Bug 261998 (RESOLVED FIXED)
[Win] REGRESSION(268343@main): Crash under WebCore::PositionedDescendantsMap::removeContainingBlock
https://bugs.webkit.org/show_bug.cgi?id=261998
Fujii Hironori
Reported 2023-09-23 05:49:59 PDT
WinCairo is crashing for some layout tests.

Regressions: Unexpected crashes (18)
compositing/composited-parent-clipping-layer-on-subpixel-position.html [ Crash ]
compositing/hidpi-ancestor-subpixel-clipping.html [ Crash ]
compositing/hidpi-box-positioned-off-by-one-when-non-compositing-transform-is-present.html [ Crash ]
compositing/hidpi-composited-container-and-graphics-layer-gap-changes.html [ Crash ]
compositing/hidpi-compositing-layer-with-zero-sized-container-offsets-above-one.html [ Crash ]
compositing/hidpi-compositing-layer-with-zero-sized-container.html [ Crash ]
compositing/hidpi-compositing-vs-non-compositing-check-on-testing-framework.html [ Crash ]
compositing/hidpi-non-simple-compositing-layer-with-fractional-size-and-background.html [ Crash ]
compositing/hidpi-sibling-composited-content-offset.html [ Crash ]
compositing/hidpi-simple-container-layer-on-device-pixel.html [ Crash ]
compositing/hidpi-subpixel-transform-origin.html [ Crash ]
compositing/hidpi-transform-with-render-layer-on-fractional-pixel-value.html [ Crash ]
compositing/layer-creation/mismatched-transform-transition-overlap.html [ Crash ]
compositing/layer-creation/subtree-div-overlaps-multiple-negative-z-divs.html [ Crash ]
compositing/layer-creation/translate-transition-overlap.html [ Crash ]
compositing/parent-clipping-layer-on-subpixel-position.html [ Crash ]
css3/filters/reference-filter-change-repaint.html [ Crash ]
fast/forms/hidpi-textarea-on-subpixel-position.html [ Crash ]

268332@main good, 268348@main bad: https://build.webkit.org/#/builders/728/builds/2210
268334@main good, 268352@main bad: https://build.webkit.org/#/builders/727/builds/20987

 # Child-SP          RetAddr               Call Site
00 000000dc`1fd5c320 00007ff8`c3996cd7     WebCore!WTF::CompactPointerTuple<WTF::DefaultWeakPtrImpl *,unsigned short>::pointer(void)+0x19 [C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf\CompactPointerTuple.h @ 85]
01 000000dc`1fd5c350 00007ff8`c7be922a     WebCore!WTF::CompactRefPtrTuple<WTF::DefaultWeakPtrImpl,unsigned short>::pointer(void)+0x17 [C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf\CompactRefPtrTuple.h @ 48]
02 000000dc`1fd5c380 00007ff8`c7c220a8     WebCore!WTF::WeakHashMap<WebCore::RenderBox const ,WTF::WeakPtr<WebCore::RenderBlock const ,WTF::DefaultWeakPtrImpl>,WTF::DefaultWeakPtrImpl>::keyImplIfExists<WebCore::RenderBox>(class WebCore::RenderBox * key = 0x0000025c`77715cd0)+0x2a [C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf\WeakHashMap.h @ 379]
03 000000dc`1fd5c3c0 00007ff8`c7c2256a     WebCore!WTF::WeakHashMap<WebCore::RenderBox const ,WTF::WeakPtr<WebCore::RenderBlock const ,WTF::DefaultWeakPtrImpl>,WTF::DefaultWeakPtrImpl>::remove(class WebCore::RenderBox * key = 0x0000025c`77715cd0)+0x28 [C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf\WeakHashMap.h @ 275]
04 000000dc`1fd5c400 00007ff8`c7ba21a7     WebCore!WebCore::PositionedDescendantsMap::removeContainingBlock(class WebCore::RenderBlock * containingBlock = 0x0000025c`34985860)+0x11a [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebCore\rendering\RenderBlock.cpp @ 222]
05 000000dc`1fd5c510 00007ff8`c7ba8629     WebCore!WebCore::RenderBlock::blockWillBeDestroyed(void)+0x37 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebCore\rendering\RenderBlock.cpp @ 366]
06 000000dc`1fd5c550 00007ff8`c7d7e3f3     WebCore!WebCore::RenderBlockFlow::willBeDestroyed(void)+0x139 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebCore\rendering\RenderBlockFlow.cpp @ 171]
07 000000dc`1fd5c5b0 00007ff8`c658de0d     WebCore!WebCore::RenderObject::destroy(void)+0x1c3 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebCore\rendering\RenderObject.cpp @ 1779]
08 000000dc`1fd5c600 00007ff8`c658e10e     WebCore!WebCore::Document::destroyRenderTree(void)+0x39d [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebCore\dom\Document.cpp @ 2730]
09 000000dc`1fd5c730 00007ff8`c7425e2d     WebCore!WebCore::Document::willBeRemovedFromFrame(void)+0x25e [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebCore\dom\Document.cpp @ 2790]
0a 000000dc`1fd5c910 00007ff8`c742607b     WebCore!WebCore::LocalFrame::setView(class WTF::RefPtr<WebCore::LocalFrameView,WTF::RawPtrTraits<WebCore::LocalFrameView>,WTF::DefaultRefDerefTraits<WebCore::LocalFrameView> > * view = 0x000000dc`1fd5c9a8)+0xad [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebCore\page\LocalFrame.cpp @ 244]
0b 000000dc`1fd5c940 00007ff8`de85d3fa     WebCore!WebCore::LocalFrame::createView(class WebCore::IntSize * viewportSize = 0x0000025c`349ce960, class std::optional<WebCore::Color> * backgroundColor = 0x0000025c`349ceca8, class WebCore::IntSize * fixedLayoutSize = 0x000000dc`1fd5cc60, class WebCore::IntRect * fixedVisibleContentRect = 0x000000dc`1fd5caa8, bool useFixedLayout = false, WebCore::ScrollbarMode horizontalScrollbarMode = Auto (0n0), bool horizontalLock = false, WebCore::ScrollbarMode verticalScrollbarMode = Auto (0n0), bool verticalLock = false)+0x11b [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebCore\page\LocalFrame.cpp @ 879]
0c 000000dc`1fd5ca30 00007ff8`c720247f     WebKit2!WebKit::WebLocalFrameLoaderClient::transitionToCommittedForNewPage(void)+0x5aa [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebKit\WebProcess\WebCoreSupport\WebLocalFrameLoaderClient.cpp @ 1508]
0d 000000dc`1fd5ce20 00007ff8`c71fd806     WebCore!WebCore::FrameLoader::transitionToCommitted(class WebCore::CachedPage * cachedPage = 0x00000000`00000000)+0x61f [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebCore\loader\FrameLoader.cpp @ 2318]
0e 000000dc`1fd5cf40 00007ff8`c71b0ae8     WebCore!WebCore::FrameLoader::commitProvisionalLoad(void)+0x5b6 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebCore\loader\FrameLoader.cpp @ 2127]
0f 000000dc`1fd5d790 00007ff8`c71b27c3     WebCore!WebCore::DocumentLoader::commitIfReady(void)+0x38 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebCore\loader\DocumentLoader.cpp @ 416]
10 000000dc`1fd5d7c0 00007ff8`c71b507c     WebCore!WebCore::DocumentLoader::finishedLoading(void)+0x223 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebCore\loader\DocumentLoader.cpp @ 488]
11 000000dc`1fd5d930 00007ff8`c71ab700     WebCore!WebCore::DocumentLoader::maybeLoadEmpty(void)+0x59c [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebCore\loader\DocumentLoader.cpp @ 2084]
12 000000dc`1fd5dc90 00007ff8`c7210f6c     WebCore!WebCore::DocumentLoader::startLoadingMainResource(void)+0x2b0 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebCore\loader\DocumentLoader.cpp @ 2115]
13 000000dc`1fd5dfa0 00007ff8`c721335b     WebCore!`WebCore::FrameLoader::continueLoadAfterNavigationPolicy'::`2'::<lambda_1>::operator()(void)+0xac [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebCore\loader\FrameLoader.cpp @ 3793]
14 000000dc`1fd5dfe0 00007ff8`c39d5d64     WebCore!WTF::Detail::CallableWrapper<`WebCore::FrameLoader::continueLoadAfterNavigationPolicy'::`2'::<lambda_1>,void>::call(void)+0x1b [C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf\Function.h @ 53]
15 000000dc`1fd5e010 00007ff8`c39f527f     WebCore!WTF::Function<void __cdecl(void)+0x94 [C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf\Function.h @ 83]
16 000000dc`1fd5e050 00007ff8`c7203dd3     WebCore!WTF::CompletionHandler<void __cdecl(void)+0x8f [C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf\CompletionHandler.h @ 75]
17 000000dc`1fd5e0a0 00007ff8`c7210775     WebCore!WebCore::FrameLoader::continueLoadAfterNavigationPolicy(class WebCore::ResourceRequest * request = 0x0000025c`7745d2c0, class WebCore::FormState * formState = 0x00000000`00000000, WebCore::NavigationPolicyDecision navigationPolicyDecision = ContinueLoad (0n0), WebCore::AllowNavigationToInvalidURL allowNavigationToInvalidURL = Yes (0n1))+0x753 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebCore\loader\FrameLoader.cpp @ 3797]
18 000000dc`1fd5e550 00007ff8`c7212be1     WebCore!`WebCore::FrameLoader::loadWithDocumentLoader'::`2'::<lambda_2>::operator()(class WebCore::ResourceRequest * request = 0x0000025c`7745d2c0, class WTF::WeakPtr<WebCore::FormState,WTF::DefaultWeakPtrImpl> * formState = 0x000000dc`1fd5ea30, WebCore::NavigationPolicyDecision navigationPolicyDecision = ContinueLoad (0n0))+0x65 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebCore\loader\FrameLoader.cpp @ 1703]
19 000000dc`1fd5e5b0 00007ff8`c727f51d     WebCore!WTF::Detail::CallableWrapper<`WebCore::FrameLoader::loadWithDocumentLoader'::`2'::<lambda_2>,void,WebCore::ResourceRequest &&,WTF::WeakPtr<WebCore::FormState,WTF::DefaultWeakPtrImpl> &&,enum WebCore::NavigationPolicyDecision>::call(class WebCore::ResourceRequest * <in_0> = 0x0000025c`7745d2c0, class WTF::WeakPtr<WebCore::FormState,WTF::DefaultWeakPtrImpl> * <in_1> = 0x000000dc`1fd5ea30, WebCore::NavigationPolicyDecision <in_2> = ContinueLoad (0n0))+0x41 [C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf\Function.h @ 53]
1a 000000dc`1fd5e5f0 00007ff8`c727f365     WebCore!WTF::Function<void __cdecl(class WebCore::ResourceRequest * <in_0> = 0x0000025c`7745d2c0, class WTF::WeakPtr<WebCore::FormState,WTF::DefaultWeakPtrImpl> * <in_1> = 0x000000dc`1fd5ea30, WebCore::NavigationPolicyDecision <in_2> = ContinueLoad (0n0))+0xbd [C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf\Function.h @ 83]
1b 000000dc`1fd5e630 00007ff8`c72716a1     WebCore!WTF::CompletionHandler<void __cdecl(class WebCore::ResourceRequest * <in_0> = 0x0000025c`7745d2c0, class WTF::WeakPtr<WebCore::FormState,WTF::DefaultWeakPtrImpl> * <in_1> = 0x000000dc`1fd5ea30, WebCore::NavigationPolicyDecision <in_2> = ContinueLoad (0n0))+0xb5 [C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf\CompletionHandler.h @ 75]
1c 000000dc`1fd5e690 00007ff8`c7274eaa     WebCore!`WebCore::FrameLoader::PolicyChecker::checkNavigationPolicy'::`2'::<lambda_1>::operator()(WebCore::PolicyAction policyAction = Use (0n0), class WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::PolicyCheckIdentifierType,WTF::ObjectIdentifierMainThreadAccessTraits> > * responseIdentifier = 0x000000dc`1fd5eaf0)+0x471 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebCore\loader\PolicyChecker.cpp @ 234]
1d 000000dc`1fd5ead0 00007ff8`de897ac0     WebCore!WTF::Detail::CallableWrapper<`WebCore::FrameLoader::PolicyChecker::checkNavigationPolicy'::`2'::<lambda_1>,void,enum WebCore::PolicyAction,WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::PolicyCheckIdentifierType,WTF::ObjectIdentifierMainThreadAccessTraits> > >::call(WebCore::PolicyAction <in_0> = Use (0n0), class WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::PolicyCheckIdentifierType,WTF::ObjectIdentifierMainThreadAccessTraits> > * <in_1> = 0x000000dc`1fd5eb60)+0x4a [C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf\Function.h @ 53]
1e 000000dc`1fd5eb30 00007ff8`de96bb93     WebKit2!WTF::Function<void __cdecl(WebCore::PolicyAction <in_0> = Use (0n0), class WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::PolicyCheckIdentifierType,WTF::ObjectIdentifierMainThreadAccessTraits> > * <in_1> = 0x000000dc`1fd5ec60)+0xe0 [C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf\Function.h @ 83]
1f 000000dc`1fd5eba0 00007ff8`de861d3e     WebKit2!WebKit::WebFrame::didReceivePolicyDecision(unsigned int64 listenerID = 4, class WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::PolicyCheckIdentifierType,WTF::ObjectIdentifierMainThreadAccessTraits> > * identifier = 0x000000dc`1fd5ed40, struct WebKit::PolicyDecision * policyDecision = 0x000000dc`1fd5ee60)+0x4d3 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebKit\WebProcess\WebPage\WebFrame.cpp @ 503]
20 000000dc`1fd5ed00 00007ff8`de87e36e     WebKit2!`WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction'::`2'::<lambda_1>::operator()(struct WebKit::PolicyDecision * policyDecision = 0x000000dc`1fd5ee60)+0xae [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebKit\WebProcess\WebCoreSupport\WebFrameLoaderClient.cpp @ 177]
21 000000dc`1fd5ed90 00007ff8`de8728db     WebKit2!std::invoke<`WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction'::`2'::<lambda_1>,WebKit::PolicyDecision>(class WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction::__l2::<lambda_1> * _Obj = 0x0000025c`776e43b8, struct WebKit::PolicyDecision * _Arg1 = 0x000000dc`1fd5ee60)+0x1e [C:\MSVS\VC\Tools\MSVC\14.37.32822\include\type_traits @ 1777]
22 000000dc`1fd5edc0 00007ff8`de873da5     WebKit2!std::_Apply_impl<`WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction'::`2'::<lambda_1>,std::tuple<WebKit::PolicyDecision>,0>(class WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction::__l2::<lambda_1> * _Obj = 0x0000025c`776e43b8, class std::tuple<WebKit::PolicyDecision> * _Tpl = 0x000000dc`1fd5ee60, struct std::integer_sequence<unsigned __int64,0> __formal = struct std::integer_sequence<unsigned __int64,0>)+0x2b [C:\MSVS\VC\Tools\MSVC\14.37.32822\include\tuple @ 1080]
23 000000dc`1fd5edf0 00007ff8`de874322     WebKit2!std::apply<`WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction'::`2'::<lambda_1>,std::tuple<WebKit::PolicyDecision> >(class WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction::__l2::<lambda_1> * _Obj = 0x0000025c`776e43b8, class std::tuple<WebKit::PolicyDecision> * _Tpl = 0x000000dc`1fd5ee60)+0x35 [C:\MSVS\VC\Tools\MSVC\14.37.32822\include\tuple @ 1092]
24 000000dc`1fd5ee30 00007ff8`de864b32     WebKit2!IPC::Connection::callReply<Messages::WebPageProxy::DecidePolicyForNavigationActionAsync,`WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction'::`2'::<lambda_1> >(class IPC::Decoder * decoder = 0x0000025c`77abfae0, class WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction::__l2::<lambda_1> * completionHandler = 0x0000025c`776e43b8)+0x82 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebKit\Platform\IPC\Connection.h @ 826]
25 000000dc`1fd5ef50 00007ff8`de8668cc     WebKit2!`IPC::Connection::makeAsyncReplyHandler<Messages::WebPageProxy::DecidePolicyForNavigationActionAsync,`WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction'::`2'::<lambda_1> >'::`2'::<lambda_1>::operator()(class IPC::Decoder * decoder = 0x0000025c`77abfae0)+0x42 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebKit\Platform\IPC\Connection.h @ 808]
26 000000dc`1fd5ef80 00007ff8`dded9628     WebKit2!WTF::Detail::CallableWrapper<`IPC::Connection::makeAsyncReplyHandler<Messages::WebPageProxy::DecidePolicyForNavigationActionAsync,`WebKit::WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction'::`2'::<lambda_1> >'::`2'::<lambda_1>,void,IPC::Decoder *>::call(class IPC::Decoder * <in_0> = 0x0000025c`77abfae0)+0x2c [C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf\Function.h @ 53]
27 000000dc`1fd5efc0 00007ff8`dded9570     WebKit2!WTF::Function<void __cdecl(class IPC::Decoder * <in_0> = 0x0000025c`77abfae0)+0xa8 [C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf\Function.h @ 83]
28 000000dc`1fd5f000 00007ff8`ddebf14f     WebKit2!WTF::CompletionHandler<void __cdecl(class IPC::Decoder * <in_0> = 0x0000025c`77abfae0)+0xa0 [C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf\CompletionHandler.h @ 75]
29 000000dc`1fd5f060 00007ff8`ddebee29     WebKit2!IPC::Connection::dispatchMessage(class IPC::Decoder * decoder = 0x0000025c`77abfae0)+0x17f [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebKit\Platform\IPC\Connection.cpp @ 1216]
2a 000000dc`1fd5f0e0 00007ff8`ddebe6bd     WebKit2!IPC::Connection::dispatchMessage(class std::unique_ptr<IPC::Decoder,std::default_delete<IPC::Decoder> > * message = 0x000000dc`1fd5f228)+0x2f9 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebKit\Platform\IPC\Connection.cpp @ 1283]
2b 000000dc`1fd5f1b0 00007ff8`ddec16ff     WebKit2!IPC::Connection::dispatchOneIncomingMessage(void)+0x10d [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebKit\Platform\IPC\Connection.cpp @ 1347]
2c 000000dc`1fd5f260 00007ff8`ddec306b     WebKit2!`IPC::Connection::enqueueIncomingMessage'::`19'::<lambda_2>::operator()(void)+0x1f [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebKit\Platform\IPC\Connection.cpp @ 1196]
2d 000000dc`1fd5f290 00007ff9`0451a9c3     WebKit2!WTF::Detail::CallableWrapper<`IPC::Connection::enqueueIncomingMessage'::`19'::<lambda_2>,void>::call(void)+0x1b [C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf\Function.h @ 53]
2e 000000dc`1fd5f2c0 00007ff9`045b1098     WTF!WTF::Function<void __cdecl(void)+0x93 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WTF\wtf\Function.h @ 83]
2f 000000dc`1fd5f300 00007ff9`04694c01     WTF!WTF::RunLoop::performWork(void)+0x198 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WTF\wtf\RunLoop.cpp @ 148]
30 000000dc`1fd5f410 00007ff9`04694b64     WTF!WTF::RunLoop::wndProc(struct HWND__ * hWnd = 0x00000000`5f4d00de, unsigned int message = 0x401, unsigned int64 wParam = 0x0000025c`348ee420, int64 lParam = 0n0)+0x41 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WTF\wtf\win\RunLoopWin.cpp @ 57]
31 000000dc`1fd5f450 00007ff8`fbe60089     WTF!WTF::RunLoop::RunLoopWndProc(struct HWND__ * hWnd = 0x00000000`5f4d00de, unsigned int message = 0x401, unsigned int64 wParam = 0x0000025c`348ee420, int64 lParam = 0n0)+0x54 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WTF\wtf\win\RunLoopWin.cpp @ 39]
32 000000dc`1fd5f4a0 00007ff8`fbe5fa02     USER32!CallWindowProcW+0x419
33 000000dc`1fd5f630 00007ff9`04694046     USER32!DispatchMessageW+0x1e2
34 000000dc`1fd5f6b0 00007ff8`dcf71b3b     WTF!WTF::RunLoop::run(void)+0x66 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WTF\wtf\win\RunLoopWin.cpp @ 74]
35 000000dc`1fd5f740 00007ff8`dcf71903     WebKit2!WebKit::AuxiliaryProcessMainBase<WebKit::WebProcess,1>::run(int argc = 0n8, char ** argv = 0x0000025c`348fca20)+0xab [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebKit\Shared\AuxiliaryProcessMain.h @ 73]
36 000000dc`1fd5f790 00007ff8`dcf71745     WebKit2!WebKit::AuxiliaryProcessMain<WebKit::WebProcessMainWin>(int argc = 0n8, char ** argv = 0x0000025c`348fca20)+0x73 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebKit\Shared\AuxiliaryProcessMain.h @ 99]
37 000000dc`1fd5f850 00007ff7`30fe163d     WebKit2!WebKit::WebProcessMain(int argc = 0n8, char ** argv = 0x0000025c`348fca20)+0x85 [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebKit\WebProcess\win\WebProcessMainWin.cpp @ 58]
38 000000dc`1fd5f890 00007ff7`30fe1af4     WebKitWebProcess!main(int argc = 0n8, char ** argv = 0x0000025c`348fca20)+0x1d [C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebKit\WebProcess\EntryPoint\win\WebProcessMain.cpp @ 35]
39 (Inline Function) --------`--------     WebKitWebProcess!invoke_main+0x22 [D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 78]
3a 000000dc`1fd5f8c0 00007ff9`00c54de0     WebKitWebProcess!__scrt_common_main_seh(void)+0x10c [D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 288]
3b 000000dc`1fd5f900 00007ff9`1541ec4b     KERNEL32!BaseThreadInitThunk+0x10
3c 000000dc`1fd5f930 00000000`00000000     ntdll!RtlUserThreadStart+0x2b
Fujii Hironori
Comment 1 2023-09-23 05:50:37 PDT
268343@main (bug#261545) is the culprit?
Fujii Hironori
Comment 2 2023-09-23 07:09:25 PDT
I bisected and confirmed it happened after 268343@main.
Chris Dumez
Comment 3 2023-09-23 11:26:27 PDT
Are you able to figure out which CheckedPtr is causing this? It will be hard for me without reproducing. Then I guess we can revert that particular CheckedPtr for now or switch to a WeakPtr.
Fujii Hironori
Comment 4 2023-09-23 15:25:38 PDT
In removeContainingBlock, renderer doesn't seem to be a valid object. https://github.com/WebKit/WebKit/blob/8aa2481bf186536ad7a85d228abc51f42c53a321/Source/WebCore/rendering/RenderBlock.cpp#L222 In the previous code there was no problem, because the code just removed a raw pointer from m_containerMap.
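The mechanism Comment 4 describes, as an added C++ model that is not WebKit's code: a weak-keyed map has to dereference the key object to reach its impl block, so removing an already-destroyed renderer is a use-after-free, while the old raw-address map only hashed the pointer value. Renderer, WeakImpl, WeakKeyedMap and RawKeyedMap are stand-in names chosen here for RenderBox, WTF::WeakPtrImpl, WTF::WeakHashMap and the previous m_containerMap; destruction is simulated with a flag so the model runs without undefined behaviour.

```cpp
// Added model (not WebKit code). WeakHashMap::remove(key) dereferences the key
// object to find its WeakPtrImpl, so a dead key is a use-after-free; a raw-address
// map never touches the pointee. Renderer, WeakImpl, WeakKeyedMap and RawKeyedMap
// are invented stand-ins for RenderBox, WeakPtrImpl, WeakHashMap, m_containerMap.
#include <memory>
#include <unordered_map>
#include <vector>
struct WeakImpl { void* object; };   // control block, cleared when the owner dies

// destroy() marks the object dead instead of freeing it, so the model can
// report the dereference that the debug build crashed on.
class Renderer {
public:
    bool alive = true;
    std::shared_ptr<WeakImpl> impl;  // created lazily, like WeakPtrFactory
    void destroy() { if (impl) impl->object = nullptr; alive = false; }
    WeakImpl* implIfExists() const { return impl.get(); }   // reads *this
    WeakImpl* ensureImpl() {
        if (!impl) impl = std::make_shared<WeakImpl>(WeakImpl{this});
        return impl.get();
    }
};

// Keyed by the object's WeakImpl, as WTF::WeakHashMap is.
class WeakKeyedMap {
public:
    void set(Renderer& r, int v) { m_map[r.ensureImpl()] = v; m_keys.push_back(r.impl); }
    // 0: removed, 1: not present, -1: key object already dead (the real map
    // would read freed memory here, as under removeContainingBlock).
    int remove(const Renderer& r) {
        if (!r.alive) return -1;
        WeakImpl* key = r.implIfExists();
        return key && m_map.erase(key) ? 0 : 1;
    }
private:
    std::unordered_map<WeakImpl*, int> m_map;
    std::vector<std::shared_ptr<WeakImpl>> m_keys;   // keeps key blocks valid
};

// Keyed by raw address, as the previous m_containerMap was.
class RawKeyedMap {
public:
    void set(const Renderer* r, int v) { m_map[r] = v; }
    int remove(const Renderer* r) { return m_map.erase(r) ? 0 : 1; }
private:
    std::unordered_map<const Renderer*, int> m_map;
};

// remove() result for a key type and ordering. removeFirst=false is the
// report's ordering: the descendant is gone before its containing block's
// teardown removes the entry; removeFirst=true is the safe ordering.
int removalResult(bool weakKeys, bool removeFirst) {
    Renderer descendant;
    WeakKeyedMap weak; RawKeyedMap raw;
    weak.set(descendant, 1); raw.set(&descendant, 1);
    if (!removeFirst) descendant.destroy();
    int rc = weakKeys ? weak.remove(descendant) : raw.remove(&descendant);
    if (removeFirst) descendant.destroy();
    return rc;
}
```

Only the weak-keyed map with the report's ordering fails; either keying by address or unregistering the descendant while it is still alive avoids the dereference.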
Fujii Hironori
Comment 5 2023-09-23 15:42:01 PDT
EWS
Comment 6 2023-09-24 11:28:57 PDT
Committed 268373@main (e9f67fe4c9c1): <https://commits.webkit.org/268373@main> Reviewed commits have been landed. Closing PR #18126 and removing active labels.
Radar WebKit Bug Importer
Comment 7 2023-09-24 11:29:13 PDT