Bug 192421 - Crash under WebCore::cachedDocumentWrapper()
Summary: Crash under WebCore::cachedDocumentWrapper()
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Bindings
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Chris Dumez
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2018-12-05 12:10 PST by Chris Dumez
Modified: 2018-12-05 13:05 PST (History)
CC List: 6 users

See Also:


Attachments
Patch (1.77 KB, patch)
2018-12-05 12:14 PST, Chris Dumez
no flags

Description Chris Dumez 2018-12-05 12:10:40 PST
Crash under WebCore::cachedDocumentWrapper():
Thread[0] EXC_BAD_ACCESS (SIGSEGV) (KERN_INVALID_ADDRESS at 0x0000000000000848)
[  0] 0x000000020a99c690 WebCore`WebCore::cachedDocumentWrapper(JSC::ExecState&, WebCore::JSDOMGlobalObject&, WebCore::Document&) [inlined] WTF::DumbPtrTraits<WebCore::DOMWrapperWorld>::unwrap(WebCore::DOMWrapperWorld* const&) at DumbPtrTraits.h:41:69

     0x000000020a99c680:       bl 0xa066f4             ; WebCore::toJS [inlined] WebCore::FrameDestructionObserver::frame() const at DOMWindow.h:204
     0x000000020a99c684:      mov x1, x0
     0x000000020a99c688:      mov x0, x21
     0x000000020a99c68c:       bl 0xa06728             ; WebCore::toJSDOMWindow [inlined] JSC::JSValue::isCell() const at JSCJSValueInlines.h:609
 ->  0x000000020a99c690:      ldr x8, [x0, #0x848]
     0x000000020a99c694:     ldrb w9, [x8, #0x40]
     0x000000020a99c698:      cbz w9, 0xa0c6b8         ; <+160> [inlined] WebCore::DOMWrapperWorld::wrappers() at JSDOMWrapperCache.h:163
     0x000000020a99c69c:      ldr x9, [x19, #0x8]
     0x000000020a99c6a0:      cbz x9, 0xa0c6b8         ; <+160> [inlined] WebCore::DOMWrapperWorld::wrappers() at JSDOMWrapperCache.h:163

[  0] 0x000000020a99c690 WebCore`WebCore::cachedDocumentWrapper(JSC::ExecState&, WebCore::JSDOMGlobalObject&, WebCore::Document&) [inlined] WTF::Ref<WebCore::DOMWrapperWorld, WTF::DumbPtrTraits<WebCore::DOMWrapperWorld> >::get() const at Ref.h:122
[  0] 0x000000020a99c690 WebCore`WebCore::cachedDocumentWrapper(JSC::ExecState&, WebCore::JSDOMGlobalObject&, WebCore::Document&) [inlined] WebCore::JSDOMGlobalObject::world() at JSDOMGlobalObject.h:74
       70  	    Event* currentEvent() const;
       71  	
       72  	    static void visitChildren(JSC::JSCell*, JSC::SlotVisitor&);
       73  	
    -> 74  	    DOMWrapperWorld& world() { return m_world.get(); }
       75  	    bool worldIsNormal() const { return m_worldIsNormal; }
       76  	    static ptrdiff_t offsetOfWorldIsNormal() { return OBJECT_OFFSETOF(JSDOMGlobalObject, m_worldIsNormal); }
       77  	
       78  	    JSBuiltinInternalFunctions& builtinInternalFunctions() { return m_builtinInternalFunctions; }
    
[  0] 0x000000020a99c690 WebCore`WebCore::cachedDocumentWrapper(JSC::ExecState&, WebCore::JSDOMGlobalObject&, WebCore::Document&) + 120 at JSDocumentCustom.cpp:60
       56  	    if (!window)
       57  	        return nullptr;
       58  	
       59  	    // Creating a wrapper for domWindow might have created a wrapper for document as well.
    -> 60  	    return getCachedWrapper(toJSDOMWindow(state.vm(), toJS(&state, *window))->world(), document);
       61  	}
       62  	
       63  	void reportMemoryForDocumentIfFrameless(ExecState& state, Document& document)
       64  	{
    
[  1] 0x000000020a99c68f WebCore`WebCore::cachedDocumentWrapper(JSC::ExecState&, WebCore::JSDOMGlobalObject&, WebCore::Document&) + 119 at JSDocumentCustom.cpp:60:29
[  2] 0x000000020a99c90f WebCore`WebCore::toJS(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WebCore::Document&) + 35 at JSDocumentCustom.cpp:86:25
[  3] 0x000000020a4a5303 WebCore`WebCore::jsNodeParentNode(JSC::ExecState*, long long, JSC::PropertyName) [inlined] WebCore::toJS(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WebCore::Node&) + 51 at JSNodeCustom.h:62:12
[  3] 0x000000020a4a52d0 WebCore`WebCore::jsNodeParentNode(JSC::ExecState*, long long, JSC::PropertyName) [inlined] WebCore::toJS(JSC::ExecState*, WebCore::JSDOMGlobalObject*, WebCore::Node*) at JSNode.h:97
[  3] 0x000000020a4a52d0 WebCore`WebCore::jsNodeParentNode(JSC::ExecState*, long long, JSC::PropertyName) [inlined] JSC::JSValue WebCore::JSConverter<WebCore::IDLInterface<WebCore::Node> >::convert<WebCore::ContainerNode*>(JSC::ExecState&, WebCore::JSDOMGlobalObject&, WebCore::ContainerNode* const&) at JSDOMConvertInterface.h:81
[  3] 0x000000020a4a52d0 WebCore`WebCore::jsNodeParentNode(JSC::ExecState*, long long, JSC::PropertyName) [inlined] JSC::JSValue WebCore::JSConverter<WebCore::IDLNullable<WebCore::IDLInterface<WebCore::Node> > >::convert<WebCore::ContainerNode*>(JSC::ExecState&, WebCore::JSDOMGlobalObject&, WebCore::ContainerNode*&&) + 28 at JSDOMConvertNullable.h:137
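The faulting instruction in the trace, `ldr x8, [x0, #0x848]`, reports a fault address of exactly 0x848, so x0, the value just returned by toJSDOMWindow(), was null when `->world()` ran on it at JSDocumentCustom.cpp:60. As an added illustration that is not WebKit code (the names mirror the trace, but every type, signature and body below is a stand-in written for this example), the following C++ contrasts that unchecked shape with a guarded lookup that reports "no cached wrapper" instead of dereferencing:

```cpp
// Toy model of the call chain in the crash trace above. The names mirror
// WebKit's, but every type and function body here is a stand-in written for
// this illustration; it is not WebKit source.
#include <iostream>
#include <map>

struct Document {};

// Base of all JS-side objects; polymorphic so toJSDOMWindow() can downcast.
struct JSObject {
    virtual ~JSObject() = default;
};

// Each DOMWrapperWorld owns a cache from DOM objects to their JS wrappers
// (the stand-in for what DOMWrapperWorld::wrappers() in the trace returns).
struct DOMWrapperWorld {
    std::map<const Document*, JSObject*> wrappers;
};

struct JSDOMWindow : JSObject {
    DOMWrapperWorld* m_world = nullptr;
    // Unchecked accessor, like JSDOMGlobalObject::world() at frame [0].
    DOMWrapperWorld& world() { return *m_world; }
};

// Stand-in for toJSDOMWindow(): yields nullptr when the value is not a
// JSDOMWindow. In the trace this is the call whose result sits in x0 when
// `ldr x8, [x0, #0x848]` faults; a fault address equal to the immediate
// offset 0x848 means x0 was zero.
JSDOMWindow* toJSDOMWindow(JSObject* value)
{
    return dynamic_cast<JSDOMWindow*>(value);
}

JSObject* getCachedWrapper(DOMWrapperWorld& world, const Document& document)
{
    auto it = world.wrappers.find(&document);
    return it == world.wrappers.end() ? nullptr : it->second;
}

// Crash-prone shape of JSDocumentCustom.cpp:60: the nullable result is
// dereferenced without a check. Calling this with a non-window value is a
// null dereference, which is what the trace shows.
JSObject* cachedDocumentWrapperUnchecked(JSObject* windowValue, const Document& document)
{
    return getCachedWrapper(toJSDOMWindow(windowValue)->world(), document);
}

// Guarded shape: a missing window wrapper means there is no cached document
// wrapper to return, so report nullptr instead of dereferencing.
JSObject* cachedDocumentWrapperChecked(JSObject* windowValue, const Document& document)
{
    JSDOMWindow* window = toJSDOMWindow(windowValue);
    if (!window)
        return nullptr;
    return getCachedWrapper(window->world(), document);
}

// Exercises the guarded lookup on constructed objects. Bits of the result:
//   1: cached wrapper found through a real window
//   2: non-window value handled without dereferencing null
//   4: uncached document reported as nullptr
// All three pass -> 7.
int runGuardedLookupDemo()
{
    DOMWrapperWorld world;
    Document document;
    Document otherDocument;
    JSObject documentWrapper;
    world.wrappers[&document] = &documentWrapper;

    JSDOMWindow window;
    window.m_world = &world;
    JSObject notAWindow; // a constructed value that toJS() might yield instead of a window

    int passed = 0;
    if (cachedDocumentWrapperChecked(&window, document) == &documentWrapper)
        passed |= 1;
    if (cachedDocumentWrapperChecked(&notAWindow, document) == nullptr)
        passed |= 2;
    if (cachedDocumentWrapperChecked(&window, otherDocument) == nullptr)
        passed |= 4;
    return passed;
}

int main()
{
    int result = runGuardedLookupDemo();
    std::cout << "guarded lookup demo result: " << result << " (7 = all cases ok)\n";
    // Passing a non-window value to cachedDocumentWrapperUnchecked() instead
    // would reproduce the null dereference from the trace, so it is not called here.
    return result == 7 ? 0 : 1;
}
```

The guard follows the same pattern the function already applies to `window` a few lines earlier in the listing (`if (!window) return nullptr;`). The page does not show the contents of the landed patch; the guarded form above is only the defensive shape the trace implies.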
Comment 1 Chris Dumez 2018-12-05 12:14:31 PST
Created attachment 356638
Patch
Comment 2 WebKit Commit Bot 2018-12-05 12:47:49 PST
The commit-queue encountered the following flaky tests while processing attachment 356638:

imported/w3c/web-platform-tests/WebCryptoAPI/generateKey/failures_AES-KW.https.any.worker.html bug 192423
The commit-queue is continuing to process your patch.
Comment 3 Alexey Proskuryakov 2018-12-05 12:57:47 PST
Comment on attachment 356638
Patch

No test case?
Comment 4 Chris Dumez 2018-12-05 12:59:02 PST
Comment on attachment 356638
Patch

Clearing flags on attachment: 356638

Committed r238905: <https://trac.webkit.org/changeset/238905>
Comment 5 Chris Dumez 2018-12-05 12:59:04 PST
All reviewed patches have been landed. Closing bug.
Comment 6 Radar WebKit Bug Importer 2018-12-05 13:01:04 PST
<rdar://problem/46496830>
Comment 7 Chris Dumez 2018-12-05 13:05:54 PST
(In reply to Alexey Proskuryakov from comment #3)
> Comment on attachment 356638
> Patch
> 
> No test case?

I have not been able to reproduce, nor was QA. This is a speculative fix based on the crash trace.