Bug 120315

Summary: REGRESSION (r154581): Some plugin tests failing in debug bots
Product: WebKit Reporter: Antti Koivisto <koivisto>
Component: DOM
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: commit-queue, esprehn+autocc, kangil.han
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
patch darin: review+

Antti Koivisto
Reported 2013-08-26 10:04:57 PDT
+plugins/destroy-stream-twice.html crash log sample
+plugins/change-widget-and-click-crash.html crash log sample
+plugins/js-from-destroy.html crash log sample

We are hitting the new no-event-dispatch-while-iterating assertion.

Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00000000bbadbeef

VM Regions Near 0xbbadbeef:
--> __TEXT 000000010e6e1000-000000010e6e2000 [ 4K] r-x/rwx SM=COW /Volumes/VOLUME/*/WebKit2.framework/WebProcess.app/Contents/MacOS/WebProcess

Application Specific Information:
CRASHING TEST: plugins/destroy-reentry.html

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.JavaScriptCore 0x000000011041cc2a WTFCrash + 42 (Assertions.cpp:342)
1 com.apple.WebCore 0x000000011141f0b5 WebCore::dispatchChildRemovalEvents(WebCore::Node*) + 117 (ContainerNode.cpp:1022)
2 com.apple.WebCore 0x000000011141d1b8 WebCore::willRemoveChild(WebCore::Node*) + 152 (ContainerNode.cpp:472)
3 com.apple.WebCore 0x000000011141cf52 WebCore::ContainerNode::removeChild(WebCore::Node*, int&) + 434 (ContainerNode.cpp:539)
4 com.apple.WebCore 0x0000000112358458 WebCore::Node::removeChild(WebCore::Node*, int&) + 88 (Node.cpp:497)
5 com.apple.WebCore 0x0000000111fcc8ef WebCore::JSNode::removeChild(JSC::ExecState*) + 95 (JSNodeCustom.cpp:168)
6 com.apple.WebCore 0x0000000111fc8fe5 WebCore::jsNodePrototypeFunctionRemoveChild(JSC::ExecState*) + 357 (JSNode.cpp:471)
7 ??? 0x0000340977801045 0 + 57215264231493
8 com.apple.JavaScriptCore 0x00000001101b9dd7 JSC::JITCode::execute(JSC::JSStack*, JSC::ExecState*, JSC::VM*) + 71 (JITCode.cpp:46)
9 com.apple.JavaScriptCore 0x000000011019cd18 JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) + 4408 (Interpreter.cpp:849)
10 com.apple.JavaScriptCore 0x000000010ff757c1 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*) + 497 (Completion.cpp:83)
11 com.apple.WebKit2 0x000000010e8e5714 WebKit::NPRuntimeObjectMap::evaluate(NPObject*, WTF::String const&, _NPVariant*) + 484 (SourceCode.h:116)
12 com.apple.WebKit2 0x000000010e96c1b2 WebKit::PluginView::evaluate(NPObject*, WTF::String const&, _NPVariant*, bool) + 178 (PluginView.cpp:1397)
13 com.apple.WebKit2 0x000000010e96c23b non-virtual thunk to WebKit::PluginView::evaluate(NPObject*, WTF::String const&, _NPVariant*, bool) + 91 (PluginView.cpp:1398)
14 com.apple.WebKit2 0x000000010e95a859 WebKit::PluginProxy::evaluate(WebKit::NPVariantData const&, WTF::String const&, bool, bool&, WebKit::NPVariantData&) + 249 (PluginProxy.cpp:648)
15 com.apple.WebKit2 0x000000010e9633c6 void CoreIPC::callMemberFunction<WebKit::PluginProxy, void (WebKit::PluginProxy::*)(WebKit::NPVariantData const&, WTF::String const&, bool, bool&, WebKit::NPVariantData&), WebKit::NPVariantData, WTF::String, bool, bool, WebKit::NPVariantData>(CoreIPC::Arguments3<WebKit::NPVariantData, WTF::String, bool> const&, CoreIPC::Arguments2<bool, WebKit::NPVariantData>&, WebKit::PluginProxy*, void (WebKit::PluginProxy::*)(WebKit::NPVariantData const&, WTF::String const&, bool, bool&, WebKit::NPVariantData&)) + 214 (HandleMessage.h:150)
16 com.apple.WebKit2 0x000000010e962e6e void CoreIPC::handleMessage<Messages::PluginProxy::Evaluate, WebKit::PluginProxy, void (WebKit::PluginProxy::*)(WebKit::NPVariantData const&, WTF::String const&, bool, bool&, WebKit::NPVariantData&)>(CoreIPC::MessageDecoder&, CoreIPC::MessageEncoder&, WebKit::PluginProxy*, void (WebKit::PluginProxy::*)(WebKit::NPVariantData const&, WTF::String const&, bool, bool&, WebKit::NPVariantData&)) + 190 (HandleMessage.h:387)
17 com.apple.WebKit2 0x000000010e96232c WebKit::PluginProxy::didReceiveSyncPluginProxyMessage(CoreIPC::Connection*, CoreIPC::MessageDecoder&, WTF::OwnPtr<CoreIPC::MessageEncoder>&) + 940 (PluginProxyMessageReceiver.cpp:118)
18 com.apple.WebKit2 0x000000010e939aed WebKit::PluginProcessConnection::didReceiveSyncMessage(CoreIPC::Connection*, CoreIPC::MessageDecoder&, WTF::OwnPtr<CoreIPC::MessageEncoder>&) + 269 (PluginProcessConnection.cpp:121)
19 com.apple.WebKit2 0x000000010e7bbf45 CoreIPC::Connection::dispatchSyncMessage(CoreIPC::MessageDecoder&) + 277 (Connection.cpp:757)
20 com.apple.WebKit2 0x000000010e7b8420 CoreIPC::Connection::dispatchMessage(WTF::PassOwnPtr<CoreIPC::MessageDecoder>) + 192 (Connection.cpp:814)
21 com.apple.WebKit2 0x000000010e7b82e1 CoreIPC::Connection::SyncMessageState::dispatchMessages(CoreIPC::Connection*) + 321 (Connection.cpp:188)
22 com.apple.WebKit2 0x000000010e7ba78c CoreIPC::Connection::waitForSyncReply(unsigned long long, double, unsigned int) + 172 (Connection.cpp:537)
23 com.apple.WebKit2 0x000000010e7ba250 CoreIPC::Connection::sendSyncMessage(unsigned long long, WTF::PassOwnPtr<CoreIPC::MessageEncoder>, double, unsigned int) + 592 (Connection.cpp:472)
24 com.apple.WebKit2 0x000000010e95b51b bool CoreIPC::Connection::sendSync<Messages::WebProcessConnection::DestroyPlugin>(Messages::WebProcessConnection::DestroyPlugin const&, Messages::WebProcessConnection::DestroyPlugin::Reply const&, unsigned long long, double, unsigned int) + 267 (Connection.h:379)
25 com.apple.WebKit2 0x000000010e958899 WebKit::PluginProxy::destroy() + 169 (PluginProxy.cpp:202)
26 com.apple.WebKit2 0x000000010e91abda WebKit::Plugin::destroyPlugin() + 26 (Plugin.cpp:102)
27 com.apple.WebKit2 0x000000010e96701a WebKit::PluginView::destroyPluginAndReset() + 234 (PluginView.cpp:328)
28 com.apple.WebKit2 0x000000010e966d45 WebKit::PluginView::~PluginView() + 245 (PluginView.cpp:312)
29 com.apple.WebKit2 0x000000010e966bb5 WebKit::PluginView::~PluginView() + 21 (PluginView.cpp:317)
30 com.apple.WebKit2 0x000000010e966b89 WebKit::PluginView::~PluginView() + 25 (PluginView.cpp:303)
31 com.apple.WebCore 0x0000000111241b53 WTF::RefCounted<WebCore::Widget>::deref() + 83 (RefCounted.h:196)
32 com.apple.WebCore 0x00000001118337fb void WTF::derefIfNotNull<WebCore::Widget>(WebCore::Widget*) + 59 (PassRefPtr.h:53)
33 com.apple.WebCore 0x00000001118337b8 WTF::RefPtr<WebCore::Widget>::~RefPtr() + 24 (RefPtr.h:62)
34 com.apple.WebCore 0x0000000111833715 WTF::RefPtr<WebCore::Widget>::~RefPtr() + 21 (RefPtr.h:62)
35 com.apple.WebCore 0x000000011272de65 WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*>::~KeyValuePair() + 21 (HashTraits.h:198)
36 com.apple.WebCore 0x000000011272de45 WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*>::~KeyValuePair() + 21 (HashTraits.h:198)
37 com.apple.WebCore 0x000000011272de08 WTF::HashTable<WTF::RefPtr<WebCore::Widget>, WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*>, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*> >, WTF::PtrHash<WTF::RefPtr<WebCore::Widget> >, WTF::KeyValuePairHashTraits<WTF::HashTraits<WTF::RefPtr<WebCore::Widget> >, WTF::HashTraits<WebCore::FrameView*> >, WTF::HashTraits<WTF::RefPtr<WebCore::Widget> > >::deallocateTable(WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*>*, int) + 88 (HashTable.h:1093)
38 com.apple.WebCore 0x000000011272e3b9 WTF::HashTable<WTF::RefPtr<WebCore::Widget>, WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*>, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*> >, WTF::PtrHash<WTF::RefPtr<WebCore::Widget> >, WTF::KeyValuePairHashTraits<WTF::HashTraits<WTF::RefPtr<WebCore::Widget> >, WTF::HashTraits<WebCore::FrameView*> >, WTF::HashTraits<WTF::RefPtr<WebCore::Widget> > >::~HashTable() + 57 (HashTable.h:374)
39 com.apple.WebCore 0x000000011272e375 WTF::HashTable<WTF::RefPtr<WebCore::Widget>, WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*>, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*> >, WTF::PtrHash<WTF::RefPtr<WebCore::Widget> >, WTF::KeyValuePairHashTraits<WTF::HashTraits<WTF::RefPtr<WebCore::Widget> >, WTF::HashTraits<WebCore::FrameView*> >, WTF::HashTraits<WTF::RefPtr<WebCore::Widget> > >::~HashTable() + 21 (HashTable.h:378)
40 com.apple.WebCore 0x000000011272e355 WTF::HashMap<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*, WTF::PtrHash<WTF::RefPtr<WebCore::Widget> >, WTF::HashTraits<WTF::RefPtr<WebCore::Widget> >, WTF::HashTraits<WebCore::FrameView*> >::~HashMap() + 21 (RefPtrHashMap.h:32)
41 com.apple.WebCore 0x0000000112729135 WTF::HashMap<WTF::RefPtr<WebCore::Widget>, WebCore::FrameView*, WTF::PtrHash<WTF::RefPtr<WebCore::Widget> >, WTF::HashTraits<WTF::RefPtr<WebCore::Widget> >, WTF::HashTraits<WebCore::FrameView*> >::~HashMap() + 21 (RefPtrHashMap.h:32)
42 com.apple.WebCore 0x0000000112726e88 WebCore::WidgetHierarchyUpdatesSuspensionScope::moveWidgets() + 408 (RenderWidget.cpp:75)
43 com.apple.WebCore 0x00000001113b5ecc WebCore::WidgetHierarchyUpdatesSuspensionScope::~WidgetHierarchyUpdatesSuspensionScope() + 108 (RenderWidget.h:41)
44 com.apple.WebCore 0x00000001113b3055 WebCore::WidgetHierarchyUpdatesSuspensionScope::~WidgetHierarchyUpdatesSuspensionScope() + 21 (RenderWidget.h:43)
45 com.apple.WebCore 0x00000001113b1bff WebCore::Style::detachRenderTree(WebCore::Element*, WebCore::Style::AttachContext const&) + 287 (StyleResolveTree.cpp:273)
46 com.apple.WebCore 0x000000011169039d WebCore::Document::detach() + 749 (Document.cpp:2083)
47 com.apple.WebCore 0x0000000111690773 WebCore::Document::prepareForDestruction() + 83 (Document.cpp:2117)
48 com.apple.WebCore 0x00000001118fb576 WebCore::Frame::setView(WTF::PassRefPtr<WebCore::FrameView>) + 230 (Frame.cpp:257)
49 com.apple.WebCore 0x00000001118fdbba WebCore::Frame::createView(WebCore::IntSize const&, WebCore::Color const&, bool, WebCore::IntSize const&, WebCore::IntRect const&, bool, WebCore::ScrollbarMode, bool, WebCore::ScrollbarMode, bool) + 346 (Frame.cpp:717)
50 com.apple.WebKit2 0x000000010ea58975 WebKit::WebFrameLoaderClient::transitionToCommittedForNewPage() + 533 (WebFrameLoaderClient.cpp:1209)
51 com.apple.WebCore 0x00000001119100ed WebCore::FrameLoader::transitionToCommitted(WTF::PassRefPtr<WebCore::CachedPage>) + 1341 (FrameLoader.cpp:1886)
52 com.apple.WebCore 0x000000011190f477 WebCore::FrameLoader::commitProvisionalLoad() + 1079 (FrameLoader.cpp:1723)
53 com.apple.WebCore 0x00000001116d272c WebCore::DocumentLoader::commitIfReady() + 60 (DocumentLoader.cpp:325)
54 com.apple.WebCore 0x00000001116d4f1c WebCore::DocumentLoader::commitLoad(char const*, int) + 76 (DocumentLoader.cpp:737)
55 com.apple.WebCore 0x00000001116d557b WebCore::DocumentLoader::dataReceived(WebCore::CachedResource*, char const*, int) + 987 (DocumentLoader.cpp:863)
56 com.apple.WebCore 0x0000000111371fa1 WebCore::CachedRawResource::notifyClientsDataWasReceived(char const*, unsigned int) + 161 (CachedRawResource.cpp:110)
57 com.apple.WebCore 0x0000000111371e8e WebCore::CachedRawResource::addDataBuffer(WebCore::ResourceBuffer*) + 206 (CachedRawResource.cpp:67)
58 com.apple.WebCore 0x000000011291e15e WebCore::SubresourceLoader::didReceiveDataOrBuffer(char const*, int, WTF::PassRefPtr<WebCore::SharedBuffer>, long long, WebCore::DataPayloadType) + 478 (SubresourceLoader.cpp:250)
59 com.apple.WebCore 0x000000011291e28b WebCore::SubresourceLoader::didReceiveBuffer(WTF::PassRefPtr<WebCore::SharedBuffer>, long long, WebCore::DataPayloadType) + 75 (SubresourceLoader.cpp:231)
60 com.apple.WebCore 0x0000000112747b0c WebCore::ResourceLoader::didReceiveBuffer(WebCore::ResourceHandle*, WTF::PassRefPtr<WebCore::SharedBuffer>, int) + 140 (ResourceLoader.cpp:482)
61 com.apple.WebCore 0x0000000112b2c879 -[WebCoreResourceHandleAsDelegate connection:didReceiveData:lengthReceived:] + 249 (WebCoreResourceHandleAsDelegate.mm:195)
62 com.apple.Foundation 0x00007fff92a36d88 __65-[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:]_block_invoke_0 + 28
63 com.apple.Foundation 0x00007fff92a36ccc -[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:] + 227
64 com.apple.Foundation 0x00007fff92a36bc8 -[NSURLConnectionInternal _withActiveConnectionAndDelegate:] + 63
65 com.apple.Foundation 0x00007fff92a3977b _NSURLConnectionDidReceiveData_LengthReceived + 86
66 com.apple.CFNetwork 0x00007fff96c78854 ___delegate_didReceiveDataArray_block_invoke_0 + 132
67 com.apple.CFNetwork 0x00007fff96c6b54a ___withDelegateAsync_block_invoke_0 + 90
68 com.apple.CFNetwork 0x00007fff96cfbf3a __block_global_1 + 28
69 com.apple.CoreFoundation 0x00007fff8f56c154 CFArrayApplyFunction + 68
70 com.apple.CFNetwork 0x00007fff96c5c2b4 RunloopBlockContext::perform() + 124
71 com.apple.CFNetwork 0x00007fff96c5c18b MultiplexerSource::perform() + 221
72 com.apple.CoreFoundation 0x00007fff8f54db31 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
73 com.apple.CoreFoundation 0x00007fff8f54d455 __CFRunLoopDoSources0 + 245
74 com.apple.CoreFoundation 0x00007fff8f5707f5 __CFRunLoopRun + 789
75 com.apple.CoreFoundation 0x00007fff8f5700e2 CFRunLoopRunSpecific + 290
76 com.apple.HIToolbox 0x00007fff8e223eb4 RunCurrentEventLoopInMode + 209
77 com.apple.HIToolbox 0x00007fff8e223c52 ReceiveNextEventCommon + 356
78 com.apple.HIToolbox 0x00007fff8e223ae3 BlockUntilNextEventMatchingListInMode + 62
79 com.apple.AppKit 0x00007fff96fea533 _DPSNextEvent + 685
80 com.apple.AppKit 0x00007fff96fe9df2 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
81 com.apple.AppKit 0x00007fff96fe11a3 -[NSApplication run] + 517
82 com.apple.WebCore 0x0000000112776922 WebCore::RunLoop::run() + 114 (RunLoopMac.mm:44)
83 com.apple.WebKit2 0x000000010ea0355c int WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebContentProcessMainDelegate>(int, char**) + 604 (ChildProcessEntryPoint.h:92)
84 com.apple.WebKit2 0x000000010ea032eb WebContentProcessMain + 27 (WebContentProcessMain.mm:179)
85 com.apple.WebProcess 0x000000010e6e1d1d WebKit::BootstrapMain(int, char**) + 381
86 com.apple.WebProcess 0x000000010e6e1b92 main + 34
Attachments
patch (1.89 KB, patch)
2013-08-26 10:09 PDT, Antti Koivisto
darin: review+
Antti Koivisto
Comment 1 2013-08-26 10:09:43 PDT
Darin Adler
Comment 2 2013-08-26 10:12:43 PDT
Comment on attachment 209659 [details]
patch

The iterator is doing it wrong. The DOM modification assertion should not be in the iterator's destructor. Instead it should be in the iterator dereference operator. We don't want to require people to carefully scope iterators just to time the assertion properly, and we don't want to wait to catch the problem until long after it happened, either. The hash table iterators had the same consideration, and that's what we came up with.
Antti Koivisto
Comment 3 2013-08-26 10:28:28 PDT
(In reply to comment #2)
> (From update of attachment 209659 [details])
> The iterator is doing it wrong. The DOM modification assertion should not be in the iterator's destructor. Instead it should be in the iterator dereference operator. We don't want to require people to carefully scope iterators just to time the assertion properly, and we don't want to wait to catch the problem until long after it happened, either. The hash table iterators had the same consideration, and that's what we came up with.

DOM mutations are already tested at use time (and as you mentioned should be tested in more places). The problem here is the no-event-dispatch assertion, which is an object freed in the destructor.
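The design point argued in comments 2 and 3, as an added illustration that is not WebKit's code: a toy child list whose iterator checks for mutation when it is dereferenced rather than when it is destroyed, so misuse fails at the point of use and an iterator that outlives a mutation but is never read again stays silent. ChildList, ChildIterator, StaleIteratorError and walkChildren are invented names, and a thrown exception stands in for the ASSERT so the outcome can be inspected.

```cpp
#include <cstddef>
#include <stdexcept>
#include <string>
#include <vector>
// Toy stand-in for a DOM child list (constructed for this illustration, not WebKit's code).
class ChildList {
public:
    void append(const std::string& name) { names_.push_back(name); ++mutationCount_; }
    void removeFirst() { names_.erase(names_.begin()); ++mutationCount_; }
    std::size_t size() const { return names_.size(); }
    const std::string& at(std::size_t i) const { return names_.at(i); }
    unsigned mutationCount() const { return mutationCount_; }
private:
    std::vector<std::string> names_;
    unsigned mutationCount_ = 0;  // bumped on every structural change
};

// Stands in for the assertion failure so the test can observe it.
struct StaleIteratorError : std::logic_error { StaleIteratorError() : std::logic_error("child list mutated during iteration") {} };

class ChildIterator {
public:
    explicit ChildIterator(const ChildList& list) : list_(list), snapshot_(list.mutationCount()) {}
    bool atEnd() const { return index_ >= list_.size(); }
    void advance() { ++index_; }
    // The check lives in the dereference, not in the destructor: a stale iterator that is
    // never used again is harmless, and one that is used fails exactly where the bug is.
    const std::string& operator*() const {
        if (list_.mutationCount() != snapshot_) throw StaleIteratorError();
        return list_.at(index_);
    }
private:
    const ChildList& list_;
    std::size_t index_ = 0;
    unsigned snapshot_;
};
// Walk the list, removing the first child right after the n-th read (0 = never mutate).
// Returns the names visited, followed by " [stale]" if the use-time check fired.
std::string walkChildren(ChildList& list, std::size_t mutateAfterRead) {
    std::string visited;
    std::size_t reads = 0;
    try {
        for (ChildIterator it(list); !it.atEnd(); it.advance()) {
            visited += *it + ",";
            if (++reads == mutateAfterRead) list.removeFirst();
        }
    } catch (const StaleIteratorError&) {
        visited += " [stale]";
    }
    return visited;
}
```

Mutating after the last read (mutateAfterRead equal to the list size) leaves the iterator stale but unused, so nothing fires; a destructor-timed check would instead fire at scope exit, long after the last valid use.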
Antti Koivisto
Comment 4 2013-08-26 10:45:32 PDT