Bug 194871

Summary: Crash in DOMWindowExtension::suspendForPageCache
Product: WebKit Reporter: Ryosuke Niwa <rniwa>
Component: DOMAssignee: Ryosuke Niwa <rniwa>
Status: RESOLVED FIXED    
Severity: Normal CC: beidson, cdumez, ggaren
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Fix attempt none

Ryosuke Niwa
Reported 2019-02-20 14:24:21 PST
e.g. Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.WebCore 0x00007fff47af3f3c WebCore::DOMWindowExtension::suspendForPageCache() + 28 1 com.apple.WebCore 0x00007fff46967fe9 WebCore::DOMWindow::suspendForPageCache() + 233 2 com.apple.WebCore 0x00007fff47861a68 WebCore::CachedFrame::CachedFrame(WebCore::Frame&) + 504 3 com.apple.WebCore 0x00007fff47863869 WebCore::PageCache::addIfCacheable(WebCore::HistoryItem&, WebCore::Page*) + 457 4 com.apple.WebCore 0x00007fff4691a3c7 WebCore::FrameLoader::commitProvisionalLoad() + 263 5 com.apple.WebCore 0x00007fff46967b81 WebCore::DocumentLoader::commitLoad(char const*, int) + 81 6 com.apple.WebCore 0x00007fff47aca1b0 WTF::Function<void ()>::CallableWrapper<WebCore::CachedRawResource::didAddClient(WebCore::CachedResourceClient&)::$_0::operator()(WebCore::ResourceRequest&&)::'lambda'()>::call() + 80 7 com.apple.WebCore 0x00007fff47a559bb WTF::Function<void (WebCore::PolicyAction)>::CallableWrapper<WebCore::DocumentLoader::responseReceived(WebCore::ResourceResponse const&, WTF::CompletionHandler<void ()>&&)::$_7>::call(WebCore::PolicyAction) + 59 8 com.apple.WebKit 0x00007fff488666e9 WebKit::WebFrameLoaderClient::dispatchDecidePolicyForResponse(WebCore::ResourceResponse const&, WebCore::ResourceRequest const&, WTF::Function<void (WebCore::PolicyAction)>&&) + 121 9 com.apple.WebCore 0x00007fff47a4cdd8 WebCore::DocumentLoader::responseReceived(WebCore::ResourceResponse const&, WTF::CompletionHandler<void ()>&&) + 1992 10 com.apple.WebCore 0x00007fff47aca02e WTF::Function<void (WebCore::ResourceRequest&&)>::CallableWrapper<WebCore::CachedRawResource::didAddClient(WebCore::CachedResourceClient&)::$_0>::call(WebCore::ResourceRequest&&) + 350 11 com.apple.WebCore 0x00007fff47abe328 WebCore::iterateRedirects(WebCore::CachedResourceHandle<WebCore::CachedRawResource>&&, WebCore::CachedRawResourceClient&, WTF::Vector<std::__1::pair<WebCore::ResourceRequest, WebCore::ResourceResponse>, 0ul, WTF::CrashOnOverflow, 16ul>&&, WTF::CompletionHandler<void (WebCore::ResourceRequest&&)>&&) + 1448 12 com.apple.WebCore 0x00007fff47abd9b1 WebCore::CachedRawResource::didAddClient(WebCore::CachedResourceClient&) + 657 13 com.apple.WebCore 0x00007fff4690f398 WebCore::ThreadTimers::sharedTimerFiredInternal() + 168 14 com.apple.WebCore 0x00007fff4690f2df WebCore::timerFired(__CFRunLoopTimer*, void*) + 31 <rdar://problem/47380794>
Attachments
Fix attempt (4.80 KB, patch)
2019-02-20 14:57 PST, Ryosuke Niwa 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Ryosuke Niwa
Comment 1 2019-02-20 14:25:15 PST
We're also seeing crashes in DOMWindowExtension::willDestroyGlobalObjectInCachedFrame() e.g. Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.WebCore 0x00007fff52579040 WebCore::DOMWindowExtension::willDestroyGlobalObjectInCachedFrame() + 16 1 com.apple.WebCore 0x00007fff514da36a WebCore::DOMWindow::willDestroyCachedFrame() + 234 2 com.apple.WebCore 0x00007fff514da185 WebCore::CachedFrame::destroy() + 37 3 com.apple.WebCore 0x00007fff522e84d4 WebCore::PageCache::prune(WebCore::PruningReason) + 100 4 com.apple.WebCore 0x00007fff522e8458 WebCore::PageCache::pruneToSizeNow(unsigned int, WebCore::PruningReason) + 24 5 com.apple.WebKit 0x00007fff52fc5a98 IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) + 108 6 com.apple.WebKit 0x00007fff52fc924b IPC::Connection::dispatchOneIncomingMessage() + 181 7 com.apple.JavaScriptCore 0x00007fff47874734 WTF::RunLoop::performWork() + 228 8 com.apple.JavaScriptCore 0x00007fff478749c2 WTF::RunLoop::performWork(void*) + 34 9 com.apple.CoreFoundation 0x00007fff443526a3 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17 10 com.apple.CoreFoundation 0x00007fff44352649 __CFRunLoopDoSource0 + 108 11 com.apple.CoreFoundation 0x00007fff44335ffb __CFRunLoopDoSources0 + 195 12 com.apple.CoreFoundation 0x00007fff443355c5 __CFRunLoopRun + 1189 13 com.apple.CoreFoundation 0x00007fff44334ece CFRunLoopRunSpecific + 455 14 com.apple.Foundation 0x00007fff4664da9f -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 280 15 com.apple.Foundation 0x00007fff4664d974 -[NSRunLoop(NSRunLoop) run] + 76 16 libxpc.dylib 0x00007fff709ec1d7 _xpc_objc_main + 552 17 libxpc.dylib 0x00007fff709ebcd9 xpc_main + 433 18 com.apple.WebKit.WebContent 0x1013b26e2 WebKit::XPCServiceMain(int, char const**) + 547 (/BuildRoot/Library/Caches/com.apple.xbs/Sources/WebKit2/WebKit2-7607.1.30/Shared/EntryPointUtilities/mac/XPCService/XPCServiceMain.mm:157) 19 com.apple.WebKit.WebContent 0x1013b2867 main + 9 (/BuildRoot/Library/Caches/com.apple.xbs/Sources/WebKit2/WebKit2-7607.1.30/Shared/EntryPointUtilities/mac/XPCService/XPCServiceMain.mm:165) 20 libdyld.dylib 0x00007fff707b93ed start + 1
Ryosuke Niwa
Comment 2 2019-02-20 14:28:03 PST
I suspect what might be happening here is that DOMWindowExtension is getting removed / unregistered inside the client delegate callbacks in dispatchWillDisconnectDOMWindowExtensionFromGlobalObject and dispatchWillDestroyGlobalObjectForDOMWindowExtension. In DOMWindow::willDestroyCachedFrame, for example, there is a comment about how this may happen: // It is necessary to copy m_properties to a separate vector because the DOMWindowProperties may // unregister themselves from the DOMWindow as a result of the call to willDestroyGlobalObjectInFrame. I think what we didn't account is notifying one DOMWindowExtension removing another DOMWindowExtension.
Ryosuke Niwa
Comment 3 2019-02-20 14:57:17 PST
Created attachment 362547 [details] Fix attempt
Ryosuke Niwa
Comment 4 2019-02-20 15:09:52 PST
Waiting for EWS...
Ryosuke Niwa
Comment 5 2019-02-20 16:06:29 PST
Comment on attachment 362547 [details] Fix attempt Clearing flags on attachment: 362547 Committed r241848: <https://trac.webkit.org/changeset/241848>
Ryosuke Niwa
Comment 6 2019-02-20 16:06:31 PST
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.