Created attachment 407268 [details]
The property inspector of Xcode when the crash happens.

A commit on 7/22 to SerializedScriptValue.cpp results in a crash. !m_isDOMGlobalObject and m_isJSIDBSerializationGlobalObject are not equal, which causes a crash in a type check.

Build Date & Hardware: Build 2020-08-25 on Mac OS 10.15.4, run and debugged in the iOS 14 beta 5 simulator.
The closest change to this file is r264661, although that was on 7/21 in California. Is this what you are blaming?

Could you please attach a complete crash log, and/or steps to reproduce?
Created attachment 407373 [details] crashreport
(In reply to Alexey Proskuryakov from comment #1)
> The closest change to this file r264661, although that was 7/21 in
> California. Is this what you are blaming?
>
> Could you please attach a complete crash log, and/or steps to reproduce?

Yes, r264661 is the change I'm talking about. Sorry, but I can only provide part of the crash log. See the crash report in the attachments.
Thank you for the confirmation. We cannot symbolicate a partial crash report, and this may not be actionable without a symbolicated trace, or better, a repro case. Keeping open in case Sihui has an idea.
Created attachment 407597 [details] symbolicated crash report
(In reply to Alexey Proskuryakov from comment #4)
> Thank you for the confirmation.
>
> We cannot symbolicate a partial crash report, and this may not be actionable
> without a symbolicated trace, or better, a repro case.
>
> Keeping open in case Sihui has an idea.

Hi, we managed to get a symbolicated crash report. Would you please take a look at it? Thanks. :-)
Thank you! I think that this may be enough info for an investigation. Any details that could help prioritization would also be appreciated (such as user impact qualification).
rdar://problem/68084639
Created attachment 407695 [details] Patch
Comment on attachment 407695 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=407695&action=review

> Source/WebCore/ChangeLog:3
> + REGRESSION (r264661): Crashes in WebCore::wrap<WebCore::Blob> in CloneDeserializer

Can a regression test be added for this?
Created attachment 407721 [details] Patch
(In reply to Alexey Proskuryakov from comment #10)
> Comment on attachment 407695 [details]
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=407695&action=review
>
> > Source/WebCore/ChangeLog:3
> > + REGRESSION (r264661): Crashes in WebCore::wrap<WebCore::Blob> in CloneDeserializer
>
> Can a regression test be added for this?

Test added.
Comment on attachment 407721 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=407721&action=review

> Source/WebCore/bindings/js/SerializedScriptValue.cpp:2042
> + , m_isValidDOMGlobalObject(m_isDOMGlobalObject && !globalObject->inherits<JSIDBSerializationGlobalObject>(globalObject->vm()))

I would rename it to something like m_canCreateDOMObject.
Created attachment 407772 [details] Patch for landing
Committed r266470: <https://trac.webkit.org/changeset/266470>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 407772 [details].