Bug 186805

Summary:

WebCoreNSURLSessionDataTaskClient::redirectReceived() calls WebCore on non-main thread

Product:

WebKit

Reporter:

Chris Dumez <cdumez>

Component:

Page Loading

Assignee:

Chris Dumez <cdumez>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

achristensen, beidson, commit-queue, ddkilzer, ggaren, webkit-bug-importer, youennf

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
Patch	none

Description Chris Dumez 2018-06-19 08:39:32 PDT

WebCoreNSURLSessionDataTaskClient::redirectReceived() calls WebCore on non-main thread:
Thread 6 name:  Dispatch queue: NSOperationQueue 0x1006c5730 (QOS: UNSPECIFIED)
Thread 6 Crashed:
0   WebKit                        	0x00000001918dab74 WebKit::WebProcess::ensureNetworkProcessConnection() + 244 (WebProcess.cpp:1105)
1   WebKit                        	0x00000001918daad0 WebKit::WebProcess::ensureNetworkProcessConnection() + 80 (WebProcess.cpp:1104)
2   WebKit                        	0x0000000191903f24 WebKit::WebResourceLoader::messageSenderConnection() + 16 (WebResourceLoader.cpp:71)
3   WebKit                        	0x00000001916c49e8 IPC::MessageSender::sendMessage(std::__1::unique_ptr<IPC::Encoder, std::__1::default_delete<IPC::Encoder> >, WTF::OptionSet<IPC::SendOption>) + 36 (MessageSender.cpp:39)
4   WebKit                        	0x0000000191904c30 bool IPC::MessageSender::send<Messages::NetworkResourceLoader::ContinueWillSendRequest>(Messages::NetworkResourceLoader::ContinueWillSendRequest const&, unsigned long long, WTF::OptionSet<IPC::SendOption>) + 132 (MessageSender.h:49)
5   WebKit                        	0x0000000191904b9c WTF::Function<void (WebCore::ResourceRequest&&)>::CallableWrapper<WebKit::WebResourceLoader::willSendRequest(WebCore::ResourceRequest&&, WebCore::ResourceResponse&&)::$_0>::call(WebCore::ResourceRequest&&) + 80 (MessageSender.h:39)
6   WebCore                       	0x000000018ae0c524 WTF::Function<void (WebCore::ResourceRequest&&)>::CallableWrapper<WebCore::SubresourceLoader::willSendRequestInternal(WebCore::ResourceRequest&&, WebCore::ResourceResponse const&, WTF::CompletionHandler<void (WebCore::ResourceRequest&&)>&&)::$_0::operator()(WTF::CompletionHandler<void (WebCore::ResourceRequest&&)>&&, WebCore::ResourceRequest&&)::'lambda'(WebCore::ResourceRequest&&)>::call(WebCore::ResourceRequest&&) + 120 (Function.h:56)
7   WebCore                       	0x000000018ae00d24 WebCore::ResourceLoader::willSendRequestInternal(WebCore::ResourceRequest&&, WebCore::ResourceResponse const&, WTF::CompletionHandler<void (WebCore::ResourceRequest&&)>&&) + 1584 (Function.h:56)
8   WebCore                       	0x000000018ae07f4c WebCore::SubresourceLoader::willSendRequestInternal(WebCore::ResourceRequest&&, WebCore::ResourceResponse const&, WTF::CompletionHandler<void (WebCore::ResourceRequest&&)>&&)::$_0::operator()(WTF::CompletionHandler<void (WebCore::ResourceRequest&&)>&&, WebCore::ResourceRequest&&) + 356 (SubresourceLoader.cpp:190)
9   WebCore                       	0x000000018ae36448 WTF::Function<void (WebCore::ResourceRequest&&)>::CallableWrapper<WebCore::CachedRawResource::redirectReceived(WebCore::ResourceRequest&&, WebCore::ResourceResponse const&, WTF::CompletionHandler<void (WebCore::ResourceRequest&&)>&&)::$_1>::call(WebCore::ResourceRequest&&) + 84 (Function.h:56)
10  WebCore                       	0x000000018ae2c3ec WebCore::iterateClients(WebCore::CachedResourceClientWalker<WebCore::CachedRawResourceClient>&&, WebCore::CachedResourceHandle<WebCore::CachedRawResource>&&, WebCore::ResourceRequest&&, std::__1::unique_ptr<WebCore::ResourceResponse, std::__1::default_delete<WebCore::ResourceResponse> >&&, WTF::CompletionHandler<void (WebCore::ResourceRequest&&)>&&) + 552 (Function.h:56)
11  WebCore                       	0x000000018b36c7f8 WTF::Function<void ()>::CallableWrapper<-[WebCoreNSURLSessionDataTask resource:receivedRedirect:request:completionHandler:]::$_11>::call() + 448 (Function.h:56)
12  Foundation                    	0x0000000182084694 __NSBLOCKOPERATION_IS_CALLING_OUT_TO_A_BLOCK__ + 16 (NSOperation.m:1467)
13  Foundation                    	0x0000000181fc4410 -[NSBlockOperation main] + 72 (NSOperation.m:1486)
14  Foundation                    	0x0000000181fb3ff8 -[__NSOperationInternal _start:] + 848 (NSOperation.m:830)
15  Foundation                    	0x0000000182086298 __NSOQSchedule_f + 404 (NSOperation.m:2081)
16  libdispatch.dylib             	0x0000000180f6ca2c _dispatch_client_callout + 16 (object.m:507)
17  libdispatch.dylib             	0x0000000180f74e8c _dispatch_continuation_pop$VARIANT$mp + 424 (inline_internal.h:2500)
18  libdispatch.dylib             	0x0000000180f737c4 _dispatch_async_redirect_invoke$VARIANT$mp + 604 (queue.c:3426)
19  libdispatch.dylib             	0x0000000180f79ca4 _dispatch_root_queue_drain + 588 (inline_internal.h:2539)
20  libdispatch.dylib             	0x0000000180f799f4 _dispatch_worker_thread3 + 120 (queue.c:6101)
21  libsystem_pthread.dylib       	0x0000000181295044 _pthread_wqthread + 1176 (pthread.c:2286)
22  libsystem_pthread.dylib       	0x0000000181294ba0 start_wqthread + 4

Comment 1 Chris Dumez 2018-06-19 08:39:43 PDT

<rdar://problem/36960714>

Comment 2 Chris Dumez 2018-06-19 08:43:34 PDT

Created attachment 343058 [details]
Patch

Comment 3 Geoffrey Garen 2018-06-19 09:47:08 PDT

Are these failures real?

  js/mozilla/eval/exhaustive-fun-normalcaller-indirect-normalcode.html [ Crash ]
  js/mozilla/eval/exhaustive-fun-strictcaller-indirect-normalcode.html [ Crash ]
  js/mozilla/eval/exhaustive-global-normalcaller-direct-normalcode.html [ Crash ]
  js/mozilla/eval/exhaustive-global-normalcaller-indirect-normalcode.html [ Crash ]
  js/mozilla/eval/exhaustive-global-strictcaller-indirect-normalcode.html [ Crash ]
  js/mozilla/eval/undeclared-name-in-nested-strict-eval.html [ Crash ]

Comment 4 Chris Dumez 2018-06-19 09:47:54 PDT

Comment on attachment 343058 [details]
Patch

Let's wait but I doubt it.

Comment 5 Chris Dumez 2018-06-19 09:49:37 PDT

(In reply to Chris Dumez from comment #4)
> Comment on attachment 343058 [details]
> Patch
> 
> Let's wait but I doubt it.

As I thought, the crashes are happening on the bots:
https://build.webkit.org/results/Apple%20High%20Sierra%20Debug%20WK1%20(Tests)/r232959%20(4297)/results.html

Comment 6 Chris Dumez 2018-06-19 09:50:04 PDT

(In reply to Chris Dumez from comment #5)
> (In reply to Chris Dumez from comment #4)
> > Comment on attachment 343058 [details]
> > Patch
> > 
> > Let's wait but I doubt it.
> 
> As I thought, the crashes are happening on the bots:
> https://build.webkit.org/results/
> Apple%20High%20Sierra%20Debug%20WK1%20(Tests)/r232959%20(4297)/results.html

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore      	0x00000001068efae0 WTFCrash + 16 (Assertions.cpp:267)
1   com.apple.JavaScriptCore      	0x0000000106a31d46 JSC::JSObject::prepareToPutDirectWithoutTransition(JSC::VM&, JSC::PropertyName, unsigned int, unsigned int, JSC::Structure*)::'lambda'(JSC::GCSafeConcurrentJSLocker const&, int, int)::operator()(JSC::GCSafeConcurrentJSLocker const&, int, int) const + 278 (JSObjectInlines.h:206)
2   com.apple.JavaScriptCore      	0x0000000106a31434 int JSC::Structure::add<(JSC::Structure::ShouldPin)1, JSC::JSObject::prepareToPutDirectWithoutTransition(JSC::VM&, JSC::PropertyName, unsigned int, unsigned int, JSC::Structure*)::'lambda'(JSC::GCSafeConcurrentJSLocker const&, int, int)>(JSC::VM&, JSC::PropertyName, unsigned int, JSC::JSObject::prepareToPutDirectWithoutTransition(JSC::VM&, JSC::PropertyName, unsigned int, unsigned int, JSC::Structure*)::'lambda'(JSC::GCSafeConcurrentJSLocker const&, int, int) const&) + 772 (StructureInlines.h:402)
3   com.apple.JavaScriptCore      	0x0000000106a3111b int JSC::Structure::addPropertyWithoutTransition<JSC::JSObject::prepareToPutDirectWithoutTransition(JSC::VM&, JSC::PropertyName, unsigned int, unsigned int, JSC::Structure*)::'lambda'(JSC::GCSafeConcurrentJSLocker const&, int, int)>(JSC::VM&, JSC::PropertyName, unsigned int, JSC::JSObject::prepareToPutDirectWithoutTransition(JSC::VM&, JSC::PropertyName, unsigned int, unsigned int, JSC::Structure*)::'lambda'(JSC::GCSafeConcurrentJSLocker const&, int, int) const&) + 59 (StructureInlines.h:444)
4   com.apple.JavaScriptCore      	0x0000000106a2fb9a JSC::JSObject::prepareToPutDirectWithoutTransition(JSC::VM&, JSC::PropertyName, unsigned int, unsigned int, JSC::Structure*) + 138 (JSObjectInlines.h:209)
5   com.apple.JavaScriptCore      	0x00000001072ab4c7 bool JSC::JSObject::putDirectInternal<(JSC::JSObject::PutMode)0>(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int, JSC::PutPropertySlot&) + 1111 (JSObjectInlines.h:303)
6   com.apple.JavaScriptCore      	0x0000000107c0359c JSC::JSObject::putInlineSlow(JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 2236 (JSObject.cpp:825)
7   com.apple.JavaScriptCore      	0x00000001072aaeb0 JSC::JSObject::putInlineForJSObject(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 1168 (JSObjectInlines.h:242)
8   com.apple.JavaScriptCore      	0x0000000107bfd245 JSC::JSObject::put(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 69 (JSObject.cpp:755)
9   com.apple.JavaScriptCore      	0x0000000107b91323 JSC::JSGlobalObject::put(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 899 (JSGlobalObject.cpp:1103)
10  com.apple.WebCore             	0x0000000112cf4438 WebCore::JSDOMWindow::put(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 568 (JSDOMWindowCustom.cpp:300)
11  com.apple.JavaScriptCore      	0x000000010782f3d7 JSC::Interpreter::execute(JSC::EvalExecutable*, JSC::ExecState*, JSC::JSValue, JSC::JSScope*) + 2775 (Interpreter.cpp:1215)
12  com.apple.JavaScriptCore      	0x0000000107bdc17c JSC::globalFuncEval(JSC::ExecState*) + 1372 (JSGlobalObjectFunctions.cpp:508)

Comment 7 WebKit Commit Bot 2018-06-19 10:12:29 PDT

Comment on attachment 343058 [details]
Patch

Clearing flags on attachment: 343058

Committed r232965: <https://trac.webkit.org/changeset/232965>

Comment 8 WebKit Commit Bot 2018-06-19 10:12:30 PDT

All reviewed patches have been landed.  Closing bug.