WebKit Bugzilla
RESOLVED FIXED
185073
REGRESSION(iOS 11.3): Crashes in TimerBase::~TimerBase() in Tencent x5gamehelper
https://bugs.webkit.org/show_bug.cgi?id=185073
Summary
REGRESSION(iOS 11.3): Crashes in TimerBase::~TimerBase() in Tencent x5gamehelper
wang
Reported
2018-04-27 05:25:56 PDT
CrashTracer: type 1:

#0 Thread SIGTRAP
0 WebCore WebCore::TimerBase::~TimerBase() + 120
1 WebCore WebCore::TimerBase::~TimerBase() + 40
2 WebCore WebCore::ImageLoader::~ImageLoader() + 2076
3 WebCore WebCore::HTMLImageElement::~HTMLImageElement() + 224
4 WebCore WebCore::HTMLImageElement::~HTMLImageElement() + 12
5 JavaScriptCore void JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1, JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::JSDestructibleObjectDestroyFunc const&) + 212
6 JavaScriptCore void JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType<JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::JSDestructibleObjectDestroyFunc const&)::'lambda'()::operator()() const + 408
7 JavaScriptCore void JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType<JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::JSDestructibleObjectDestroyFunc const&) + 320
8 JavaScriptCore JSC::JSDestructibleObjectHeapCellType::finishSweep(JSC::MarkedBlock::Handle&, JSC::FreeList*) + 32
9 JavaScriptCore JSC::MarkedBlock::Handle::sweep(JSC::FreeList*) + 372
10 JavaScriptCore JSC::LocalAllocator::tryAllocateIn(JSC::MarkedBlock::Handle*) + 40
11 JavaScriptCore JSC::LocalAllocator::tryAllocateWithoutCollecting() + 48
12 JavaScriptCore JSC::LocalAllocator::allocateSlowCase(JSC::GCDeferralContext*, JSC::AllocationFailureMode) + 292
13 JavaScriptCore JSC::CompleteSubspace::allocateNonVirtual(JSC::VM&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) + 216
14 WebCore std::__1::enable_if<std::is_same<WebCore::GainNode, WebCore::GainNode>::value, WebCore::JSDOMWrapperConverterTraits<WebCore::GainNode>::WrapperClass*>::type WebCore::createWrapper<WebCore::GainNode, WebCore::GainNode>(WebCore::JSDOMGlobalObject*, ***::Ref<WebCore::GainNode, ***::DumbPtrTraits<WebCore::GainNode> >&&) + 220
15 WebCore WebCore::toJS(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WebCore::GainNode&) + 136
16 WebCore WebCore::jsAudioContextPrototypeFunctionCreateGain(JSC::ExecState*) + 264
17 JavaScriptCore _llint_entry + 31860
18 JavaScriptCore _llint_entry + 29020
19 JavaScriptCore _llint_entry + 30040
20 JavaScriptCore _llint_entry + 29020
21 JavaScriptCore _llint_entry + 29020
22 JavaScriptCore _llint_entry + 29020
23 JavaScriptCore _llint_entry + 29020
24 JavaScriptCore _llint_entry + 29020
25 JavaScriptCore _llint_entry + 29020
26 JavaScriptCore _llint_entry + 29020
27 JavaScriptCore _llint_entry + 29020
28 JavaScriptCore _llint_entry + 29020
29 JavaScriptCore _llint_entry + 29020
30 JavaScriptCore _llint_entry + 29020
31 JavaScriptCore _llint_entry + 29020
32 JavaScriptCore _llint_entry + 29020
33 JavaScriptCore _llint_entry + 29020
34 JavaScriptCore _llint_entry + 29020
35 JavaScriptCore _llint_entry + 29020
36 JavaScriptCore _vmEntryToJavaScript + 272
37 JavaScriptCore JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 184
38 JavaScriptCore JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 464
39 JavaScriptCore JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, ***::NakedPtr<JSC::Exception>&) + 180
40 WebCore WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) + 1176
41 WebCore WebCore::EventTarget::fireEventListeners(WebCore::Event&, ***::Vector<***::RefPtr<WebCore::RegisteredEventListener, ***::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, ***::CrashOnOverflow, 16ul, ***::FastMalloc>) + 760
42 WebCore WebCore::EventTarget::fireEventListeners(WebCore::Event&) + 596
43 WebCore WebCore::EventTarget::dispatchEvent(WebCore::Event&) + 116
44 WebCore WebCore::WebSocket::didReceiveBinaryData(***::Vector<unsigned char, 0ul, ***::CrashOnOverflow, 16ul, ***::FastMalloc>&&) + 236
45 WebCore WebCore::WebSocketChannel::processFrame() + 2912
46 WebCore WebCore::WebSocketChannel::processBuffer() + 112
47 WebCore WebCore::WebSocketChannel::didReceiveSocketStreamData(WebCore::SocketStreamHandle&, char const*, unsigned long) + 112
48 WebCore WebCore::SocketStreamHandleImpl::readStreamCallback(unsigned long) + 544
49 CoreFoundation __signalEventSync + 212
50 CoreFoundation __cfstream_solo_signalEventSync + 260
51 CoreFoundation __CFStreamSignalEvent + 548
52 CFNetwork SocketStream::dispatchSignalFromSocketCallbackUnlocked(SocketStreamSignalHolder*) + 64
53 CFNetwork SocketStream::socketCallback(__CFSocket*, unsigned long, __CFData const*, void const*) + 148
54 CFNetwork SocketStream::_SocketCallBack_stream(__CFSocket*, unsigned long, __CFData const*, void const*, void*) + 88
55 CoreFoundation ___CFSocketPerformV0 + 1352
56 CoreFoundation ___CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 24
57 CoreFoundation ___CFRunLoopDoSources0 + 276
58 CoreFoundation ___CFRunLoopRun + 1204
59 CoreFoundation CFRunLoopRunSpecific + 552
60 GraphicsServices GSEventRunModal + 100
61 UIKit UIApplicationMain + 236
62 x5gamehelper main + 88
63 libdyld.dylib _start + 4

#0 Thread SIGTRAP
0 WebCore WebCore::TimerBase::~TimerBase() + 120
1 WebCore WebCore::TimerBase::~TimerBase() + 40
2 WebCore WebCore::XMLHttpRequest::~XMLHttpRequest() + 116
3 WebCore WebCore::XMLHttpRequest::~XMLHttpRequest() + 12
4 JavaScriptCore void JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1, JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::JSDestructibleObjectDestroyFunc const&) + 212
5 JavaScriptCore void JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType<JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::JSDestructibleObjectDestroyFunc const&)::'lambda'()::operator()() const + 408
6 JavaScriptCore void JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType<JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::JSDestructibleObjectDestroyFunc const&) + 320
7 JavaScriptCore JSC::JSDestructibleObjectHeapCellType::finishSweep(JSC::MarkedBlock::Handle&, JSC::FreeList*) + 32
8 JavaScriptCore JSC::MarkedBlock::Handle::sweep(JSC::FreeList*) + 372
9 JavaScriptCore JSC::LocalAllocator::tryAllocateIn(JSC::MarkedBlock::Handle*) + 40
10 JavaScriptCore JSC::LocalAllocator::tryAllocateWithoutCollecting() + 48
11 JavaScriptCore JSC::LocalAllocator::allocateSlowCase(JSC::GCDeferralContext*, JSC::AllocationFailureMode) + 292
12 JavaScriptCore JSC::CompleteSubspace::allocateNonVirtual(JSC::VM&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) + 216
13 WebCore std::__1::enable_if<std::is_same<WebCore::GainNode, WebCore::GainNode>::value, WebCore::JSDOMWrapperConverterTraits<WebCore::GainNode>::WrapperClass*>::type WebCore::createWrapper<WebCore::GainNode, WebCore::GainNode>(WebCore::JSDOMGlobalObject*, ***::Ref<WebCore::GainNode, ***::DumbPtrTraits<WebCore::GainNode> >&&) + 220
14 WebCore WebCore::toJS(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WebCore::GainNode&) + 136
15 WebCore WebCore::jsAudioContextPrototypeFunctionCreateGain(JSC::ExecState*) + 264
16 JavaScriptCore _llint_entry + 31860
17 JavaScriptCore _llint_entry + 29020
18 JavaScriptCore _llint_entry + 30040
19 JavaScriptCore _llint_entry + 29020
20 JavaScriptCore _llint_entry + 29020
21 JavaScriptCore _llint_entry + 29020
22 JavaScriptCore _llint_entry + 29020
23 JavaScriptCore _llint_entry + 29020
24 JavaScriptCore _llint_entry + 29020
25 JavaScriptCore _llint_entry + 29020
26 JavaScriptCore _llint_entry + 29020
27 JavaScriptCore _llint_entry + 29020
28 JavaScriptCore _llint_entry + 29020
29 JavaScriptCore _llint_entry + 28904
30 JavaScriptCore _llint_entry + 28904
31 JavaScriptCore _llint_entry + 28904
32 JavaScriptCore _llint_entry + 29020
33 JavaScriptCore _llint_entry + 29020
34 JavaScriptCore _llint_entry + 28904
35 JavaScriptCore _llint_entry + 29020
36 JavaScriptCore _llint_entry + 29020
37 JavaScriptCore _vmEntryToJavaScript + 272
38 JavaScriptCore JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 184
39 JavaScriptCore JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 464
40 JavaScriptCore JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, ***::NakedPtr<JSC::Exception>&) + 180
41 WebCore WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) + 1176
42 WebCore WebCore::EventTarget::fireEventListeners(WebCore::Event&, ***::Vector<***::RefPtr<WebCore::RegisteredEventListener, ***::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, ***::CrashOnOverflow, 16ul, ***::FastMalloc>) + 760
43 WebCore WebCore::EventTarget::fireEventListeners(WebCore::Event&) + 596
44 WebCore WebCore::EventTarget::dispatchEvent(WebCore::Event&) + 116
45 WebCore WebCore::WebSocket::didReceiveBinaryData(***::Vector<unsigned char, 0ul, ***::CrashOnOverflow, 16ul, ***::FastMalloc>&&) + 236
46 WebCore WebCore::WebSocketChannel::processFrame() + 2912
47 WebCore WebCore::WebSocketChannel::processBuffer() + 112
48 WebCore WebCore::WebSocketChannel::didReceiveSocketStreamData(WebCore::SocketStreamHandle&, char const*, unsigned long) + 112
49 WebCore WebCore::SocketStreamHandleImpl::readStreamCallback(unsigned long) + 544
50 CoreFoundation __signalEventSync + 212
51 CoreFoundation __cfstream_solo_signalEventSync + 260
52 CoreFoundation __CFStreamSignalEvent + 548
53 CFNetwork SocketStream::dispatchSignalFromSocketCallbackUnlocked(SocketStreamSignalHolder*) + 64
54 CFNetwork SocketStream::socketCallback(__CFSocket*, unsigned long, __CFData const*, void const*) + 148
55 CFNetwork SocketStream::_SocketCallBack_stream(__CFSocket*, unsigned long, __CFData const*, void const*, void*) + 88
56 CoreFoundation ___CFSocketPerformV0 + 1352
57 CoreFoundation ___CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 24
58 CoreFoundation ___CFRunLoopDoSources0 + 276
59 CoreFoundation ___CFRunLoopRun + 1204
60 CoreFoundation CFRunLoopRunSpecific + 552
61 GraphicsServices GSEventRunModal + 100
62 UIKit UIApplicationMain + 236
63 x5gamehelper main + 88
64 libdyld.dylib _start + 4

#0 Thread SIGTRAP
0 WebCore WebCore::TimerBase::~TimerBase() + 120
1 WebCore WebCore::TimerBase::~TimerBase() + 40
2 WebCore WebCore::MediaElementSession::~MediaElementSession() + 96
3 WebCore WebCore::HTMLMediaElement::~HTMLMediaElement() + 1340
4 WebCore WebCore::HTMLVideoElement::~HTMLVideoElement() + 176
5 JavaScriptCore void JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1, JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::JSDestructibleObjectDestroyFunc const&) + 212
6 JavaScriptCore void JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType<JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::JSDestructibleObjectDestroyFunc const&)::'lambda'()::operator()() const + 408
7 JavaScriptCore void JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType<JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::JSDestructibleObjectDestroyFunc const&) + 320
8 JavaScriptCore JSC::JSDestructibleObjectHeapCellType::finishSweep(JSC::MarkedBlock::Handle&, JSC::FreeList*) + 32
9 JavaScriptCore JSC::MarkedBlock::Handle::sweep(JSC::FreeList*) + 372
10 JavaScriptCore JSC::LocalAllocator::tryAllocateIn(JSC::MarkedBlock::Handle*) + 40
11 JavaScriptCore JSC::LocalAllocator::tryAllocateWithoutCollecting() + 48
12 JavaScriptCore JSC::LocalAllocator::allocateSlowCase(JSC::GCDeferralContext*, JSC::AllocationFailureMode) + 292
13 JavaScriptCore JSC::CompleteSubspace::allocateNonVirtual(JSC::VM&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) + 216
14 WebCore std::__1::enable_if<std::is_same<WebCore::WebSocket, WebCore::WebSocket>::value, WebCore::JSDOMWrapperConverterTraits<WebCore::WebSocket>::WrapperClass*>::type WebCore::createWrapper<WebCore::WebSocket, WebCore::WebSocket>(WebCore::JSDOMGlobalObject*, ***::Ref<WebCore::WebSocket, ***::DumbPtrTraits<WebCore::WebSocket> >&&) + 220
15 WebCore WebCore::constructJSWebSocket1(JSC::ExecState*) + 284
16 WebCore WebCore::JSDOMConstructor<WebCore::JSWebSocket>::construct(JSC::ExecState*) + 136
17 JavaScriptCore JSC::LLInt::setUpCall(JSC::ExecState*, JSC::Instruction*, JSC::CodeSpecializationKind, JSC::JSValue, JSC::LLIntCallLinkInfo*) + 580
18 JavaScriptCore _llint_entry + 30024
19 JavaScriptCore _llint_entry + 28904
20 JavaScriptCore _llint_entry + 28904
21 JavaScriptCore _llint_entry + 29020
22 JavaScriptCore _llint_entry + 28904
23 JavaScriptCore _llint_entry + 28904
24 JavaScriptCore _llint_entry + 29020
25 JavaScriptCore _llint_entry + 29020
26 JavaScriptCore _llint_entry + 29020
27 JavaScriptCore _llint_entry + 29020
28 JavaScriptCore _vmEntryToJavaScript + 272
29 JavaScriptCore JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 184
30 JavaScriptCore JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 464
31 JavaScriptCore JSC::boundThisNoArgsFunctionCall(JSC::ExecState*) + 512
32 JavaScriptCore _llint_entry + 31860
33 JavaScriptCore _llint_entry + 29020
34 JavaScriptCore _vmEntryToJavaScript + 272
35 JavaScriptCore JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 184
36 JavaScriptCore JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 464
37 JavaScriptCore JSC::boundThisNoArgsFunctionCall(JSC::ExecState*) + 512
38 JavaScriptCore _llint_entry + 31860
39 JavaScriptCore _llint_entry + 29020
40 JavaScriptCore _llint_entry + 29020
41 JavaScriptCore _llint_entry + 29020
42 JavaScriptCore _llint_entry + 28904
43 JavaScriptCore _llint_entry + 29020
44 JavaScriptCore _llint_entry + 28904
45 JavaScriptCore _llint_entry + 28904
46 JavaScriptCore _llint_entry + 28904
47 JavaScriptCore _vmEntryToJavaScript + 272
48 JavaScriptCore JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 184
49 JavaScriptCore JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 464
50 JavaScriptCore JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, ***::NakedPtr<JSC::Exception>&) + 180
51 WebCore WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) + 1176
52 WebCore WebCore::EventTarget::fireEventListeners(WebCore::Event&, ***::Vector<***::RefPtr<WebCore::RegisteredEventListener, ***::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, ***::CrashOnOverflow, 16ul, ***::FastMalloc>) + 760
53 WebCore WebCore::EventTarget::fireEventListeners(WebCore::Event&) + 596
54 WebCore WebCore::EventTarget::dispatchEvent(WebCore::Event&) + 116
55 WebCore WebCore::WebSocket::didReceiveBinaryData(***::Vector<unsigned char, 0ul, ***::CrashOnOverflow, 16ul, ***::FastMalloc>&&) + 236
56 WebCore WebCore::WebSocketChannel::processFrame() + 2912
57 WebCore WebCore::WebSocketChannel::processBuffer() + 112
58 WebCore WebCore::WebSocketChannel::didReceiveSocketStreamData(WebCore::SocketStreamHandle&, char const*, unsigned long) + 112
59 WebCore WebCore::SocketStreamHandleImpl::readStreamCallback(unsigned long) + 544
60 CoreFoundation __signalEventSync + 212
61 CoreFoundation __cfstream_solo_signalEventSync + 260
62 CoreFoundation __CFStreamSignalEvent + 548
63 CFNetwork SocketStream::dispatchSignalFromSocketCallbackUnlocked(SocketStreamSignalHolder*) + 64
64 CFNetwork SocketStream::socketCallback(__CFSocket*, unsigned long, __CFData const*, void const*) + 148
65 CFNetwork SocketStream::_SocketCallBack_stream(__CFSocket*, unsigned long, __CFData const*, void const*, void*) + 88
66 CoreFoundation ___CFSocketPerformV0 + 1352
67 CoreFoundation ___CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 24
68 CoreFoundation ___CFRunLoopDoSources0 + 276
69 CoreFoundation ___CFRunLoopRun + 1204
70 CoreFoundation CFRunLoopRunSpecific + 552
71 GraphicsServices GSEventRunModal + 100
72 UIKit UIApplicationMain + 236
73 x5gamehelper main + 88
74 libdyld.dylib _start + 4
Attachments
Patch (2.08 KB, patch), 2018-05-02 10:40 PDT, Chris Dumez, no flags
Patch (2.39 KB, patch), 2018-05-02 10:43 PDT, Chris Dumez, no flags
Patch (7.95 KB, patch), 2018-05-02 12:30 PDT, Chris Dumez, no flags
Patch (7.95 KB, patch), 2018-05-03 08:48 PDT, Chris Dumez, no flags
Alexey Proskuryakov
Comment 1
2018-04-28 19:20:45 PDT
Is this reproducible at all? This may be a WebKit bug, but another possibility is that some of your code uses WebKit from a wrong thread before the crash occurs.
Radar WebKit Bug Importer
Comment 2
2018-04-28 19:20:57 PDT
<rdar://problem/39821223>
Alexey Proskuryakov
Comment 3
2018-04-28 19:30:51 PDT
Actually, thread 0 must be the wrong thread here. I'm guessing that WebSocketChannel got refactored without considering legacy WebKit on iOS.
Chris Dumez
Comment 4
2018-04-30 09:28:36 PDT
(In reply to Alexey Proskuryakov from comment #3)
> Actually, thread 0 must be the wrong thread here. I'm guessing that
> WebSocketChannel got refactored without considering legacy WebKit on iOS.

Alexey is right that it seems unexpected for code such as EventTarget::dispatchEvent() to run on thread 0 in WebKitLegacy. I would have expected such code to run on the Web thread.

As we can see from the trace, we're already on thread 0 from SocketStreamHandleImpl::readStreamCallback(unsigned long). This callback is scheduled in SocketStreamHandleImpl::scheduleStreams() like so:

CFReadStreamSetClient(m_readStream.get(), static_cast<CFOptionFlags>(-1), readStreamCallback, &clientContext);
CFReadStreamScheduleWithRunLoop(m_readStream.get(), CFRunLoopGetCurrent(), kCFRunLoopCommonModes);

It is using CFRunLoopGetCurrent(), so this is only safe if SocketStreamHandleImpl::scheduleStreams() gets called on the Web thread. It is called from the SocketStreamHandleImpl() constructor, which is called from SocketProvider::createSocketStreamHandle(). This is called from WebSocketChannel::connect(), which I would expect to run on the WebThread given what it does. It is called from WebSocket::connect(), which is Web-exposed and should therefore be called on the WebThread.

I do not see anything obviously wrong with the code yet. I am also not aware of any recent refactoring in this part of the code. I'll investigate further.
Ryosuke Niwa
Comment 5
2018-04-30 13:54:25 PDT
We added a release assertion to TimerBase::~TimerBase() in iOS 11.3 in https://trac.webkit.org/changeset/227934. I suspect Tencent x5gamehelper is accessing UIWebView in a wrong thread, or we're lacking a WebThread lock somewhere.
wang
Comment 6
2018-05-02 00:34:23 PDT
(In reply to Alexey Proskuryakov from comment #1)
> Is this reproducible at all? This may be a WebKit bug, but another
> possibility is that some of your code uses WebKit from a wrong thread before
> the crash occurs.

I can't reproduce it. I got the crash report from Crash Report Tools. It only happened on version 11.3 (15E216). And we access UIWebView in main thread.
Alexey Proskuryakov
Comment 7
2018-05-02 09:54:34 PDT
Wouldn't we hit this if the request was legitimately started on the main thread while holding a WebThreadLock? I don't fully understand the design, but my understanding is that pretty much any code can get to run on the main thread with the lock.
Chris Dumez
Comment 8
2018-05-02 10:40:29 PDT
Created attachment 339315 [details]
Patch
Chris Dumez
Comment 9
2018-05-02 10:43:13 PDT
Created attachment 339316 [details]
Patch
Geoffrey Garen
Comment 10
2018-05-02 10:50:54 PDT
Patch looks OK. Is it ready for review?
Chris Dumez
Comment 11
2018-05-02 10:54:39 PDT
(In reply to Geoffrey Garen from comment #10)
> Patch looks OK. Is it ready for review?
I am waiting for iOS EWS to be green to be safe, but otherwise yes.
Alexey Proskuryakov
Comment 12
2018-05-02 11:03:42 PDT
Comment on attachment 339316 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=339316&action=review

> Source/WebCore/platform/network/cf/SocketStreamHandleImplCFNet.cpp:133
> CFReadStreamScheduleWithRunLoop(m_readStream.get(), CFRunLoopGetCurrent(), kCFRunLoopCommonModes);

Do we still need Current here, not Main?
Chris Dumez
Comment 13
2018-05-02 11:37:40 PDT
(In reply to Alexey Proskuryakov from comment #12)
> Comment on attachment 339316 [details]
> Patch
>
> View in context: https://bugs.webkit.org/attachment.cgi?id=339316&action=review
>
> > Source/WebCore/platform/network/cf/SocketStreamHandleImplCFNet.cpp:133
> > CFReadStreamScheduleWithRunLoop(m_readStream.get(), CFRunLoopGetCurrent(), kCFRunLoopCommonModes);
>
> Do we still need Current here, not Main?
I think so because websockets can be used in workers iirc.
Chris Dumez
Comment 14
2018-05-02 11:42:43 PDT
Comment on attachment 339316 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=339316&action=review

> Source/WebCore/platform/network/cf/SocketStreamHandleImplCFNet.cpp:130
> +    CFReadStreamScheduleWithRunLoop(m_readStream.get(), WebThreadRunLoop(), kCFRunLoopCommonModes);
Well, that's a good point. I guess this means this will not be OK when using WebSockets in workers threads on iOS WebKitLegacy :/
Chris Dumez
Comment 15
2018-05-02 11:48:56 PDT
(In reply to Chris Dumez from comment #13)
> (In reply to Alexey Proskuryakov from comment #12)
> > Comment on attachment 339316 [details]
> > Patch
> >
> > View in context: https://bugs.webkit.org/attachment.cgi?id=339316&action=review
> >
> > > Source/WebCore/platform/network/cf/SocketStreamHandleImplCFNet.cpp:133
> > > CFReadStreamScheduleWithRunLoop(m_readStream.get(), CFRunLoopGetCurrent(), kCFRunLoopCommonModes);
> >
> > Do we still need Current here, not Main?
>
> I think so because websockets can be used in workers iirc.
Actually, we can use Main I believe. The worker case is fine because we always go via WorkerThreadableWebSocketChannel which has a bridge between the main thread and the worker thread.
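The thread-affinity problem worked through in comments 4, 7 and 15, as an added example that is not WebKit's code: a stream scheduled on CFRunLoopGetCurrent() delivers its read callback on whichever thread happened to construct the handle, and if that thread is the main thread (e.g. while the WebThread lock is held) rather than the thread that owns the page objects, the GC sweep triggered from the callback destroys timers on the wrong thread. The model below uses a per-thread task queue as a stand-in for a CFRunLoop, a TimerBase-style object that records whether it was destroyed on its owner's thread (recording the outcome where WebKit uses a RELEASE_ASSERT), and a stream handle scheduled either on the current loop or on the owner's loop. The names RunLoop, Timer, StreamHandle, Outcome and runScenario are constructed for this model and do not exist in WebKit.

```cpp
#include <condition_variable>
#include <functional>
#include <future>
#include <iostream>
#include <memory>
#include <mutex>
#include <queue>
#include <thread>

// Stand-in for a CFRunLoop: a queue of callbacks drained by exactly one thread.
class RunLoop {
public:
    void schedule(std::function<void()> task) {
        { std::lock_guard<std::mutex> lock(m_mutex); m_tasks.push(std::move(task)); }
        m_cv.notify_one();
    }
    // Runs on the loop's own thread until the stop marker is processed.
    void run() {
        for (;;) {
            std::function<void()> task;
            {
                std::unique_lock<std::mutex> lock(m_mutex);
                m_cv.wait(lock, [&] { return !m_tasks.empty(); });
                task = std::move(m_tasks.front());
                m_tasks.pop();
            }
            if (!task) return; // an empty task is the stop marker
            task();
        }
    }
    void stop() { schedule(nullptr); }
    void setThreadId(std::thread::id id) { std::lock_guard<std::mutex> lock(m_mutex); m_thread = id; }
    std::thread::id threadId() { std::lock_guard<std::mutex> lock(m_mutex); return m_thread; }
private:
    std::mutex m_mutex;
    std::condition_variable m_cv;
    std::queue<std::function<void()>> m_tasks;
    std::thread::id m_thread;
};

// What one run of the scenario observes. In WebKit the second field is not
// recorded but enforced by the release assertion in ~TimerBase().
struct Outcome {
    bool callbackOnOwnerThread = false;
    bool timerDestroyedOnOwnerThread = false;
};

// Stand-in for a timer with thread affinity: it belongs to one run loop and
// checks on destruction that it is torn down on that loop's thread.
class Timer {
public:
    Timer(RunLoop& owner, Outcome& out) : m_owner(owner), m_out(out) {}
    ~Timer() { m_out.timerDestroyedOnOwnerThread = (std::this_thread::get_id() == m_owner.threadId()); }
private:
    RunLoop& m_owner;
    Outcome& m_out;
};

// Stand-in for SocketStreamHandleImpl. `scheduleOn` plays the role of the run
// loop passed to CFReadStreamScheduleWithRunLoop(); the read callback later
// fires on whichever thread drives that loop.
class StreamHandle {
public:
    StreamHandle(RunLoop& owner, RunLoop& scheduleOn, Outcome& out)
        : m_owner(owner), m_loop(scheduleOn), m_out(out), m_garbage(std::make_unique<Timer>(owner, out)) {}
    // Models CFNetwork signalling incoming data to the loop the stream is scheduled on.
    void simulateIncomingData(std::function<void()> completion) {
        m_loop.schedule([this, completion] { readStreamCallback(); completion(); });
    }
private:
    void readStreamCallback() {
        m_out.callbackOnOwnerThread = (std::this_thread::get_id() == m_owner.threadId());
        // Dispatching the message event runs script; an allocation there can
        // trigger a GC sweep that destroys page objects and their timers on
        // this thread, which is the shape of the crash trace in this bug.
        m_garbage.reset();
    }
    RunLoop& m_owner;
    RunLoop& m_loop;
    Outcome& m_out;
    std::unique_ptr<Timer> m_garbage;
};

// The handle is created on the main thread but belongs to the web thread.
// useCurrentLoop=true models CFRunLoopGetCurrent() at construction time;
// false models scheduling on the owner's loop regardless of the caller.
Outcome runScenario(bool useCurrentLoop) {
    RunLoop mainLoop, webLoop;
    std::thread mainThread([&] { mainLoop.run(); });
    std::thread webThread([&] { webLoop.run(); });
    mainLoop.setThreadId(mainThread.get_id());
    webLoop.setThreadId(webThread.get_id());
    Outcome out;
    std::unique_ptr<StreamHandle> handle;
    std::promise<void> finished;
    mainLoop.schedule([&] {
        RunLoop& target = useCurrentLoop ? mainLoop : webLoop;
        handle = std::make_unique<StreamHandle>(webLoop, target, out);
        handle->simulateIncomingData([&] { finished.set_value(); });
    });
    finished.get_future().wait();
    mainLoop.stop();
    webLoop.stop();
    mainThread.join();
    webThread.join();
    return out;
}

int main() {
    Outcome buggy = runScenario(true), fixed = runScenario(false);
    std::cout << "CFRunLoopGetCurrent(): callback on owner thread=" << buggy.callbackOnOwnerThread
              << ", timer destroyed on owner thread=" << buggy.timerDestroyedOnOwnerThread << '\n'
              << "owner run loop: callback on owner thread=" << fixed.callbackOnOwnerThread
              << ", timer destroyed on owner thread=" << fixed.timerDestroyedOnOwnerThread << '\n';
}
```

Build with a C++14 compiler and a threading runtime (g++ -std=c++14 -pthread). With useCurrentLoop=true both the read callback and the GC-driven timer destruction land on the main thread, which is exactly the condition the release assertion in ~TimerBase() traps on; scheduling on the owner's loop moves both onto the web thread, which is what replacing CFRunLoopGetCurrent() with the web/main run loop does in the patches on this bug. The same model also shows why the worker case in comment 15 is unaffected: a worker never schedules the stream itself, so the choice of loop is made once, on the owning side of the bridge.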
Chris Dumez
Comment 16
2018-05-02 12:30:24 PDT
Created attachment 339324 [details]
Patch
Alexey Proskuryakov
Comment 17
2018-05-02 23:46:25 PDT
Comment on attachment 339324 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=339324&action=review

> Source/WebCore/ChangeLog:3
> +        REGRESSION(iOS 11.3): Crashes in TimerBase::~TimerBase() in Tencent x5gamehelper
This breaks Windows build.
Ryosuke Niwa
Comment 18
2018-05-02 23:52:33 PDT
Comment on attachment 339324 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=339324&action=review

> Source/WebCore/platform/network/cf/SocketStreamHandleImplCFNet.cpp:82
> +#elif PLATFORM(IOS)
Shouldn't we use USE(WEB_THREAD) here?
Chris Dumez
Comment 19
2018-05-03 08:46:26 PDT
(In reply to Ryosuke Niwa from comment #18)
> Comment on attachment 339324 [details]
> Patch
>
> View in context: https://bugs.webkit.org/attachment.cgi?id=339324&action=review
>
> > Source/WebCore/platform/network/cf/SocketStreamHandleImplCFNet.cpp:82
> > +#elif PLATFORM(IOS)
>
> Shouldn't we use USE(WEB_THREAD) here?
Not sure what the rules are but literally *every* call to WebThreadRunLoop() in WebCore is protected with PLATFORM(IOS), not PLATFORM(WEB_THREAD).
Chris Dumez
Comment 20
2018-05-03 08:48:21 PDT
Created attachment 339409 [details]
Patch
WebKit Commit Bot
Comment 21
2018-05-03 12:17:51 PDT
Comment on attachment 339409 [details]
Patch

Clearing flags on attachment: 339409

Committed r231319: <https://trac.webkit.org/changeset/231319>
WebKit Commit Bot
Comment 22
2018-05-03 12:17:53 PDT
All reviewed patches have been landed. Closing bug.