Bug 210731

Summary: REGRESSION (r248751): 2 IndexedDB tests are crashing in JSC::reportZappedCellAndCrash
Product: WebKit
Reporter: Simon Fraser (smfr) <simon.fraser>
Component: DOM
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: mark.lam, rmorisset, sihui_liu, simon.fraser, webkit-bug-importer, ysuzuki
Priority: P2
Keywords: InRadar
Version: Safari Technology Preview
Hardware: Unspecified
OS: Unspecified
See Also: https://bugs.webkit.org/show_bug.cgi?id=210728
https://bugs.webkit.org/show_bug.cgi?id=210726
https://bugs.webkit.org/show_bug.cgi?id=200526
https://bugs.webkit.org/show_bug.cgi?id=210735

Description Simon Fraser (smfr) 2020-04-19 21:50:30 PDT
https://ews-build.webkit.org/results/macOS-Mojave-Debug-WK1-Tests-EWS/r396938-7951/results.html

Thread 8 Crashed:: IndexedDB
0   com.apple.JavaScriptCore      	0x000000010e77ecca WTFCrashWithInfoImpl(int, char const*, char const*, int, unsigned long long, unsigned long long, unsigned long long, unsigned long long, unsigned long long, unsigned long long, unsigned long long) + 186 (Assertions.cpp:649)
1   com.apple.JavaScriptCore      	0x000000010ff66c4a void WTFCrashWithInfo<unsigned long, unsigned long long, unsigned long long, unsigned int, unsigned long, JSC::MarkedBlock*, unsigned long long>(int, char const*, char const*, int, unsigned long, unsigned long long, unsigned long long, unsigned int, unsigned long, JSC::MarkedBlock*, unsigned long long) + 298
2   com.apple.JavaScriptCore      	0x000000010ff66988 JSC::reportZappedCellAndCrash(JSC::Heap&, JSC::JSCell const*) + 920
3   com.apple.WebCore             	0x00000001258b4211 WebCore::JSDOMGlobalObject* JSC::jsCast<WebCore::JSDOMGlobalObject*, JSC::JSGlobalObject>(JSC::JSGlobalObject*) + 97
4   com.apple.WebCore             	0x0000000127ac5705 JSC::JSValue WebCore::CloneDeserializer::readDOMMatrix<WebCore::DOMMatrix>() + 373
5   com.apple.WebCore             	0x0000000127a9ec51 WebCore::CloneDeserializer::readTerminal() + 6497
6   com.apple.WebCore             	0x0000000127a9cf83 WebCore::CloneDeserializer::deserialize() + 2883
7   com.apple.WebCore             	0x0000000127aa2264 WebCore::CloneDeserializer::deserialize(JSC::JSGlobalObject*, JSC::JSGlobalObject*, WTF::Vector<WTF::RefPtr<WebCore::MessagePort, WTF::DumbPtrTraits<WebCore::MessagePort> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WTF::Vector<std::__1::pair<std::__1::unique_ptr<WebCore::ImageBuffer, std::__1::default_delete<WebCore::ImageBuffer> >, bool>, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&&, WTF::Vector<JSC::ArrayBufferContents, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>*, WTF::Vector<unsigned char, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WTF::Vector<WTF::String, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WTF::Vector<WTF::String, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WTF::Vector<JSC::ArrayBufferContents, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>*, WTF::Vector<WTF::RefPtr<JSC::Wasm::Module, WTF::DumbPtrTraits<JSC::Wasm::Module> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>*) + 468
8   com.apple.WebCore             	0x0000000127aa202f WebCore::SerializedScriptValue::deserialize(JSC::JSGlobalObject&, JSC::JSGlobalObject*, WTF::Vector<WTF::RefPtr<WebCore::MessagePort, WTF::DumbPtrTraits<WebCore::MessagePort> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WTF::Vector<WTF::String, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WTF::Vector<WTF::String, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WebCore::SerializationErrorMode) + 271
9   com.apple.WebCore             	0x00000001279e1f1c WebCore::deserializeIDBValueToJSValue(JSC::JSGlobalObject&, JSC::JSGlobalObject&, WebCore::IDBValue const&) + 284
10  com.apple.WebCore             	0x00000001279e1df1 WebCore::deserializeIDBValueToJSValue(JSC::JSGlobalObject&, WebCore::IDBValue const&) + 33
11  com.apple.WebCore             	0x00000001272bf05e WebCore::IDBServer::SQLiteIDBBackingStore::updateAllIndexesForAddRecord(WebCore::IDBObjectStoreInfo const&, WebCore::IDBKeyData const&, WebCore::ThreadSafeDataBuffer const&, long long) + 206
12  com.apple.WebCore             	0x00000001272bfef6 WebCore::IDBServer::SQLiteIDBBackingStore::addRecord(WebCore::IDBResourceIdentifier const&, WebCore::IDBObjectStoreInfo const&, WebCore::IDBKeyData const&, WebCore::IDBValue const&) + 1862
13  com.apple.WebCore             	0x00000001272d4e89 WebCore::IDBServer::UniqueIDBDatabase::putOrAdd(WebCore::IDBRequestData const&, WebCore::IDBKeyData const&, WebCore::IDBValue const&, WebCore::IndexedDB::ObjectStoreOverwriteMode, WTF::Function<void (WebCore::IDBError const&, WebCore::IDBKeyData const&)>) + 2265
14  com.apple.WebCore             	0x00000001272dc3c5 WebCore::IDBServer::UniqueIDBDatabaseTransaction::putOrAdd(WebCore::IDBRequestData const&, WebCore::IDBKeyData const&, WebCore::IDBValue const&, WebCore::IndexedDB::ObjectStoreOverwriteMode) + 581
15  com.apple.WebCore             	0x00000001271d274a WebCore::IDBServer::IDBServer::putOrAdd(WebCore::IDBRequestData const&, WebCore::IDBKeyData const&, WebCore::IDBValue const&, WebCore::IndexedDB::ObjectStoreOverwriteMode) + 346
16  com.apple.WebKitLegacy        	0x000000013e9585f2 InProcessIDBServer::putOrAdd(WebCore::IDBRequestData const&, WebCore::IDBKeyData const&, WebCore::IDBValue const&, WebCore::IndexedDB::ObjectStoreOverwriteMode)::$_33::operator()() const + 146
17  com.apple.WebKitLegacy        	0x000000013e956f49 WTF::Detail::CallableWrapper<InProcessIDBServer::putOrAdd(WebCore::IDBRequestData const&, WebCore::IDBKeyData const&, WebCore::IDBValue const&, WebCore::IndexedDB::ObjectStoreOverwriteMode)::$_33, void>::call() + 25
18  com.apple.WebKitLegacy        	0x000000013e98e04a WTF::Function<void ()>::operator()() const + 138
Comment 1 Radar WebKit Bug Importer 2020-04-19 21:50:48 PDT
<rdar://problem/62043056>
Comment 3 Yusuke Suzuki 2020-04-19 22:26:45 PDT
This test was previously skipped because it includes BigInt syntax. This test immediately throws a SyntaxError, so nothing in this test was executed before.

Now JSC supports BigInt syntax, so this test is now executed, and the crash happens when deserializing DOMMatrixReadOnly.

This is because DOMMatrixReadOnly requires a JSGlobalObject with DOM implementations, since DOMMatrixReadOnly is a WebCore object, not a JSC object.

However, IDBSerializationContext.cpp is using a plain JSGlobalObject. This is wrong since it is a JSC JSGlobalObject and it does not include the DOMMatrix implementations.

    ASSERT(!m_globalObject);
    m_vm = JSC::VM::create();

    JSC::JSLockHolder locker(m_vm.get());
    m_globalObject.set(*m_vm, JSC::JSGlobalObject::create(*m_vm, JSC::JSGlobalObject::createStructure(*m_vm, JSC::jsNull())));
}

in `IDBSerializationContext.cpp`.

The stderr message "Unexpected global object: Object: 0x124376268 with butterfly 0x1818550448 (Structure 0x1331397a0:[0xd8f4, GlobalObject, {Object:100, Function:101, Array:102, RegExp:103, String:104, Promise:105, BigInt:106, Intl:107, $vm:108, WebAssembly:109}, NonArray, Proto:0x117642b68, Dictionary, Leaf]), StructureID: 55540" is emitted from WebCore::JSDOMGlobalObject::scriptExecutionContext, because this is not a DOM JSGlobalObject.

    frame #0: 0x0000000103650633 WebCore`WTFCrashWithInfo((null)=178, (null)="./bindings/js/JSDOMGlobalObject.cpp", (null)="WebCore::ScriptExecutionContext *WebCore::JSDOMGlobalObject::scriptExecutionContext() const", (null)=222) at Assertions.h:671:5 [opt]
  * frame #1: 0x00000001042f3496 WebCore`WebCore::JSDOMGlobalObject::scriptExecutionContext(this=<unavailable>) const at JSDOMGlobalObject.cpp:178:5 [opt]
    frame #2: 0x00000001038a20f7 WebCore`WebCore::JSDOMMatrixReadOnlyPrototype::finishCreation(this=0x00000001331580d0, vm=0x000000012448e000) at JSDOMMatrixReadOnly.cpp:250:54 [opt]
    frame #3: 0x00000001038a2515 WebCore`WebCore::JSDOMMatrixReadOnly::createPrototype(JSC::VM&, WebCore::JSDOMGlobalObject&) [inlined] WebCore::JSDOMMatrixReadOnlyPrototype::create(vm=0x000000012448e000, globalObject=<unavailable>, structure=0x0000000133139880) at JSDOMMatrixReadOnly.cpp:122:14 [opt]
    frame #4: 0x00000001038a247c WebCore`WebCore::JSDOMMatrixReadOnly::createPrototype(vm=0x000000012448e000, globalObject=<unavailable>) at JSDOMMatrixReadOnly.cpp:279 [opt]
    frame #5: 0x0000000103899414 WebCore`WebCore::JSDOMMatrix::createPrototype(JSC::VM&, WebCore::JSDOMGlobalObject&) [inlined] JSC::Structure* WebCore::getDOMStructure<WebCore::JSDOMMatrixReadOnly>(vm=<unavailable>, globalObject=0x0000000124376268) at JSDOMWrapperCache.h:85:93 [opt]
    frame #6: 0x00000001038993f5 WebCore`WebCore::JSDOMMatrix::createPrototype(JSC::VM&, WebCore::JSDOMGlobalObject&) [inlined] JSC::JSObject* WebCore::getDOMPrototype<WebCore::JSDOMMatrixReadOnly>(vm=<unavailable>, globalObject=0x0000000124376268) at JSDOMWrapperCache.h:96 [opt]
    frame #7: 0x00000001038993f5 WebCore`WebCore::JSDOMMatrix::createPrototype(JSC::VM&, WebCore::JSDOMGlobalObject&) [inlined] WebCore::JSDOMMatrixReadOnly::prototype(vm=<unavailable>, globalObject=0x0000000124376268) at JSDOMMatrixReadOnly.cpp:284 [opt]
    frame #8: 0x00000001038993f5 WebCore`WebCore::JSDOMMatrix::createPrototype(vm=0x000000012448e000, globalObject=0x0000000124376268) at JSDOMMatrix.cpp:280 [opt]
    frame #9: 0x000000010389eab1 WebCore`std::__1::enable_if<std::is_same<WebCore::DOMMatrix, WebCore::DOMMatrix>::value, WebCore::JSDOMWrapperConverterTraits<WebCore::DOMMatrix>::WrapperClass*>::type WebCore::createWrapper<WebCore::DOMMatrix, WebCore::DOMMatrix>(WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::DOMMatrix, WTF::DumbPtrTraits<WebCore::DOMMatrix> >&&) [inlined] JSC::Structure* WebCore::getDOMStructure<WebCore::JSDOMMatrix>(vm=0x000000012448e000, globalObject=0x0000000124376268) at JSDOMWrapperCache.h:85:93 [opt]
    frame #10: 0x000000010389ea92 WebCore`std::__1::enable_if<std::is_same<WebCore::DOMMatrix, WebCore::DOMMatrix>::value, WebCore::JSDOMWrapperConverterTraits<WebCore::DOMMatrix>::WrapperClass*>::type WebCore::createWrapper<WebCore::DOMMatrix, WebCore::DOMMatrix>(globalObject=0x0000000124376268, domObject=0x00007000025653f0) at JSDOMWrapperCache.h:187 [opt]
    frame #11: 0x000000010434aa6d WebCore`JSC::JSValue WebCore::CloneDeserializer::readDOMMatrix<WebCore::DOMMatrix>(this=<unavailable>) at SerializedScriptValue.cpp:0 [opt]
    frame #12: 0x0000000104338a56 WebCore`WebCore::CloneDeserializer::deserialize(this=0x00007000025657d8) at SerializedScriptValue.cpp:3569:36 [opt]
    frame #13: 0x000000010433d79c WebCore`WebCore::CloneDeserializer::deserialize(lexicalGlobalObject=<unavailable>, globalObject=<unavailable>, messagePorts=<unavailable>, imageBuffers=<unavailable>, arrayBufferContentsArray=<unavailable>, buffer={ size = 54, capacity = 61 }, blobURLs={ size = 0, capacity = 0 }, blobFilePaths={ size = 0, capacity = 0 }, sharedBuffers={ size = 0, capacity = 0 }, wasmModules={ size = 0, capacity = 0 }) at SerializedScriptValue.cpp:1944:29 [opt]
    frame #14: 0x000000010433d4ef WebCore`WebCore::SerializedScriptValue::deserialize(this=0x0000000132c923c0, lexicalGlobalObject=<unavailable>, globalObject=<unavailable>, messagePorts={ size = 0, capacity = 0 }, blobURLs={ size = 0, capacity = 0 }, blobFilePaths=<unavailable>, throwExceptions=NonThrowing) at SerializedScriptValue.cpp:3905:36 [opt]
    frame #15: 0x00000001042f031c WebCore`WebCore::deserializeIDBValueToJSValue(lexicalGlobalObject=0x0000000124376268, globalObject=0x0000000124376268, value=<unavailable>) at IDBBindingUtilities.cpp:391:39 [opt]
    frame #16: 0x0000000104040714 WebCore`WebCore::IDBServer::SQLiteIDBBackingStore::updateAllIndexesForAddRecord(this=0x000000013331f6c0, info=0x0000000132f3d060, key=0x0000700002565d58, value=<unavailable>, recordID=1) at SQLiteIDBBackingStore.cpp:1855:20 [opt]
    frame #17: 0x0000000104040d3e WebCore`WebCore::IDBServer::SQLiteIDBBackingStore::addRecord(this=0x000000013331f6c0, transactionIdentifier=<unavailable>, objectStoreInfo=0x0000000132f3d060, keyData=<unavailable>, value=0x000000013323ce58) at SQLiteIDBBackingStore.cpp:1929:18 [opt]
    frame #18: 0x000000010404fb9d WebCore`WebCore::IDBServer::UniqueIDBDatabase::putOrAdd(this=<unavailable>, requestData=<unavailable>, keyData=0x000000013323ce30, value=0x000000013323ce58, overwriteMode=Overwrite, callback=WebCore::IDBServer::KeyDataCallback @ 0x0000700002565e58)>) at UniqueIDBDatabase.cpp:763:29 [opt]
    frame #19: 0x000000010405429d WebCore`WebCore::IDBServer::UniqueIDBDatabaseTransaction::putOrAdd(this=<unavailable>, requestData=0x000000013323cda8, keyData=0x000000013323ce30, value=<unavailable>, overwriteMode=<unavailable>) at UniqueIDBDatabaseTransaction.cpp:263:15 [opt]
    frame #20: 0x0000000103ff6dff WebCore`WebCore::IDBServer::IDBServer::putOrAdd(this=<unavailable>, requestData=0x000000013323cda8, keyData=0x000000013323ce30, value=0x000000013323ce58, overwriteMode=Overwrite) at IDBServer.cpp:313:18 [opt]
    frame #21: 0x0000000108866696 WebKitLegacy`WTF::Detail::CallableWrapper<InProcessIDBServer::putOrAdd(WebCore::IDBRequestData const&, WebCore::IDBKeyData const&, WebCore::IDBValue const&, WebCore::IndexedDB::ObjectStoreOverwriteMode)::$_33, void>::call() [inlined] InProcessIDBServer::putOrAdd(this=0x000000013323cd98)::$_33::operator()() const at InProcessIDBServer.cpp:351:19 [opt]
    frame #22: 0x0000000108866661 WebKitLegacy`WTF::Detail::CallableWrapper<InProcessIDBServer::putOrAdd(WebCore::IDBRequestData const&, WebCore::IDBKeyData const&, WebCore::IDBValue const&, WebCore::IndexedDB::ObjectStoreOverwriteMode)::$_33, void>::call(this=0x000000013323cd90) at Function.h:52 [opt]
    frame #23: 0x000000010888686d WebKitLegacy`WebCore::StorageThread::threadEntryPoint() [inlined] WTF::Function<void ()>::operator(this=<unavailable>)() const at Function.h:84:35 [opt]
    frame #24: 0x0000000108886864 WebKitLegacy`WebCore::StorageThread::threadEntryPoint(this=<unavailable>) at StorageThread.cpp:78 [opt]
    frame #25: 0x000000010047219c JavaScriptCore`WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) [inlined] WTF::Function<void ()>::operator(this=<unavailable>)() const at Function.h:84:35 [opt]
    frame #26: 0x0000000100472193 JavaScriptCore`WTF::Thread::entryPoint(newThreadContext=0x00000001328d19c0) at Threading.cpp:168 [opt]
    frame #27: 0x00000001004746c9 JavaScriptCore`WTF::wtfThreadEntryPoint(context=<unavailable>) at ThreadingPOSIX.cpp:200:5 [opt]
    frame #28: 0x00007fff711a7a10 libsystem_pthread.dylib`_pthread_start + 224
    frame #29: 0x00007fff711a353f libsystem_pthread.dylib`thread_start + 15
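The defect class comment 3 describes, as an added illustration that is not WebKit code and not the fix for this bug: a structured-clone deserializer reads a record for a DOM-backed type (DOMMatrix) and must create its wrapper through a global object that carries the DOM prototypes. Handing it a plain JavaScript global object, as the IDBSerializationContext.cpp snippet above does, means the downcast to a DOM global object is wrong; in debug builds that is the assertion in the report, and the defender's concern is that the same mismatch in a release build operates on an object of the wrong type. The model below treats the context check as an input-validation step and fails closed. Every name in it (JSGlobalObject and JSDOMGlobalObject as two-class stand-ins, deserializeTerminal, the tag values and the one-byte-per-entry record layout) is constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Two kinds of global object, mirroring JSC::JSGlobalObject (plain) and
// WebCore::JSDOMGlobalObject (carries the DOM prototypes). The names are
// reused for readability only; these are not WebKit's classes.
enum class GlobalObjectKind { Plain, DOM };

struct JSGlobalObject {
    virtual ~JSGlobalObject() = default;
    virtual GlobalObjectKind kind() const { return GlobalObjectKind::Plain; }
};

struct JSDOMGlobalObject : JSGlobalObject {
    GlobalObjectKind kind() const override { return GlobalObjectKind::DOM; }
    // Hypothetical stand-in for the per-global-object DOM prototype cache
    // that wrapper creation needs.
    int domMatrixPrototypeId = 42;
};

// Checked downcast. WebKit's jsCast<> asserts on a mismatch in debug builds
// (the "Unexpected global object" path in the report); this version returns
// nullptr so the caller can refuse the record instead of using the wrong type.
const JSDOMGlobalObject* asDOMGlobalObject(const JSGlobalObject& globalObject)
{
    if (globalObject.kind() != GlobalObjectKind::DOM)
        return nullptr;
    return static_cast<const JSDOMGlobalObject*>(&globalObject);
}

// Record tags and layout, constructed for this example (not WebKit's format).
enum Tag : uint8_t { NumberTag = 1, DOMMatrixTag = 2 };
constexpr size_t kMatrixEntries = 16; // 4x4 matrix, one byte per entry here

enum class DeserializeStatus { Ok, UnsupportedInContext, Malformed };

struct DeserializeResult {
    DeserializeStatus status;
    std::string description;
};

// Deserialize one terminal value against a global object. A DOM-backed type
// is only materialized when the context can supply its prototype; a plain
// global object yields a clean refusal rather than a bad cast.
DeserializeResult deserializeTerminal(const std::vector<uint8_t>& buffer,
                                      const JSGlobalObject& globalObject)
{
    if (buffer.empty())
        return { DeserializeStatus::Malformed, "empty buffer" };

    switch (buffer[0]) {
    case NumberTag:
        if (buffer.size() != 2)
            return { DeserializeStatus::Malformed, "bad number record length" };
        return { DeserializeStatus::Ok, "number " + std::to_string(buffer[1]) };

    case DOMMatrixTag: {
        if (buffer.size() != 1 + kMatrixEntries)
            return { DeserializeStatus::Malformed, "bad DOMMatrix record length" };
        const JSDOMGlobalObject* domGlobal = asDOMGlobalObject(globalObject);
        if (!domGlobal)
            return { DeserializeStatus::UnsupportedInContext,
                     "DOMMatrix requires a DOM global object" };
        return { DeserializeStatus::Ok,
                 "DOMMatrix wrapper via prototype "
                     + std::to_string(domGlobal->domMatrixPrototypeId) };
    }

    default:
        return { DeserializeStatus::Malformed, "unknown tag" };
    }
}

// Constructed sample record: an identity DOMMatrix as an IDB value might carry it.
std::vector<uint8_t> constructedMatrixRecord()
{
    std::vector<uint8_t> record { DOMMatrixTag };
    for (size_t i = 0; i < kMatrixEntries; ++i)
        record.push_back(i % 5 == 0 ? 1 : 0); // diagonal of a 4x4 identity
    return record;
}

std::vector<uint8_t> constructedNumberRecord(uint8_t value)
{
    return { NumberTag, value };
}

int main()
{
    JSGlobalObject plainGlobal;   // what the IDBSerializationContext snippet creates
    JSDOMGlobalObject domGlobal;  // what DOM wrapper creation needs

    DeserializeResult refused = deserializeTerminal(constructedMatrixRecord(), plainGlobal);
    DeserializeResult accepted = deserializeTerminal(constructedMatrixRecord(), domGlobal);
    DeserializeResult number = deserializeTerminal(constructedNumberRecord(7), plainGlobal);
    std::printf("plain global: %s\nDOM global: %s\nnumber: %s\n",
                refused.description.c_str(), accepted.description.c_str(), number.description.c_str());
    return 0;
}
```

The point of the model is the ordering: the record length is validated, then the context is validated, and only then is anything created through the context. In the real code path (CloneDeserializer::readDOMMatrix through createWrapper and getDOMStructure in the backtrace above), the context check is the one that the plain JSGlobalObject fails.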
Comment 4 Yusuke Suzuki 2020-04-19 22:43:16 PDT
I will skip this test in the BigInt structured-cloning patch. And in the BigInt structured-cloning patch, I'll add a test for BigInt structured-cloning.
And I will send this bug to the IDB folks for the following reasons.

1. This test was throwing a BigInt SyntaxError and it was never effectively executed. No tests inside this test file are executed because of the SyntaxError. Skipping this test does not regress the coverage because this test was never executed before.
2. Now BigInt is supported, and this test finally starts running and crashing. The cause of the crash is an IDB deserialization bug, not something related to BigInt.
3. This bug itself is completely unrelated to BigInt, and we can make WebKit crash without BigInt support since this is related to IDB deserialization and DOM objects.
Comment 5 Yusuke Suzuki 2020-04-19 22:45:09 PDT
Renamed to r248751 regression.
Comment 6 Yusuke Suzuki 2020-04-19 23:30:40 PDT
Committed r260352: <https://trac.webkit.org/changeset/260352>