248496 – [ New Test ] (256342@main): [ macOS Debug ] fast/events/message-port-gc-after-removing-event-listener.html is a flaky crash

RESOLVED FIXED 248496

[ New Test ] (256342@main): [ macOS Debug ] fast/events/message-port-gc-after-removing-event-listener.html is a flaky crash

https://bugs.webkit.org/show_bug.cgi?id=248496

Summary [ New Test ] (256342@main): [ macOS Debug ] fast/events/message-port-gc-after...

Karl Rackler

Reported 2022-11-29 14:27:42 PST

Description: fast/events/message-port-gc-after-removing-event-listener.html The test was added at 256342@main and was a flaky crash since then. The history shows this affecting macOS Debug. This issue can be bisected to 256342@main using the command: run-webkit-tests --debug --iterations 4000 --exit-after-n-failures 1 --exit-after-n-crashes-or-timeouts 1 --debug-rwt-logging --no-retry --force --no-build -f fast/events/message-port-gc-after-removing-event-listener.html Result: Unexpected flakiness: crashes (1) fast/events/message-port-gc-after-removing-event-listener.html [ Pass Crash ] History: https://results.webkit.org/?suite=layout-tests&test=fast%2Fevents%2Fmessage-port-gc-after-removing-event-listener.html&style=debug&platform=mac Crash Log: No crash log found for com.apple.WebKit.WebContent.Development:79000. stdout: stderr: com.apple.WebKit.WebContent.Development terminated (pid 79000) for reason: crash LEAK: 1 WebPageProxy

Attachments
Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2022-11-29 14:28:07 PST

<rdar://problem/102784521>

Chris Dumez

Comment 2 2022-11-29 14:38:52 PST

I managed to get this crash trace from one of the bots: Crashed Thread: 12 WebCore: Worker Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000005 Exception Codes: 0x0000000000000001, 0x0000000000000005 Termination Reason: Namespace SIGNAL, Code 11 Segmentation fault: 11 Terminating Process: exc handler [41345] VM Region Info: 0x5 is not in any region. Bytes before following region: 4377247739 REGION TYPE START - END [ VSIZE] PRT/MAX SHRMOD REGION DETAIL UNUSED SPACE AT START ---> __TEXT 104e78000-104e7c000 [ 16K] r-x/r-x SM=COW ...t.Development Thread 12 Crashed:: Dispatch queue: 0 com.apple.WebCore 0x108ca1d64 JSC::JSCell::isObject() const 1 com.apple.WebCore 0x108cb4c08 JSC::JSValue::isObject() const 2 com.apple.WebCore 0x108cb4c08 JSC::JSValue::isObject() const 3 com.apple.WebCore 0x10b177420 WebCore::isWorldCompatible(JSC::JSGlobalObject&, JSC::JSValue) 4 com.apple.WebCore 0x10b177338 WebCore::cloneAcrossWorlds(JSC::JSGlobalObject&, WebCore::JSDOMObject const&, JSC::JSValue) 5 com.apple.WebCore 0x10b1605f0 WebCore::cachedPropertyValue(JSC::JSGlobalObject&, WebCore::JSDOMObject const&, WebCore::JSValueInWrappedObject&, WTF::Function<JSC::JSValue ()> const&) 6 com.apple.WebCore 0x10b207e2c WebCore::JSMessageEvent::ports(JSC::JSGlobalObject&) const 7 com.apple.WebCore 0x10948e9b8 WebCore::jsMessageEvent_portsGetter(JSC::JSGlobalObject&, WebCore::JSMessageEvent&) 8 com.apple.WebCore 0x1093cbf0c long long WebCore::IDLAttribute<WebCore::JSMessageEvent>::get<&(WebCore::jsMessageEvent_portsGetter(JSC::JSGlobalObject&, WebCore::JSMessageEvent&)), (WebCore::CastedThisErrorBehavior)3>(JSC::JSGlobalObject&, long long, JSC::PropertyName) 9 com.apple.WebCore 0x1093cbde8 WebCore::jsMessageEvent_ports(JSC::JSGlobalObject*, long long, JSC::PropertyName) 10 com.apple.JavaScriptCore 0x147530c9c WTF::FunctionPtr<(WTF::PtrTag)57072, long long (JSC::JSGlobalObject*, long long, JSC::PropertyName), (WTF::FunctionAttributes)1>::operator()(JSC::JSGlobalObject*, long long, JSC::PropertyName) const 11 com.apple.JavaScriptCore 0x147794a0c JSC::PropertySlot::customGetter(JSC::VM&, JSC::PropertyName) const 12 com.apple.JavaScriptCore 0x145f6716c JSC::PropertySlot::getValue(JSC::JSGlobalObject*, JSC::PropertyName) const 13 com.apple.JavaScriptCore 0x14602c6e0 JSC::JSValue::get(JSC::JSGlobalObject*, JSC::PropertyName, JSC::PropertySlot&) const 14 com.apple.JavaScriptCore 0x147115f40 JSC::LLInt::performLLIntGetByID(JSC::BytecodeIndex, JSC::CodeBlock*, JSC::JSGlobalObject*, JSC::JSValue, JSC::Identifier const&, JSC::GetByIdModeMetadata&) 15 com.apple.JavaScriptCore 0x147115ca8 llint_slow_path_get_by_id

Chris Dumez

Comment 3 2022-11-29 14:56:29 PST

I don't think this is a regression from my change. I believe the new test exposed a pre-existing issue. In particular, I believe that the worker is being terminated while MessageEvent.ports is getting called and we don't properly deal with this.

Alexey Proskuryakov

Comment 4 2022-11-29 15:27:09 PST

Is there a way to adjust the test so that it doesn't run into this? We do need a working test for the original fix.

Chris Dumez

Comment 5 2022-11-29 15:27:38 PST

(In reply to Alexey Proskuryakov from comment #4) > Is there a way to adjust the test so that it doesn't run into this? We do > need a working test for the original fix. I will upload a fix shortly.

Chris Dumez

Comment 6 2022-11-29 15:33:43 PST

Pull request: https://github.com/WebKit/WebKit/pull/6947

EWS

Comment 7 2022-11-30 08:00:24 PST

Committed 257180@main (c9f7f8272c10): <https://commits.webkit.org/257180@main> Reviewed commits have been landed. Closing PR #6947 and removing active labels.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component New Bugs

Assignee

Chris Dumez

Reported

2022-11-29 14:27 PST

Modified

2022-11-30 08:00 PST History

CC List

3 users Show

URL

Keywords InRadar

Depends on

Blocks