Bug 194871 - Crash in DOMWindowExtension::suspendForPageCache
Summary: Crash in DOMWindowExtension::suspendForPageCache
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Ryosuke Niwa
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2019-02-20 14:24 PST by Ryosuke Niwa
Modified: 2019-02-20 16:06 PST

See Also:


Attachments
Fix attempt (4.80 KB, patch)
2019-02-20 14:57 PST, Ryosuke Niwa
no flags

Description Ryosuke Niwa 2019-02-20 14:24:21 PST
e.g.

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x00007fff47af3f3c WebCore::DOMWindowExtension::suspendForPageCache() + 28
1   com.apple.WebCore             	0x00007fff46967fe9 WebCore::DOMWindow::suspendForPageCache() + 233
2   com.apple.WebCore             	0x00007fff47861a68 WebCore::CachedFrame::CachedFrame(WebCore::Frame&) + 504
3   com.apple.WebCore             	0x00007fff47863869 WebCore::PageCache::addIfCacheable(WebCore::HistoryItem&, WebCore::Page*) + 457
4   com.apple.WebCore             	0x00007fff4691a3c7 WebCore::FrameLoader::commitProvisionalLoad() + 263
5   com.apple.WebCore             	0x00007fff46967b81 WebCore::DocumentLoader::commitLoad(char const*, int) + 81
6   com.apple.WebCore             	0x00007fff47aca1b0 WTF::Function<void ()>::CallableWrapper<WebCore::CachedRawResource::didAddClient(WebCore::CachedResourceClient&)::$_0::operator()(WebCore::ResourceRequest&&)::'lambda'()>::call() + 80
7   com.apple.WebCore             	0x00007fff47a559bb WTF::Function<void (WebCore::PolicyAction)>::CallableWrapper<WebCore::DocumentLoader::responseReceived(WebCore::ResourceResponse const&, WTF::CompletionHandler<void ()>&&)::$_7>::call(WebCore::PolicyAction) + 59
8   com.apple.WebKit              	0x00007fff488666e9 WebKit::WebFrameLoaderClient::dispatchDecidePolicyForResponse(WebCore::ResourceResponse const&, WebCore::ResourceRequest const&, WTF::Function<void (WebCore::PolicyAction)>&&) + 121
9   com.apple.WebCore             	0x00007fff47a4cdd8 WebCore::DocumentLoader::responseReceived(WebCore::ResourceResponse const&, WTF::CompletionHandler<void ()>&&) + 1992
10  com.apple.WebCore             	0x00007fff47aca02e WTF::Function<void (WebCore::ResourceRequest&&)>::CallableWrapper<WebCore::CachedRawResource::didAddClient(WebCore::CachedResourceClient&)::$_0>::call(WebCore::ResourceRequest&&) + 350
11  com.apple.WebCore             	0x00007fff47abe328 WebCore::iterateRedirects(WebCore::CachedResourceHandle<WebCore::CachedRawResource>&&, WebCore::CachedRawResourceClient&, WTF::Vector<std::__1::pair<WebCore::ResourceRequest, WebCore::ResourceResponse>, 0ul, WTF::CrashOnOverflow, 16ul>&&, WTF::CompletionHandler<void (WebCore::ResourceRequest&&)>&&) + 1448
12  com.apple.WebCore             	0x00007fff47abd9b1 WebCore::CachedRawResource::didAddClient(WebCore::CachedResourceClient&) + 657
13  com.apple.WebCore             	0x00007fff4690f398 WebCore::ThreadTimers::sharedTimerFiredInternal() + 168
14  com.apple.WebCore             	0x00007fff4690f2df WebCore::timerFired(__CFRunLoopTimer*, void*) + 31

<rdar://problem/47380794>
Comment 1 Ryosuke Niwa 2019-02-20 14:25:15 PST
We're also seeing crashes in DOMWindowExtension::willDestroyGlobalObjectInCachedFrame()

e.g.
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebCore             	0x00007fff52579040 WebCore::DOMWindowExtension::willDestroyGlobalObjectInCachedFrame() + 16
1   com.apple.WebCore             	0x00007fff514da36a WebCore::DOMWindow::willDestroyCachedFrame() + 234
2   com.apple.WebCore             	0x00007fff514da185 WebCore::CachedFrame::destroy() + 37
3   com.apple.WebCore             	0x00007fff522e84d4 WebCore::PageCache::prune(WebCore::PruningReason) + 100
4   com.apple.WebCore             	0x00007fff522e8458 WebCore::PageCache::pruneToSizeNow(unsigned int, WebCore::PruningReason) + 24
5   com.apple.WebKit              	0x00007fff52fc5a98 IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) + 108
6   com.apple.WebKit              	0x00007fff52fc924b IPC::Connection::dispatchOneIncomingMessage() + 181
7   com.apple.JavaScriptCore      	0x00007fff47874734 WTF::RunLoop::performWork() + 228
8   com.apple.JavaScriptCore      	0x00007fff478749c2 WTF::RunLoop::performWork(void*) + 34
9   com.apple.CoreFoundation      	0x00007fff443526a3 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
10  com.apple.CoreFoundation      	0x00007fff44352649 __CFRunLoopDoSource0 + 108
11  com.apple.CoreFoundation      	0x00007fff44335ffb __CFRunLoopDoSources0 + 195
12  com.apple.CoreFoundation      	0x00007fff443355c5 __CFRunLoopRun + 1189
13  com.apple.CoreFoundation      	0x00007fff44334ece CFRunLoopRunSpecific + 455
14  com.apple.Foundation          	0x00007fff4664da9f -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 280
15  com.apple.Foundation          	0x00007fff4664d974 -[NSRunLoop(NSRunLoop) run] + 76
16  libxpc.dylib                  	0x00007fff709ec1d7 _xpc_objc_main + 552
17  libxpc.dylib                  	0x00007fff709ebcd9 xpc_main + 433
18  com.apple.WebKit.WebContent   	0x1013b26e2 WebKit::XPCServiceMain(int, char const**) + 547 (/BuildRoot/Library/Caches/com.apple.xbs/Sources/WebKit2/WebKit2-7607.1.30/Shared/EntryPointUtilities/mac/XPCService/XPCServiceMain.mm:157)
19  com.apple.WebKit.WebContent   	0x1013b2867 main + 9 (/BuildRoot/Library/Caches/com.apple.xbs/Sources/WebKit2/WebKit2-7607.1.30/Shared/EntryPointUtilities/mac/XPCService/XPCServiceMain.mm:165)
20  libdyld.dylib                 	0x00007fff707b93ed start + 1
Comment 2 Ryosuke Niwa 2019-02-20 14:28:03 PST
I suspect what might be happening here is that DOMWindowExtension is getting removed / unregistered
inside the client delegate callbacks in dispatchWillDisconnectDOMWindowExtensionFromGlobalObject
and dispatchWillDestroyGlobalObjectForDOMWindowExtension.

In DOMWindow::willDestroyCachedFrame, for example, there is a comment about how this may happen:
// It is necessary to copy m_properties to a separate vector because the DOMWindowProperties may
// unregister themselves from the DOMWindow as a result of the call to willDestroyGlobalObjectInFrame.

I think what we didn't account for is notifying one DOMWindowExtension removing another DOMWindowExtension.
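The copy-to-a-separate-vector pattern that comment describes, shown as an added example with hypothetical Window and Extension classes (these are not WebKit's DOMWindow or DOMWindowExtension, and this is not the committed fix). The notifying object snapshots its registered extensions into a vector of strong references before iterating, and re-checks membership before each callback, so one extension unregistering another mid-notification neither invalidates the iterator nor delivers a callback to an extension that has already been removed and possibly destroyed:

```cpp
#include <algorithm>
#include <functional>
#include <iostream>
#include <memory>
#include <string>
#include <vector>

// Hypothetical stand-ins for DOMWindow and DOMWindowExtension; not WebKit
// code, just enough structure to show the notification pattern.
class Window;

class Extension {
public:
    explicit Extension(std::string name) : m_name(std::move(name)) {}
    const std::string& name() const { return m_name; }

    // Hook run when the window suspends. The scenario below uses it to make
    // one extension unregister another while the notification loop is live,
    // which is the re-entrancy case the bug report describes.
    std::function<void(Window&, Extension&)> onSuspend;

private:
    std::string m_name;
};

class Window {
public:
    void registerExtension(std::shared_ptr<Extension> ext) { m_extensions.push_back(std::move(ext)); }

    void unregisterExtension(const Extension& ext) {
        m_extensions.erase(std::remove_if(m_extensions.begin(), m_extensions.end(),
            [&](const std::shared_ptr<Extension>& e) { return e.get() == &ext; }), m_extensions.end());
    }

    bool isRegistered(const Extension& ext) const {
        return std::any_of(m_extensions.begin(), m_extensions.end(),
            [&](const std::shared_ptr<Extension>& e) { return e.get() == &ext; });
    }

    size_t extensionCount() const { return m_extensions.size(); }

    // Returns the names of the extensions that were actually notified.
    std::vector<std::string> suspendForPageCache() {
        std::vector<std::string> notified;
        // 1. Snapshot into a separate vector of strong references: a callback
        //    that erases from m_extensions cannot invalidate the iterator we
        //    walk, and an extension whose only owner was m_extensions stays
        //    alive until the loop finishes instead of being destroyed mid-walk.
        std::vector<std::shared_ptr<Extension>> snapshot = m_extensions;
        for (const auto& ext : snapshot) {
            // 2. Re-check membership: an extension that an earlier callback in
            //    this same loop unregistered must not be notified.
            if (!isRegistered(*ext))
                continue;
            notified.push_back(ext->name());
            if (ext->onSuspend)
                ext->onSuspend(*this, *ext);
        }
        return notified;
    }

private:
    std::vector<std::shared_ptr<Extension>> m_extensions;
};

struct ScenarioResult {
    std::vector<std::string> notified;
    size_t remaining;
};

// Constructed scenario: A's callback unregisters B (not yet notified) and A
// itself. B is owned only by the window, so only the snapshot's strong
// reference keeps it alive while the loop still refers to it.
ScenarioResult runScenario() {
    Window window;
    auto a = std::make_shared<Extension>("A");
    std::weak_ptr<Extension> bWeak;
    {
        auto b = std::make_shared<Extension>("B");
        bWeak = b;
        window.registerExtension(a);
        window.registerExtension(b);
    }
    window.registerExtension(std::make_shared<Extension>("C"));
    a->onSuspend = [bWeak](Window& w, Extension& self) {
        if (auto b = bWeak.lock())
            w.unregisterExtension(*b);
        w.unregisterExtension(self);
    };
    std::vector<std::string> notified = window.suspendForPageCache();
    return { notified, window.extensionCount() };
}

int main() {
    ScenarioResult result = runScenario();
    for (const auto& name : result.notified)
        std::cout << "notified " << name << '\n';
    std::cout << result.remaining << " extension(s) still registered\n";
    return 0;
}
```

Only A and C are notified and only C remains registered afterwards; B is skipped because A's callback removed it before its turn, and the snapshot keeps B's object alive until the loop ends so the skipped entry is never a dangling reference.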
Comment 3 Ryosuke Niwa 2019-02-20 14:57:17 PST
Created attachment 362547
Fix attempt
Comment 4 Ryosuke Niwa 2019-02-20 15:09:52 PST
Waiting for EWS...
Comment 5 Ryosuke Niwa 2019-02-20 16:06:29 PST
Comment on attachment 362547
Fix attempt

Clearing flags on attachment: 362547

Committed r241848: <https://trac.webkit.org/changeset/241848>
Comment 6 Ryosuke Niwa 2019-02-20 16:06:31 PST
All reviewed patches have been landed.  Closing bug.