Bug 264382 - WTFCrash in ~CanMakeCheckedPtrBase of ~EventTarget
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Fujii Hironori
Keywords: InRadar
Reported: 2023-11-07 21:14 PST by Fujii Hironori
Modified: 2023-11-16 00:04 PST

Attachments
page-cache-iframe-provisional-load-crash-log.txt (148.89 KB, text/plain) - 2023-11-07 21:14 PST, Fujii Hironori
debugging patch (1.17 KB, patch) - 2023-11-15 18:05 PST, Fujii Hironori
crash log with the debugging patch comment#5 (145.50 KB, text/plain) - 2023-11-15 18:06 PST, Fujii Hironori
WIP patch (1.85 KB, patch) - 2023-11-15 19:28 PST, Fujii Hironori
WIP patch (877 bytes, patch) - 2023-11-15 19:35 PST, Fujii Hironori

Description Fujii Hironori 2023-11-07 21:14:17 PST
Created attachment 468510 [details]
page-cache-iframe-provisional-load-crash-log.txt

Today, I observed a crash while running layout tests with Windows Release builds of 270344@main.
This is the second time I have observed this crash while running layout tests.
I don't know how to reproduce this crash.

Regressions: Unexpected crashes (1)
  http/tests/navigation/page-cache-iframe-provisional-load.html [ Crash ]


 # Child-SP          RetAddr               Call Site
00 00000018`1915e8d0 00007ffc`5c10a21d     WTF!WTFCrash(void)+0xe [C:\webkit\Source\WTF\wtf\Assertions.cpp @ 333]
01 00000018`1915e900 00007ffc`5d013c8c     WebCore!WTFCrashWithInfo(void)+0x1d [C:\webkit\WebKitBuild\Release\WTF\Headers\wtf\Assertions.h @ 778]
02 (Inline Function) --------`--------     WebCore!WTF::CanMakeCheckedPtrBase<WTF::SingleThreadIntegralWrapper<unsigned int>,unsigned int>::~CanMakeCheckedPtrBase(void)+0xab [C:\webkit\WebKitBuild\Release\WTF\Headers\wtf\CheckedRef.h @ 325]
03 00000018`1915e940 00007ffc`5d264480     WebCore!WebCore::EventTarget::~EventTarget(void)+0x11c [C:\webkit\Source\WebCore\dom\EventTarget.cpp @ 77]
04 00000018`1915e980 00007ffc`5d0340ff     WebCore!WebCore::TextDocument::~TextDocument(int should_call_delete = 0n1)+0x10 [C:\webkit\Source\WebCore\html\TextDocument.h @ 31]
05 (Inline Function) --------`--------     WebCore!WebCore::Document::decrementReferencingNodeCount(void)+0x23 [C:\webkit\Source\WebCore\dom\Document.h @ 431]
06 00000018`1915e9c0 00007ffc`5cfe5fff     WebCore!WebCore::Node::~Node(void)+0xcf [C:\webkit\Source\WebCore\dom\Node.cpp @ 453]
07 00000018`1915ea00 00007ffc`5d1d29b0     WebCore!WebCore::Element::~Element(void)+0x13f [C:\webkit\Source\WebCore\dom\Element.cpp @ 277]
08 00000018`1915ea50 00007ffc`5d2bddc4     WebCore!WebCore::HTMLHeadElement::~HTMLHeadElement(int should_call_delete = 0n1)+0x10 [C:\webkit\Source\WebCore\html\HTMLHeadElement.h @ 30]
09 (Inline Function) --------`--------     WebCore!WebCore::Node::deref(void)+0x12 [C:\webkit\Source\WebCore\dom\Node.h @ 822]
0a (Inline Function) --------`--------     WebCore!WTF::DefaultRefDerefTraits<WebCore::ContainerNode>::derefIfNotNull(class WebCore::ContainerNode * ptr = <Value unavailable error>)+0x17 [C:\webkit\WebKitBuild\Release\WTF\Headers\wtf\RefPtr.h @ 43]
0b (Inline Function) --------`--------     WebCore!WTF::RefPtr<WebCore::ContainerNode,WTF::RawPtrTraits<WebCore::ContainerNode>,WTF::DefaultRefDerefTraits<WebCore::ContainerNode> >::~RefPtr(void)+0x23 [C:\webkit\WebKitBuild\Release\WTF\Headers\wtf\RefPtr.h @ 75]
0c (Inline Function) --------`--------     WebCore!WebCore::HTMLStackItem::~HTMLStackItem(void)+0x2c [C:\webkit\Source\WebCore\html\parser\HTMLStackItem.h @ 38]
0d 00000018`1915ea90 00007ffc`5d2c80fe     WebCore!WebCore::HTMLConstructionSite::~HTMLConstructionSite(void)+0x84 [C:\webkit\Source\WebCore\html\parser\HTMLConstructionSite.cpp @ 280]
0e 00000018`1915ead0 00007ffc`5d2c2a6e     WebCore!WebCore::HTMLTreeBuilder::~HTMLTreeBuilder(void)+0xce [C:\webkit\Source\WebCore\html\parser\HTMLTreeBuilder.h @ 238]
0f (Inline Function) --------`--------     WebCore!std::default_delete<WebCore::HTMLTreeBuilder>::operator()(class WebCore::HTMLTreeBuilder * _Ptr = 0x0000018d`f7d9e2a0)+0x8 [C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\include\memory @ 3180]
10 (Inline Function) --------`--------     WebCore!std::unique_ptr<WebCore::HTMLTreeBuilder,std::default_delete<WebCore::HTMLTreeBuilder> >::~unique_ptr(void)+0x14 [C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\include\memory @ 3290]
11 00000018`1915eb10 00007ffc`5d2ecee0     WebCore!WebCore::HTMLDocumentParser::~HTMLDocumentParser(void)+0xee [C:\webkit\Source\WebCore\html\parser\HTMLDocumentParser.cpp @ 96]
12 00000018`1915eb50 00007ffc`5d452e30     WebCore!WebCore::TextDocumentParser::~TextDocumentParser(int should_call_delete = 0n1)+0x10 [C:\webkit\Source\WebCore\html\parser\TextDocumentParser.h @ 31]
13 (Inline Function) --------`--------     WebCore!std::default_delete<WebCore::DocumentParser>::operator()(class WebCore::DocumentParser * _Ptr = <Value unavailable error>)+0xa [C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\include\memory @ 3180]
14 (Inline Function) --------`--------     WebCore!WTF::RefCounted<WebCore::DocumentParser,std::default_delete<WebCore::DocumentParser> >::deref(void)+0x16 [C:\webkit\WebKitBuild\Release\WTF\Headers\wtf\RefCounted.h @ 190]
15 (Inline Function) --------`--------     WebCore!WTF::DefaultRefDerefTraits<WebCore::DocumentParser>::derefIfNotNull(class WebCore::DocumentParser * ptr = <Value unavailable error>)+0x1b [C:\webkit\WebKitBuild\Release\WTF\Headers\wtf\RefPtr.h @ 43]
16 (Inline Function) --------`--------     WebCore!WTF::RefPtr<WebCore::DocumentParser,WTF::RawPtrTraits<WebCore::DocumentParser>,WTF::DefaultRefDerefTraits<WebCore::DocumentParser> >::~RefPtr(void)+0x27 [C:\webkit\WebKitBuild\Release\WTF\Headers\wtf\RefPtr.h @ 75]
17 00000018`1915eb90 00007ffc`5d452a4d     WebCore!WebCore::DocumentWriter::~DocumentWriter(void)+0x30 [C:\webkit\Source\WebCore\loader\DocumentWriter.h @ 44]
18 00000018`1915ebd0 00007ffc`652ba7c1     WebCore!WebCore::DocumentLoader::~DocumentLoader(void)+0xc2d [C:\webkit\Source\WebCore\loader\DocumentLoader.cpp @ 222]
19 00000018`1915ec30 00007ffc`5d186a21     WebKit2!WebKit::WebDocumentLoader::~WebDocumentLoader(int should_call_delete = 0n1)+0x11 [C:\webkit\Source\WebKit\WebProcess\WebPage\WebDocumentLoader.h @ 33]
1a (Inline Function) --------`--------     WebCore!std::default_delete<WebCore::DocumentLoader>::operator()(class WebCore::DocumentLoader * _Ptr = <Value unavailable error>)+0xb [C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\include\memory @ 3180]
1b (Inline Function) --------`--------     WebCore!WTF::RefCounted<WebCore::DocumentLoader,std::default_delete<WebCore::DocumentLoader> >::deref(void)+0x17 [C:\webkit\WebKitBuild\Release\WTF\Headers\wtf\RefCounted.h @ 190]
1c (Inline Function) --------`--------     WebCore!WTF::DefaultRefDerefTraits<WebCore::DocumentLoader>::derefIfNotNull(class WebCore::DocumentLoader * ptr = <Value unavailable error>)+0x1c [C:\webkit\WebKitBuild\Release\WTF\Headers\wtf\RefPtr.h @ 43]
1d (Inline Function) --------`--------     WebCore!WTF::RefPtr<WebCore::DocumentLoader,WTF::RawPtrTraits<WebCore::DocumentLoader>,WTF::DefaultRefDerefTraits<WebCore::DocumentLoader> >::~RefPtr(void)+0x28 [C:\webkit\WebKitBuild\Release\WTF\Headers\wtf\RefPtr.h @ 75]
1e 00000018`1915ec70 00007ffc`5d18695a     WebCore!WebCore::CachedFrameBase::~CachedFrameBase(void)+0x111 [C:\webkit\Source\WebCore\history\CachedFrame.cpp @ 76]
1f (Inline Function) --------`--------     WebCore!std::default_delete<WebCore::CachedFrame>::operator()(class WebCore::CachedFrame * _Ptr = 0x0000018d`f7c5a010)+0x8 [C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\include\memory @ 3180]
20 (Inline Function) --------`--------     WebCore!std::unique_ptr<WebCore::CachedFrame,std::default_delete<WebCore::CachedFrame> >::~unique_ptr(void)+0x11 [C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\include\memory @ 3290]
21 (Inline Function) --------`--------     WebCore!WTF::UniqueRef<WebCore::CachedFrame>::~UniqueRef(void)+0x11 [C:\webkit\WebKitBuild\Release\WTF\Headers\wtf\UniqueRef.h @ 57]
22 (Inline Function) --------`--------     WebCore!WTF::VectorDestructor<1,WTF::UniqueRef<WebCore::CachedFrame> >::destruct(class WTF::UniqueRef<WebCore::CachedFrame> * begin = 0x0000018d`f42ad2c0, class WTF::UniqueRef<WebCore::CachedFrame> * end = <Value unavailable error>)+0x2d [C:\webkit\WebKitBuild\Release\WTF\Headers\wtf\Vector.h @ 70]
23 (Inline Function) --------`--------     WebCore!WTF::VectorTypeOperations<WTF::UniqueRef<WebCore::CachedFrame> >::destruct(class WTF::UniqueRef<WebCore::CachedFrame> * begin = 0x0000018d`f42ad2c0, class WTF::UniqueRef<WebCore::CachedFrame> * end = <Value unavailable error>)+0x2d [C:\webkit\WebKitBuild\Release\WTF\Headers\wtf\Vector.h @ 253]
24 (Inline Function) --------`--------     WebCore!WTF::Vector<WTF::UniqueRef<WebCore::CachedFrame>,0,WTF::CrashOnOverflow,16,WTF::FastMalloc>::~Vector(void)+0x3a [C:\webkit\WebKitBuild\Release\WTF\Headers\wtf\Vector.h @ 766]
25 00000018`1915ecd0 00007ffc`5d183be7     WebCore!WebCore::CachedFrameBase::~CachedFrameBase(void)+0x4a [C:\webkit\Source\WebCore\history\CachedFrame.cpp @ 76]
26 (Inline Function) --------`--------     WebCore!std::default_delete<WebCore::CachedFrame>::operator()(class WebCore::CachedFrame * _Ptr = 0x0000018d`f7c59670)+0x8 [C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\include\memory @ 3180]
27 (Inline Function) --------`--------     WebCore!std::unique_ptr<WebCore::CachedFrame,std::default_delete<WebCore::CachedFrame> >::~unique_ptr(void)+0x11 [C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\include\memory @ 3290]
28 00000018`1915ed30 00007ffc`5d182552     WebCore!WebCore::CachedPage::~CachedPage(void)+0x97 [C:\webkit\Source\WebCore\history\CachedPage.cpp @ 80]
29 (Inline Function) --------`--------     WebCore!std::default_delete<WebCore::CachedPage>::operator()(class WebCore::CachedPage * _Ptr = 0x0000018d`f430c560)+0x8 [C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\include\memory @ 3180]
2a (Inline Function) --------`--------     WebCore!std::unique_ptr<WebCore::CachedPage,std::default_delete<WebCore::CachedPage> >::reset(class WebCore::CachedPage * _Ptr = <Value unavailable error>)+0x18 [C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\include\memory @ 3325]
2b (Inline Function) --------`--------     WebCore!std::unique_ptr<WebCore::CachedPage,std::default_delete<WebCore::CachedPage> >::operator=(class std::unique_ptr<WebCore::CachedPage,std::default_delete<WebCore::CachedPage> > * _Right = <Value unavailable error>)+0x18 [C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\include\memory @ 3277]
2c (Inline Function) --------`--------     WebCore!WebCore::HistoryItem::setCachedPage(class std::unique_ptr<WebCore::CachedPage,std::default_delete<WebCore::CachedPage> > * cachedPage = <Value unavailable error>)+0x1f [C:\webkit\Source\WebCore\history\HistoryItem.cpp @ 155]
2d 00000018`1915ed80 00007ffc`65155ddb     WebCore!WebCore::BackForwardCache::remove(class WebCore::HistoryItem * item = 0x0000018d`b01cbba0)+0x102 [C:\webkit\Source\WebCore\history\BackForwardCache.cpp @ 599]
2e 00000018`1915edd0 00007ffc`64d416f6     WebKit2!WebKit::WebProcess::clearCachedPage(class WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::BackForwardItemIdentifierType,WTF::ObjectIdentifierMainThreadAccessTraits> > * backForwardItemID = <Value unavailable error>, class WTF::CompletionHandler<void ()> * completionHandler = 0x00000018`1915ee70)+0x2b [C:\webkit\Source\WebKit\WebProcess\WebProcess.cpp @ 1998]
2f (Inline Function) --------`--------     WebKit2!IPC::callMemberFunction<WebKit::WebProcess,WebKit::WebProcess,void (class WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::BackForwardItemIdentifierType,WTF::ObjectIdentifierMainThreadAccessTraits> > * args = <Value unavailable error>)+0x20 [C:\webkit\Source\WebKit\Platform\IPC\HandleMessage.h @ 147]
30 (Inline Function) --------`--------     WebKit2!std::invoke(class IPC::callMemberFunction<WebKit::WebProcess,WebKit::WebProcess,void (WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::BackForwardItemIdentifierType,WTF::ObjectIdentifierMainThreadAccessTraits> >, WTF::CompletionHandler<void ()> &&),std::tuple<WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::BackForwardItemIdentifierType,WTF::ObjectIdentifierMainThreadAccessTraits> > >,void ()>::<lambda_1> * _Obj = <Value unavailable error>, class WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::BackForwardItemIdentifierType,WTF::ObjectIdentifierMainThreadAccessTraits> > * _Arg1 = <Value unavailable error>)+0x20 [C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\include\type_traits @ 1762]
31 (Inline Function) --------`--------     WebKit2!std::_Apply_impl(class IPC::callMemberFunction<WebKit::WebProcess,WebKit::WebProcess,void (WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::BackForwardItemIdentifierType,WTF::ObjectIdentifierMainThreadAccessTraits> >, WTF::CompletionHandler<void ()> &&),std::tuple<WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::BackForwardItemIdentifierType,WTF::ObjectIdentifierMainThreadAccessTraits> > >,void ()>::<lambda_1> * _Obj = <Value unavailable error>, class std::tuple<WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::BackForwardItemIdentifierType,WTF::ObjectIdentifierMainThreadAccessTraits> > > * _Tpl = <Value unavailable error>)+0x20 [C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\include\tuple @ 1079]
32 (Inline Function) --------`--------     WebKit2!std::apply(class IPC::callMemberFunction<WebKit::WebProcess,WebKit::WebProcess,void (WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::BackForwardItemIdentifierType,WTF::ObjectIdentifierMainThreadAccessTraits> >, WTF::CompletionHandler<void ()> &&),std::tuple<WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::BackForwardItemIdentifierType,WTF::ObjectIdentifierMainThreadAccessTraits> > >,void ()>::<lambda_1> * _Obj = <Value unavailable error>, class std::tuple<WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::BackForwardItemIdentifierType,WTF::ObjectIdentifierMainThreadAccessTraits> > > * _Tpl = <Value unavailable error>)+0x20 [C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.37.32822\include\tuple @ 1090]
33 (Inline Function) --------`--------     WebKit2!IPC::callMemberFunction(class WebKit::WebProcess * object = <Value unavailable error>, <function> * function = 0x00000000`00000000, class std::tuple<WebCore::ProcessQualified<WTF::ObjectIdentifierGeneric<WebCore::BackForwardItemIdentifierType,WTF::ObjectIdentifierMainThreadAccessTraits> > > * tuple = <Value unavailable error>, class WTF::CompletionHandler<void ()> * completionHandler = <Value unavailable error>)+0x20 [C:\webkit\Source\WebKit\Platform\IPC\HandleMessage.h @ 145]
34 00000018`1915ee10 00007ffc`64d3e421     WebKit2!IPC::handleMessageAsync<Messages::WebProcess::ClearCachedPage,WebKit::WebProcess,WebKit::WebProcess,void (class IPC::Connection * connection = 0x0000018d`b01e9d00, class IPC::Decoder * decoder = <Value unavailable error>, class WebKit::WebProcess * object = <Value unavailable error>, <function> * function = 0x00000000`00000000)+0xd6 [C:\webkit\Source\WebKit\Platform\IPC\HandleMessage.h @ 334]
35 00000018`1915eec0 00007ffc`64ff9e2f     WebKit2!WebKit::WebProcess::didReceiveWebProcessMessage(class IPC::Connection * connection = <Value unavailable error>, class IPC::Decoder * decoder = 0x0000018d`f422d170)+0xc1 [C:\webkit\WebKitBuild\Release\WebKit\DerivedSources\WebProcessMessageReceiver.cpp @ 290]
36 00000018`1915f640 00007ffc`64ff9fcc     WebKit2!IPC::Connection::dispatchMessage(class std::unique_ptr<IPC::Decoder,std::default_delete<IPC::Decoder> > message = unique_ptr {...})+0xff [C:\webkit\Source\WebKit\Platform\IPC\Connection.cpp @ 1280]
37 00000018`1915f690 00007ffc`6eae018e     WebKit2!IPC::Connection::dispatchOneIncomingMessage(void)+0xec [C:\webkit\Source\WebKit\Platform\IPC\Connection.cpp @ 1344]
38 (Inline Function) --------`--------     WTF!WTF::Function<void (void)+0x9 [C:\webkit\Source\WTF\wtf\Function.h @ 82]
39 00000018`1915f6f0 00007ffc`6eb45e18     WTF!WTF::RunLoop::performWork(void)+0x19e [C:\webkit\Source\WTF\wtf\RunLoop.cpp @ 148]
3a (Inline Function) --------`--------     WTF!WTF::RunLoop::wndProc(struct HWND__ * hWnd = 0x00000000`001d343a, unsigned int message = 0x401, unsigned int64 wParam = 0x0000018d`b01beb60, int64 lParam = 0n0)+0x18 [C:\webkit\Source\WTF\wtf\win\RunLoopWin.cpp @ 56]
3b 00000018`1915f740 00007ffc`e547e858     WTF!WTF::RunLoop::RunLoopWndProc(struct HWND__ * hWnd = 0x00000000`001d343a, unsigned int message = 0x401, unsigned int64 wParam = 0x0000018d`b01beb60, int64 lParam = 0n0)+0x38 [C:\webkit\Source\WTF\wtf\win\RunLoopWin.cpp @ 39]
3c 00000018`1915f790 00007ffc`e547e299     USER32!UserCallWinProcCheckWow+0x2f8
3d 00000018`1915f920 00007ffc`6eb45f8f     USER32!DispatchMessageWorker+0x249
3e 00000018`1915f9a0 00007ffc`64c4d0fd     WTF!WTF::RunLoop::run(void)+0x5f [C:\webkit\Source\WTF\wtf\win\RunLoopWin.cpp @ 73]
3f (Inline Function) --------`--------     WebKit2!WebKit::AuxiliaryProcessMainBase<WebKit::WebProcess,1>::run(int argc = <Value unavailable error>, char ** argv = <Value unavailable error>)+0x59 [C:\webkit\Source\WebKit\Shared\AuxiliaryProcessMain.h @ 72]
40 00000018`1915fa20 00007ff7`b2c2100a     WebKit2!WebKit::AuxiliaryProcessMain<WebKit::WebProcessMainWin>(int argc = 0n8, char ** argv = <Value unavailable error>)+0xad [C:\webkit\Source\WebKit\Shared\AuxiliaryProcessMain.h @ 98]
41 00000018`1915fab0 00007ff7`b2c213bc     WebKitWebProcess!main(int argc = <Value unavailable error>, char ** argv = <Value unavailable error>)+0xa [C:\webkit\Source\WebKit\WebProcess\EntryPoint\win\WebProcessMain.cpp @ 35]
42 (Inline Function) --------`--------     WebKitWebProcess!invoke_main(void)+0x22 [D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 78]
43 00000018`1915fae0 00007ffc`e44b7344     WebKitWebProcess!__scrt_common_main_seh(void)+0x10c [D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 288]
44 00000018`1915fb20 00007ffc`e5f026b1     KERNEL32!BaseThreadInitThunk+0x14
45 00000018`1915fb50 00000000`00000000     ntdll!RtlUserThreadStart+0x21
268146@main made EventTarget a subclass of CanMakeCheckedPtr.
Comment 1 Chris Dumez 2023-11-07 21:20:22 PST
Can you reproduce the crash? If so, it would be helpful to set CHECKED_POINTER_DEBUG to 1 in CheckedRef.h and rebuild.

It will print out on stderr which CheckedPtr/CheckedRef to the object are still live, before crashing.

Otherwise, it is not super actionable.
Comment 2 Fujii Hironori 2023-11-07 23:19:01 PST
I keep trying, but no luck so far.
Comment 3 Radar WebKit Bug Importer 2023-11-14 21:15:14 PST
<rdar://problem/118435976>
Comment 4 Fujii Hironori 2023-11-15 13:24:03 PST
I conclude that this is not reproducible with CHECKED_POINTER_DEBUG=1.
But it's easy to reproduce this crash without CHECKED_POINTER_DEBUG=1 on my PC.

> python .\Tools\Scripts\run-webkit-tests --release --no-retry --iter=100 -f http/tests/navigation/page-cache-iframe-provisional-load.html
Comment 5 Fujii Hironori 2023-11-15 18:05:06 PST
Created attachment 468612 [details]
debugging patch
Comment 6 Fujii Hironori 2023-11-15 18:06:43 PST
Created attachment 468613 [details]
crash log with the debugging patch comment#5
Comment 7 Chris Dumez 2023-11-15 18:49:15 PST
(In reply to Fujii Hironori from comment #6)
> Created attachment 468613 [details]
> crash log with the debugging log

Is this with `CHECKED_POINTER_DEBUG=1`? I don't see the allocation traces of the remaining CheckedPtrs / CheckedRefs like I would expect.
Comment 8 Fujii Hironori 2023-11-15 19:28:41 PST
Created attachment 468614 [details]
WIP patch

Partially reverting 268278@main (bug#261589) fixes the crash.
I need to revert both CheckedRefs (m_document and m_attachmentRoot).
Comment 9 Fujii Hironori 2023-11-15 19:35:18 PST
Created attachment 468615 [details]
WIP patch

Destroying m_head after destroying m_document and m_attachmentRoot also fixed the crash.
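The member-ordering problem behind the two WIP patches, as an added C++ illustration that is not WebKit's code: simplified stand-ins for CanMakeCheckedPtr, CheckedRef, Document and the m_document / m_attachmentRoot / m_head members of HTMLConstructionSite show why a CheckedRef target torn down by a member declared later trips the live-count check, and why declaring m_head before the CheckedRefs (so it is destroyed after them) avoids it. The class names, the counting logic and the record-instead-of-crash behaviour are assumptions of this example, not WebKit's implementation.

```cpp
#include <cstdint>
#include <memory>
// Stand-in for WTF::CanMakeCheckedPtr: counts the CheckedRef/CheckedPtr objects pointing at this
// object. WebKit's ~CanMakeCheckedPtrBase asserts at destruction that the count is zero; that
// assertion is what reached WTFCrash in the trace above.
class CanMakeCheckedPtr {
public:
    void incrementCheckedPtrCount() { ++m_checkedPtrCount; }
    void decrementCheckedPtrCount() { --m_checkedPtrCount; }
    uint32_t checkedPtrCount() const { return m_checkedPtrCount; }
private:
    uint32_t m_checkedPtrCount = 0;
};
// Stand-in for WTF::CheckedRef: a non-owning reference registered with its target while alive.
template<typename T> class CheckedRef {
public:
    explicit CheckedRef(T& target) : m_ptr(&target) { m_ptr->incrementCheckedPtrCount(); }
    ~CheckedRef() { m_ptr->decrementCheckedPtrCount(); }
    CheckedRef(const CheckedRef&) = delete;
    CheckedRef& operator=(const CheckedRef&) = delete;
private:
    T* m_ptr;
};
// Stand-in for Document (an EventTarget, hence CanMakeCheckedPtr), kept alive by the nodes that
// reference it. When the last node lets go the real Document deletes itself and the check above
// runs; this simulation records what that check would see instead of freeing the object, so a
// wrong destruction order is reported rather than turned into a use-after-free.
class Document : public CanMakeCheckedPtr {
public:
    void incrementReferencingNodeCount() { ++m_referencingNodes; }
    void decrementReferencingNodeCount() { if (--m_referencingNodes == 0) liveCheckedPtrsAtDestruction = checkedPtrCount(); }
    uint32_t liveCheckedPtrsAtDestruction = 0;
private:
    uint32_t m_referencingNodes = 0;
};
// Stand-in for the HTMLHeadElement that HTMLConstructionSite::m_head keeps alive.
class HeadElement {
public:
    explicit HeadElement(Document& d) : m_document(d) { m_document.incrementReferencingNodeCount(); }
    ~HeadElement() { m_document.decrementReferencingNodeCount(); }
private:
    Document& m_document;
};
// Members are destroyed in reverse declaration order: with m_head declared last it dies first and
// tears down the Document while both CheckedRefs are still registered.
struct ConstructionSiteBuggy {
    explicit ConstructionSiteBuggy(Document& d) : m_document(d), m_attachmentRoot(d), m_head(std::make_unique<HeadElement>(d)) {}
    CheckedRef<Document> m_document;
    CheckedRef<Document> m_attachmentRoot;
    std::unique_ptr<HeadElement> m_head;
};
// Declaring m_head first means it dies last, after both CheckedRefs have unregistered.
struct ConstructionSiteFixed {
    explicit ConstructionSiteFixed(Document& d) : m_head(std::make_unique<HeadElement>(d)), m_document(d), m_attachmentRoot(d) {}
    std::unique_ptr<HeadElement> m_head;
    CheckedRef<Document> m_document;
    CheckedRef<Document> m_attachmentRoot;
};
// CheckedRefs still live when the Document "died": 2 for the buggy layout (WebKit would crash), 0 for the fixed one.
template<typename Site> uint32_t liveCheckedRefsAtDocumentDeath() {
    Document document;
    { Site site(document); }  // site is destroyed here, member by member
    return document.liveCheckedPtrsAtDestruction;
}
uint32_t buggyOrder() { return liveCheckedRefsAtDocumentDeath<ConstructionSiteBuggy>(); }
uint32_t fixedOrder() { return liveCheckedRefsAtDocumentDeath<ConstructionSiteFixed>(); }
```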
Comment 10 Fujii Hironori 2023-11-15 20:06:29 PST
Pull request: https://github.com/WebKit/WebKit/pull/20581
Comment 11 EWS 2023-11-16 00:04:38 PST
Committed 270813@main (b43c0f571e0a): <https://commits.webkit.org/270813@main>

Reviewed commits have been landed. Closing PR #20581 and removing active labels.