248496 2022-11-29 14:27:42 -0800 [ New Test ] (256342@main): [ macOS Debug ] fast/events/message-port-gc-after-removing-event-listener.html is a flaky crash 2022-11-30 08:00:27 -0800 1 1 1 Unclassified WebKit New Bugs WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED https://bugs.webkit.org/show_bug.cgi?id=193184 InRadar P2 Normal --- 1 rackler cdumez cdumez webkit-bot-watchers-bugzilla webkit-bug-importer oldest_to_newest 1915417 0 rackler 2022-11-29 14:27:42 -0800 Description: fast/events/message-port-gc-after-removing-event-listener.html The test was added at 256342@main and was a flaky crash since then. The history shows this affecting macOS Debug. This issue can be bisected to 256342@main using the command: run-webkit-tests --debug --iterations 4000 --exit-after-n-failures 1 --exit-after-n-crashes-or-timeouts 1 --debug-rwt-logging --no-retry --force --no-build -f fast/events/message-port-gc-after-removing-event-listener.html Result: Unexpected flakiness: crashes (1) fast/events/message-port-gc-after-removing-event-listener.html [ Pass Crash ] History: https://results.webkit.org/?suite=layout-tests&test=fast%2Fevents%2Fmessage-port-gc-after-removing-event-listener.html&style=debug&platform=mac Crash Log: No crash log found for com.apple.WebKit.WebContent.Development:79000. stdout: stderr: com.apple.WebKit.WebContent.Development terminated (pid 79000) for reason: crash LEAK: 1 WebPageProxy 1915418 1 webkit-bug-importer 2022-11-29 14:28:07 -0800 <rdar://problem/102784521> 1915422 2 cdumez 2022-11-29 14:38:52 -0800 I managed to get this crash trace from one of the bots: Crashed Thread: 12 WebCore: Worker Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000005 Exception Codes: 0x0000000000000001, 0x0000000000000005 Termination Reason: Namespace SIGNAL, Code 11 Segmentation fault: 11 Terminating Process: exc handler [41345] VM Region Info: 0x5 is not in any region. Bytes before following region: 4377247739 REGION TYPE START - END [ VSIZE] PRT/MAX SHRMOD REGION DETAIL UNUSED SPACE AT START ---> __TEXT 104e78000-104e7c000 [ 16K] r-x/r-x SM=COW ...t.Development Thread 12 Crashed:: Dispatch queue: 0 com.apple.WebCore 0x108ca1d64 JSC::JSCell::isObject() const 1 com.apple.WebCore 0x108cb4c08 JSC::JSValue::isObject() const 2 com.apple.WebCore 0x108cb4c08 JSC::JSValue::isObject() const 3 com.apple.WebCore 0x10b177420 WebCore::isWorldCompatible(JSC::JSGlobalObject&, JSC::JSValue) 4 com.apple.WebCore 0x10b177338 WebCore::cloneAcrossWorlds(JSC::JSGlobalObject&, WebCore::JSDOMObject const&, JSC::JSValue) 5 com.apple.WebCore 0x10b1605f0 WebCore::cachedPropertyValue(JSC::JSGlobalObject&, WebCore::JSDOMObject const&, WebCore::JSValueInWrappedObject&, WTF::Function<JSC::JSValue ()> const&) 6 com.apple.WebCore 0x10b207e2c WebCore::JSMessageEvent::ports(JSC::JSGlobalObject&) const 7 com.apple.WebCore 0x10948e9b8 WebCore::jsMessageEvent_portsGetter(JSC::JSGlobalObject&, WebCore::JSMessageEvent&) 8 com.apple.WebCore 0x1093cbf0c long long WebCore::IDLAttribute<WebCore::JSMessageEvent>::get<&(WebCore::jsMessageEvent_portsGetter(JSC::JSGlobalObject&, WebCore::JSMessageEvent&)), (WebCore::CastedThisErrorBehavior)3>(JSC::JSGlobalObject&, long long, JSC::PropertyName) 9 com.apple.WebCore 0x1093cbde8 WebCore::jsMessageEvent_ports(JSC::JSGlobalObject*, long long, JSC::PropertyName) 10 com.apple.JavaScriptCore 0x147530c9c WTF::FunctionPtr<(WTF::PtrTag)57072, long long (JSC::JSGlobalObject*, long long, JSC::PropertyName), (WTF::FunctionAttributes)1>::operator()(JSC::JSGlobalObject*, long long, JSC::PropertyName) const 11 com.apple.JavaScriptCore 0x147794a0c JSC::PropertySlot::customGetter(JSC::VM&, JSC::PropertyName) const 12 com.apple.JavaScriptCore 0x145f6716c JSC::PropertySlot::getValue(JSC::JSGlobalObject*, JSC::PropertyName) const 13 com.apple.JavaScriptCore 0x14602c6e0 JSC::JSValue::get(JSC::JSGlobalObject*, JSC::PropertyName, JSC::PropertySlot&) const 14 com.apple.JavaScriptCore 0x147115f40 JSC::LLInt::performLLIntGetByID(JSC::BytecodeIndex, JSC::CodeBlock*, JSC::JSGlobalObject*, JSC::JSValue, JSC::Identifier const&, JSC::GetByIdModeMetadata&) 15 com.apple.JavaScriptCore 0x147115ca8 llint_slow_path_get_by_id 1915428 3 cdumez 2022-11-29 14:56:29 -0800 I don't think this is a regression from my change. I believe the new test exposed a pre-existing issue. In particular, I believe that the worker is being terminated while MessageEvent.ports is getting called and we don't properly deal with this. 1915437 4 ap 2022-11-29 15:27:09 -0800 Is there a way to adjust the test so that it doesn't run into this? We do need a working test for the original fix. 1915438 5 cdumez 2022-11-29 15:27:38 -0800 (In reply to Alexey Proskuryakov from comment #4) > Is there a way to adjust the test so that it doesn't run into this? We do > need a working test for the original fix. I will upload a fix shortly. 1915441 6 cdumez 2022-11-29 15:33:43 -0800 Pull request: https://github.com/WebKit/WebKit/pull/6947 1915610 7 ews-feeder 2022-11-30 08:00:24 -0800 Committed 257180@main (c9f7f8272c10): <https://commits.webkit.org/257180@main> Reviewed commits have been landed. Closing PR #6947 and removing active labels.