Bug 215835

Summary:

REGRESSION (r264661): Crashes in WebCore::wrap<WebCore::Blob> in CloneDeserializer

Product:

WebKit

Reporter:

xiao_chengyi

Component:

WebKit Misc.

Assignee:

Sihui Liu <sihui_liu>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

alecflett, ap, beidson, ews-watchlist, jsbell, sihui_liu, webkit-bug-importer, youennf, ysuzuki

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
The property inspector of XCode when the crash happens.	none
crashreport	none
symbolicated crash report	none
Patch	none
Patch	none
Patch for landing	none

xiao_chengyi

Reported 2020-08-25 20:29:07 PDT

Created attachment 407268 [details] The property inspector of XCode when the crash happens. commit in 7/22 in SerializedScriptValue.cpp result in crash. !m_isDOMGlobalObject and m_isJSIDBSerializationGlobalObject are not equal. Cause a crash in a type checking. Build Date & Hardware: Build 2020-08-25 on Mac OS 10.15.4 run and debug in iOS 14 beta 5 simulator.

Attachments
The property inspector of XCode when the crash happens. (94.41 KB, application/zip) 2020-08-25 20:29 PDT, xiao_chengyi	no flags	Details
crashreport (2.53 KB, text/plain) 2020-08-26 20:53 PDT, xiao_chengyi	no flags	Details
symbolicated crash report (5.21 KB, text/plain) 2020-08-31 05:53 PDT, xiao_chengyi	no flags	Details
Patch (5.60 KB, patch) 2020-09-01 10:31 PDT, Sihui Liu	no flags	Details Formatted Diff Diff
Patch (6.97 KB, patch) 2020-09-01 17:52 PDT, Sihui Liu	no flags	Details Formatted Diff Diff
Patch for landing (6.93 KB, patch) 2020-09-02 09:30 PDT, Sihui Liu	no flags	Details Formatted Diff Diff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.

Alexey Proskuryakov

Comment 1 2020-08-26 11:27:11 PDT

The closest change to this file r264661, although that was 7/21 in California. Is this what you are blaming? Could you please attach a complete crash log, and/or steps to reproduce?

xiao_chengyi

Comment 2 2020-08-26 20:53:15 PDT

Created attachment 407373 [details] crashreport

xiao_chengyi

Comment 3 2020-08-26 20:53:49 PDT

(In reply to Alexey Proskuryakov from comment #1) > The closest change to this file r264661, although that was 7/21 in > California. Is this what you are blaming? > > Could you please attach a complete crash log, and/or steps to reproduce? Yes, r264661 is the change I'm talking about. Sorry, but I can only provide part of the crash log.See crashreport in Attachments.

Alexey Proskuryakov

Comment 4 2020-08-26 21:25:42 PDT

Thank you for the confirmation. We cannot symbolicate a partial crash report, and this may not be actionable without a symbolicated trace, or better, a repro case. Keeping open in case Sihui has an idea.

xiao_chengyi

Comment 5 2020-08-31 05:53:00 PDT

Created attachment 407597 [details] symbolicated crash report

xiao_chengyi

Comment 6 2020-08-31 05:57:35 PDT

(In reply to Alexey Proskuryakov from comment #4) > Thank you for the confirmation. > > We cannot symbolicate a partial crash report, and this may not be actionable > without a symbolicated trace, or better, a repro case. > > Keeping open in case Sihui has an idea. Hi, we managed to get symbolicated crash report. Would you please take a look at it ? thanks. :-)

Alexey Proskuryakov

Comment 7 2020-08-31 09:27:06 PDT

Thank you! I think that this may be enough info for an investigation. Any details tat could help prioritization would also be appreciated (such as user impact qualification).

Alexey Proskuryakov

Comment 8 2020-08-31 10:36:22 PDT

rdar://problem/68084639

Sihui Liu

Comment 9 2020-09-01 10:31:36 PDT

Created attachment 407695 [details] Patch

Alexey Proskuryakov

Comment 10 2020-09-01 10:41:59 PDT

Comment on attachment 407695 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=407695&action=review > Source/WebCore/ChangeLog:3 > + REGRESSION (r264661): Crashes in WebCore::wrap<WebCore::Blob> in CloneDeserializer Can a regression test be added for this?

Sihui Liu

Comment 11 2020-09-01 17:52:48 PDT

Created attachment 407721 [details] Patch

Sihui Liu

Comment 12 2020-09-01 17:53:38 PDT

(In reply to Alexey Proskuryakov from comment #10) > Comment on attachment 407695 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=407695&action=review > > > Source/WebCore/ChangeLog:3 > > + REGRESSION (r264661): Crashes in WebCore::wrap<WebCore::Blob> in CloneDeserializer > > Can a regression test be added for this? Test added.

youenn fablet

Comment 13 2020-09-02 02:38:21 PDT

Comment on attachment 407721 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=407721&action=review > Source/WebCore/bindings/js/SerializedScriptValue.cpp:2042 > + , m_isValidDOMGlobalObject(m_isDOMGlobalObject && !globalObject->inherits<JSIDBSerializationGlobalObject>(globalObject->vm())) I would rename it to something like m_canCreateDOMObject.

Sihui Liu

Comment 14 2020-09-02 09:30:17 PDT

Created attachment 407772 [details] Patch for landing

EWS

Comment 15 2020-09-02 10:04:39 PDT

Committed r266470: <https://trac.webkit.org/changeset/266470> All reviewed patches have been landed. Closing bug and clearing flags on attachment 407772 [details].

Note You need to log in before you can comment on or make changes to this bug.