Bug 95079

Summary: Assertion failure at WebCore::MessagePort::contextDestroyed() (MessagePort.cpp:158)
Product: WebKit
Reporter: Mark Lam <mark.lam>
Component: WebCore JavaScript
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE    
Severity: Normal    
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   

Mark Lam
Reported 2012-08-27 05:53:18 PDT
This assertion failure has been seen to cause crashes on both the WK1 and WK2 Lion mac bots.

The earliest incidence of this that I found was:
- build 1877
- test: http/tests/security/XFrameOptions/x-frame-options-deny.html
- change sets:
  http://trac.webkit.org/changeset/125609
  http://trac.webkit.org/changeset/125602
  http://trac.webkit.org/changeset/125603
  http://trac.webkit.org/changeset/125604
  http://trac.webkit.org/changeset/125605
  http://trac.webkit.org/changeset/125606
  http://trac.webkit.org/changeset/125608

The latest incidence of this was found on:
- build 2257
- test: http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html

Sampling through the build history, I've seen this assertion crash manifest on the following tests (this is not an exhaustive list):
- fast/events/message-port-context-destroyed.html (1901, 1920, 2055, 2218, 2222, 2227, 2234, 2639, 2832)
- http/tests/security/aboutBlank/security-context-alias.html (build 2227, 2250)
- http/tests/security/aboutBlank/security-context-grandchildren-alias.html (build 1890, 1905)
- http/tests/security/aboutBlank/security-context-grandchildren-write-lexical.html (build 2233)
- http/tests/security/XFrameOptions/x-frame-options-deny.html (build 1877)
- http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-parent-same-origin-allow.html (build 1879)
- http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-allow.html (build 2055, 2218, 2229, 2234, 2235)
- http/tests/security/XFrameOptions/x-frame-options-parent-same-origin-deny.html (build 1885, 1903, 1920, 2239, 2244, 2245, 2246, 2249)

The crash / assertion failure is intermittent. It does not necessarily manifest on every build test run, nor always on the same tests. However, it has been seen to repeat on the same test more than once.
Mark Lam
Comment 1 2012-08-27 05:57:29 PDT
Here is an excerpt of the crash log of the latest observed incident in test http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body.html on build 2257. The full crash log does not fit in this comment box (only an excerpt is copied here). The full crash log can be found at:
http://build.webkit.org/results/Apple%20Lion%20Debug%20WK1%20(Tests)/r126743%20(2257)/http/tests/security/XFrameOptions/x-frame-options-deny-meta-tag-in-body-crash-log.txt

=== BEGIN excerpt of crash log ===
Process: DumpRenderTree [3636]
Path: /Volumes/VOLUME/*/DumpRenderTree
Identifier: DumpRenderTree
Version: ??? (???)
Code Type: X86-64 (Native)
Parent Process: Python [3635]

Date/Time: 2012-08-27 04:28:19.895 -0700
OS Version: Mac OS X 10.7.4 (11E53)
Report Version: 9

Crashed Thread: 0 Dispatch queue: com.apple.main-thread

Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00000000bbadbeef

VM Regions Near 0xbbadbeef:
--> __TEXT 0000000105f37000-0000000105fcf000 [ 608K] r-x/rwx SM=COW /Volumes/VOLUME/*

Application Specific Information:
objc[3636]: garbage collection is OFF

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.WebCore 0x0000000108810bd2 WebCore::MessagePort::contextDestroyed() + 178 (MessagePort.cpp:158)
1 com.apple.WebCore 0x0000000108c8e354 WebCore::ScriptExecutionContext::~ScriptExecutionContext() + 724 (ScriptExecutionContext.cpp:113)
2 com.apple.WebCore 0x0000000107a585f3 WebCore::Document::~Document() + 3523 (Document.cpp:687)
3 com.apple.WebCore 0x0000000107e9fa25 WebCore::HTMLDocument::~HTMLDocument() + 149 (HTMLDocument.cpp:91)
4 com.apple.WebCore 0x0000000107e9f8f5 WebCore::HTMLDocument::~HTMLDocument() + 21 (HTMLDocument.cpp:91)
5 com.apple.WebCore 0x0000000107e9f8c9 WebCore::HTMLDocument::~HTMLDocument() + 25 (HTMLDocument.cpp:90)
6 com.apple.WebCore 0x0000000107a72109 WebCore::Document::guardDeref() + 201 (Document.h:247)
7 com.apple.WebCore 0x0000000107a58bb0 WebCore::Document::removedLastRef() + 560 (Document.cpp:736)
8 com.apple.WebCore 0x0000000108850a22 WebCore::Node::removedLastRef() + 50 (Node.cpp:2814)
9 com.apple.WebCore 0x000000010765ce2e WebCore::TreeShared<WebCore::Node, WebCore::ContainerNode>::deref() + 494 (TreeShared.h:83)
10 com.apple.WebCore 0x000000010834cba6 WebCore::JSNode::releaseImpl() + 38 (JSNode.h:69)
11 com.apple.WebCore 0x0000000108479e61 WebCore::JSNodeOwner::finalize(JSC::Handle<JSC::Unknown>, void*) + 113 (JSNodeCustom.cpp:145)
12 com.apple.JavaScriptCore 0x00000001065aac47 JSC::WeakBlock::finalize(JSC::WeakImpl*) + 215 (WeakSetInlines.h:53)
13 com.apple.JavaScriptCore 0x00000001065aa59e JSC::WeakBlock::sweep() + 158 (WeakBlock.cpp:81)
14 com.apple.JavaScriptCore 0x00000001065aaf20 JSC::WeakSet::sweep() + 64 (WeakSet.cpp:45)
15 com.apple.JavaScriptCore 0x0000000106470f18 JSC::MarkedBlock::sweep(JSC::MarkedBlock::SweepMode) + 40 (MarkedBlock.cpp:108)
16 com.apple.JavaScriptCore 0x00000001065a88e1 JSC::MarkedAllocator::tryAllocateHelper() + 193 (MarkedAllocator.cpp:45)
17 com.apple.JavaScriptCore 0x00000001065a7b08 JSC::MarkedAllocator::tryAllocate() + 136 (MarkedAllocator.cpp:69)
18 com.apple.JavaScriptCore 0x00000001065a763a JSC::MarkedAllocator::allocateSlowCase() + 234 (MarkedAllocator.cpp:85)
19 com.apple.WebCore 0x0000000107777300 JSC::MarkedAllocator::allocate() + 64 (MarkedAllocator.h:83)
20 com.apple.WebCore 0x0000000107777c25 JSC::MarkedSpace::allocateWithDestructor(unsigned long) + 37 (MarkedSpace.h:197)
21 com.apple.WebCore 0x0000000107777bf6 JSC::Heap::allocateWithDestructor(unsigned long) + 134 (Heap.h:366)
22 com.apple.WebCore 0x0000000107783660 void* JSC::allocateCell<JSC::JSString>(JSC::Heap&) + 176 (JSCell.h:337)
23 com.apple.WebCore 0x0000000107783468 JSC::JSString::create(JSC::JSGlobalData&, WTF::PassRefPtr<WTF::StringImpl>) + 200 (JSString.h:126)
24 com.apple.WebCore 0x000000010843f3bc JSC::jsNontrivialString(JSC::JSGlobalData*, JSC::UString const&) + 156 (JSString.h:367)
25 com.apple.WebCore 0x000000010843ee15 JSC::jsNontrivialString(JSC::ExecState*, JSC::UString const&) + 37 (JSString.h:470)
26 com.apple.WebCore 0x000000010843e898 WebCore::JSLazyEventListener::initializeJSFunction(WebCore::ScriptExecutionContext*) const + 808 (JSLazyEventListener.cpp:97)
27 com.apple.WebCore 0x0000000108170db3 WebCore::JSEventListener::jsFunction(WebCore::ScriptExecutionContext*) const + 163 (JSEventListener.h:84)
28 com.apple.WebCore 0x00000001083093fc WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) + 220 (JSEventListener.cpp:80)
29 com.apple.WebCore 0x0000000107cc59b9 WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul>&) + 393 (EventTarget.cpp:232)
30 com.apple.WebCore 0x0000000107cc57fb WebCore::EventTarget::fireEventListeners(WebCore::Event*) + 331 (EventTarget.cpp:200)
31 com.apple.WebCore 0x000000010884f16b WebCore::Node::handleLocalEvents(WebCore::Event*) + 155 (Node.cpp:2570)
32 com.apple.WebCore 0x0000000107c92595 WebCore::EventContext::handleLocalEvents(WebCore::Event*) const + 293 (EventContext.cpp:55)
33 com.apple.WebCore 0x0000000107c9567f WebCore::EventDispatcher::dispatchEventAtTarget(WTF::PassRefPtr<WebCore::Event>) + 111 (EventDispatcher.cpp:309)
34 com.apple.WebCore 0x0000000107c944b9 WebCore::EventDispatcher::dispatchEvent(WTF::PassRefPtr<WebCore::Event>) + 1129 (EventDispatcher.cpp:261)
35 com.apple.WebCore 0x0000000107c9a63c WebCore::EventDispatchMediator::dispatchEvent(WebCore::EventDispatcher*) const + 76 (EventDispatchMediator.cpp:51)
36 com.apple.WebCore 0x0000000107c9307a WebCore::EventDispatcher::dispatchEvent(WebCore::Node*, WTF::PassRefPtr<WebCore::EventDispatchMediator>) + 154 (EventDispatcher.cpp:129)
37 com.apple.WebCore 0x000000010884f266 WebCore::Node::dispatchEvent(WTF::PassRefPtr<WebCore::Event>) + 70 (Node.cpp:2585)
38 com.apple.WebCore 0x0000000107c11026 WebCore::DOMWindow::dispatchLoadEvent() + 758 (DOMWindow.cpp:1639)
39 com.apple.WebCore 0x0000000107a621f2 WebCore::Document::dispatchWindowLoadEvent() + 146 (Document.cpp:4111)
40 com.apple.WebCore 0x0000000107a5f661 WebCore::Document::implicitClose() + 513 (Document.cpp:2537)
41 com.apple.WebCore 0x0000000107d7b2ab WebCore::FrameLoader::checkCallImplicitClose() + 155 (FrameLoader.cpp:766)
42 com.apple.WebCore 0x0000000107d7af75 WebCore::FrameLoader::checkCompleted() + 341 (FrameLoader.cpp:713)
43 com.apple.WebCore 0x0000000107d79d03 WebCore::FrameLoader::finishedParsing() + 179 (FrameLoader.cpp:646)
44 com.apple.WebCore 0x0000000107a6c16f WebCore::Document::finishedParsing() + 591 (Document.cpp:4887)
45 com.apple.WebCore 0x0000000107f7d014 WebCore::HTMLTreeBuilder::finished() + 148 (HTMLTreeBuilder.cpp:2696)
46 com.apple.WebCore 0x0000000107ea4b53 WebCore::HTMLDocumentParser::end() + 227 (HTMLDocumentParser.cpp:373)
47 com.apple.WebCore 0x0000000107ea3b46 WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd() + 278 (HTMLDocumentParser.cpp:382)
48 com.apple.WebCore 0x0000000107ea392c WebCore::HTMLDocumentParser::prepareToStopParsing() + 268 (HTMLDocumentParser.cpp:150)
49 com.apple.WebCore 0x0000000107ea4ba3 WebCore::HTMLDocumentParser::attemptToEnd() + 67 (HTMLDocumentParser.cpp:394)
50 com.apple.WebCore 0x0000000107ea4bf8 WebCore::HTMLDocumentParser::finish() + 72 (HTMLDocumentParser.cpp:421)
51 com.apple.WebCore 0x0000000107ad0ca7 WebCore::DocumentWriter::end() + 391 (DocumentWriter.cpp:245)
52 com.apple.WebCore 0x0000000107aad0bf WebCore::DocumentLoader::finishedLoading() + 207 (DocumentLoader.cpp:301)
53 com.apple.WebCore 0x00000001087a6f2e WebCore::MainResourceLoader::didFinishLoading(double) + 318 (MainResourceLoader.cpp:526)
54 com.apple.WebCore 0x00000001087a6193 WebCore::MainResourceLoader::continueAfterContentPolicy(WebCore::PolicyAction, WebCore::ResourceResponse const&) + 2051 (MainResourceLoader.cpp:346)
55 com.apple.WebCore 0x00000001087a6347 WebCore::MainResourceLoader::continueAfterContentPolicy(WebCore::PolicyAction) + 199 (MainResourceLoader.cpp:361)
56 com.apple.WebCore 0x00000001087a626b WebCore::MainResourceLoader::callContinueAfterContentPolicy(void*, WebCore::PolicyAction) + 27 (MainResourceLoader.cpp:353)
57 com.apple.WebCore 0x00000001088e8a16 WebCore::PolicyCallback::call(WebCore::PolicyAction) + 310 (PolicyCallback.cpp:115)
58 com.apple.WebCore 0x00000001088e98e4 WebCore::PolicyChecker::continueAfterContentPolicy(WebCore::PolicyAction) + 100 (PolicyChecker.cpp:195)
59 com.apple.WebKit 0x000000010704973c WebFrameLoaderClient::receivedPolicyDecison(WebCore::PolicyAction) + 412 (WebFrameLoaderClient.mm:1285)
60 com.apple.WebKit 0x000000010704e7e1 -[WebFramePolicyListener receivedPolicyDecision:] + 193 (WebFrameLoaderClient.mm:2033)
61 com.apple.WebKit 0x000000010704e900 -[WebFramePolicyListener use] + 48 (WebFrameLoaderClient.mm:2049)
62 com.apple.WebKit 0x000000010701a5b2 -[WebDefaultPolicyDelegate webView:decidePolicyForMIMEType:request:frame:decisionListener:] + 338 (WebDefaultPolicyDelegate.m:74)
63 com.apple.CoreFoundation 0x00007fff8b63aefc __invoking___ + 140
64 com.apple.CoreFoundation 0x00007fff8b63ad94 -[NSInvocation invoke] + 132
65 com.apple.CoreFoundation 0x00007fff8b63af64 -[NSInvocation invokeWithTarget:] + 52
66 com.apple.WebKit 0x0000000107120dd2 -[_WebSafeForwarder forwardInvocation:] + 370 (WebView.mm:3012)
67 com.apple.CoreFoundation 0x00007fff8b635fa4 ___forwarding___ + 756
68 com.apple.CoreFoundation 0x00007fff8b635c38 _CF_forwarding_prep_0 + 232
69 com.apple.WebKit 0x0000000107045268 WebFrameLoaderClient::dispatchDecidePolicyForResponse(void (WebCore::PolicyChecker::*)(WebCore::PolicyAction), WebCore::ResourceResponse const&, WebCore::ResourceRequest const&) + 360 (WebFrameLoaderClient.mm:722)
70 com.apple.WebCore 0x00000001088e9879 WebCore::PolicyChecker::checkContentPolicy(WebCore::ResourceResponse const&, void (*)(void*, WebCore::PolicyAction), void*) + 169 (PolicyChecker.cpp:109)
71 com.apple.WebCore 0x00000001087a6a1f WebCore::MainResourceLoader::didReceiveResponse(WebCore::ResourceResponse const&) + 1727 (MainResourceLoader.cpp:431)
72 com.apple.WebCore 0x00000001087a7291 WebCore::MainResourceLoader::handleEmptyLoad(WebCore::KURL const&, bool) + 513 (MainResourceLoader.cpp:571)
73 com.apple.WebCore 0x00000001087a771f WebCore::MainResourceLoader::loadNow(WebCore::ResourceRequest&) + 991 (MainResourceLoader.cpp:637)
74 com.apple.WebCore 0x00000001087a7abf WebCore::MainResourceLoader::load(WebCore::ResourceRequest const&, WebCore::SubstituteData const&) + 719 (MainResourceLoader.cpp:668)
75 com.apple.WebCore 0x0000000107aaf758 WebCore::DocumentLoader::startLoadingMainResource() + 344 (DocumentLoader.cpp:870)
76 com.apple.WebCore 0x0000000107d84d39 WebCore::FrameLoader::continueLoadAfterWillSubmitForm() + 185 (FrameLoader.cpp:2188)
77 com.apple.WebCore 0x0000000107d80faf WebCore::FrameLoader::continueLoadAfterNavigationPolicy(WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool) + 1039 (FrameLoader.cpp:2794)
78 com.apple.WebCore 0x0000000107d8101b WebCore::FrameLoader::callContinueLoadAfterNavigationPolicy(void*, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool) + 91 (FrameLoader.cpp:2663)
79 com.apple.WebCore 0x00000001088e87c8 WebCore::PolicyCallback::call(bool) + 136 (PolicyCallback.cpp:103)
80 com.apple.WebCore 0x00000001088e9483 WebCore::PolicyChecker::continueAfterNavigationPolicy(WebCore::PolicyAction) + 723 (PolicyChecker.cpp:168)
81 com.apple.WebKit 0x000000010704973c WebFrameLoaderClient::receivedPolicyDecison(WebCore::PolicyAction) + 412 (WebFrameLoaderClient.mm:1285)
82 com.apple.WebKit 0x000000010704e7e1 -[WebFramePolicyListener receivedPolicyDecision:] + 193 (WebFrameLoaderClient.mm:2033)
83 com.apple.WebKit 0x000000010704e900 -[WebFramePolicyListener use] + 48 (WebFrameLoaderClient.mm:2049)
84 com.apple.WebKit 0x000000010701a6a2 -[WebDefaultPolicyDelegate webView:decidePolicyForNavigationAction:request:frame:decisionListener:] + 210 (WebDefaultPolicyDelegate.m:88)
85 com.apple.CoreFoundation 0x00007fff8b63aefc __invoking___ + 140
86 com.apple.CoreFoundation 0x00007fff8b63ad94 -[NSInvocation invoke] + 132
87 com.apple.CoreFoundation 0x00007fff8b63af64 -[NSInvocation invokeWithTarget:] + 52
88 com.apple.WebKit 0x0000000107120dd2 -[_WebSafeForwarder forwardInvocation:] + 370 (WebView.mm:3012)
89 com.apple.CoreFoundation 0x00007fff8b635fa4 ___forwarding___ + 756
90 com.apple.CoreFoundation 0x00007fff8b635c38 _CF_forwarding_prep_0 + 232
91 com.apple.WebKit 0x0000000107045cf4 WebFrameLoaderClient::dispatchDecidePolicyForNavigationAction(void (WebCore::PolicyChecker::*)(WebCore::PolicyAction), WebCore::NavigationAction const&, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>) + 372 (WebFrameLoaderClient.mm:744)
92 com.apple.WebCore 0x00000001088e915b WebCore::PolicyChecker::checkNavigationPolicy(WebCore::ResourceRequest const&, WebCore::DocumentLoader*, WTF::PassRefPtr<WebCore::FormState>, void (*)(void*, WebCore::ResourceRequest const&, WTF::PassRefPtr<WebCore::FormState>, bool), void*) + 1019 (PolicyChecker.cpp:88)
93 com.apple.WebCore 0x0000000107d80993 WebCore::FrameLoader::loadWithDocumentLoader(WebCore::DocumentLoader*, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>) + 1715 (FrameLoader.cpp:1372)
94 com.apple.WebCore 0x0000000107d7fab7 WebCore::FrameLoader::loadWithNavigationAction(WebCore::ResourceRequest const&, WebCore::NavigationAction const&, bool, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::FormState>) + 855 (FrameLoader.cpp:1277)
95 com.apple.WebCore 0x0000000107d7cd9e WebCore::FrameLoader::loadURL(WebCore::KURL const&, WTF::String const&, WTF::String const&, bool, WebCore::FrameLoadType, WTF::PassRefPtr<WebCore::Event>, WTF::PassRefPtr<WebCore::FormState>) + 2046 (FrameLoader.cpp:1212)
96 com.apple.WebCore 0x0000000107d788f2 WebCore::FrameLoader::loadFrameRequest(WebCore::FrameLoadRequest const&, bool, bool, WTF::PassRefPtr<WebCore::Event>, WTF::PassRefPtr<WebCore::FormState>, WebCore::ShouldSendReferrer) + 1266 (FrameLoader.cpp:1142)
97 com.apple.WebCore 0x0000000107d77fe5 WebCore::FrameLoader::urlSelected(WebCore::FrameLoadRequest const&, WTF::PassRefPtr<WebCore::Event>, bool, bool, WebCore::ShouldSendReferrer, WebCore::ShouldReplaceDocumentIfJavaScriptURL) + 853 (FrameLoader.cpp:282)
98 com.apple.WebCore 0x0000000107d77c47 WebCore::FrameLoader::changeLocation(WebCore::SecurityOrigin*, WebCore::KURL const&, WTF::String const&, bool, bool, bool) + 359 (FrameLoader.cpp:251)
99 com.apple.WebCore 0x00000001088343f8 WebCore::ScheduledURLNavigation::fire(WebCore::Frame*) + 296 (NavigationScheduler.cpp:109)
100 com.apple.WebCore 0x00000001088317ef WebCore::NavigationScheduler::timerFired(WebCore::Timer<WebCore::NavigationScheduler>*) + 175 (NavigationScheduler.cpp:419)
101 com.apple.WebCore 0x0000000108833823 WebCore::Timer<WebCore::NavigationScheduler>::fired() + 115 (Timer.h:100)
102 com.apple.WebCore 0x0000000109000fd7 WebCore::ThreadTimers::sharedTimerFiredInternal() + 311 (ThreadTimers.cpp:118)
103 com.apple.WebCore 0x0000000109000d19 WebCore::ThreadTimers::sharedTimerFired() + 25 (ThreadTimers.cpp:94)
104 com.apple.WebCore 0x0000000108d0a8f3 _ZN7WebCoreL10timerFiredEP16__CFRunLoopTimerPv + 67 (SharedTimerMac.mm:167)
105 com.apple.CoreFoundation 0x00007fff8b5fd934 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
106 com.apple.CoreFoundation 0x00007fff8b5fd486 __CFRunLoopDoTimer + 534
107 com.apple.CoreFoundation 0x00007fff8b5dde11 __CFRunLoopRun + 1617
108 com.apple.CoreFoundation 0x00007fff8b5dd486 CFRunLoopRunSpecific + 230
109 com.apple.Foundation 0x00007fff8315bf7b -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 267
110 DumpRenderTree 0x0000000105f4f21b _ZL7runTestRKNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEE + 5035
111 DumpRenderTree 0x0000000105f4ddea _ZL20runTestingServerLoopv + 282
112 DumpRenderTree 0x0000000105f4d666 dumpRenderTree(int, char const**) + 374
113 DumpRenderTree 0x0000000105f4fa5c main + 124
114 DumpRenderTree 0x0000000105f38c94 start + 52
...
=== END excerpt crash log ===
Alexey Proskuryakov
Comment 2 2012-08-27 09:21:22 PDT
*** This bug has been marked as a duplicate of bug 94458 ***