Bug 137311

Summary: media/video-fullscreeen-only-playback.html sometimes crashes in TreeShared::ref()
Product: WebKit Reporter: Beth Dakin <bdakin>
Component: MediaAssignee: Peng Liu <peng.liu6>
Status: RESOLVED DUPLICATE    
Severity: Normal CC: aboya, ap, bdakin, eric.carlson, jer.noble, peng.liu6, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   

Beth Dakin
Reported 2014-10-01 13:50:04 PDT
media/video-fullscreeen-only-playback.html has been intermittently asserting on the debug bots. The crash seems kind of bad. The assertion that is failing is: ASSERT(!m_inRemovedLastRefFunction); Process: com.apple.WebKit.WebContent.Development [18909] Path: /Volumes/VOLUME/*/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.Development.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development Identifier: com.apple.WebKit.WebContent.Development Version: 601+ (601.1.1+) Code Type: X86-64 (Native) Parent Process: ??? [1] Responsible: com.apple.WebKit.WebContent.Development [18909] User ID: 501 Date/Time: 2014-10-01 10:12:41.972 -0700 OS Version: Mac OS X 10.9.4 (13E28) Report Version: 11 Anonymous UUID: 15CE1938-3EF8-12B1-337A-3F91683D9720 Crashed Thread: 0 Dispatch queue: com.apple.main-thread Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x00000000bbadbeef VM Regions Near 0xbbadbeef: --> __TEXT 000000010ecc7000-000000010ecc9000 [ 8K] r-x/rwx SM=COW /Volumes/VOLUME/*/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.Development.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development Application Specific Information: CRASHING TEST:media/video-fullscreeen-only-playback.html Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.JavaScriptCore 0x0000000115bd5d6a WTFCrash + 42 (Assertions.cpp:321) 1 com.apple.WebCore 0x0000000117096b22 WebCore::TreeShared<WebCore::Node>::ref() + 178 (TreeShared.h:64) 2 com.apple.WebCore 0x00000001170a104d WTF::Ref<WebCore::Document>::Ref(WebCore::Document&) + 45 (Ref.h:39) 3 com.apple.WebCore 0x000000011708203d WTF::Ref<WebCore::Document>::Ref(WebCore::Document&) + 29 (Ref.h:39) 4 com.apple.WebCore 0x00000001172ec34d WebCore::ChildNodeInsertionNotifier::notify(WebCore::Node&) + 125 (ContainerNodeAlgorithms.h:224) 5 com.apple.WebCore 0x0000000117774017 WebCore::Element::addShadowRoot(WTF::PassRefPtr<WebCore::ShadowRoot>) + 247 (Element.cpp:1455) 6 com.apple.WebCore 0x0000000117774115 WebCore::Element::ensureUserAgentShadowRoot() + 85 (Element.cpp:1506) 7 com.apple.WebCore 0x0000000117ad41ab WebCore::HTMLMediaElement::configureMediaControls() + 75 (HTMLMediaElement.cpp:5189) 8 com.apple.WebCore 0x0000000117ad54f4 WebCore::HTMLMediaElement::prepareForLoad() + 900 (HTMLMediaElement.cpp:978) 9 com.apple.WebCore 0x0000000117ad40e3 WebCore::HTMLMediaElement::scheduleDelayedAction(WebCore::HTMLMediaElement::DelayedActionType) + 115 (HTMLMediaElement.cpp:722) 10 com.apple.WebCore 0x0000000117ae0bac WebCore::HTMLMediaElement::pauseInternal() + 188 (HTMLMediaElement.cpp:2799) 11 com.apple.WebCore 0x0000000117ae0ae5 WebCore::HTMLMediaElement::pause() + 117 (HTMLMediaElement.cpp:2776) 12 com.apple.WebCore 0x0000000117ad4ce0 WebCore::HTMLMediaElement::removedFrom(WebCore::ContainerNode&) + 192 (HTMLMediaElement.cpp:681) 13 com.apple.WebCore 0x00000001172f1ddb WebCore::ChildNodeRemovalNotifier::notifyNodeRemovedFromDocument(WebCore::Node&) + 107 (ContainerNodeAlgorithms.h:242) 14 com.apple.WebCore 0x00000001172f2c8e WebCore::ChildNodeRemovalNotifier::notifyDescendantRemovedFromDocument(WebCore::ContainerNode&) + 190 (ContainerNodeAlgorithms.cpp:72) 15 com.apple.WebCore 0x00000001172f1e06 WebCore::ChildNodeRemovalNotifier::notifyNodeRemovedFromDocument(WebCore::Node&) + 150 (ContainerNodeAlgorithms.h:244) 16 com.apple.WebCore 0x00000001172f2c8e WebCore::ChildNodeRemovalNotifier::notifyDescendantRemovedFromDocument(WebCore::ContainerNode&) + 190 (ContainerNodeAlgorithms.cpp:72) 17 com.apple.WebCore 0x00000001172f1e06 WebCore::ChildNodeRemovalNotifier::notifyNodeRemovedFromDocument(WebCore::Node&) + 150 (ContainerNodeAlgorithms.h:244) 18 com.apple.WebCore 0x00000001172ec64b WebCore::ChildNodeRemovalNotifier::notify(WebCore::Node&) + 59 (ContainerNodeAlgorithms.h:259) 19 com.apple.WebCore 0x00000001172ef4c4 WebCore::Private::NodeRemovalDispatcher<WebCore::Node, WebCore::ContainerNode, true>::dispatch(WebCore::Node&, WebCore::ContainerNode&) + 116 (ContainerNodeAlgorithms.h:146) 20 com.apple.WebCore 0x00000001172ef40f void WebCore::Private::addChildNodesToDeletionQueue<WebCore::Node, WebCore::ContainerNode>(WebCore::Node*&, WebCore::Node*&, WebCore::ContainerNode&) + 335 (ContainerNodeAlgorithms.h:188) 21 com.apple.WebCore 0x00000001172ebef0 void WebCore::removeDetachedChildrenInContainer<WebCore::Node, WebCore::ContainerNode>(WebCore::ContainerNode&) + 48 (ContainerNodeAlgorithms.h:94) 22 com.apple.WebCore 0x00000001172e77ae WebCore::ContainerNode::removeDetachedChildren() + 110 (ContainerNode.cpp:96) 23 com.apple.WebCore 0x00000001175cae2c WebCore::Document::removedLastRef() + 428 (Document.cpp:671) 24 com.apple.WebCore 0x000000011858aba7 WebCore::Node::removedLastRef() + 55 (Node.cpp:2203) 25 com.apple.WebCore 0x00000001170969b4 WebCore::TreeShared<WebCore::Node>::deref() + 372 (TreeShared.h:83) 26 com.apple.WebCore 0x0000000117ffc6c6 WebCore::JSNode::releaseImpl() + 38 (JSNode.h:68) 27 com.apple.WebCore 0x0000000118132039 WebCore::JSNodeOwner::finalize(JSC::Handle<JSC::Unknown>, void*) + 105 (JSNode.cpp:911) 28 com.apple.JavaScriptCore 0x0000000115b900dd JSC::WeakBlock::finalize(JSC::WeakImpl*) + 189 (WeakSetInlines.h:53) 29 com.apple.JavaScriptCore 0x0000000115b8fa5e JSC::WeakBlock::sweep() + 158 (WeakBlock.cpp:77) 30 com.apple.JavaScriptCore 0x0000000115b95730 JSC::WeakSet::sweep() + 64 (WeakSet.cpp:47) 31 com.apple.JavaScriptCore 0x00000001159cd46d JSC::MarkedBlock::sweep(JSC::MarkedBlock::SweepMode) + 109 (MarkedBlock.cpp:118) 32 com.apple.JavaScriptCore 0x00000001159cc9de JSC::MarkedAllocator::tryAllocateHelper(unsigned long) + 270 (MarkedAllocator.cpp:80) 33 com.apple.JavaScriptCore 0x00000001159caf82 JSC::MarkedAllocator::tryAllocate(unsigned long) + 114 (MarkedAllocator.cpp:129) 34 com.apple.JavaScriptCore 0x00000001159ca86e JSC::MarkedAllocator::allocateSlowCase(unsigned long) + 254 (MarkedAllocator.cpp:171) 35 com.apple.WebCore 0x000000011703b7e1 JSC::MarkedAllocator::allocate(unsigned long) + 81 (MarkedAllocator.h:95) 36 com.apple.WebCore 0x000000011703bb39 JSC::MarkedSpace::allocateWithNormalDestructor(unsigned long) + 41 (MarkedSpace.h:251) 37 com.apple.WebCore 0x000000011703bb06 JSC::Heap::allocateWithNormalDestructor(unsigned long) + 118 (HeapInlines.h:187) 38 com.apple.WebCore 0x0000000117fc24e7 void* JSC::allocateCell<WebCore::JSEvent>(JSC::Heap&, unsigned long) + 151 (JSCellInlines.h:135) 39 com.apple.WebCore 0x0000000117fc243f void* JSC::allocateCell<WebCore::JSEvent>(JSC::Heap&) + 31 (JSCellInlines.h:149) 40 com.apple.WebCore 0x0000000117fc228e WebCore::JSEvent::create(JSC::Structure*, WebCore::JSDOMGlobalObject*, WTF::PassRefPtr<WebCore::Event>) + 46 (JSEvent.h:36) 41 com.apple.WebCore 0x0000000117fb3ba6 WebCore::JSDOMWrapper* WebCore::createWrapper<WebCore::JSEvent, WebCore::Event>(WebCore::JSDOMGlobalObject*, WebCore::Event*) + 214 (JSDOMBinding.h:219) 42 com.apple.WebCore 0x0000000117fb2d99 WebCore::toJS(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WebCore::Event*) + 457 (JSEventCustom.cpp:68) 43 com.apple.WebCore 0x0000000117fc6e36 WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) + 774 (JSEventListener.cpp:114) 44 com.apple.WebCore 0x00000001177cb72b WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul, WTF::CrashOnOverflow>&) + 1499 (EventTarget.cpp:247) 45 com.apple.WebCore 0x00000001177caffe WebCore::EventTarget::fireEventListeners(WebCore::Event*) + 334 (EventTarget.cpp:197) 46 com.apple.WebCore 0x0000000118589ecc WebCore::Node::handleLocalEvents(WebCore::Event&) + 156 (Node.cpp:2024) 47 com.apple.WebCore 0x0000000117797931 WebCore::EventContext::handleLocalEvents(WebCore::Event&) const + 177 (EventContext.cpp:55) 48 com.apple.WebCore 0x0000000117798f44 WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&, WebCore::WindowEventContext&) + 356 (EventDispatcher.cpp:306) 49 com.apple.WebCore 0x000000011779897f WebCore::EventDispatcher::dispatchEvent(WebCore::Node*, WTF::PassRefPtr<WebCore::Event>) + 815 (EventDispatcher.cpp:363) 50 com.apple.WebCore 0x0000000118589f4d WebCore::Node::dispatchEvent(WTF::PassRefPtr<WebCore::Event>) + 45 (Node.cpp:2038) 51 com.apple.WebCore 0x000000011799c651 WebCore::GenericEventQueue::timerFired(WebCore::Timer<WebCore::GenericEventQueue>&) + 417 (GenericEventQueue.cpp:72) 52 com.apple.WebCore 0x000000011799e49e std::__1::__function::__func<std::__1::__bind<void (WebCore::GenericEventQueue::*&)(WebCore::Timer<WebCore::GenericEventQueue>&), WebCore::GenericEventQueue*&, std::__1::reference_wrapper<WebCore::Timer<WebCore::GenericEventQueue> > >, std::__1::allocator<std::__1::__bind<void (WebCore::GenericEventQueue::*&)(WebCore::Timer<WebCore::GenericEventQueue>&), WebCore::GenericEventQueue*&, std::__1::reference_wrapper<WebCore::Timer<WebCore::GenericEventQueue> > > >, void ()>::operator()() + 350 (functional:1370) 53 com.apple.WebCore 0x00000001170acffa std::__1::function<void ()>::operator()() const + 26 (functional:1755) 54 com.apple.WebCore 0x000000011799cf0c WebCore::Timer<WebCore::GenericEventQueue>::fired() + 28 (Timer.h:134) 55 com.apple.WebCore 0x0000000118e6794c WebCore::ThreadTimers::sharedTimerFiredInternal() + 396 (ThreadTimers.cpp:135) 56 com.apple.WebCore 0x0000000118e67609 WebCore::ThreadTimers::sharedTimerFired() + 25 (ThreadTimers.cpp:108) 57 com.apple.WebCore 0x0000000118b70f2f WebCore::timerFired(__CFRunLoopTimer*, void*) + 31 (SharedTimerMac.mm:125) 58 com.apple.CoreFoundation 0x00007fff933cb3e4 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20 59 com.apple.CoreFoundation 0x00007fff933caf1f __CFRunLoopDoTimer + 1151 60 com.apple.CoreFoundation 0x00007fff9343c5aa __CFRunLoopDoTimers + 298 61 com.apple.CoreFoundation 0x00007fff933866a5 __CFRunLoopRun + 1525 62 com.apple.CoreFoundation 0x00007fff93385e75 CFRunLoopRunSpecific + 309 63 com.apple.HIToolbox 0x00007fff9ae36a0d RunCurrentEventLoopInMode + 226 64 com.apple.HIToolbox 0x00007fff9ae367b7 ReceiveNextEventCommon + 479 65 com.apple.HIToolbox 0x00007fff9ae365bc _BlockUntilNextEventMatchingListInModeWithFilter + 65 66 com.apple.AppKit 0x00007fff96b8224e _DPSNextEvent + 1434 67 com.apple.AppKit 0x00007fff96b8189b -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 122 68 com.apple.AppKit 0x00007fff96b7599c -[NSApplication run] + 553 69 com.apple.AppKit 0x00007fff96b60783 NSApplicationMain + 940 70 com.apple.XPCService 0x00007fff8d84cc0f _xpc_main + 385 71 libxpc.dylib 0x00007fff98e96bde xpc_main + 399 72 com.apple.WebKit.WebContent.Development 0x000000010ecc8135 main + 37 73 libdyld.dylib 0x00007fff993595fd start + 1
Attachments
Add attachment proposed patch, testcase, etc.
Beth Dakin
Comment 1 2014-10-01 14:03:02 PDT
I marked this test as crash-flaky in http://trac.webkit.org/changeset/174169
Alexey Proskuryakov
Comment 2 2014-10-01 14:38:15 PDT
HTMLMediaElement re-adds itself while being removed, this seems quite bad.
Alicia Boya GarcĂ­a
Comment 3 2019-01-30 13:34:42 PST
Four years later, the crash is not visible in the flakiness dashboard, but the test is not passing either. It times out in Mac and GTK and fails on iOS, which makes me wonder to what extent the tested feature is useful.
Radar WebKit Bug Importer
Comment 4 2020-05-09 16:13:43 PDT
<rdar://problem/63057680>
Peng Liu
Comment 5 2020-05-11 14:17:38 PDT
*** This bug has been marked as a duplicate of bug 211645 ***
Note You need to log in before you can comment on or make changes to this bug.