Bug 153525

Summary: fast/history/page-cache-webdatabase-no-transaction-db.html flakily crashes
Product: WebKit
Reporter: Chris Dumez <cdumez>
Component: Platform
Assignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED
Severity: Normal
CC: andersca, ap, beidson, buildbot, commit-queue, dbates, kling, koivisto, rniwa
Priority: P1
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments:
  Patch (flags: none)
  Archive of layout-test-results from ews115 for mac-yosemite (flags: none)
  Archive of layout-test-results from ews100 for mac-yosemite (flags: none)
  Patch (flags: none)

Description Chris Dumez 2016-01-26 16:36:16 PST
fast/history/page-cache-webdatabase-no-transaction-db.html flakily crashes:
Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x00000000bbadbeef

VM Regions Near 0xbbadbeef:
--> 
    __TEXT                 0000000100067000-0000000100109000 [  648K] r-x/rwx SM=COW  /Volumes/VOLUME/*

Application Specific Information:
CRASHING TEST: fast/history/page-cache-webdatabase-no-transaction-db.html

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore      	0x000000010138ffc7 WTFCrash + 39
1   com.apple.WebCore             	0x0000000106523512 WTF::HashTableConstIterator<WTF::RefPtr<WebCore::Database>, WTF::RefPtr<WebCore::Database>, WTF::IdentityExtractor, WTF::PtrHash<WTF::RefPtr<WebCore::Database> >, WTF::HashTraits<WTF::RefPtr<WebCore::Database> >, WTF::HashTraits<WTF::RefPtr<WebCore::Database> > >::checkValidity() const + 66 (HashTable.h:212)
2   com.apple.WebCore             	0x0000000106523539 WTF::HashTableConstIterator<WTF::RefPtr<WebCore::Database>, WTF::RefPtr<WebCore::Database>, WTF::IdentityExtractor, WTF::PtrHash<WTF::RefPtr<WebCore::Database> >, WTF::HashTraits<WTF::RefPtr<WebCore::Database> >, WTF::HashTraits<WTF::RefPtr<WebCore::Database> > >::operator++() + 25 (HashTable.h:180)
3   com.apple.WebCore             	0x000000010651f359 WTF::HashTableConstIteratorAdapter<WTF::HashTable<WTF::RefPtr<WebCore::Database>, WTF::RefPtr<WebCore::Database>, WTF::IdentityExtractor, WTF::PtrHash<WTF::RefPtr<WebCore::Database> >, WTF::HashTraits<WTF::RefPtr<WebCore::Database> >, WTF::HashTraits<WTF::RefPtr<WebCore::Database> > >, WTF::RefPtr<WebCore::Database> >::operator++() + 25 (HashTable.h:1436)
4   com.apple.WebCore             	0x000000010651ec4e WebCore::DatabaseThread::hasPendingDatabaseActivity() const + 190 (DatabaseThread.cpp:186)
5   com.apple.WebCore             	0x00000001065127b8 WebCore::DatabaseContext::canSuspendForDocumentSuspension() const + 104 (DatabaseContext.cpp:150)
6   com.apple.WebCore             	0x0000000107df45e0 WebCore::ScriptExecutionContext::canSuspendActiveDOMObjectsForDocumentSuspension(WTF::Vector<WebCore::ActiveDOMObject*, 0ul, WTF::CrashOnOverflow, 16ul>*) + 192 (ScriptExecutionContext.cpp:196)
7   com.apple.WebCore             	0x00000001078f257d WebCore::canCacheFrame(WebCore::Frame&, WebCore::DiagnosticLoggingClient&, unsigned int) + 3165 (PageCache.cpp:153)
8   com.apple.WebCore             	0x00000001078efa45 WebCore::canCachePage(WebCore::Page&) + 181 (PageCache.cpp:194)
9   com.apple.WebCore             	0x00000001078ef924 WebCore::PageCache::canCache(WebCore::Page&) const + 164 (PageCache.cpp:288)
10  com.apple.WebCore             	0x00000001078f0955 WebCore::PageCache::addIfCacheable(WebCore::HistoryItem&, WebCore::Page*) + 181 (PageCache.cpp:417)
11  com.apple.WebCore             	0x000000010696c659 WebCore::FrameLoader::commitProvisionalLoad() + 1865 (FrameLoader.cpp:1778)
12  com.apple.WebCore             	0x000000010663f20c WebCore::DocumentLoader::commitIfReady() + 60 (DocumentLoader.cpp:358)
13  com.apple.WebCore             	0x000000010664222c WebCore::DocumentLoader::commitLoad(char const*, int) + 76 (DocumentLoader.cpp:799)
14  com.apple.WebCore             	0x0000000106642733 WebCore::DocumentLoader::dataReceived(WebCore::CachedResource*, char const*, int) + 579 (DocumentLoader.cpp:919)
15  com.apple.WebCore             	0x00000001061c0b61 WebCore::CachedRawResource::notifyClientsDataWasReceived(char const*, unsigned int) + 161 (CachedRawResource.cpp:118)
16  com.apple.WebCore             	0x00000001061c0a0f WebCore::CachedRawResource::addDataBuffer(WebCore::SharedBuffer&) + 191 (CachedRawResource.cpp:70)
17  com.apple.WebCore             	0x00000001080bccbe WebCore::SubresourceLoader::didReceiveDataOrBuffer(char const*, int, WTF::PassRefPtr<WebCore::SharedBuffer>, long long, WebCore::DataPayloadType) + 478 (SubresourceLoader.cpp:300)
18  com.apple.WebCore             	0x00000001080bcde2 WebCore::SubresourceLoader::didReceiveBuffer(WTF::PassRefPtr<WebCore::SharedBuffer>, long long, WebCore::DataPayloadType) + 66 (SubresourceLoader.cpp:281)
19  com.apple.WebCore             	0x0000000107d58a3f WebCore::ResourceLoader::didReceiveBuffer(WebCore::ResourceHandle*, WTF::PassRefPtr<WebCore::SharedBuffer>, int) + 79 (ResourceLoader.cpp:638)
20  com.apple.WebCore             	0x00000001084163df -[WebCoreResourceHandleAsDelegate connection:didReceiveDataArray:] + 303 (WebCoreResourceHandleAsDelegate.mm:197)
21  com.apple.CFNetwork           	0x00007fff879e481d __65-[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:]_block_invoke + 69
22  com.apple.CFNetwork           	0x00007fff879e4681 -[NSURLConnectionInternal _withConnectionAndDelegate:onlyActive:] + 232
23  com.apple.CFNetwork           	0x00007fff879e4587 -[NSURLConnectionInternal _withActiveConnectionAndDelegate:] + 48
24  com.apple.CFNetwork           	0x00007fff87ad8eeb _NSURLConnectionDidReceiveDataArray(_CFURLConnection*, __CFArray const*, void const*) + 82
25  com.apple.CFNetwork           	0x00007fff879e4ea3 ___ZN27URLConnectionClient_Classic29_delegate_didReceiveDataArrayEv_block_invoke + 145
26  com.apple.CFNetwork           	0x00007fff87a994a3 ___ZN27URLConnectionClient_Classic18_withDelegateAsyncEPKcU13block_pointerFvP16_CFURLConnectionPK33CFURLConnectionClientCurrent_VMaxE_block_invoke_2 + 94
27  com.apple.CFNetwork           	0x00007fff87937eec RunloopBlockContext::_invoke_block(void const*, void*) + 72
28  com.apple.CoreFoundation      	0x00007fff8ed0d664 CFArrayApplyFunction + 68
29  com.apple.CFNetwork           	0x00007fff87937dad RunloopBlockContext::perform() + 133
30  com.apple.CFNetwork           	0x00007fff87937b98 MultiplexerSource::perform() + 282
31  com.apple.CFNetwork           	0x00007fff879379ba MultiplexerSource::_perform(void*) + 72
32  com.apple.CoreFoundation      	0x00007fff8ed41a01 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
33  com.apple.CoreFoundation      	0x00007fff8ed33b8d __CFRunLoopDoSources0 + 269
34  com.apple.CoreFoundation      	0x00007fff8ed331bf __CFRunLoopRun + 927
35  com.apple.CoreFoundation      	0x00007fff8ed32bd8 CFRunLoopRunSpecific + 296
36  DumpRenderTree                	0x00000001000870a5 runTest(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) + 6261 (DumpRenderTree.mm:2037)
37  DumpRenderTree                	0x00000001000857ca runTestingServerLoop() + 330 (DumpRenderTree.mm:1188)
38  DumpRenderTree                	0x0000000100084d40 dumpRenderTree(int, char const**) + 448 (DumpRenderTree.mm:1297)
39  DumpRenderTree                	0x00000001000879ad DumpRenderTreeMain(int, char const**) + 125 (DumpRenderTree.mm:1432)
40  DumpRenderTree                	0x00000001000de6c2 main + 34 (DumpRenderTreeMain.mm:32)
41  libdyld.dylib                 	0x00007fff910fe5c9 start + 1

cf. https://build.webkit.org/results/Apple%20Yosemite%20Debug%20WK1%20(Tests)/r195620%20(10325)/fast/history/page-cache-webdatabase-no-transaction-db-crash-log.txt
Comment 1 Chris Dumez 2016-01-26 16:37:32 PST
I think the issue is that DatabaseThread::hasPendingDatabaseActivity() is called from the main thread and accesses m_openDatabaseSet, which is only meant to be accessed from the database thread.

As a result, the database thread can alter m_openDatabaseSet while the main thread is iterating over it.
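The race comment 1 describes, reduced to a stand-alone C++ model. This is an added example, not WebKit's code and not the fix that landed in r195652 (that patch is not shown on this page). Frame 0 of the log is WTFCrash(), which deliberately writes to 0xbbadbeef, so the SIGSEGV is the debug build's HashTable iterator validity check (HashTable.h:212) firing once the table changed under the main thread's traversal; a release build has no such check and the traversal would read from a table the database thread may be rehashing or may already have freed. The class name, the method names, the integer handle with a pending-transaction count standing in for a RefPtr<Database> in a WTF::HashSet, and the fix shown (one mutex held across every mutation and across the whole traversal) are all assumptions made for this example.

```cpp
#include <cstddef>
#include <cstdio>
#include <mutex>
#include <thread>
#include <unordered_map>

// Constructed stand-in for DatabaseThread: it owns a table of open
// databases keyed by an integer handle, each with a count of pending
// transactions. Real WebCore keeps a WTF::HashSet<RefPtr<Database>>;
// the ints and the counter are assumptions made for this example.
class FakeDatabaseThread {
public:
    // Mutators run on the "database thread"; every one takes the lock.
    void databaseOpened(int id) {
        std::lock_guard<std::mutex> lock(m_mutex);
        m_openDatabases.emplace(id, 0);
    }
    void databaseClosed(int id) {
        std::lock_guard<std::mutex> lock(m_mutex);
        m_openDatabases.erase(id);
    }
    void transactionScheduled(int id) {
        std::lock_guard<std::mutex> lock(m_mutex);
        auto it = m_openDatabases.find(id);
        if (it != m_openDatabases.end())
            ++it->second;
    }
    void transactionCompleted(int id) {
        std::lock_guard<std::mutex> lock(m_mutex);
        auto it = m_openDatabases.find(id);
        if (it != m_openDatabases.end() && it->second > 0)
            --it->second;
    }

    // The shape of the bug in comment 1: a main-thread caller walks the
    // container with no synchronization. If the database thread inserts
    // or erases (and the table rehashes) mid-walk, the iterator dangles.
    // Kept only to show the pattern; never call it while another thread
    // can mutate the table.
    bool hasPendingDatabaseActivityRacy() const {
        for (const auto& entry : m_openDatabases) {
            if (entry.second > 0)
                return true;
        }
        return false;
    }

    // One way to fix it: hold the same lock the mutators take for the
    // whole traversal, so the table cannot change underneath the iterator.
    bool hasPendingDatabaseActivity() const {
        std::lock_guard<std::mutex> lock(m_mutex);
        for (const auto& entry : m_openDatabases) {
            if (entry.second > 0)
                return true;
        }
        return false;
    }

    std::size_t openDatabaseCount() const {
        std::lock_guard<std::mutex> lock(m_mutex);
        return m_openDatabases.size();
    }

private:
    mutable std::mutex m_mutex;              // guards m_openDatabases
    std::unordered_map<int, int> m_openDatabases;  // handle -> pending txns
};

// Stress driver: a second thread churns the table (open, schedule,
// complete, close) while the calling thread polls the locked query.
// Returns how many polls observed pending activity; the point is that
// both threads finish with a consistent table instead of a dangling
// iterator.
std::size_t stressPendingActivity(FakeDatabaseThread& dbThread, int iterations) {
    std::thread databaseThread([&] {
        for (int i = 0; i < iterations; ++i) {
            dbThread.databaseOpened(i);
            dbThread.transactionScheduled(i);
            dbThread.transactionCompleted(i);
            dbThread.databaseClosed(i);
        }
    });
    std::size_t sawActivity = 0;
    for (int i = 0; i < iterations; ++i) {
        if (dbThread.hasPendingDatabaseActivity())
            ++sawActivity;
    }
    databaseThread.join();
    return sawActivity;
}

int main() {
    FakeDatabaseThread dbThread;
    std::size_t hits = stressPendingActivity(dbThread, 20000);
    std::printf("polls that saw pending activity: %zu, open databases left: %zu\n",
                hits, dbThread.openDatabaseCount());
    return 0;
}
```

Build with something like `c++ -std=c++11 -pthread race.cpp` (the flags are an assumption about the reader's toolchain). Swapping the poll loop to hasPendingDatabaseActivityRacy() reproduces the pattern from the crash log: with a checked container it trips the container's own debug assertion, and with an unchecked one it is a plain data race that a sanitizer build (`-fsanitize=thread`) reports immediately, which is the cheaper way to catch this class of bug than waiting for a flaky crash on the bots.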
Comment 2 Chris Dumez 2016-01-26 16:52:40 PST
Committed r195638: <http://trac.webkit.org/changeset/195638>
Comment 3 Chris Dumez 2016-01-26 16:52:53 PST
Test temporarily skipped in <http://trac.webkit.org/changeset/195638>
Comment 4 Chris Dumez 2016-01-26 16:53:10 PST
Reopening as I did not land a fix yet.
Comment 5 Chris Dumez 2016-01-26 17:00:57 PST
Created attachment 269952 [details]
Patch
Comment 6 Andreas Kling 2016-01-26 17:11:40 PST
Comment on attachment 269952 [details]
Patch

r=me
Comment 7 Build Bot 2016-01-26 17:52:27 PST
Comment on attachment 269952 [details]
Patch

Attachment 269952 [details] did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/743443

New failing tests:
fast/history/page-cache-webdatabase-no-transaction-db.html
Comment 8 Build Bot 2016-01-26 17:52:30 PST
Created attachment 269962 [details]
Archive of layout-test-results from ews115 for mac-yosemite

The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews115  Port: mac-yosemite  Platform: Mac OS X 10.10.5
Comment 9 Build Bot 2016-01-26 18:25:08 PST
Comment on attachment 269952 [details]
Patch

Attachment 269952 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.webkit.org/results/743589

New failing tests:
fast/history/page-cache-webdatabase-no-transaction-db.html
Comment 10 Build Bot 2016-01-26 18:25:11 PST
Created attachment 269965 [details]
Archive of layout-test-results from ews100 for mac-yosemite

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews100  Port: mac-yosemite  Platform: Mac OS X 10.10.5
Comment 11 Chris Dumez 2016-01-26 18:57:19 PST
Created attachment 269969 [details]
Patch
Comment 12 WebKit Commit Bot 2016-01-26 19:45:17 PST
Comment on attachment 269969 [details]
Patch

Clearing flags on attachment: 269969

Committed r195652: <http://trac.webkit.org/changeset/195652>
Comment 13 WebKit Commit Bot 2016-01-26 19:45:21 PST
All reviewed patches have been landed.  Closing bug.