Bug 123029

Summary: platform/mac/editing/attributed-string tests all flakily assert
Product: WebKit Reporter: Alexey Proskuryakov <ap>
Component: WebCore Misc.Assignee: Nobody <webkit-unassigned>
Status: NEW ---    
Severity: Normal CC: darin, ggaren, mhahnenberg, rniwa, simon.fraser, thorton
Priority: P2 Keywords: InRadar, LayoutTestFailure
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   

Description Alexey Proskuryakov 2013-10-18 10:56:34 PDT
This is an extremely common assertion on bots.

http://webkit-test-results.appspot.com/dashboards/flakiness_dashboard.html#tests=attributed-string

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore      	0x0000000104ee85ca WTFCrash + 42 (Assertions.cpp:342)
1   com.apple.WebCore             	0x0000000106881ca3 JSC::Bindings::Instance::createRuntimeObject(JSC::ExecState*) + 163 (BridgeJSC.cpp:74)
2   com.apple.WebCore             	0x000000010795da73 JSC::Bindings::convertObjcValueToValue(JSC::ExecState*, void*, JSC::Bindings::ObjcValueType, JSC::Bindings::RootObject*) + 1571 (objc_utility.mm:202)
3   com.apple.WebCore             	0x0000000107959864 JSC::Bindings::ObjcInstance::invokeObjcMethod(JSC::ExecState*, JSC::Bindings::ObjcMethod*) + 2356 (objc_instance.mm:343)
4   com.apple.WebCore             	0x0000000107958f08 JSC::Bindings::ObjcInstance::invokeMethod(JSC::ExecState*, JSC::RuntimeMethod*) + 312 (objc_instance.mm:233)
5   com.apple.WebCore             	0x0000000107d44e67 JSC::callRuntimeMethod(JSC::ExecState*) + 503 (runtime_method.cpp:100)
6   com.apple.JavaScriptCore      	0x0000000104d571c2 JSC::LLInt::handleHostCall(JSC::ExecState*, JSC::Instruction*, JSC::JSValue, JSC::CodeSpecializationKind) + 306 (LLIntSlowPaths.cpp:960)
7   com.apple.JavaScriptCore      	0x0000000104d57f9c JSC::LLInt::setUpCall(JSC::ExecState*, JSC::Instruction*, JSC::CodeSpecializationKind, JSC::JSValue, JSC::LLIntCallLinkInfo*) + 92 (LLIntSlowPaths.cpp:1004)
Comment 1 Alexey Proskuryakov 2013-10-19 21:57:12 PDT
<rdar://problem/15196388>
Comment 2 Alexey Proskuryakov 2013-10-19 22:04:25 PDT
It was very difficult for me to reproduce this locally. I managed to hit it once with

run-webkit-tests platform/mac/editing/attributed-string/ --iter 1000 -v -gf
Comment 3 Ryosuke Niwa 2013-10-19 22:41:53 PDT
This isn't this the same assertion we're hitting on other layout tests?
Comment 4 Alexey Proskuryakov 2013-10-19 23:01:29 PDT
I don't know which assertion you have in mind, but the answer is likely no. It's only a small subset of tests that have a code path through ObjcInstance::invokeMethod.
Comment 7 Tim Horton 2013-11-14 19:04:17 PST
And still!
Comment 8 Alexey Proskuryakov 2013-12-19 10:01:53 PST
Looks like there are at least two problems here:

- Somehow, s_instanceWrapperCache contains an entry with an invalidated root object, which makes no sense.

- The cache should not be global, because Objective C instances can be used in multiple pages at once, and they need separate ObjcInstances then.

Both are pretty bad bugs I think.


This was failing extremely frequently lately - most of the time, multiple bots were red because of this issue alone. Marked as flakily crashing in debug in <http://trac.webkit.org/r160840>.
Comment 9 Ryosuke Niwa 2013-12-19 10:51:37 PST
Looks like this is a bug in Objective-C binding code?
Comment 10 Darin Adler 2013-12-19 11:05:23 PST
This lurked for four years before we noticed!?
Comment 11 Alexey Proskuryakov 2013-12-19 11:19:06 PST
Yes, it appears so.

These attributed string tests were added this August, and I guess we didn't cover this aspect of Objective-C bindings in tests before. Also, these crashes became more frequent over the last few months, presumably because of some timing differences in loading, GC, or just different hardware on bots.
Comment 12 Alexey Proskuryakov 2014-04-15 16:09:51 PDT
platform/mac/plugins/jsobjc-simple.html is affected too.