RESOLVED FIXED 263845
REGRESSION(269895@main): ASSERTION FAILED: !m_deletionHasBegun for WebProcessPool 
https://bugs.webkit.org/show_bug.cgi?id=263845
Summary REGRESSION(269895@main): ASSERTION FAILED: !m_deletionHasBegun for WebProcess...
Fujii Hironori
Reported 2023-10-29 01:36:49 PDT
REGRESSION(269895@main): ASSERTION FAILED: !m_deletionHasBegun for WebProcessPool Windows port and GTK port Debug build are failing an assertion. Buildbot: builder GTK-Linux-64-bit-Debug-Tests build 11576 (269898@main) https://build.webkit.org/#/builders/63/builds/11576 ASSERTION FAILED: !m_deletionHasBegun /app/webkit/WebKitBuild/GTK/Debug/WTF/Headers/wtf/ThreadSafeRefCounted.h(58) : void WTF::ThreadSafeRefCountedBase::ref() const 1 0x7ff9eeb4ca05 WTFCrash 2 0x7ff9eeb4ca1b WTFIsDebuggerAttached 3 0x7ff9f8483109 WTF::ThreadSafeRefCountedBase::ref() const 4 0x7ff9f880fbf5 WTF::Ref<WebKit::WebProcessPool, WTF::RawPtrTraits<WebKit::WebProcessPool> >::Ref(WebKit::WebProcessPool&) 5 0x7ff9f958bb9c WebKit::WebProcessProxy::protectedProcessPool() const 6 0x7ff9f95824d3 WebKit::WebProcessProxy::processWillShutDown(IPC::Connection&) 7 0x7ff9f9344eb2 WebKit::AuxiliaryProcessProxy::shutDownProcess() 8 0x7ff9f9582a2a WebKit::WebProcessProxy::shutDown() 9 0x7ff9f9572ed5 WebKit::WebProcessPool::~WebProcessPool() 10 0x7ff9f9573374 WebKit::WebProcessPool::~WebProcessPool() 11 0x7ff9f848339a WTF::ThreadSafeRefCounted<API::Object, (WTF::DestructionThread)0>::deref() const::{lambda()#1}::operator()() const 12 0x7ff9f84833e1 WTF::ThreadSafeRefCounted<API::Object, (WTF::DestructionThread)0>::deref() const 13 0x7ff9f95c9de1 WTF::DefaultRefDerefTraits<WebKit::WebProcessPool>::derefIfNotNull(WebKit::WebProcessPool*) 14 0x7ff9f95b84a2 WTF::RefPtr<WebKit::WebProcessPool, WTF::RawPtrTraits<WebKit::WebProcessPool>, WTF::DefaultRefDerefTraits<WebKit::WebProcessPool> >::~RefPtr() 15 0x7ff9f95acd84 WebKit::WebProcessProxy::WeakOrStrongPtr<WebKit::WebProcessPool>::~WeakOrStrongPtr() 16 0x7ff9f95807b6 WebKit::WebProcessProxy::~WebProcessProxy() 17 0x7ff9f958083e WebKit::WebProcessProxy::~WebProcessProxy() 18 0x7ff9f88181e4 WTF::ThreadSafeRefCounted<WebKit::AuxiliaryProcessProxy, (WTF::DestructionThread)2>::deref() const::{lambda()#1}::operator()() const 19 0x7ff9f882923c WTF::Detail::CallableWrapper<WTF::ThreadSafeRefCounted<WebKit::AuxiliaryProcessProxy, (WTF::DestructionThread)2>::deref() const::{lambda()#1}, void>::call() 20 0x7ff9ed58185b WTF::Function<void ()>::operator()() const 21 0x7ff9eebbcc10 WTF::ensureOnMainRunLoop(WTF::Function<void ()>&&) 22 0x7ff9f8818248 WTF::ThreadSafeRefCounted<WebKit::AuxiliaryProcessProxy, (WTF::DestructionThread)2>::deref() const 23 0x7ff9f8818018 WebKit::AuxiliaryProcessProxy::deref() 24 0x7ff9f8818301 WTF::Ref<WebKit::WebProcessProxy, WTF::RawPtrTraits<WebKit::WebProcessProxy> >::~Ref() 25 0x7ff9f9438a9c ~<lambda> 26 0x7ff9f948494c ~CallableWrapper 27 0x7ff9f9484974 ~CallableWrapper 28 0x7ff9eced7766 std::default_delete<WTF::Detail::CallableWrapperBase<void> >::operator()(WTF::Detail::CallableWrapperBase<void>*) const 29 0x7ff9eced3a6c std::unique_ptr<WTF::Detail::CallableWrapperBase<void>, std::default_delete<WTF::Detail::CallableWrapperBase<void> > >::~unique_ptr() 30 0x7ff9eced2fbe WTF::Function<void ()>::~Function() 31 0x7ff9eebe8b6f WTF::RunLoop::performWork()
Attachments
Add attachment proposed patch, testcase, etc.
Fujii Hironori
Comment 2 2023-10-29 02:51:31 PDT
Here is a crash log of Windows port. Buildbot: builder WinCairo-64-bit-Debug-Tests build 21218 (269899@main) https://build.webkit.org/#/builders/727/builds/21218 ASSERTION FAILED: !m_deletionHasBegun C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf/ThreadSafeRefCounted.h(58) : ref 1 00007FF9078C1C19 WTFCrash 2 00007FF9078C1C39 WTFCrashWithSecurityImplication 3 00007FF8F91BBDAF WTF::ThreadSafeRefCountedBase::ref 4 00007FF8F9613D9E WTF::Ref<WebKit::WebProcessPool,WTF::RawPtrTraits<WebKit::WebProcessPool> >::Ref 5 00007FF8FA322FB2 WebKit::WebProcessProxy::protectedProcessPool 6 00007FF8FA3118B6 WebKit::WebProcessProxy::shutDown 7 00007FF8FA31301F WebKit::WebProcessPool::~WebProcessPool 8 00007FF8FA34E0F9 WebKit::WebProcessPool::~WebProcessPool 9 00007FF8F924F5A3 WTF::ThreadSafeRefCounted<API::Object,0>::deref::<lambda_1>::operator() 10 00007FF8F924F558 WTF::ThreadSafeRefCounted<API::Object,0>::deref 11 00007FF8FA3585F3 WTF::DefaultRefDerefTraits<WebKit::WebProcessPool>::derefIfNotNull 12 00007FF8FA358598 WTF::RefPtr<WebKit::WebProcessPool,WTF::RawPtrTraits<WebKit::WebProcessPool>,WTF::DefaultRefDerefTraits<WebKit::WebProcessPool> >::~RefPtr 13 00007FF8FA34806C WebKit::WebProcessProxy::WeakOrStrongPtr<WebKit::WebProcessPool>::~WeakOrStrongPtr 14 00007FF8FA32217A WebKit::WebProcessProxy::~WebProcessProxy 15 00007FF8FA34E189 WebKit::WebProcessProxy::~WebProcessProxy 16 00007FF8F9618593 WTF::ThreadSafeRefCounted<WebKit::AuxiliaryProcessProxy,2>::deref::<lambda_1>::operator() 17 00007FF8F9618537 WTF::Detail::CallableWrapper<`lambda at C:\BW\WinCairo-64-bit-Debug-Build\build\WebKitBuild\Debug\WTF\Headers\wtf/ThreadSafeRefCounted.h:114:27',void>::call 18 00007FF9078D7E24 WTF::Function<void ()>::operator() 19 00007FF90792E025 WTF::ensureOnMainRunLoop 20 00007FF8F9618278 WTF::ThreadSafeRefCounted<WebKit::AuxiliaryProcessProxy,2>::deref 21 00007FF8F96181E7 WebKit::AuxiliaryProcessProxy::deref 22 00007FF8F9617C5B WTF::Ref<WebKit::WebProcessProxy,WTF::RawPtrTraits<WebKit::WebProcessProxy> >::~Ref 23 00007FF8FA20B1FA WebKit::WebPageProxy::close::<lambda_5>::~(lambda at C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebKit\UIProcess/WebPageProxy.cpp:1482:33) 24 00007FF8FA243BB6 WTF::Detail::CallableWrapper<`lambda at C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebKit\UIProcess/WebPageProxy.cpp:1482:33',void>::~CallableWrapper 25 00007FF8FA243B49 WTF::Detail::CallableWrapper<`lambda at C:\BW\WinCairo-64-bit-Debug-Build\build\Source\WebKit\UIProcess/WebPageProxy.cpp:1482:33',void>::~CallableWrapper 26 00007FF9078CD6F1 std::default_delete<WTF::Detail::CallableWrapperBase<void> >::operator() 27 00007FF9078CD6A7 std::unique_ptr<WTF::Detail::CallableWrapperBase<void>,std::default_delete<WTF::Detail::CallableWrapperBase<void> > >::~unique_ptr 28 00007FF9078CC363 WTF::Function<void ()>::~Function 29 00007FF90795AD54 WTF::RunLoop::performWork 30 00007FF907A2F140 WTF::RunLoop::wndProc 31 00007FF907A2F077 WTF::RunLoop::RunLoopWndProc
Fujii Hironori
Comment 3 2023-10-29 02:56:20 PDT
WebProcessProxy::protectedProcessPool() converts WeakOrStrongPtr<WebProcessPool> to Ref<WebProcessPool> without checking the liveness. https://github.com/WebKit/WebKit/blob/ce8774c6b1ee8874b8262d16ad65fc8a576762e2/Source/WebKit/UIProcess/WebProcessProxy.cpp#L2103-L2112 This is a dangerous anti-pattern. And, WeakPtr should return nullptr while destroying the object.
Fujii Hironori
Comment 4 2023-10-29 05:49:36 PDT
> 5 00007FF8FA322FB2 WebKit::WebProcessProxy::protectedProcessPool > 6 00007FF8FA3118B6 WebKit::WebProcessProxy::shutDown > 7 00007FF8FA31301F WebKit::WebProcessPool::~WebProcessPool In this callstack, WebProcessPool is being destroyed. ~WebProcessPool calls WebProcessProxy::shutDown. This WebProcessProxy is prewarmed. However, WebProcessProxy::shutDown calls WebProcessProxy::protectedProcessPool even though it doesn't retain the WebProcessPool ref counter.
Chris Dumez
Comment 5 2023-10-29 10:44:09 PDT
Thanks for the report. I'll fix this shortly.
Chris Dumez
Comment 6 2023-10-29 10:46:58 PDT
Pull request: https://github.com/WebKit/WebKit/pull/19690
EWS
Comment 7 2023-10-29 10:49:30 PDT
Committed 269909@main (26b67379adea): <https://commits.webkit.org/269909@main> Reviewed commits have been landed. Closing PR #19690 and removing active labels.
Radar WebKit Bug Importer
Comment 8 2023-10-29 10:50:15 PDT
<rdar://problem/117654716>
Fujii Hironori
Comment 9 2023-10-29 13:12:08 PDT
Re-opening for pull request https://github.com/WebKit/WebKit/pull/19694
EWS
Comment 10 2023-10-29 14:42:30 PDT
Committed 269914@main (b75c1351a087): <https://commits.webkit.org/269914@main> Reviewed commits have been landed. Closing PR #19694 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.