WebKit Bugzilla
Bug 270328 - IPC testing API tries to allocate JS objects during sweeping
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=270328

Ryosuke Niwa, Reported 2024-02-29 17:06:06 PST
e.g.

* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BREAKPOINT (code=1, subcode=0x280008f3c)
    frame #0: 0x0000000280008f3c JavaScriptCore`::WTFCrash() at Assertions.cpp:325:5
    frame #1: 0x0000000282380308 JavaScriptCore`WTFCrashWithInfo((null)=37, (null)="./heap/AllocatingScope.h", (null)="JSC::AllocatingScope::AllocatingScope(Heap &)", (null)=2858) at Assertions.h:768:5
  * frame #2: 0x000000028523c390 JavaScriptCore`JSC::AllocatingScope::AllocatingScope(this=0x0000000106b83db0, heap=0x0000000116064888) at AllocatingScope.h:37:9
    frame #3: 0x000000028522e6a0 JavaScriptCore`JSC::AllocatingScope::AllocatingScope(this=0x0000000106b83db0, heap=0x0000000116064888) at AllocatingScope.h:36:5
    frame #4: 0x000000028522dd00 JavaScriptCore`JSC::LocalAllocator::allocateSlowCase(this=0x000000010c378a20, heap=0x0000000116064888, cellSize=64, deferralContext=0x0000000000000000, failureMode=Assert) at LocalAllocator.cpp:123:21
    frame #5: 0x000000012788b2d8 WebKit`JSC::LocalAllocator::allocate(this=0x0000000106c23270)::'lambda'()::operator()() const at LocalAllocatorInlines.h:41:43
    frame #6: 0x000000012788acc4 WebKit`JSC::HeapCell* JSC::FreeList::allocateWithCellSize<JSC::LocalAllocator::allocate(JSC::Heap&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::'lambda'()>(this=0x000000010c378a38, slowPath=0x0000000106c23270, cellSize=64) at FreeListInlines.h:44:16
    frame #7: 0x00000001279f3108 WebKit`JSC::LocalAllocator::allocate(this=0x000000010c378a20, heap=0x0000000116064888, cellSize=64, deferralContext=0x0000000000000000, failureMode=Assert) at LocalAllocatorInlines.h:38:23
    frame #8: 0x000000012788aa0c WebKit`JSC::Allocator::allocate(this=0x0000000106a80460, heap=0x0000000116064888, cellSize=64, context=0x0000000000000000, mode=Assert) const at AllocatorInlines.h:35:30
    frame #9: 0x000000012788a448 WebKit`JSC::CompleteSubspace::allocate(this=0x0000000116068268, vm=0x0000000116064800, cellSize=64, deferralContext=0x0000000000000000, failureMode=Assert) at CompleteSubspaceInlines.h:39:26
    frame #10: 0x000000012e2f3e14 WebKit`void* JSC::tryAllocateCellHelper<JSC::JSFinalObject, (JSC::AllocationFailureMode)0>(vm=0x0000000116064800, size=64, deferralContext=0x0000000000000000) at JSCellInlines.h:191:63
    frame #11: 0x000000012e2f38b4 WebKit`void* JSC::allocateCell<JSC::JSFinalObject>(vm=0x0000000116064800, size=64) at JSCellInlines.h:207:12
    frame #12: 0x000000012e2f37a0 WebKit`JSC::JSFinalObject::createWithButterfly(vm=0x0000000116064800, structure=0x000000040000cd40, butterfly=0x0000000000000000) at JSObject.h:1355:9
    frame #13: 0x000000012e2f3624 WebKit`JSC::JSFinalObject::create(vm=0x0000000116064800, structure=0x000000040000cd40) at JSObject.h:1363:12
    frame #14: 0x000000012e2f35f0 WebKit`JSC::constructEmptyObject(vm=0x0000000116064800, structure=0x000000040000cd40) at ObjectConstructor.h:61:12
    frame #15: 0x000000012e2f35a8 WebKit`JSC::constructEmptyObject(globalObject=0x000000010dc1e0e8, prototype=0x00000001599042d0, inlineCapacity=6) at ObjectConstructor.h:68:12
    frame #16: 0x000000012e288280 WebKit`JSC::constructEmptyObject(globalObject=0x000000010dc1e0e8, prototype=0x00000001599042d0) at ObjectConstructor.h:73:12
    frame #17: 0x000000012e28c488 WebKit`WebKit::IPCTestingAPI::JSMessageListener::jsDescriptionFromDecoder(this=0x0000000157ff1940, globalObject=0x000000010dc1e0e8, decoder=0x000000015e77f280) at IPCTestingAPI.cpp:2896:22
    frame #18: 0x000000012e28e114 WebKit`WebKit::IPCTestingAPI::JSMessageListener::willSendMessage(this=0x0000000157ff1940, encoder=0x000000010be6e480, (null)=(m_storage = '\0')) at IPCTestingAPI.cpp:2885:25
    frame #19: 0x000000012faedb3c WebKit`IPC::Connection::sendMessage(this=0x000000010b44be40, encoder=0x0000000106c22a50, sendOptions=(m_storage = '\0'), qos= Has Value=false ) at Connection.cpp:528:27
    frame #20: 0x000000012fb63990 WebKit`IPC::MessageSender::sendMessage(this=0x000000010c674bc0, encoder=0x0000000106c22a50, sendOptions=(m_storage = '\0')) at MessageSender.cpp:40:24
    frame #21: 0x000000012dee0af8 WebKit`bool IPC::MessageSender::send<Messages::WebSWServerConnection::RemoveServiceWorkerRegistrationInServer>(this=0x000000010c674bc0, message=0x0000000106b81860, destinationID=0, options=(m_storage = '\0')) at MessageSenderInlines.h:38:12
    frame #22: 0x000000012de860b0 WebKit`bool IPC::MessageSender::send<Messages::WebSWServerConnection::RemoveServiceWorkerRegistrationInServer>(this=0x000000010c674bc0, message=0x0000000106b81860) at MessageSenderInlines.h:88:12
    frame #23: 0x000000012de85d8c WebKit`WebKit::WebSWClientConnection::removeServiceWorkerRegistrationInServer(this=0x000000010c674bc0, identifier=WebCore::ServiceWorkerRegistrationIdentifier @ 0x0000000106b81820) at WebSWClientConnection.cpp:108:9
    frame #24: 0x00000002ef6eb39c WebCore`WebCore::ServiceWorkerContainer::removeRegistration(this=0x0000000159a65300, registration=0x000000010ccfd780) at ServiceWorkerContainer.cpp:601:21
    frame #25: 0x00000002ef7a5504 WebCore`WebCore::ServiceWorkerRegistration::~ServiceWorkerRegistration(this=0x000000010ccfd780) at ServiceWorkerRegistration.cpp:96:18
    frame #26: 0x00000002ef7a5718 WebCore`WebCore::ServiceWorkerRegistration::~ServiceWorkerRegistration(this=0x000000010ccfd780) at ServiceWorkerRegistration.cpp:93:1
    frame #27: 0x00000002e29f4e6c WebCore`std::__1::default_delete<WebCore::ServiceWorkerRegistration>::operator()[abi:v160006](this=0x0000000106a7e020, __ptr=0x000000010ccfd780) const at unique_ptr.h:65:5
    frame #28: 0x00000002e29f4d88 WebCore`WTF::RefCounted<WebCore::ServiceWorkerRegistration, std::__1::default_delete<WebCore::ServiceWorkerRegistration>>::deref(this=0x000000010ccfd7a0) const at RefCounted.h:190:13
    frame #29: 0x00000002ef7ac828 WebCore`WebCore::ServiceWorkerRegistration::derefEventTarget(this=0x000000010ccfd780) at ServiceWorkerRegistration.h:116:37
    frame #30: 0x00000002dfc1edf8 WebCore`WebCore::EventTarget::deref(this=0x000000010ccfd780) at Node.h:897:9
    frame #31: 0x00000002dfc1ec2c WebCore`WTF::Ref<WebCore::EventTarget, WTF::RawPtrTraits<WebCore::EventTarget>>::~Ref(this=0x000000010c4b0be0) at Ref.h:61:18
    frame #32: 0x00000002dfc1e7e8 WebCore`WTF::Ref<WebCore::EventTarget, WTF::RawPtrTraits<WebCore::EventTarget>>::~Ref(this=0x000000010c4b0be0) at Ref.h:55:5
    frame #33: 0x00000002e0f73f24 WebCore`WebCore::JSDOMWrapper<WebCore::EventTarget, WTF::RawPtrTraits<WebCore::EventTarget>>::~JSDOMWrapper(this=0x000000010c4b0bc8) at JSDOMWrapper.h:74:7
    frame #34: 0x00000002e0f73ef0 WebCore`WebCore::JSEventTarget::~JSEventTarget(this=0x000000010c4b0bc8) at JSEventTarget.h:29:7
    frame #35: 0x00000002e0e446d8 WebCore`WebCore::JSEventTarget::~JSEventTarget(this=0x000000010c4b0bc8) at JSEventTarget.h:29:7
    frame #36: 0x00000002e0d7a03c WebCore`WebCore::JSEventTarget::destroy(cell=0x000000010c4b0bc8) at JSEventTarget.cpp:196:32
    frame #37: 0x0000000286498b7c JavaScriptCore`JSC::JSDestructibleObjectDestroyFunc::operator()(this=0x0000000106a7dfa0, (null)=0x0000000116064800, cell=0x000000010c4b0bc8) const at JSDestructibleObjectHeapCellType.cpp:38:9
    frame #38: 0x0000000286498a4c JavaScriptCore`JSC::JSDestructibleObjectHeapCellType::destroy(this=0x0000000116064f70, vm=0x0000000116064800, cell=0x000000010c4b0bc8) const at JSDestructibleObjectHeapCellType.cpp:58:5
    frame #39: 0x00000002853038ec JavaScriptCore`JSC::Subspace::destroy(this=0x0000000159a845c0, vm=0x0000000116064800, cell=0x000000010c4b0bc8) at Subspace.cpp:65:21
    frame #40: 0x00000002852ddec8 JavaScriptCore`JSC::PreciseAllocation::sweep(this=0x000000010c4b0b68) at PreciseAllocation.cpp:273:25
    frame #41: 0x00000002852896e8 JavaScriptCore`JSC::MarkedSpace::sweepPreciseAllocations(this=0x0000000116064938) at MarkedSpace.cpp:235:21
    frame #42: 0x0000000285048bc4 JavaScriptCore`JSC::Heap::sweepInFinalize(this=0x0000000116064888) at Heap.cpp:2247:19
    frame #43: 0x0000000285048420 JavaScriptCore`JSC::Heap::finalize(this=0x0000000116064888) at Heap.cpp:2180:9
    frame #44: 0x00000002850470b8 JavaScriptCore`JSC::Heap::handleNeedFinalize(this=0x0000000116064888, oldState=13) at Heap.cpp:2117:9
    frame #45: 0x00000002850456e0 JavaScriptCore`JSC::Heap::handleNeedFinalize(this=0x0000000116064888) at Heap.cpp:2128:12
    frame #46: 0x000000028503b834 JavaScriptCore`JSC::Heap::finishChangingPhase(this=0x0000000116064888, conn=Mutator) at Heap.cpp:1724:17
    frame #47: 0x000000028503f9e8 JavaScriptCore`JSC::Heap::changePhase(this=0x0000000116064888, conn=Mutator, nextPhase=NotRunning) at Heap.cpp:1698:12
    frame #48: 0x000000028503f790 JavaScriptCore`JSC::Heap::runEndPhase(this=0x0000000116064888, conn=Mutator) at Heap.cpp:1688:12
    frame #49: 0x000000028503a630 JavaScriptCore`JSC::Heap::runCurrentPhase(this=0x0000000116064888, conn=Mutator, currentThreadState=0x000000016b8c15a0) at Heap.cpp:1339:18
    frame #50: 0x0000000285152934 JavaScriptCore`JSC::Heap::collectInMutatorThread()::$_25::operator()(this=0x0000000106cba070, state=0x000000016b8c15a0) const at Heap.cpp:1955:52
    frame #51: 0x00000002851527f0 JavaScriptCore`WTF::ScopedLambdaFunctor<void (JSC::CurrentThreadState&), JSC::Heap::collectInMutatorThread()::$_25>::implFunction(argument=0x0000000106cba060, arguments=0x000000016b8c15a0) at ScopedLambda.h:106:16
    frame #52: 0x000000028527b9a8 JavaScriptCore`void WTF::ScopedLambda<void (JSC::CurrentThreadState&)>::operator()<JSC::CurrentThreadState&>(this=0x0000000106cba060, arguments=0x000000016b8c15a0) const at ScopedLambda.h:58:16
    frame #53: 0x000000028527b838 JavaScriptCore`JSC::callWithCurrentThreadState(lambda=0x0000000106cba060) at MachineStackMarker.cpp:224:5
    frame #54: 0x0000000285047360 JavaScriptCore`JSC::Heap::collectInMutatorThread(this=0x0000000116064888) at Heap.cpp:1967:13
    frame #55: 0x0000000285046f48 JavaScriptCore`JSC::Heap::stopIfNecessarySlow(this=0x0000000116064888, oldState=5) at Heap.cpp:1936:9
    frame #56: 0x0000000285046ca0 JavaScriptCore`JSC::Heap::stopIfNecessarySlow(this=0x0000000116064888) at Heap.cpp:1908:12
    frame #57: 0x00000002850394f4 JavaScriptCore`JSC::Heap::stopIfNecessary(this=0x0000000116064888) at HeapInlines.h:264:9
    frame #58: 0x00000002853017ec JavaScriptCore`JSC::StopIfNecessaryTimer::doWork(this=0x000000010b364340, vm=0x0000000116064800) at StopIfNecessaryTimer.cpp:43:13
    frame #59: 0x000000028680cd7c JavaScriptCore`JSC::JSRunLoopTimer::timerDidFire(this=0x000000010b364340) at JSRunLoopTimer.cpp:233:5
    frame #60: 0x000000028680b35c JavaScriptCore`JSC::JSRunLoopTimer::Manager::timerDidFire(this=0x000000010b5479b0) at JSRunLoopTimer.cpp:106:16
    frame #61: 0x000000028680aa80 JavaScriptCore`JSC::JSRunLoopTimer::Manager::timerDidFireCallback(this=0x000000010b5479b0) at JSRunLoopTimer.cpp:53:5
    frame #62: 0x0000000286821f44 JavaScriptCore`decltype(*std::declval<JSC::JSRunLoopTimer::Manager*&>().*std::declval<void (JSC::JSRunLoopTimer::Manager::*&)()>()()) std::__1::__invoke[abi:v160006]<void (JSC::JSRunLoopTimer::Manager::*&)(), JSC::JSRunLoopTimer::Manager*&, void>(__f=0x000000010b547928, __a0=0x000000010b547938) at invoke.h:359:23
    frame #63: 0x0000000286821e00 JavaScriptCore`std::__1::__bind_return<void (JSC::JSRunLoopTimer::Manager::*)(), std::__1::tuple<JSC::JSRunLoopTimer::Manager*>, std::__1::tuple<>, __is_valid_bind_return<void (JSC::JSRunLoopTimer::Manager::*)(), std::__1::tuple<JSC::JSRunLoopTimer::Manager*>, std::__1::tuple<>>::value>::type std::__1::__apply_functor[abi:v160006]<void (JSC::JSRunLoopTimer::Manager::*)(), std::__1::tuple<JSC::JSRunLoopTimer::Manager*>, 0ul, std::__1::tuple<>>(__f=0x000000010b547928, __bound_args=size=1, (null)=__tuple_indices<0UL> @ 0x000000016b8c1c2f, __args=size=0) at bind.h:263:12
    frame #64: 0x0000000286821d18 JavaScriptCore`std::__1::__bind_return<void (JSC::JSRunLoopTimer::Manager::*)(), std::__1::tuple<JSC::JSRunLoopTimer::Manager*>, std::__1::tuple<>, __is_valid_bind_return<void (JSC::JSRunLoopTimer::Manager::*)(), std::__1::tuple<JSC::JSRunLoopTimer::Manager*>, std::__1::tuple<>>::value>::type std::__1::__bind<void (JSC::JSRunLoopTimer::Manager::*&)(), JSC::JSRunLoopTimer::Manager*&>::operator()[abi:v160006]<>(this=0x000000010b547928) at bind.h:295:20
    frame #65: 0x0000000286821b9c JavaScriptCore`WTF::Detail::CallableWrapper<std::__1::__bind<void (JSC::JSRunLoopTimer::Manager::*&)(), JSC::JSRunLoopTimer::Manager*&>, void>::call(this=0x000000010b547920) at Function.h:53:39
    frame #66: 0x000000028682310c JavaScriptCore`WTF::Function<void ()>::operator()(this=0x000000010b547968) const at Function.h:82:35
    frame #67: 0x00000002801cd43c JavaScriptCore`WTF::RunLoop::Timer::fired(this=0x000000010b547950) at RunLoop.h:191:33
    frame #68: 0x000000028025bdd0 JavaScriptCore`WTF::RunLoop::TimerBase::start(WTF::Seconds, bool)::$_1::operator()(this=0x0000000106a4a0a0, cfTimer=0x000000010b86cd40, context=0x000000010b547950) const at RunLoopCF.cpp:133:16
    frame #69: 0x000000028025bb28 JavaScriptCore`WTF::RunLoop::TimerBase::start(WTF::Seconds, bool)::$_1::__invoke(cfTimer=0x000000010b86cd40, context=0x000000010b547950) at RunLoopCF.cpp:126:45
    frame #70: 0x0000000180bc7a20 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 32
    frame #71: 0x0000000180bc76c8 CoreFoundation`__CFRunLoopDoTimer + 972
    frame #72: 0x0000000180bc7200 CoreFoundation`__CFRunLoopDoTimers + 356
Ryosuke Niwa, Comment 1, 2024-02-29 17:06:18 PST
<rdar://119952105>
Ryosuke Niwa, Comment 2, 2024-02-29 17:11:33 PST
Pull request: https://github.com/WebKit/WebKit/pull/25328
EWS, Comment 3, 2024-03-01 15:47:42 PST
Committed 275577@main (afa8e8e258fb): <https://commits.webkit.org/275577@main>
Reviewed commits have been landed. Closing PR #25328 and removing active labels.