290826 2025-03-31 22:03:49 -0700 ASSERTION FAILED: Unsafe to ref/deref from different threads : m_isOwnedByMainThread == isMainThread() : under WebCore::JSTrustedTypePolicy::visitAdditionalChildren<JSC::SlotVisitor> 2025-04-07 09:48:56 -0700 1 1 1 Unclassified WebKit DOM WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 fujii rniwa bfulgham keith_miller lwarlow rniwa webkit-bug-importer ysuzuki oldest_to_newest 2107709 0 fujii 2025-03-31 22:03:49 -0700 trusted-types tests are randomly crashing. Windows Debug 292992@main Regressions: Unexpected crashes (1) imported/w3c/web-platform-tests/trusted-types/default-policy-report-only.html [ Crash ] ASSERTION FAILED: Unsafe to ref/deref from different threads m_isOwnedByMainThread == isMainThread() C:\BW\work\build\WebKitBuild\Debug\WTF\Headers\wtf/RefCounted.h(119) : void WTF::RefCountedBase::applyRefDerefThreadingCheck() const 1 00007FFFE74F7498 WTF::RefCountedBase::applyRefDerefThreadingCheck 2 00007FFFE75048A8 WTF::RefCountedBase::ref 3 00007FFFE9CAB70A WTF::DefaultRefDerefTraits<WebCore::CreateScriptURLCallback>::refIfNotNull 4 00007FFFE9CAB6CA WTF::RefPtr<WebCore::CreateScriptURLCallback,WTF::RawPtrTraits<WebCore::CreateScriptURLCallback>,WTF::DefaultRefDerefTraits<WebCore::CreateScriptURLCallback> >::RefPtr 5 00007FFFE9CAAD26 WTF::RefPtr<WebCore::CreateScriptURLCallback,WTF::RawPtrTraits<WebCore::CreateScriptURLCallback>,WTF::DefaultRefDerefTraits<WebCore::CreateScriptURLCallback> >::operator= 6 00007FFFE9CAAEE9 WebCore::JSTrustedTypePolicy::visitAdditionalChildren<JSC::SlotVisitor> 7 00007FFFE8E709A6 WebCore::JSTrustedTypePolicy::visitChildrenImpl<JSC::SlotVisitor> 8 00007FFFE8E5AFED WebCore::JSTrustedTypePolicy::visitChildren 9 00007FFFF4CD346B JSC::MethodTable::visitChildren 10 00007FFFF4CD0AB1 JSC::SlotVisitor::visitChildren 11 00007FFFF4CCF89E JSC::SlotVisitor::drain::<lambda_3>::operator() 12 00007FFFF4CCBD36 JSC::SlotVisitor::forEachMarkStack<`lambda at C:\BW\work\build\Source\JavaScriptCore\heap\SlotVisitor.cpp:500:13'> 13 00007FFFF4CCBCBC JSC::SlotVisitor::drain 14 00007FFFF4CCC902 JSC::SlotVisitor::drainFromShared 15 00007FFFF4C0B026 JSC::Heap::runBeginPhase::<lambda_33>::operator() 16 00007FFFF4C0AF07 WTF::SharedTaskFunctor<void (),`lambda at C:\BW\work\build\Source\JavaScriptCore\heap\Heap.cpp:1481:9'>::run 17 00007FFFF619B668 WTF::ParallelHelperClient::runTask 18 00007FFFF619C610 WTF::ParallelHelperPool::Thread::work 19 00007FFFF612CA8A WTF::AutomaticThread::start::<lambda_0>::operator() 20 00007FFFF612C787 WTF::Detail::CallableWrapper<`lambda at C:\BW\work\build\Source\WTF\wtf\AutomaticThread.cpp:169:9',void>::call 21 00007FFFF46EA85C WTF::Function<void ()>::operator() 22 00007FFFF629FD73 WTF::Thread::entryPoint 23 00007FFFF6378B63 WTF::wtfThreadEntryPoint 24 00007FF854AD1BB2 configthreadlocale 25 00007FF855837374 BaseThreadInitThunk 26 00007FF8571DCC91 RtlUserThreadStart ERROR: 000001D1694A1730 - [PID=15040] WebProcessProxy::didClose (web process crash) C:\BW\work\build\Source\WebKit\UIProcess/WebProcessProxy.cpp(1273) : virtual void WebKit::WebProcessProxy::didClose(IPC::Connection &) ERROR: 000001D1694A1730 - [PID=15040] WebProcessProxy::processDidTerminateOrFailedToLaunch: reason=Crash C:\BW\work\build\Source\WebKit\UIProcess/WebProcessProxy.cpp(1288) : void WebKit::WebProcessProxy::processDidTerminateOrFailedToLaunch(ProcessTerminationReason) ERROR: 000001D16949ABE0 - [pageProxyID=6404, webPageID=6405, PID=15040] WebPageProxy::processDidTerminate: (pid 15040), reason=Crash C:\BW\work\build\Source\WebKit\UIProcess/WebPageProxy.cpp(11039) : void WebKit::WebPageProxy::resetStateAfterProcessTermination(ProcessTerminationReason) ERROR: 000001D16949ABE0 - [pageProxyID=6404, webPageID=6405, PID=15040] WebPageProxy::dispatchProcessDidTerminate: reason=Crash C:\BW\work\build\Source\WebKit\UIProcess/WebPageProxy.cpp(11098) : void WebKit::WebPageProxy::dispatchProcessDidTerminate(WebProcessProxy &, ProcessTerminationReason) WebProcess terminated (pid 15040) for reason: crash 2107710 1 fujii 2025-03-31 22:04:27 -0700 This is reproducible with the following command and Windows Debug builds: > python ./Tools/Scripts/run-webkit-tests --debug --no-retry imported/w3c/web-platform-tests/trusted-types/ --iter=100 -f Unexpected flakiness: crashes (2) imported/w3c/web-platform-tests/trusted-types/TrustedTypePolicyFactory-getAttributeType.html [ Crash Pass ] imported/w3c/web-platform-tests/trusted-types/default-policy-callback-arguments.html [ Crash Pass ] 2108074 2 fujii 2025-04-01 21:38:10 -0700 Hi Luke and Ryosuke, Looking though the `WebCore/bindings/js` directory, only `JSTrustedTypePolicy::visitAdditionalChildren` does ref-ing in `visitAdditionalChildren`. https://github.com/WebKit/WebKit/blob/aa298b6b8f4a74ac6c71d9c46de51c5ee18a1794/Source/WebCore/bindings/js/JSTrustedTypePolicyCustom.cpp#L41-L43 Is this code correct? Or, CreateHTMLCallback has to be a ThreadSafeRefCounted? 2108081 3 rniwa 2025-04-01 22:43:20 -0700 Oh, looks like this code manually grabs a lock and synchronizes with the main thread? So that should be safe in terms of ref() but the code is definitely not thread safe for deref(). It can corrupt refCount. 2108082 4 webkit-bug-importer 2025-04-01 22:43:33 -0700 <rdar://problem/148400517> 2108253 5 rniwa 2025-04-02 12:14:13 -0700 Pull request: https://github.com/apple/WebKit/pull/2946 2108254 6 474808 rniwa 2025-04-02 12:14:49 -0700 Created attachment 474808 Patch 2108368 7 rniwa 2025-04-02 17:17:42 -0700 Actually, nobody seems to have shipped trusted types yet so we can fix this in main. 2108370 8 rniwa 2025-04-02 17:20:49 -0700 Pull request: https://github.com/WebKit/WebKit/pull/43502 2108432 9 ews-feeder 2025-04-02 22:44:36 -0700 Committed 293145@main (59b9ac30c4c6): <https://commits.webkit.org/293145@main> Reviewed commits have been landed. Closing PR #43502 and removing active labels. 2109437 10 ews-feeder 2025-04-07 09:48:56 -0700 Committed 289651.401@safari-7621-branch (55899a8ab0b3): <https://commits.webkit.org/289651.401@safari-7621-branch> Reviewed commits have been landed. Closing PR #2960 and removing active labels. 474808 2025-04-02 12:14:49 -0700 2025-04-02 12:14:49 -0700 Patch trusted-types-callbacks.patch text/plain 2479 rniwa RnJvbSBjNmFiOTJjYzkzZDBkNDM3YjQxM2IxODJjN2EwMjE1MWNjODhhNGE3IE1vbiBTZXAgMTcg MDA6MDA6MDAgMjAwMQpGcm9tOiBSeW9zdWtlIE5pd2EgPHJuaXdhQHdlYmtpdC5vcmc+CkRhdGU6 IFdlZCwgMiBBcHIgMjAyNSAxMjowNzoxMyAtMDcwMApTdWJqZWN0OiBbUEFUQ0hdIEFTU0VSVElP TiBGQUlMRUQ6IFVuc2FmZSB0byByZWYvZGVyZWYgZnJvbSBkaWZmZXJlbnQgdGhyZWFkcwogOiBt X2lzT3duZWRCeU1haW5UaHJlYWQgPT0gaXNNYWluVGhyZWFkKCkgOiAgdW5kZXIKIFdlYkNvcmU6 OkpTVHJ1c3RlZFR5cGVQb2xpY3k6OnZpc2l0QWRkaXRpb25hbENoaWxkcmVuPEpTQzo6U2xvdFZp c2l0b3I+CiBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MjkwODI2IHJk YXI6Ly8xNDg0MDA1MTcKClJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgoKVXNlIFRocmVhZFNh ZmVSZWZDb3VudGVkIGluIHRoZXNlIGNhbGxiYWNrcy4KCiogU291cmNlL1dlYkNvcmUvZG9tL0Ny ZWF0ZUhUTUxDYWxsYmFjay5oOgoqIFNvdXJjZS9XZWJDb3JlL2RvbS9DcmVhdGVTY3JpcHRDYWxs YmFjay5oOgoqIFNvdXJjZS9XZWJDb3JlL2RvbS9DcmVhdGVTY3JpcHRVUkxDYWxsYmFjay5oOgot LS0KIFNvdXJjZS9XZWJDb3JlL2RvbS9DcmVhdGVIVE1MQ2FsbGJhY2suaCAgICAgIHwgMiArLQog U291cmNlL1dlYkNvcmUvZG9tL0NyZWF0ZVNjcmlwdENhbGxiYWNrLmggICAgfCAyICstCiBTb3Vy Y2UvV2ViQ29yZS9kb20vQ3JlYXRlU2NyaXB0VVJMQ2FsbGJhY2suaCB8IDIgKy0KIDMgZmlsZXMg Y2hhbmdlZCwgMyBpbnNlcnRpb25zKCspLCAzIGRlbGV0aW9ucygtKQoKZGlmZiAtLWdpdCBhL1Nv dXJjZS9XZWJDb3JlL2RvbS9DcmVhdGVIVE1MQ2FsbGJhY2suaCBiL1NvdXJjZS9XZWJDb3JlL2Rv bS9DcmVhdGVIVE1MQ2FsbGJhY2suaAppbmRleCBmOWIwMmI3NTZiNjMuLjg4MTAyY2QxOTAwNSAx MDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvZG9tL0NyZWF0ZUhUTUxDYWxsYmFjay5oCisrKyBi L1NvdXJjZS9XZWJDb3JlL2RvbS9DcmVhdGVIVE1MQ2FsbGJhY2suaApAQCAtMzIsNyArMzIsNyBA QAogCiBuYW1lc3BhY2UgV2ViQ29yZSB7CiAKLWNsYXNzIENyZWF0ZUhUTUxDYWxsYmFjayA6IHB1 YmxpYyBSZWZDb3VudGVkPENyZWF0ZUhUTUxDYWxsYmFjaz4sIHB1YmxpYyBBY3RpdmVET01DYWxs YmFjayB7CitjbGFzcyBDcmVhdGVIVE1MQ2FsbGJhY2sgOiBwdWJsaWMgVGhyZWFkU2FmZVJlZkNv dW50ZWQ8Q3JlYXRlSFRNTENhbGxiYWNrPiwgcHVibGljIEFjdGl2ZURPTUNhbGxiYWNrIHsKIHB1 YmxpYzoKICAgICB1c2luZyBBY3RpdmVET01DYWxsYmFjazo6QWN0aXZlRE9NQ2FsbGJhY2s7CiAK ZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJDb3JlL2RvbS9DcmVhdGVTY3JpcHRDYWxsYmFjay5oIGIv U291cmNlL1dlYkNvcmUvZG9tL0NyZWF0ZVNjcmlwdENhbGxiYWNrLmgKaW5kZXggNmRiNzQwZWIx NDY4Li5kYTc3ZTI0NGNmZTcgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJDb3JlL2RvbS9DcmVhdGVT Y3JpcHRDYWxsYmFjay5oCisrKyBiL1NvdXJjZS9XZWJDb3JlL2RvbS9DcmVhdGVTY3JpcHRDYWxs YmFjay5oCkBAIC0zMiw3ICszMiw3IEBACiAKIG5hbWVzcGFjZSBXZWJDb3JlIHsKIAotY2xhc3Mg Q3JlYXRlU2NyaXB0Q2FsbGJhY2sgOiBwdWJsaWMgUmVmQ291bnRlZDxDcmVhdGVTY3JpcHRDYWxs YmFjaz4sIHB1YmxpYyBBY3RpdmVET01DYWxsYmFjayB7CitjbGFzcyBDcmVhdGVTY3JpcHRDYWxs YmFjayA6IHB1YmxpYyBUaHJlYWRTYWZlUmVmQ291bnRlZDxDcmVhdGVTY3JpcHRDYWxsYmFjaz4s IHB1YmxpYyBBY3RpdmVET01DYWxsYmFjayB7CiBwdWJsaWM6CiAgICAgdXNpbmcgQWN0aXZlRE9N Q2FsbGJhY2s6OkFjdGl2ZURPTUNhbGxiYWNrOwogCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29y ZS9kb20vQ3JlYXRlU2NyaXB0VVJMQ2FsbGJhY2suaCBiL1NvdXJjZS9XZWJDb3JlL2RvbS9DcmVh dGVTY3JpcHRVUkxDYWxsYmFjay5oCmluZGV4IGE1NmQ1YWVhNTAxMS4uOTc4Y2JmZGQwMDRhIDEw MDY0NAotLS0gYS9Tb3VyY2UvV2ViQ29yZS9kb20vQ3JlYXRlU2NyaXB0VVJMQ2FsbGJhY2suaAor KysgYi9Tb3VyY2UvV2ViQ29yZS9kb20vQ3JlYXRlU2NyaXB0VVJMQ2FsbGJhY2suaApAQCAtMzIs NyArMzIsNyBAQAogCiBuYW1lc3BhY2UgV2ViQ29yZSB7CiAKLWNsYXNzIENyZWF0ZVNjcmlwdFVS TENhbGxiYWNrIDogcHVibGljIFJlZkNvdW50ZWQ8Q3JlYXRlU2NyaXB0VVJMQ2FsbGJhY2s+LCBw dWJsaWMgQWN0aXZlRE9NQ2FsbGJhY2sgeworY2xhc3MgQ3JlYXRlU2NyaXB0VVJMQ2FsbGJhY2sg OiBwdWJsaWMgVGhyZWFkU2FmZVJlZkNvdW50ZWQ8Q3JlYXRlU2NyaXB0VVJMQ2FsbGJhY2s+LCBw dWJsaWMgQWN0aXZlRE9NQ2FsbGJhY2sgewogcHVibGljOgogICAgIHVzaW5nIEFjdGl2ZURPTUNh bGxiYWNrOjpBY3RpdmVET01DYWxsYmFjazsKIA==