WebKit Bugzilla
RESOLVED FIXED
279145
AX: misspelling-range.html is pass crash flaky on iOS simulator.
https://bugs.webkit.org/show_bug.cgi?id=279145
Andres Gonzalez
Reported
2024-09-04 14:12:42 PDT
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 libobjc.A.dylib 0x103089e84 objc_release + 16
1 WebKitTestRunnerInjectedBundle 0x15a2b287c WTF::RetainPtr<objc_object*>::~RetainPtr() + 72 (RetainPtr.h:198)
2 WebKitTestRunnerInjectedBundle 0x15a2aff64 WTF::RetainPtr<objc_object*>::~RetainPtr() + 28 (RetainPtr.h:196)
3 WebKitTestRunnerInjectedBundle 0x15a2b74b8 WTR::AccessibilityTextMarkerRange::~AccessibilityTextMarkerRange() + 48 (AccessibilityTextMarkerRange.cpp:58)
4 WebKitTestRunnerInjectedBundle 0x15a2b74ec WTR::AccessibilityTextMarkerRange::~AccessibilityTextMarkerRange() + 28 (AccessibilityTextMarkerRange.cpp:57)
5 WebKitTestRunnerInjectedBundle 0x15a2b7518 WTR::AccessibilityTextMarkerRange::~AccessibilityTextMarkerRange() + 28 (AccessibilityTextMarkerRange.cpp:57)
6 WebKitTestRunnerInjectedBundle 0x15a2af508 WTF::ThreadSafeRefCounted<WTR::JSWrappable, (WTF::DestructionThread)0>::deref() const + 88 (ThreadSafeRefCounted.h:144)
7 WebKitTestRunnerInjectedBundle 0x15a352e3c WTR::JSWrapper::finalize(OpaqueJSValue*) + 68 (JSWrapper.cpp:77)
8 JavaScriptCore 0x13b6cbbac JSC::JSCallbackObject<JSC::JSNonFinalObject>::~JSCallbackObject() + 304 (JSCallbackObjectFunctions.h:85)
9 JavaScriptCore 0x13b6cba6c JSC::JSCallbackObject<JSC::JSNonFinalObject>::~JSCallbackObject() + 28 (JSCallbackObjectFunctions.h:77)
10 JavaScriptCore 0x13b6c0db8 JSC::JSCallbackObject<JSC::JSNonFinalObject>::destroy(JSC::JSCell*) + 24 (JSCallbackObject.h:151)
11 JavaScriptCore 0x13c551890 JSC::IsoHeapCellType::operator()(JSC::VM&, JSC::JSCell*) const + 40 (IsoHeapCellType.h:62)
12 JavaScriptCore 0x13c5541f8 void JSC::MarkedBlock::Handle::specializedSweep<false, (JSC::MarkedBlock::Handle::EmptyMode)0, (JSC::MarkedBlock::Handle::SweepMode)0, (JSC::MarkedBlock::Handle::SweepDestructionMode)0, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)0, (JSC::MarkedBlock::Handle::MarksMode)0, JSC::IsoHeapCellType>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::IsoHeapCellType const&)::'lambda'(void*)::operator()(void*) const + 76 (MarkedBlockInlines.h:284)
13 JavaScriptCore 0x13c55427c void JSC::MarkedBlock::Handle::specializedSweep<false, (JSC::MarkedBlock::Handle::EmptyMode)0, (JSC::MarkedBlock::Handle::SweepMode)0, (JSC::MarkedBlock::Handle::SweepDestructionMode)0, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)0, (JSC::MarkedBlock::Handle::MarksMode)0, JSC::IsoHeapCellType>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::IsoHeapCellType const&)::'lambda'(unsigned long)::operator()(unsigned long) const + 104 (MarkedBlockInlines.h:363)
14 JavaScriptCore 0x13c54d254 void JSC::MarkedBlock::Handle::specializedSweep<false, (JSC::MarkedBlock::Handle::EmptyMode)0, (JSC::MarkedBlock::Handle::SweepMode)0, (JSC::MarkedBlock::Handle::SweepDestructionMode)0, (JSC::MarkedBlock::Handle::ScribbleMode)0, (JSC::MarkedBlock::Handle::NewlyAllocatedMode)0, (JSC::MarkedBlock::Handle::MarksMode)0, JSC::IsoHeapCellType>(JSC::FreeList*, JSC::MarkedBlock::Handle::EmptyMode, JSC::MarkedBlock::Handle::SweepMode, JSC::MarkedBlock::Handle::SweepDestructionMode, JSC::MarkedBlock::Handle::ScribbleMode, JSC::MarkedBlock::Handle::NewlyAllocatedMode, JSC::MarkedBlock::Handle::MarksMode, JSC::IsoHeapCellType const&) + 1580 (MarkedBlockInlines.h:412)
15 JavaScriptCore 0x13c54068c void JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType<JSC::IsoHeapCellType>(JSC::FreeList*, JSC::IsoHeapCellType const&) + 356 (MarkedBlockInlines.h:512)
16 JavaScriptCore 0x13c54051c JSC::IsoHeapCellType::finishSweep(JSC::MarkedBlock::Handle&, JSC::FreeList*) const + 40 (IsoHeapCellType.cpp:47)
17 JavaScriptCore 0x13c58b5d0 JSC::Subspace::finishSweep(JSC::MarkedBlock::Handle&, JSC::FreeList*) + 52 (Subspace.cpp:61)
18 JavaScriptCore 0x13c560bf0 JSC::MarkedBlock::Handle::sweep(JSC::FreeList*) + 820 (MarkedBlock.cpp:452)
19 JavaScriptCore 0x13c544968 JSC::LocalAllocator::tryAllocateIn(JSC::MarkedBlock::Handle*, unsigned long) + 396 (LocalAllocator.cpp:232)
20 JavaScriptCore 0x13c544554 JSC::LocalAllocator::tryAllocateWithoutCollecting(unsigned long) + 356 (LocalAllocator.cpp:196)
21 JavaScriptCore 0x13c543f54 JSC::LocalAllocator::allocateSlowCase(JSC::Heap&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) + 468 (LocalAllocator.cpp:132)
22 JavaScriptCore 0x13cbbb3f0 JSC::LocalAllocator::allocate(JSC::Heap&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::'lambda'()::operator()() const + 80 (LocalAllocatorInlines.h:41)
23 JavaScriptCore 0x13cbbb308 JSC::HeapCell* JSC::FreeList::allocateWithCellSize<JSC::LocalAllocator::allocate(JSC::Heap&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::'lambda'()>(JSC::LocalAllocator::allocate(JSC::Heap&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode)::'lambda'() const&, unsigned long) + 144 (FreeListInlines.h:44)
24 JavaScriptCore 0x13c2114f4 JSC::LocalAllocator::allocate(JSC::Heap&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) + 148 (LocalAllocatorInlines.h:38)
25 JavaScriptCore 0x13c2147ec JSC::GCClient::IsoSubspace::allocate(JSC::VM&, unsigned long, JSC::GCDeferralContext*, JSC::AllocationFailureMode) + 60 (IsoSubspaceInlines.h:34)
26 JavaScriptCore 0x13b6fcf64 void* JSC::tryAllocateCellHelper<JSC::JSCallbackObject<JSC::JSNonFinalObject>, (JSC::AllocationFailureMode)0>(JSC::VM&, unsigned long, JSC::GCDeferralContext*) + 368 (JSCellInlines.h:191)
27 JavaScriptCore 0x13b6fccd8 void* JSC::allocateCell<JSC::JSCallbackObject<JSC::JSNonFinalObject>>(JSC::VM&, unsigned long) + 36 (JSCellInlines.h:207)
28 JavaScriptCore 0x13b6e604c JSC::JSCallbackObject<JSC::JSNonFinalObject>::create(JSC::JSGlobalObject*, JSC::Structure*, OpaqueJSClass*, void*) + 224 (JSCallbackObject.h:142)
29 JavaScriptCore 0x13b6e8874 JSObjectMake + 256 (JSObjectRef.cpp:92)
30 WebKitTestRunnerInjectedBundle 0x15a352b60 WTR::JSWrapper::wrap(OpaqueJSContext const*, WTR::JSWrappable*) + 292 (JSWrapper.cpp:42)
31 WebKitTestRunnerInjectedBundle 0x15a2ad168 WTR::toJS(OpaqueJSContext const*, WTR::JSWrappable*) + 32 (JSWrapper.h:45)
32 WebKitTestRunnerInjectedBundle 0x15a30bc98 WTR::JSAccessibilityUIElement::startTextMarkerForTextMarkerRange(OpaqueJSContext const*, OpaqueJSValue*, OpaqueJSValue*, unsigned long, OpaqueJSValue const* const*, OpaqueJSValue const**) + 244 (JSAccessibilityUIElement.cpp:1604)
33 JavaScriptCore 0x13b6c90a8 long long JSC::APICallbackFunction::callImpl<JSC::JSCallbackFunction>(JSC::JSGlobalObject*, JSC::CallFrame*) + 420 (APICallbackFunction.h:60)
34 JavaScriptCore 0x13b6c02e4 JSC::callJSCallbackFunction(JSC::JSGlobalObject*, JSC::CallFrame*) + 32 (JSCallbackFunction.cpp:42)
Radar WebKit Bug Importer
Comment 1
2024-09-04 14:12:53 PDT
<rdar://problem/135298645>
Andres Gonzalez
Comment 2
2024-09-04 14:22:09 PDT
Pull request: https://github.com/WebKit/WebKit/pull/33141
EWS
Comment 3
2024-09-05 06:41:50 PDT
Committed 283206@main (1d817283101f): <https://commits.webkit.org/283206@main>

Reviewed commits have been landed. Closing PR #33141 and removing active labels.