[Webkit-unassigned] [Bug 181017] New: ASSERT in MessagePort shutdown code

bugzilla-daemon at webkit.org
Tue Dec 19 20:56:18 PST 2017


            Bug ID: 181017
           Summary: ASSERT in MessagePort shutdown code
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: beidson at apple.com

ASSERT in MessagePort shutdown code

Ran across this while working on MessagePorts for Service Workers.

The following command in a debug build:
run-webkit-tests fast/events/message-port-constructor-for-deleted-document.html fast/events/message-port-context-destroyed.html

Results in the following:

/Users/bradeeoh/git/OpenSource/Source/WebCore/dom/MessagePort.cpp(138) : void WebCore::MessagePort::contextDestroyed()
1   0x112a3d72d WTFCrash
2   0x11b260cf3 WebCore::MessagePort::contextDestroyed()
3   0x11b2d9a3a WebCore::ScriptExecutionContext::~ScriptExecutionContext()
4   0x11b16e1bd WebCore::Document::~Document()
5   0x11b4ac775 WebCore::HTMLDocument::~HTMLDocument()
6   0x11b4ac795 WebCore::HTMLDocument::~HTMLDocument()
7   0x11b4ac879 WebCore::HTMLDocument::~HTMLDocument()
8   0x11b16f570 WebCore::Document::decrementReferencingNodeCount()
9   0x11b16f2c4 WebCore::Document::removedLastRef()
10  0x11b293eb7 WebCore::Node::removedLastRef()
11  0x119496db3 WebCore::Node::deref()
12  0x11b28a1d5 WebCore::Node::derefEventTarget()
13  0x1197b3bc6 WebCore::EventTarget::deref()
14  0x1197b3b9f WTF::Ref<WebCore::EventTarget, WTF::DumbPtrTraits<WebCore::EventTarget> >::~Ref()
15  0x1197a18a5 WTF::Ref<WebCore::EventTarget, WTF::DumbPtrTraits<WebCore::EventTarget> >::~Ref()
16  0x119c52219 WebCore::JSDOMWrapper<WebCore::EventTarget>::~JSDOMWrapper()
17  0x119c521f5 WebCore::JSEventTarget::~JSEventTarget()
18  0x119c49fd5 WebCore::JSEventTarget::~JSEventTarget()
19  0x119c46c1d WebCore::JSEventTarget::destroy(JSC::JSCell*)

So the ScriptExecutionContext is being destroyed but hasn't told its MessagePorts to close.

It normally tells its MessagePorts to close inside stopActiveDOMObjects.

This test is arranged such that stopActiveDOMObjects is called, *then* a MessagePort is added later, and therefore that MessagePort is never told to close.

Of course the real problem is that MessagePorts are added after stopActiveDOMObjects is called - "Active DOM Objects" and similar objects should not be added then.

Indeed if I add an ASSERT inside ScriptExecutionContext::createdMessagePort:

It fires.

So that's the bug.
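
The ordering described in the report, replayed in a small stand-alone model. This is an added example, not WebKit source and not part of the original report. ModelPort, ModelContext, the guardLate switch and the "close on late registration" handling are assumptions made for illustration; only the names createdMessagePort and stopActiveDOMObjects come from the report.

```cpp
#include <cstdio>
#include <vector>

// Simplified model of the lifecycle in the report. Names mirror the report;
// the bodies are assumptions for illustration, not WebKit source.
struct ModelPort { bool closed = false; };

class ModelContext {
public:
    explicit ModelContext(bool guardLate) : m_guardLate(guardLate) {}
    void createdMessagePort(ModelPort& port) {
        if (m_stopped && m_guardLate) {
            // Guarded variant (assumption): already stopped, so close now, do not track.
            port.closed = true;
            return;
        }
        m_ports.push_back(&port);
    }
    // Shutdown path: closes only the ports registered up to this moment.
    void stopActiveDOMObjects() {
        m_stopped = true;
        for (ModelPort* p : m_ports) p->closed = true;
    }
    // Stand-in for the destruction-time check: ports nobody told to close.
    int openPortsAtDestruction() const {
        int open = 0;
        for (const ModelPort* p : m_ports) open += p->closed ? 0 : 1;
        return open;
    }
private:
    bool m_guardLate;
    bool m_stopped = false;
    std::vector<ModelPort*> m_ports;
};

// Replays the ordering from the report: one port before stop, one after.
int replayLateRegistration(bool guardLate) {
    ModelContext ctx(guardLate);
    ModelPort early, late;
    ctx.createdMessagePort(early);
    ctx.stopActiveDOMObjects();
    ctx.createdMessagePort(late);  // registration after stopActiveDOMObjects
    return ctx.openPortsAtDestruction();
}

int main() {
    std::printf("unguarded=%d guarded=%d\n", replayLateRegistration(false), replayLateRegistration(true));
}
```

Without the guard the late port is still open when the context goes away, which is the state the debug assertion catches; with the guard no tracked port is left open.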
