Bug 45575 - REGRESSION: fast/files/workers tests crash
Summary: REGRESSION: fast/files/workers tests crash
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore JavaScript
Version: 528+ (Nightly build)
Hardware: Mac OS X 10.5
Importance: P2 Normal
Assignee: Oliver Hunt
Reported: 2010-09-10 16:33 PDT by Jian Li
Modified: 2013-05-22 15:18 PDT
CC List: 5 users
Description Jian Li 2010-09-10 16:33:03 PDT
The crash is caused by r66850. The crash stack is:

#0  0x00000001018af63c in WTF::StringImpl::isIdentifier (this=0x0) at StringImpl.h:212
#1  0x000000010139ae86 in JSC::Identifier::add (exec=0x11b010040, r=0x0) at Identifier.h:97
#2  0x00000001018bafad in JSC::Identifier::Identifier (this=0x11a6a10e0, exec=0x11b010040, s=@0x11a012ce0) at Identifier.h:41
#3  0x00000001018ae740 in WebCore::CloneDeserializer::deserialize (this=0x11a6a11d0) at /Users/jianli/WebKit/WebCore/bindings/js/SerializedScriptValue.cpp:1227
#4  0x00000001018bd38a in WebCore::CloneDeserializer::deserialize (exec=0x11b010040, globalObject=0x111740080, buffer=@0x105d5e868) at /Users/jianli/WebKit/WebCore/bindings/js/SerializedScriptValue.cpp:761
#5  0x00000001018aea35 in WebCore::SerializedScriptValue::deserialize (this=0x105d5e860, exec=0x11b010040, globalObject=0x111740080) at /Users/jianli/WebKit/WebCore/bindings/js/SerializedScriptValue.cpp:1331
#6  0x00000001014d7dba in WebCore::jsMessageEventData (exec=0x11b010040, slotBase={m_ptr = 0x111744100}) at /Users/jianli/WebKit/WebKitBuild/Debug/DerivedSources/WebCore/JSMessageEvent.cpp:178
#7  0x00000001001285dc in JSC::PropertySlot::getValue (this=0x11a6a1440, exec=0x11b010040, propertyName=@0x11a015cd0) at PropertySlot.h:78
#8  0x00000001001328bc in JSC::JSValue::get (this=0x11a6a14b0, exec=0x11b010040, propertyName=@0x11a015cd0, slot=@0x11a6a1440) at JSObject.h:659
#9  0x00000001001d49e4 in cti_op_get_by_id (args=0x11a6a14f0) at /Users/jianli/WebKit/JavaScriptCore/jit/JITStubs.cpp:1597
Could not find the frame base for "WTF::doubleHash(unsigned int)".
#10 0x00000001001ca7d9 in WTF::doubleHash (key=) at HashTable.h:447
#11 0x00000001001aa43c in JSC::JITCode::execute (this=0x11a0117b8, registerFile=0x11a002008, callFrame=0x11b010040, globalData=0x11a800400, exception=0x11a801d48) at JITCode.h:77
#12 0x00000001001a5d0a in JSC::Interpreter::executeCall (this=0x11a001ff0, callFrame=0x11a002f38, function=0x111744040, callType=JSC::CallTypeJS, callData=@0x11a6a18d0, thisValue={m_ptr = 0x111740080}, args=@0x11a6a1880, exception=0x11a801d48) at /Users/jianli/WebKit/JavaScriptCore/interpreter/Interpreter.cpp:780
#13 0x000000010015ddf7 in JSC::call (exec=0x11a002f38, functionObject={m_ptr = 0x111744040}, callType=JSC::CallTypeJS, callData=@0x11a6a18d0, thisValue={m_ptr = 0x111740080}, args=@0x11a6a1880) at /Users/jianli/WebKit/JavaScriptCore/runtime/CallData.cpp:38
#14 0x000000010144b0c0 in WebCore::JSEventListener::handleEvent (this=0x11a0157c0, scriptExecutionContext=0x11a000920, event=0x11a012a70) at /Users/jianli/WebKit/WebCore/bindings/js/JSEventListener.cpp:124
#15 0x000000010118321c in WebCore::EventTarget::fireEventListeners (this=0x11a000ad0, event=0x11a012a70, d=0x11a000b40, entry=@0x11a0121c0) at /Users/jianli/WebKit/WebCore/dom/EventTarget.cpp:339
#16 0x000000010118383d in WebCore::EventTarget::fireEventListeners (this=0x11a000ad0, event=0x11a012a70) at /Users/jianli/WebKit/WebCore/dom/EventTarget.cpp:300
#17 0x00000001011839c1 in WebCore::EventTarget::dispatchEvent (this=0x11a000ad0, event=@0x11a6a1bd0) at /Users/jianli/WebKit/WebCore/dom/EventTarget.cpp:286
#18 0x0000000101a51639 in WebCore::MessageWorkerContextTask::performTask (this=0x105d5e880, scriptContext=0x11a000920) at /Users/jianli/WebKit/WebCore/workers/WorkerMessagingProxy.cpp:67
#19 0x0000000101a51d50 in WebCore::WorkerRunLoop::Task::performTask (this=0x105d27890, context=0x11a000920) at /Users/jianli/WebKit/WebCore/workers/WorkerRunLoop.cpp:198
#20 0x0000000101a5202f in WebCore::WorkerRunLoop::runInMode (this=0x105d284f8, context=0x11a000920, predicate=@0x11a6a1d60) at /Users/jianli/WebKit/WebCore/workers/WorkerRunLoop.cpp:162
#21 0x0000000101a5211d in WebCore::WorkerRunLoop::run (this=0x105d284f8, context=0x11a000920) at /Users/jianli/WebKit/WebCore/workers/WorkerRunLoop.cpp:133
#22 0x0000000101a55ea6 in WebCore::WorkerThread::runEventLoop (this=0x105d284e0) at /Users/jianli/WebKit/WebCore/workers/WorkerThread.cpp:162
#23 0x0000000101021770 in WebCore::DedicatedWorkerThread::runEventLoop (this=0x105d284e0) at /Users/jianli/WebKit/WebCore/workers/DedicatedWorkerThread.cpp:66
#24 0x0000000101a56664 in WebCore::WorkerThread::workerThread (this=0x105d284e0) at /Users/jianli/WebKit/WebCore/workers/WorkerThread.cpp:140
#25 0x0000000101a5671b in WebCore::WorkerThread::workerThreadStart (thread=0x105d284e0) at /Users/jianli/WebKit/WebCore/workers/WorkerThread.cpp:117
#26 0x00000001002b3c29 in WTF::threadEntryPoint (contextData=0x105d279e0) at /Users/jianli/WebKit/JavaScriptCore/wtf/Threading.cpp:65
#27 0x00007fff88c128b6 in _pthread_start ()
#28 0x00007fff88c12769 in thread_start ()

It seems that the serialization of File/Blob objects is not thread safe in the rewriting of SerializedScriptValue. This happens when we post a File/Blob object from the main thread to the worker thread.
Comment 1 Alexey Proskuryakov 2010-09-13 14:22:15 PDT
Please CC the author and reviewer of the original patch that caused the regression, when it's known.
Comment 2 Jian Li 2011-03-09 17:35:56 PST
Oliver and Sam have already been cc-ed.
Comment 3 Mark Rowe (bdash) 2012-02-14 15:15:19 PST
Which revision introduced this regression?
Comment 4 Jian Li 2012-02-14 15:18:00 PST
(In reply to comment #3)
> Which revision introduced this regression?

http://trac.webkit.org/changeset/66850
Comment 5 Ryosuke Niwa 2013-05-22 15:17:03 PDT
Doesn't hit an assertion or crash anymore.
Comment 6 Ryosuke Niwa 2013-05-22 15:18:09 PDT
Committed r150546: <http://trac.webkit.org/changeset/150546>