Bug 185073 - REGRESSION(iOS 11.3): Crashes in TimerBase::~TimerBase() in Tencent x5gamehelper
Summary: REGRESSION(iOS 11.3): Crashes in TimerBase::~TimerBase() in Tencent x5gamehelper
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc. (show other bugs)
Version: Other
Hardware: iPhone / iPad Other
Importance: P2 Critical
Assignee: Chris Dumez
URL:
Keywords: InRadar
Depends on: 185181
Blocks:
Reported: 2018-04-27 05:25 PDT by wang
Modified: 2018-05-03 12:17 PDT (History)

See Also:


Attachments
Patch (2.08 KB, patch), attachment 339315, 2018-05-02 10:40 PDT, Chris Dumez
Patch (2.39 KB, patch), attachment 339316, 2018-05-02 10:43 PDT, Chris Dumez
Patch (7.95 KB, patch), attachment 339324, 2018-05-02 12:30 PDT, Chris Dumez
Patch (7.95 KB, patch), attachment 339409, 2018-05-03 08:48 PDT, Chris Dumez

Description wang 2018-04-27 05:25:56 PDT
CrashTracer:

type 1:

Thread #0 (SIGTRAP):
0 WebCore WebCore::TimerBase::~TimerBase() + 120  
1 WebCore WebCore::TimerBase::~TimerBase() + 40  
2 WebCore WebCore::ImageLoader::~ImageLoader() + 2076  
3 WebCore WebCore::HTMLImageElement::~HTMLImageElement() + 224  
4 WebCore WebCore::HTMLImageElement::~HTMLImageElement() + 12  
5 JavaScriptCore void JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1, JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::JSDestructibleObjectDestroyFunc const&) + 212  
6 JavaScriptCore void JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType<JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::JSDestructibleObjectDestroyFunc const&)::'lambda'()::operator()() const + 408  
7 JavaScriptCore void JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType<JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::JSDestructibleObjectDestroyFunc const&) + 320  
8 JavaScriptCore JSC::JSDestructibleObjectHeapCellType::finishSweep(JSC::MarkedBlock::Handle&, JSC::FreeList*) + 32  
9 JavaScriptCore JSC::MarkedBlock::Handle::sweep(JSC::FreeList*) + 372  
10 JavaScriptCore JSC::LocalAllocator::tryAllocateIn(JSC::MarkedBlock::Handle*) + 40  
11 JavaScriptCore JSC::LocalAllocator::tryAllocateWithoutCollecting() + 48  
12 JavaScriptCore JSC::LocalAllocator::allocateSlowCase(JSC::GCDeferralContext*, JSC::AllocationFailureMode) + 292  
13 JavaScriptCore JSC::CompleteSubspace::allocateNonVirtual(JSC::VM&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) + 216  
14 WebCore std::__1::enable_if<std::is_same<WebCore::GainNode, WebCore::GainNode>::value, WebCore::JSDOMWrapperConverterTraits<WebCore::GainNode>::WrapperClass*>::type WebCore::createWrapper<WebCore::GainNode, WebCore::GainNode>(WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::GainNode, WTF::DumbPtrTraits<WebCore::GainNode> >&&) + 220
15 WebCore WebCore::toJS(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WebCore::GainNode&) + 136  
16 WebCore WebCore::jsAudioContextPrototypeFunctionCreateGain(JSC::ExecState*) + 264  
17 JavaScriptCore _llint_entry + 31860  
18 JavaScriptCore _llint_entry + 29020  
19 JavaScriptCore _llint_entry + 30040  
20 JavaScriptCore _llint_entry + 29020  
21 JavaScriptCore _llint_entry + 29020  
22 JavaScriptCore _llint_entry + 29020  
23 JavaScriptCore _llint_entry + 29020  
24 JavaScriptCore _llint_entry + 29020  
25 JavaScriptCore _llint_entry + 29020  
26 JavaScriptCore _llint_entry + 29020  
27 JavaScriptCore _llint_entry + 29020  
28 JavaScriptCore _llint_entry + 29020  
29 JavaScriptCore _llint_entry + 29020  
30 JavaScriptCore _llint_entry + 29020  
31 JavaScriptCore _llint_entry + 29020  
32 JavaScriptCore _llint_entry + 29020  
33 JavaScriptCore _llint_entry + 29020  
34 JavaScriptCore _llint_entry + 29020  
35 JavaScriptCore _llint_entry + 29020  
36 JavaScriptCore _vmEntryToJavaScript + 272  
37 JavaScriptCore JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 184  
38 JavaScriptCore JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 464  
39 JavaScriptCore JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 180
40 WebCore WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) + 1176  
41 WebCore WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>) + 760
42 WebCore WebCore::EventTarget::fireEventListeners(WebCore::Event&) + 596  
43 WebCore WebCore::EventTarget::dispatchEvent(WebCore::Event&) + 116  
44 WebCore WebCore::WebSocket::didReceiveBinaryData(WTF::Vector<unsigned char, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&&) + 236
45 WebCore WebCore::WebSocketChannel::processFrame() + 2912  
46 WebCore WebCore::WebSocketChannel::processBuffer() + 112  
47 WebCore WebCore::WebSocketChannel::didReceiveSocketStreamData(WebCore::SocketStreamHandle&, char const*, unsigned long) + 112  
48 WebCore WebCore::SocketStreamHandleImpl::readStreamCallback(unsigned long) + 544  
49 CoreFoundation __signalEventSync + 212  
50 CoreFoundation __cfstream_solo_signalEventSync + 260  
51 CoreFoundation __CFStreamSignalEvent + 548  
52 CFNetwork SocketStream::dispatchSignalFromSocketCallbackUnlocked(SocketStreamSignalHolder*) + 64  
53 CFNetwork SocketStream::socketCallback(__CFSocket*, unsigned long, __CFData const*, void const*) + 148  
54 CFNetwork SocketStream::_SocketCallBack_stream(__CFSocket*, unsigned long, __CFData const*, void const*, void*) + 88  
55 CoreFoundation ___CFSocketPerformV0 + 1352  
56 CoreFoundation ___CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 24  
57 CoreFoundation ___CFRunLoopDoSources0 + 276  
58 CoreFoundation ___CFRunLoopRun + 1204  
59 CoreFoundation CFRunLoopRunSpecific + 552  
60 GraphicsServices GSEventRunModal + 100  
61 UIKit UIApplicationMain + 236  
62 x5gamehelper main + 88  
63 libdyld.dylib _start + 4  


Thread #0 (SIGTRAP):
0 WebCore WebCore::TimerBase::~TimerBase() + 120  
1 WebCore WebCore::TimerBase::~TimerBase() + 40  
2 WebCore WebCore::XMLHttpRequest::~XMLHttpRequest() + 116  
3 WebCore WebCore::XMLHttpRequest::~XMLHttpRequest() + 12  
4 JavaScriptCore void JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1, JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::JSDestructibleObjectDestroyFunc const&) + 212  
5 JavaScriptCore void JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType<JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::JSDestructibleObjectDestroyFunc const&)::'lambda'()::operator()() const + 408  
6 JavaScriptCore void JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType<JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::JSDestructibleObjectDestroyFunc const&) + 320  
7 JavaScriptCore JSC::JSDestructibleObjectHeapCellType::finishSweep(JSC::MarkedBlock::Handle&, JSC::FreeList*) + 32  
8 JavaScriptCore JSC::MarkedBlock::Handle::sweep(JSC::FreeList*) + 372  
9 JavaScriptCore JSC::LocalAllocator::tryAllocateIn(JSC::MarkedBlock::Handle*) + 40  
10 JavaScriptCore JSC::LocalAllocator::tryAllocateWithoutCollecting() + 48  
11 JavaScriptCore JSC::LocalAllocator::allocateSlowCase(JSC::GCDeferralContext*, JSC::AllocationFailureMode) + 292  
12 JavaScriptCore JSC::CompleteSubspace::allocateNonVirtual(JSC::VM&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) + 216  
13 WebCore std::__1::enable_if<std::is_same<WebCore::GainNode, WebCore::GainNode>::value, WebCore::JSDOMWrapperConverterTraits<WebCore::GainNode>::WrapperClass*>::type WebCore::createWrapper<WebCore::GainNode, WebCore::GainNode>(WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::GainNode, WTF::DumbPtrTraits<WebCore::GainNode> >&&) + 220
14 WebCore WebCore::toJS(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WebCore::GainNode&) + 136  
15 WebCore WebCore::jsAudioContextPrototypeFunctionCreateGain(JSC::ExecState*) + 264  
16 JavaScriptCore _llint_entry + 31860  
17 JavaScriptCore _llint_entry + 29020  
18 JavaScriptCore _llint_entry + 30040  
19 JavaScriptCore _llint_entry + 29020  
20 JavaScriptCore _llint_entry + 29020  
21 JavaScriptCore _llint_entry + 29020  
22 JavaScriptCore _llint_entry + 29020  
23 JavaScriptCore _llint_entry + 29020  
24 JavaScriptCore _llint_entry + 29020  
25 JavaScriptCore _llint_entry + 29020  
26 JavaScriptCore _llint_entry + 29020  
27 JavaScriptCore _llint_entry + 29020  
28 JavaScriptCore _llint_entry + 29020  
29 JavaScriptCore _llint_entry + 28904  
30 JavaScriptCore _llint_entry + 28904  
31 JavaScriptCore _llint_entry + 28904  
32 JavaScriptCore _llint_entry + 29020  
33 JavaScriptCore _llint_entry + 29020  
34 JavaScriptCore _llint_entry + 28904  
35 JavaScriptCore _llint_entry + 29020  
36 JavaScriptCore _llint_entry + 29020  
37 JavaScriptCore _vmEntryToJavaScript + 272  
38 JavaScriptCore JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 184  
39 JavaScriptCore JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 464  
40 JavaScriptCore JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 180
41 WebCore WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) + 1176  
42 WebCore WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>) + 760
43 WebCore WebCore::EventTarget::fireEventListeners(WebCore::Event&) + 596  
44 WebCore WebCore::EventTarget::dispatchEvent(WebCore::Event&) + 116  
45 WebCore WebCore::WebSocket::didReceiveBinaryData(WTF::Vector<unsigned char, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&&) + 236
46 WebCore WebCore::WebSocketChannel::processFrame() + 2912  
47 WebCore WebCore::WebSocketChannel::processBuffer() + 112  
48 WebCore WebCore::WebSocketChannel::didReceiveSocketStreamData(WebCore::SocketStreamHandle&, char const*, unsigned long) + 112  
49 WebCore WebCore::SocketStreamHandleImpl::readStreamCallback(unsigned long) + 544  
50 CoreFoundation __signalEventSync + 212  
51 CoreFoundation __cfstream_solo_signalEventSync + 260  
52 CoreFoundation __CFStreamSignalEvent + 548  
53 CFNetwork SocketStream::dispatchSignalFromSocketCallbackUnlocked(SocketStreamSignalHolder*) + 64  
54 CFNetwork SocketStream::socketCallback(__CFSocket*, unsigned long, __CFData const*, void const*) + 148  
55 CFNetwork SocketStream::_SocketCallBack_stream(__CFSocket*, unsigned long, __CFData const*, void const*, void*) + 88  
56 CoreFoundation ___CFSocketPerformV0 + 1352  
57 CoreFoundation ___CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 24  
58 CoreFoundation ___CFRunLoopDoSources0 + 276  
59 CoreFoundation ___CFRunLoopRun + 1204  
60 CoreFoundation CFRunLoopRunSpecific + 552  
61 GraphicsServices GSEventRunModal + 100  
62 UIKit UIApplicationMain + 236  
63 x5gamehelper main + 88  
64 libdyld.dylib _start + 4  


Thread #0 (SIGTRAP):
0 WebCore WebCore::TimerBase::~TimerBase() + 120  
1 WebCore WebCore::TimerBase::~TimerBase() + 40  
2 WebCore WebCore::MediaElementSession::~MediaElementSession() + 96  
3 WebCore WebCore::HTMLMediaElement::~HTMLMediaElement() + 1340  
4 WebCore WebCore::HTMLVideoElement::~HTMLVideoElement() + 176  
5 JavaScriptCore void JSC::MarkedBlock::Handle::specializedSweep<true, (JSC::MarkedBlock::Handle::EmptyMode)1, (JSC::MarkedBlock::Handle::SweepMode)1, (JSC::MarkedBlock::Handle::SweepDestructionMode)1, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)1, (JSC::MarkedBlock::Handle::MarksMode)1, JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::JSDestructibleObjectDestroyFunc const&) + 212  
6 JavaScriptCore void JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType<JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::JSDestructibleObjectDestroyFunc const&)::'lambda'()::operator()() const + 408  
7 JavaScriptCore void JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType<JSC::JSDestructibleObjectDestroyFunc>(JSC::FreeList*, JSC::JSDestructibleObjectDestroyFunc const&) + 320  
8 JavaScriptCore JSC::JSDestructibleObjectHeapCellType::finishSweep(JSC::MarkedBlock::Handle&, JSC::FreeList*) + 32  
9 JavaScriptCore JSC::MarkedBlock::Handle::sweep(JSC::FreeList*) + 372  
10 JavaScriptCore JSC::LocalAllocator::tryAllocateIn(JSC::MarkedBlock::Handle*) + 40  
11 JavaScriptCore JSC::LocalAllocator::tryAllocateWithoutCollecting() + 48  
12 JavaScriptCore JSC::LocalAllocator::allocateSlowCase(JSC::GCDeferralContext*, JSC::AllocationFailureMode) + 292  
13 JavaScriptCore JSC::CompleteSubspace::allocateNonVirtual(JSC::VM&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) + 216  
14 WebCore std::__1::enable_if<std::is_same<WebCore::WebSocket, WebCore::WebSocket>::value, WebCore::JSDOMWrapperConverterTraits<WebCore::WebSocket>::WrapperClass*>::type WebCore::createWrapper<WebCore::WebSocket, WebCore::WebSocket>(WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::WebSocket, WTF::DumbPtrTraits<WebCore::WebSocket> >&&) + 220
15 WebCore WebCore::constructJSWebSocket1(JSC::ExecState*) + 284  
16 WebCore WebCore::JSDOMConstructor<WebCore::JSWebSocket>::construct(JSC::ExecState*) + 136  
17 JavaScriptCore JSC::LLInt::setUpCall(JSC::ExecState*, JSC::Instruction*, JSC::CodeSpecializationKind, JSC::JSValue, JSC::LLIntCallLinkInfo*) + 580  
18 JavaScriptCore _llint_entry + 30024  
19 JavaScriptCore _llint_entry + 28904  
20 JavaScriptCore _llint_entry + 28904  
21 JavaScriptCore _llint_entry + 29020  
22 JavaScriptCore _llint_entry + 28904  
23 JavaScriptCore _llint_entry + 28904  
24 JavaScriptCore _llint_entry + 29020  
25 JavaScriptCore _llint_entry + 29020  
26 JavaScriptCore _llint_entry + 29020  
27 JavaScriptCore _llint_entry + 29020  
28 JavaScriptCore _vmEntryToJavaScript + 272  
29 JavaScriptCore JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 184  
30 JavaScriptCore JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 464  
31 JavaScriptCore JSC::boundThisNoArgsFunctionCall(JSC::ExecState*) + 512  
32 JavaScriptCore _llint_entry + 31860  
33 JavaScriptCore _llint_entry + 29020  
34 JavaScriptCore _vmEntryToJavaScript + 272  
35 JavaScriptCore JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 184  
36 JavaScriptCore JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 464  
37 JavaScriptCore JSC::boundThisNoArgsFunctionCall(JSC::ExecState*) + 512  
38 JavaScriptCore _llint_entry + 31860  
39 JavaScriptCore _llint_entry + 29020  
40 JavaScriptCore _llint_entry + 29020  
41 JavaScriptCore _llint_entry + 29020  
42 JavaScriptCore _llint_entry + 28904  
43 JavaScriptCore _llint_entry + 29020  
44 JavaScriptCore _llint_entry + 28904  
45 JavaScriptCore _llint_entry + 28904  
46 JavaScriptCore _llint_entry + 28904  
47 JavaScriptCore _vmEntryToJavaScript + 272  
48 JavaScriptCore JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 184  
49 JavaScriptCore JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 464  
50 JavaScriptCore JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 180
51 WebCore WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) + 1176  
52 WebCore WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>) + 760
53 WebCore WebCore::EventTarget::fireEventListeners(WebCore::Event&) + 596  
54 WebCore WebCore::EventTarget::dispatchEvent(WebCore::Event&) + 116  
55 WebCore WebCore::WebSocket::didReceiveBinaryData(WTF::Vector<unsigned char, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&&) + 236
56 WebCore WebCore::WebSocketChannel::processFrame() + 2912  
57 WebCore WebCore::WebSocketChannel::processBuffer() + 112  
58 WebCore WebCore::WebSocketChannel::didReceiveSocketStreamData(WebCore::SocketStreamHandle&, char const*, unsigned long) + 112  
59 WebCore WebCore::SocketStreamHandleImpl::readStreamCallback(unsigned long) + 544  
60 CoreFoundation __signalEventSync + 212  
61 CoreFoundation __cfstream_solo_signalEventSync + 260  
62 CoreFoundation __CFStreamSignalEvent + 548  
63 CFNetwork SocketStream::dispatchSignalFromSocketCallbackUnlocked(SocketStreamSignalHolder*) + 64  
64 CFNetwork SocketStream::socketCallback(__CFSocket*, unsigned long, __CFData const*, void const*) + 148  
65 CFNetwork SocketStream::_SocketCallBack_stream(__CFSocket*, unsigned long, __CFData const*, void const*, void*) + 88  
66 CoreFoundation ___CFSocketPerformV0 + 1352  
67 CoreFoundation ___CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 24  
68 CoreFoundation ___CFRunLoopDoSources0 + 276  
69 CoreFoundation ___CFRunLoopRun + 1204  
70 CoreFoundation CFRunLoopRunSpecific + 552  
71 GraphicsServices GSEventRunModal + 100  
72 UIKit UIApplicationMain + 236  
73 x5gamehelper main + 88  
74 libdyld.dylib _start + 4
Comment 1 Alexey Proskuryakov 2018-04-28 19:20:45 PDT
Is this reproducible at all? This may be a WebKit bug, but another possibility is that some of your code uses WebKit from a wrong thread before the crash occurs.
Comment 2 Radar WebKit Bug Importer 2018-04-28 19:20:57 PDT
<rdar://problem/39821223>
Comment 3 Alexey Proskuryakov 2018-04-28 19:30:51 PDT
Actually, thread 0 must be the wrong thread here. I'm guessing that WebSocketChannel got refactored without considering legacy WebKit on iOS.
Comment 4 Chris Dumez 2018-04-30 09:28:36 PDT
(In reply to Alexey Proskuryakov from comment #3)
> Actually, thread 0 must be the wrong thread here. I'm guessing that
> WebSocketChannel got refactored without considering legacy WebKit on iOS.
Alexey is right that it seems unexpected for code such as EventTarget::dispatchEvent() to run on thread 0 in WebKitLegacy. I would have expected such code to run on the Web thread.

As we can see from the trace, we're already on thread 0 from SocketStreamHandleImpl::readStreamCallback(unsigned long).

This callback is scheduled in SocketStreamHandleImpl::scheduleStreams() like so:
CFReadStreamSetClient(m_readStream.get(), static_cast<CFOptionFlags>(-1), readStreamCallback, &clientContext);
CFReadStreamScheduleWithRunLoop(m_readStream.get(), CFRunLoopGetCurrent(), kCFRunLoopCommonModes);

It is using CFRunLoopGetCurrent() so this is only safe if SocketStreamHandleImpl::scheduleStreams() gets called on the Web thread. It is called from the SocketStreamHandleImpl() constructor, which is called from SocketProvider::createSocketStreamHandle().
This is called from WebSocketChannel::connect(), which I would expect to run on the WebThread given what it does. It is called from WebSocket::connect() which is Web-exposed and should therefore be called on the WebThread.

I do not see anything obviously wrong with the code yet. I am also not aware of any recent refactoring in this part of the code. I'll investigate further.
Comment 5 Ryosuke Niwa 2018-04-30 13:54:25 PDT
We added a release assertion to TimerBase::~TimerBase() in iOS 11.3 in https://trac.webkit.org/changeset/227934.

I suspect Tencent x5gamehelper is accessing UIWebView in a wrong thread, or we're lacking a WebThread lock somewhere.
Comment 6 wang 2018-05-02 00:34:23 PDT
(In reply to Alexey Proskuryakov from comment #1)
> Is this reproducible at all? This may be a WebKit bug, but another
> possibility is that some of your code uses WebKit from a wrong thread before
> the crash occurs.

I can't reproduce it. I got the crash report from Crash Report Tools. It only happened on version 11.3 (15E216). And we access UIWebView on the main thread.
Comment 7 Alexey Proskuryakov 2018-05-02 09:54:34 PDT
Wouldn't we hit this if the request was legitimately started on the main thread while holding a WebThreadLock? I don't fully understand the design, but my understanding is that pretty much any code can get to run on the main thread with the lock.
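The mechanism laid out in comments 4, 5 and 7 can be reduced to a small model. What follows is an added example, not code from WebKit or from any patch on this bug: a toy RunLoop stands in for CFRunLoop (its RunLoop::current() playing CFRunLoopGetCurrent()), Timer for the owning-thread check in WebCore::TimerBase, scheduleStreams() for SocketStreamHandleImpl::scheduleStreams(), a second thread for WebKitLegacy's web thread and g_webThreadLoop for WebThreadRunLoop(); all of those names are assumptions. The scenario creates a timer-owning object on the web thread, enters the WebSocket connect path from the main thread as comment 7 suggests can happen under the WebThreadLock, and reports whether the object is later torn down off its owning thread when the read callback is registered on the current loop versus the web thread's loop.

```cpp
// Added example, not WebKit code. RunLoop, Timer, scheduleStreams() and
// g_webThreadLoop are assumptions standing in for CFRunLoop, WebCore::TimerBase,
// SocketStreamHandleImpl::scheduleStreams() and WebKitLegacy's WebThreadRunLoop().
#include <atomic>
#include <condition_variable>
#include <cstdio>
#include <deque>
#include <functional>
#include <memory>
#include <mutex>
#include <thread>

// A run loop: a task queue drained by exactly one thread.
class RunLoop {
public:
    static RunLoop* current() { return s_current; } // models CFRunLoopGetCurrent()
    void run() {
        s_current = this;
        for (;;) {
            std::function<void()> task;
            {
                std::unique_lock<std::mutex> lock(m_mutex);
                m_cv.wait(lock, [&] { return m_stopped || !m_tasks.empty(); });
                if (m_tasks.empty()) break;
                task = std::move(m_tasks.front());
                m_tasks.pop_front();
            }
            task(); // outside the lock, so a task may dispatch() to or stop() a loop
        }
        s_current = nullptr;
    }
    void dispatch(std::function<void()> task) {
        std::lock_guard<std::mutex> lock(m_mutex);
        m_tasks.push_back(std::move(task));
        m_cv.notify_one();
    }
    void stop() {
        std::lock_guard<std::mutex> lock(m_mutex);
        m_stopped = true;
        m_cv.notify_one();
    }
private:
    static thread_local RunLoop* s_current;
    std::mutex m_mutex;
    std::condition_variable m_cv;
    std::deque<std::function<void()>> m_tasks;
    bool m_stopped = false;
};
thread_local RunLoop* RunLoop::s_current = nullptr;

// Models the check r227934 added to TimerBase::~TimerBase(): a timer must die on the
// thread that created it. WebKit RELEASE_ASSERTs (the SIGTRAP above); this counts instead.
struct Timer {
    explicit Timer(std::atomic<int>& violations) : m_violations(violations) {}
    ~Timer() { if (std::this_thread::get_id() != m_owner) ++m_violations; }
    std::thread::id m_owner = std::this_thread::get_id();
    std::atomic<int>& m_violations;
};

static RunLoop* g_webThreadLoop = nullptr; // models WebThreadRunLoop()

// Models scheduleStreams(): register the read callback on a run loop. The buggy
// choice is RunLoop::current(), i.e. whichever thread happens to be calling.
static void scheduleStreams(bool pinToWebThread, std::function<void()> readStreamCallback) {
    (pinToWebThread ? g_webThreadLoop : RunLoop::current())->dispatch(std::move(readStreamCallback));
}

// Runs one scenario; returns how many timers were destroyed off their owning thread.
static int simulate(bool pinToWebThread) {
    std::atomic<int> violations { 0 };
    RunLoop mainLoop, webLoop;
    g_webThreadLoop = &webLoop;
    std::thread webThread([&] { webLoop.run(); });
    // A script-created object owning a Timer (think XMLHttpRequest). Script runs on
    // the web thread, so the Timer records the web thread as its owner.
    std::unique_ptr<Timer> domObject;
    webLoop.dispatch([&] {
        domObject.reset(new Timer(violations));
        // WebSocket::connect() entered from the main thread while it holds the
        // WebThreadLock, the situation comment 7 describes for WebKitLegacy.
        mainLoop.dispatch([&] {
            scheduleStreams(pinToWebThread, [&] {
                // readStreamCallback -> JS event handler -> GC sweep: the object
                // dies on whichever thread the callback was delivered to.
                domObject.reset();
                webLoop.stop();
                mainLoop.stop();
            });
        });
    });
    mainLoop.run(); // the calling thread plays the main thread
    webThread.join();
    return violations.load();
}

int main() {
    std::printf("CFRunLoopGetCurrent(): %d off-thread timer destruction(s)\n", simulate(false));
    std::printf("WebThreadRunLoop():    %d off-thread timer destruction(s)\n", simulate(true));
}
```

Built with a C++11 compiler and threads enabled (for example g++ -std=c++11 -pthread), the first line reports one violation and the second none. Pinning to the web thread's loop is what the attached patch does for iOS via WebThreadRunLoop() (comment 14); it does not regress workers because, as comment 15 points out, worker WebSockets reach the channel through WorkerThreadableWebSocketChannel's bridge to the main thread.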
Comment 8 Chris Dumez 2018-05-02 10:40:29 PDT
Created attachment 339315 [details]
Patch
Comment 9 Chris Dumez 2018-05-02 10:43:13 PDT
Created attachment 339316 [details]
Patch
Comment 10 Geoffrey Garen 2018-05-02 10:50:54 PDT
Patch looks OK. Is it ready for review?
Comment 11 Chris Dumez 2018-05-02 10:54:39 PDT
(In reply to Geoffrey Garen from comment #10)
> Patch looks OK. Is it ready for review?

I am waiting for iOS EWS to be green to be safe, but otherwise yes.
Comment 12 Alexey Proskuryakov 2018-05-02 11:03:42 PDT
Comment on attachment 339316 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=339316&action=review

> Source/WebCore/platform/network/cf/SocketStreamHandleImplCFNet.cpp:133
>      CFReadStreamScheduleWithRunLoop(m_readStream.get(), CFRunLoopGetCurrent(), kCFRunLoopCommonModes);

Do we still need Current here, not Main?
Comment 13 Chris Dumez 2018-05-02 11:37:40 PDT
(In reply to Alexey Proskuryakov from comment #12)
> Comment on attachment 339316 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=339316&action=review
> 
> > Source/WebCore/platform/network/cf/SocketStreamHandleImplCFNet.cpp:133
> >      CFReadStreamScheduleWithRunLoop(m_readStream.get(), CFRunLoopGetCurrent(), kCFRunLoopCommonModes);
> 
> Do we still need Current here, not Main?

I think so because websockets can be used in workers iirc.
Comment 14 Chris Dumez 2018-05-02 11:42:43 PDT
Comment on attachment 339316 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=339316&action=review

> Source/WebCore/platform/network/cf/SocketStreamHandleImplCFNet.cpp:130
> +    CFReadStreamScheduleWithRunLoop(m_readStream.get(), WebThreadRunLoop(), kCFRunLoopCommonModes);

Well, that's a good point. I guess this means this will not be OK when using WebSockets in workers threads on iOS WebKitLegacy :/
Comment 15 Chris Dumez 2018-05-02 11:48:56 PDT
(In reply to Chris Dumez from comment #13)
> (In reply to Alexey Proskuryakov from comment #12)
> > Comment on attachment 339316 [details]
> > Patch
> > 
> > View in context:
> > https://bugs.webkit.org/attachment.cgi?id=339316&action=review
> > 
> > > Source/WebCore/platform/network/cf/SocketStreamHandleImplCFNet.cpp:133
> > >      CFReadStreamScheduleWithRunLoop(m_readStream.get(), CFRunLoopGetCurrent(), kCFRunLoopCommonModes);
> > 
> > Do we still need Current here, not Main?
> 
> I think so because websockets can be used in workers iirc.

Actually, we can use Main I believe. The worker case is fine because we always go via WorkerThreadableWebSocketChannel which has a bridge between the main thread and the worker thread.
Comment 16 Chris Dumez 2018-05-02 12:30:24 PDT
Created attachment 339324 [details]
Patch
Comment 17 Alexey Proskuryakov 2018-05-02 23:46:25 PDT
Comment on attachment 339324 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=339324&action=review

> Source/WebCore/ChangeLog:3
> +        REGRESSION(iOS 11.3): Crashes in TimerBase::~TimerBase() in Tencent x5gamehelper

This breaks Windows build.
Comment 18 Ryosuke Niwa 2018-05-02 23:52:33 PDT
Comment on attachment 339324 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=339324&action=review

> Source/WebCore/platform/network/cf/SocketStreamHandleImplCFNet.cpp:82
> +#elif PLATFORM(IOS)

Shouldn't we use USE(WEB_THREAD) here?
Comment 19 Chris Dumez 2018-05-03 08:46:26 PDT
(In reply to Ryosuke Niwa from comment #18)
> Comment on attachment 339324 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=339324&action=review
> 
> > Source/WebCore/platform/network/cf/SocketStreamHandleImplCFNet.cpp:82
> > +#elif PLATFORM(IOS)
> 
> Shouldn't we use USE(WEB_THREAD) here?

Not sure what the rules are but literally *every* call to WebThreadRunLoop() in WebCore is protected with PLATFORM(IOS), not PLATFORM(WEB_THREAD).
Comment 20 Chris Dumez 2018-05-03 08:48:21 PDT
Created attachment 339409 [details]
Patch
Comment 21 WebKit Commit Bot 2018-05-03 12:17:51 PDT
Comment on attachment 339409 [details]
Patch

Clearing flags on attachment: 339409

Committed r231319: <https://trac.webkit.org/changeset/231319>
Comment 22 WebKit Commit Bot 2018-05-03 12:17:53 PDT
All reviewed patches have been landed.  Closing bug.