[Webkit-unassigned] [Bug 210731] REGRESSION (r260345): 2 IndexedDB tests are crashing in JSC::reportZappedCellAndCrash

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sun Apr 19 22:26:45 PDT 2020


https://bugs.webkit.org/show_bug.cgi?id=210731

--- Comment #3 from Yusuke Suzuki <ysuzuki at apple.com> ---
This test was previously skipped because it includes BigInt syntax. The test immediately threw a SyntaxError, so nothing in it was executed before.

Now that JSC supports BigInt syntax, this test is executed, and a crash happens when deserializing DOMMatrixReadOnly.

This is because DOMMatrixReadOnly requires a JSGlobalObject with DOM implementations, since DOMMatrixReadOnly is a WebCore object, not a JSC object.

However, IDBSerializationContext.cpp is using a plain JSGlobalObject. This is wrong, since it is a JSC JSGlobalObject and does not include the DOMMatrix implementations.

    ASSERT(!m_globalObject);
    m_vm = JSC::VM::create();

    JSC::JSLockHolder locker(m_vm.get());
    // Plain JSC::JSGlobalObject, not a WebCore JSDOMGlobalObject carrying the DOM bindings.
    m_globalObject.set(*m_vm, JSC::JSGlobalObject::create(*m_vm, JSC::JSGlobalObject::createStructure(*m_vm, JSC::jsNull())));
}

in `IDBSerializationContext.cpp`.

The stderr message "Unexpected global object: Object: 0x124376268 with butterfly 0x1818550448 (Structure 0x1331397a0:[0xd8f4, GlobalObject, {Object:100, Function:101, Array:102, RegExp:103, String:104, Promise:105, BigInt:106, Intl:107, $vm:108, WebAssembly:109}, NonArray, Proto:0x117642b68, Dictionary, Leaf]), StructureID: 55540" is emitted from WebCore::JSDOMGlobalObject::scriptExecutionContext, because this is not a DOM JSGlobalObject.

    frame #0: 0x0000000103650633 WebCore`WTFCrashWithInfo((null)=178, (null)="./bindings/js/JSDOMGlobalObject.cpp", (null)="WebCore::ScriptExecutionContext *WebCore::JSDOMGlobalObject::scriptExecutionContext() const", (null)=222) at Assertions.h:671:5 [opt]
  * frame #1: 0x00000001042f3496 WebCore`WebCore::JSDOMGlobalObject::scriptExecutionContext(this=<unavailable>) const at JSDOMGlobalObject.cpp:178:5 [opt]
    frame #2: 0x00000001038a20f7 WebCore`WebCore::JSDOMMatrixReadOnlyPrototype::finishCreation(this=0x00000001331580d0, vm=0x000000012448e000) at JSDOMMatrixReadOnly.cpp:250:54 [opt]
    frame #3: 0x00000001038a2515 WebCore`WebCore::JSDOMMatrixReadOnly::createPrototype(JSC::VM&, WebCore::JSDOMGlobalObject&) [inlined] WebCore::JSDOMMatrixReadOnlyPrototype::create(vm=0x000000012448e000, globalObject=<unavailable>, structure=0x0000000133139880) at JSDOMMatrixReadOnly.cpp:122:14 [opt]
    frame #4: 0x00000001038a247c WebCore`WebCore::JSDOMMatrixReadOnly::createPrototype(vm=0x000000012448e000, globalObject=<unavailable>) at JSDOMMatrixReadOnly.cpp:279 [opt]
    frame #5: 0x0000000103899414 WebCore`WebCore::JSDOMMatrix::createPrototype(JSC::VM&, WebCore::JSDOMGlobalObject&) [inlined] JSC::Structure* WebCore::getDOMStructure<WebCore::JSDOMMatrixReadOnly>(vm=<unavailable>, globalObject=0x0000000124376268) at JSDOMWrapperCache.h:85:93 [opt]
    frame #6: 0x00000001038993f5 WebCore`WebCore::JSDOMMatrix::createPrototype(JSC::VM&, WebCore::JSDOMGlobalObject&) [inlined] JSC::JSObject* WebCore::getDOMPrototype<WebCore::JSDOMMatrixReadOnly>(vm=<unavailable>, globalObject=0x0000000124376268) at JSDOMWrapperCache.h:96 [opt]
    frame #7: 0x00000001038993f5 WebCore`WebCore::JSDOMMatrix::createPrototype(JSC::VM&, WebCore::JSDOMGlobalObject&) [inlined] WebCore::JSDOMMatrixReadOnly::prototype(vm=<unavailable>, globalObject=0x0000000124376268) at JSDOMMatrixReadOnly.cpp:284 [opt]
    frame #8: 0x00000001038993f5 WebCore`WebCore::JSDOMMatrix::createPrototype(vm=0x000000012448e000, globalObject=0x0000000124376268) at JSDOMMatrix.cpp:280 [opt]
    frame #9: 0x000000010389eab1 WebCore`std::__1::enable_if<std::is_same<WebCore::DOMMatrix, WebCore::DOMMatrix>::value, WebCore::JSDOMWrapperConverterTraits<WebCore::DOMMatrix>::WrapperClass*>::type WebCore::createWrapper<WebCore::DOMMatrix, WebCore::DOMMatrix>(WebCore::JSDOMGlobalObject*, WTF::Ref<WebCore::DOMMatrix, WTF::DumbPtrTraits<WebCore::DOMMatrix> >&&) [inlined] JSC::Structure* WebCore::getDOMStructure<WebCore::JSDOMMatrix>(vm=0x000000012448e000, globalObject=0x0000000124376268) at JSDOMWrapperCache.h:85:93 [opt]
    frame #10: 0x000000010389ea92 WebCore`std::__1::enable_if<std::is_same<WebCore::DOMMatrix, WebCore::DOMMatrix>::value, WebCore::JSDOMWrapperConverterTraits<WebCore::DOMMatrix>::WrapperClass*>::type WebCore::createWrapper<WebCore::DOMMatrix, WebCore::DOMMatrix>(globalObject=0x0000000124376268, domObject=0x00007000025653f0) at JSDOMWrapperCache.h:187 [opt]
    frame #11: 0x000000010434aa6d WebCore`JSC::JSValue WebCore::CloneDeserializer::readDOMMatrix<WebCore::DOMMatrix>(this=<unavailable>) at SerializedScriptValue.cpp:0 [opt]
    frame #12: 0x0000000104338a56 WebCore`WebCore::CloneDeserializer::deserialize(this=0x00007000025657d8) at SerializedScriptValue.cpp:3569:36 [opt]
    frame #13: 0x000000010433d79c WebCore`WebCore::CloneDeserializer::deserialize(lexicalGlobalObject=<unavailable>, globalObject=<unavailable>, messagePorts=<unavailable>, imageBuffers=<unavailable>, arrayBufferContentsArray=<unavailable>, buffer={ size = 54, capacity = 61 }, blobURLs={ size = 0, capacity = 0 }, blobFilePaths={ size = 0, capacity = 0 }, sharedBuffers={ size = 0, capacity = 0 }, wasmModules={ size = 0, capacity = 0 }) at SerializedScriptValue.cpp:1944:29 [opt]
    frame #14: 0x000000010433d4ef WebCore`WebCore::SerializedScriptValue::deserialize(this=0x0000000132c923c0, lexicalGlobalObject=<unavailable>, globalObject=<unavailable>, messagePorts={ size = 0, capacity = 0 }, blobURLs={ size = 0, capacity = 0 }, blobFilePaths=<unavailable>, throwExceptions=NonThrowing) at SerializedScriptValue.cpp:3905:36 [opt]
    frame #15: 0x00000001042f031c WebCore`WebCore::deserializeIDBValueToJSValue(lexicalGlobalObject=0x0000000124376268, globalObject=0x0000000124376268, value=<unavailable>) at IDBBindingUtilities.cpp:391:39 [opt]
    frame #16: 0x0000000104040714 WebCore`WebCore::IDBServer::SQLiteIDBBackingStore::updateAllIndexesForAddRecord(this=0x000000013331f6c0, info=0x0000000132f3d060, key=0x0000700002565d58, value=<unavailable>, recordID=1) at SQLiteIDBBackingStore.cpp:1855:20 [opt]
    frame #17: 0x0000000104040d3e WebCore`WebCore::IDBServer::SQLiteIDBBackingStore::addRecord(this=0x000000013331f6c0, transactionIdentifier=<unavailable>, objectStoreInfo=0x0000000132f3d060, keyData=<unavailable>, value=0x000000013323ce58) at SQLiteIDBBackingStore.cpp:1929:18 [opt]
    frame #18: 0x000000010404fb9d WebCore`WebCore::IDBServer::UniqueIDBDatabase::putOrAdd(this=<unavailable>, requestData=<unavailable>, keyData=0x000000013323ce30, value=0x000000013323ce58, overwriteMode=Overwrite, callback=WebCore::IDBServer::KeyDataCallback @ 0x0000700002565e58)>) at UniqueIDBDatabase.cpp:763:29 [opt]
    frame #19: 0x000000010405429d WebCore`WebCore::IDBServer::UniqueIDBDatabaseTransaction::putOrAdd(this=<unavailable>, requestData=0x000000013323cda8, keyData=0x000000013323ce30, value=<unavailable>, overwriteMode=<unavailable>) at UniqueIDBDatabaseTransaction.cpp:263:15 [opt]
    frame #20: 0x0000000103ff6dff WebCore`WebCore::IDBServer::IDBServer::putOrAdd(this=<unavailable>, requestData=0x000000013323cda8, keyData=0x000000013323ce30, value=0x000000013323ce58, overwriteMode=Overwrite) at IDBServer.cpp:313:18 [opt]
    frame #21: 0x0000000108866696 WebKitLegacy`WTF::Detail::CallableWrapper<InProcessIDBServer::putOrAdd(WebCore::IDBRequestData const&, WebCore::IDBKeyData const&, WebCore::IDBValue const&, WebCore::IndexedDB::ObjectStoreOverwriteMode)::$_33, void>::call() [inlined] InProcessIDBServer::putOrAdd(this=0x000000013323cd98)::$_33::operator()() const at InProcessIDBServer.cpp:351:19 [opt]
    frame #22: 0x0000000108866661 WebKitLegacy`WTF::Detail::CallableWrapper<InProcessIDBServer::putOrAdd(WebCore::IDBRequestData const&, WebCore::IDBKeyData const&, WebCore::IDBValue const&, WebCore::IndexedDB::ObjectStoreOverwriteMode)::$_33, void>::call(this=0x000000013323cd90) at Function.h:52 [opt]
    frame #23: 0x000000010888686d WebKitLegacy`WebCore::StorageThread::threadEntryPoint() [inlined] WTF::Function<void ()>::operator(this=<unavailable>)() const at Function.h:84:35 [opt]
    frame #24: 0x0000000108886864 WebKitLegacy`WebCore::StorageThread::threadEntryPoint(this=<unavailable>) at StorageThread.cpp:78 [opt]
    frame #25: 0x000000010047219c JavaScriptCore`WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) [inlined] WTF::Function<void ()>::operator(this=<unavailable>)() const at Function.h:84:35 [opt]
    frame #26: 0x0000000100472193 JavaScriptCore`WTF::Thread::entryPoint(newThreadContext=0x00000001328d19c0) at Threading.cpp:168 [opt]
    frame #27: 0x00000001004746c9 JavaScriptCore`WTF::wtfThreadEntryPoint(context=<unavailable>) at ThreadingPOSIX.cpp:200:5 [opt]
    frame #28: 0x00007fff711a7a10 libsystem_pthread.dylib`_pthread_start + 224
    frame #29: 0x00007fff711a353f libsystem_pthread.dylib`thread_start + 15

-- 
You are receiving this mail because:
You are the assignee for the bug.
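A reduced C++ model of the failure the comment above describes, added here as an illustration and not WebKit code: the two global-object classes, the tag values and the record layout are constructed stand-ins, not the real SerializedScriptValue format. It shows the missing precondition in one place: a record whose wrapper needs DOM bindings is refused when the deserializer is handed a JSC-only global, instead of the DOM binding code asserting (or, in a non-assert build, operating on an object of the wrong type).

```cpp
// Added model, not WebKit code. A deserializer reads tagged records; the constructed
// DOMMatrix2DTag needs a global object with DOM bindings. The real path asserted inside
// scriptExecutionContext() on a plain global; here the deserializer checks first.
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

struct JSGlobalObject {                          // stands in for JSC::JSGlobalObject
    virtual ~JSGlobalObject() = default;
    virtual bool hasDOMBindings() const { return false; }
};
struct JSDOMGlobalObject : JSGlobalObject {      // stands in for WebCore::JSDOMGlobalObject
    bool hasDOMBindings() const override { return true; }
};
enum Tag : uint8_t { NumberTag = 0x01, DOMMatrix2DTag = 0x20 }; // constructed tag values
struct Result { bool ok; std::string value; std::string error; };

Result deserialize(const std::vector<uint8_t>& buf, const JSGlobalObject& global) {
    if (buf.empty()) return {false, "", "empty buffer"};
    switch (buf[0]) {
    case NumberTag: {                            // tag + 4 big-endian bytes
        if (buf.size() != 5) return {false, "", "bad number length"};
        uint32_t n = 0;
        for (size_t i = 1; i < 5; ++i) n = (n << 8) | buf[i];
        return {true, std::to_string(n), ""};
    }
    case DOMMatrix2DTag: {                       // tag + 6 doubles in native byte order
        // The check the plain-global path lacked: a DOM wrapper cannot be created on a
        // JSC-only global, so refuse the record instead of reaching into DOM code.
        if (!global.hasDOMBindings()) return {false, "", "DOMMatrix needs a DOM global object"};
        if (buf.size() != 1 + 6 * sizeof(double)) return {false, "", "bad matrix length"};
        std::string out = "matrix(";
        for (int i = 0; i < 6; ++i) {
            double d; std::memcpy(&d, &buf[1 + i * sizeof(double)], sizeof d);
            out += std::to_string(static_cast<long>(d)) + (i < 5 ? "," : ")");
        }
        return {true, out, ""};
    }
    default: return {false, "", "unknown tag"};
    }
}

// Constructed sample record: the 2D identity matrix a=1, b=0, c=0, d=1, e=0, f=0.
std::vector<uint8_t> identityMatrixRecord() {
    std::vector<uint8_t> buf{DOMMatrix2DTag};
    const double m[6] = {1.0, 0.0, 0.0, 1.0, 0.0, 0.0};
    for (double d : m) {
        uint8_t bytes[sizeof d]; std::memcpy(bytes, &d, sizeof d);
        buf.insert(buf.end(), bytes, bytes + sizeof d);
    }
    return buf;
}
```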