[Webkit-unassigned] [Bug 272170] New: [iOS 17.5 beta] Crash in WebKit::ExtensionCapabilityGrant::operator=

Thu Apr 4 10:59:49 PDT 2024

https://bugs.webkit.org/show_bug.cgi?id=272170

            Bug ID: 272170
           Summary: [iOS 17.5 beta] Crash in
                    WebKit::ExtensionCapabilityGrant::operator=
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: ajuma at chromium.org
                CC: achristensen at apple.com, aestes at apple.com,
                    pvollan at apple.com

Chrome for iOS is getting reports of a new crash in iOS 17.5 beta, in WebKit::ExtensionCapabilityGrant::operator=. We don't have steps to reproduce, but the crash happens after the following exception:

[Exception] BUG IN CLIENT OF RUNNINGBOARD: Dealloc called before invalidate for assertion <RBSAssertion:0x#| state:RBSAssertionStateValid descriptor:<<RBSAssertionDescriptor| "Browser Engine helper assertion targeting pid #" ID:#-#-# target:#<#-9-com.google.chrome.ios>>>

The stack is:
0x0000000187292014      (libobjc.A.dylib + 0x00016014)          objc_exception_throw
0x000000018e8f7864      (Foundation + 0x006de864)               -[NSAssertionHandler handleFailureInMethod:object:file:lineNumber:description:]
0x000000019e5edd08      (RunningBoardServices + 0x0001dd08)     -[RBSAssertion dealloc]
0x000000022f8ce3f4      (BrowserEngineKit + 0x0001a3f4)         __swift_memcpy0_1
0x000000018e03f368      (libswiftCore.dylib + 0x003ab368)       _swift_release_dealloc
0x000000018e040484      (libswiftCore.dylib + 0x003ac484)       bool swift::RefCounts<swift::RefCountBitsT<(swift::RefCountInlinedness)1>>::doDecrementSlow<(swift::PerformDeinit)1>(swift::RefCountBitsT<(swift::RefCountInlinedness)1>, unsigned int)
0x00000001a54f7974      (WebKit + 0x00697974)                   WebKit::ExtensionCapabilityGrant::operator=(WebKit::ExtensionCapabilityGrant&&)
0x00000001a54fc2fc      (WebKit + 0x0069c2fc)                   WebKit::finalizeGrant(WTF::String const&, WebKit::AuxiliaryProcessProxy*, WebKit::ExtensionCapabilityGrant&&)
0x00000001a54fbde8      (WebKit + 0x0069bde8)                   WTF::Detail::CallableWrapper<auto WTF::NativePromise<WebKit::PlatformExtensionCapabilityGrants, WebKit::ExtensionCapabilityGrantError, 0u>::whenSettled<WebKit::ExtensionCapabilityGranter::grant(WebKit::ExtensionCapability const&)::$_4>(WTF::RefCountedSerialFunctionDispatcher&, WebKit::ExtensionCapabilityGranter::grant(WebKit::ExtensionCapability const&)::$_4&&, WTF::Logger::LogSiteIdentifier const&)::'lambda'(std::experimental::fundamentals_v3::expected<WebKit::PlatformExtensionCapabilityGrants, WebKit::ExtensionCapabilityGrantError>&&), void, auto WTF::NativePromise<WebKit::PlatformExtensionCapabilityGrants, WebKit::ExtensionCapabilityGrantError, 0u>::whenSettled<WebKit::ExtensionCapabilityGranter::grant(WebKit::ExtensionCapability const&)::$_4>(WTF::RefCountedSerialFunctionDispatcher&, WebKit::ExtensionCapabilityGranter::grant(WebKit::ExtensionCapability const&)::$_4&&, WTF::Logger::LogSiteIdentifier const&)::'lambda'(std::experimental::fundamentals_v3::expected<WebKit::PlatformExtensionCapabilityGrants, WebKit::ExtensionCapabilityGrantError>&&)>::call(auto WTF::NativePromise<WebKit::PlatformExtensionCapabilityGrants, WebKit::ExtensionCapabilityGrantError, 0u>::whenSettled<WebKit::ExtensionCapabilityGranter::grant(WebKit::ExtensionCapability const&)::$_4>(WTF::RefCountedSerialFunctionDispatcher&, WebKit::ExtensionCapabilityGranter::grant(WebKit::ExtensionCapability const&)::$_4&&, WTF::Logger::LogSiteIdentifier const&)::'lambda'(std::experimental::fundamentals_v3::expected<WebKit::PlatformExtensionCapabilityGrants, WebKit::ExtensionCapabilityGrantError>&&))
0x00000001a54fc910      (WebKit + 0x0069c910)                   WTF::NativePromise<WebKit::PlatformExtensionCapabilityGrants, WebKit::ExtensionCapabilityGrantError, 0u>::ThenCallback<false, void>::processResult(std::experimental::fundamentals_v3::expected<WebKit::PlatformExtensionCapabilityGrants, WebKit::ExtensionCapabilityGrantError>&)
0x00000001a54fb508      (WebKit + 0x0069b508)                   WTF::Detail::CallableWrapper<WTF::NativePromise<WebKit::PlatformExtensionCapabilityGrants, WebKit::ExtensionCapabilityGrantError, 0u>::ThenCallbackBase::dispatch(WTF::NativePromise<WebKit::PlatformExtensionCapabilityGrants, WebKit::ExtensionCapabilityGrantError, 0u>&, WTF::Locker<WTF::Lock>&)::'lambda'(), void>::call()
0x00000001a5e55cac      (JavaScriptCore + 0x00059cac)           WTF::RunLoop::performWork()
0x00000001a5e56bd4      (JavaScriptCore + 0x0005abd4)           WTF::RunLoop::performWork(void*)
0x000000018f3c2870      (CoreFoundation + 0x00056870)           __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__
0x000000018f3c2804      (CoreFoundation + 0x00056804)           __CFRunLoopDoSource0
0x000000018f3c02d4      (CoreFoundation + 0x000542d4)           __CFRunLoopDoSources0
0x000000018f3bf4c0      (CoreFoundation + 0x000534c0)           __CFRunLoopRun
0x000000018f3bed14      (CoreFoundation + 0x00052d14)           CFRunLoopRunSpecific
0x00000001d48311a4      (GraphicsServices + 0x000011a4)         GSEventRunModal
0x00000001919f9fa8      (UIKitCore + 0x00408fa8)                -[UIApplication _run]
0x0000000191aaded4      (UIKitCore + 0x004bced4)                UIApplicationMain
0x00000001044a9e18      (Chrome -chrome_exe_main.mm:54)         (anonymous namespace)::RunUIApplicationMain(int, char**)
0x00000001044a9e18      (Chrome -chrome_exe_main.mm:107)        main
0x00000001b36d0e48      (dyld + 0x0003ce48)                     start

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20240404/07ac4546/attachment-0001.htm>