192421 2018-12-05 12:10:40 -0800 Crash under WebCore::cachedDocumentWrapper() 2018-12-05 13:05:54 -0800 1 1 1 Unclassified WebKit Bindings WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 cdumez cdumez achristensen cdumez commit-queue rniwa webkit-bug-importer youennf oldest_to_newest 1485368 0 cdumez 2018-12-05 12:10:40 -0800 Crash under WebCore::cachedDocumentWrapper(): Thread[0] EXC_BAD_ACCESS (SIGSEGV) (KERN_INVALID_ADDRESS at 0x0000000000000848) [ 0] 0x000000020a99c690 WebCore`WebCore::cachedDocumentWrapper(JSC::ExecState&, WebCore::JSDOMGlobalObject&, WebCore::Document&) [inlined] WTF::DumbPtrTraits<WebCore::DOMWrapperWorld>::unwrap(WebCore::DOMWrapperWorld* const&) at DumbPtrTraits.h:41:69 0x000000020a99c680: bl 0xa066f4 ; WebCore::toJS [inlined] WebCore::FrameDestructionObserver::frame() const at DOMWindow.h:204 0x000000020a99c684: mov x1, x0 0x000000020a99c688: mov x0, x21 0x000000020a99c68c: bl 0xa06728 ; WebCore::toJSDOMWindow [inlined] JSC::JSValue::isCell() const at JSCJSValueInlines.h:609 -> 0x000000020a99c690: ldr x8, [x0, #0x848] 0x000000020a99c694: ldrb w9, [x8, #0x40] 0x000000020a99c698: cbz w9, 0xa0c6b8 ; <+160> [inlined] WebCore::DOMWrapperWorld::wrappers() at JSDOMWrapperCache.h:163 0x000000020a99c69c: ldr x9, [x19, #0x8] 0x000000020a99c6a0: cbz x9, 0xa0c6b8 ; <+160> [inlined] WebCore::DOMWrapperWorld::wrappers() at JSDOMWrapperCache.h:163 [ 0] 0x000000020a99c690 WebCore`WebCore::cachedDocumentWrapper(JSC::ExecState&, WebCore::JSDOMGlobalObject&, WebCore::Document&) [inlined] WTF::Ref<WebCore::DOMWrapperWorld, WTF::DumbPtrTraits<WebCore::DOMWrapperWorld> >::get() const at Ref.h:122 [ 0] 0x000000020a99c690 WebCore`WebCore::cachedDocumentWrapper(JSC::ExecState&, WebCore::JSDOMGlobalObject&, WebCore::Document&) [inlined] WebCore::JSDOMGlobalObject::world() at JSDOMGlobalObject.h:74 70 Event* currentEvent() const; 71 72 static void visitChildren(JSC::JSCell*, JSC::SlotVisitor&); 73 -> 74 DOMWrapperWorld& world() { return m_world.get(); } 75 bool worldIsNormal() const { return m_worldIsNormal; } 76 static ptrdiff_t offsetOfWorldIsNormal() { return OBJECT_OFFSETOF(JSDOMGlobalObject, m_worldIsNormal); } 77 78 JSBuiltinInternalFunctions& builtinInternalFunctions() { return m_builtinInternalFunctions; } [ 0] 0x000000020a99c690 WebCore`WebCore::cachedDocumentWrapper(JSC::ExecState&, WebCore::JSDOMGlobalObject&, WebCore::Document&) + 120 at JSDocumentCustom.cpp:60 56 if (!window) 57 return nullptr; 58 59 // Creating a wrapper for domWindow might have created a wrapper for document as well. -> 60 return getCachedWrapper(toJSDOMWindow(state.vm(), toJS(&state, *window))->world(), document); 61 } 62 63 void reportMemoryForDocumentIfFrameless(ExecState& state, Document& document) 64 { [ 1] 0x000000020a99c68f WebCore`WebCore::cachedDocumentWrapper(JSC::ExecState&, WebCore::JSDOMGlobalObject&, WebCore::Document&) + 119 at JSDocumentCustom.cpp:60:29 [ 2] 0x000000020a99c90f WebCore`WebCore::toJS(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WebCore::Document&) + 35 at JSDocumentCustom.cpp:86:25 [ 3] 0x000000020a4a5303 WebCore`WebCore::jsNodeParentNode(JSC::ExecState*, long long, JSC::PropertyName) [inlined] WebCore::toJS(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WebCore::Node&) + 51 at JSNodeCustom.h:62:12 [ 3] 0x000000020a4a52d0 WebCore`WebCore::jsNodeParentNode(JSC::ExecState*, long long, JSC::PropertyName) [inlined] WebCore::toJS(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WebCore::Node*) at JSNode.h:97 [ 3] 0x000000020a4a52d0 WebCore`WebCore::jsNodeParentNode(JSC::ExecState*, long long, JSC::PropertyName) [inlined] JSC::JSValue WebCore::JSConverter<WebCore::IDLInterface<WebCore::Node> >::convert<WebCore::ContainerNode*>(JSC::ExecState&, WebCore::JSDOMGlobalObject&, WebCore::ContainerNode* const&) at JSDOMConvertInterface.h:81 [ 3] 0x000000020a4a52d0 WebCore`WebCore::jsNodeParentNode(JSC::ExecState*, long long, JSC::PropertyName) [inlined] JSC::JSValue WebCore::JSConverter<WebCore::IDLNullable<WebCore::IDLInterface<WebCore::Node> > >::convert<WebCore::ContainerNode*>(JSC::ExecState&, WebCore::JSDOMGlobalObject&, WebCore::ContainerNode*&&) + 28 at JSDOMConvertNullable.h:137 1485369 1 356638 cdumez 2018-12-05 12:14:31 -0800 Created attachment 356638 Patch 1485383 2 commit-queue 2018-12-05 12:47:49 -0800 The commit-queue encountered the following flaky tests while processing attachment 356638: imported/w3c/web-platform-tests/WebCryptoAPI/generateKey/failures_AES-KW.https.any.worker.html bug 192423 The commit-queue is continuing to process your patch. 1485390 3 356638 ap 2018-12-05 12:57:47 -0800 Comment on attachment 356638 Patch No test case? 1485391 4 356638 cdumez 2018-12-05 12:59:02 -0800 Comment on attachment 356638 Patch Clearing flags on attachment: 356638 Committed r238905: <https://trac.webkit.org/changeset/238905> 1485392 5 cdumez 2018-12-05 12:59:04 -0800 All reviewed patches have been landed. Closing bug. 1485395 6 webkit-bug-importer 2018-12-05 13:01:04 -0800 <rdar://problem/46496830> 1485398 7 cdumez 2018-12-05 13:05:54 -0800 (In reply to Alexey Proskuryakov from comment #3) > Comment on attachment 356638 [details] > Patch > > No test case? I have not been able to reproduce, neither was QA. This is a speculative fix based on the crash trace. 356638 2018-12-05 12:14:31 -0800 2018-12-05 12:59:02 -0800 Patch bug-192421-20181205121430.patch text/plain 1817 cdumez U3VidmVyc2lvbiBSZXZpc2lvbjogMjM4ODkzCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggNTUxMzllMmQxYzU3YTlj ZWE5ZTUzYjA4MmE2YjA3M2VhM2NkYTBjNC4uODJmNGYxMTVmM2ExOGExN2I5YTJhOWJiYmUxYzU1 MzE0M2I2MTQyMyAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE3IEBACisyMDE4LTEyLTA1ICBDaHJp cyBEdW1leiAgPGNkdW1lekBhcHBsZS5jb20+CisKKyAgICAgICAgQ3Jhc2ggdW5kZXIgV2ViQ29y ZTo6Y2FjaGVkRG9jdW1lbnRXcmFwcGVyKCkKKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5v cmcvc2hvd19idWcuY2dpP2lkPTE5MjQyMQorICAgICAgICA8cmRhcjovL3Byb2JsZW0vMzcxMTQx NjM+CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgRml4 IHBvdGVudGlhbCBudWxsIGRlZmVyZXJlbmNlIG9mIHRoZSB2YWx1ZSByZXR1cm5lZCBieSB0b0pT RE9NV2luZG93KCkuIEZvciBleGFtcGxlLAorICAgICAgICBpZiB0aGUgd2luZG93IGlzIGZyYW1l bGVzcywgaXQgd291bGQgcmV0dXJuIG51bGwuCisKKyAgICAgICAgKiBiaW5kaW5ncy9qcy9KU0Rv Y3VtZW50Q3VzdG9tLmNwcDoKKyAgICAgICAgKFdlYkNvcmU6OmNhY2hlZERvY3VtZW50V3JhcHBl cik6CisKIDIwMTgtMTItMDUgIEFsaWNpYSBCb3lhIEdhcmPDrWEgIDxhYm95YUBpZ2FsaWEuY29t PgogCiAgICAgICAgIFtNU0VdW0dTdHJlYW1lcl0gUmVtb3ZlIHRoZSBBcHBlbmRQaXBlbGluZSBz dGF0ZSBtYWNoaW5lCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9iaW5kaW5ncy9qcy9KU0Rv Y3VtZW50Q3VzdG9tLmNwcCBiL1NvdXJjZS9XZWJDb3JlL2JpbmRpbmdzL2pzL0pTRG9jdW1lbnRD dXN0b20uY3BwCmluZGV4IDU2ODdlNGQ3OGM2MmQwOGYxOTRiOTM4MjQ2NDY5Nzk2OTljMTdmOGQu LjQyYzIyYmYyY2MxOTYyOGYxMGExYmNlZjE1YThiNTUzYTUyNjIzMWYgMTAwNjQ0Ci0tLSBhL1Nv dXJjZS9XZWJDb3JlL2JpbmRpbmdzL2pzL0pTRG9jdW1lbnRDdXN0b20uY3BwCisrKyBiL1NvdXJj ZS9XZWJDb3JlL2JpbmRpbmdzL2pzL0pTRG9jdW1lbnRDdXN0b20uY3BwCkBAIC01Nyw4ICs1Nywx MiBAQCBKU09iamVjdCogY2FjaGVkRG9jdW1lbnRXcmFwcGVyKEV4ZWNTdGF0ZSYgc3RhdGUsIEpT RE9NR2xvYmFsT2JqZWN0JiBnbG9iYWxPYmplYwogICAgIGlmICghd2luZG93KQogICAgICAgICBy ZXR1cm4gbnVsbHB0cjsKIAorICAgIGF1dG8qIGRvY3VtZW50R2xvYmFsT2JqZWN0ID0gdG9KU0RP TVdpbmRvdyhzdGF0ZS52bSgpLCB0b0pTKCZzdGF0ZSwgKndpbmRvdykpOworICAgIGlmICghZG9j dW1lbnRHbG9iYWxPYmplY3QpCisgICAgICAgIHJldHVybiBudWxscHRyOworCiAgICAgLy8gQ3Jl YXRpbmcgYSB3cmFwcGVyIGZvciBkb21XaW5kb3cgbWlnaHQgaGF2ZSBjcmVhdGVkIGEgd3JhcHBl ciBmb3IgZG9jdW1lbnQgYXMgd2VsbC4KLSAgICByZXR1cm4gZ2V0Q2FjaGVkV3JhcHBlcih0b0pT RE9NV2luZG93KHN0YXRlLnZtKCksIHRvSlMoJnN0YXRlLCAqd2luZG93KSktPndvcmxkKCksIGRv Y3VtZW50KTsKKyAgICByZXR1cm4gZ2V0Q2FjaGVkV3JhcHBlcihkb2N1bWVudEdsb2JhbE9iamVj dC0+d29ybGQoKSwgZG9jdW1lbnQpOwogfQogCiB2b2lkIHJlcG9ydE1lbW9yeUZvckRvY3VtZW50 SWZGcmFtZWxlc3MoRXhlY1N0YXRlJiBzdGF0ZSwgRG9jdW1lbnQmIGRvY3VtZW50KQo=