RESOLVED FIXED
290826
ASSERTION FAILED: Unsafe to ref/deref from different threads : m_isOwnedByMainThread == isMainThread() : under WebCore::JSTrustedTypePolicy::visitAdditionalChildren<JSC::SlotVisitor>
https://bugs.webkit.org/show_bug.cgi?id=290826
Fujii Hironori
Reported
2025-03-31 22:03:49 PDT
trusted-types tests are randomly crashing. Windows Debug
292992@main
Regressions: Unexpected crashes (1)
imported/w3c/web-platform-tests/trusted-types/default-policy-report-only.html [ Crash ]

ASSERTION FAILED: Unsafe to ref/deref from different threads
m_isOwnedByMainThread == isMainThread()
C:\BW\work\build\WebKitBuild\Debug\WTF\Headers\wtf/RefCounted.h(119) : void WTF::RefCountedBase::applyRefDerefThreadingCheck() const
1 00007FFFE74F7498 WTF::RefCountedBase::applyRefDerefThreadingCheck
2 00007FFFE75048A8 WTF::RefCountedBase::ref
3 00007FFFE9CAB70A WTF::DefaultRefDerefTraits<WebCore::CreateScriptURLCallback>::refIfNotNull
4 00007FFFE9CAB6CA WTF::RefPtr<WebCore::CreateScriptURLCallback,WTF::RawPtrTraits<WebCore::CreateScriptURLCallback>,WTF::DefaultRefDerefTraits<WebCore::CreateScriptURLCallback> >::RefPtr
5 00007FFFE9CAAD26 WTF::RefPtr<WebCore::CreateScriptURLCallback,WTF::RawPtrTraits<WebCore::CreateScriptURLCallback>,WTF::DefaultRefDerefTraits<WebCore::CreateScriptURLCallback> >::operator=
6 00007FFFE9CAAEE9 WebCore::JSTrustedTypePolicy::visitAdditionalChildren<JSC::SlotVisitor>
7 00007FFFE8E709A6 WebCore::JSTrustedTypePolicy::visitChildrenImpl<JSC::SlotVisitor>
8 00007FFFE8E5AFED WebCore::JSTrustedTypePolicy::visitChildren
9 00007FFFF4CD346B JSC::MethodTable::visitChildren
10 00007FFFF4CD0AB1 JSC::SlotVisitor::visitChildren
11 00007FFFF4CCF89E JSC::SlotVisitor::drain::<lambda_3>::operator()
12 00007FFFF4CCBD36 JSC::SlotVisitor::forEachMarkStack<`lambda at C:\BW\work\build\Source\JavaScriptCore\heap\SlotVisitor.cpp:500:13'>
13 00007FFFF4CCBCBC JSC::SlotVisitor::drain
14 00007FFFF4CCC902 JSC::SlotVisitor::drainFromShared
15 00007FFFF4C0B026 JSC::Heap::runBeginPhase::<lambda_33>::operator()
16 00007FFFF4C0AF07 WTF::SharedTaskFunctor<void (),`lambda at C:\BW\work\build\Source\JavaScriptCore\heap\Heap.cpp:1481:9'>::run
17 00007FFFF619B668 WTF::ParallelHelperClient::runTask
18 00007FFFF619C610 WTF::ParallelHelperPool::Thread::work
19 00007FFFF612CA8A WTF::AutomaticThread::start::<lambda_0>::operator()
20 00007FFFF612C787 WTF::Detail::CallableWrapper<`lambda at C:\BW\work\build\Source\WTF\wtf\AutomaticThread.cpp:169:9',void>::call
21 00007FFFF46EA85C WTF::Function<void ()>::operator()
22 00007FFFF629FD73 WTF::Thread::entryPoint
23 00007FFFF6378B63 WTF::wtfThreadEntryPoint
24 00007FF854AD1BB2 configthreadlocale
25 00007FF855837374 BaseThreadInitThunk
26 00007FF8571DCC91 RtlUserThreadStart

ERROR: 000001D1694A1730 - [PID=15040] WebProcessProxy::didClose (web process crash) C:\BW\work\build\Source\WebKit\UIProcess/WebProcessProxy.cpp(1273) : virtual void WebKit::WebProcessProxy::didClose(IPC::Connection &)
ERROR: 000001D1694A1730 - [PID=15040] WebProcessProxy::processDidTerminateOrFailedToLaunch: reason=Crash C:\BW\work\build\Source\WebKit\UIProcess/WebProcessProxy.cpp(1288) : void WebKit::WebProcessProxy::processDidTerminateOrFailedToLaunch(ProcessTerminationReason)
ERROR: 000001D16949ABE0 - [pageProxyID=6404, webPageID=6405, PID=15040] WebPageProxy::processDidTerminate: (pid 15040), reason=Crash C:\BW\work\build\Source\WebKit\UIProcess/WebPageProxy.cpp(11039) : void WebKit::WebPageProxy::resetStateAfterProcessTermination(ProcessTerminationReason)
ERROR: 000001D16949ABE0 - [pageProxyID=6404, webPageID=6405, PID=15040] WebPageProxy::dispatchProcessDidTerminate: reason=Crash C:\BW\work\build\Source\WebKit\UIProcess/WebPageProxy.cpp(11098) : void WebKit::WebPageProxy::dispatchProcessDidTerminate(WebProcessProxy &, ProcessTerminationReason)
WebProcess terminated (pid 15040) for reason: crash
Attachments
Patch (2.42 KB, patch), 2025-04-02 12:14 PDT, Ryosuke Niwa, no flags
Fujii Hironori
Comment 1
2025-03-31 22:04:27 PDT
This is reproducible with the following command and Windows Debug builds:
> python ./Tools/Scripts/run-webkit-tests --debug --no-retry imported/w3c/web-platform-tests/trusted-types/ --iter=100 -f
Unexpected flakiness: crashes (2)
imported/w3c/web-platform-tests/trusted-types/TrustedTypePolicyFactory-getAttributeType.html [ Crash Pass ]
imported/w3c/web-platform-tests/trusted-types/default-policy-callback-arguments.html [ Crash Pass ]
Fujii Hironori
Comment 2
2025-04-01 21:38:10 PDT
Hi Luke and Ryosuke, looking through the `WebCore/bindings/js` directory, only `JSTrustedTypePolicy::visitAdditionalChildren` does ref-ing in `visitAdditionalChildren`.
https://github.com/WebKit/WebKit/blob/aa298b6b8f4a74ac6c71d9c46de51c5ee18a1794/Source/WebCore/bindings/js/JSTrustedTypePolicyCustom.cpp#L41-L43
Is this code correct? Or, CreateHTMLCallback has to be a ThreadSafeRefCounted?
Ryosuke Niwa
Comment 3
2025-04-01 22:43:20 PDT
Oh, looks like this code manually grabs a lock and synchronizes with the main thread? So that should be safe in terms of ref() but the code is definitely not thread safe for deref(). It can corrupt refCount.
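Added illustration (not WebKit code and not part of the bug discussion): a small C++ model of the debug-build ownership check behind the "Unsafe to ref/deref from different threads" assertion in the stack trace, next to the ThreadSafeRefCounted alternative comment 2 asks about. The class and function names (OwnedRefCounted, ThreadSafeRefCounted, helperThreadRefIsRejected, stressThreadSafe, owningThreadRefSucceeds) and the way the main thread is identified are this example's own assumptions; it does not model deletion on the last deref, nor the lock comment 3 mentions.

```cpp
// Added example, not WTF/WebKit code. Models the threading check that fires
// when a main-thread-owned RefCounted object is ref()'d from a GC helper
// thread, and the atomic alternative that is safe to use from any thread.
#include <atomic>
#include <cstdio>
#include <thread>
#include <vector>

// Assumption for the example: the thread that first calls this is "main".
// (WTF records the main thread at startup; this is a simplification.)
static std::thread::id mainThreadId() {
    static const std::thread::id id = std::this_thread::get_id();
    return id;
}
static bool isMainThread() { return std::this_thread::get_id() == mainThreadId(); }

// Plain (non-atomic) refcount tied to the thread that created it.
// Where a WTF debug build ASSERTs, this class refuses the operation and
// records the violation, so the non-atomic count is never touched off-thread.
class OwnedRefCounted {
public:
    OwnedRefCounted() : m_isOwnedByMainThread(isMainThread()) {}
    bool ref()   { if (!onOwningThread()) return false; ++m_refCount; return true; }
    bool deref() { if (!onOwningThread()) return false; --m_refCount; return true; }
    unsigned refCount() const { return m_refCount; }
    bool violationSeen() const { return m_violation.load(); }
private:
    bool onOwningThread() {
        if (m_isOwnedByMainThread == isMainThread()) return true;
        m_violation.store(true); // "ASSERTION FAILED" in a WTF debug build
        return false;
    }
    unsigned m_refCount = 1;
    const bool m_isOwnedByMainThread;
    std::atomic<bool> m_violation{false};
};

// Atomic refcount: ref()/deref() may race from any number of threads
// (e.g. parallel GC marking threads) without corrupting the count.
class ThreadSafeRefCounted {
public:
    void ref()   { m_refCount.fetch_add(1, std::memory_order_relaxed); }
    void deref() { m_refCount.fetch_sub(1, std::memory_order_acq_rel); }
    unsigned refCount() const { return m_refCount.load(); }
private:
    std::atomic<unsigned> m_refCount{1};
};

// Same-thread ref()/deref() on the owned object is allowed.
bool owningThreadRefSucceeds() {
    OwnedRefCounted callback;
    return callback.ref() && callback.refCount() == 2
        && callback.deref() && callback.refCount() == 1;
}

// The crash scenario: an object created on the main thread is ref()'d from a
// GC helper thread. Returns true if the check rejected the access and the
// count was left untouched.
bool helperThreadRefIsRejected() {
    OwnedRefCounted callback;           // created on the main thread
    bool accepted = true;
    std::thread gcHelper([&] { accepted = callback.ref(); });
    gcHelper.join();
    return !accepted && callback.violationSeen() && callback.refCount() == 1;
}

// The same access pattern against the atomic count: `threads` helpers each
// take and drop a reference `iterations` times concurrently. Returns the
// final count, which equals the initial 1 when nothing was lost.
unsigned stressThreadSafe(unsigned threads, unsigned iterations) {
    ThreadSafeRefCounted callback;
    std::vector<std::thread> helpers;
    for (unsigned t = 0; t < threads; ++t)
        helpers.emplace_back([&] {
            for (unsigned i = 0; i < iterations; ++i) { callback.ref(); callback.deref(); }
        });
    for (auto& h : helpers) h.join();
    return callback.refCount();
}

int main() {
    std::printf("same-thread ref/deref ok: %s\n", owningThreadRefSucceeds() ? "yes" : "no");
    std::printf("helper-thread ref rejected: %s\n", helperThreadRefIsRejected() ? "yes" : "no");
    std::printf("atomic count after 4x100000 ref/deref: %u\n", stressThreadSafe(4, 100000));
    return 0;
}
```

helperThreadRefIsRejected() reproduces the shape of the stack trace: the object is owned by the main thread and a marking thread takes a RefPtr to it, which the ownership check refuses rather than letting a plain integer be modified from two threads. stressThreadSafe() shows why the alternative raised in comment 2 is safe: with an atomic count the same concurrent ref/deref traffic always ends at the starting value, so the count cannot be corrupted the way comment 3 describes for a non-atomic deref().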
Radar WebKit Bug Importer
Comment 4
2025-04-01 22:43:33 PDT
<rdar://problem/148400517>
Ryosuke Niwa
Comment 5
2025-04-02 12:14:13 PDT
Pull request:
https://github.com/apple/WebKit/pull/2946
Ryosuke Niwa
Comment 6
2025-04-02 12:14:49 PDT
Created attachment 474808 [details]
Patch
Ryosuke Niwa
Comment 7
2025-04-02 17:17:42 PDT
Actually, nobody seems to have shipped trusted types yet so we can fix this in main.
Ryosuke Niwa
Comment 8
2025-04-02 17:20:49 PDT
Pull request:
https://github.com/WebKit/WebKit/pull/43502
EWS
Comment 9
2025-04-02 22:44:36 PDT
Committed 293145@main (59b9ac30c4c6): <https://commits.webkit.org/293145@main>
Reviewed commits have been landed. Closing PR #43502 and removing active labels.
EWS
Comment 10
2025-04-07 09:48:56 PDT
Committed 289651.401@safari-7621-branch (55899a8ab0b3): <https://commits.webkit.org/289651.401@safari-7621-branch>
Reviewed commits have been landed. Closing PR #2960 and removing active labels.