Bug 181017 - ASSERT in MessagePort shutdown code
Summary: ASSERT in MessagePort shutdown code
Status: RESOLVED DUPLICATE of bug 94458
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Brady Eidson
Reported: 2017-12-19 20:56 PST by Brady Eidson
Modified: 2017-12-19 23:01 PST

Description Brady Eidson 2017-12-19 20:56:18 PST
ASSERT in MessagePort shutdown code

Ran across this while working on MessagePorts for Service Workers.

The following command in a debug build:
run-webkit-tests fast/events/message-port-constructor-for-deleted-document.html fast/events/message-port-context-destroyed.html

Results in the following:

ASSERTION FAILED: m_closed
/Users/bradeeoh/git/OpenSource/Source/WebCore/dom/MessagePort.cpp(138) : void WebCore::MessagePort::contextDestroyed()
1   0x112a3d72d WTFCrash
2   0x11b260cf3 WebCore::MessagePort::contextDestroyed()
3   0x11b2d9a3a WebCore::ScriptExecutionContext::~ScriptExecutionContext()
4   0x11b16e1bd WebCore::Document::~Document()
5   0x11b4ac775 WebCore::HTMLDocument::~HTMLDocument()
6   0x11b4ac795 WebCore::HTMLDocument::~HTMLDocument()
7   0x11b4ac879 WebCore::HTMLDocument::~HTMLDocument()
8   0x11b16f570 WebCore::Document::decrementReferencingNodeCount()
9   0x11b16f2c4 WebCore::Document::removedLastRef()
10  0x11b293eb7 WebCore::Node::removedLastRef()
11  0x119496db3 WebCore::Node::deref()
12  0x11b28a1d5 WebCore::Node::derefEventTarget()
13  0x1197b3bc6 WebCore::EventTarget::deref()
14  0x1197b3b9f WTF::Ref<WebCore::EventTarget, WTF::DumbPtrTraits<WebCore::EventTarget> >::~Ref()
15  0x1197a18a5 WTF::Ref<WebCore::EventTarget, WTF::DumbPtrTraits<WebCore::EventTarget> >::~Ref()
16  0x119c52219 WebCore::JSDOMWrapper<WebCore::EventTarget>::~JSDOMWrapper()
17  0x119c521f5 WebCore::JSEventTarget::~JSEventTarget()
18  0x119c49fd5 WebCore::JSEventTarget::~JSEventTarget()
19  0x119c46c1d WebCore::JSEventTarget::destroy(JSC::JSCell*)
....

So the ScriptExecutionContext is being destroyed but hasn't told its MessagePorts to close.

It normally tells its MessagePorts to close inside stopActiveDOMObjects.

This test is arranged such that stopActiveDOMObjects is called, *then* a MessagePort is added later, and therefore that MessagePort is never told to close.

Of course the real problem is that MessagePorts are added after stopActiveDOMObjects is called - "Active DOM Objects" and similar objects should not be added then.

Indeed if I add an ASSERT inside ScriptExecutionContext::createdMessagePort:
    ASSERT(!m_activeDOMObjectsAreStopped);

It fires.

So that's the bug.
Comment 1 Brady Eidson 2017-12-19 22:29:06 PST
This can easily be fixed by making MessagePort an ActiveDOMObject, as some comments allude.
Comment 2 Brady Eidson 2017-12-19 22:30:27 PST
Annoyingly, this required interactions between multiple tests that - apparently - weren't happening in normal run-webkit-test runs.

I'm going to try to reproduce standalone first.
Comment 3 Brady Eidson 2017-12-19 22:36:03 PST
(Maybe this test was skipped? 272 out of 791 in fast/events are skipped!!!)
Comment 4 Brady Eidson 2017-12-19 23:01:39 PST

*** This bug has been marked as a duplicate of bug 94458 ***
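
The ordering from the description (ports closed at stop time, a port registered afterwards, then teardown) replayed as an added C++ model; it is not WebKit code and not part of the original report. ToyPort, ToyContext and the closeLate switch are hypothetical names, and closing a late port on registration is an assumed mitigation for illustration, not the fix that landed.

```cpp
// Toy model with hypothetical names (ToyPort, ToyContext); not WebKit source.
#include <cstddef>
#include <vector>

struct ToyPort {
    bool closed = false;
    void close() { closed = true; }
};

class ToyContext {
public:
    explicit ToyContext(bool closeLate) : m_closeLate(closeLate) {}
    // Plays the role of createdMessagePort. Returns false for a port that
    // arrives after stopActiveObjects(), which is the case the report hits.
    bool registerPort(ToyPort& port) {
        m_ports.push_back(&port);
        if (m_stopped && m_closeLate)
            port.close(); // assumed mitigation: close a late port at once
        return !m_stopped;
    }
    // Plays the role of stopActiveDOMObjects: closes only ports known now.
    void stopActiveObjects() {
        m_stopped = true;
        for (ToyPort* port : m_ports)
            port->close();
    }
    // The invariant ASSERT(m_closed) enforces at teardown, as a count.
    std::size_t openPortsAtTeardown() const {
        std::size_t open = 0;
        for (const ToyPort* port : m_ports)
            if (!port->closed) ++open;
        return open;
    }
private:
    bool m_closeLate;
    bool m_stopped = false;
    std::vector<ToyPort*> m_ports;
};

// Replays the reported order: one port before the stop, one port after it.
std::size_t replayReportedSequence(bool closeLate) {
    ToyPort early, late;
    ToyContext context(closeLate);
    context.registerPort(early);
    context.stopActiveObjects();
    context.registerPort(late);
    return context.openPortsAtTeardown();
}
```

With closeLate false the late port is still open at teardown, which is the state the assertion catches; the false return from registerPort marks the same point where ASSERT(!m_activeDOMObjectsAreStopped) fires in the report.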