Bug 248496

Summary: [ New Test ] (256342@main): [ macOS Debug ] fast/events/message-port-gc-after-removing-event-listener.html is a flaky crash
Product: WebKit Reporter: Karl Rackler <rackler>
Component: New BugsAssignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED    
Severity: Normal CC: cdumez, webkit-bot-watchers-bugzilla, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=193184

Description Karl Rackler 2022-11-29 14:27:42 PST 
Description:
fast/events/message-port-gc-after-removing-event-listener.html

The test was added at 256342@main and was a flaky crash since then.  The history shows this affecting macOS Debug.

This issue can be bisected to 256342@main using the command: 
run-webkit-tests --debug --iterations 4000 --exit-after-n-failures 1 --exit-after-n-crashes-or-timeouts 1 --debug-rwt-logging --no-retry --force --no-build -f fast/events/message-port-gc-after-removing-event-listener.html 

Result: 
Unexpected flakiness: crashes (1)
  fast/events/message-port-gc-after-removing-event-listener.html [ Pass Crash ]

History:
https://results.webkit.org/?suite=layout-tests&test=fast%2Fevents%2Fmessage-port-gc-after-removing-event-listener.html&style=debug&platform=mac

Crash Log:
No crash log found for com.apple.WebKit.WebContent.Development:79000.

stdout:

stderr:
com.apple.WebKit.WebContent.Development terminated (pid 79000) for reason: crash
LEAK: 1 WebPageProxy
Comment 1 Radar WebKit Bug Importer 2022-11-29 14:28:07 PST 
<rdar://problem/102784521>
Comment 2 Chris Dumez 2022-11-29 14:38:52 PST 
I managed to get this crash trace from one of the bots:

Crashed Thread:        12  WebCore: Worker

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000005
Exception Codes:       0x0000000000000001, 0x0000000000000005

Termination Reason:    Namespace SIGNAL, Code 11 Segmentation fault: 11
Terminating Process:   exc handler [41345]

VM Region Info: 0x5 is not in any region.  Bytes before following region: 4377247739
      REGION TYPE                    START - END         [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
      UNUSED SPACE AT START
--->  
      __TEXT                      104e78000-104e7c000    [   16K] r-x/r-x SM=COW  ...t.Development

Thread 12 Crashed:: Dispatch queue: 
0  com.apple.WebCore       	       0x108ca1d64 JSC::JSCell::isObject() const
1  com.apple.WebCore       	       0x108cb4c08 JSC::JSValue::isObject() const
2  com.apple.WebCore       	       0x108cb4c08 JSC::JSValue::isObject() const
3  com.apple.WebCore       	       0x10b177420 WebCore::isWorldCompatible(JSC::JSGlobalObject&, JSC::JSValue)
4  com.apple.WebCore       	       0x10b177338 WebCore::cloneAcrossWorlds(JSC::JSGlobalObject&, WebCore::JSDOMObject const&, JSC::JSValue)
5  com.apple.WebCore       	       0x10b1605f0 WebCore::cachedPropertyValue(JSC::JSGlobalObject&, WebCore::JSDOMObject const&, WebCore::JSValueInWrappedObject&, WTF::Function<JSC::JSValue ()> const&)
6  com.apple.WebCore       	       0x10b207e2c WebCore::JSMessageEvent::ports(JSC::JSGlobalObject&) const
7  com.apple.WebCore       	       0x10948e9b8 WebCore::jsMessageEvent_portsGetter(JSC::JSGlobalObject&, WebCore::JSMessageEvent&)
8  com.apple.WebCore       	       0x1093cbf0c long long WebCore::IDLAttribute<WebCore::JSMessageEvent>::get<&(WebCore::jsMessageEvent_portsGetter(JSC::JSGlobalObject&, WebCore::JSMessageEvent&)), (WebCore::CastedThisErrorBehavior)3>(JSC::JSGlobalObject&, long long, JSC::PropertyName)
9  com.apple.WebCore       	       0x1093cbde8 WebCore::jsMessageEvent_ports(JSC::JSGlobalObject*, long long, JSC::PropertyName)
10  com.apple.JavaScriptCore	       0x147530c9c WTF::FunctionPtr<(WTF::PtrTag)57072, long long (JSC::JSGlobalObject*, long long, JSC::PropertyName), (WTF::FunctionAttributes)1>::operator()(JSC::JSGlobalObject*, long long, JSC::PropertyName) const
11  com.apple.JavaScriptCore	       0x147794a0c JSC::PropertySlot::customGetter(JSC::VM&, JSC::PropertyName) const
12  com.apple.JavaScriptCore	       0x145f6716c JSC::PropertySlot::getValue(JSC::JSGlobalObject*, JSC::PropertyName) const
13  com.apple.JavaScriptCore	       0x14602c6e0 JSC::JSValue::get(JSC::JSGlobalObject*, JSC::PropertyName, JSC::PropertySlot&) const
14  com.apple.JavaScriptCore	       0x147115f40 JSC::LLInt::performLLIntGetByID(JSC::BytecodeIndex, JSC::CodeBlock*, JSC::JSGlobalObject*, JSC::JSValue, JSC::Identifier const&, JSC::GetByIdModeMetadata&)
15  com.apple.JavaScriptCore	       0x147115ca8 llint_slow_path_get_by_id
Comment 3 Chris Dumez 2022-11-29 14:56:29 PST 
I don't think this is a regression from my change. I believe the new test exposed a pre-existing issue. In particular, I believe that the worker is being terminated while MessageEvent.ports is getting called and we don't properly deal with this.
Comment 4 Alexey Proskuryakov 2022-11-29 15:27:09 PST 
Is there a way to adjust the test so that it doesn't run into this? We do need a working test for the original fix.
Comment 5 Chris Dumez 2022-11-29 15:27:38 PST 
(In reply to Alexey Proskuryakov from comment #4)
> Is there a way to adjust the test so that it doesn't run into this? We do
> need a working test for the original fix.

I will upload a fix shortly.
Comment 6 Chris Dumez 2022-11-29 15:33:43 PST 
Pull request: https://github.com/WebKit/WebKit/pull/6947
Comment 7 EWS 2022-11-30 08:00:24 PST 
Committed 257180@main (c9f7f8272c10): <https://commits.webkit.org/257180@main>

Reviewed commits have been landed. Closing PR #6947 and removing active labels.