REGRESSION(268278@main): WTFCrash in ~CanMakeCheckedPtrBase of ~Event…

…Target https://bugs.webkit.org/show_bug.cgi?id=264382 Reviewed by Chris Dumez. Windows port was ocationally observing a CheckedPtr release check failure in ~EventTarget with the following backtrace. > WebCore!WTFCrashWithInfo(void)+0x1d > WebCore!WTF::CanMakeCheckedPtrBase<WTF::SingleThreadIntegralWrapper<unsigned int>,unsigned int>::~CanMakeCheckedPtrBase(void)+0xab > WebCore!WebCore::EventTarget::~EventTarget(void)+0x11c > WebCore!WebCore::TextDocument::~TextDocument(int should_call_delete = 0n1)+0x10 > WebCore!WebCore::Document::decrementReferencingNodeCount(void)+0x23 > WebCore!WebCore::Node::~Node(void)+0xcf > WebCore!WebCore::Element::~Element(void)+0x13f > WebCore!WebCore::HTMLHeadElement::~HTMLHeadElement(int should_call_delete = 0n1)+0x10 > WebCore!WebCore::Node::deref(void)+0x12 > WebCore!WTF::DefaultRefDerefTraits<WebCore::ContainerNode>::derefIfNotNull(class WebCore::ContainerNode * ptr = <Value unavailable error>)+0x17 > WebCore!WTF::RefPtr<WebCore::ContainerNode,WTF::RawPtrTraits<WebCore::ContainerNode>,WTF::DefaultRefDerefTraits<WebCore::ContainerNode> >::~RefPtr(void)+0x23 > WebCore!WebCore::HTMLStackItem::~HTMLStackItem(void)+0x2c > WebCore!WebCore::HTMLConstructionSite::~HTMLConstructionSite(void)+0x84 > WebCore!WebCore::HTMLTreeBuilder::~HTMLTreeBuilder(void)+0xce > [...] This is under ~HTMLStackItem and ~HTMLConstructionSite. While destroying m_head of HTMLConstructionSite, something still had a CheckedPtr to the EventTarget. 268278@main adopted CheckedRef to m_document and m_attachmentRoot of HTMLConstructionSite. m_document and m_attachmentRoot should be destroyed before destroying m_head. * Source/WebCore/html/parser/HTMLConstructionSite.h: Reodered member variables so that m_head is destroyed after m_document and m_attachmentRoot. Canonical link: https://commits.webkit.org/270813@main
WebKit · Nov 16, 2023 · b43c0f5 · b43c0f5
1 parent 5e6b4ec
commit b43c0f5
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/Source/WebCore/html/parser/HTMLConstructionSite.h b/Source/WebCore/html/parser/HTMLConstructionSite.h
@@ -224,14 +224,16 @@ class HTMLConstructionSite {
     Ref<Document> protectedDocument() const;
     Ref<ContainerNode> protectedAttachmentRoot() const;
 
+    // m_head has to be destroyed after destroying CheckedRef of m_document and m_attachmentRoot
+    HTMLStackItem m_head;
+
     CheckedRef<Document> m_document;
 
     // This is the root ContainerNode to which the parser attaches all newly
     // constructed nodes. It points to a DocumentFragment when parsing fragments
     // and a Document in all other cases.
     CheckedRef<ContainerNode> m_attachmentRoot;
 
-    HTMLStackItem m_head;
     RefPtr<HTMLFormElement> m_form;
     mutable HTMLElementStack m_openElements;
     mutable HTMLFormattingElementList m_activeFormattingElements;