[Webkit-unassigned] [Bug 199445] [GTK] fast/forms/interactive-validation-remove-node-in-handler.html is crashing in an assertion

bugzilla-daemon at webkit.org
Tue Sep 1 14:59:14 PDT 2020


https://bugs.webkit.org/show_bug.cgi?id=199445

Fujii Hironori <Hironori.Fujii at sony.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |Hironori.Fujii at sony.com

--- Comment #1 from Fujii Hironori <Hironori.Fujii at sony.com> ---
GTK port Debug build is still crashing intermittently.
trunk r266379
https://build.webkit.org/builders/GTK%20Linux%2064-bit%20Debug%20%28Tests%29/builds/7100
https://results.webkit.org/?suite=layout-tests&test=fast%2Fforms%2Finteractive-validation-remove-node-in-handler.html

Thread 1 (Thread 0x7f84d4c3f2c0 (LWP 29094)):
#0  0x00007f84dda567be in WTFCrash() () at ../../Source/WTF/wtf/Assertions.cpp:295
#1  0x00007f84dda567d9 in WTFCrashWithSecurityImplication() () at ../../Source/WTF/wtf/Assertions.cpp:316
#2  0x00007f84ed2267d1 in WebCore::ContainerNode::removeNodeWithScriptAssertion(WebCore::Node&, WebCore::ContainerNode::ChildChangeSource) (this=0x7f849130bac8, childToRemove=..., source=WebCore::ContainerNode::ChildChangeSource::API) at ../../Source/WebCore/dom/ContainerNode.cpp:132
#3  0x00007f84ed21f5a1 in WebCore::ContainerNode::removeChild(WebCore::Node&) (this=0x7f849130bac8, oldChild=...) at ../../Source/WebCore/dom/ContainerNode.cpp:577
#4  0x00007f84ed84074c in WebCore::ValidationMessage::deleteBubbleTree() (this=0x7f846d8f8300) at ../../Source/WebCore/html/ValidationMessage.cpp:263
#5  0x00007f84ed84057c in WebCore::ValidationMessage::~ValidationMessage() (this=0x7f846d8f8300) at ../../Source/WebCore/html/ValidationMessage.cpp:67
#6  0x00007f84ed6c104b in std::default_delete<WebCore::ValidationMessage>::operator()(WebCore::ValidationMessage*) const (this=0x7f84911eb408, __ptr=0x7f846d8f8300) at /usr/bin/../lib/gcc/x86_64-unknown-linux-gnu/9.3.0/../../../../include/c++/9.3.0/bits/unique_ptr.h:81
#7  0x00007f84ed6c12c9 in std::unique_ptr<WebCore::ValidationMessage, std::default_delete<WebCore::ValidationMessage> >::reset(WebCore::ValidationMessage*) (this=0x7f84911eb408, __p=0x7f846d8f8300) at /usr/bin/../lib/gcc/x86_64-unknown-linux-gnu/9.3.0/../../../../include/c++/9.3.0/bits/unique_ptr.h:402
#8  0x00007f84ed6b3a07 in std::unique_ptr<WebCore::ValidationMessage, std::default_delete<WebCore::ValidationMessage> >::operator=(decltype(nullptr)) (this=0x7f84911eb408) at /usr/bin/../lib/gcc/x86_64-unknown-linux-gnu/9.3.0/../../../../include/c++/9.3.0/bits/unique_ptr.h:336
#9  0x00007f84ed6a7c59 in WebCore::HTMLFormControlElement::removedFromAncestor(WebCore::Node::RemovalType, WebCore::ContainerNode&) (this=0x7f84911eb360, removalType=..., oldParentOfRemovedTree=...) at ../../Source/WebCore/html/HTMLFormControlElement.cpp:314
#10 0x00007f84ed6a9221 in WebCore::HTMLFormControlElementWithState::removedFromAncestor(WebCore::Node::RemovalType, WebCore::ContainerNode&) (this=0x7f84911eb360, removalType=..., oldParentOfRemovedTree=...) at ../../Source/WebCore/html/HTMLFormControlElementWithState.cpp:55
#11 0x00007f84ed6e1104 in WebCore::HTMLInputElement::removedFromAncestor(WebCore::Node::RemovalType, WebCore::ContainerNode&) (this=0x7f84911eb360, removalType=..., oldParentOfRemovedTree=...) at ../../Source/WebCore/html/HTMLInputElement.cpp:1570
#12 0x00007f84ed222547 in WebCore::notifyNodeRemovedFromDocument(WebCore::ContainerNode&, WebCore::TreeScopeChange, WebCore::Node&) (oldParentOfRemovedTree=..., treeScopeChange=WebCore::TreeScopeChange::Changed, node=...) at ../../Source/WebCore/dom/ContainerNodeAlgorithms.cpp:114
#13 0x00007f84ed222617 in WebCore::notifyNodeRemovedFromDocument(WebCore::ContainerNode&, WebCore::TreeScopeChange, WebCore::Node&) (oldParentOfRemovedTree=..., treeScopeChange=WebCore::TreeScopeChange::Changed, node=...) at ../../Source/WebCore/dom/ContainerNodeAlgorithms.cpp:121
#14 0x00007f84ed222617 in WebCore::notifyNodeRemovedFromDocument(WebCore::ContainerNode&, WebCore::TreeScopeChange, WebCore::Node&) (oldParentOfRemovedTree=..., treeScopeChange=WebCore::TreeScopeChange::Changed, node=...) at ../../Source/WebCore/dom/ContainerNodeAlgorithms.cpp:121
#15 0x00007f84ed222617 in WebCore::notifyNodeRemovedFromDocument(WebCore::ContainerNode&, WebCore::TreeScopeChange, WebCore::Node&) (oldParentOfRemovedTree=..., treeScopeChange=WebCore::TreeScopeChange::Changed, node=...) at ../../Source/WebCore/dom/ContainerNodeAlgorithms.cpp:121
#16 0x00007f84ed22240f in WebCore::notifyChildNodeRemoved(WebCore::ContainerNode&, WebCore::Node&) (oldParentOfRemovedTree=..., child=...) at ../../Source/WebCore/dom/ContainerNodeAlgorithms.cpp:161
#17 0x00007f84ed222b1c in WebCore::addChildNodesToDeletionQueue(WebCore::Node*&, WebCore::Node*&, WebCore::ContainerNode&) (head=@0x7ffe9ed04f40: 0x0, tail=@0x7ffe9ed04f38: 0x0, container=...) at ../../Source/WebCore/dom/ContainerNodeAlgorithms.cpp:195
#18 0x00007f84ed21c99d in WebCore::removeDetachedChildrenInContainer(WebCore::ContainerNode&) (container=...) at ../../Source/WebCore/dom/ContainerNodeAlgorithms.cpp:209
#19 0x00007f84ed21c952 in WebCore::ContainerNode::removeDetachedChildren() (this=0x7f84911acbc8) at ../../Source/WebCore/dom/ContainerNode.cpp:245
#20 0x00007f84ed26e89a in WebCore::Document::removedLastRef() (this=0x7f84911acbc8) at ../../Source/WebCore/dom/Document.cpp:766
#21 0x00007f84ed3f10b4 in WebCore::Node::removedLastRef() (this=0x7f84911acbc8) at ../../Source/WebCore/dom/Node.cpp:2556
#22 0x00007f84ea9d6b5f in WebCore::Node::deref() const (this=0x7f84911acbc8) at DerivedSources/ForwardingHeaders/WebCore/Node.h:741
#23 0x00007f84ed20734f in WTF::Ref<WebCore::ContainerNode, WTF::DumbPtrTraits<WebCore::ContainerNode> >::~Ref() (this=0x7f847af74570) at DerivedSources/ForwardingHeaders/wtf/Ref.h:61
#24 0x00007f84ed206095 in WebCore::ChildNodeList::~ChildNodeList() (this=0x7f847af74558) at ../../Source/WebCore/dom/ChildNodeList.cpp:48
#25 0x00007f84ed2060c9 in WebCore::ChildNodeList::~ChildNodeList() (this=0x7f847af74558) at ../../Source/WebCore/dom/ChildNodeList.cpp:46
#26 0x00007f84eb1d9cbf in std::default_delete<WebCore::NodeList>::operator()(WebCore::NodeList*) const (this=0x7ffe9ed050e0, __ptr=0x7f847af74558) at /usr/bin/../lib/gcc/x86_64-unknown-linux-gnu/9.3.0/../../../../include/c++/9.3.0/bits/unique_ptr.h:81
#27 0x00007f84eb1d9c80 in WTF::RefCounted<WebCore::NodeList, std::default_delete<WebCore::NodeList> >::deref() const (this=0x7f847af74568) at DerivedSources/ForwardingHeaders/wtf/RefCounted.h:190
#28 0x00007f84eb1d5863 in WTF::Ref<WebCore::NodeList, WTF::DumbPtrTraits<WebCore::NodeList> >::~Ref() (this=0x7f83bfb80058) at DerivedSources/ForwardingHeaders/wtf/Ref.h:61
#29 0x00007f84ebf0db69 in WebCore::JSDOMWrapper<WebCore::NodeList>::~JSDOMWrapper() (this=0x7f83bfb80040) at ../../Source/WebCore/bindings/js/JSDOMWrapper.h:72
#30 0x00007f84ebf0bcc5 in WebCore::JSNodeList::~JSNodeList() (this=0x7f83bfb80040) at DerivedSources/WebCore/JSNodeList.h:29
#31 0x00007f84ebf01b1d in WebCore::JSNodeList::destroy(JSC::JSCell*) (cell=0x7f83bfb80040) at DerivedSources/WebCore/JSNodeList.cpp:170
#32 0x00007f84dd4cd8ba in JSC::JSDestructibleObjectDestroyFunc::operator()(JSC::VM&, JSC::JSCell*) const (this=0x7ffe9ed05450, cell=0x7f83bfb80040) at ../../Source/JavaScriptCore/runtime/JSDestructibleObjectHeapCellType.cpp:38
#33 0x00007f84dd4e78f5 in JSC::MarkedBlock::Handle::specializedSweep<false, (JSC::MarkedBlock::Handle::EmptyMode)0, (JSC::MarkedBlock::Handle::SweepMode)0, (JSC::MarkedBlock::Handle::SweepDestructionMode)0, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)0, (JSC::MarkedBlock::Handle::MarksMode)0, JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::JSDestructibleObjectDestroyFunc const&)::{lambda(void*)#1}::operator()(void*) const (this=0x7ffe9ed05338, cell=0x7f83bfb80040) at ../../Source/JavaScriptCore/heap/MarkedBlockInlines.h:260
#34 0x00007f84dd4e2425 in JSC::MarkedBlock::Handle::specializedSweep<false, (JSC::MarkedBlock::Handle::EmptyMode)0, (JSC::MarkedBlock::Handle::SweepMode)0, (JSC::MarkedBlock::Handle::SweepDestructionMode)0, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)0, (JSC::MarkedBlock::Handle::MarksMode)0, JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::JSDestructibleObjectDestroyFunc const&) (this=0x7f846cb6a300, freeList=0x0, emptyMode=JSC::MarkedBlock::Handle::IsEmpty, sweepMode=JSC::MarkedBlock::Handle::SweepOnly, destructionMode=JSC::MarkedBlock::Handle::BlockHasDestructors, scribbleMode=JSC::MarkedBlock::Handle::Scribble, newlyAllocatedMode=JSC::MarkedBlock::Handle::DoesNotHaveNewlyAllocated, marksMode=JSC::MarkedBlock::Handle::MarksStale, destroyFunc=...) at ../../Source/JavaScriptCore/heap/MarkedBlockInlines.h:294
#35 0x00007f84dd4cd882 in JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType<JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::JSDestructibleObjectDestroyFunc const&) (this=0x7f846cb6a300, freeList=0x0, destroyFunc=...) at ../../Source/JavaScriptCore/heap/MarkedBlockInlines.h:439
#36 0x00007f84dd48a615 in JSC::JSDestructibleObjectHeapCellType::finishSweep(JSC::MarkedBlock::Handle&, JSC::FreeList*) (this=0x7f84d43f9300, handle=..., freeList=0x0) at ../../Source/JavaScriptCore/runtime/JSDestructibleObjectHeapCellType.cpp:53
#37 0x00007f84dced8eb5 in JSC::Subspace::finishSweep(JSC::MarkedBlock::Handle&, JSC::FreeList*) (this=0x7f8479cb08d0, block=..., freeList=0x0) at ../../Source/JavaScriptCore/heap/Subspace.cpp:60
#38 0x00007f84dcebba90 in JSC::MarkedBlock::Handle::sweep(JSC::FreeList*) (this=0x7f846cb6a300, freeList=0x0) at ../../Source/JavaScriptCore/heap/MarkedBlock.cpp:415
#39 0x00007f84dce268a4 in JSC::BlockDirectory::sweep()::$_7::operator()(unsigned long) const (this=0x7ffe9ed05630, index=0) at ../../Source/JavaScriptCore/heap/BlockDirectory.cpp:280
#40 0x00007f84dce248bc in WTF::FastBitVectorImpl<JSC::BlockDirectoryBits::BlockDirectoryBitVectorWordView<(JSC::BlockDirectoryBits::Kind)6> >::forEachSetBit<JSC::BlockDirectory::sweep()::$_7>(JSC::BlockDirectory::sweep()::$_7 const&) const (this=0x7ffe9ed05638, func=...) at DerivedSources/ForwardingHeaders/wtf/FastBitVector.h:355
#41 0x00007f84dce24833 in JSC::BlockDirectory::sweep() (this=0x7f8479cb0930) at ../../Source/JavaScriptCore/heap/BlockDirectory.cpp:277
#42 0x00007f84dcec5219 in JSC::MarkedSpace::sweepBlocks()::$_9::operator()(JSC::BlockDirectory&) const (this=0x7ffe9ed056c0, directory=...) at ../../Source/JavaScriptCore/heap/MarkedSpace.cpp:222
#43 0x00007f84dcebdddf in JSC::MarkedSpace::forEachDirectory<JSC::MarkedSpace::sweepBlocks()::$_9>(JSC::MarkedSpace::sweepBlocks()::$_9 const&) (this=0x7f8491000130, functor=...) at ../../Source/JavaScriptCore/heap/MarkedSpace.h:241
#44 0x00007f84dcebdd96 in JSC::MarkedSpace::sweepBlocks() (this=0x7f8491000130) at ../../Source/JavaScriptCore/heap/MarkedSpace.cpp:220
#45 0x00007f84dce41c9b in JSC::Heap::sweepSynchronously() (this=0x7f8491000048) at ../../Source/JavaScriptCore/heap/Heap.cpp:1048
#46 0x00007f84dce42134 in JSC::Heap::collectNow(JSC::Synchronousness, JSC::GCRequest) (this=0x7f8491000048, synchronousness=JSC::Sync, request=...) at ../../Source/JavaScriptCore/heap/Heap.cpp:1091
#47 0x00007f84ecd4d9f3 in WebCore::GCController::garbageCollectNow() (this=0x7f84f5854220 <WebCore::GCController::singleton()::controller>) at ../../Source/WebCore/bindings/js/GCController.cpp:96
#48 0x00007f84eb140339 in WebKit::InjectedBundle::garbageCollectJavaScriptObjects() (this=0x7f84d43ca030) at ../../Source/WebKit/WebProcess/InjectedBundle/InjectedBundle.cpp:463
#49 0x00007f84eb15aa0d in WKBundleGarbageCollectJavaScriptObjects(WKBundleRef) (bundleRef=0x7f84d43ca030) at ../../Source/WebKit/WebProcess/InjectedBundle/API/c/WKBundle.cpp:86
#50 0x00007f84917b3221 in WTR::GCController::collect() (this=0x7f83c00c5150) at ../../Tools/WebKitTestRunner/InjectedBundle/GCController.cpp:55
#51 0x00007f8491801677 in WTR::JSGCController::collect(OpaqueJSContext const*, OpaqueJSValue*, OpaqueJSValue*, unsigned long, OpaqueJSValue const* const*, OpaqueJSValue const**) (context=0x7f846cd6cea0, thisObject=0x7f8490ea11c0, argumentCount=0, arguments=0x7ffe9ed059a0, exception=0x7ffe9ed05970) at DerivedSources/WebKitTestRunner/InjectedBundle/JSGCController.cpp:80
#52 0x00007f84dc00a2dc in JSC::APICallbackFunction::call<JSC::JSCallbackFunction>(JSC::JSGlobalObject*, JSC::CallFrame*) (globalObject=0x7f846cd6cea0, callFrame=0x7ffe9ed05ae0) at ../../Source/JavaScriptCore/API/APICallbackFunction.h:63
#53 0x00007f8494034027 in  ()
#54 0x00007ffe9ed05b50 in  ()
#55 0x00007f84dbecea53 in llint_op_call () at /app/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18
#56 0x0000000000000000 in  ()
