Bug 230662

Seen in WK1 tests: 2021-09-22 12:21:01.415 DumpRenderTree[58389:29549883] *** WARNING: Method convertPointToBase: in class NSView is deprecated on 10.7 and later. It should not be used in new applications. ASSERTION FAILED: Unsafe to ref/deref from different threads m_isOwnedByMainThread == isMainThread() /Volumes/Data/worker/bigsur-debug/build/WebKitBuild/Debug/usr/local/include/wtf/RefCounted.h(114) : void WTF::RefCountedBase::applyRefDerefThreadingCheck() const 1 0x107107539 WTFCrash 2 0x12849df91 WTF::RefCountedBase::applyRefDerefThreadingCheck() const 3 0x12849dd6c WTF::RefCountedBase::derefBase() const 4 0x12850920f WTF::RefCounted<WebCore::SharedBuffer, std::__1::default_delete<WebCore::SharedBuffer> >::deref() const 5 0x1285091dc WTF::Ref<WebCore::SharedBuffer, WTF::RawPtrTraits<WebCore::SharedBuffer> >::~Ref() 6 0x1284fe755 WTF::Ref<WebCore::SharedBuffer, WTF::RawPtrTraits<WebCore::SharedBuffer> >::~Ref() 7 0x1289ba0ea WebCore::SourceBufferParserAVFObjC::appendData(WebCore::SourceBufferParser::Segment&&, WTF::CompletionHandler<void ()>&&, WebCore::SourceBufferParser::AppendFlags) 8 0x1289cbf7c WebCore::SourceBufferPrivateAVFObjC::append(WTF::Ref<WebCore::SharedBuffer, WTF::RawPtrTraits<WebCore::SharedBuffer> >&&)::$_13::operator()() 9 0x1289cbeac invocation function for block in WebCore::SourceBufferPrivateAVFObjC::append(WTF::Ref<WebCore::SharedBuffer, WTF::RawPtrTraits<WebCore::SharedBuffer> >&&) 10 0x7fff2020d623 _dispatch_call_block_and_release 11 0x7fff2020e806 _dispatch_client_callout 12 0x7fff202111b0 _dispatch_continuation_pop 13 0x7fff20210887 _dispatch_async_redirect_invoke 14 0x7fff2021d818 _dispatch_root_queue_drain 15 0x7fff2021df70 _dispatch_worker_thread2 16 0x7fff203b5417 _pthread_wqthread 17 0x7fff203b442f start_wqthread The issue at hand is that the call to dispatch_async takes an objective-C block ; which doesn't move the rvalue but instead copy it. So we end up with all the captured objects being copied which increase the refcount to the SharedBuffer. Due to a race with the task being run (and destructed) on the source buffer parser thread before the dispatch_async returns, and trigger the assertion. The quick fix is to make SharedBuffer have a thread-safe refcount ; long term fix would be to have the SourceBufferPrivateAVFObjC use a WorkQueue instead, but due to how it would be used with the SourceBufferPrivate, it needs extra method (such as WaitUntilIdle() )