Bug 263845
| Summary: | REGRESSION(269895@main): ASSERTION FAILED: !m_deletionHasBegun for WebProcessPool | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Fujii Hironori <fujii.hironori> |
| Component: | WebKit2 | Assignee: | Fujii Hironori <fujii.hironori> |
| Status: | RESOLVED FIXED | ||
| Severity: | Normal | CC: | cdumez, kkinnunen, webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| See Also: | https://bugs.webkit.org/show_bug.cgi?id=263820 | ||
Fujii Hironori
REGRESSION(269895@main): ASSERTION FAILED: !m_deletionHasBegun for WebProcessPool
Windows port and GTK port Debug build are failing an assertion.
Buildbot: builder GTK-Linux-64-bit-Debug-Tests build 11576 (269898@main)
https://build.webkit.org/#/builders/63/builds/11576
ASSERTION FAILED: !m_deletionHasBegun
/app/webkit/WebKitBuild/GTK/Debug/WTF/Headers/wtf/ThreadSafeRefCounted.h(58) : void WTF::ThreadSafeRefCountedBase::ref() const
1 0x7ff9eeb4ca05 WTFCrash
2 0x7ff9eeb4ca1b WTFIsDebuggerAttached
3 0x7ff9f8483109 WTF::ThreadSafeRefCountedBase::ref() const
4 0x7ff9f880fbf5 WTF::Ref<WebKit::WebProcessPool, WTF::RawPtrTraits<WebKit::WebProcessPool> >::Ref(WebKit::WebProcessPool&)
5 0x7ff9f958bb9c WebKit::WebProcessProxy::protectedProcessPool() const
6 0x7ff9f95824d3 WebKit::WebProcessProxy::processWillShutDown(IPC::Connection&)
7 0x7ff9f9344eb2 WebKit::AuxiliaryProcessProxy::shutDownProcess()
8 0x7ff9f9582a2a WebKit::WebProcessProxy::shutDown()
9 0x7ff9f9572ed5 WebKit::WebProcessPool::~WebProcessPool()
10 0x7ff9f9573374 WebKit::WebProcessPool::~WebProcessPool()
11 0x7ff9f848339a WTF::ThreadSafeRefCounted<API::Object, (WTF::DestructionThread)0>::deref() const::{lambda()#1}::operator()() const
12 0x7ff9f84833e1 WTF::ThreadSafeRefCounted<API::Object, (WTF::DestructionThread)0>::deref() const
13 0x7ff9f95c9de1 WTF::DefaultRefDerefTraits<WebKit::WebProcessPool>::derefIfNotNull(WebKit::WebProcessPool*)
14 0x7ff9f95b84a2 WTF::RefPtr<WebKit::WebProcessPool, WTF::RawPtrTraits<WebKit::WebProcessPool>, WTF::DefaultRefDerefTraits<WebKit::WebProcessPool> >::~RefPtr()
15 0x7ff9f95acd84 WebKit::WebProcessProxy::WeakOrStrongPtr<WebKit::WebProcessPool>::~WeakOrStrongPtr()
16 0x7ff9f95807b6 WebKit::WebProcessProxy::~WebProcessProxy()
17 0x7ff9f958083e WebKit::WebProcessProxy::~WebProcessProxy()
18 0x7ff9f88181e4 WTF::ThreadSafeRefCounted<WebKit::AuxiliaryProcessProxy, (WTF::DestructionThread)2>::deref() const::{lambda()#1}::operator()() const
19 0x7ff9f882923c WTF::Detail::CallableWrapper<WTF::ThreadSafeRefCounted<WebKit::AuxiliaryProcessProxy, (WTF::DestructionThread)2>::deref() const::{lambda()#1}, void>::call()
20 0x7ff9ed58185b WTF::Function<void ()>::operator()() const
21 0x7ff9eebbcc10 WTF::ensureOnMainRunLoop(WTF::Function<void ()>&&)
22 0x7ff9f8818248 WTF::ThreadSafeRefCounted<WebKit::AuxiliaryProcessProxy, (WTF::DestructionThread)2>::deref() const
23 0x7ff9f8818018 WebKit::AuxiliaryProcessProxy::deref()
24 0x7ff9f8818301 WTF::Ref<WebKit::WebProcessProxy, WTF::RawPtrTraits<WebKit::WebProcessProxy> >::~Ref()
25 0x7ff9f9438a9c ~<lambda>
26 0x7ff9f948494c ~CallableWrapper
27 0x7ff9f9484974 ~CallableWrapper
28 0x7ff9eced7766 std::default_delete<WTF::Detail::CallableWrapperBase<void> >::operator()(WTF::Detail::CallableWrapperBase<void>*) const
29 0x7ff9eced3a6c std::unique_ptr<WTF::Detail::CallableWrapperBase<void>, std::default_delete<WTF::Detail::CallableWrapperBase<void> > >::~unique_ptr()
30 0x7ff9eced2fbe WTF::Function<void ()>::~Function()
31 0x7ff9eebe8b6f WTF::RunLoop::performWork()
Fujii Hironori
https://results.webkit.org/?suite=layout-tests&test=fast%2Fdom%2FWindow%2FaddEventListener-implicit-this.html
Fujii Hironori
Here is a crash log of Windows port.
Buildbot: builder WinCairo-64-bit-Debug-Tests build 21218 (269899@main)
https://build.webkit.org/#/builders/727/builds/21218
ASSERTION FAILED: !m_deletionHasBegun
C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf/ThreadSafeRefCounted.h(58) : ref
1 00007FF9078C1C19 WTFCrash
2 00007FF9078C1C39 WTFCrashWithSecurityImplication
3 00007FF8F91BBDAF WTF::ThreadSafeRefCountedBase::ref
4 00007FF8F9613D9E WTF::Ref<WebKit::WebProcessPool,WTF::RawPtrTraits<WebKit::WebProcessPool> >::Ref
5 00007FF8FA322FB2 WebKit::WebProcessProxy::protectedProcessPool
6 00007FF8FA3118B6 WebKit::WebProcessProxy::shutDown
7 00007FF8FA31301F WebKit::WebProcessPool::~WebProcessPool
8 00007FF8FA34E0F9 WebKit::WebProcessPool::~WebProcessPool
9 00007FF8F924F5A3 WTF::ThreadSafeRefCounted<API::Object,0>::deref::<lambda_1>::operator()
10 00007FF8F924F558 WTF::ThreadSafeRefCounted<API::Object,0>::deref
11 00007FF8FA3585F3 WTF::DefaultRefDerefTraits<WebKit::WebProcessPool>::derefIfNotNull
12 00007FF8FA358598 WTF::RefPtr<WebKit::WebProcessPool,WTF::RawPtrTraits<WebKit::WebProcessPool>,WTF::DefaultRefDerefTraits<WebKit::WebProcessPool> >::~RefPtr
13 00007FF8FA34806C WebKit::WebProcessProxy::WeakOrStrongPtr<WebKit::WebProcessPool>::~WeakOrStrongPtr
14 00007FF8FA32217A WebKit::WebProcessProxy::~WebProcessProxy
15 00007FF8FA34E189 WebKit::WebProcessProxy::~WebProcessProxy
16 00007FF8F9618593 WTF::ThreadSafeRefCounted<WebKit::AuxiliaryProcessProxy,2>::deref::<lambda_1>::operator()
17 00007FF8F9618537 WTF::Detail::CallableWrapper<`lambda at C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf/ThreadSafeRefCounted.h:114:27',void>::call
18 00007FF9078D7E24 WTF::Function<void ()>::operator()
19 00007FF90792E025 WTF::ensureOnMainRunLoop
20 00007FF8F9618278 WTF::ThreadSafeRefCounted<WebKit::AuxiliaryProcessProxy,2>::deref
21 00007FF8F96181E7 WebKit::AuxiliaryProcessProxy::deref
22 00007FF8F9617C5B WTF::Ref<WebKit::WebProcessProxy,WTF::RawPtrTraits<WebKit::WebProcessProxy> >::~Ref
23 00007FF8FA20B1FA WebKit::WebPageProxy::close::<lambda_5>::~(lambda at C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebKit\UIProcess/WebPageProxy.cpp:1482:33)
24 00007FF8FA243BB6 WTF::Detail::CallableWrapper<`lambda at C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebKit\UIProcess/WebPageProxy.cpp:1482:33',void>::~CallableWrapper
25 00007FF8FA243B49 WTF::Detail::CallableWrapper<`lambda at C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebKit\UIProcess/WebPageProxy.cpp:1482:33',void>::~CallableWrapper
26 00007FF9078CD6F1 std::default_delete<WTF::Detail::CallableWrapperBase<void> >::operator()
27 00007FF9078CD6A7 std::unique_ptr<WTF::Detail::CallableWrapperBase<void>,std::default_delete<WTF::Detail::CallableWrapperBase<void> > >::~unique_ptr
28 00007FF9078CC363 WTF::Function<void ()>::~Function
29 00007FF90795AD54 WTF::RunLoop::performWork
30 00007FF907A2F140 WTF::RunLoop::wndProc
31 00007FF907A2F077 WTF::RunLoop::RunLoopWndProc
Fujii Hironori
WebProcessProxy::protectedProcessPool() converts WeakOrStrongPtr<WebProcessPool> to Ref<WebProcessPool> without checking the liveness.
https://github.com/WebKit/WebKit/blob/ce8774c6b1ee8874b8262d16ad65fc8a576762e2/Source/WebKit/UIProcess/WebProcessProxy.cpp#L2103-L2112
This is a dangerous anti-pattern.
Also, WeakPtr should return nullptr while the object is being destroyed.
Fujii Hironori
> 5 00007FF8FA322FB2 WebKit::WebProcessProxy::protectedProcessPool
> 6 00007FF8FA3118B6 WebKit::WebProcessProxy::shutDown
> 7 00007FF8FA31301F WebKit::WebProcessPool::~WebProcessPool
In this callstack, WebProcessPool is being destroyed.
~WebProcessPool calls WebProcessProxy::shutDown. This WebProcessProxy is prewarmed.
However, WebProcessProxy::shutDown calls WebProcessProxy::protectedProcessPool even though it doesn't retain the WebProcessPool ref counter.
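The two comments above describe a strong reference being taken on an object whose destructor is already running. The following is an added example, not WebKit code and not the fix that landed for this bug: a toy intrusive ref count with a liveness-checked upgrade. `RefCountedBase`, `tryRef`, `Pool`, `Proxy` and `runShutdown` are hypothetical names; only `m_deletionHasBegun` comes from the assertion message.

```cpp
#include <vector>

// Toy intrusive ref count; only m_deletionHasBegun is a name taken from the report.
class RefCountedBase {
public:
    // Checked upgrade: refuses to hand out a reference once destruction has started.
    bool tryRef() { if (m_deletionHasBegun) return false; ++m_refCount; return true; }
    void deref() { if (--m_refCount == 0) { m_deletionHasBegun = true; delete this; } }
protected:
    virtual ~RefCountedBase() = default;
private:
    unsigned m_refCount { 1 };
    bool m_deletionHasBegun { false };
};

struct Pool;
struct Proxy {
    Pool* pool { nullptr };       // non-owning back-pointer to the pool
    bool tookStrongRef { false };
    bool sawDyingPool { false };
    void shutDown();
};

struct Pool : RefCountedBase {
    std::vector<Proxy*> proxies;
    ~Pool() override { for (auto* proxy : proxies) proxy->shutDown(); } // destructor calls back into its proxies
};

void Proxy::shutDown() {
    if (!pool) return;
    // An unchecked ref()/deref() pair here would take the count 0 -> 1 -> 0 and
    // run `delete this` a second time while ~Pool is still on the stack.
    if (pool->tryRef()) { tookStrongRef = true; pool->deref(); }
    else sawDyingPool = true;
    pool = nullptr;
}

// Runs shutDown() either from ~Pool (last reference dropped) or while the pool is alive.
Proxy runShutdown(bool fromPoolDestructor) {
    Proxy proxy;
    Pool* pool = new Pool;
    proxy.pool = pool;
    if (fromPoolDestructor) pool->proxies.push_back(&proxy);
    else proxy.shutDown();
    pool->deref();
    return proxy;
}

int main() { return runShutdown(true).sawDyingPool && runShutdown(false).tookStrongRef ? 0 : 1; }
```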
Chris Dumez
Thanks for the report. I'll fix this shortly.
Chris Dumez
Pull request: https://github.com/WebKit/WebKit/pull/19690
EWS
Committed 269909@main (26b67379adea): <https://commits.webkit.org/269909@main>
Reviewed commits have been landed. Closing PR #19690 and removing active labels.
Radar WebKit Bug Importer
<rdar://problem/117654716>
Fujii Hironori
Re-opening for pull request https://github.com/WebKit/WebKit/pull/19694
EWS
Committed 269914@main (b75c1351a087): <https://commits.webkit.org/269914@main>
Reviewed commits have been landed. Closing PR #19694 and removing active labels.