[Webkit-unassigned] [Bug 278500] New: REGRESSION (282564 at main): [ macOS iOS wk2 debug arm64 ] imported/w3c/web-platform-tests/navigation-api/navigate-event/replaceState-inside-back-handler.html is a constant crash with a assertion failure.

Wed Aug 21 16:08:10 PDT 2024

https://bugs.webkit.org/show_bug.cgi?id=278500

            Bug ID: 278500
           Summary: REGRESSION (282564 at main): [ macOS iOS wk2 debug arm64
                    ]
                    imported/w3c/web-platform-tests/navigation-api/navigat
                    e-event/replaceState-inside-back-handler.html is a
                    constant crash with a  assertion failure.
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebCore JavaScript
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: aviduya at apple.com
                CC: achristensen at apple.com, pgriffis at igalia.com,
                    webkit-bot-watchers-bugzilla at group.apple.com,
                    webkit-bug-importer at group.apple.com

imported/w3c/web-platform-tests/navigation-api/navigate-event/replaceState-inside-back-handler.html 
is a constant crash producing an assertion failure.

HISTORY: 
https://results.webkit.org/?platform=mac&platform=ios&suite=layout-tests&test=imported%2Fw3c%2Fweb-platform-tests%2Fnavigation-api%2Fnavigate-event%2FreplaceState-inside-back-handler.html 

LOG: 
1   0x35b3ad4d8 WebCore::DOMPromise::whenPromiseIsSettled(WebCore::JSDOMGlobalObject*, JSC::JSObject*, WTF::Function<void ()>&&)
2   0x35b3ad01c WebCore::DOMPromise::whenSettled(std::__1::function<void ()>&&)
3   0x35cfa8a68 WebCore::waitForAllPromises(WTF::Vector<WTF::RefPtr<WebCore::DOMPromise, WTF::RawPtrTraits<WebCore::DOMPromise>, WTF::DefaultRefDerefTraits<WebCore::DOMPromise>>, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WTF::Function<void ()>&&, WTF::Function<void (JSC::JSValue)>&&)
4   0x35cfa7dd8 WebCore::Navigation::innerDispatchNavigateEvent(WebCore::NavigationNavigationType, WTF::Ref<WebCore::NavigationDestination, WTF::RawPtrTraits<WebCore::NavigationDestination>, WTF::DefaultRefDerefTraits<WebCore::NavigationDestination>>&&, WTF::String const&, WebCore::FormState*, WebCore::SerializedScriptValue*)
5   0x35cfa9014 WebCore::Navigation::dispatchPushReplaceReloadNavigateEvent(WTF::URL const&, WebCore::NavigationNavigationType, bool, WebCore::FormState*, WebCore::SerializedScriptValue*)

LINK: 
https://build.webkit.org/results/Apple-Sonoma-Debug-AppleSilicon-WK2-Tests/282576@main%20(3805)/imported/w3c/web-platform-tests/navigation-api/navigate-event/replaceState-inside-back-handler-crash-log.txt

DESCRIPTION: 
In 282564 at main changes were made in Navigation. I tried to bisect the regression but it seems that 282564 at main had a build failure. In 282563 at main the crash does not occur. 

REPRODUCIBILITY: 
I was able to reproduce the constant crash on ToT using command 
run-webkit-test imported/w3c/web-platform-tests/navigation-api/navigate-event/replaceState-inside-back-handler.html --debug --iterations 10

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20240821/a65a16d3/attachment.htm>