Bug 246709

Summary: New test(255626@main): svg/foreignObject/respect-block-margin.html is constantly crashing
Product: WebKit
Reporter: WebKit Commit Bot <commit-queue>
Component: SVG
Assignee: WebKit Commit Bot <commit-queue>
Status: RESOLVED DUPLICATE
Severity: Normal
CC: hhjalmarsson, sabouhallawa, webkit-bug-importer, zimmermann
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Bug Depends on:
Bug Blocks: 245908
Attachments:
  Description: REVERT of 255626@main
  Flags: none

Description WebKit Commit Bot 2022-10-18 14:06:55 PDT
https://commits.webkit.org/255626@main introduced a regression:
Caused crashing layout tests on iOS Debug

This is an automatic bug report generated by webkitbot. If this bug
report was created because of a flaky test, please file a bug for the flaky
test (if we don't already have one on file) and dup this bug against that bug
so that we can track how often these flaky tests fail.
Comment 1 WebKit Commit Bot 2022-10-18 14:07:05 PDT
Created attachment 463063 [details]
REVERT of 255626@main

Any committer can land this patch automatically by marking it commit-queue+.  The commit-queue will build and test the patch before landing to ensure that the revert will be successful.  This process takes approximately 15 minutes.

If you would like to land the revert faster, you can use the following command:

  webkit-patch land-attachment ATTACHMENT_ID

where ATTACHMENT_ID is the ID of this attachment.
Comment 2 Hercules Hjalmarsson 2022-10-19 11:29:58 PDT
Comment on attachment 463063 [details]
REVERT of 255626@main

Causes crashes on iOS Debug
Comment 3 Radar WebKit Bug Importer 2022-10-20 09:25:59 PDT
<rdar://problem/101385427>
Comment 4 Hercules Hjalmarsson 2022-10-20 10:59:35 PDT
Reverted in https://commits.webkit.org/255793@main.
Comment 5 Hercules Hjalmarsson 2022-10-20 11:05:15 PDT
svg/foreignObject/respect-block-margin.html

Is a constant crash since introduced at 255626@main.

HISTORY:

https://results.webkit.org/?suite=layout-tests&test=svg%2FforeignObject%2Frespect-block-margin.html

DIFF:

stdout:

stderr:
ASSERTION FAILED: is<Target>(source)
/Volumes/Data/worker/Apple-iOS-16-Simulator-Debug-Build/build/WebKitBuild/Debug-iphonesimulator/usr/local/include/wtf/TypeCasts.h(79) : match_constness_t<Source, Target> &WTF::downcast(Source &) [Target = WebCore::RenderBoxModelObject, Source = WebCore::RenderObject]
1   0x2527f12d9 WTFCrash
2   0x2527f12f9 WTFCrashWithSecurityImplication
3   0x2810017c1 std::__1::conditional<std::is_const_v<WebCore::RenderObject>, std::__1::add_const<WebCore::RenderBoxModelObject>::type, std::__1::remove_const<WebCore::RenderBoxModelObject>::type>::type& WTF::downcast<WebCore::RenderBoxModelObject, WebCore::RenderObject>(WebCore::RenderObject&)
4   0x284d68877 WebCore::RenderObject::destroy()
5   0x284d686a9 WebCore::RenderObjectDeleter::operator()(WebCore::RenderObject*) const
6   0x284fffd7c std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>::reset(WebCore::RenderObject*)
7   0x284fffd19 std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>::~unique_ptr()
8   0x284fee015 std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>::~unique_ptr()
9   0x284fed8c5 WebCore::RenderTreeBuilder::destroy(WebCore::RenderObject&, WebCore::RenderTreeBuilder::CanCollapseAnonymousBlock)
10  0x284fed8b0 WebCore::RenderTreeBuilder::destroy(WebCore::RenderObject&, WebCore::RenderTreeBuilder::CanCollapseAnonymousBlock)
11  0x284ff3da3 WebCore::RenderTreeBuilder::destroyAndCleanUpAnonymousWrappers(WebCore::RenderObject&)
12  0x28501cf19 WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&)::$_2::operator()(unsigned int) const
13  0x28501ba85 WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&)
14  0x28501cbc6 WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&)
15  0x28302c112 WebCore::Document::destroyRenderTree()
16  0x28302c614 WebCore::Document::willBeRemovedFromFrame()
17  0x283fe8575 WebCore::Frame::setView(WTF::RefPtr<WebCore::FrameView, WTF::RawPtrTraits<WebCore::FrameView>, WTF::DefaultRefDerefTraits<WebCore::FrameView> >&&)
18  0x283fed366 WebCore::Frame::createView(WebCore::IntSize const&, std::__1::optional<WebCore::Color> const&, WebCore::IntSize const&, WebCore::IntRect const&, bool, WebCore::ScrollbarMode, bool, WebCore::ScrollbarMode, bool)
19  0x2352ca9c1 WebKit::WebFrameLoaderClient::transitionToCommittedForNewPage()
20  0x283d7d996 WebCore::FrameLoader::transitionToCommitted(WebCore::CachedPage*)
21  0x283d7c5cd WebCore::FrameLoader::commitProvisionalLoad()
22  0x283cfe4a9 WebCore::DocumentLoader::commitIfReady()
23  0x283cfec0d WebCore::DocumentLoader::finishedLoading()
24  0x283d0c8e1 WebCore::DocumentLoader::maybeLoadEmpty()
25  0x283d0cb46 WebCore::DocumentLoader::startLoadingMainResource()
26  0x283db975c WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WebCore::FormState*, WebCore::NavigationPolicyDecision, WebCore::AllowNavigationToInvalidURL)::$_12::operator()()
27  0x283db9229 WTF::Detail::CallableWrapper<WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WebCore::FormState*, WebCore::NavigationPolicyDecision, WebCore::AllowNavigationToInvalidURL)::$_12, void>::call()
28  0x27f700a92 WTF::Function<void ()>::operator()() const
29  0x27f75f162 WTF::CompletionHandler<void ()>::operator()()
30  0x283d79830 WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WebCore::FormState*, WebCore::NavigationPolicyDecision, WebCore::AllowNavigationToInvalidURL)
31  0x283db5bbc WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::RefPtr<WebCore::FormState, WTF::RawPtrTraits<WebCore::FormState>, WTF::DefaultRefDerefTraits<WebCore::FormState> >&&, WebCore::AllowNavigationToInvalidURL, WTF::CompletionHandler<void ()>&&)::$_9::operator()(WebCore::ResourceRequest const&, WTF::WeakPtr<WebCore::FormState, WTF::DefaultWeakPtrImpl>&&, WebCore::NavigationPolicyDecision)
com.apple.WebKit.WebContent.Development terminated (pid 55349) for reason: crash
LEAK: 12 WebPageProxy
Comment 6 Hercules Hjalmarsson 2022-10-20 11:06:28 PDT
This is only crashing on iOS Debug.
Comment 7 Hercules Hjalmarsson 2022-10-20 11:13:28 PDT

*** This bug has been marked as a duplicate of bug 245908 ***
Comment 8 Nikolas Zimmermann 2022-11-21 01:48:37 PST
So, I am trying to reproduce this using iOS Simulator -- without luck. I never checked iOS builds before, so I am wondering if this is the correct approach, to use iOS sim to reproduce this on macOS? How else can I tackle this?
Comment 9 Nikolas Zimmermann 2022-11-21 01:53:15 PST
Heh, wait, I forgot that I changed the RenderSVGRoot <-> RenderSVGViewportContainer relationship (now the latter holds a WeakPtr to the former, not vice-versa). Eventually that masks the bug on iOS....

I can at least say that I've build-webkit --debug --iphone-simulator and ran the layout tests in svg/, without a crash/assertion in svg/foreignObject.
Comment 10 Nikolas Zimmermann 2022-11-23 00:21:44 PST
This relanded in 256960@main. According to https://results.webkit.org/?suite=layout-tests&test=svg%2FforeignObject%2Frespect-block-margin.html there is no crash in the previously affected test - respect-block-margin.html - anymore.