow&, WebCore::RenderObject&, WebCore::RenderTreeBuilder::CanCollapseAnonymousBlock)
    (this=0x7f3ca55dbd90, parent=..., child=..., canCollapseAnonymousBlock=<optimized out>)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/updating/RenderTreeBuilderBlock.cpp:391
#18 0x00007f3f2fe6ba4a in WebCore::RenderTreeBuilder::detach(WebCore::RenderElement&, WebCore::RenderObject&, WebCore::RenderTreeBuilder::CanCollapseAnonymousBlock)
    (this=0x7ffce69d9ec8, parent=..., child=<optimized out>, canCollapseAnonymousBlock=WebCore::RenderTreeBuilder::CanCollapseAnonymousBlock::Yes)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:395
#19 0x00007f3f2fe6b4e1 in WebCore::RenderTreeBuilder::destroy(WebCore::RenderObject&, WebCore::RenderTreeBuilder::CanCollapseAnonymousBlock) (this=0x7ffce69d9ec8, renderer=..., canCollapseAnonymousBlock=<optimized out>)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:153
#20 0x00007f3f2fe71245 in WebCore::RenderTreeBuilder::destroyAndCleanUpAnonymousWrappers(WebCore::RenderObject&)
    (this=0x7ffce69d9ec8, rendererToDestroy=...)
    at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/updating/RenderTreeBuilder.cpp:885
#21 0x00007f3f2fe7f0c2 in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&)::$_10::operator()(unsigned int) const (this=this@entry=0x7ffce69d7660, depth=15) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:643
#22 0x00007f3f2fe7de7b in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&) (root=..., teardownType=WebCore::RenderTreeUpdater::TeardownType::FullAfterSlotChange, builder=...) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:656
#23 0x00007f3f2fe7ed2b in WebCore::RenderTreeUpdater::tearDownRenderersAfterSlotChange(WebCore::Element&) (host=...) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/rendering/updating/RenderTreeUpdater.cpp:576
#24 0x00007f3f2f2c840b in WebCore::NamedSlotAssignment::didChangeSlot(WTF::AtomString const&, WebCore::ShadowRoot&) (this=0x7f3e717dde20, slotAttrValue=<optimized out>, shadowRoot=...) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/dom/SlotAssignment.cpp:299
#25 0x00007f3f2f240b31 in WebCore::ShadowRoot::hostChildElementDidChange(WebCore::Element const&) (this=0x6, childElement=...) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/dom/SlotAssignment.h:213
#26 WebCore::Element::insertedIntoAncestor(WebCore::Node::InsertionType, WebCore::ContainerNode&) (this=0x7f3ca51d8ee0, insertionType=..., parentOfInsertedTree=...) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/dom/Element.cpp:2674
#27 0x00007f3f2f412df9 in WebCore::HTMLElement::insertedIntoAncestor(WebCore::Node::InsertionType, WebCore::ContainerNode&) (this=0x2, insertionType=..., parentOfInsertedTree=...) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/html/HTMLElement.cpp:433
#28 0x00007f3f2f4425af in WebCore::HTMLMaybeFormAssociatedCustomElement::insertedIntoAncestor(WebCore::Node::InsertionType, WebCore::ContainerNode&) (this=0x2, insertionType=..., parentOfInsertedTree=...) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/html/HTMLMaybeFormAssociatedCustomElement.cpp:124
#29 0x00007f3f2f1d257d in WebCore::notifyNodeInsertedIntoDocument(WebCore::ContainerNode&, WebCore::Node&, WebCore::TreeScopeChange, WTF::Vector<WTF::Ref<WebCore::Node, WTF::RawPtrTraits<WebCore::Node> >, 11ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&) (parentOfInsertedTree=..., node=..., treeScopeChange=WebCore::TreeScopeChange::Changed, postInsertionNotificationTargets=WTF::Vector of length 0, capacity 3103784944) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/dom/ContainerNodeAlgorithms.cpp:50
#30 0x00007f3f2f1d246a in WebCore::notifyChildNodeInserted(WebCore::ContainerNode&, WebCore::Node&, WTF::Vector<WTF::Ref<WebCore::Node, WTF::RawPtrTraits<WebCore::Node> >, 11ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&) (parentOfInsertedTree=..., node=..., postInsertionNotificationTargets=WTF::Vector of length 0, capacity 11) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/dom/ContainerNodeAlgorithms.cpp:105
#31 0x00007f3f2f1cd5a7 in WebCore::executeNodeInsertionWithScriptAssertion<WebCore::ContainerNode::appendChildWithoutPreInsertionValidityCheck(WebCore::Node&)::$_4>(WebCore::ContainerNode&, WebCore::Node&, WebCore::Node*, WebCore::ContainerNode::ChildChange::Source, WebCore::ReplacedAllChildren, WebCore::ContainerNode::appendChildWithoutPreInsertionValidityCheck(WebCore::Node&)::$_4) (containerNode=..., child=..., beforeChild=0x0, source=WebCore::ContainerNode::ChildChange::Source::API, replacedAllChildren=WebCore::ReplacedAllChildren::No, doNodeInsertion=...) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/dom/ContainerNode.cpp:289
#32 WebCore::ContainerNode::appendChildWithoutPreInsertionValidityCheck(WebCore::Node&) (this=0x7f3e7a025710, newChild=...) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/dom/ContainerNode.cpp:838
#33 0x00007f3f2f1ccaaa in WebCore::ContainerNode::insertBefore(WebCore::Node&, WebCore::Node*) (this=0x7f3e7a025710, newChild=..., refChild=<optimized out>) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/dom/ContainerNode.cpp:478
#34 0x00007f3f2f28b652 in WebCore::Node::insertBefore(WebCore::Node&, WebCore::Node*) (this=0x2, newChild=..., refChild=0x7f3f2d091184 <__pthread_kill_implementation+292>) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/dom/Node.cpp:521
#35 0x00007f3f2e87f69c in WebCore::jsNodePrototypeFunction_insertBeforeBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSNode*)::{lambda()#1}::operator()() const (this=<optimized out>) at WebCore/DerivedSources/JSNode.cpp:839
#36 WebCore::invokeFunctorPropagatingExceptionIfNecessary<WebCore::jsNodePrototypeFunction_insertBeforeBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSNode*)::{lambda()#1}>(JSC::JSGlobalObject&, JSC::ThrowScope&, WebCore::jsNodePrototypeFunction_insertBeforeBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSNode*)::{lambda()#1}&&) (lexicalGlobalObject=..., throwScope=..., functor=<optimized out>) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/bindings/js/JSDOMExceptionHandling.h:96
#37 WebCore::jsNodePrototypeFunction_insertBeforeBody(JSC::JSGlobalObject*, JSC::CallFrame*, WebCore::JSNode*) (lexicalGlobalObject=0x7f3ec5019068, callFrame=<optimized out>, castedThis=<optimized out>) at WebCore/DerivedSources/JSNode.cpp:839
#38 WebCore::IDLOperation<WebCore::JSNode>::call<&WebCore::jsNodePrototypeFunction_insertBeforeBody, (WebCore::CastedThisErrorBehavior)0>(JSC::JSGlobalObject&, JSC::CallFrame&, char const*) (lexicalGlobalObject=..., callFrame=<optimized out>, operationName=<optimized out>) at /buildstream/gnome/sdk/webkitgtk-6.0.bst/Source/WebCore/bindings/js/JSDOMOperation.h:63
#39 WebCore::jsNodePrototypeFunction_insertBefore(JSC::JSGlobalObject*, JSC::CallFrame*) (lexicalGlobalObject=0x7f3ec5019068, callFrame=<optimized out>) at WebCore/DerivedSources/JSNode.cpp:845
#40 0x00007f3ec80081b8 in  ()
#41 0x00007ffce69da590 in  ()
#42 0x00007f3ec85ee0eb in  ()
#43 0x0000000000000000 in  ()

This backtrace is taken with WebKitGTK 2.41.3.
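Added illustration, not WebKit's own code: a simplified model of the CanMakeCheckedPtr/CheckedPtr mechanism behind the `RELEASE_ASSERT(!m_count)` that fired above, contrasting a correct lifetime with the bug pattern the assertion is designed to catch (an object destroyed while a CheckedPtr still references it). The names LayoutBox, g_abortOnDanglingPtr, g_lastDanglingCount, onDanglingCheckedPtr and forgetWithoutDecrement are this example's own, and the abort is made switchable only so the failure path can be observed in a test.

```cpp
#include <cstdint>
#include <cstdlib>
// WTF's CanMakeCheckedPtrBase destructor does RELEASE_ASSERT(!m_count), i.e. aborts.
// Here the abort can be switched to a recorded count so a test can observe the failure.
static bool g_abortOnDanglingPtr = true;
static uint32_t g_lastDanglingCount = 0;
static void onDanglingCheckedPtr(uint32_t count) {
    g_lastDanglingCount = count;
    if (g_abortOnDanglingPtr) std::abort(); // what RELEASE_ASSERT does in WebKit
}
// Simplified stand-in for WTF::CanMakeCheckedPtrBase (not WTF's real code).
class CanMakeCheckedPtr {
public:
    ~CanMakeCheckedPtr() { if (m_count) onDanglingCheckedPtr(m_count); }
    void incrementPtrCount() { ++m_count; }
    void decrementPtrCount() { --m_count; }
private:
    uint32_t m_count { 0 };
};

// Simplified stand-in for WTF::CheckedPtr: non-owning, but registered with the pointee.
template<typename T> class CheckedPtr {
public:
    explicit CheckedPtr(T* p) : m_ptr(p) { if (m_ptr) m_ptr->incrementPtrCount(); }
    ~CheckedPtr() { if (m_ptr) m_ptr->decrementPtrCount(); }
    CheckedPtr(const CheckedPtr&) = delete;
    CheckedPtr& operator=(const CheckedPtr&) = delete;
    void forgetWithoutDecrement() { m_ptr = nullptr; } // test-only: pointee already freed
private:
    T* m_ptr;
};
struct LayoutBox : CanMakeCheckedPtr { };
// Correct lifetime: the CheckedPtr is released before the box is deleted; returns 0.
uint32_t destroyAfterPtrReleased() {
    g_abortOnDanglingPtr = false; g_lastDanglingCount = 0;
    auto* box = new LayoutBox;
    { CheckedPtr<LayoutBox> p(box); }
    delete box;
    return g_lastDanglingCount;
}
// Bug pattern: the box is deleted while a CheckedPtr still references it; returns 1.
uint32_t destroyWhilePtrLive() {
    g_abortOnDanglingPtr = false; g_lastDanglingCount = 0;
    auto* box = new LayoutBox;
    CheckedPtr<LayoutBox> p(box);
    delete box;                 // ~CanMakeCheckedPtr sees m_count == 1
    p.forgetWithoutDecrement(); // the box is freed: it must not be touched again
    return g_lastDanglingCount;
}
```

With the default handler (abort) the second scenario terminates the process exactly as the WebKit assertion does, which is the intended outcome: a deterministic crash instead of a later use-after-free through the dangling pointer.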
Comment 1 Michael Catanzaro 2023-05-11 14:33:46 PDT
Created attachment 466323 [details]
Almost full backtrace (truncated at frame 37 because I got impatient waiting for gdb)
Comment 2 zalan 2023-05-11 18:53:46 PDT
Is this ToT? If not, this might be a dupe of bug 255744.
Comment 3 Michael Catanzaro 2023-05-12 08:06:53 PDT
(In reply to zalan from comment #2)
> is this ToT?

It's WebKitGTK 2.41.3 which is 263229@main, so the fix in 263234@main is not included (just a little too late!).
Comment 4 Radar WebKit Bug Importer 2023-05-18 14:30:21 PDT
<rdar://problem/109532478>