Bug 225528

Summary:

[ BigSur ARM64, iOS 14 EWS] http/wpt/fetch/fetch-response-body-stop-in-worker.html is a flaky crash

Product:

WebKit

Reporter:

Robert Jenner <jenner>

Component:

WebCore Misc.

Assignee:

youenn fablet <youennf>

Status:

RESOLVED CONFIGURATION CHANGED

Severity:

Normal

CC:

ehutchison, webkit-bot-watchers-bugzilla, webkit-bug-importer, youennf, ysuzuki

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

See Also:

https://bugs.webkit.org/show_bug.cgi?id=225534

Attachments:

Description	Flags
Full crashlog	none
Patch	none

Robert Jenner

Reported 2021-05-07 11:34:29 PDT

http/wpt/fetch/fetch-response-body-stop-in-worker.html is a flaky crash on BigSur Apple Silicon Macs only. So far, it has only crashed on BigSur Release wk2, and BigSur Debug wk1. But so far has only been on Apple Silicon Macs. HISTORY: https://results.webkit.org/?suite=layout-tests&test=http%2Fwpt%2Ffetch%2Ffetch-response-body-stop-in-worker.html CRASH TEXT: Thread 7 Crashed:: WebCore: Worker 0 com.apple.JavaScriptCore 0x000000010a7ce350 structure + 0 (JSCellInlines.h:141) [inlined] 1 com.apple.JavaScriptCore 0x000000010a7ce350 globalObject + 0 (JSObject.h:877) [inlined] 2 com.apple.JavaScriptCore 0x000000010a7ce350 JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 128 (Interpreter.cpp:865) 3 com.apple.JavaScriptCore 0x000000010a7ce318 isCollectorBusyOnCurrentThread + 8 (VM.h:1033) [inlined] 4 com.apple.JavaScriptCore 0x000000010a7ce318 JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 72 (Interpreter.cpp:851) 5 com.apple.WebCore 0x0000000105a35fc8 invokeReadableStreamDefaultControllerFunction + 200 (ReadableStreamDefaultController.cpp:52) [inlined] 6 com.apple.WebCore 0x0000000105a35fc8 WebCore::ReadableStreamDefaultController::enqueue(JSC::JSValue) + 412 (ReadableStreamDefaultController.cpp:105) 7 com.apple.WebCore 0x0000000105a361b0 WebCore::ReadableStreamDefaultController::enqueue(WTF::RefPtr<JSC::ArrayBuffer, WTF::RawPtrTraits<JSC::ArrayBuffer>, WTF::DefaultRefDerefTraits<JSC::ArrayBuffer> >&&) + 344 (ReadableStreamDefaultController.cpp:128) 8 com.apple.WebCore 0x000000010567cb90 enqueue + 20 (FetchBodySource.h:44) [inlined] 9 com.apple.WebCore 0x000000010567cb90 WebCore::FetchResponse::BodyLoader::didReceiveData(char const*, unsigned long) + 312 (FetchResponse.cpp:373) 10 com.apple.WebCore 0x000000010619b770 didReceiveData + 12 (ThreadableLoaderClientWrapper.h:72) [inlined] 11 com.apple.WebCore 0x000000010619b770 operator() + 32 (WorkerThreadableLoader.cpp:238) [inlined] 12 com.apple.WebCore 0x000000010619b770 WTF::Detail::CallableWrapper<WebCore::WorkerThreadableLoader::MainThreadBridge::didReceiveData(char const*, int)::$_17, void, WebCore::ScriptExecutionContext&>::call(WebCore::ScriptExecutionContext&) + 56 (Function.h:52) 13 com.apple.WebCore 0x000000010696198c operator() + 20 (Function.h:83) [inlined] 14 com.apple.WebCore 0x000000010696198c performTask + 20 (ScriptExecutionContext.h:203) [inlined] 15 com.apple.WebCore 0x000000010696198c performTask + 36 (WorkerRunLoop.cpp:270) [inlined] 16 com.apple.WebCore 0x000000010696198c WebCore::WorkerRunLoop::runInMode(WebCore::WorkerOrWorkletGlobalScope*, WebCore::ModePredicate const&, WebCore::WorkerRunLoop::WaitMode) + 392 (WorkerRunLoop.cpp:209) 17 com.apple.WebCore 0x00000001069617a0 WebCore::WorkerRunLoop::run(WebCore::WorkerOrWorkletGlobalScope*) + 100 (WorkerRunLoop.cpp:143) 18 com.apple.WebCore 0x000000010695d0ec WebCore::WorkerOrWorkletThread::workerOrWorkletThread() + 744 (WorkerOrWorkletThread.cpp:146) 19 com.apple.JavaScriptCore 0x0000000109f38338 operator() + 16 (Function.h:83) [inlined] 20 com.apple.JavaScriptCore 0x0000000109f38338 WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) + 136 (Threading.cpp:185) 21 com.apple.JavaScriptCore 0x0000000109f3a6e8 WTF::wtfThreadEntryPoint(void*) + 12 (ThreadingPOSIX.cpp:241) 22 libsystem_pthread.dylib 0x000000018dc9606c _pthread_start + 320 23 libsystem_pthread.dylib 0x000000018dc90da0 thread_start + 8 https://build.webkit.org/results/Apple-BigSur-Release-AppleSilicon-WK2-Tests/r277174%20(1348)/http/wpt/fetch/fetch-response-body-stop-in-worker-crash-log.txt

Attachments
Full crashlog (77.16 KB, text/plain) 2021-05-07 11:35 PDT, Robert Jenner	no flags	Details
Patch (4.50 KB, patch) 2021-12-13 06:28 PST, youenn fablet	no flags	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Robert Jenner

Comment 1 2021-05-07 11:35:10 PDT

Created attachment 428014 [details] Full crashlog Attaching full crashlog to bug.

Radar WebKit Bug Importer

Comment 2 2021-05-07 17:01:01 PDT

<rdar://problem/77679378>

Robert Jenner

Comment 3 2021-05-10 15:35:23 PDT

This only appears to occur on Apple Silicon Macs. As such, I cannot reproduce the failure, as I do not have access to said system type. I have updated the test expectations here to Pass Crash for arm64 only: https://trac.webkit.org/changeset/277300/webkit

youenn fablet

Comment 4 2021-05-10 23:53:35 PDT

Another crash log: Thread 32 Crashed:: WebCore: Worker 0 com.apple.JavaScriptCore 0x00000001022b7120 WTFCrash + 20 (Assertions.cpp:305) 1 com.apple.WebCore 0x00000001237995c0 WTFCrashWithInfo(int, char const*, char const*, int) + 32 (Assertions.h:695) 2 com.apple.WebCore 0x0000000125cf43b8 WebCore::invokeReadableStreamDefaultControllerFunction(JSC::JSGlobalObject&, JSC::Identifier const&, JSC::MarkedArgumentBuffer const&) + 220 (ReadableStreamDefaultController.cpp:48) 3 com.apple.WebCore 0x0000000125cf4818 WebCore::ReadableStreamDefaultController::enqueue(JSC::JSValue) + 220 (ReadableStreamDefaultController.cpp:105) 4 com.apple.WebCore 0x0000000125cf4a74 WebCore::ReadableStreamDefaultController::enqueue(WTF::RefPtr<JSC::ArrayBuffer, WTF::RawPtrTraits<JSC::ArrayBuffer>, WTF::DefaultRefDerefTraits<JSC::ArrayBuffer> >&&) + 524 (ReadableStreamDefaultController.cpp:128) 5 com.apple.WebCore 0x0000000124fdf474 WebCore::FetchBodySource::enqueue(WTF::RefPtr<JSC::ArrayBuffer, WTF::RawPtrTraits<JSC::ArrayBuffer>, WTF::DefaultRefDerefTraits<JSC::ArrayBuffer> >&&) + 64 (FetchBodySource.h:44) It seems like JS built-ins are non properly setup since they are not callable here.

Eric Hutchison

Comment 5 2021-09-17 15:58:57 PDT

Crash appears to now appear on iOS in EWS. Crash Log: https://ews-build.s3-us-west-2.amazonaws.com/iOS-14-Simulator-WK2-Tests-EWS/r435451-19069/http/wpt/fetch/fetch-response-body-stop-in-worker-crash-log.txt Build: https://ews-build.webkit.org/#/builders/51/builds/19069 Updated test expectations at https://trac.webkit.org/changeset/282700/webkit

Eric Hutchison

Comment 6 2021-10-22 11:58:40 PDT

https://trac.webkit.org/changeset/284706/webkit: updated test expectations as test is also crashing on iOS15

youenn fablet

Comment 7 2021-12-13 05:52:12 PST

Latest crash is at https://build.webkit.org/results/Apple-Monterey-Debug-AppleSilicon-WK1-Tests/r286611%20(365)/http/wpt/fetch/fetch-response-body-stop-in-worker-crash-log.txt. What happens is that, if enqueue fails due to a termination error, we fail the response, which errors the source that is already errored. We should just exit early when erroring the source the second time.

youenn fablet

Comment 8 2021-12-13 06:28:17 PST

Created attachment 446999 [details] Patch

youenn fablet

Comment 9 2021-12-21 09:21:49 PST

Marking as configuration changed, since test is no longer crashing after Mark's changes.

Note You need to log in before you can comment on or make changes to this bug.