RESOLVED FIXED 192421
Crash under WebCore::cachedDocumentWrapper()
https://bugs.webkit.org/show_bug.cgi?id=192421
Summary Crash under WebCore::cachedDocumentWrapper()
Chris Dumez
Reported 2018-12-05 12:10:40 PST
Crash under WebCore::cachedDocumentWrapper():

Thread[0] EXC_BAD_ACCESS (SIGSEGV) (KERN_INVALID_ADDRESS at 0x0000000000000848)

[ 0] 0x000000020a99c690 WebCore`WebCore::cachedDocumentWrapper(JSC::ExecState&, WebCore::JSDOMGlobalObject&, WebCore::Document&) [inlined] WTF::DumbPtrTraits<WebCore::DOMWrapperWorld>::unwrap(WebCore::DOMWrapperWorld* const&) at DumbPtrTraits.h:41:69
    0x000000020a99c680: bl 0xa066f4 ; WebCore::toJS [inlined] WebCore::FrameDestructionObserver::frame() const at DOMWindow.h:204
    0x000000020a99c684: mov x1, x0
    0x000000020a99c688: mov x0, x21
    0x000000020a99c68c: bl 0xa06728 ; WebCore::toJSDOMWindow [inlined] JSC::JSValue::isCell() const at JSCJSValueInlines.h:609
 -> 0x000000020a99c690: ldr x8, [x0, #0x848]
    0x000000020a99c694: ldrb w9, [x8, #0x40]
    0x000000020a99c698: cbz w9, 0xa0c6b8 ; <+160> [inlined] WebCore::DOMWrapperWorld::wrappers() at JSDOMWrapperCache.h:163
    0x000000020a99c69c: ldr x9, [x19, #0x8]
    0x000000020a99c6a0: cbz x9, 0xa0c6b8 ; <+160> [inlined] WebCore::DOMWrapperWorld::wrappers() at JSDOMWrapperCache.h:163

[ 0] 0x000000020a99c690 WebCore`WebCore::cachedDocumentWrapper(JSC::ExecState&, WebCore::JSDOMGlobalObject&, WebCore::Document&) [inlined] WTF::Ref<WebCore::DOMWrapperWorld, WTF::DumbPtrTraits<WebCore::DOMWrapperWorld> >::get() const at Ref.h:122

[ 0] 0x000000020a99c690 WebCore`WebCore::cachedDocumentWrapper(JSC::ExecState&, WebCore::JSDOMGlobalObject&, WebCore::Document&) [inlined] WebCore::JSDOMGlobalObject::world() at JSDOMGlobalObject.h:74
    70     Event* currentEvent() const;
    71
    72     static void visitChildren(JSC::JSCell*, JSC::SlotVisitor&);
    73
 -> 74     DOMWrapperWorld& world() { return m_world.get(); }
    75     bool worldIsNormal() const { return m_worldIsNormal; }
    76     static ptrdiff_t offsetOfWorldIsNormal() { return OBJECT_OFFSETOF(JSDOMGlobalObject, m_worldIsNormal); }
    77
    78     JSBuiltinInternalFunctions& builtinInternalFunctions() { return m_builtinInternalFunctions; }

[ 0] 0x000000020a99c690 WebCore`WebCore::cachedDocumentWrapper(JSC::ExecState&, WebCore::JSDOMGlobalObject&, WebCore::Document&) + 120 at JSDocumentCustom.cpp:60
    56     if (!window)
    57         return nullptr;
    58
    59     // Creating a wrapper for domWindow might have created a wrapper for document as well.
 -> 60     return getCachedWrapper(toJSDOMWindow(state.vm(), toJS(&state, *window))->world(), document);
    61 }
    62
    63 void reportMemoryForDocumentIfFrameless(ExecState& state, Document& document)
    64 {

[ 1] 0x000000020a99c68f WebCore`WebCore::cachedDocumentWrapper(JSC::ExecState&, WebCore::JSDOMGlobalObject&, WebCore::Document&) + 119 at JSDocumentCustom.cpp:60:29
[ 2] 0x000000020a99c90f WebCore`WebCore::toJS(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WebCore::Document&) + 35 at JSDocumentCustom.cpp:86:25
[ 3] 0x000000020a4a5303 WebCore`WebCore::jsNodeParentNode(JSC::ExecState*, long long, JSC::PropertyName) [inlined] WebCore::toJS(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WebCore::Node&) + 51 at JSNodeCustom.h:62:12
[ 3] 0x000000020a4a52d0 WebCore`WebCore::jsNodeParentNode(JSC::ExecState*, long long, JSC::PropertyName) [inlined] WebCore::toJS(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WebCore::Node*) at JSNode.h:97
[ 3] 0x000000020a4a52d0 WebCore`WebCore::jsNodeParentNode(JSC::ExecState*, long long, JSC::PropertyName) [inlined] JSC::JSValue WebCore::JSConverter<WebCore::IDLInterface<WebCore::Node> >::convert<WebCore::ContainerNode*>(JSC::ExecState&, WebCore::JSDOMGlobalObject&, WebCore::ContainerNode* const&) at JSDOMConvertInterface.h:81
[ 3] 0x000000020a4a52d0 WebCore`WebCore::jsNodeParentNode(JSC::ExecState*, long long, JSC::PropertyName) [inlined] JSC::JSValue WebCore::JSConverter<WebCore::IDLNullable<WebCore::IDLInterface<WebCore::Node> > >::convert<WebCore::ContainerNode*>(JSC::ExecState&, WebCore::JSDOMGlobalObject&, WebCore::ContainerNode*&&) + 28 at JSDOMConvertNullable.h:137
Attachments
Patch (1.77 KB, patch)
2018-12-05 12:14 PST, Chris Dumez
no flags
Chris Dumez
Comment 1 2018-12-05 12:14:31 PST
WebKit Commit Bot
Comment 2 2018-12-05 12:47:49 PST
The commit-queue encountered the following flaky tests while processing attachment 356638 [details]: imported/w3c/web-platform-tests/WebCryptoAPI/generateKey/failures_AES-KW.https.any.worker.html bug 192423 The commit-queue is continuing to process your patch.
Alexey Proskuryakov
Comment 3 2018-12-05 12:57:47 PST
Comment on attachment 356638 [details]
Patch

No test case?
Chris Dumez
Comment 4 2018-12-05 12:59:02 PST
Comment on attachment 356638 [details]
Patch

Clearing flags on attachment: 356638

Committed r238905: <https://trac.webkit.org/changeset/238905>
Chris Dumez
Comment 5 2018-12-05 12:59:04 PST
All reviewed patches have been landed. Closing bug.
Radar WebKit Bug Importer
Comment 6 2018-12-05 13:01:04 PST
Chris Dumez
Comment 7 2018-12-05 13:05:54 PST
(In reply to Alexey Proskuryakov from comment #3)
> Comment on attachment 356638 [details]
> Patch
>
> No test case?

I have not been able to reproduce, neither was QA. This is a speculative fix based on the crash trace.
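What the trace alone establishes: the faulting instruction is `ldr x8, [x0, #0x848]` and the fault address is exactly 0x848, so x0 was null when `world()` was inlined into line 60 of JSDocumentCustom.cpp; x0 is the value just returned from `toJSDOMWindow()`, which means the downcast produced no window wrapper and the `->world()` call dereferenced a null pointer. The added example below is not WebKit code and not the r238905 patch (whose contents are not on this page); it is a constructed C++ toy with the same shape, showing why a small fault address equal to a field offset indicates a null base pointer, and the checked form of the call. The names `Cell`, `Window`, `World`, `toWindow`, `worldChecked` and the padding that places the field at offset 0x848 are all hypothetical.

```cpp
// Added illustration, not WebKit code: a toy with the same shape as
// JSDocumentCustom.cpp:60, where a downcast helper (like toJSDOMWindow)
// may return nullptr and the caller dereferences the result unchecked.
#include <cstdint>

// Stands in for DOMWrapperWorld (hypothetical).
struct World {
    int id;
};

// Stands in for a JSC::JSCell; polymorphic so the downcast below can fail.
struct Cell {
    virtual ~Cell() = default;
};

// Stands in for JSDOMWindow. The padding is chosen so that, on an LP64
// Itanium-ABI target (8-byte vptr first), m_world lands at offset 0x848
// from the object base, the same offset as in `ldr x8, [x0, #0x848]`.
struct Window : Cell {
    char pad[0x840] = {};
    World* m_world = nullptr;
    World& world() { return *m_world; }
};

// Some other wrapper type that is not a Window.
struct OtherCell : Cell {};

// Analogue of toJSDOMWindow(): nullptr when the cell is not a Window.
Window* toWindow(Cell* cell) {
    return dynamic_cast<Window*>(cell);
}

// Crashing shape: with a null return from toWindow(), world() reads m_world
// from address 0 + 0x848, which is exactly KERN_INVALID_ADDRESS at 0x848.
// Undefined behaviour when cell is not a Window; kept only for comparison.
World* worldUnchecked(Cell* cell) {
    return &toWindow(cell)->world();
}

// Hardened shape: propagate the failed downcast instead of dereferencing it.
World* worldChecked(Cell* cell) {
    Window* window = toWindow(cell);
    if (!window)
        return nullptr;
    return &window->world();
}

// Byte offset of Window::m_world, to compare against the fault address.
std::uintptr_t offsetOfWorldField() {
    Window w;
    return reinterpret_cast<std::uintptr_t>(&w.m_world)
         - reinterpret_cast<std::uintptr_t>(&w);
}

// Triage rule of thumb: a fault address below one page that equals a known
// field offset means the base pointer was null, not a corrupted heap pointer.
bool faultIsNullBasePlusOffset(std::uintptr_t faultAddress, std::uintptr_t fieldOffset) {
    const std::uintptr_t pageSize = 0x1000;
    return faultAddress < pageSize && faultAddress == fieldOffset;
}
```

Applied to the trace above, `faultIsNullBasePlusOffset(0x848, 0x848)` is the judgement a crash triager makes by eye: the access pattern is a null receiver plus a member offset, so the question for the fix is which path lets the window wrapper come back null rather than what corrupted it.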