[webkit-changes] [WebKit/WebKit] b43c0f: REGRESSION(268278 at main): WTFCrash in ~CanMakeCheck...

Fujii Hironori noreply at github.com
Thu Nov 16 00:04:47 PST 2023


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: b43c0f571e0a944810dd7e721ea2b0dea21ffc2f
      https://github.com/WebKit/WebKit/commit/b43c0f571e0a944810dd7e721ea2b0dea21ffc2f
  Author: Fujii Hironori <Hironori.Fujii at sony.com>
  Date:   2023-11-16 (Thu, 16 Nov 2023)

  Changed paths:
    M Source/WebCore/html/parser/HTMLConstructionSite.h

  Log Message:
  -----------
  REGRESSION(268278 at main): WTFCrash in ~CanMakeCheckedPtrBase of ~EventTarget
https://bugs.webkit.org/show_bug.cgi?id=264382

Reviewed by Chris Dumez.

Windows port was occasionally observing a CheckedPtr release check
failure in ~EventTarget with the following backtrace.

> WebCore!WTFCrashWithInfo(void)+0x1d
> WebCore!WTF::CanMakeCheckedPtrBase<WTF::SingleThreadIntegralWrapper<unsigned int>,unsigned int>::~CanMakeCheckedPtrBase(void)+0xab
> WebCore!WebCore::EventTarget::~EventTarget(void)+0x11c
> WebCore!WebCore::TextDocument::~TextDocument(int should_call_delete = 0n1)+0x10
> WebCore!WebCore::Document::decrementReferencingNodeCount(void)+0x23
> WebCore!WebCore::Node::~Node(void)+0xcf
> WebCore!WebCore::Element::~Element(void)+0x13f
> WebCore!WebCore::HTMLHeadElement::~HTMLHeadElement(int should_call_delete = 0n1)+0x10
> WebCore!WebCore::Node::deref(void)+0x12
> WebCore!WTF::DefaultRefDerefTraits<WebCore::ContainerNode>::derefIfNotNull(class WebCore::ContainerNode * ptr = <Value unavailable error>)+0x17
> WebCore!WTF::RefPtr<WebCore::ContainerNode,WTF::RawPtrTraits<WebCore::ContainerNode>,WTF::DefaultRefDerefTraits<WebCore::ContainerNode> >::~RefPtr(void)+0x23
> WebCore!WebCore::HTMLStackItem::~HTMLStackItem(void)+0x2c
> WebCore!WebCore::HTMLConstructionSite::~HTMLConstructionSite(void)+0x84
> WebCore!WebCore::HTMLTreeBuilder::~HTMLTreeBuilder(void)+0xce
> [...]

This is under ~HTMLStackItem and ~HTMLConstructionSite. While
destroying m_head of HTMLConstructionSite, something still had a
CheckedPtr to the EventTarget.

268278 at main adopted CheckedRef to m_document and m_attachmentRoot of
HTMLConstructionSite. m_document and m_attachmentRoot should be
destroyed before destroying m_head.

* Source/WebCore/html/parser/HTMLConstructionSite.h:
Reordered member variables so that m_head is destroyed after m_document
and m_attachmentRoot.

Canonical link: https://commits.webkit.org/270813@main
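The destruction-order hazard the commit message describes can be reproduced in isolation. The following is an added example, not code from the commit or from WebKit: the CanMakeCheckedPtr, CheckedRef, Document and HeadStackItem types are simplified stand-ins for the WTF and WebCore classes, m_attachmentRoot is modelled as a second CheckedRef to the Document rather than to a ContainerNode, and the release check counts a violation instead of crashing so that both member layouts can be exercised in one process. The two structs show the member order before and after the fix; C++ destroys non-static members in reverse declaration order, which is the whole mechanism behind the regression.

```cpp
#include <cstdio>
#include <memory>
#include <utility>

// Stand-in for the release check in WTF::CanMakeCheckedPtr (constructed for this
// example). The real class keeps the count of outstanding CheckedPtr/CheckedRef
// objects inline and RELEASE_ASSERTs in its destructor; this demo keeps the count
// in a separately owned block so that a violation can be counted instead of
// crashing the process, and so that the late decrement by a still-alive
// CheckedRef does not touch freed memory.
static int g_checkedPtrViolations = 0;

struct CheckedPtrCounter {
    unsigned outstanding = 0;
};

struct CanMakeCheckedPtr {
    std::shared_ptr<CheckedPtrCounter> counter = std::make_shared<CheckedPtrCounter>();
    virtual ~CanMakeCheckedPtr()
    {
        // Destroyed while someone still holds a CheckedRef: this is the condition
        // that produces the WTFCrash in the backtrace above.
        if (counter->outstanding != 0)
            ++g_checkedPtrViolations;
    }
};

template<typename T>
class CheckedRef {
public:
    explicit CheckedRef(T& target)
        : m_target(&target), m_counter(target.counter)
    {
        ++m_counter->outstanding;
    }
    ~CheckedRef() { --m_counter->outstanding; }
    CheckedRef(const CheckedRef&) = delete;
    CheckedRef& operator=(const CheckedRef&) = delete;
    T& get() const { return *m_target; }

private:
    T* m_target;
    std::shared_ptr<CheckedPtrCounter> m_counter;
};

// Simplified Document: in WebKit it is an EventTarget, which is CanMakeCheckedPtr.
struct Document : CanMakeCheckedPtr { };

// Simplified HTMLStackItem for <head>: an Element holds a strong reference to its
// Document, so destroying the last stack item can destroy the Document.
struct HeadStackItem {
    std::shared_ptr<Document> document;
};

// Member layout BEFORE the fix (simplified). C++ destroys members in reverse
// declaration order, so m_head goes first and can release the Document while
// both CheckedRefs are still outstanding.
struct ConstructionSiteBeforeFix {
    explicit ConstructionSiteBeforeFix(std::shared_ptr<Document> doc)
        : m_document(*doc), m_attachmentRoot(*doc), m_head { std::move(doc) } { }
    CheckedRef<Document> m_document;
    CheckedRef<Document> m_attachmentRoot;
    HeadStackItem m_head;
};

// Member layout AFTER the fix: m_head is declared first, so it is destroyed last,
// after m_document and m_attachmentRoot have already released their counts.
struct ConstructionSiteAfterFix {
    explicit ConstructionSiteAfterFix(std::shared_ptr<Document> doc)
        : m_head { doc }, m_document(*doc), m_attachmentRoot(*doc) { }
    HeadStackItem m_head;
    CheckedRef<Document> m_document;
    CheckedRef<Document> m_attachmentRoot;
};

// Builds one construction site whose m_head holds the only strong reference to
// the Document, destroys it, and returns how many release-check violations
// occurred (hypothetical helper for this example).
int violationsForLayout(bool fixedLayout)
{
    g_checkedPtrViolations = 0;
    if (fixedLayout) {
        ConstructionSiteAfterFix site(std::make_shared<Document>());
        (void)site;
    } else {
        ConstructionSiteBeforeFix site(std::make_shared<Document>());
        (void)site;
    }
    return g_checkedPtrViolations;
}

int main()
{
    std::printf("before fix: %d violation(s)\n", violationsForLayout(false)); // 1
    std::printf("after fix:  %d violation(s)\n", violationsForLayout(true));  // 0
    return 0;
}
```

The point to carry away is that a CheckedRef held by a class must be declared after any member whose destruction can drop the last strong reference to the target; reversing the declaration order reverses the destruction order, which is exactly what the one-line header change in HTMLConstructionSite.h does.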
