Bug 137311 - media/video-fullscreeen-only-playback.html sometimes crashes in TreeShared::ref()
Status: RESOLVED DUPLICATE of bug 211645
Alias: None
Product: WebKit
Classification: Unclassified
Component: Media
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Peng Liu
Keywords: InRadar
Reported: 2014-10-01 13:50 PDT by Beth Dakin
Modified: 2020-05-11 14:19 PDT
Description Beth Dakin 2014-10-01 13:50:04 PDT
media/video-fullscreeen-only-playback.html has been intermittently asserting on the debug bots. The crash seems kind of bad. The assertion that is failing is:

ASSERT(!m_inRemovedLastRefFunction);

Process:         com.apple.WebKit.WebContent.Development [18909]
Path:            /Volumes/VOLUME/*/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.Development.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development
Identifier:      com.apple.WebKit.WebContent.Development
Version:         601+ (601.1.1+)
Code Type:       X86-64 (Native)
Parent Process:  ??? [1]
Responsible:     com.apple.WebKit.WebContent.Development [18909]
User ID:         501

Date/Time:       2014-10-01 10:12:41.972 -0700
OS Version:      Mac OS X 10.9.4 (13E28)
Report Version:  11
Anonymous UUID:  15CE1938-3EF8-12B1-337A-3F91683D9720


Crashed Thread:  0  Dispatch queue: com.apple.main-thread

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00000000bbadbeef

VM Regions Near 0xbbadbeef:
--> 
    __TEXT                 000000010ecc7000-000000010ecc9000 [    8K] r-x/rwx SM=COW  /Volumes/VOLUME/*/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.Development.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development

Application Specific Information:
CRASHING TEST:media/video-fullscreeen-only-playback.html

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore      	0x0000000115bd5d6a WTFCrash + 42 (Assertions.cpp:321)
1   com.apple.WebCore             	0x0000000117096b22 WebCore::TreeShared<WebCore::Node>::ref() + 178 (TreeShared.h:64)
2   com.apple.WebCore             	0x00000001170a104d WTF::Ref<WebCore::Document>::Ref(WebCore::Document&) + 45 (Ref.h:39)
3   com.apple.WebCore             	0x000000011708203d WTF::Ref<WebCore::Document>::Ref(WebCore::Document&) + 29 (Ref.h:39)
4   com.apple.WebCore             	0x00000001172ec34d WebCore::ChildNodeInsertionNotifier::notify(WebCore::Node&) + 125 (ContainerNodeAlgorithms.h:224)
5   com.apple.WebCore             	0x0000000117774017 WebCore::Element::addShadowRoot(WTF::PassRefPtr<WebCore::ShadowRoot>) + 247 (Element.cpp:1455)
6   com.apple.WebCore             	0x0000000117774115 WebCore::Element::ensureUserAgentShadowRoot() + 85 (Element.cpp:1506)
7   com.apple.WebCore             	0x0000000117ad41ab WebCore::HTMLMediaElement::configureMediaControls() + 75 (HTMLMediaElement.cpp:5189)
8   com.apple.WebCore             	0x0000000117ad54f4 WebCore::HTMLMediaElement::prepareForLoad() + 900 (HTMLMediaElement.cpp:978)
9   com.apple.WebCore             	0x0000000117ad40e3 WebCore::HTMLMediaElement::scheduleDelayedAction(WebCore::HTMLMediaElement::DelayedActionType) + 115 (HTMLMediaElement.cpp:722)
10  com.apple.WebCore             	0x0000000117ae0bac WebCore::HTMLMediaElement::pauseInternal() + 188 (HTMLMediaElement.cpp:2799)
11  com.apple.WebCore             	0x0000000117ae0ae5 WebCore::HTMLMediaElement::pause() + 117 (HTMLMediaElement.cpp:2776)
12  com.apple.WebCore             	0x0000000117ad4ce0 WebCore::HTMLMediaElement::removedFrom(WebCore::ContainerNode&) + 192 (HTMLMediaElement.cpp:681)
13  com.apple.WebCore             	0x00000001172f1ddb WebCore::ChildNodeRemovalNotifier::notifyNodeRemovedFromDocument(WebCore::Node&) + 107 (ContainerNodeAlgorithms.h:242)
14  com.apple.WebCore             	0x00000001172f2c8e WebCore::ChildNodeRemovalNotifier::notifyDescendantRemovedFromDocument(WebCore::ContainerNode&) + 190 (ContainerNodeAlgorithms.cpp:72)
15  com.apple.WebCore             	0x00000001172f1e06 WebCore::ChildNodeRemovalNotifier::notifyNodeRemovedFromDocument(WebCore::Node&) + 150 (ContainerNodeAlgorithms.h:244)
16  com.apple.WebCore             	0x00000001172f2c8e WebCore::ChildNodeRemovalNotifier::notifyDescendantRemovedFromDocument(WebCore::ContainerNode&) + 190 (ContainerNodeAlgorithms.cpp:72)
17  com.apple.WebCore             	0x00000001172f1e06 WebCore::ChildNodeRemovalNotifier::notifyNodeRemovedFromDocument(WebCore::Node&) + 150 (ContainerNodeAlgorithms.h:244)
18  com.apple.WebCore             	0x00000001172ec64b WebCore::ChildNodeRemovalNotifier::notify(WebCore::Node&) + 59 (ContainerNodeAlgorithms.h:259)
19  com.apple.WebCore             	0x00000001172ef4c4 WebCore::Private::NodeRemovalDispatcher<WebCore::Node, WebCore::ContainerNode, true>::dispatch(WebCore::Node&, WebCore::ContainerNode&) + 116 (ContainerNodeAlgorithms.h:146)
20  com.apple.WebCore             	0x00000001172ef40f void WebCore::Private::addChildNodesToDeletionQueue<WebCore::Node, WebCore::ContainerNode>(WebCore::Node*&, WebCore::Node*&, WebCore::ContainerNode&) + 335 (ContainerNodeAlgorithms.h:188)
21  com.apple.WebCore             	0x00000001172ebef0 void WebCore::removeDetachedChildrenInContainer<WebCore::Node, WebCore::ContainerNode>(WebCore::ContainerNode&) + 48 (ContainerNodeAlgorithms.h:94)
22  com.apple.WebCore             	0x00000001172e77ae WebCore::ContainerNode::removeDetachedChildren() + 110 (ContainerNode.cpp:96)
23  com.apple.WebCore             	0x00000001175cae2c WebCore::Document::removedLastRef() + 428 (Document.cpp:671)
24  com.apple.WebCore             	0x000000011858aba7 WebCore::Node::removedLastRef() + 55 (Node.cpp:2203)
25  com.apple.WebCore             	0x00000001170969b4 WebCore::TreeShared<WebCore::Node>::deref() + 372 (TreeShared.h:83)
26  com.apple.WebCore             	0x0000000117ffc6c6 WebCore::JSNode::releaseImpl() + 38 (JSNode.h:68)
27  com.apple.WebCore             	0x0000000118132039 WebCore::JSNodeOwner::finalize(JSC::Handle<JSC::Unknown>, void*) + 105 (JSNode.cpp:911)
28  com.apple.JavaScriptCore      	0x0000000115b900dd JSC::WeakBlock::finalize(JSC::WeakImpl*) + 189 (WeakSetInlines.h:53)
29  com.apple.JavaScriptCore      	0x0000000115b8fa5e JSC::WeakBlock::sweep() + 158 (WeakBlock.cpp:77)
30  com.apple.JavaScriptCore      	0x0000000115b95730 JSC::WeakSet::sweep() + 64 (WeakSet.cpp:47)
31  com.apple.JavaScriptCore      	0x00000001159cd46d JSC::MarkedBlock::sweep(JSC::MarkedBlock::SweepMode) + 109 (MarkedBlock.cpp:118)
32  com.apple.JavaScriptCore      	0x00000001159cc9de JSC::MarkedAllocator::tryAllocateHelper(unsigned long) + 270 (MarkedAllocator.cpp:80)
33  com.apple.JavaScriptCore      	0x00000001159caf82 JSC::MarkedAllocator::tryAllocate(unsigned long) + 114 (MarkedAllocator.cpp:129)
34  com.apple.JavaScriptCore      	0x00000001159ca86e JSC::MarkedAllocator::allocateSlowCase(unsigned long) + 254 (MarkedAllocator.cpp:171)
35  com.apple.WebCore             	0x000000011703b7e1 JSC::MarkedAllocator::allocate(unsigned long) + 81 (MarkedAllocator.h:95)
36  com.apple.WebCore             	0x000000011703bb39 JSC::MarkedSpace::allocateWithNormalDestructor(unsigned long) + 41 (MarkedSpace.h:251)
37  com.apple.WebCore             	0x000000011703bb06 JSC::Heap::allocateWithNormalDestructor(unsigned long) + 118 (HeapInlines.h:187)
38  com.apple.WebCore             	0x0000000117fc24e7 void* JSC::allocateCell<WebCore::JSEvent>(JSC::Heap&, unsigned long) + 151 (JSCellInlines.h:135)
39  com.apple.WebCore             	0x0000000117fc243f void* JSC::allocateCell<WebCore::JSEvent>(JSC::Heap&) + 31 (JSCellInlines.h:149)
40  com.apple.WebCore             	0x0000000117fc228e WebCore::JSEvent::create(JSC::Structure*, WebCore::JSDOMGlobalObject*, WTF::PassRefPtr<WebCore::Event>) + 46 (JSEvent.h:36)
41  com.apple.WebCore             	0x0000000117fb3ba6 WebCore::JSDOMWrapper* WebCore::createWrapper<WebCore::JSEvent, WebCore::Event>(WebCore::JSDOMGlobalObject*, WebCore::Event*) + 214 (JSDOMBinding.h:219)
42  com.apple.WebCore             	0x0000000117fb2d99 WebCore::toJS(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WebCore::Event*) + 457 (JSEventCustom.cpp:68)
43  com.apple.WebCore             	0x0000000117fc6e36 WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) + 774 (JSEventListener.cpp:114)
44  com.apple.WebCore             	0x00000001177cb72b WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul, WTF::CrashOnOverflow>&) + 1499 (EventTarget.cpp:247)
45  com.apple.WebCore             	0x00000001177caffe WebCore::EventTarget::fireEventListeners(WebCore::Event*) + 334 (EventTarget.cpp:197)
46  com.apple.WebCore             	0x0000000118589ecc WebCore::Node::handleLocalEvents(WebCore::Event&) + 156 (Node.cpp:2024)
47  com.apple.WebCore             	0x0000000117797931 WebCore::EventContext::handleLocalEvents(WebCore::Event&) const + 177 (EventContext.cpp:55)
48  com.apple.WebCore             	0x0000000117798f44 WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&, WebCore::WindowEventContext&) + 356 (EventDispatcher.cpp:306)
49  com.apple.WebCore             	0x000000011779897f WebCore::EventDispatcher::dispatchEvent(WebCore::Node*, WTF::PassRefPtr<WebCore::Event>) + 815 (EventDispatcher.cpp:363)
50  com.apple.WebCore             	0x0000000118589f4d WebCore::Node::dispatchEvent(WTF::PassRefPtr<WebCore::Event>) + 45 (Node.cpp:2038)
51  com.apple.WebCore             	0x000000011799c651 WebCore::GenericEventQueue::timerFired(WebCore::Timer<WebCore::GenericEventQueue>&) + 417 (GenericEventQueue.cpp:72)
52  com.apple.WebCore             	0x000000011799e49e std::__1::__function::__func<std::__1::__bind<void (WebCore::GenericEventQueue::*&)(WebCore::Timer<WebCore::GenericEventQueue>&), WebCore::GenericEventQueue*&, std::__1::reference_wrapper<WebCore::Timer<WebCore::GenericEventQueue> > >, std::__1::allocator<std::__1::__bind<void (WebCore::GenericEventQueue::*&)(WebCore::Timer<WebCore::GenericEventQueue>&), WebCore::GenericEventQueue*&, std::__1::reference_wrapper<WebCore::Timer<WebCore::GenericEventQueue> > > >, void ()>::operator()() + 350 (functional:1370)
53  com.apple.WebCore             	0x00000001170acffa std::__1::function<void ()>::operator()() const + 26 (functional:1755)
54  com.apple.WebCore             	0x000000011799cf0c WebCore::Timer<WebCore::GenericEventQueue>::fired() + 28 (Timer.h:134)
55  com.apple.WebCore             	0x0000000118e6794c WebCore::ThreadTimers::sharedTimerFiredInternal() + 396 (ThreadTimers.cpp:135)
56  com.apple.WebCore             	0x0000000118e67609 WebCore::ThreadTimers::sharedTimerFired() + 25 (ThreadTimers.cpp:108)
57  com.apple.WebCore             	0x0000000118b70f2f WebCore::timerFired(__CFRunLoopTimer*, void*) + 31 (SharedTimerMac.mm:125)
58  com.apple.CoreFoundation      	0x00007fff933cb3e4 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
59  com.apple.CoreFoundation      	0x00007fff933caf1f __CFRunLoopDoTimer + 1151
60  com.apple.CoreFoundation      	0x00007fff9343c5aa __CFRunLoopDoTimers + 298
61  com.apple.CoreFoundation      	0x00007fff933866a5 __CFRunLoopRun + 1525
62  com.apple.CoreFoundation      	0x00007fff93385e75 CFRunLoopRunSpecific + 309
63  com.apple.HIToolbox           	0x00007fff9ae36a0d RunCurrentEventLoopInMode + 226
64  com.apple.HIToolbox           	0x00007fff9ae367b7 ReceiveNextEventCommon + 479
65  com.apple.HIToolbox           	0x00007fff9ae365bc _BlockUntilNextEventMatchingListInModeWithFilter + 65
66  com.apple.AppKit              	0x00007fff96b8224e _DPSNextEvent + 1434
67  com.apple.AppKit              	0x00007fff96b8189b -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 122
68  com.apple.AppKit              	0x00007fff96b7599c -[NSApplication run] + 553
69  com.apple.AppKit              	0x00007fff96b60783 NSApplicationMain + 940
70  com.apple.XPCService          	0x00007fff8d84cc0f _xpc_main + 385
71  libxpc.dylib                  	0x00007fff98e96bde xpc_main + 399
72  com.apple.WebKit.WebContent.Development	0x000000010ecc8135 main + 37
73  libdyld.dylib                 	0x00007fff993595fd start + 1
Comment 1 Beth Dakin 2014-10-01 14:03:02 PDT
I marked this test as crash-flaky in http://trac.webkit.org/changeset/174169
Comment 2 Alexey Proskuryakov 2014-10-01 14:38:15 PDT
HTMLMediaElement re-adds itself while being removed, this seems quite bad.
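
The re-entrancy visible in the trace (a removal notification running under `removedLastRef()` leads to a new `ref()` on the object being torn down), as an added example that is not part of the original bug report and is not WebKit source. It is a simplified model: `Document`, `removalHooks`, `Child` and `runTeardown` are hypothetical names, the violation is counted instead of crashing, and the `ChecksOwnerFirst` guard is a generic pattern, not the fix tracked in bug 211645.

```cpp
// Simplified model for illustration; not WebKit source. Only ref/deref/
// removedLastRef and the flag's meaning come from the report; other names
// are hypothetical.
#include <cstdio>
#include <functional>
#include <utility>
#include <vector>

struct Document {
    int refCount = 1;
    bool inRemovedLastRef = false;  // models m_inRemovedLastRefFunction
    int refsDuringTeardown = 0;     // counted here instead of crashing
    int teardownRuns = 0;
    std::vector<std::function<void(Document&)>> removalHooks;

    void ref() {
        if (inRemovedLastRef)       // the state ASSERT(!m_inRemovedLastRefFunction) rejects
            ++refsDuringTeardown;
        ++refCount;
    }
    void deref() {
        if (--refCount > 0) return;
        inRemovedLastRef = true;
        removedLastRef();
    }
    void removedLastRef() {         // notifies detached children, as in frames 12-23
        ++teardownRuns;
        auto hooks = std::move(removalHooks);
        removalHooks.clear();
        for (auto& hook : hooks) hook(*this);
    }
};

enum class Child { Passive, Reinserts, ChecksOwnerFirst };
struct Result { int refsDuringTeardown; int teardownRuns; };

Result runTeardown(Child kind) {
    Document doc;
    doc.removalHooks.push_back([kind](Document& d) {
        if (kind == Child::Passive) return;
        if (kind == Child::ChecksOwnerFirst && d.inRemovedLastRef) return;
        d.ref();    // temporary reference taken by insertion-side work
        d.deref();  // released again: the count reaches zero a second time
    });
    doc.deref();    // last reference dropped, e.g. by a wrapper finalizer
    return {doc.refsDuringTeardown, doc.teardownRuns};
}

int main() {
    Result r = runTeardown(Child::Reinserts);
    std::printf("refs during teardown: %d, teardown runs: %d\n", r.refsDuringTeardown, r.teardownRuns);
}
```

In this model the `Reinserts` case both trips the flag check and re-enters teardown when the temporary reference is released; in real code a second teardown of the same object would be a double free.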
Comment 3 Alicia Boya García 2019-01-30 13:34:42 PST
Four years later, the crash is not visible in the flakiness dashboard, but the test is not passing either.

It times out in Mac and GTK and fails on iOS, which makes me wonder to what extent the tested feature is useful.
Comment 4 Radar WebKit Bug Importer 2020-05-09 16:13:43 PDT
<rdar://problem/63057680>
Comment 5 Peng Liu 2020-05-11 14:17:38 PDT

*** This bug has been marked as a duplicate of bug 211645 ***