[Webkit-unassigned] [Bug 282243] New: REGRESSION(iOS 18.2): Crash in DownloadProxy::~DownloadProxy

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Oct 29 09:12:59 PDT 2024


https://bugs.webkit.org/show_bug.cgi?id=282243

            Bug ID: 282243
           Summary: REGRESSION(iOS 18.2): Crash in
                    DownloadProxy::~DownloadProxy
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebKit API
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: ajuma at chromium.org
                CC: cdumez at apple.com, pvollan at apple.com

Created attachment 473071

  --> https://bugs.webkit.org/attachment.cgi?id=473071&action=review

Crash log

Chrome for iOS is getting a very large number of reports of a new crash in DownloadProxy::~DownloadProxy in iOS 18.2 beta. This is by far our top crash on build 22C5109p, 7 times more frequent than the next top crash signature.

I've attached a crash log. The crashing stack is:

0x000000019b58b9b0(WebKit + 0x009939b0) WebKit::DownloadProxy::~DownloadProxy()
0x000000019b14edd4(WebKit + 0x00556dd4) -[WKDownload dealloc]
0x0000000100547094(Chrome -download_native_task_bridge.mm:140) -[DownloadNativeTaskBridge cancel]
0x0000000100548578(Chrome -download_native_task_impl.mm:38) web::DownloadNativeTaskImpl::~DownloadNativeTaskImpl()
0x00000001005f35b8(Chrome -web_state_impl_realized_web_state.mm:219) web::WebStateImpl::RealizedWebState::TearDown()
0x00000001005f1824(Chrome -web_state_impl.mm:177) web::WebStateImpl::~WebStateImpl()
0x00000001005f18e8(Chrome -web_state_impl.mm:174) web::WebStateImpl::~WebStateImpl()
0x000000010060b394(Chrome -web_state_list.mm:347) WebStateList::CloseWebStateAt(int, int)
0x0000000100d947c4(Chrome -regular_grid_mediator.mm:45) -[RegularGridMediator closeItemWithID:]
0x0000000100d8c1ec(Chrome -base_grid_mediator.mm:1846) -[BaseGridMediator closeItemWithIdentifier:]
0x0000000100b6db84(Chrome -base_grid_view_controller.mm:1019) -[BaseGridViewController closeButtonTappedForCell:]
0x0000000100b72308(Chrome -grid_cell.mm:612) -[GridCell closeButtonTapped:]
0x0000000187364c34(UIKitCore + 0x003c4c34)-[UIApplication sendAction:to:from:forEvent:]
0x0000000187364b0c(UIKitCore + 0x003c4b0c)-[UIControl sendAction:to:forEvent:]
0x000000018736495c(UIKitCore + 0x003c495c)-[UIControl _sendActionsForEvents:withEvent:]
0x0000000187afd92c(UIKitCore + 0x00b5d92c)-[UIButton _sendActionsForEvents:withEvent:]
0x0000000187aff140(UIKitCore + 0x00b5f140)-[UIControl touchesEnded:withEvent:]
0x0000000187820d04(UIKitCore + 0x00880d04)-[UIGestureDelayedEventComponentDispatcher sendDelayedTouches]
0x0000000187018464(UIKitCore + 0x00078464)_UIGestureEnvironmentUpdate
0x000000018710c698(UIKitCore + 0x0016c698)-[UIGestureEnvironment _deliverEvent:toGestureRecognizers:usingBlock:]
0x00000001872ad188(UIKitCore + 0x0030d188)-[UIGestureEnvironment _updateForEvent:window:]
0x00000001872ac56c(UIKitCore + 0x0030c56c)-[UIWindow sendEvent:]
0x0000000187140b24(UIKitCore + 0x001a0b24)-[UIApplication sendEvent:]
0x0000000187141050(UIKitCore + 0x001a1050)__dispatchPreprocessedEventFromEventQueue
0x000000018714aef0(UIKitCore + 0x001aaef0)__processEventQueue
0x00000001870436bc(UIKitCore + 0x000a36bc)updateCycleEntry
0x0000000187041434(UIKitCore + 0x000a1434)_UIUpdateSequenceRun
0x0000000187041084(UIKitCore + 0x000a1084)schedulerStepScheduledMainSection
0x0000000187041ff8(UIKitCore + 0x000a1ff8)runloopSourceCallback
0x00000001847e2328(CoreFoundation + 0x00056328)__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__
0x00000001847e22bc(CoreFoundation + 0x000562bc)__CFRunLoopDoSource0
0x00000001847dfdc0(CoreFoundation + 0x00053dc0)__CFRunLoopDoSources0
0x00000001847defbc(CoreFoundation + 0x00052fbc)__CFRunLoopRun
0x00000001847de830(CoreFoundation + 0x00052830)CFRunLoopRunSpecific
0x00000001d23551c4(GraphicsServices + 0x000011c4)GSEventRunModal
0x0000000187374118(UIKitCore + 0x003d4118)-[UIApplication _run]
0x00000001874228f0(UIKitCore + 0x004828f0)UIApplicationMain
0x0000000100030260(Chrome -chrome_exe_main.mm:118)ChromeMain(int, char**)
0x00000001ab57f848(dyld + 0x00033848)start
