246709 – New test(255626@main): svg/foreignObject/respect-block-margin.html is constantly crashing

Bug 246709 - New test(255626@main): svg/foreignObject/respect-block-margin.html is constantly crashing

Summary: New test(255626@main): svg/foreignObject/respect-block-margin.html is constan...

Status:	RESOLVED DUPLICATE of bug 245908

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	SVG (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	WebKit Commit Bot

URL:
Keywords:	InRadar

Depends on:
Blocks:	245908
	Show dependency tree / graph

Reported:	2022-10-18 14:06 PDT by WebKit Commit Bot
Modified:	2022-11-23 00:21 PST (History)
CC List:	4 users (show)

See Also:

Attachments
REVERT of 255626@main (21.20 KB, patch) 2022-10-18 14:07 PDT, WebKit Commit Bot	no flags	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description WebKit Commit Bot 2022-10-18 14:06:55 PDT

https://commits.webkit.org/255626@main introduced a regression:
Caused crashing layout tests on iOS Debug

This is an automatic bug report generated by webkitbot. If this bug
report was created because of a flaky test, please file a bug for the flaky
test (if we don't already have one on file) and dup this bug against that bug
so that we can track how often these flaky tests fail.

Comment 1 WebKit Commit Bot 2022-10-18 14:07:05 PDT

Created attachment 463063 [details]
REVERT of 255626@main

Any committer can land this patch automatically by marking it commit-queue+.  The commit-queue will build and test the patch before landing to ensure that the revert will be successful.  This process takes approximately 15 minutes.

If you would like to land the revert faster, you can use the following command:

  webkit-patch land-attachment ATTACHMENT_ID

where ATTACHMENT_ID is the ID of this attachment.

Comment 2 Hercules Hjalmarsson 2022-10-19 11:29:58 PDT

Comment on attachment 463063 [details]
REVERT of 255626@main

Causes crashes on iOS Debug

Comment 3 Radar WebKit Bug Importer 2022-10-20 09:25:59 PDT

<rdar://problem/101385427>

Comment 4 Hercules Hjalmarsson 2022-10-20 10:59:35 PDT

Reverted in https://commits.webkit.org/255793@main.

Comment 5 Hercules Hjalmarsson 2022-10-20 11:05:15 PDT

svg/foreignObject/respect-block-margin.html

Is a constant crash since introduced at 255626@main.

HISTORY:

https://results.webkit.org/?suite=layout-tests&test=svg%2FforeignObject%2Frespect-block-margin.html

DIFF:

stdout:

stderr:
ASSERTION FAILED: is<Target>(source)
/Volumes/Data/worker/Apple-iOS-16-Simulator-Debug-Build/build/WebKitBuild/Debug-iphonesimulator/usr/local/include/wtf/TypeCasts.h(79) : match_constness_t<Source, Target> &WTF::downcast(Source &) [Target = WebCore::RenderBoxModelObject, Source = WebCore::RenderObject]
1   0x2527f12d9 WTFCrash
2   0x2527f12f9 WTFCrashWithSecurityImplication
3   0x2810017c1 std::__1::conditional<std::is_const_v<WebCore::RenderObject>, std::__1::add_const<WebCore::RenderBoxModelObject>::type, std::__1::remove_const<WebCore::RenderBoxModelObject>::type>::type& WTF::downcast<WebCore::RenderBoxModelObject, WebCore::RenderObject>(WebCore::RenderObject&)
4   0x284d68877 WebCore::RenderObject::destroy()
5   0x284d686a9 WebCore::RenderObjectDeleter::operator()(WebCore::RenderObject*) const
6   0x284fffd7c std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>::reset(WebCore::RenderObject*)
7   0x284fffd19 std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>::~unique_ptr()
8   0x284fee015 std::__1::unique_ptr<WebCore::RenderObject, WebCore::RenderObjectDeleter>::~unique_ptr()
9   0x284fed8c5 WebCore::RenderTreeBuilder::destroy(WebCore::RenderObject&, WebCore::RenderTreeBuilder::CanCollapseAnonymousBlock)
10  0x284fed8b0 WebCore::RenderTreeBuilder::destroy(WebCore::RenderObject&, WebCore::RenderTreeBuilder::CanCollapseAnonymousBlock)
11  0x284ff3da3 WebCore::RenderTreeBuilder::destroyAndCleanUpAnonymousWrappers(WebCore::RenderObject&)
12  0x28501cf19 WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&)::$_2::operator()(unsigned int) const
13  0x28501ba85 WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType, WebCore::RenderTreeBuilder&)
14  0x28501cbc6 WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&)
15  0x28302c112 WebCore::Document::destroyRenderTree()
16  0x28302c614 WebCore::Document::willBeRemovedFromFrame()
17  0x283fe8575 WebCore::Frame::setView(WTF::RefPtr<WebCore::FrameView, WTF::RawPtrTraits<WebCore::FrameView>, WTF::DefaultRefDerefTraits<WebCore::FrameView> >&&)
18  0x283fed366 WebCore::Frame::createView(WebCore::IntSize const&, std::__1::optional<WebCore::Color> const&, WebCore::IntSize const&, WebCore::IntRect const&, bool, WebCore::ScrollbarMode, bool, WebCore::ScrollbarMode, bool)
19  0x2352ca9c1 WebKit::WebFrameLoaderClient::transitionToCommittedForNewPage()
20  0x283d7d996 WebCore::FrameLoader::transitionToCommitted(WebCore::CachedPage*)
21  0x283d7c5cd WebCore::FrameLoader::commitProvisionalLoad()
22  0x283cfe4a9 WebCore::DocumentLoader::commitIfReady()
23  0x283cfec0d WebCore::DocumentLoader::finishedLoading()
24  0x283d0c8e1 WebCore::DocumentLoader::maybeLoadEmpty()
25  0x283d0cb46 WebCore::DocumentLoader::startLoadingMainResource()
26  0x283db975c WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WebCore::FormState*, WebCore::NavigationPolicyDecision, WebCore::AllowNavigationToInvalidURL)::$_12::operator()()
27  0x283db9229 WTF::Detail::CallableWrapper<WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WebCore::FormState*, WebCore::NavigationPolicyDecision, WebCore::AllowNavigationToInvalidURL)::$_12, void>::call()
28  0x27f700a92 WTF::Function<void ()>::operator()() const
29  0x27f75f162 WTF::CompletionHandler<void ()>::operator()()
30  0x283d79830 WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WebCore::FormState*, WebCore::NavigationPolicyDecision, WebCore::AllowNavigationToInvalidURL)
31  0x283db5bbc WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::RefPtr<WebCore::FormState, WTF::RawPtrTraits<WebCore::FormState>, WTF::DefaultRefDerefTraits<WebCore::FormState> >&&, WebCore::AllowNavigationToInvalidURL, WTF::CompletionHandler<void ()>&&)::$_9::operator()(WebCore::ResourceRequest const&, WTF::WeakPtr<WebCore::FormState, WTF::DefaultWeakPtrImpl>&&, WebCore::NavigationPolicyDecision)
com.apple.WebKit.WebContent.Development terminated (pid 55349) for reason: crash
LEAK: 12 WebPageProxy

Comment 6 Hercules Hjalmarsson 2022-10-20 11:06:28 PDT

This is only crashing on iOS Debug.

Comment 7 Hercules Hjalmarsson 2022-10-20 11:13:28 PDT


*** This bug has been marked as a duplicate of bug 245908 ***

Comment 8 Nikolas Zimmermann 2022-11-21 01:48:37 PST

So, I am trying to reproduce this using iOS Simulator -- without luck. I never checked iOS builds before, so I am wondering if this is the correct approach, to use iOS sim to reproduce this on macOS? How else can I tackle this?

Comment 9 Nikolas Zimmermann 2022-11-21 01:53:15 PST

Heh, wait, I forgot that I changed the RenderSVGRoot <-> RenderSVGViewportContainer relationship (now the latter holds a WeakPtr to the former, not vice-versa). Eventually that masks the bug on iOS....

I can at least say that I've build-webkit --debug --iphone-simulator and ran the layout tests in svg/, without a crash/assertion in svg/foreignObjct.

Comment 10 Nikolas Zimmermann 2022-11-23 00:21:44 PST

Tthis relanded in 256960@main. According to https://results.webkit.org/?suite=layout-tests&test=svg%2FforeignObject%2Frespect-block-margin.html there is no crash in the previously affected test - respect-block-margin.html - anymore.