Bug 230717

Summary: [Catalina BigSur wk1 Debug ] resize-observer/delete-observers-in-callbacks.html is a flaky crash
Product: WebKit
Reporter: Eric Hutchison <ehutchison>
Component: CSS
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: ehutchison, koivisto, webkit-bot-watchers-bugzilla, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
See Also: https://bugs.webkit.org/show_bug.cgi?id=230245
Attachments:
Crash Log (flags: none)

Description Eric Hutchison 2021-09-23 14:23:56 PDT
Created attachment 439091 [details]
Crash Log

resize-observer/delete-observers-in-callbacks.html

is a flaky crash on BigSur/Catalina wk1 Debug.

History: https://results.webkit.org/?suite=layout-tests&test=resize-observer/delete-observers-in-callbacks.html

Results: https://ews-build.webkit.org/#/builders/56/builds/15816, https://build.webkit.org/results/Apple-BigSur-Debug-WK1-Tests/r282862%20(4285)/results.html, https://build.webkit.org/results/Apple-BigSur-Debug-WK1-Tests/r282862%20(4285)/results.html

Crash Log attached

CRASHING TEST: resize-observer/delete-observers-in-callbacks.html

Thread 0 Crashed:
0   com.apple.JavaScriptCore      	0x00000001041d3906 adjustStat + 76 (Heap.cpp:105) [inlined]
1   com.apple.JavaScriptCore      	0x00000001041d3906 adjustFreeableMemory + 106 (Heap.cpp:118) [inlined]
2   com.apple.JavaScriptCore      	0x00000001041d3906 bmalloc::Heap::decommitLargeRange(std::__1::unique_lock<bmalloc::Mutex>&, bmalloc::LargeRange&, bmalloc::BulkDecommit&) + 486 (Heap.cpp:146)
3   com.apple.JavaScriptCore      	0x00000001041d41dc bmalloc::Heap::scavenge(std::__1::unique_lock<bmalloc::Mutex>&, bmalloc::BulkDecommit&, unsigned long&) + 1548 (Heap.cpp:199)
4   com.apple.JavaScriptCore      	0x00000001041e457d bmalloc::Scavenger::scavenge() + 205 (Scavenger.cpp:208)
5   com.apple.JavaScriptCore      	0x00000001041c7b26 bmalloc::api::scavenge() + 134 (bmalloc.cpp:142)
6   com.apple.JavaScriptCore      	0x0000000104096be9 WTF::releaseFastMallocFreeMemory() + 9 (FastMalloc.cpp:638)
7   com.apple.WebCore             	0x000000012c55b6c5 WebCore::GCController::garbageCollectNow() + 117 (GCController.cpp:97)
8   com.apple.WebKitLegacy        	0x000000010c9d6c3d +[WebCoreStatistics garbageCollectJavaScriptObjects] + 29 (WebCoreStatistics.mm:108)
9   DumpRenderTree                	0x000000010297acb3 GCController::collect() const + 35 (GCControllerMac.mm:38)
10  DumpRenderTree                	0x000000010297ab76 collectCallback(OpaqueJSContext const*, OpaqueJSValue*, OpaqueJSValue*, unsigned long, OpaqueJSValue const* const*, OpaqueJSValue const**) + 54 (GCController.cpp:39)
11  com.apple.JavaScriptCore      	0x0000000104858b9a long long JSC::APICallbackFunction::callImpl<JSC::JSCallbackFunction>(JSC::JSGlobalObject*, JSC::CallFrame*) + 618 (APICallbackFunction.h:61)
12  com.apple.JavaScriptCore      	0x000000010484c53d JSC::callJSCallbackFunction(JSC::JSGlobalObject*, JSC::CallFrame*) + 29 (JSCallbackFunction.cpp:42)
13  ???                           	0x000050c874401027 0 + 88821874036775
14  com.apple.JavaScriptCore      	0x000000010471e87f llint_entry + 144485
15  com.apple.JavaScriptCore      	0x000000010471e92f llint_entry + 144661
16  com.apple.JavaScriptCore      	0x00000001046fb120 vmEntryToJavaScript + 289
17  com.apple.JavaScriptCore      	0x00000001056e329b JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 235 (JITCodeInlines.h:42)
18  com.apple.JavaScriptCore      	0x00000001056e3a77 JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1847 (Interpreter.cpp:900)
19  com.apple.JavaScriptCore      	0x0000000105ad8e3d JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 221 (CallData.cpp:57)
20  com.apple.JavaScriptCore      	0x0000000105ad8f1f JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 207 (CallData.cpp:64)
21  com.apple.JavaScriptCore      	0x0000000105ad9202 JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 130 (CallData.cpp:85)
22  com.apple.WebCore             	0x000000012c564d6e WebCore::JSExecState::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 110 (JSExecState.h:73)
23  com.apple.WebCore             	0x000000012c5649c0 WebCore::JSCallbackData::invokeCallback(WebCore::JSDOMGlobalObject&, JSC::JSObject*, JSC::JSValue, JSC::MarkedArgumentBufferWithSize<8ul>&, WebCore::JSCallbackData::CallbackType, JSC::PropertyName, WTF::NakedPtr<JSC::Exception>&) + 1504 (JSCallbackData.cpp:91)
24  com.apple.WebCore             	0x000000012aad367d WebCore::JSCallbackDataWeak::invokeCallback(JSC::JSValue, JSC::MarkedArgumentBufferWithSize<8ul>&, WebCore::JSCallbackData::CallbackType, JSC::PropertyName, WTF::NakedPtr<JSC::Exception>&) + 173 (JSCallbackData.h:113)
25  com.apple.WebCore             	0x000000012affacc5 WebCore::JSResizeObserverCallback::handleEvent(WebCore::ResizeObserver&, WTF::Vector<WTF::Ref<WebCore::ResizeObserverEntry, WTF::RawPtrTraits<WebCore::ResizeObserverEntry> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WebCore::ResizeObserver&) + 533 (JSResizeObserverCallback.cpp:77)
26  com.apple.WebCore             	0x000000012ddc5f45 WebCore::ResizeObserver::deliverObservations() + 965 (ResizeObserver.cpp:145)
27  com.apple.WebCore             	0x000000012cccf2ea WebCore::Document::deliverResizeObservations() + 154 (Document.cpp:8111)
28  com.apple.WebCore             	0x000000012cccf60a WebCore::Document::updateResizeObservations(WebCore::Page&) + 106 (Document.cpp:8141)
29  com.apple.WebCore             	0x000000012dd4a5b0 WebCore::Page::updateRendering()::$_28::operator()(WebCore::Document&) const + 32 (Page.cpp:1592)
30  com.apple.WebCore             	0x000000012dd4a543 WTF::Detail::CallableWrapper<WebCore::Page::updateRendering()::$_28, void, WebCore::Document&>::call(WebCore::Document&) + 51 (Function.h:53)
31  com.apple.WebCore             	0x000000012cc0e1ca WTF::Function<void (WebCore::Document&)>::operator()(WebCore::Document&) const + 154 (Function.h:82)
32  com.apple.WebCore             	0x000000012dcfca7c WebCore::Page::forEachDocument(WTF::Function<void (WebCore::Document&)> const&) const + 220 (Page.cpp:3354)
33  com.apple.WebCore             	0x000000012dd0417c WebCore::Page::updateRendering()::$_21::operator()(WebCore::RenderingUpdateStep, WTF::Function<void (WebCore::Document&)> const&) const + 92 (Page.cpp:1557)
34  com.apple.WebCore             	0x000000012dd03ddf WebCore::Page::updateRendering() + 927 (Page.cpp:1591)
35  com.apple.WebKitLegacy        	0x000000010c96d376 -[WebView(WebPrivate) _updateRendering] + 86 (WebView.mm:1730)
36  com.apple.WebKitLegacy        	0x000000010c976e34 -[WebView(WebPrivate) _forceRepaintForTesting] + 36 (WebView.mm:4426)
37  DumpRenderTree                	0x0000000102934617 updateDisplay() + 55 (DumpRenderTree.mm:1582)
38  DumpRenderTree                	0x0000000102933b63 dump() + 35 (DumpRenderTree.mm:1599)
39  DumpRenderTree                	0x00000001029fc991 TestRunner::forceImmediateCompletion() + 65 (TestRunnerMac.mm:290)
40  DumpRenderTree                	0x00000001029ebfa6 forceImmediateCompletionCallback(OpaqueJSContext const*, OpaqueJSValue*, OpaqueJSValue*, unsigned long, OpaqueJSValue const* const*, OpaqueJSValue const**) + 54 (TestRunner.cpp:1808)
41  com.apple.JavaScriptCore      	0x0000000104858b9a long long JSC::APICallbackFunction::callImpl<JSC::JSCallbackFunction>(JSC::JSGlobalObject*, JSC::CallFrame*) + 618 (APICallbackFunction.h:61)
42  com.apple.JavaScriptCore      	0x000000010484c53d JSC::callJSCallbackFunction(JSC::JSGlobalObject*, JSC::CallFrame*) + 29 (JSCallbackFunction.cpp:42)
43  ???                           	0x000050c874401027 0 + 88821874036775
44  com.apple.JavaScriptCore      	0x000000010471e92f llint_entry + 144661
45  com.apple.JavaScriptCore      	0x00000001046fb120 vmEntryToJavaScript + 289
46  com.apple.JavaScriptCore      	0x00000001056e329b JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 235 (JITCodeInlines.h:42)
47  com.apple.JavaScriptCore      	0x00000001056e3a77 JSC::Interpreter::executeCall(JSC::JSGlobalObject*, JSC::JSObject*, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1847 (Interpreter.cpp:900)
48  com.apple.JavaScriptCore      	0x0000000105ad8e3d JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 221 (CallData.cpp:57)
49  com.apple.JavaScriptCore      	0x0000000105ad8f1f JSC::call(JSC::JSGlobalObject*, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 207 (CallData.cpp:64)
50  com.apple.JavaScriptCore      	0x0000000105ad9202 JSC::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 130 (CallData.cpp:85)
51  com.apple.WebCore             	0x000000012c564d6e WebCore::JSExecState::profiledCall(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::JSValue, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 110 (JSExecState.h:73)
52  com.apple.WebCore             	0x000000012c6325e1 WebCore::ScheduledAction::executeFunctionInContext(JSC::JSGlobalObject*, JSC::JSValue, WebCore::ScriptExecutionContext&) + 1009 (ScheduledAction.cpp:121)
53  com.apple.WebCore             	0x000000012c632005 WebCore::ScheduledAction::execute(WebCore::Document&) + 277 (ScheduledAction.cpp:141)
54  com.apple.WebCore             	0x000000012c631ec3 WebCore::ScheduledAction::execute(WebCore::ScriptExecutionContext&) + 67 (ScheduledAction.cpp:86)
55  com.apple.WebCore             	0x000000012dbfa947 WebCore::DOMTimer::fired() + 1063 (DOMTimer.cpp:337)
56  com.apple.WebCore             	0x000000012df4c624 WebCore::ThreadTimers::sharedTimerFiredInternal() + 644 (ThreadTimers.cpp:127)
57  com.apple.WebCore             	0x000000012df52971 WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0::operator()() const + 33 (ThreadTimers.cpp:67)
58  com.apple.WebCore             	0x000000012df528fe WTF::Detail::CallableWrapper<WebCore::ThreadTimers::setSharedTimer(WebCore::SharedTimer*)::$_0, void>::call() + 30 (Function.h:53)
59  com.apple.WebCore             	0x0000000129ab07f2 WTF::Function<void ()>::operator()() const + 130 (Function.h:82)
60  com.apple.WebCore             	0x000000012def95cb WebCore::MainThreadSharedTimer::fired() + 139 (MainThreadSharedTimer.cpp:83)
61  com.apple.WebCore             	0x000000012dfe1436 WebCore::timerFired(__CFRunLoopTimer*, void*) + 38 (MainThreadSharedTimerCF.cpp:85)
62  com.apple.CoreFoundation      	0x00007fff204ca2b9 0x7fff20430000 + 631481
63  com.apple.CoreFoundation      	0x00007fff204c9dad 0x7fff20430000 + 630189
64  com.apple.CoreFoundation      	0x00007fff204c990a 0x7fff20430000 + 629002
65  com.apple.CoreFoundation      	0x00007fff204b04d3 0x7fff20430000 + 525523
66  com.apple.CoreFoundation      	0x00007fff204af64c 0x7fff20430000 + 521804
67  DumpRenderTree                	0x00000001029326cb runTest(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&) + 3323 (DumpRenderTree.mm:1963)
68  DumpRenderTree                	0x000000010293192a runTestingServerLoop() + 218 (DumpRenderTree.mm:1077)
69  DumpRenderTree                	0x0000000102931168 dumpRenderTree(int, char const**) + 616 (DumpRenderTree.mm:1190)
70  DumpRenderTree                	0x0000000102933262 DumpRenderTreeMain(int, char const**) + 114 (DumpRenderTree.mm:1301)
71  DumpRenderTree                	0x0000000102a1eba2 main + 34 (DumpRenderTreeMain.mm:34)
72  libdyld.dylib                 	0x00007fff203d3f5d 0x7fff203be000 + 89949
Comment 1 Radar WebKit Bug Importer 2021-09-23 14:25:05 PDT
<rdar://problem/83465437>
Comment 2 Eric Hutchison 2021-09-23 14:56:47 PDT
Updated test expectations at https://trac.webkit.org/changeset/283010/webkit

Unable to reproduce locally on BigSur, no access to Catalina for testing.
Comment 3 Eric Hutchison 2021-10-01 10:41:52 PDT
Removed test expectations: https://trac.webkit.org/changeset/283379/webkit