Bug 270328

Summary: IPC testing API tries to allocate JS objects during sweeping
Product: WebKit Reporter: Ryosuke Niwa <rniwa>
Component: Service WorkersAssignee: Ryosuke Niwa <rniwa>
Status: RESOLVED FIXED    
Severity: Normal Keywords: InRadar
Priority: P2    
Version: Other   
Hardware: Unspecified   
OS: Unspecified   

Ryosuke Niwa
Reported 2024-02-29 17:06:06 PST
e.g. * thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BREAKPOINT (code=1, subcode=0x280008f3c) frame #0: 0x0000000280008f3c JavaScriptCore`::WTFCrash() at Assertions.cpp:325:5 frame #1: 0x0000000282380308 JavaScriptCore`WTFCrashWithInfo((null)=37, (null)="./heap/AllocatingScope.h", (null)="JSC::AllocatingScope::AllocatingScope(Heap &)", (null)=2858) at Assertions.h:768:5 * frame #2: 0x000000028523c390 JavaScriptCore`JSC::AllocatingScope::AllocatingScope(this=0x0000000106b83db0, heap=0x0000000116064888) at AllocatingScope.h:37:9 frame #3: 0x000000028522e6a0 JavaScriptCore`JSC::AllocatingScope::AllocatingScope(this=0x0000000106b83db0, heap=0x0000000116064888) at AllocatingScope.h:36:5 frame #4: 0x000000028522dd00 JavaScriptCore`JSC::LocalAllocator::allocateSlowCase(this=0x000000010c378a20, heap=0x0000000116064888, cellSize=64, deferralContext=0x0000000000000000, failureMode=Assert) at LocalAllocator.cpp:123:21 frame #5: 0x000000012788b2d8 WebKit`JSC::LocalAllocator::allocate(this=0x0000000106c23270)::'lambda'()::operator()() const at LocalAllocatorInlines.h:41:43 frame #6: 0x000000012788acc4 WebKit`JSC::HeapCell* JSC::FreeList::allocateWithCellSize<JSC::LocalAllocator::allocate(JSC::Heap&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::'lambda'()>(this=0x000000010c378a38, slowPath=0x0000000106c23270, cellSize=64) at FreeListInlines.h:44:16 frame #7: 0x00000001279f3108 WebKit`JSC::LocalAllocator::allocate(this=0x000000010c378a20, heap=0x0000000116064888, cellSize=64, deferralContext=0x0000000000000000, failureMode=Assert) at LocalAllocatorInlines.h:38:23 frame #8: 0x000000012788aa0c WebKit`JSC::Allocator::allocate(this=0x0000000106a80460, heap=0x0000000116064888, cellSize=64, context=0x0000000000000000, mode=Assert) const at AllocatorInlines.h:35:30 frame #9: 0x000000012788a448 WebKit`JSC::CompleteSubspace::allocate(this=0x0000000116068268, vm=0x0000000116064800, cellSize=64, deferralContext=0x0000000000000000, failureMode=Assert) at CompleteSubspaceInlines.h:39:26 frame #10: 0x000000012e2f3e14 WebKit`void* JSC::tryAllocateCellHelper<JSC::JSFinalObject, (JSC::AllocationFailureMode)0>(vm=0x0000000116064800, size=64, deferralContext=0x0000000000000000) at JSCellInlines.h:191:63 frame #11: 0x000000012e2f38b4 WebKit`void* JSC::allocateCell<JSC::JSFinalObject>(vm=0x0000000116064800, size=64) at JSCellInlines.h:207:12 frame #12: 0x000000012e2f37a0 WebKit`JSC::JSFinalObject::createWithButterfly(vm=0x0000000116064800, structure=0x000000040000cd40, butterfly=0x0000000000000000) at JSObject.h:1355:9 frame #13: 0x000000012e2f3624 WebKit`JSC::JSFinalObject::create(vm=0x0000000116064800, structure=0x000000040000cd40) at JSObject.h:1363:12 frame #14: 0x000000012e2f35f0 WebKit`JSC::constructEmptyObject(vm=0x0000000116064800, structure=0x000000040000cd40) at ObjectConstructor.h:61:12 frame #15: 0x000000012e2f35a8 WebKit`JSC::constructEmptyObject(globalObject=0x000000010dc1e0e8, prototype=0x00000001599042d0, inlineCapacity=6) at ObjectConstructor.h:68:12 frame #16: 0x000000012e288280 WebKit`JSC::constructEmptyObject(globalObject=0x000000010dc1e0e8, prototype=0x00000001599042d0) at ObjectConstructor.h:73:12 frame #17: 0x000000012e28c488 WebKit`WebKit::IPCTestingAPI::JSMessageListener::jsDescriptionFromDecoder(this=0x0000000157ff1940, globalObject=0x000000010dc1e0e8, decoder=0x000000015e77f280) at IPCTestingAPI.cpp:2896:22 frame #18: 0x000000012e28e114 WebKit`WebKit::IPCTestingAPI::JSMessageListener::willSendMessage(this=0x0000000157ff1940, encoder=0x000000010be6e480, (null)=(m_storage = '\0')) at IPCTestingAPI.cpp:2885:25 frame #19: 0x000000012faedb3c WebKit`IPC::Connection::sendMessage(this=0x000000010b44be40, encoder=0x0000000106c22a50, sendOptions=(m_storage = '\0'), qos= Has Value=false ) at Connection.cpp:528:27 frame #20: 0x000000012fb63990 WebKit`IPC::MessageSender::sendMessage(this=0x000000010c674bc0, encoder=0x0000000106c22a50, sendOptions=(m_storage = '\0')) at MessageSender.cpp:40:24 frame #21: 0x000000012dee0af8 WebKit`bool IPC::MessageSender::send<Messages::WebSWServerConnection::RemoveServiceWorkerRegistrationInServer>(this=0x000000010c674bc0, message=0x0000000106b81860, destinationID=0, options=(m_storage = '\0')) at MessageSenderInlines.h:38:12 frame #22: 0x000000012de860b0 WebKit`bool IPC::MessageSender::send<Messages::WebSWServerConnection::RemoveServiceWorkerRegistrationInServer>(this=0x000000010c674bc0, message=0x0000000106b81860) at MessageSenderInlines.h:88:12 frame #23: 0x000000012de85d8c WebKit`WebKit::WebSWClientConnection::removeServiceWorkerRegistrationInServer(this=0x000000010c674bc0, identifier=WebCore::ServiceWorkerRegistrationIdentifier @ 0x0000000106b81820) at WebSWClientConnection.cpp:108:9 frame #24: 0x00000002ef6eb39c WebCore`WebCore::ServiceWorkerContainer::removeRegistration(this=0x0000000159a65300, registration=0x000000010ccfd780) at ServiceWorkerContainer.cpp:601:21 frame #25: 0x00000002ef7a5504 WebCore`WebCore::ServiceWorkerRegistration::~ServiceWorkerRegistration(this=0x000000010ccfd780) at ServiceWorkerRegistration.cpp:96:18 frame #26: 0x00000002ef7a5718 WebCore`WebCore::ServiceWorkerRegistration::~ServiceWorkerRegistration(this=0x000000010ccfd780) at ServiceWorkerRegistration.cpp:93:1 frame #27: 0x00000002e29f4e6c WebCore`std::__1::default_delete<WebCore::ServiceWorkerRegistration>::operator()[abi:v160006](this=0x0000000106a7e020, __ptr=0x000000010ccfd780) const at unique_ptr.h:65:5 frame #28: 0x00000002e29f4d88 WebCore`WTF::RefCounted<WebCore::ServiceWorkerRegistration, std::__1::default_delete<WebCore::ServiceWorkerRegistration>>::deref(this=0x000000010ccfd7a0) const at RefCounted.h:190:13 frame #29: 0x00000002ef7ac828 WebCore`WebCore::ServiceWorkerRegistration::derefEventTarget(this=0x000000010ccfd780) at ServiceWorkerRegistration.h:116:37 frame #30: 0x00000002dfc1edf8 WebCore`WebCore::EventTarget::deref(this=0x000000010ccfd780) at Node.h:897:9 frame #31: 0x00000002dfc1ec2c WebCore`WTF::Ref<WebCore::EventTarget, WTF::RawPtrTraits<WebCore::EventTarget>>::~Ref(this=0x000000010c4b0be0) at Ref.h:61:18 frame #32: 0x00000002dfc1e7e8 WebCore`WTF::Ref<WebCore::EventTarget, WTF::RawPtrTraits<WebCore::EventTarget>>::~Ref(this=0x000000010c4b0be0) at Ref.h:55:5 frame #33: 0x00000002e0f73f24 WebCore`WebCore::JSDOMWrapper<WebCore::EventTarget, WTF::RawPtrTraits<WebCore::EventTarget>>::~JSDOMWrapper(this=0x000000010c4b0bc8) at JSDOMWrapper.h:74:7 frame #34: 0x00000002e0f73ef0 WebCore`WebCore::JSEventTarget::~JSEventTarget(this=0x000000010c4b0bc8) at JSEventTarget.h:29:7 frame #35: 0x00000002e0e446d8 WebCore`WebCore::JSEventTarget::~JSEventTarget(this=0x000000010c4b0bc8) at JSEventTarget.h:29:7 frame #36: 0x00000002e0d7a03c WebCore`WebCore::JSEventTarget::destroy(cell=0x000000010c4b0bc8) at JSEventTarget.cpp:196:32 frame #37: 0x0000000286498b7c JavaScriptCore`JSC::JSDestructibleObjectDestroyFunc::operator()(this=0x0000000106a7dfa0, (null)=0x0000000116064800, cell=0x000000010c4b0bc8) const at JSDestructibleObjectHeapCellType.cpp:38:9 frame #38: 0x0000000286498a4c JavaScriptCore`JSC::JSDestructibleObjectHeapCellType::destroy(this=0x0000000116064f70, vm=0x0000000116064800, cell=0x000000010c4b0bc8) const at JSDestructibleObjectHeapCellType.cpp:58:5 frame #39: 0x00000002853038ec JavaScriptCore`JSC::Subspace::destroy(this=0x0000000159a845c0, vm=0x0000000116064800, cell=0x000000010c4b0bc8) at Subspace.cpp:65:21 frame #40: 0x00000002852ddec8 JavaScriptCore`JSC::PreciseAllocation::sweep(this=0x000000010c4b0b68) at PreciseAllocation.cpp:273:25 frame #41: 0x00000002852896e8 JavaScriptCore`JSC::MarkedSpace::sweepPreciseAllocations(this=0x0000000116064938) at MarkedSpace.cpp:235:21 frame #42: 0x0000000285048bc4 JavaScriptCore`JSC::Heap::sweepInFinalize(this=0x0000000116064888) at Heap.cpp:2247:19 frame #43: 0x0000000285048420 JavaScriptCore`JSC::Heap::finalize(this=0x0000000116064888) at Heap.cpp:2180:9 frame #44: 0x00000002850470b8 JavaScriptCore`JSC::Heap::handleNeedFinalize(this=0x0000000116064888, oldState=13) at Heap.cpp:2117:9 frame #45: 0x00000002850456e0 JavaScriptCore`JSC::Heap::handleNeedFinalize(this=0x0000000116064888) at Heap.cpp:2128:12 frame #46: 0x000000028503b834 JavaScriptCore`JSC::Heap::finishChangingPhase(this=0x0000000116064888, conn=Mutator) at Heap.cpp:1724:17 frame #47: 0x000000028503f9e8 JavaScriptCore`JSC::Heap::changePhase(this=0x0000000116064888, conn=Mutator, nextPhase=NotRunning) at Heap.cpp:1698:12 frame #48: 0x000000028503f790 JavaScriptCore`JSC::Heap::runEndPhase(this=0x0000000116064888, conn=Mutator) at Heap.cpp:1688:12 frame #49: 0x000000028503a630 JavaScriptCore`JSC::Heap::runCurrentPhase(this=0x0000000116064888, conn=Mutator, currentThreadState=0x000000016b8c15a0) at Heap.cpp:1339:18 frame #50: 0x0000000285152934 JavaScriptCore`JSC::Heap::collectInMutatorThread()::$_25::operator()(this=0x0000000106cba070, state=0x000000016b8c15a0) const at Heap.cpp:1955:52 frame #51: 0x00000002851527f0 JavaScriptCore`WTF::ScopedLambdaFunctor<void (JSC::CurrentThreadState&), JSC::Heap::collectInMutatorThread()::$_25>::implFunction(argument=0x0000000106cba060, arguments=0x000000016b8c15a0) at ScopedLambda.h:106:16 frame #52: 0x000000028527b9a8 JavaScriptCore`void WTF::ScopedLambda<void (JSC::CurrentThreadState&)>::operator()<JSC::CurrentThreadState&>(this=0x0000000106cba060, arguments=0x000000016b8c15a0) const at ScopedLambda.h:58:16 frame #53: 0x000000028527b838 JavaScriptCore`JSC::callWithCurrentThreadState(lambda=0x0000000106cba060) at MachineStackMarker.cpp:224:5 frame #54: 0x0000000285047360 JavaScriptCore`JSC::Heap::collectInMutatorThread(this=0x0000000116064888) at Heap.cpp:1967:13 frame #55: 0x0000000285046f48 JavaScriptCore`JSC::Heap::stopIfNecessarySlow(this=0x0000000116064888, oldState=5) at Heap.cpp:1936:9 frame #56: 0x0000000285046ca0 JavaScriptCore`JSC::Heap::stopIfNecessarySlow(this=0x0000000116064888) at Heap.cpp:1908:12 frame #57: 0x00000002850394f4 JavaScriptCore`JSC::Heap::stopIfNecessary(this=0x0000000116064888) at HeapInlines.h:264:9 frame #58: 0x00000002853017ec JavaScriptCore`JSC::StopIfNecessaryTimer::doWork(this=0x000000010b364340, vm=0x0000000116064800) at StopIfNecessaryTimer.cpp:43:13 frame #59: 0x000000028680cd7c JavaScriptCore`JSC::JSRunLoopTimer::timerDidFire(this=0x000000010b364340) at JSRunLoopTimer.cpp:233:5 frame #60: 0x000000028680b35c JavaScriptCore`JSC::JSRunLoopTimer::Manager::timerDidFire(this=0x000000010b5479b0) at JSRunLoopTimer.cpp:106:16 frame #61: 0x000000028680aa80 JavaScriptCore`JSC::JSRunLoopTimer::Manager::timerDidFireCallback(this=0x000000010b5479b0) at JSRunLoopTimer.cpp:53:5 frame #62: 0x0000000286821f44 JavaScriptCore`decltype(*std::declval<JSC::JSRunLoopTimer::Manager*&>().*std::declval<void (JSC::JSRunLoopTimer::Manager::*&)()>()()) std::__1::__invoke[abi:v160006]<void (JSC::JSRunLoopTimer::Manager::*&)(), JSC::JSRunLoopTimer::Manager*&, void>(__f=0x000000010b547928, __a0=0x000000010b547938) at invoke.h:359:23 frame #63: 0x0000000286821e00 JavaScriptCore`std::__1::__bind_return<void (JSC::JSRunLoopTimer::Manager::*)(), std::__1::tuple<JSC::JSRunLoopTimer::Manager*>, std::__1::tuple<>, __is_valid_bind_return<void (JSC::JSRunLoopTimer::Manager::*)(), std::__1::tuple<JSC::JSRunLoopTimer::Manager*>, std::__1::tuple<>>::value>::type std::__1::__apply_functor[abi:v160006]<void (JSC::JSRunLoopTimer::Manager::*)(), std::__1::tuple<JSC::JSRunLoopTimer::Manager*>, 0ul, std::__1::tuple<>>(__f=0x000000010b547928, __bound_args=size=1, (null)=__tuple_indices<0UL> @ 0x000000016b8c1c2f, __args=size=0) at bind.h:263:12 frame #64: 0x0000000286821d18 JavaScriptCore`std::__1::__bind_return<void (JSC::JSRunLoopTimer::Manager::*)(), std::__1::tuple<JSC::JSRunLoopTimer::Manager*>, std::__1::tuple<>, __is_valid_bind_return<void (JSC::JSRunLoopTimer::Manager::*)(), std::__1::tuple<JSC::JSRunLoopTimer::Manager*>, std::__1::tuple<>>::value>::type std::__1::__bind<void (JSC::JSRunLoopTimer::Manager::*&)(), JSC::JSRunLoopTimer::Manager*&>::operator()[abi:v160006]<>(this=0x000000010b547928) at bind.h:295:20 frame #65: 0x0000000286821b9c JavaScriptCore`WTF::Detail::CallableWrapper<std::__1::__bind<void (JSC::JSRunLoopTimer::Manager::*&)(), JSC::JSRunLoopTimer::Manager*&>, void>::call(this=0x000000010b547920) at Function.h:53:39 frame #66: 0x000000028682310c JavaScriptCore`WTF::Function<void ()>::operator()(this=0x000000010b547968) const at Function.h:82:35 frame #67: 0x00000002801cd43c JavaScriptCore`WTF::RunLoop::Timer::fired(this=0x000000010b547950) at RunLoop.h:191:33 frame #68: 0x000000028025bdd0 JavaScriptCore`WTF::RunLoop::TimerBase::start(WTF::Seconds, bool)::$_1::operator()(this=0x0000000106a4a0a0, cfTimer=0x000000010b86cd40, context=0x000000010b547950) const at RunLoopCF.cpp:133:16 frame #69: 0x000000028025bb28 JavaScriptCore`WTF::RunLoop::TimerBase::start(WTF::Seconds, bool)::$_1::__invoke(cfTimer=0x000000010b86cd40, context=0x000000010b547950) at RunLoopCF.cpp:126:45 frame #70: 0x0000000180bc7a20 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 32 frame #71: 0x0000000180bc76c8 CoreFoundation`__CFRunLoopDoTimer + 972 frame #72: 0x0000000180bc7200 CoreFoundation`__CFRunLoopDoTimers + 356
Attachments
Ryosuke Niwa
Comment 1 2024-02-29 17:06:18 PST
Ryosuke Niwa
Comment 2 2024-02-29 17:11:33 PST
EWS
Comment 3 2024-03-01 15:47:42 PST
Committed 275577@main (afa8e8e258fb): <https://commits.webkit.org/275577@main> Reviewed commits have been landed. Closing PR #25328 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.