270328 – IPC testing API tries to allocate JS objects during sweeping

Bug 270328 - IPC testing API tries to allocate JS objects during sweeping

Summary: IPC testing API tries to allocate JS objects during sweeping

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	Service Workers (show other bugs)
Version:	Other
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Ryosuke Niwa

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2024-02-29 17:06 PST by Ryosuke Niwa
Modified:	2024-03-01 15:47 PST (History)
CC List:	0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Ryosuke Niwa 2024-02-29 17:06:06 PST

e.g.
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BREAKPOINT (code=1, subcode=0x280008f3c)
    frame #0: 0x0000000280008f3c JavaScriptCore`::WTFCrash() at Assertions.cpp:325:5
    frame #1: 0x0000000282380308 JavaScriptCore`WTFCrashWithInfo((null)=37, (null)="./heap/AllocatingScope.h", (null)="JSC::AllocatingScope::AllocatingScope(Heap &)", (null)=2858) at Assertions.h:768:5
  * frame #2: 0x000000028523c390 JavaScriptCore`JSC::AllocatingScope::AllocatingScope(this=0x0000000106b83db0, heap=0x0000000116064888) at AllocatingScope.h:37:9
    frame #3: 0x000000028522e6a0 JavaScriptCore`JSC::AllocatingScope::AllocatingScope(this=0x0000000106b83db0, heap=0x0000000116064888) at AllocatingScope.h:36:5
    frame #4: 0x000000028522dd00 JavaScriptCore`JSC::LocalAllocator::allocateSlowCase(this=0x000000010c378a20, heap=0x0000000116064888, cellSize=64, deferralContext=0x0000000000000000, failureMode=Assert) at LocalAllocator.cpp:123:21
    frame #5: 0x000000012788b2d8 WebKit`JSC::LocalAllocator::allocate(this=0x0000000106c23270)::'lambda'()::operator()() const at LocalAllocatorInlines.h:41:43
    frame #6: 0x000000012788acc4 WebKit`JSC::HeapCell* JSC::FreeList::allocateWithCellSize<JSC::LocalAllocator::allocate(JSC::Heap&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::'lambda'()>(this=0x000000010c378a38, slowPath=0x0000000106c23270, cellSize=64) at FreeListInlines.h:44:16
    frame #7: 0x00000001279f3108 WebKit`JSC::LocalAllocator::allocate(this=0x000000010c378a20, heap=0x0000000116064888, cellSize=64, deferralContext=0x0000000000000000, failureMode=Assert) at LocalAllocatorInlines.h:38:23
    frame #8: 0x000000012788aa0c WebKit`JSC::Allocator::allocate(this=0x0000000106a80460, heap=0x0000000116064888, cellSize=64, context=0x0000000000000000, mode=Assert) const at AllocatorInlines.h:35:30
    frame #9: 0x000000012788a448 WebKit`JSC::CompleteSubspace::allocate(this=0x0000000116068268, vm=0x0000000116064800, cellSize=64, deferralContext=0x0000000000000000, failureMode=Assert) at CompleteSubspaceInlines.h:39:26
    frame #10: 0x000000012e2f3e14 WebKit`void* JSC::tryAllocateCellHelper<JSC::JSFinalObject, (JSC::AllocationFailureMode)0>(vm=0x0000000116064800, size=64, deferralContext=0x0000000000000000) at JSCellInlines.h:191:63
    frame #11: 0x000000012e2f38b4 WebKit`void* JSC::allocateCell<JSC::JSFinalObject>(vm=0x0000000116064800, size=64) at JSCellInlines.h:207:12
    frame #12: 0x000000012e2f37a0 WebKit`JSC::JSFinalObject::createWithButterfly(vm=0x0000000116064800, structure=0x000000040000cd40, butterfly=0x0000000000000000) at JSObject.h:1355:9
    frame #13: 0x000000012e2f3624 WebKit`JSC::JSFinalObject::create(vm=0x0000000116064800, structure=0x000000040000cd40) at JSObject.h:1363:12
    frame #14: 0x000000012e2f35f0 WebKit`JSC::constructEmptyObject(vm=0x0000000116064800, structure=0x000000040000cd40) at ObjectConstructor.h:61:12
    frame #15: 0x000000012e2f35a8 WebKit`JSC::constructEmptyObject(globalObject=0x000000010dc1e0e8, prototype=0x00000001599042d0, inlineCapacity=6) at ObjectConstructor.h:68:12
    frame #16: 0x000000012e288280 WebKit`JSC::constructEmptyObject(globalObject=0x000000010dc1e0e8, prototype=0x00000001599042d0) at ObjectConstructor.h:73:12
    frame #17: 0x000000012e28c488 WebKit`WebKit::IPCTestingAPI::JSMessageListener::jsDescriptionFromDecoder(this=0x0000000157ff1940, globalObject=0x000000010dc1e0e8, decoder=0x000000015e77f280) at IPCTestingAPI.cpp:2896:22
    frame #18: 0x000000012e28e114 WebKit`WebKit::IPCTestingAPI::JSMessageListener::willSendMessage(this=0x0000000157ff1940, encoder=0x000000010be6e480, (null)=(m_storage = '\0')) at IPCTestingAPI.cpp:2885:25
    frame #19: 0x000000012faedb3c WebKit`IPC::Connection::sendMessage(this=0x000000010b44be40, encoder=0x0000000106c22a50, sendOptions=(m_storage = '\0'), qos= Has Value=false ) at Connection.cpp:528:27
    frame #20: 0x000000012fb63990 WebKit`IPC::MessageSender::sendMessage(this=0x000000010c674bc0, encoder=0x0000000106c22a50, sendOptions=(m_storage = '\0')) at MessageSender.cpp:40:24
    frame #21: 0x000000012dee0af8 WebKit`bool IPC::MessageSender::send<Messages::WebSWServerConnection::RemoveServiceWorkerRegistrationInServer>(this=0x000000010c674bc0, message=0x0000000106b81860, destinationID=0, options=(m_storage = '\0')) at MessageSenderInlines.h:38:12
    frame #22: 0x000000012de860b0 WebKit`bool IPC::MessageSender::send<Messages::WebSWServerConnection::RemoveServiceWorkerRegistrationInServer>(this=0x000000010c674bc0, message=0x0000000106b81860) at MessageSenderInlines.h:88:12
    frame #23: 0x000000012de85d8c WebKit`WebKit::WebSWClientConnection::removeServiceWorkerRegistrationInServer(this=0x000000010c674bc0, identifier=WebCore::ServiceWorkerRegistrationIdentifier @ 0x0000000106b81820) at WebSWClientConnection.cpp:108:9
    frame #24: 0x00000002ef6eb39c WebCore`WebCore::ServiceWorkerContainer::removeRegistration(this=0x0000000159a65300, registration=0x000000010ccfd780) at ServiceWorkerContainer.cpp:601:21
    frame #25: 0x00000002ef7a5504 WebCore`WebCore::ServiceWorkerRegistration::~ServiceWorkerRegistration(this=0x000000010ccfd780) at ServiceWorkerRegistration.cpp:96:18
    frame #26: 0x00000002ef7a5718 WebCore`WebCore::ServiceWorkerRegistration::~ServiceWorkerRegistration(this=0x000000010ccfd780) at ServiceWorkerRegistration.cpp:93:1
    frame #27: 0x00000002e29f4e6c WebCore`std::__1::default_delete<WebCore::ServiceWorkerRegistration>::operator()[abi:v160006](this=0x0000000106a7e020, __ptr=0x000000010ccfd780) const at unique_ptr.h:65:5
    frame #28: 0x00000002e29f4d88 WebCore`WTF::RefCounted<WebCore::ServiceWorkerRegistration, std::__1::default_delete<WebCore::ServiceWorkerRegistration>>::deref(this=0x000000010ccfd7a0) const at RefCounted.h:190:13
    frame #29: 0x00000002ef7ac828 WebCore`WebCore::ServiceWorkerRegistration::derefEventTarget(this=0x000000010ccfd780) at ServiceWorkerRegistration.h:116:37
    frame #30: 0x00000002dfc1edf8 WebCore`WebCore::EventTarget::deref(this=0x000000010ccfd780) at Node.h:897:9
    frame #31: 0x00000002dfc1ec2c WebCore`WTF::Ref<WebCore::EventTarget, WTF::RawPtrTraits<WebCore::EventTarget>>::~Ref(this=0x000000010c4b0be0) at Ref.h:61:18
    frame #32: 0x00000002dfc1e7e8 WebCore`WTF::Ref<WebCore::EventTarget, WTF::RawPtrTraits<WebCore::EventTarget>>::~Ref(this=0x000000010c4b0be0) at Ref.h:55:5
    frame #33: 0x00000002e0f73f24 WebCore`WebCore::JSDOMWrapper<WebCore::EventTarget, WTF::RawPtrTraits<WebCore::EventTarget>>::~JSDOMWrapper(this=0x000000010c4b0bc8) at JSDOMWrapper.h:74:7
    frame #34: 0x00000002e0f73ef0 WebCore`WebCore::JSEventTarget::~JSEventTarget(this=0x000000010c4b0bc8) at JSEventTarget.h:29:7
    frame #35: 0x00000002e0e446d8 WebCore`WebCore::JSEventTarget::~JSEventTarget(this=0x000000010c4b0bc8) at JSEventTarget.h:29:7
    frame #36: 0x00000002e0d7a03c WebCore`WebCore::JSEventTarget::destroy(cell=0x000000010c4b0bc8) at JSEventTarget.cpp:196:32
    frame #37: 0x0000000286498b7c JavaScriptCore`JSC::JSDestructibleObjectDestroyFunc::operator()(this=0x0000000106a7dfa0, (null)=0x0000000116064800, cell=0x000000010c4b0bc8) const at JSDestructibleObjectHeapCellType.cpp:38:9
    frame #38: 0x0000000286498a4c JavaScriptCore`JSC::JSDestructibleObjectHeapCellType::destroy(this=0x0000000116064f70, vm=0x0000000116064800, cell=0x000000010c4b0bc8) const at JSDestructibleObjectHeapCellType.cpp:58:5
    frame #39: 0x00000002853038ec JavaScriptCore`JSC::Subspace::destroy(this=0x0000000159a845c0, vm=0x0000000116064800, cell=0x000000010c4b0bc8) at Subspace.cpp:65:21
    frame #40: 0x00000002852ddec8 JavaScriptCore`JSC::PreciseAllocation::sweep(this=0x000000010c4b0b68) at PreciseAllocation.cpp:273:25
    frame #41: 0x00000002852896e8 JavaScriptCore`JSC::MarkedSpace::sweepPreciseAllocations(this=0x0000000116064938) at MarkedSpace.cpp:235:21
    frame #42: 0x0000000285048bc4 JavaScriptCore`JSC::Heap::sweepInFinalize(this=0x0000000116064888) at Heap.cpp:2247:19
    frame #43: 0x0000000285048420 JavaScriptCore`JSC::Heap::finalize(this=0x0000000116064888) at Heap.cpp:2180:9
    frame #44: 0x00000002850470b8 JavaScriptCore`JSC::Heap::handleNeedFinalize(this=0x0000000116064888, oldState=13) at Heap.cpp:2117:9
    frame #45: 0x00000002850456e0 JavaScriptCore`JSC::Heap::handleNeedFinalize(this=0x0000000116064888) at Heap.cpp:2128:12
    frame #46: 0x000000028503b834 JavaScriptCore`JSC::Heap::finishChangingPhase(this=0x0000000116064888, conn=Mutator) at Heap.cpp:1724:17
    frame #47: 0x000000028503f9e8 JavaScriptCore`JSC::Heap::changePhase(this=0x0000000116064888, conn=Mutator, nextPhase=NotRunning) at Heap.cpp:1698:12
    frame #48: 0x000000028503f790 JavaScriptCore`JSC::Heap::runEndPhase(this=0x0000000116064888, conn=Mutator) at Heap.cpp:1688:12
    frame #49: 0x000000028503a630 JavaScriptCore`JSC::Heap::runCurrentPhase(this=0x0000000116064888, conn=Mutator, currentThreadState=0x000000016b8c15a0) at Heap.cpp:1339:18
    frame #50: 0x0000000285152934 JavaScriptCore`JSC::Heap::collectInMutatorThread()::$_25::operator()(this=0x0000000106cba070, state=0x000000016b8c15a0) const at Heap.cpp:1955:52
    frame #51: 0x00000002851527f0 JavaScriptCore`WTF::ScopedLambdaFunctor<void (JSC::CurrentThreadState&), JSC::Heap::collectInMutatorThread()::$_25>::implFunction(argument=0x0000000106cba060, arguments=0x000000016b8c15a0) at ScopedLambda.h:106:16
    frame #52: 0x000000028527b9a8 JavaScriptCore`void WTF::ScopedLambda<void (JSC::CurrentThreadState&)>::operator()<JSC::CurrentThreadState&>(this=0x0000000106cba060, arguments=0x000000016b8c15a0) const at ScopedLambda.h:58:16
    frame #53: 0x000000028527b838 JavaScriptCore`JSC::callWithCurrentThreadState(lambda=0x0000000106cba060) at MachineStackMarker.cpp:224:5
    frame #54: 0x0000000285047360 JavaScriptCore`JSC::Heap::collectInMutatorThread(this=0x0000000116064888) at Heap.cpp:1967:13
    frame #55: 0x0000000285046f48 JavaScriptCore`JSC::Heap::stopIfNecessarySlow(this=0x0000000116064888, oldState=5) at Heap.cpp:1936:9
    frame #56: 0x0000000285046ca0 JavaScriptCore`JSC::Heap::stopIfNecessarySlow(this=0x0000000116064888) at Heap.cpp:1908:12
    frame #57: 0x00000002850394f4 JavaScriptCore`JSC::Heap::stopIfNecessary(this=0x0000000116064888) at HeapInlines.h:264:9
    frame #58: 0x00000002853017ec JavaScriptCore`JSC::StopIfNecessaryTimer::doWork(this=0x000000010b364340, vm=0x0000000116064800) at StopIfNecessaryTimer.cpp:43:13
    frame #59: 0x000000028680cd7c JavaScriptCore`JSC::JSRunLoopTimer::timerDidFire(this=0x000000010b364340) at JSRunLoopTimer.cpp:233:5
    frame #60: 0x000000028680b35c JavaScriptCore`JSC::JSRunLoopTimer::Manager::timerDidFire(this=0x000000010b5479b0) at JSRunLoopTimer.cpp:106:16
    frame #61: 0x000000028680aa80 JavaScriptCore`JSC::JSRunLoopTimer::Manager::timerDidFireCallback(this=0x000000010b5479b0) at JSRunLoopTimer.cpp:53:5
    frame #62: 0x0000000286821f44 JavaScriptCore`decltype(*std::declval<JSC::JSRunLoopTimer::Manager*&>().*std::declval<void (JSC::JSRunLoopTimer::Manager::*&)()>()()) std::__1::__invoke[abi:v160006]<void (JSC::JSRunLoopTimer::Manager::*&)(), JSC::JSRunLoopTimer::Manager*&, void>(__f=0x000000010b547928, __a0=0x000000010b547938) at invoke.h:359:23
    frame #63: 0x0000000286821e00 JavaScriptCore`std::__1::__bind_return<void (JSC::JSRunLoopTimer::Manager::*)(), std::__1::tuple<JSC::JSRunLoopTimer::Manager*>, std::__1::tuple<>, __is_valid_bind_return<void (JSC::JSRunLoopTimer::Manager::*)(), std::__1::tuple<JSC::JSRunLoopTimer::Manager*>, std::__1::tuple<>>::value>::type std::__1::__apply_functor[abi:v160006]<void (JSC::JSRunLoopTimer::Manager::*)(), std::__1::tuple<JSC::JSRunLoopTimer::Manager*>, 0ul, std::__1::tuple<>>(__f=0x000000010b547928, __bound_args=size=1, (null)=__tuple_indices<0UL> @ 0x000000016b8c1c2f, __args=size=0) at bind.h:263:12
    frame #64: 0x0000000286821d18 JavaScriptCore`std::__1::__bind_return<void (JSC::JSRunLoopTimer::Manager::*)(), std::__1::tuple<JSC::JSRunLoopTimer::Manager*>, std::__1::tuple<>, __is_valid_bind_return<void (JSC::JSRunLoopTimer::Manager::*)(), std::__1::tuple<JSC::JSRunLoopTimer::Manager*>, std::__1::tuple<>>::value>::type std::__1::__bind<void (JSC::JSRunLoopTimer::Manager::*&)(), JSC::JSRunLoopTimer::Manager*&>::operator()[abi:v160006]<>(this=0x000000010b547928) at bind.h:295:20
    frame #65: 0x0000000286821b9c JavaScriptCore`WTF::Detail::CallableWrapper<std::__1::__bind<void (JSC::JSRunLoopTimer::Manager::*&)(), JSC::JSRunLoopTimer::Manager*&>, void>::call(this=0x000000010b547920) at Function.h:53:39
    frame #66: 0x000000028682310c JavaScriptCore`WTF::Function<void ()>::operator()(this=0x000000010b547968) const at Function.h:82:35
    frame #67: 0x00000002801cd43c JavaScriptCore`WTF::RunLoop::Timer::fired(this=0x000000010b547950) at RunLoop.h:191:33
    frame #68: 0x000000028025bdd0 JavaScriptCore`WTF::RunLoop::TimerBase::start(WTF::Seconds, bool)::$_1::operator()(this=0x0000000106a4a0a0, cfTimer=0x000000010b86cd40, context=0x000000010b547950) const at RunLoopCF.cpp:133:16
    frame #69: 0x000000028025bb28 JavaScriptCore`WTF::RunLoop::TimerBase::start(WTF::Seconds, bool)::$_1::__invoke(cfTimer=0x000000010b86cd40, context=0x000000010b547950) at RunLoopCF.cpp:126:45
    frame #70: 0x0000000180bc7a20 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 32
    frame #71: 0x0000000180bc76c8 CoreFoundation`__CFRunLoopDoTimer + 972
    frame #72: 0x0000000180bc7200 CoreFoundation`__CFRunLoopDoTimers + 356

Comment 1 Ryosuke Niwa 2024-02-29 17:06:18 PST

<rdar://119952105>

Comment 2 Ryosuke Niwa 2024-02-29 17:11:33 PST

Pull request: https://github.com/WebKit/WebKit/pull/25328

Comment 3 EWS 2024-03-01 15:47:42 PST

Committed 275577@main (afa8e8e258fb): <https://commits.webkit.org/275577@main>

Reviewed commits have been landed. Closing PR #25328 and removing active labels.