Bug 225528

Summary: [ BigSur ARM64, iOS 14 EWS] http/wpt/fetch/fetch-response-body-stop-in-worker.html is a flaky crash
Product: WebKit Reporter: Robert Jenner <jenner>
Component: WebCore Misc. Assignee: youenn fablet <youennf>
Status: RESOLVED CONFIGURATION CHANGED
Severity: Normal CC: ehutchison, webkit-bot-watchers-bugzilla, webkit-bug-importer, youennf, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
See Also: https://bugs.webkit.org/show_bug.cgi?id=225534
Attachments: Full crashlog (flags: none); Patch (flags: none)

Description Robert Jenner 2021-05-07 11:34:29 PDT
http/wpt/fetch/fetch-response-body-stop-in-worker.html

is a flaky crash on BigSur Apple Silicon Macs only. So far, it has only crashed on BigSur Release wk2 and BigSur Debug wk1, and so far it has only been on Apple Silicon Macs.

HISTORY:
https://results.webkit.org/?suite=layout-tests&test=http%2Fwpt%2Ffetch%2Ffetch-response-body-stop-in-worker.html

CRASH TEXT:
Thread 7 Crashed:: WebCore: Worker
0   com.apple.JavaScriptCore      	0x000000010a7ce350 structure + 0 (JSCellInlines.h:141) [inlined]
1   com.apple.JavaScriptCore      	0x000000010a7ce350 globalObject + 0 (JSObject.h:877) [inlined]
2   com.apple.JavaScriptCore      	0x000000010a7ce350 JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 128 (Interpreter.cpp:865)
3   com.apple.JavaScriptCore      	0x000000010a7ce318 isCollectorBusyOnCurrentThread + 8 (VM.h:1033) [inlined]
4   com.apple.JavaScriptCore      	0x000000010a7ce318 JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 72 (Interpreter.cpp:851)
5   com.apple.WebCore             	0x0000000105a35fc8 invokeReadableStreamDefaultControllerFunction + 200 (ReadableStreamDefaultController.cpp:52) [inlined]
6   com.apple.WebCore             	0x0000000105a35fc8 WebCore::ReadableStreamDefaultController::enqueue(JSC::JSValue) + 412 (ReadableStreamDefaultController.cpp:105)
7   com.apple.WebCore             	0x0000000105a361b0 WebCore::ReadableStreamDefaultController::enqueue(WTF::RefPtr<JSC::ArrayBuffer, WTF::RawPtrTraits<JSC::ArrayBuffer>, WTF::DefaultRefDerefTraits<JSC::ArrayBuffer> >&&) + 344 (ReadableStreamDefaultController.cpp:128)
8   com.apple.WebCore             	0x000000010567cb90 enqueue + 20 (FetchBodySource.h:44) [inlined]
9   com.apple.WebCore             	0x000000010567cb90 WebCore::FetchResponse::BodyLoader::didReceiveData(char const*, unsigned long) + 312 (FetchResponse.cpp:373)
10  com.apple.WebCore             	0x000000010619b770 didReceiveData + 12 (ThreadableLoaderClientWrapper.h:72) [inlined]
11  com.apple.WebCore             	0x000000010619b770 operator() + 32 (WorkerThreadableLoader.cpp:238) [inlined]
12  com.apple.WebCore             	0x000000010619b770 WTF::Detail::CallableWrapper<WebCore::WorkerThreadableLoader::MainThreadBridge::didReceiveData(char const*, int)::$_17, void, WebCore::ScriptExecutionContext&>::call(WebCore::ScriptExecutionContext&) + 56 (Function.h:52)
13  com.apple.WebCore             	0x000000010696198c operator() + 20 (Function.h:83) [inlined]
14  com.apple.WebCore             	0x000000010696198c performTask + 20 (ScriptExecutionContext.h:203) [inlined]
15  com.apple.WebCore             	0x000000010696198c performTask + 36 (WorkerRunLoop.cpp:270) [inlined]
16  com.apple.WebCore             	0x000000010696198c WebCore::WorkerRunLoop::runInMode(WebCore::WorkerOrWorkletGlobalScope*, WebCore::ModePredicate const&, WebCore::WorkerRunLoop::WaitMode) + 392 (WorkerRunLoop.cpp:209)
17  com.apple.WebCore             	0x00000001069617a0 WebCore::WorkerRunLoop::run(WebCore::WorkerOrWorkletGlobalScope*) + 100 (WorkerRunLoop.cpp:143)
18  com.apple.WebCore             	0x000000010695d0ec WebCore::WorkerOrWorkletThread::workerOrWorkletThread() + 744 (WorkerOrWorkletThread.cpp:146)
19  com.apple.JavaScriptCore      	0x0000000109f38338 operator() + 16 (Function.h:83) [inlined]
20  com.apple.JavaScriptCore      	0x0000000109f38338 WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) + 136 (Threading.cpp:185)
21  com.apple.JavaScriptCore      	0x0000000109f3a6e8 WTF::wtfThreadEntryPoint(void*) + 12 (ThreadingPOSIX.cpp:241)
22  libsystem_pthread.dylib       	0x000000018dc9606c _pthread_start + 320
23  libsystem_pthread.dylib       	0x000000018dc90da0 thread_start + 8

https://build.webkit.org/results/Apple-BigSur-Release-AppleSilicon-WK2-Tests/r277174%20(1348)/http/wpt/fetch/fetch-response-body-stop-in-worker-crash-log.txt
Comment 1 Robert Jenner 2021-05-07 11:35:10 PDT
Created attachment 428014 [details]
Full crashlog

Attaching full crashlog to bug.
Comment 2 Radar WebKit Bug Importer 2021-05-07 17:01:01 PDT
<rdar://problem/77679378>
Comment 3 Robert Jenner 2021-05-10 15:35:23 PDT
This only appears to occur on Apple Silicon Macs. As such, I cannot reproduce the failure, as I do not have access to said system type. 

I have updated the test expectations here to Pass Crash for arm64 only:
https://trac.webkit.org/changeset/277300/webkit
Comment 4 youenn fablet 2021-05-10 23:53:35 PDT
Another crash log:
Thread 32 Crashed:: WebCore: Worker
0   com.apple.JavaScriptCore      	0x00000001022b7120 WTFCrash + 20 (Assertions.cpp:305)
1   com.apple.WebCore             	0x00000001237995c0 WTFCrashWithInfo(int, char const*, char const*, int) + 32 (Assertions.h:695)
2   com.apple.WebCore             	0x0000000125cf43b8 WebCore::invokeReadableStreamDefaultControllerFunction(JSC::JSGlobalObject&, JSC::Identifier const&, JSC::MarkedArgumentBuffer const&) + 220 (ReadableStreamDefaultController.cpp:48)
3   com.apple.WebCore             	0x0000000125cf4818 WebCore::ReadableStreamDefaultController::enqueue(JSC::JSValue) + 220 (ReadableStreamDefaultController.cpp:105)
4   com.apple.WebCore             	0x0000000125cf4a74 WebCore::ReadableStreamDefaultController::enqueue(WTF::RefPtr<JSC::ArrayBuffer, WTF::RawPtrTraits<JSC::ArrayBuffer>, WTF::DefaultRefDerefTraits<JSC::ArrayBuffer> >&&) + 524 (ReadableStreamDefaultController.cpp:128)
5   com.apple.WebCore             	0x0000000124fdf474 WebCore::FetchBodySource::enqueue(WTF::RefPtr<JSC::ArrayBuffer, WTF::RawPtrTraits<JSC::ArrayBuffer>, WTF::DefaultRefDerefTraits<JSC::ArrayBuffer> >&&) + 64 (FetchBodySource.h:44)

It seems like JS built-ins are not properly set up since they are not callable here.
Comment 6 Eric Hutchison 2021-10-22 11:58:40 PDT
https://trac.webkit.org/changeset/284706/webkit: updated test expectations as test is also crashing on iOS15
Comment 7 youenn fablet 2021-12-13 05:52:12 PST
Latest crash is at https://build.webkit.org/results/Apple-Monterey-Debug-AppleSilicon-WK1-Tests/r286611%20(365)/http/wpt/fetch/fetch-response-body-stop-in-worker-crash-log.txt.

What happens is that, if enqueue fails due to a termination error, we fail the response, which errors the source that is already errored.
We should just exit early when erroring the source the second time.
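The double-error path described in comment 7, as an added illustration (a hypothetical C++ model, not WebKit's own classes): a source that was already errored gets errored again once enqueue fails after worker termination, and the second call reaches into JS built-ins that are no longer callable. Calling into the torn-down context is modelled as a thrown exception standing in for the assertion in the trace above; the early-exit guard is the fix the comment proposes.

```cpp
#include <stdexcept>
#include <string>

// Hypothetical stand-in for ReadableStreamDefaultController (not WebKit code).
struct StreamController {
    bool terminated = false;   // worker teardown: JS built-ins are no longer callable
    int jsErrorCalls = 0;      // how many times the JS error built-in was invoked

    bool enqueue(const std::string&) {
        return !terminated;    // enqueue fails with a termination error once torn down
    }
    void errorStream() {
        if (terminated)
            throw std::logic_error("stream built-in invoked after termination");
        ++jsErrorCalls;
    }
};

// Hypothetical stand-in for FetchBodySource (not WebKit code).
struct BodySource {
    StreamController& controller;
    bool isErrored;
    bool exitEarlyWhenErrored;  // true = the early-exit fix from comment 7

    void error() {
        if (exitEarlyWhenErrored && isErrored)
            return;             // already errored: nothing left to tell JS, do not call back in
        isErrored = true;
        controller.errorStream();
    }
};

// Loader callback: a failed enqueue fails the response, which errors the source.
void didReceiveData(StreamController& c, BodySource& s, const std::string& chunk) {
    if (!c.enqueue(chunk))
        s.error();
}

// Replays the race: the source is errored while JS is alive, the worker is then
// terminated, and a late chunk arrives. Returns true if no torn-down built-in was hit.
bool replayTerminationRace(bool withFix) {
    StreamController controller;
    BodySource source{controller, false, withFix};
    source.error();                  // first error, JS built-ins still callable
    controller.terminated = true;    // worker context torn down
    try {
        didReceiveData(controller, source, "late chunk");  // enqueue fails -> error again
    } catch (const std::logic_error&) {
        return false;                // the crash in the trace
    }
    return source.isErrored && controller.jsErrorCalls == 1;
}
```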
Comment 8 youenn fablet 2021-12-13 06:28:17 PST
Created attachment 446999 [details]
Patch
Comment 9 youenn fablet 2021-12-21 09:21:49 PST
Marking as configuration changed, since test is no longer crashing after Mark's changes.