Bug 151838 - Web Inspector: CRASH in LayoutTests/inspector/debugger/terminate-dedicated-worker-while-paused.html
Status: RESOLVED INVALID
Alias: None
Product: WebKit
Classification: Unclassified
Component: Web Inspector
Version: WebKit Nightly Build
Hardware: All All
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2015-12-03 17:33 PST by Joseph Pecoraro
Modified: 2015-12-14 10:50 PST
CC: 10 users

See Also:


Attachments
[CRASH] Multiple Crash Report (63.12 KB, application/zip)
2015-12-03 17:33 PST, Joseph Pecoraro
no flags

Description Joseph Pecoraro 2015-12-03 17:33:18 PST
Created attachment 266581 [details]
[CRASH] Multiple Crash Report

* SUMMARY
CRASH in LayoutTests/inspector/debugger/terminate-dedicated-worker-while-paused.html.

* STEPS TO REPRODUCE
1. Unskip LayoutTests/inspector/debugger/terminate-dedicated-worker-while-paused.html
2. shell> run-webkit-tests --debug inspector/debugger --iterations=10 -1
  => this test crashes

* CRASH LOG
Multiple attached

> Crashed Thread:        34  WebCore: Worker
> Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
> Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000000
>
> Thread 0:: Dispatch queue: com.apple.main-thread
> 0   llint_entry + 3366
> 1   llint_entry + 26604
> 2   llint_entry + 27485
> 3   llint_entry + 26604
> 4   llint_entry + 26604
> 5   vmEntryToJavaScript + 334
> 6   JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 213 (JITCode.cpp:80)
> 7   JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 1186 (Interpreter.cpp:1032)
> 8   JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 190 (CallData.cpp:39)
> 9   JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 83 (CallData.cpp:44)
> 10  WebCore::JSMainThreadExecState::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 107 (JSMainThreadExecState.h:56)
> 11  WebCore::functionCallHandlerFromAnyThread(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 109 (JSMainThreadExecState.cpp:54)
> 12  Deprecated::ScriptFunctionCall::call(bool&) + 488 (ScriptFunctionCall.cpp:138)
> 13  Inspector::InjectedScriptBase::callFunctionWithEvalEnabled(Deprecated::ScriptFunctionCall&, bool&) const + 193 (InjectedScriptBase.cpp:81)
> 14  Inspector::InjectedScriptBase::makeCall(Deprecated::ScriptFunctionCall&, WTF::RefPtr<Inspector::InspectorValue>*) + 137 (InjectedScriptBase.cpp:100)
> 15  Inspector::InjectedScriptBase::makeEvalCall(WTF::String&, Deprecated::ScriptFunctionCall&, WTF::RefPtr<Inspector::Protocol::Runtime::RemoteObject>*, Inspector::Protocol::OptOutput<bool>*, Inspector::Protocol::OptOutput<int>*) + 78 (InjectedScriptBase.cpp:112)
> 16  Inspector::InjectedScript::evaluate(WTF::String&, WTF::String const&, WTF::String const&, bool, bool, bool, bool, WTF::RefPtr<Inspector::Protocol::Runtime::RemoteObject>*, Inspector::Protocol::OptOutput<bool>*, Inspector::Protocol::OptOutput<int>*) + 417 (InjectedScript.cpp:68)
> 17  Inspector::InspectorRuntimeAgent::evaluate(WTF::String&, WTF::String const&, WTF::String const*, bool const*, bool const*, int const*, bool const*, bool const*, bool const*, WTF::RefPtr<Inspector::Protocol::Runtime::RemoteObject>&, Inspector::Protocol::OptOutput<bool>*, Inspector::Protocol::OptOutput<int>*) + 626 (InspectorRuntimeAgent.cpp:128)
> 18  non-virtual thunk to Inspector::InspectorRuntimeAgent::evaluate(WTF::String&, WTF::String const&, WTF::String const*, bool const*, bool const*, int const*, bool const*, bool const*, bool const*, WTF::RefPtr<Inspector::Protocol::Runtime::RemoteObject>&, Inspector::Protocol::OptOutput<bool>*, Inspector::Protocol::OptOutput<int>*) + 252 (InspectorRuntimeAgent.cpp:116)
> 19  Inspector::RuntimeBackendDispatcher::evaluate(long, WTF::RefPtr<Inspector::InspectorObject>&&) + 2601 (InspectorBackendDispatchers.cpp:4969)
> 20  Inspector::RuntimeBackendDispatcher::dispatch(long, WTF::String const&, WTF::Ref<Inspector::InspectorObject>&&) + 827 (InspectorBackendDispatchers.cpp:4898)
> 21  Inspector::BackendDispatcher::dispatch(WTF::String const&) + 1997 (InspectorBackendDispatcher.cpp:181)
> 22  WebCore::InspectorController::dispatchMessageFromFrontend(WTF::String const&) + 47 (InspectorController.cpp:381)
> 23  WebCore::InspectorBackendDispatchTask::timerFired() + 158 (InspectorFrontendClientLocal.cpp:103)
> ...
> 
> Thread 34 Crashed:: WebCore: Worker
> 0   WTF::Atomic<unsigned char>::compareExchangeWeak(unsigned char, unsigned char, std::__1::memory_order) + 367 (atomic:879)
> 1   WTF::LockBase::lock() + 37 (Lock.h:51)
> 2   void WTF::addIterator<JSC::CodeBlock*, JSC::CodeBlock*, WTF::IdentityExtractor, WTF::PtrHash<JSC::CodeBlock*>, WTF::HashTraits<JSC::CodeBlock*>, WTF::HashTraits<JSC::CodeBlock*> >(WTF::HashTable<JSC::CodeBlock*, JSC::CodeBlock*, WTF::IdentityExtractor, WTF::PtrHash<JSC::CodeBlock*>, WTF::HashTraits<JSC::CodeBlock*>, WTF::HashTraits<JSC::CodeBlock*> > const*, WTF::HashTableConstIterator<JSC::CodeBlock*, JSC::CodeBlock*, WTF::IdentityExtractor, WTF::PtrHash<JSC::CodeBlock*>, WTF::HashTraits<JSC::CodeBlock*>, WTF::HashTraits<JSC::CodeBlock*> >*) + 162 (HashTable.h:1386)
> 3   WTF::HashTableConstIterator<JSC::CodeBlock*, JSC::CodeBlock*, WTF::IdentityExtractor, WTF::PtrHash<JSC::CodeBlock*>, WTF::HashTraits<JSC::CodeBlock*>, WTF::HashTraits<JSC::CodeBlock*> >::HashTableConstIterator(WTF::HashTable<JSC::CodeBlock*, JSC::CodeBlock*, WTF::IdentityExtractor, WTF::PtrHash<JSC::CodeBlock*>, WTF::HashTraits<JSC::CodeBlock*>, WTF::HashTraits<JSC::CodeBlock*> > const*, JSC::CodeBlock* const*, JSC::CodeBlock* const*) + 59 (HashTable.h:128)
> 4   WTF::HashTableConstIterator<JSC::CodeBlock*, JSC::CodeBlock*, WTF::IdentityExtractor, WTF::PtrHash<JSC::CodeBlock*>, WTF::HashTraits<JSC::CodeBlock*>, WTF::HashTraits<JSC::CodeBlock*> >::HashTableConstIterator(WTF::HashTable<JSC::CodeBlock*, JSC::CodeBlock*, WTF::IdentityExtractor, WTF::PtrHash<JSC::CodeBlock*>, WTF::HashTraits<JSC::CodeBlock*>, WTF::HashTraits<JSC::CodeBlock*> > const*, JSC::CodeBlock* const*, JSC::CodeBlock* const*) + 45 (HashTable.h:129)
> 5   WTF::HashTable<JSC::CodeBlock*, JSC::CodeBlock*, WTF::IdentityExtractor, WTF::PtrHash<JSC::CodeBlock*>, WTF::HashTraits<JSC::CodeBlock*>, WTF::HashTraits<JSC::CodeBlock*> >::makeConstIterator(JSC::CodeBlock**) const + 64 (HashTable.h:463)
> 6   WTF::HashTable<JSC::CodeBlock*, JSC::CodeBlock*, WTF::IdentityExtractor, WTF::PtrHash<JSC::CodeBlock*>, WTF::HashTraits<JSC::CodeBlock*>, WTF::HashTraits<JSC::CodeBlock*> >::begin() const + 89 (HashTable.h:376)
> 7   WTF::HashSet<JSC::CodeBlock*, WTF::PtrHash<JSC::CodeBlock*>, WTF::HashTraits<JSC::CodeBlock*> >::begin() const + 39 (HashSet.h:173)
> 8   void JSC::CodeBlockSet::iterate<JSC::Debugger::ClearCodeBlockDebuggerRequestsFunctor>(JSC::Debugger::ClearCodeBlockDebuggerRequestsFunctor&) + 67 (CodeBlockSet.h:83)
> 9   void JSC::Heap::forEachCodeBlock<JSC::Debugger::ClearCodeBlockDebuggerRequestsFunctor>(JSC::Debugger::ClearCodeBlockDebuggerRequestsFunctor&) + 63 (HeapInlines.h:155)
> 10  JSC::Debugger::clearBreakpoints() + 100 (Debugger.cpp:480)
> 11  Inspector::ScriptDebugServer::clearBreakpoints() + 31 (ScriptDebugServer.cpp:126)
> 12  Inspector::InspectorDebuggerAgent::clearDebuggerBreakpointState() + 32 (InspectorDebuggerAgent.cpp:786)
> 13  Inspector::InspectorDebuggerAgent::clearInspectorBreakpointState() + 189 (InspectorDebuggerAgent.cpp:781)
> 14  Inspector::InspectorDebuggerAgent::disable(bool) + 86 (InspectorDebuggerAgent.cpp:107)
> 15  WebCore::WebDebuggerAgent::disable(bool) + 47 (WebDebuggerAgent.cpp:49)
> 16  Inspector::InspectorDebuggerAgent::willDestroyFrontendAndBackend(Inspector::DisconnectReason) + 54 (InspectorDebuggerAgent.cpp:83)
> 17  Inspector::AgentRegistry::willDestroyFrontendAndBackend(Inspector::DisconnectReason) + 117 (InspectorAgentRegistry.cpp:68)
> 18  WebCore::WorkerInspectorController::disconnectFrontend(Inspector::DisconnectReason) + 248 (WorkerInspectorController.cpp:163)
> 19  WebCore::WorkerInspectorController::workerGlobalScopeDestroyed() + 114 (WorkerInspectorController.cpp:145)
> 20  WebCore::WorkerGlobalScope::~WorkerGlobalScope() + 214 (WorkerGlobalScope.cpp:87)
> 21  WebCore::DedicatedWorkerGlobalScope::~DedicatedWorkerGlobalScope() + 21 (DedicatedWorkerGlobalScope.cpp:56)
> 22  WebCore::DedicatedWorkerGlobalScope::~DedicatedWorkerGlobalScope() + 21 (DedicatedWorkerGlobalScope.cpp:56)
> 23  WebCore::DedicatedWorkerGlobalScope::~DedicatedWorkerGlobalScope() + 25 (DedicatedWorkerGlobalScope.cpp:55)
> 24  WTF::RefCounted<WebCore::WorkerGlobalScope>::deref() + 83 (RefCounted.h:146)
> 25  void WTF::derefIfNotNull<WebCore::WorkerGlobalScope>(WebCore::WorkerGlobalScope*) + 58 (PassRefPtr.h:43)
> 26  WTF::RefPtr<WebCore::WorkerGlobalScope>::operator=(std::nullptr_t) + 55 (RefPtr.h:142)
> 27  WebCore::WorkerThread::workerThread() + 1312 (WorkerThread.cpp:168)
> 28  WebCore::WorkerThread::workerThreadStart(void*) + 21 (WorkerThread.cpp:129)
> ...
Comment 1 Radar WebKit Bug Importer 2015-12-03 17:33:37 PST
<rdar://problem/23753808>
Comment 2 Joseph Pecoraro 2015-12-03 17:35:44 PST
I wonder if this is a multi-threading issue. The crash is always on the Worker thread iterating the Heap and sometimes (see crash reports) the main thread is evaluating JavaScript. In one case even in JSC::Heap::deleteAllCodeBlocks. I don't see any guarded access to the heap here.
Comment 3 Timothy Hatcher 2015-12-12 19:18:41 PST
I am pretty sure worker code was removed recently.
Comment 4 Joseph Pecoraro 2015-12-14 10:50:35 PST
It was. I'll close this out.