Bug 245815

Summary: REGRESSION(254283@main): [WK1] fast/workers/worker-copy-shared-blob-url.html is crashing
Product: WebKit
Reporter: Fujii Hironori <Hironori.Fujii>
Component: New Bugs
Assignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED
Severity: Normal
CC: cdumez, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments:
Description | Flags
WinCairo WK1 Release crash log | none
AppleWin EWS crash log | none

Fujii Hironori
Reported 2022-09-28 21:34:10 PDT
[Win] fast/workers/worker-crash-with-invalid-location.html is crashing
AppleWin WK1 and WinCairo WK1 are crashing.

Callstack of AppleWin EWS:

 # Child-SP RetAddr Call Site
00 (Inline Function) --------`-------- WTF!WTF::StringImpl::setIsAtom [C:\cygwin\home\buildbot\worker\Windows-EWS\build\Source\WTF\wtf\text\StringImpl.h @ 1095]
01 00000012`5c57de60 00007ffa`02eb6a66 WTF!WTF::AtomStringTable::~AtomStringTable(void)+0x122 [C:\cygwin\home\buildbot\worker\Windows-EWS\build\Source\WTF\wtf\text\AtomStringTable.cpp @ 31]
02 00000012`5c57deb0 00007ff9`e3985e6e WTF!WTF::Thread::~Thread(void)+0x66 [C:\cygwin\home\buildbot\worker\Windows-EWS\build\Source\WTF\wtf\win\ThreadingWin.cpp @ 107]
03 00000012`5c57dee0 00007ff9`e39c85de WebKit!WebCore::WorkerOrWorkletThread::~WorkerOrWorkletThread(void)+0xee [C:\cygwin\home\buildbot\worker\Windows-EWS\build\Source\WebCore\workers\WorkerOrWorkletThread.cpp @ 82]
04 (Inline Function) --------`-------- WebKit!WebCore::DedicatedWorkerThread::{dtor}+0x14 [C:\cygwin\home\buildbot\worker\Windows-EWS\build\Source\WebCore\workers\DedicatedWorkerThread.cpp @ 48]
05 00000012`5c57df20 00007ff9`e32f80ab WebKit!WebCore::DedicatedWorkerThread::`scalar deleting destructor'(void)+0x1e
06 (Inline Function) --------`-------- WebKit!WTF::ThreadSafeRefCounted<WTF::SharedTask<void __cdecl+0x17 [C:\cygwin\home\buildbot\worker\Windows-EWS\build\WebKitBuild\Release\DerivedSources\ForwardingHeaders\wtf\ThreadSafeRefCounted.h @ 117]
07 (Inline Function) --------`-------- WebKit!WTF::ThreadSafeRefCounted<WTF::SharedTask<void __cdecl+0x29 [C:\cygwin\home\buildbot\worker\Windows-EWS\build\WebKitBuild\Release\DerivedSources\ForwardingHeaders\wtf\ThreadSafeRefCounted.h @ 129]
08 (Inline Function) --------`-------- WebKit!WTF::Ref<WTF::SharedTask<void __cdecl+0x3c [C:\cygwin\home\buildbot\worker\Windows-EWS\build\WebKitBuild\Release\DerivedSources\ForwardingHeaders\wtf\Ref.h @ 61]
09 00000012`5c57df50 00007ffa`02e5d2be WebKit!WTF::Detail::CallableWrapper<`WebCore::ScriptController::executeAsynchronousUserAgentScriptInWorld'::`2'::<lambda_3>,__int64,JSC::JSGlobalObject *,JSC::CallFrame *>::`scalar deleting destructor'(void)+0x4b
0a (Inline Function) --------`-------- WTF!std::default_delete<WTF::Detail::CallableWrapperBase<void> >::operator()+0xb [C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.31.31103\include\memory @ 3125]
0b (Inline Function) --------`-------- WTF!std::unique_ptr<WTF::Detail::CallableWrapperBase<void>,std::default_delete<WTF::Detail::CallableWrapperBase<void> > >::{dtor}+0xd [C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.31.31103\include\memory @ 3233]
0c 00000012`5c57df80 00007ffa`02eb644c WTF!WTF::RunLoop::performWork(void)+0x27e [C:\cygwin\home\buildbot\worker\Windows-EWS\build\Source\WTF\wtf\RunLoop.cpp @ 140]
0d (Inline Function) --------`-------- WTF!WTF::RunLoop::wndProc+0x36 [C:\cygwin\home\buildbot\worker\Windows-EWS\build\Source\WTF\wtf\win\RunLoopWin.cpp @ 56]
0e 00000012`5c57dfe0 00007ffa`20e8e858 WTF!WTF::RunLoop::RunLoopWndProc(struct HWND__ * hWnd = 0x00000000`0338087c, unsigned int message = 0x401, unsigned int64 wParam = 0x0000011f`5d367610, int64 lParam = 0n0)+0x5c [C:\cygwin\home\buildbot\worker\Windows-EWS\build\Source\WTF\wtf\win\RunLoopWin.cpp @ 39]
0f 00000012`5c57e040 00007ffa`20e8e299 USER32!UserCallWinProcCheckWow+0x2f8
10 00000012`5c57e1d0 00007ffa`09bc48a8 USER32!DispatchMessageWorker+0x249
11 00000012`5c57e250 00007ffa`09bc680f DumpRenderTreeLib!runTest(class std::basic_string<char,std::char_traits<char>,std::allocator<char> > * inputLine = <Value unavailable error>)+0xb78 [C:\cygwin\home\buildbot\worker\Windows-EWS\build\Tools\DumpRenderTree\win\DumpRenderTree.cpp @ 1315]
12 00000012`5c57ef10 00007ff6`3b042fbd DumpRenderTreeLib!main(int argc = <Value unavailable error>, char ** argv = <Value unavailable error>)+0x53f [C:\cygwin\home\buildbot\worker\Windows-EWS\build\Tools\DumpRenderTree\win\DumpRenderTree.cpp @ 1667]
13 00000012`5c57f830 00007ff6`3b043870 DumpRenderTree!main(int argc = 0n2, char ** argv = 0x0000011f`5d2f4d80)+0x81d [C:\cygwin\home\buildbot\worker\Windows-EWS\build\Tools\win\DLLLauncher\DLLLauncherMain.cpp @ 223]
14 (Inline Function) --------`-------- DumpRenderTree!invoke_main+0x22 [d:\a01\_work\43\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 78]
15 00000012`5c57fbc0 00007ffa`1fa57034 DumpRenderTree!__scrt_common_main_seh(void)+0x10c [d:\a01\_work\43\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 288]
16 00000012`5c57fc00 00007ffa`21362651 KERNEL32!BaseThreadInitThunk+0x14
17 00000012`5c57fc30 00000000`00000000 ntdll!RtlUserThreadStart+0x21
Attachments
WinCairo WK1 Release crash log (55.50 KB, text/plain)
2022-09-28 21:38 PDT, Fujii Hironori
no flags
AppleWin EWS crash log (172.63 KB, text/plain)
2022-09-28 21:39 PDT, Fujii Hironori
no flags
Fujii Hironori
Comment 1 2022-09-28 21:37:09 PDT
Fujii Hironori
Comment 3 2022-09-28 21:39:48 PDT
Created attachment 462698 [details] AppleWin EWS crash log
Fujii Hironori
Comment 4 2022-09-28 23:54:55 PDT
fast/workers/worker-copy-shared-blob-url.html makes the following test crash. Skipping fast/workers/worker-copy-shared-blob-url.html works around the crash.
Fujii Hironori
Comment 5 2022-09-29 00:18:01 PDT
Mac WK1 can reproduce the crash.

> run-webkit-tests --debug fast/workers/worker-copy-shared-blob-url.html --iterations=100 -f1
Fujii Hironori
Comment 6 2022-09-29 00:30:20 PDT
Mac WK1 Debug reported an assertion failure.

ASSERTION FAILED: The string being removed is an atom in the string table of an other thread!
iterator != atomStringTable.end()
/Volumes/Data/webkit/ga/Source/WTF/wtf/text/AtomStringImpl.cpp(458) : static void WTF::AtomStringImpl::remove(WTF::AtomStringImpl *)
1 0x7ff7b8081740 (null)
2 0x11f73b885 (null)
3 0x1f1d0e2885 (null)
4 0x7ff7b8081740 (null)
5 0x7ff7b80816f8 (null)
6 0x7ff7b8081710 (null)
7 0x11d0e2a1f WTFPrintBacktrace
8 0x7ff7b8081710 (null)
9 0x1201147a0 vtable for CrashLogPrintStream
10 0x1fb808172c (null)
11 0x7ff7b8081740 (null)
12 0x7ff7b8081840 (null)
13 0x11d0e29bf WTFReportBacktrace
14 0x3000000010 (null)
15 0x211f73d1ea (null)
16 0x11d1c6dbf WTFGetBacktrace
17 0x11d0e29a6 WTFReportBacktrace
18 0x11d0e2aa9 WTFCrash
19 0x11d0ece29 WTF::AtomStringImpl::remove(WTF::AtomStringImpl*)
20 0x11d1cc685 WTF::StringImpl::~StringImpl()
21 0x11d1cca25 WTF::StringImpl::~StringImpl()
22 0x11d1cca45 WTF::StringImpl::destroy(WTF::StringImpl*)
23 0x17443d3ff WTF::StringImpl::deref()
24 0x1744432ce WTF::DefaultRefDerefTraits<WTF::StringImpl>::derefIfNotNull(WTF::StringImpl*)
25 0x174443299 WTF::RefPtr<WTF::StringImpl, WTF::RawPtrTraits<WTF::StringImpl>, WTF::DefaultRefDerefTraits<WTF::StringImpl> >::~RefPtr()
26 0x174443135 WTF::RefPtr<WTF::StringImpl, WTF::RawPtrTraits<WTF::StringImpl>, WTF::DefaultRefDerefTraits<WTF::StringImpl> >::~RefPtr()
27 0x174443a35 WTF::String::~String()
28 0x1744424e5 WTF::String::~String()
29 0x17456db85 WTF::URL::~URL()
30 0x17456cb45 WTF::URL::~URL()
31 0x1781c1f72 WebCore::URLKeepingBlobAlive::~URLKeepingBlobAlive()
Fujii Hironori
Comment 7 2022-09-29 00:49:12 PDT
URLKeepingBlobAlive was introduced by 254283@main (bug#244922).
Chris Dumez
Comment 8 2022-09-29 14:16:53 PDT
(In reply to Fujii Hironori from comment #5)
> Mac WK1 can reproduce the crash.
>
> > run-webkit-tests --debug fast/workers/worker-copy-shared-blob-url.html --iterations=100 -f1

I can reproduce this way, Thanks. I will fix.
Chris Dumez
Comment 9 2022-09-29 15:06:42 PDT
EWS
Comment 10 2022-09-30 08:03:22 PDT
Committed 255028@main (4123405e0625): <https://commits.webkit.org/255028@main> Reviewed commits have been landed. Closing PR #4839 and removing active labels.
Radar WebKit Bug Importer
Comment 11 2022-09-30 08:04:17 PDT