Bug 45575
| Summary: | REGRESSION: fast/files/workers tests crash | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Jian Li <jianli> |
| Component: | WebCore JavaScript | Assignee: | Oliver Hunt <oliver> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | ap, jianli, oliver, rniwa, sam |
| Priority: | P2 | | |
| Version: | 528+ (Nightly build) | | |
| Hardware: | Mac | | |
| OS: | OS X 10.5 | | |
Jian Li
The crash is caused by r66850. The crash stack is:
#0 0x00000001018af63c in WTF::StringImpl::isIdentifier (this=0x0) at StringImpl.h:212
#1 0x000000010139ae86 in JSC::Identifier::add (exec=0x11b010040, r=0x0) at Identifier.h:97
#2 0x00000001018bafad in JSC::Identifier::Identifier (this=0x11a6a10e0, exec=0x11b010040, s=@0x11a012ce0) at Identifier.h:41
#3 0x00000001018ae740 in WebCore::CloneDeserializer::deserialize (this=0x11a6a11d0) at /Users/jianli/WebKit/WebCore/bindings/js/SerializedScriptValue.cpp:1227
#4 0x00000001018bd38a in WebCore::CloneDeserializer::deserialize (exec=0x11b010040, globalObject=0x111740080, buffer=@0x105d5e868) at /Users/jianli/WebKit/WebCore/bindings/js/SerializedScriptValue.cpp:761
#5 0x00000001018aea35 in WebCore::SerializedScriptValue::deserialize (this=0x105d5e860, exec=0x11b010040, globalObject=0x111740080) at /Users/jianli/WebKit/WebCore/bindings/js/SerializedScriptValue.cpp:1331
#6 0x00000001014d7dba in WebCore::jsMessageEventData (exec=0x11b010040, slotBase={m_ptr = 0x111744100}) at /Users/jianli/WebKit/WebKitBuild/Debug/DerivedSources/WebCore/JSMessageEvent.cpp:178
#7 0x00000001001285dc in JSC::PropertySlot::getValue (this=0x11a6a1440, exec=0x11b010040, propertyName=@0x11a015cd0) at PropertySlot.h:78
#8 0x00000001001328bc in JSC::JSValue::get (this=0x11a6a14b0, exec=0x11b010040, propertyName=@0x11a015cd0, slot=@0x11a6a1440) at JSObject.h:659
#9 0x00000001001d49e4 in cti_op_get_by_id (args=0x11a6a14f0) at /Users/jianli/WebKit/JavaScriptCore/jit/JITStubs.cpp:1597
Could not find the frame base for "WTF::doubleHash(unsigned int)".
#10 0x00000001001ca7d9 in WTF::doubleHash (key=) at HashTable.h:447
#11 0x00000001001aa43c in JSC::JITCode::execute (this=0x11a0117b8, registerFile=0x11a002008, callFrame=0x11b010040, globalData=0x11a800400, exception=0x11a801d48) at JITCode.h:77
#12 0x00000001001a5d0a in JSC::Interpreter::executeCall (this=0x11a001ff0, callFrame=0x11a002f38, function=0x111744040, callType=JSC::CallTypeJS, callData=@0x11a6a18d0, thisValue={m_ptr = 0x111740080}, args=@0x11a6a1880, exception=0x11a801d48) at /Users/jianli/WebKit/JavaScriptCore/interpreter/Interpreter.cpp:780
#13 0x000000010015ddf7 in JSC::call (exec=0x11a002f38, functionObject={m_ptr = 0x111744040}, callType=JSC::CallTypeJS, callData=@0x11a6a18d0, thisValue={m_ptr = 0x111740080}, args=@0x11a6a1880) at /Users/jianli/WebKit/JavaScriptCore/runtime/CallData.cpp:38
#14 0x000000010144b0c0 in WebCore::JSEventListener::handleEvent (this=0x11a0157c0, scriptExecutionContext=0x11a000920, event=0x11a012a70) at /Users/jianli/WebKit/WebCore/bindings/js/JSEventListener.cpp:124
#15 0x000000010118321c in WebCore::EventTarget::fireEventListeners (this=0x11a000ad0, event=0x11a012a70, d=0x11a000b40, entry=@0x11a0121c0) at /Users/jianli/WebKit/WebCore/dom/EventTarget.cpp:339
#16 0x000000010118383d in WebCore::EventTarget::fireEventListeners (this=0x11a000ad0, event=0x11a012a70) at /Users/jianli/WebKit/WebCore/dom/EventTarget.cpp:300
#17 0x00000001011839c1 in WebCore::EventTarget::dispatchEvent (this=0x11a000ad0, event=@0x11a6a1bd0) at /Users/jianli/WebKit/WebCore/dom/EventTarget.cpp:286
#18 0x0000000101a51639 in WebCore::MessageWorkerContextTask::performTask (this=0x105d5e880, scriptContext=0x11a000920) at /Users/jianli/WebKit/WebCore/workers/WorkerMessagingProxy.cpp:67
#19 0x0000000101a51d50 in WebCore::WorkerRunLoop::Task::performTask (this=0x105d27890, context=0x11a000920) at /Users/jianli/WebKit/WebCore/workers/WorkerRunLoop.cpp:198
#20 0x0000000101a5202f in WebCore::WorkerRunLoop::runInMode (this=0x105d284f8, context=0x11a000920, predicate=@0x11a6a1d60) at /Users/jianli/WebKit/WebCore/workers/WorkerRunLoop.cpp:162
#21 0x0000000101a5211d in WebCore::WorkerRunLoop::run (this=0x105d284f8, context=0x11a000920) at /Users/jianli/WebKit/WebCore/workers/WorkerRunLoop.cpp:133
#22 0x0000000101a55ea6 in WebCore::WorkerThread::runEventLoop (this=0x105d284e0) at /Users/jianli/WebKit/WebCore/workers/WorkerThread.cpp:162
#23 0x0000000101021770 in WebCore::DedicatedWorkerThread::runEventLoop (this=0x105d284e0) at /Users/jianli/WebKit/WebCore/workers/DedicatedWorkerThread.cpp:66
#24 0x0000000101a56664 in WebCore::WorkerThread::workerThread (this=0x105d284e0) at /Users/jianli/WebKit/WebCore/workers/WorkerThread.cpp:140
#25 0x0000000101a5671b in WebCore::WorkerThread::workerThreadStart (thread=0x105d284e0) at /Users/jianli/WebKit/WebCore/workers/WorkerThread.cpp:117
#26 0x00000001002b3c29 in WTF::threadEntryPoint (contextData=0x105d279e0) at /Users/jianli/WebKit/JavaScriptCore/wtf/Threading.cpp:65
#27 0x00007fff88c128b6 in _pthread_start ()
#28 0x00007fff88c12769 in thread_start ()
It seems that the serialization of File/Blob objects is not thread safe in the rewriting of SerializedScriptValue. This happens when we post a File/Blob object from the main thread to the worker thread.
Alexey Proskuryakov
Please CC the author and reviewer of the original patch that caused a regression, when it's known.
Jian Li
Oliver and Sam have already been cc-ed.
Mark Rowe (bdash)
Which revision introduced this regression?
Jian Li
(In reply to comment #3)
> Which revision introduced this regression?
http://trac.webkit.org/changeset/66850
Ryosuke Niwa
Doesn't hit an assertion or crash anymore.
Ryosuke Niwa
Committed r150546: <http://trac.webkit.org/changeset/150546>