Bug 254378

Summary:

REGRESSION(261977@main): TestWebKitAPI.ProcessSwap.ResizeWebViewDuringCrossSiteProvisionalNavigation is a constant crash

Product:

WebKit

Reporter:

Robert Jenner <jenner>

Component:

New Bugs

Assignee:

Nikos Mouchtaris <nmouchtaris>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

nmouchtaris, webkit-bot-watchers-bugzilla, webkit-bug-importer

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

See Also:

https://bugs.webkit.org/show_bug.cgi?id=253739

Attachments:

Description	Flags
Crash log from reproduction.	none

Description Robert Jenner 2023-03-23 17:17:41 PDT

TestWebKitAPI.ProcessSwap.ResizeWebViewDuringCrossSiteProvisionalNavigation

is a constant crash on iOS, and a flaky crash on Ventura Debug. 


HISTORY:
https://results.webkit.org/?suite=api-tests&test=TestWebKitAPI.ProcessSwap.ResizeWebViewDuringCrossSiteProvisionalNavigation

Crash text:

TestWebKitAPI.ProcessSwap.ResizeWebViewDuringCrossSiteProvisionalNavigation
        Child process terminated with signal 11: Segmentation fault

Comment 1 Radar WebKit Bug Importer 2023-03-23 17:18:02 PDT

<rdar://problem/107161569>

Comment 2 Robert Jenner 2023-03-23 17:19:23 PDT

I was able to reproduce the crash at iOS 16 Release ToT running the test as follows:


run-api-tests --no-build --iOS-simulator TestWebKitAPI.ProcessSwap.ResizeWebViewDuringCrossSiteProvisionalNavigation


With said reproduction case I was able to get a little more information about the crash itself:

Thread 0 Crashed::  Dispatch queue: com.apple.main-thread
0   WebKit                        	       0x105b12658 unwrap + 0 (RawPtrTraits.h:44) [inlined]
1   WebKit                        	       0x105b12658 operator-> + 0 (RefPtr.h:84) [inlined]
2   WebKit                        	       0x105b12658 WebKit::RemoteScrollingCoordinatorProxy::viewSizeDidChange() + 0 (RemoteScrollingCoordinatorProxy.cpp:395)
3   WebKit                        	       0x10593a694 WebKit::RemoteLayerTreeDrawingAreaProxy::sizeDidChange() + 40 (RemoteLayerTreeDrawingAreaProxy.mm:95)
4   WebKit                        	       0x1059cafa4 WebKit::DrawingAreaProxy::setSize(WebCore::IntSize const&, WebCore::IntSize const&) + 108 (DrawingAreaProxy.cpp:76)
5   WebKit                        	       0x105a4f958 WebKit::WebPageProxy::setDrawingArea(std::__1::unique_ptr<WebKit::DrawingAreaProxy, std::__1::default_delete<WebKit::DrawingAreaProxy>>&&) + 144 (WebPageProxy.cpp:1160)
6   WebKit                        	       0x105a4f7ac WebKit::WebPageProxy::swapToProvisionalPage(std::__1::unique_ptr<WebKit::ProvisionalPageProxy, std::__1::default_delete<WebKit::ProvisionalPageProxy>>) + 376 (WebPageProxy.cpp:1003)
7   WebKit                        	       0x105a5a904 WebKit::WebPageProxy::commitProvisionalPage(WebCore::ProcessQualified<WTF::ObjectIdentifier<WebCore::FrameIdentifierType>>, WebKit::FrameInfoData&&, WebCore::ResourceRequest&&, unsigned long long, WTF::String const&, bool, WebCore::FrameLoadType, WebCore::CertificateInfo const&, bool, bool, bool, WebCore::HasInsecureContent, WebCore::MouseEventPolicy, WebKit::UserData const&) + 480 (WebPageProxy.cpp:3811)
8   WebKit                        	       0x1059e0cf8 WebKit::ProvisionalPageProxy::didCommitLoadForFrame(WebCore::ProcessQualified<WTF::ObjectIdentifier<WebCore::FrameIdentifierType>>, WebKit::FrameInfoData&&, WebCore::ResourceRequest&&, unsigned long long, WTF::String const&, bool, WebCore::FrameLoadType, WebCore::CertificateInfo const&, bool, bool, bool, WebCore::HasInsecureContent, WebCore::MouseEventPolicy, WebKit::UserData const&) + 560 (ProvisionalPageProxy.cpp:323)
9   WebKit                        	       0x1059eb394 operator()<WebCore::ProcessQualified<WTF::ObjectIdentifier<WebCore::FrameIdentifierType> >, WebKit::FrameInfoData, WebCore::ResourceRequest, unsigned long long, WTF::String, bool, WebCore::FrameLoadType, WebCore::CertificateInfo, bool, bool, bool, WebCore::HasInsecureContent, WebCore::MouseEventPolicy, WebKit::UserData> + 52 (HandleMessage.h:136) [inlined]
10  WebKit                        	       0x1059eb394 */HandleMessage.h:135:9), WebCore::ProcessQualified<WTF::ObjectIdentifier<WebCore::FrameIdentifierType> >, WebKit::FrameInfoData, WebCore::ResourceRequest, unsigned long long, WTF::String, bool, WebCore::FrameLoadType, WebCore::CertificateInfo, bool, bool, bool, WebCore::HasInsecureContent, WebCore::MouseEventPolicy, WebKit::UserData> + 52 (type_traits:3924) [inlined]
11  WebKit                        	       0x1059eb394 */HandleMessage.h:135:9), std::__1::tuple<WebCore::ProcessQualified<WTF::ObjectIdentifier<WebCore::FrameIdentifierType> >, WebKit::FrameInfoData, WebCore::ResourceRequest, unsigned long long, WTF::String, bool, WebCore::FrameLoadType, WebCore::CertificateInfo, bool, bool, bool, WebCore::HasInsecureContent, WebCore::MouseEventPolicy, WebKit::UserData>, 0UL, 1UL, 2UL, 3UL, 4UL, 5UL, 6UL, 7UL, 8UL, 9UL, 10UL, 11UL, 12UL, 13UL> + 92 (tuple:1536) [inlined]
12  WebKit                        	       0x1059eb394 */HandleMessage.h:135:9), std::__1::tuple<WebCore::ProcessQualified<WTF::ObjectIdentifier<WebCore::FrameIdentifierType> >, WebKit::FrameInfoData, WebCore::ResourceRequest, unsigned long long, WTF::String, bool, WebCore::FrameLoadType, WebCore::CertificateInfo, bool, bool, bool, WebCore::HasInsecureContent, WebCore::MouseEventPolicy, WebKit::UserData> > + 92 (tuple:1545) [inlined]
13  WebKit                        	       0x1059eb394 void IPC::callMemberFunction<WebKit::ProvisionalPageProxy, WebKit::ProvisionalPageProxy, void (WebCore::ProcessQualified<WTF::ObjectIdentifier<WebCore::FrameIdentifierType>>, WebKit::FrameInfoData&&, WebCore::ResourceRequest&&, unsigned long long, WTF::String const&, bool, WebCore::FrameLoadType, WebCore::CertificateInfo const&, bool, bool, bool, WebCore::HasInsecureContent, WebCore::MouseEventPolicy, WebKit::UserData const&), std::__1::tuple<WebCore::ProcessQualified<WTF::ObjectIdentifier<WebCore::FrameIdentifierType>>, WebKit::FrameInfoData, WebCore::ResourceRequest, unsigned long long, WTF::String, bool, WebCore::FrameLoadType, WebCore::CertificateInfo, bool, bool, bool, WebCore::HasInsecureContent, WebCore::MouseEventPolicy, WebKit::UserData>>(WebKit::ProvisionalPageProxy*, void (WebKit::ProvisionalPageProxy::*)(WebCore::ProcessQualified<WTF::ObjectIdentifier<WebCore::FrameIdentifierType>>, WebKit::FrameInfoData&&, WebCore::ResourceRequest&&, unsigned long long, WTF::String const&, bool, WebCore::FrameLoadType, WebCore::CertificateInfo const&, bool, bool, bool, WebCore::HasInsecureContent, WebCore::MouseEventPolicy, WebKit::UserData const&), std::__1::tuple<WebCore::ProcessQualified<WTF::ObjectIdentifier<WebCore::FrameIdentifierType>>, WebKit::FrameInfoData, WebCore::ResourceRequest, unsigned long long, WTF::String, bool, WebCore::FrameLoadType, WebCore::CertificateInfo, bool, bool, bool, WebCore::HasInsecureContent, WebCore::MouseEventPolicy, WebKit::UserData>&&) + 108 (HandleMessage.h:134)
14  WebKit                        	       0x1059e2724 void IPC::handleMessage<Messages::WebPageProxy::DidCommitLoadForFrame, WebKit::ProvisionalPageProxy, WebKit::ProvisionalPageProxy, void (WebCore::ProcessQualified<WTF::ObjectIdentifier<WebCore::FrameIdentifierType>>, WebKit::FrameInfoData&&, WebCore::ResourceRequest&&, unsigned long long, WTF::String const&, bool, WebCore::FrameLoadType, WebCore::CertificateInfo const&, bool, bool, bool, WebCore::HasInsecureContent, WebCore::MouseEventPolicy, WebKit::UserData const&)>(IPC::Connection&, IPC::Decoder&, WebKit::ProvisionalPageProxy*, void (WebKit::ProvisionalPageProxy::*)(WebCore::ProcessQualified<WTF::ObjectIdentifier<WebCore::FrameIdentifierType>>, WebKit::FrameInfoData&&, WebCore::ResourceRequest&&, unsigned long long, WTF::String const&, bool, WebCore::FrameLoadType, WebCore::CertificateInfo const&, bool, bool, bool, WebCore::HasInsecureContent, WebCore::MouseEventPolicy, WebKit::UserData const&)) + 96 (HandleMessage.h:236)
15  WebKit                        	       0x105e82db4 IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) + 272 (MessageReceiverMap.cpp:129)
16  WebKit                        	       0x105aa23ec WebKit::WebProcessProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&) + 32 (WebProcessProxy.cpp:987)
17  WebKit                        	       0x105e7e9fc IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder>>) + 312 (Connection.cpp:1245)
18  WebKit                        	       0x105e7edcc IPC::Connection::dispatchIncomingMessages() + 456 (Connection.cpp:1355)
19  JavaScriptCore                	       0x109892458 operator() + 16 (Function.h:82) [inlined]
20  JavaScriptCore                	       0x109892458 WTF::RunLoop::performWork() + 168 (RunLoop.cpp:147)
21  JavaScriptCore                	       0x109892f68 WTF::RunLoop::performWork(void*) + 36 (RunLoopCF.cpp:46)
22  CoreFoundation                	       0x10f16d070 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 24
23  CoreFoundation                	       0x10f16cfb8 __CFRunLoopDoSource0 + 172
24  CoreFoundation                	       0x10f16c728 __CFRunLoopDoSources0 + 232
25  CoreFoundation                	       0x10f166e68 __CFRunLoopRun + 756
26  CoreFoundation                	       0x10f16675c CFRunLoopRunSpecific + 584
27  Foundation                    	       0x11184400c -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 208
28  TestWebKitAPI                 	       0x102e192c4 TestWebKitAPI::Util::run(bool*) + 88 (UtilitiesCocoa.mm:35)
29  TestWebKitAPI                 	       0x102b5409c ProcessSwap_ResizeWebViewDuringCrossSiteProvisionalNavigation_Test::TestBody() + 740 (ProcessSwapOnNavigation.mm:7224)
30  TestWebKitAPI                 	       0x102e59570 void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) + 100
31  TestWebKitAPI                 	       0x102e594b4 testing::Test::Run() + 188
32  TestWebKitAPI                 	       0x102e5a24c testing::TestInfo::Run() + 236
33  TestWebKitAPI                 	       0x102e5aad4 testing::TestSuite::Run() + 304
34  TestWebKitAPI                 	       0x102e65008 testing::internal::UnitTestImpl::RunAllTests() + 828
35  TestWebKitAPI                 	       0x102e64ba8 bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) + 100
36  TestWebKitAPI                 	       0x102e64b10 testing::UnitTest::Run() + 124
37  TestWebKitAPI                 	       0x102926698 RUN_ALL_TESTS() + 16 (gtest.h:2471)
38  TestWebKitAPI                 	       0x102926654 TestWebKitAPI::TestsController::run(int, char**) + 108 (TestsController.cpp:89)
39  TestWebKitAPI                 	       0x102e3d2bc main + 220 (mainIOS.mm:56)
40  dyld_sim                      	       0x1052bdfa0 start_sim + 20
41  dyld                          	       0x1053bdf28 start + 2236

Full crash log attached to this bug.

Comment 3 Robert Jenner 2023-03-23 17:20:08 PDT

Created attachment 465561 [details]
Crash log from reproduction.

Comment 4 Robert Jenner 2023-03-23 17:30:53 PDT

I have bisected the regression point to 261977@main. I'm able to reproduce the crash at that commit, but not at 261976@main. 


Starting on Nikos who introduced https://commits.webkit.org/261977@main that appears to have caused this crash.

Comment 5 Nikos Mouchtaris 2023-03-23 18:35:04 PDT

Pull request: https://github.com/WebKit/WebKit/pull/11900

Comment 6 EWS 2023-03-24 14:37:31 PDT

Committed 262099@main (b0a888801632): <https://commits.webkit.org/262099@main>

Reviewed commits have been landed. Closing PR #11900 and removing active labels.