[Webkit-unassigned] [Bug 199319] New: [iOS 13] Frequent crash in RemoteLayerTreeDrawingAreaProxy's destructor from failing main-thread assertion

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Jun 28 07:11:01 PDT 2019 

https://bugs.webkit.org/show_bug.cgi?id=199319

            Bug ID: 199319
           Summary: [iOS 13] Frequent crash in
                    RemoteLayerTreeDrawingAreaProxy's destructor from
                    failing main-thread assertion
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Layout and Rendering
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: ajuma at chromium.org
                CC: bfulgham at webkit.org, simon.fraser at apple.com,
                    zalan at apple.com

On Chrome for iOS, we're seeing a new iOS 13-only crash in the call to CallbackMap::invalidate in RemoteLayerTreeDrawingAreaProxy's destructor.

It looks like the RemoteLayerTreeDrawingAreaProxy is being destroyed on a non-main thread (as a result of LinkPresentation-related calls), so in CallbackMap::invalidate we're crashing on "RELEASE_ASSERT(RunLoop::isMain());".

It's our 3rd most common crash on iOS 13, and the top WebKit-related crash.

We don't have repro steps but 20% of the crash URLs are PDFs (much higher than average).

The full crash stack is:

(WebKit + 0x0001c450)   WTFCrashWithInfo(int, char const*, char const*, int)
(WebKit + 0x0022ca28)   WebKit::CallbackMap::invalidate(WebKit::CallbackBase::Error)
(WebKit + 0x0023f98c)   WebKit::RemoteLayerTreeDrawingAreaProxy::~RemoteLayerTreeDrawingAreaProxy()
(WebKit + 0x0023fa84)   WebKit::RemoteLayerTreeDrawingAreaProxy::~RemoteLayerTreeDrawingAreaProxy()
(WebKit + 0x0024b710)   WebKit::WebPageProxy::resetState(WebKit::WebPageProxy::ResetStateReason)
(WebKit + 0x00248e20)   WebKit::WebPageProxy::close()
(LinkPresentation + 0x00029930) -[LPURLFetcher _completedWithData:MIMEType:error:]
(LinkPresentation + 0x000297fc) -[LPURLFetcher _failedWithErrorCode:underlyingError:]
(LinkPresentation + 0x00029758) -[LPURLFetcher cancel]
(LinkPresentation + 0x0002b434) -[LPFetcherGroup _completed]
(LinkPresentation + 0x0005314c) -[LPMetadataProvider _completedWithError:]
(LinkPresentation + 0x00052fcc) -[LPMetadataProvider _failedWithErrorCode:underlyingError:]
(LinkPresentation + 0x00050ad4) -[LPMetadataProvider _cancelDueToTimeout]
(LinkPresentation + 0x0004ef18) __48-[LPMetadataProvider _willStartFetchingMetadata]_block_invoke
(Foundation + 0x001ce33c)       __70+[_NSActivityAssertion _performExpiringActivityWithReason:usingBlock:]_block_invoke.81
(libdispatch.dylib + 0x0005b674)        _dispatch_call_block_and_release
(libdispatch.dylib + 0x0005c1e8)        _dispatch_client_callout
(libdispatch.dylib + 0x00035ed4)        _dispatch_continuation_pop$VARIANT$armv81
(libdispatch.dylib + 0x00035700)        _dispatch_async_redirect_invoke
(libdispatch.dylib + 0x00042188)        _dispatch_root_queue_drain
(libdispatch.dylib + 0x0004292c)        _dispatch_worker_thread2
(libsystem_pthread.dylib + 0x0000bfc8)  _pthread_wqthread

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20190628/a93a9d61/attachment.html>

More information about the webkit-unassigned mailing list