[Webkit-unassigned] [Bug 230662] New: REGRESSION (r282865?): ASSERTION FAILED: Unsafe to ref/deref from different threads m_isOwnedByMainThread == isMainThread() (230644)

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Sep 22 20:06:14 PDT 2021


https://bugs.webkit.org/show_bug.cgi?id=230662

            Bug ID: 230662
           Summary: REGRESSION (r282865?): ASSERTION FAILED: Unsafe to
                    ref/deref from different threads m_isOwnedByMainThread
                    == isMainThread() (230644)
           Product: WebKit
           Version: Other
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Keywords: InRadar
          Severity: Normal
          Priority: P2
         Component: Media
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: jean-yves.avenard at apple.com

Seen in WK1 tests:
2021-09-22 12:21:01.415 DumpRenderTree[58389:29549883] *** WARNING: Method convertPointToBase: in class NSView is deprecated on 10.7 and later. It should not be used in new applications. 
ASSERTION FAILED: Unsafe to ref/deref from different threads
m_isOwnedByMainThread == isMainThread()
/Volumes/Data/worker/bigsur-debug/build/WebKitBuild/Debug/usr/local/include/wtf/RefCounted.h(114) : void WTF::RefCountedBase::applyRefDerefThreadingCheck() const
1   0x107107539 WTFCrash
2   0x12849df91 WTF::RefCountedBase::applyRefDerefThreadingCheck() const
3   0x12849dd6c WTF::RefCountedBase::derefBase() const
4   0x12850920f WTF::RefCounted<WebCore::SharedBuffer, std::__1::default_delete<WebCore::SharedBuffer> >::deref() const
5   0x1285091dc WTF::Ref<WebCore::SharedBuffer, WTF::RawPtrTraits<WebCore::SharedBuffer> >::~Ref()
6   0x1284fe755 WTF::Ref<WebCore::SharedBuffer, WTF::RawPtrTraits<WebCore::SharedBuffer> >::~Ref()
7   0x1289ba0ea WebCore::SourceBufferParserAVFObjC::appendData(WebCore::SourceBufferParser::Segment&&, WTF::CompletionHandler<void ()>&&, WebCore::SourceBufferParser::AppendFlags)
8   0x1289cbf7c WebCore::SourceBufferPrivateAVFObjC::append(WTF::Ref<WebCore::SharedBuffer, WTF::RawPtrTraits<WebCore::SharedBuffer> >&&)::$_13::operator()()
9   0x1289cbeac invocation function for block in WebCore::SourceBufferPrivateAVFObjC::append(WTF::Ref<WebCore::SharedBuffer, WTF::RawPtrTraits<WebCore::SharedBuffer> >&&)
10  0x7fff2020d623 _dispatch_call_block_and_release
11  0x7fff2020e806 _dispatch_client_callout
12  0x7fff202111b0 _dispatch_continuation_pop
13  0x7fff20210887 _dispatch_async_redirect_invoke
14  0x7fff2021d818 _dispatch_root_queue_drain
15  0x7fff2021df70 _dispatch_worker_thread2
16  0x7fff203b5417 _pthread_wqthread
17  0x7fff203b442f start_wqthread

The issue at hand is that the call to dispatch_async takes an Objective-C block, which doesn't move the rvalue but instead copies it.
So we end up with all the captured objects being copied, which increases the refcount of the SharedBuffer.

Due to a race, the task can be run (and destructed) on the source buffer parser thread before the dispatch_async returns, which triggers the assertion.

The quick fix is to make SharedBuffer have a thread-safe refcount; the long-term fix would be to have SourceBufferPrivateAVFObjC use a WorkQueue instead, but due to how it would be used with the SourceBufferPrivate, it needs an extra method (such as WaitUntilIdle()).

-- 
You are receiving this mail because:
You are the assignee for the bug.
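
The copy-versus-move behaviour described in the report, as an added C++ example that is not part of the original message and not WebKit code. `Buffer`, `Handle`, `runAndDestroyOnWorker` and `flaggedDerefs` are hypothetical names, the thread check is a simplified model of the one named in the assertion (treating a sole reference as a hand-off is an assumption), and the interleaving is fixed with `join()` so the result is deterministic.

```cpp
// Added illustration, not WebKit code: Buffer, Handle and the functions below are hypothetical.
#include <atomic>
#include <thread>
#include <utility>

std::atomic<int> g_flagged{0};                 // bumped where a debug build would assert

class Buffer {                                 // stand-in for a non-thread-safe refcounted object
public:
    void ref() const { check(); ++m_count; }
    void deref() const { check(); if (!--m_count) delete this; }
private:
    void check() const {
        auto self = std::this_thread::get_id();
        if (m_count == 1) m_owner = self;      // sole reference: treat as a hand-off (assumption)
        else if (m_owner != self) ++g_flagged; // shared object touched from a second thread
    }
    mutable unsigned m_count = 1;              // plain counter, no atomics
    mutable std::thread::id m_owner = std::this_thread::get_id();
};

class Handle {                                 // minimal owning reference
public:
    explicit Handle(Buffer* b) : m_ptr(b) {}   // adopts the initial reference
    Handle(const Handle& o) : m_ptr(o.m_ptr) { if (m_ptr) m_ptr->ref(); }
    Handle(Handle&& o) noexcept : m_ptr(std::exchange(o.m_ptr, nullptr)) {}
    ~Handle() { if (m_ptr) m_ptr->deref(); }
private:
    Buffer* m_ptr;
};

// Runs the task on another thread and destroys it there, as a queue does with its work item.
template <typename F> void runAndDestroyOnWorker(F task) {
    F* queued = new F(std::move(task));
    std::thread([queued] { (*queued)(); delete queued; }).join();
}

// One append-style dispatch; returns how many ref/deref calls the check flagged.
int flaggedDerefs(bool queueCopiesCapture) {
    g_flagged = 0;
    Handle data(new Buffer);
    auto task = [buffer = std::move(data)] { (void)buffer; };
    if (queueCopiesCapture)
        runAndDestroyOnWorker(task);            // capture copied: caller and worker both hold a ref
    else
        runAndDestroyOnWorker(std::move(task)); // capture moved: the only ref travels to the worker
    return g_flagged;
}

int main() { return flaggedDerefs(true) == 1 && flaggedDerefs(false) == 0 ? 0 : 1; }
```

With the capture copied, the worker drops its reference while the caller still holds one, which is the condition the assertion reports; with the capture moved, the single reference changes threads and nothing is flagged.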