192513 2018-12-07 13:50:26 -0800 Crash in WebCore::ServiceWorkerGlobalScope 2019-01-04 10:47:34 -0800 1 1 1 Unclassified WebKit Service Workers WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 aboya youennf achristensen bfulgham commit-queue mcatanzaro product-security webkit-bug-importer youennf oldest_to_newest 1486130 0 aboya 2018-12-07 13:50:26 -0800 Happened while loading http://youtube.com in Debug. The page continued working after that. (gdb) f 1 #1 0x00007efe604440e6 in WTF::Ref<WebCore::ServiceWorkerThread, WTF::DumbPtrTraits<WebCore::ServiceWorkerThread> >::operator-> (this=0x7efdf02ae620) at DerivedSources/ForwardingHeaders/wtf/Ref.h:119 119 T* operator->() const { ASSERT(m_ptr); return PtrTraits::unwrap(m_ptr); } (gdb) p m_ptr $1 = (WTF::DumbPtrTraits<WebCore::ServiceWorkerThread>::StorageType) 0x0 [Current thread is 1 (Thread 0x7efe46465ac0 (LWP 23273))] #0 WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:255 #1 0x00007efe604440e6 in WTF::Ref<WebCore::ServiceWorkerThread, WTF::DumbPtrTraits<WebCore::ServiceWorkerThread> >::operator-> (this=0x7efdf02ae620) at DerivedSources/ForwardingHeaders/wtf/Ref.h:119 #2 0x00007efe6043c6ac in WebCore::ServiceWorkerGlobalScope::<lambda()>::operator()(void) (__closure=0x7efdf02ae620) at ../../Source/WebCore/workers/service/ServiceWorkerGlobalScope.cpp:65 #3 0x00007efe60443de2 in WTF::Function<void()>::CallableWrapper<WebCore::ServiceWorkerGlobalScope::skipWaiting(WTF::Ref<WebCore::DeferredPromise>&&)::<lambda()> >::call(void) (this=0x7efdf02ae618) at DerivedSources/ForwardingHeaders/wtf/Function.h:101 #4 0x00007efe5d585f42 in WTF::Function<void ()>::operator()() const (this=0x7ffeca2f0158) at DerivedSources/ForwardingHeaders/wtf/Function.h:56 #5 0x00007efe5304bf05 in WTF::dispatchFunctionsFromMainThread () at ../../Source/WTF/wtf/MainThread.cpp:115 #6 0x00007efe530aa2bd in WTF::MainThreadDispatcher::fired (this=0x7efe54285220 <WTF::scheduleDispatchFunctionsOnMainThread()::dispatcher>) at ../../Source/WTF/wtf/generic/MainThreadGeneric.cpp:67 #7 0x00007efe530aa404 in WTF::RunLoop::Timer<WTF::MainThreadDispatcher>::fired (this=0x7efe54285220 <WTF::scheduleDispatchFunctionsOnMainThread()::dispatcher>) at ../../Source/WTF/wtf/RunLoop.h:148 #8 0x00007efe530ad14b in WTF::RunLoop::TimerBase::<lambda(gpointer)>::operator()(gpointer) const (__closure=0x0, userData=0x7efe54285220 <WTF::scheduleDispatchFunctionsOnMainThread()::dispatcher>) at ../../Source/WTF/wtf/glib/RunLoopGLib.cpp:170 #9 0x00007efe530ad1a3 in WTF::RunLoop::TimerBase::<lambda(gpointer)>::_FUN(gpointer) () at ../../Source/WTF/wtf/glib/RunLoopGLib.cpp:176 #10 0x00007efe530ac8c8 in WTF::<lambda(GSource*, GSourceFunc, gpointer)>::operator()(GSource *, GSourceFunc, gpointer) const (__closure=0x0, source=0x7efdc80031a0, callback=0x7efe530ad186 <WTF::RunLoop::TimerBase::<lambda(gpointer)>::_FUN(gpointer)>, userData=0x7efe54285220 <WTF::scheduleDispatchFunctionsOnMainThread()::dispatcher>) at ../../Source/WTF/wtf/glib/RunLoopGLib.cpp:45 #11 0x00007efe530ac8f8 in WTF::<lambda(GSource*, GSourceFunc, gpointer)>::_FUN(GSource *, GSourceFunc, gpointer) () at ../../Source/WTF/wtf/glib/RunLoopGLib.cpp:46 #12 0x00007efe4a526818 in g_main_dispatch () at /webkit/WebKitBuild/DependenciesGTK/Source/glib-2.54.2/glib/gmain.c:3148 #13 g_main_context_dispatch () at /webkit/WebKitBuild/DependenciesGTK/Source/glib-2.54.2/glib/gmain.c:3813 #14 0x00007efe4a526bd8 in g_main_context_iterate () at /webkit/WebKitBuild/DependenciesGTK/Source/glib-2.54.2/glib/gmain.c:3886 #15 0x00007efe4a526ec2 in g_main_loop_run () at /webkit/WebKitBuild/DependenciesGTK/Source/glib-2.54.2/glib/gmain.c:4082 #16 0x00007efe530ace06 in WTF::RunLoop::run () at ../../Source/WTF/wtf/glib/RunLoopGLib.cpp:96 #17 0x00007efe5df87a71 in WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain> (argc=3, argv=0x7ffeca2f0598) at ../../Source/WebKit/Shared/unix/ChildProcessMain.h:61 #18 0x00007efe5df8534f in WebKit::WebProcessMainUnix (argc=3, argv=0x7ffeca2f0598) at ../../Source/WebKit/WebProcess/gtk/WebProcessMainGtk.cpp:67 #19 0x0000000000400cc1 in main (argc=3, argv=0x7ffeca2f0598) at ../../Source/WebKit/WebProcess/EntryPoint/unix/WebProcessMain.cpp:52 1486131 1 webkit-bug-importer 2018-12-07 13:50:47 -0800 <rdar://problem/46563880> 1490648 2 mcatanzaro 2018-12-22 17:14:57 -0800 (Note that null pointer dereference is at worst a DoS issue, so I don't think this needs to remain private.) 1490649 3 mcatanzaro 2018-12-22 17:17:53 -0800 Just from quick code inspection: connection->skipWaiting(workerThread->identifier(), [workerThread = WTFMove(workerThread), requestIdentifier] { This is illegal because workerThread could be moved from in the second argument before the first argument is evaluated. It needs a temporary variable to hold the result of workerThread->identifier(). 1491694 4 358327 youennf 2019-01-04 10:00:44 -0800 Created attachment 358327 Patch 1491733 5 358327 commit-queue 2019-01-04 10:47:32 -0800 Comment on attachment 358327 Patch Clearing flags on attachment: 358327 Committed r239620: <https://trac.webkit.org/changeset/239620> 1491734 6 commit-queue 2019-01-04 10:47:34 -0800 All reviewed patches have been landed. Closing bug. 358327 2019-01-04 10:00:44 -0800 2019-01-04 10:47:32 -0800 Patch bug-192513-20190104100043.patch text/plain 2019 youennf U3VidmVyc2lvbiBSZXZpc2lvbjogMjM5NTk0CmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29yZS9D aGFuZ2VMb2cgYi9Tb3VyY2UvV2ViQ29yZS9DaGFuZ2VMb2cKaW5kZXggZWZjODkyZmQwNGM4OTVk ZGZmOTM1YzI5MWViMWU1MGZhYTU0OTdjYS4uMDY4MjkxNDczNTVlNTk1MWQ5NWY1NWEzYjgzNjEy YjMwYTc0MzY5NiAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCisrKyBiL1Nv dXJjZS9XZWJDb3JlL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE2IEBACisyMDE5LTAxLTA0ICBZb3Vl bm4gRmFibGV0ICA8eW91ZW5uQGFwcGxlLmNvbT4KKworICAgICAgICBDcmFzaCBpbiBXZWJDb3Jl OjpTZXJ2aWNlV29ya2VyR2xvYmFsU2NvcGUKKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5v cmcvc2hvd19idWcuY2dpP2lkPTE5MjUxMworICAgICAgICA8cmRhcjovL3Byb2JsZW0vNDY1NjM4 ODA+CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgU3Rv cmUgdGhlIGlkZW50aWZpZXIgaW4gaXRzIG93biB2YXJpYWJsZSB0byBtYWtlIHN1cmUgd2UgZG8g bm90IHVzZSB3b3JrZXJUaHJlYWQgYWZ0ZXIgYmVpbmcgbW92ZWQuCisKKyAgICAgICAgKiB3b3Jr ZXJzL3NlcnZpY2UvU2VydmljZVdvcmtlckdsb2JhbFNjb3BlLmNwcDoKKyAgICAgICAgKFdlYkNv cmU6OlNlcnZpY2VXb3JrZXJHbG9iYWxTY29wZTo6c2tpcFdhaXRpbmcpOgorCiAyMDE5LTAxLTAz ICBZb3Vlbm4gRmFibGV0ICA8eW91ZW5uQGFwcGxlLmNvbT4KIAogICAgICAgICBDU1AgdmlvbGF0 aW9uIHJlcG9ydHMgc2hvdWxkIGJ5cGFzcyBDU1AgY2hlY2tzCmRpZmYgLS1naXQgYS9Tb3VyY2Uv V2ViQ29yZS93b3JrZXJzL3NlcnZpY2UvU2VydmljZVdvcmtlckdsb2JhbFNjb3BlLmNwcCBiL1Nv dXJjZS9XZWJDb3JlL3dvcmtlcnMvc2VydmljZS9TZXJ2aWNlV29ya2VyR2xvYmFsU2NvcGUuY3Bw CmluZGV4IGZlNDI5YWJiOTJlNDFmZjRlYzI1MzMwMWJmNWY0YmQzNGFjODRiYjQuLjg4YWQ3ZmY3 ODZiMmE0MzgxNjYwOGU5ODgwY2Y5Nzc3NWQzOWQ2ZWMgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XZWJD b3JlL3dvcmtlcnMvc2VydmljZS9TZXJ2aWNlV29ya2VyR2xvYmFsU2NvcGUuY3BwCisrKyBiL1Nv dXJjZS9XZWJDb3JlL3dvcmtlcnMvc2VydmljZS9TZXJ2aWNlV29ya2VyR2xvYmFsU2NvcGUuY3Bw CkBAIC02Miw3ICs2Miw4IEBAIHZvaWQgU2VydmljZVdvcmtlckdsb2JhbFNjb3BlOjpza2lwV2Fp dGluZyhSZWY8RGVmZXJyZWRQcm9taXNlPiYmIHByb21pc2UpCiAKICAgICBjYWxsT25NYWluVGhy ZWFkKFt3b3JrZXJUaHJlYWQgPSBtYWtlUmVmKHRocmVhZCgpKSwgcmVxdWVzdElkZW50aWZpZXJd KCkgbXV0YWJsZSB7CiAgICAgICAgIGlmIChhdXRvKiBjb25uZWN0aW9uID0gU1dDb250ZXh0TWFu YWdlcjo6c2luZ2xldG9uKCkuY29ubmVjdGlvbigpKSB7Ci0gICAgICAgICAgICBjb25uZWN0aW9u LT5za2lwV2FpdGluZyh3b3JrZXJUaHJlYWQtPmlkZW50aWZpZXIoKSwgW3dvcmtlclRocmVhZCA9 IFdURk1vdmUod29ya2VyVGhyZWFkKSwgcmVxdWVzdElkZW50aWZpZXJdIHsKKyAgICAgICAgICAg IGF1dG8gaWRlbnRpZmllciA9IHdvcmtlclRocmVhZC0+aWRlbnRpZmllcigpOworICAgICAgICAg ICAgY29ubmVjdGlvbi0+c2tpcFdhaXRpbmcoaWRlbnRpZmllciwgW3dvcmtlclRocmVhZCA9IFdU Rk1vdmUod29ya2VyVGhyZWFkKSwgcmVxdWVzdElkZW50aWZpZXJdIHsKICAgICAgICAgICAgICAg ICB3b3JrZXJUaHJlYWQtPnJ1bkxvb3AoKS5wb3N0VGFzayhbcmVxdWVzdElkZW50aWZpZXJdKGF1 dG8mIGNvbnRleHQpIHsKICAgICAgICAgICAgICAgICAgICAgYXV0byYgc2NvcGUgPSBkb3duY2Fz dDxTZXJ2aWNlV29ya2VyR2xvYmFsU2NvcGU+KGNvbnRleHQpOwogICAgICAgICAgICAgICAgICAg ICBpZiAoYXV0byBwcm9taXNlID0gc2NvcGUubV9wZW5kaW5nU2tpcFdhaXRpbmdQcm9taXNlcy50 YWtlKHJlcXVlc3RJZGVudGlmaWVyKSkK