https://ews-build.webkit.org/results/macOS-Mojave-Debug-WK1-Tests-EWS/r396938-7951/results.html

Thread 8 Crashed:: IndexedDB
0   com.apple.JavaScriptCore   0x000000010e77ecca WTFCrashWithInfoImpl(int, char const*, char const*, int, unsigned long long, unsigned long long, unsigned long long, unsigned long long, unsigned long long, unsigned long long, unsigned long long) + 186 (Assertions.cpp:649)
1   com.apple.JavaScriptCore   0x000000010ff66c4a void WTFCrashWithInfo<unsigned long, unsigned long long, unsigned long long, unsigned int, unsigned long, JSC::MarkedBlock*, unsigned long long>(int, char const*, char const*, int, unsigned long, unsigned long long, unsigned long long, unsigned int, unsigned long, JSC::MarkedBlock*, unsigned long long) + 298
2   com.apple.JavaScriptCore   0x000000010ff66988 JSC::reportZappedCellAndCrash(JSC::Heap&, JSC::JSCell const*) + 920
3   com.apple.WebCore          0x00000001258b4211 WebCore::JSDOMGlobalObject* JSC::jsCast<WebCore::JSDOMGlobalObject*, JSC::JSGlobalObject>(JSC::JSGlobalObject*) + 97
4   com.apple.WebCore          0x0000000127ac5705 JSC::JSValue WebCore::CloneDeserializer::readDOMMatrix<WebCore::DOMMatrix>() + 373
5   com.apple.WebCore          0x0000000127a9ec51 WebCore::CloneDeserializer::readTerminal() + 6497
6   com.apple.WebCore          0x0000000127a9cf83 WebCore::CloneDeserializer::deserialize() + 2883
7   com.apple.WebCore          0x0000000127aa2264 WebCore::CloneDeserializer::deserialize(JSC::JSGlobalObject*, JSC::JSGlobalObject*, WTF::Vector<WTF::RefPtr<WebCore::MessagePort, WTF::DumbPtrTraits<WebCore::MessagePort> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WTF::Vector<std::__1::pair<std::__1::unique_ptr<WebCore::ImageBuffer, std::__1::default_delete<WebCore::ImageBuffer> >, bool>, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&&, WTF::Vector<JSC::ArrayBufferContents, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>*, WTF::Vector<unsigned char, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WTF::Vector<WTF::String, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WTF::Vector<WTF::String, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>, WTF::Vector<JSC::ArrayBufferContents, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>*, WTF::Vector<WTF::RefPtr<JSC::Wasm::Module, WTF::DumbPtrTraits<JSC::Wasm::Module> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>*) + 468
8   com.apple.WebCore          0x0000000127aa202f WebCore::SerializedScriptValue::deserialize(JSC::JSGlobalObject&, JSC::JSGlobalObject*, WTF::Vector<WTF::RefPtr<WebCore::MessagePort, WTF::DumbPtrTraits<WebCore::MessagePort> >, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WTF::Vector<WTF::String, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WTF::Vector<WTF::String, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WebCore::SerializationErrorMode) + 271
9   com.apple.WebCore          0x00000001279e1f1c WebCore::deserializeIDBValueToJSValue(JSC::JSGlobalObject&, JSC::JSGlobalObject&, WebCore::IDBValue const&) + 284
10  com.apple.WebCore          0x00000001279e1df1 WebCore::deserializeIDBValueToJSValue(JSC::JSGlobalObject&, WebCore::IDBValue const&) + 33
11  com.apple.WebCore          0x00000001272bf05e WebCore::IDBServer::SQLiteIDBBackingStore::updateAllIndexesForAddRecord(WebCore::IDBObjectStoreInfo const&, WebCore::IDBKeyData const&, WebCore::ThreadSafeDataBuffer const&, long long) + 206
12  com.apple.WebCore          0x00000001272bfef6 WebCore::IDBServer::SQLiteIDBBackingStore::addRecord(WebCore::IDBResourceIdentifier const&, WebCore::IDBObjectStoreInfo const&, WebCore::IDBKeyData const&, WebCore::IDBValue const&) + 1862
13  com.apple.WebCore          0x00000001272d4e89 WebCore::IDBServer::UniqueIDBDatabase::putOrAdd(WebCore::IDBRequestData const&, WebCore::IDBKeyData const&, WebCore::IDBValue const&, WebCore::IndexedDB::ObjectStoreOverwriteMode, WTF::Function<void (WebCore::IDBError const&, WebCore::IDBKeyData const&)>) + 2265
14  com.apple.WebCore          0x00000001272dc3c5 WebCore::IDBServer::UniqueIDBDatabaseTransaction::putOrAdd(WebCore::IDBRequestData const&, WebCore::IDBKeyData const&, WebCore::IDBValue const&, WebCore::IndexedDB::ObjectStoreOverwriteMode) + 581
15  com.apple.WebCore          0x00000001271d274a WebCore::IDBServer::IDBServer::putOrAdd(WebCore::IDBRequestData const&, WebCore::IDBKeyData const&, WebCore::IDBValue const&, WebCore::IndexedDB::ObjectStoreOverwriteMode) + 346
16  com.apple.WebKitLegacy     0x000000013e9585f2 InProcessIDBServer::putOrAdd(WebCore::IDBRequestData const&, WebCore::IDBKeyData const&, WebCore::IDBValue const&, WebCore::IndexedDB::ObjectStoreOverwriteMode)::$_33::operator()() const + 146
17  com.apple.WebKitLegacy     0x000000013e956f49 WTF::Detail::CallableWrapper<InProcessIDBServer::putOrAdd(WebCore::IDBRequestData const&, WebCore::IDBKeyData const&, WebCore::IDBValue const&, WebCore::IndexedDB::ObjectStoreOverwriteMode)::$_33, void>::call() + 25
18  com.apple.WebKitLegacy     0x000000013e98e04a WTF::Function<void ()>::operator()() const + 138
<rdar://problem/62043056>
Regressed at r260345: https://results.webkit.org/?suite=layout-tests&test=imported%2Fw3c%2Fweb-platform-tests%2FIndexedDB%2Fstructured-clone.any.html
This test was previously skipped because it includes BigInt syntax: the test immediately threw SyntaxError, so nothing in this test was executed before. Now JSC supports BigInt syntax, so this test is executed, and the crash happens when deserializing DOMMatrixReadOnly. This is because DOMMatrixReadOnly requires a JSGlobalObject with DOM implementations, since DOMMatrixReadOnly is a WebCore object, not a JSC object. However, IDBSerializationContext.cpp is using a plain JSGlobalObject. This is wrong, since it is the JSC JSGlobalObject and it does not include the DOMMatrix implementation.

    ASSERT(!m_globalObject);
    m_vm = JSC::VM::create();

    JSC::JSLockHolder locker(m_vm.get());
    m_globalObject.set(*m_vm, JSC::JSGlobalObject::create(*m_vm, JSC::JSGlobalObject::createStructure(*m_vm, JSC::jsNull())));
}

in `IDBSerializationContext.cpp`. The stderr message "Unexpected global object: Object: 0x124376268 with butterfly 0x1818550448 (Structure 0x1331397a0:[0xd8f4, GlobalObject, {Object:100, Function:101, Array:102, RegExp:103, String:104, Promise:105, BigInt:106, Intl:107, $vm:108, WebAssembly:109}, NonArray, Proto:0x117642b68, Dictionary, Leaf]), StructureID: 55540" is emitted from WebCore::JSDOMGlobalObject::scriptExecutionContext, because this is not a DOM JSGlobalObject.
  frame #0: 0x0000000103650633 WebCore`WTFCrashWithInfo((null)=178, (null)="./bindings/js/JSDOMGlobalObject.cpp", (null)="WebCore::ScriptExecutionContext *WebCore::JSDOMGlobalObject::scriptExecutionContext() const", (null)=222) at Assertions.h:671:5 [opt]
* frame #1: 0x00000001042f3496 WebCore`WebCore::JSDOMGlobalObject::scriptExecutionContext(this=<unavailable>) const at JSDOMGlobalObject.cpp:178:5 [opt]
  frame #2: 0x00000001038a20f7 WebCore`WebCore::JSDOMMatrixReadOnlyPrototype::finishCreation(this=0x00000001331580d0, vm=0x000000012448e000) at JSDOMMatrixReadOnly.cpp:250:54 [opt]
  frame #3: 0x00000001038a2515 WebCore`WebCore::JSDOMMatrixReadOnly::createPrototype(JSC::VM&, WebCore::JSDOMGlobalObject&) [inlined] WebCore::JSDOMMatrixReadOnlyPrototype::create(vm=0x000000012448e000, globalObject=<unavailable>, structure=0x0000000133139880) at JSDOMMatrixReadOnly.cpp:122:14 [opt]
  frame #4: 0x00000001038a247c WebCore`WebCore::JSDOMMatrixReadOnly::createPrototype(vm=0x000000012448e000, globalObject=<unavailable>) at JSDOMMatrixReadOnly.cpp:279 [opt]
  frame #5: 0x0000000103899414 WebCore`WebCore::JSDOMMatrix::createPrototype(JSC::VM&, WebCore::JSDOMGlobalObject&) [inlined] JSC::Structure* WebCore::getDOMStructure<WebCore::JSDOMMatrixReadOnly>(vm=<unavailable>, globalObject=0x0000000124376268) at JSDOMWrapperCache.h:85:93 [opt]
  frame #6: 0x00000001038993f5 WebCore`WebCore::JSDOMMatrix::createPrototype(JSC::VM&, WebCore::JSDOMGlobalObject&) [inlined] JSC::JSObject* WebCore::getDOMPrototype<WebCore::JSDOMMatrixReadOnly>(vm=<unavailable>, globalObject=0x0000000124376268) at JSDOMWrapperCache.h:96 [opt]
  frame #7: 0x00000001038993f5 WebCore`WebCore::JSDOMMatrix::createPrototype(JSC::VM&, WebCore::JSDOMGlobalObject&) [inlined] WebCore::JSDOMMatrixReadOnly::prototype(vm=<unavailable>, globalObject=0x0000000124376268) at JSDOMMatrixReadOnly.cpp:284 [opt]
  frame #8: 0x00000001038993f5 WebCore`WebCore::JSDOMMatrix::createPrototype(vm=0x000000012448e000, globalObject=0x0000000124376268) at JSDOMMatrix.cpp:280 [opt]
  frame #9: 0x000000010389eab1 WebCore`std::__1::enable_if<std::is_same<WebCore::DOMMatrix, WebCore::DOMMatrix>::value, WebCore::JSDOMWrapperConverterTraits<WebCore::DOMMatrix>::WrapperClass*>::type WebCore::createWrapper<WebCore::DOMMatrix, WebCore::DOMMatrix>(WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::DOMMatrix, WTF::DumbPtrTraits<WebCore::DOMMatrix> >&&) [inlined] JSC::Structure* WebCore::getDOMStructure<WebCore::JSDOMMatrix>(vm=0x000000012448e000, globalObject=0x0000000124376268) at JSDOMWrapperCache.h:85:93 [opt]
  frame #10: 0x000000010389ea92 WebCore`std::__1::enable_if<std::is_same<WebCore::DOMMatrix, WebCore::DOMMatrix>::value, WebCore::JSDOMWrapperConverterTraits<WebCore::DOMMatrix>::WrapperClass*>::type WebCore::createWrapper<WebCore::DOMMatrix, WebCore::DOMMatrix>(globalObject=0x0000000124376268, domObject=0x00007000025653f0) at JSDOMWrapperCache.h:187 [opt]
  frame #11: 0x000000010434aa6d WebCore`JSC::JSValue WebCore::CloneDeserializer::readDOMMatrix<WebCore::DOMMatrix>(this=<unavailable>) at SerializedScriptValue.cpp:0 [opt]
  frame #12: 0x0000000104338a56 WebCore`WebCore::CloneDeserializer::deserialize(this=0x00007000025657d8) at SerializedScriptValue.cpp:3569:36 [opt]
  frame #13: 0x000000010433d79c WebCore`WebCore::CloneDeserializer::deserialize(lexicalGlobalObject=<unavailable>, globalObject=<unavailable>, messagePorts=<unavailable>, imageBuffers=<unavailable>, arrayBufferContentsArray=<unavailable>, buffer={ size = 54, capacity = 61 }, blobURLs={ size = 0, capacity = 0 }, blobFilePaths={ size = 0, capacity = 0 }, sharedBuffers={ size = 0, capacity = 0 }, wasmModules={ size = 0, capacity = 0 }) at SerializedScriptValue.cpp:1944:29 [opt]
  frame #14: 0x000000010433d4ef WebCore`WebCore::SerializedScriptValue::deserialize(this=0x0000000132c923c0, lexicalGlobalObject=<unavailable>, globalObject=<unavailable>, messagePorts={ size = 0, capacity = 0 }, blobURLs={ size = 0, capacity = 0 }, blobFilePaths=<unavailable>, throwExceptions=NonThrowing) at SerializedScriptValue.cpp:3905:36 [opt]
  frame #15: 0x00000001042f031c WebCore`WebCore::deserializeIDBValueToJSValue(lexicalGlobalObject=0x0000000124376268, globalObject=0x0000000124376268, value=<unavailable>) at IDBBindingUtilities.cpp:391:39 [opt]
  frame #16: 0x0000000104040714 WebCore`WebCore::IDBServer::SQLiteIDBBackingStore::updateAllIndexesForAddRecord(this=0x000000013331f6c0, info=0x0000000132f3d060, key=0x0000700002565d58, value=<unavailable>, recordID=1) at SQLiteIDBBackingStore.cpp:1855:20 [opt]
  frame #17: 0x0000000104040d3e WebCore`WebCore::IDBServer::SQLiteIDBBackingStore::addRecord(this=0x000000013331f6c0, transactionIdentifier=<unavailable>, objectStoreInfo=0x0000000132f3d060, keyData=<unavailable>, value=0x000000013323ce58) at SQLiteIDBBackingStore.cpp:1929:18 [opt]
  frame #18: 0x000000010404fb9d WebCore`WebCore::IDBServer::UniqueIDBDatabase::putOrAdd(this=<unavailable>, requestData=<unavailable>, keyData=0x000000013323ce30, value=0x000000013323ce58, overwriteMode=Overwrite, callback=WebCore::IDBServer::KeyDataCallback @ 0x0000700002565e58)>) at UniqueIDBDatabase.cpp:763:29 [opt]
  frame #19: 0x000000010405429d WebCore`WebCore::IDBServer::UniqueIDBDatabaseTransaction::putOrAdd(this=<unavailable>, requestData=0x000000013323cda8, keyData=0x000000013323ce30, value=<unavailable>, overwriteMode=<unavailable>) at UniqueIDBDatabaseTransaction.cpp:263:15 [opt]
  frame #20: 0x0000000103ff6dff WebCore`WebCore::IDBServer::IDBServer::putOrAdd(this=<unavailable>, requestData=0x000000013323cda8, keyData=0x000000013323ce30, value=0x000000013323ce58, overwriteMode=Overwrite) at IDBServer.cpp:313:18 [opt]
  frame #21: 0x0000000108866696 WebKitLegacy`WTF::Detail::CallableWrapper<InProcessIDBServer::putOrAdd(WebCore::IDBRequestData const&, WebCore::IDBKeyData const&, WebCore::IDBValue const&, WebCore::IndexedDB::ObjectStoreOverwriteMode)::$_33, void>::call() [inlined] InProcessIDBServer::putOrAdd(this=0x000000013323cd98)::$_33::operator()() const at InProcessIDBServer.cpp:351:19 [opt]
  frame #22: 0x0000000108866661 WebKitLegacy`WTF::Detail::CallableWrapper<InProcessIDBServer::putOrAdd(WebCore::IDBRequestData const&, WebCore::IDBKeyData const&, WebCore::IDBValue const&, WebCore::IndexedDB::ObjectStoreOverwriteMode)::$_33, void>::call(this=0x000000013323cd90) at Function.h:52 [opt]
  frame #23: 0x000000010888686d WebKitLegacy`WebCore::StorageThread::threadEntryPoint() [inlined] WTF::Function<void ()>::operator(this=<unavailable>)() const at Function.h:84:35 [opt]
  frame #24: 0x0000000108886864 WebKitLegacy`WebCore::StorageThread::threadEntryPoint(this=<unavailable>) at StorageThread.cpp:78 [opt]
  frame #25: 0x000000010047219c JavaScriptCore`WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) [inlined] WTF::Function<void ()>::operator(this=<unavailable>)() const at Function.h:84:35 [opt]
  frame #26: 0x0000000100472193 JavaScriptCore`WTF::Thread::entryPoint(newThreadContext=0x00000001328d19c0) at Threading.cpp:168 [opt]
  frame #27: 0x00000001004746c9 JavaScriptCore`WTF::wtfThreadEntryPoint(context=<unavailable>) at ThreadingPOSIX.cpp:200:5 [opt]
  frame #28: 0x00007fff711a7a10 libsystem_pthread.dylib`_pthread_start + 224
  frame #29: 0x00007fff711a353f libsystem_pthread.dylib`thread_start + 15
I will skip this test in the BigInt structured-cloning patch, and in that patch I'll add a test for BigInt structured-cloning. And I'll send this bug to the IDB folks for the following reasons.

1. This test was throwing a BigInt SyntaxError and it was never effectively executed. No tests inside this test file are executed because of the SyntaxError. Skipping this test does not regress coverage because this test was never executed before.
2. Now BigInt is supported, and this test finally starts running and crashing. The crash reason is an IDB deserialization bug, not related to BigInt.
3. This bug itself is completely unrelated to BigInt, and we can make WebKit crash without BigInt support since this is related to IDB deserialization and DOM objects.
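The comment above says the crash is reachable without BigInt: any page that makes the IDB server deserialize a structured clone containing a DOM object takes the same path. The following page-side repro is an added example written for this bug thread; it is not the WPT test, not WebKit code, and not attached to the bug. It assumes, from the `updateAllIndexesForAddRecord` frame in both traces, that the server only deserializes a stored value when the object store has an index whose key it must extract, so the store is created with one. The database and store names are constructed. Outside a browser (no `indexedDB` or `DOMMatrix` on the global) it returns without doing anything instead of throwing.

```javascript
// Added example, not part of the bug report. Minimal page-side repro of the path
// in the traces above: IDBServer::putOrAdd -> updateAllIndexesForAddRecord ->
// deserializeIDBValueToJSValue -> CloneDeserializer::readDOMMatrix.
// Assumption: the server only deserializes the value when the object store has
// an index, so one is created. Names below are constructed for this example.
const DB_NAME = 'dommatrix-structured-clone-repro';
const STORE_NAME = 'records';
const LABEL = 'translate(10,20)';

// A value whose structured clone carries a DOM object (DOMMatrix) next to a plain
// field read by the index key path. Rehydrating the DOMMatrix needs a
// JSDOMGlobalObject; a bare JSC::JSGlobalObject has no DOMMatrix prototype.
function makeRecord(MatrixCtor) {
  return { id: 1, label: LABEL, m: new MatrixCtor([1, 0, 0, 1, 10, 20]) };
}

// True only in a browser-like environment exposing both APIs.
function canRun(env) {
  return env !== undefined && env !== null
    && typeof env.indexedDB === 'object' && env.indexedDB !== null
    && typeof env.DOMMatrix === 'function';
}

function promisify(request) {
  return new Promise((resolve, reject) => {
    request.onsuccess = () => resolve(request.result);
    request.onerror = () => reject(request.error);
  });
}

function openDatabase(idb) {
  return new Promise((resolve, reject) => {
    const req = idb.open(DB_NAME, 1);
    req.onupgradeneeded = () => {
      const store = req.result.createObjectStore(STORE_NAME, { keyPath: 'id' });
      // The index is what forces the server-side deserialize on put().
      store.createIndex('byLabel', 'label', { unique: false });
    };
    req.onsuccess = () => resolve(req.result);
    req.onerror = () => reject(req.error);
    req.onblocked = () => reject(new Error('open blocked by another connection'));
  });
}

// Stores the record, then reads it back through the index so the round trip is
// checked on a fixed build. On an affected debug build the IndexedDB thread hits
// the scriptExecutionContext() assertion before put() ever reports success.
async function reproduce(env = globalThis) {
  if (!canRun(env)) {
    return { ran: false, reason: 'needs a browser with indexedDB and DOMMatrix' };
  }
  const db = await openDatabase(env.indexedDB);
  try {
    const tx = db.transaction(STORE_NAME, 'readwrite');
    const done = new Promise((resolve, reject) => {
      tx.oncomplete = () => resolve();
      tx.onerror = () => reject(tx.error);
      tx.onabort = () => reject(tx.error || new Error('transaction aborted'));
    });
    const store = tx.objectStore(STORE_NAME);
    await promisify(store.put(makeRecord(env.DOMMatrix)));
    const viaIndex = await promisify(store.index('byLabel').get(LABEL));
    await done;
    return { ran: true, e: viaIndex.m.e, f: viaIndex.m.f };
  } finally {
    db.close();
  }
}
```

Load this from a page in a WebKit1 debug build like the EWS configuration in the first trace and call `reproduce()`: on a fixed build it resolves to `{ ran: true, e: 10, f: 20 }`, on an affected build the process dies in the IndexedDB thread with the `Unexpected global object` message quoted above. Reusing the same database name across runs is fine because version 1 is reused and `put()` overwrites key 1.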
Renamed to r248751 regression.
Committed r260352: <https://trac.webkit.org/changeset/260352>