RESOLVED FIXED 180173
ServiceWorker WebProcess sometimes crashes in JSVMClientData::~JSVMClientData()
https://bugs.webkit.org/show_bug.cgi?id=180173
Chris Dumez
Reported 2017-11-29 15:54:25 PST
ServiceWorker WebProcess sometimes crashes in JSVMClientData::~JSVMClientData() when running the layout tests:

Thread 7 Crashed:: WebCore: Worker
0 com.apple.JavaScriptCore 0x00000001ec0adfc4 WTFCrash + 36 (Assertions.cpp:270)
1 com.apple.WebCore 0x00000001de3984e1 WebCore::JSVMClientData::~JSVMClientData() + 289 (WebCoreJSClientData.cpp:56)
2 com.apple.WebCore 0x00000001de398715 WebCore::JSVMClientData::~JSVMClientData() + 21 (WebCoreJSClientData.cpp:59)
3 com.apple.WebCore 0x00000001de398739 WebCore::JSVMClientData::~JSVMClientData() + 25 (WebCoreJSClientData.cpp:53)
4 com.apple.JavaScriptCore 0x00000001ebe486f4 JSC::VM::~VM() + 1268 (VM.cpp:430)
5 com.apple.JavaScriptCore 0x00000001ebe4a7d5 JSC::VM::~VM() + 21 (VM.cpp:439)
6 com.apple.JavaScriptCore 0x00000001eace5297 WTF::ThreadSafeRefCounted<JSC::VM>::deref() const + 71 (ThreadSafeRefCounted.h:71)
7 com.apple.JavaScriptCore 0x00000001eb8d19c1 void WTF::derefIfNotNull<JSC::VM>(JSC::VM*) + 49 (RefPtr.h:46)
8 com.apple.JavaScriptCore 0x00000001eb8c20fb WTF::RefPtr<JSC::VM>::operator=(std::nullptr_t) + 91 (RefPtr.h:152)
9 com.apple.JavaScriptCore 0x00000001ebcbc0ea JSC::JSLockHolder::~JSLockHolder() + 58 (JSLock.cpp:76)
10 com.apple.JavaScriptCore 0x00000001ebcbc165 JSC::JSLockHolder::~JSLockHolder() + 21 (JSLock.cpp:78)
11 com.apple.WebCore 0x00000001de399c2a WebCore::WorkerScriptController::~WorkerScriptController() + 442 (WorkerScriptController.cpp:70)
12 com.apple.WebCore 0x00000001de399e35 WebCore::WorkerScriptController::~WorkerScriptController() + 21 (WorkerScriptController.cpp:70)
13 com.apple.WebCore 0x00000001dfca6d42 WebCore::WorkerGlobalScope::clearScript() + 178 (memory:2397)
14 com.apple.WebCore 0x00000001dfca6c86 WebCore::WorkerThread::stop(WTF::Function<void ()>&&)::$_14::operator()(WebCore::ScriptExecutionContext&) const::'lambda'(WebCore::ScriptExecutionContext&)::operator()(WebCore::ScriptExecutionContext&) const + 38 (WorkerThread.cpp:295)
15 com.apple.WebCore 0x00000001dfca6c34 WTF::Function<void (WebCore::ScriptExecutionContext&)>::CallableWrapper<WebCore::WorkerThread::stop(WTF::Function<void ()>&&)::$_14::operator()(WebCore::ScriptExecutionContext&) const::'lambda'(WebCore::ScriptExecutionContext&)>::call(WebCore::ScriptExecutionContext&) + 52 (Function.h:101)
16 com.apple.WebCore 0x00000001de20d4ce WTF::Function<void (WebCore::ScriptExecutionContext&)>::operator()(WebCore::ScriptExecutionContext&) const + 158 (Function.h:56)
17 com.apple.WebCore 0x00000001de1fac7d WebCore::ScriptExecutionContext::Task::performTask(WebCore::ScriptExecutionContext&) + 29 (ScriptExecutionContext.h:184)
18 com.apple.WebCore 0x00000001dfc96b10 WebCore::WorkerRunLoop::Task::performTask(WebCore::WorkerGlobalScope*) + 128 (WorkerRunLoop.cpp:259)
19 com.apple.WebCore 0x00000001dfc95ebb WebCore::WorkerRunLoop::runCleanupTasks(WebCore::WorkerGlobalScope*) + 395 (WorkerRunLoop.cpp:232)
20 com.apple.WebCore 0x00000001dfc95550 WebCore::WorkerRunLoop::run(WebCore::WorkerGlobalScope*) + 112 (WorkerRunLoop.cpp:140)
21 com.apple.WebCore 0x00000001dfc99ce3 WebCore::WorkerThread::runEventLoop() + 51 (WorkerThread.cpp:258)
22 com.apple.WebCore 0x00000001dfccb215 WebCore::ServiceWorkerThread::runEventLoop() + 21 (ServiceWorkerThread.cpp:95)
23 com.apple.WebCore 0x00000001dfc99917 WebCore::WorkerThread::workerThread() + 1719 (WorkerThread.cpp:201)
24 com.apple.WebCore 0x00000001dfca5828 WebCore::WorkerThread::start(WTF::Function<void (WTF::String const&)>&&)::$_12::operator()() const + 24 (WorkerThread.cpp:145)
25 com.apple.WebCore 0x00000001dfca57e9 WTF::Function<void ()>::CallableWrapper<WebCore::WorkerThread::start(WTF::Function<void (WTF::String const&)>&&)::$_12>::call() + 25 (Function.h:101)
26 com.apple.JavaScriptCore 0x00000001ec0e744b WTF::Function<void ()>::operator()() const + 139 (Function.h:56)
27 com.apple.JavaScriptCore 0x00000001ec13389f WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) + 351 (Threading.cpp:129)
28 com.apple.JavaScriptCore 0x00000001ec138f75 WTF::wtfThreadEntryPoint(void*) + 21 (ThreadingPthreads.cpp:223)
29 libsystem_pthread.dylib 0x00007fff600a86c1 _pthread_body + 340
30 libsystem_pthread.dylib 0x00007fff600a856d _pthread_start + 377
31 libsystem_pthread.dylib 0x00007fff600a7c5d thread_start + 13

Not sure what is causing this. The assertion is:
ASSERT(m_normalWorld->hasOneRef());
Presumably we are leaking the DOMWrapperWorld somehow?
Attachments
Patch (4.01 KB, patch)
2017-11-29 20:01 PST, Chris Dumez
no flags
Chris Dumez
Comment 1 2017-11-29 16:28:27 PST
I can reproduce like so:
Tools/Scripts/run-webkit-tests imported/w3c/web-platform-tests/service-workers/service-worker/ServiceWorkerGlobalScope/registration-attribute.https.html --repeat-each=2
The first run passes but the second one fails. If you check your crashes in Console.app, you'll see a new crash file for the assertion hit.
Chris Dumez
Comment 2 2017-11-29 20:01:21 PST
WebKit Commit Bot
Comment 3 2017-11-29 22:13:44 PST
Comment on attachment 327948 [details] Patch
Clearing flags on attachment: 327948
Committed r225316: <https://trac.webkit.org/changeset/225316>
WebKit Commit Bot
Comment 4 2017-11-29 22:13:45 PST
All reviewed patches have been landed. Closing bug.
Radar WebKit Bug Importer
Comment 5 2017-11-29 22:14:28 PST