182271 2018-01-29 17:22:33 -0800 [WPE][GTK] Make RunLoop::TimerBase robust to its own deletion inside its source callback 2018-02-01 11:41:17 -0800 1 1 1 Unclassified WebKit WebKitGTK Other PC Linux RESOLVED FIXED https://bugs.webkit.org/show_bug.cgi?id=182365 P2 Normal --- 1 mcatanzaro mcatanzaro benjamin bugs-noreply cdumez cgarcia cmarcelo dbates ews-watchlist mcatanzaro rniwa ysuzuki oldest_to_newest 1394352 0 mcatanzaro 2018-01-29 17:22:33 -0800 This error occurs 100% when starting GTK MiniBrowser. You just need to wait a few seconds after page load completes. The problem is surely that the RunLoop::Timer owned by the HysteresisActivity owned by SpeculativeLoadManager::PendingFrameLoad has been destroyed already, yet its source callback (the lambda in its constructor) is executing anyway. I think that should only be possible if it's created on one thread and destroyed on another, which would be unsafe. To verify, I tried adding a call to g_source_is_destroyed(g_main_current_source()) at the top of the callback, which I think should have "fixed" it if that was the problem, but it didn't, which surprised me. Then I added some asserts and confirmed that PendingFrameLoads are only used on the main thread. So that's not it. I'm not sure what's going wrong, and I've been staring at this for two hours now, so time to move on.... ==21247==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000005d68 at pc 0x7f7acd13c0fc bp 0x7fff70b96df0 sp 0x7fff70b96de0 READ of size 1 at 0x611000005d68 thread T0 #0 0x7f7acd13c0fb in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::{lambda(void*)#1}::operator()(void*) const (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x4c8b0fb) #1 0x7f7acd13c137 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::{lambda(void*)#1}::_FUN(void*) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x4c8b137) #2 0x7f7acd13b05f in WTF::{lambda(_GSource*, int (*)(void*), void*)#1}::operator()(_GSource*, int (*)(void*), void*) const (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x4c8a05f) #3 0x7f7acd13b08e in WTF::{lambda(_GSource*, int (*)(void*), void*)#1}::_FUN(_GSource*, int (*)(void*), void*) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x4c8a08e) #4 0x7f7ac20c57b4 in g_main_dispatch /home/mcatanzaro/Projects/WebKit/WebKitBuild/DependenciesGTK/Source/glib-2.54.2/glib/gmain.c:3148 #5 0x7f7ac20c57b4 in g_main_context_dispatch /home/mcatanzaro/Projects/WebKit/WebKitBuild/DependenciesGTK/Source/glib-2.54.2/glib/gmain.c:3813 #6 0x7f7ac20c5b57 in g_main_context_iterate /home/mcatanzaro/Projects/WebKit/WebKitBuild/DependenciesGTK/Source/glib-2.54.2/glib/gmain.c:3886 #7 0x7f7ac20c5e61 in g_main_loop_run /home/mcatanzaro/Projects/WebKit/WebKitBuild/DependenciesGTK/Source/glib-2.54.2/glib/gmain.c:4082 #8 0x7f7acd13b91b in WTF::RunLoop::run() (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x4c8a91b) #9 0x7f7ada78f646 in int WebKit::ChildProcessMain<WebKit::NetworkProcess, WebKit::NetworkProcessMain>(int, char**) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0xa5e6646) #10 0x7f7ada78f2f1 in NetworkProcessMainUnix (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0xa5e62f1) #11 0x400ec1 in main (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/bin/WebKitNetworkProcess+0x400ec1) #12 0x7f7abdbbd009 in __libc_start_main (/lib64/libc.so.6+0x21009) #13 0x400d99 in _start (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/bin/WebKitNetworkProcess+0x400d99) 0x611000005d68 is located 168 bytes inside of 224-byte region [0x611000005cc0,0x611000005da0) freed by thread T0 here: #0 0x7f7ae82664b8 in __interceptor_free (/lib64/libasan.so.4+0xde4b8) #1 0x7f7acd1511bd in bmalloc::DebugHeap::free(void*) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x4ca01bd) #2 0x7f7acd15074e in bmalloc::Deallocator::deallocateSlowCase(void*) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x4c9f74e) #3 0x7f7acd04215c in bmalloc::Deallocator::deallocate(void*) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x4b9115c) #4 0x7f7acd042574 in bmalloc::Cache::deallocate(bmalloc::HeapKind, void*) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x4b91574) #5 0x7f7acd04272a in bmalloc::api::free(void*, bmalloc::HeapKind) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x4b9172a) #6 0x7f7acd041444 in WTF::fastFree(void*) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x4b90444) #7 0x7f7ad9b3152c in WTF::RefCounted<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad>::operator delete(void*) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x998852c) #8 0x7f7ad9b29554 in WTF::RefCounted<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad>::deref() const (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x9980554) #9 0x7f7ad9b390ef in void WTF::derefIfNotNull<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad>(WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad*) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x99900ef) #10 0x7f7ad9b327a9 in WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> >::~RefPtr() (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x99897a9) #11 0x7f7ad9b47067 in WTF::KeyValuePairHashTraits<WTF::HashTraits<std::pair<unsigned long, unsigned long> >, WTF::HashTraits<WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > > >::customDeleteBucket(WTF::KeyValuePair<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > >&) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x999e067) #12 0x7f7ad9b45bea in std::enable_if<WTF::HashTraitHasCustomDelete<WTF::HashMap<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> >, WTF::PairHash<unsigned long, unsigned long>, WTF::HashTraits<std::pair<unsigned long, unsigned long> >, WTF::HashTraits<WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > > >::KeyValuePairTraits, WTF::KeyValuePair<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > > >::value, void>::type WTF::hashTraitsDeleteBucket<WTF::HashMap<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> >, WTF::PairHash<unsigned long, unsigned long>, WTF::HashTraits<std::pair<unsigned long, unsigned long> >, WTF::HashTraits<WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > > >::KeyValuePairTraits, WTF::KeyValuePair<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > > >(WTF::KeyValuePair<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > >&) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x999cbea) #13 0x7f7ad9b42e22 in WTF::HashTable<std::pair<unsigned long, unsigned long>, WTF::KeyValuePair<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > > >, WTF::PairHash<unsigned long, unsigned long>, WTF::HashMap<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> >, WTF::PairHash<unsigned long, unsigned long>, WTF::HashTraits<std::pair<unsigned long, unsigned long> >, WTF::HashTraits<WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > > >::KeyValuePairTraits, WTF::HashTraits<std::pair<unsigned long, unsigned long> > >::deleteBucket(WTF::KeyValuePair<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > >&) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x9999e22) #14 0x7f7ad9b3eae9 in WTF::HashTable<std::pair<unsigned long, unsigned long>, WTF::KeyValuePair<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > > >, WTF::PairHash<unsigned long, unsigned long>, WTF::HashMap<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> >, WTF::PairHash<unsigned long, unsigned long>, WTF::HashTraits<std::pair<unsigned long, unsigned long> >, WTF::HashTraits<WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > > >::KeyValuePairTraits, WTF::HashTraits<std::pair<unsigned long, unsigned long> > >::remove(WTF::KeyValuePair<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > >*) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x9995ae9) #15 0x7f7ad9b3a760 in WTF::HashTable<std::pair<unsigned long, unsigned long>, WTF::KeyValuePair<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > > >, WTF::PairHash<unsigned long, unsigned long>, WTF::HashMap<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> >, WTF::PairHash<unsigned long, unsigned long>, WTF::HashTraits<std::pair<unsigned long, unsigned long> >, WTF::HashTraits<WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > > >::KeyValuePairTraits, WTF::HashTraits<std::pair<unsigned long, unsigned long> > >::removeAndInvalidateWithoutEntryConsistencyCheck(WTF::KeyValuePair<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > >*) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x9991760) #16 0x7f7ad9b33f41 in WTF::HashTable<std::pair<unsigned long, unsigned long>, WTF::KeyValuePair<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > > >, WTF::PairHash<unsigned long, unsigned long>, WTF::HashMap<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> >, WTF::PairHash<unsigned long, unsigned long>, WTF::HashTraits<std::pair<unsigned long, unsigned long> >, WTF::HashTraits<WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > > >::KeyValuePairTraits, WTF::HashTraits<std::pair<unsigned long, unsigned long> > >::removeWithoutEntryConsistencyCheck(WTF::HashTableIterator<std::pair<unsigned long, unsigned long>, WTF::KeyValuePair<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > > >, WTF::PairHash<unsigned long, unsigned long>, WTF::HashMap<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> >, WTF::PairHash<unsigned long, unsigned long>, WTF::HashTraits<std::pair<unsigned long, unsigned long> >, WTF::HashTraits<WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > > >::KeyValuePairTraits, WTF::HashTraits<std::pair<unsigned long, unsigned long> > >) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x998af41) #17 0x7f7ad9b2d4c4 in WTF::HashMap<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> >, WTF::PairHash<unsigned long, unsigned long>, WTF::HashTraits<std::pair<unsigned long, unsigned long> >, WTF::HashTraits<WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > > >::remove(WTF::HashTableIteratorAdapter<WTF::HashTable<std::pair<unsigned long, unsigned long>, WTF::KeyValuePair<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > > >, WTF::PairHash<unsigned long, unsigned long>, WTF::HashMap<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> >, WTF::PairHash<unsigned long, unsigned long>, WTF::HashTraits<std::pair<unsigned long, unsigned long> >, WTF::HashTraits<WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > > >::KeyValuePairTraits, WTF::HashTraits<std::pair<unsigned long, unsigned long> > >, WTF::KeyValuePair<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > > >) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x99844c4) #18 0x7f7ad9b262ea in WTF::HashMap<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> >, WTF::PairHash<unsigned long, unsigned long>, WTF::HashTraits<std::pair<unsigned long, unsigned long> >, WTF::HashTraits<WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > > >::remove(std::pair<unsigned long, unsigned long> const&) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x997d2ea) #19 0x7f7ad9b15217 in WebKit::NetworkCache::SpeculativeLoadManager::registerLoad(std::pair<unsigned long, unsigned long> const&, WebCore::ResourceRequest const&, WebKit::NetworkCache::Key const&)::{lambda()#1}::operator()() const (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x996c217) #20 0x7f7ad9b20557 in WTF::Function<void ()>::CallableWrapper<WebKit::NetworkCache::SpeculativeLoadManager::registerLoad(std::pair<unsigned long, unsigned long> const&, WebCore::ResourceRequest const&, WebKit::NetworkCache::Key const&)::{lambda()#1}>::call() (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x9977557) #21 0x7f7ad999bc69 in WTF::Function<void ()>::operator()() const (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x97f2c69) #22 0x7f7ad9b21c11 in WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad::markLoadAsCompleted() (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x9978c11) #23 0x7f7ad9b21dd4 in WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad::PendingFrameLoad(WebKit::NetworkCache::Storage&, WebKit::NetworkCache::Key const&, WTF::Function<void ()>&&)::{lambda(PAL::HysteresisState)#1}::operator()(PAL::HysteresisState) const (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x9978dd4) #24 0x7f7ad9b4a481 in WTF::Function<void (PAL::HysteresisState)>::CallableWrapper<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad::PendingFrameLoad(WebKit::NetworkCache::Storage&, WebKit::NetworkCache::Key const&, WTF::Function<void ()>&&)::{lambda(PAL::HysteresisState)#1}>::call(PAL::HysteresisState) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x99a1481) #25 0x7f7ad9b23f22 in WTF::Function<void (PAL::HysteresisState)>::operator()(PAL::HysteresisState) const (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x997af22) #26 0x7f7ad9b21509 in PAL::HysteresisActivity::hysteresisTimerFired() (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x9978509) #27 0x7f7ad9b4a5c4 in WTF::RunLoop::Timer<PAL::HysteresisActivity>::fired() (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x99a15c4) #28 0x7f7acd13c0ac in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::{lambda(void*)#1}::operator()(void*) const (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x4c8b0ac) #29 0x7f7acd13c137 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::{lambda(void*)#1}::_FUN(void*) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x4c8b137) previously allocated by thread T0 here: #0 0x7f7ae8266850 in malloc (/lib64/libasan.so.4+0xde850) #1 0x7f7acd150f3f in bmalloc::DebugHeap::malloc(unsigned long) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x4c9ff3f) #2 0x7f7acd14c6c0 in bmalloc::Allocator::allocateSlowCase(unsigned long) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x4c9b6c0) #3 0x7f7acd041fd3 in bmalloc::Allocator::allocate(unsigned long) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x4b90fd3) #4 0x7f7acd04230a in bmalloc::Cache::allocate(bmalloc::HeapKind, unsigned long) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x4b9130a) #5 0x7f7acd04268a in bmalloc::api::malloc(unsigned long, bmalloc::HeapKind) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x4b9168a) #6 0x7f7acd041017 in WTF::fastMalloc(unsigned long) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x4b90017) #7 0x7f7ad9b24786 in WTF::RefCounted<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad>::operator new(unsigned long) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x997b786) #8 0x7f7ad9b217cf in WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad::create(WebKit::NetworkCache::Storage&, WebKit::NetworkCache::Key const&, WTF::Function<void ()>&&) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x99787cf) #9 0x7f7ad9b15921 in WebKit::NetworkCache::SpeculativeLoadManager::registerLoad(std::pair<unsigned long, unsigned long> const&, WebCore::ResourceRequest const&, WebKit::NetworkCache::Key const&) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x996c921) #10 0x7f7ad9aee110 in WebKit::NetworkCache::Cache::retrieve(WebCore::ResourceRequest const&, std::pair<unsigned long, unsigned long> const&, WTF::Function<void (std::unique_ptr<WebKit::NetworkCache::Entry, std::default_delete<WebKit::NetworkCache::Entry> >)>&&) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x9945110) #11 0x7f7ad9a2cbc1 in WebKit::NetworkResourceLoader::retrieveCacheEntry(WebCore::ResourceRequest const&) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x9883bc1) #12 0x7f7ad9a2c93c in WebKit::NetworkResourceLoader::start() (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x988393c) #13 0x7f7ad9995270 in WebKit::NetworkConnectionToWebProcess::scheduleResourceLoad(WebKit::NetworkResourceLoadParameters const&) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x97ec270) #14 0x7f7adad57e77 in void IPC::callMemberFunctionImpl<WebKit::NetworkConnectionToWebProcess, void (WebKit::NetworkConnectionToWebProcess::*)(WebKit::NetworkResourceLoadParameters const&), std::tuple<WebKit::NetworkResourceLoadParameters>, 0ul>(WebKit::NetworkConnectionToWebProcess*, void (WebKit::NetworkConnectionToWebProcess::*)(WebKit::NetworkResourceLoadParameters const&), std::tuple<WebKit::NetworkResourceLoadParameters>&&, std::integer_sequence<unsigned long, 0ul>) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0xabaee77) #15 0x7f7adad5505c in void IPC::callMemberFunction<WebKit::NetworkConnectionToWebProcess, void (WebKit::NetworkConnectionToWebProcess::*)(WebKit::NetworkResourceLoadParameters const&), std::tuple<WebKit::NetworkResourceLoadParameters>, std::integer_sequence<unsigned long, 0ul> >(std::tuple<WebKit::NetworkResourceLoadParameters>&&, WebKit::NetworkConnectionToWebProcess*, void (WebKit::NetworkConnectionToWebProcess::*)(WebKit::NetworkResourceLoadParameters const&)) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0xabac05c) #16 0x7f7adad4f046 in void IPC::handleMessage<Messages::NetworkConnectionToWebProcess::ScheduleResourceLoad, WebKit::NetworkConnectionToWebProcess, void (WebKit::NetworkConnectionToWebProcess::*)(WebKit::NetworkResourceLoadParameters const&)>(IPC::Decoder&, WebKit::NetworkConnectionToWebProcess*, void (WebKit::NetworkConnectionToWebProcess::*)(WebKit::NetworkResourceLoadParameters const&)) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0xaba6046) #17 0x7f7adad4c595 in WebKit::NetworkConnectionToWebProcess::didReceiveNetworkConnectionToWebProcessMessage(IPC::Connection&, IPC::Decoder&) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0xaba3595) #18 0x7f7ad9993a86 in WebKit::NetworkConnectionToWebProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x97eaa86) #19 0x7f7ad9bc66ac in IPC::Connection::dispatchMessage(IPC::Decoder&) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x9a1d6ac) #20 0x7f7ad9bc699b in IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x9a1d99b) #21 0x7f7ad9bc6ed0 in IPC::Connection::dispatchOneMessage() (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x9a1ded0) #22 0x7f7ad9bc6333 in IPC::Connection::enqueueIncomingMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >)::{lambda()#1}::operator()() (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x9a1d333) #23 0x7f7ad9bcf59f in WTF::Function<void ()>::CallableWrapper<IPC::Connection::enqueueIncomingMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >)::{lambda()#1}>::call() (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x9a2659f) #24 0x7f7ad999bc69 in WTF::Function<void ()>::operator()() const (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x97f2c69) #25 0x7f7acd08cf2f in WTF::RunLoop::performWork() (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x4bdbf2f) #26 0x7f7acd13b0bf in WTF::RunLoop::RunLoop()::{lambda(void*)#1}::operator()(void*) const (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x4c8a0bf) #27 0x7f7acd13b0e3 in WTF::RunLoop::RunLoop()::{lambda(void*)#1}::_FUN(void*) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x4c8a0e3) #28 0x7f7acd13b05f in WTF::{lambda(_GSource*, int (*)(void*), void*)#1}::operator()(_GSource*, int (*)(void*), void*) const (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x4c8a05f) #29 0x7f7acd13b08e in WTF::{lambda(_GSource*, int (*)(void*), void*)#1}::_FUN(_GSource*, int (*)(void*), void*) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x4c8a08e) SUMMARY: AddressSanitizer: heap-use-after-free (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x4c8b0fb) in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::{lambda(void*)#1}::operator()(void*) const Shadow bytes around the buggy address: 0x0c227fff8b50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c227fff8b60: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa 0x0c227fff8b70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c227fff8b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c227fff8b90: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd =>0x0c227fff8ba0: fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd 0x0c227fff8bb0: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa 0x0c227fff8bc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c227fff8bd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c227fff8be0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd 0x0c227fff8bf0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==21247==ABORTING 1394503 1 cgarcia 2018-01-30 04:40:34 -0800 I think the problem is that the pending frame load is deleted inside the hysteresis callback. - markLoadAsCompleted() is called by hysteresis - markLoadAsCompleted() ends up calling m_loadCompletionHandler() - the completion handler removes the pending frame load from the map which deletes it. The completion handler is the last thing done by markLoadAsCompleted(), so I'm not sure that's a problem. Could you try protecting this before calling m_loadCompletionHandler just in case? 1394800 2 mcatanzaro 2018-01-30 15:30:12 -0800 (In reply to Carlos Garcia Campos from comment #1) > I think the problem is that the pending frame load is deleted inside the > hysteresis callback. > > - markLoadAsCompleted() is called by hysteresis > - markLoadAsCompleted() ends up calling m_loadCompletionHandler() > - the completion handler removes the pending frame load from the map which > deletes it. > > The completion handler is the last thing done by markLoadAsCompleted(), so > I'm not sure that's a problem. Could you try protecting this before calling > m_loadCompletionHandler just in case? Seems like a nice explanation; now I think I finally understand it. I spent too much time squinting at the RunLoop code, and not enough looking at SpeculativeLoadManager. The problem probably doesn't occur for Cocoa ports because their Timer does not do extra work immediately after firing its callback, but ours needs to reset the ready time. Adding a protector does not help, probably because even with the protector, the Timer is still dead when control returns to its source callback. 1394802 3 mcatanzaro 2018-01-30 15:38:28 -0800 I think our RunLoop::Timer might be the only one that is not robust to being destroyed during its user callback, and I don't see an easy fix for SpeculativeLoadManager, but it is simple to fix in our RunLoop::Timer, so I suggest we leave SpeculativeLoadManager alone and change our RunLoop::Timer instead. CCing Chris just in case he wants to change SpeculativeLoadManager anyway. 1394808 4 332717 mcatanzaro 2018-01-30 15:52:38 -0800 Created attachment 332717 Patch 1394809 5 mcatanzaro 2018-01-30 15:54:10 -0800 (In reply to Michael Catanzaro from comment #3) > CCing Chris just in case he wants to change SpeculativeLoadManager anyway. (Probably not, because it's tricky to fix, but the current code is relying on platform-specific implementation details of RunLoop, which is a bit dangerous.) 1394929 6 332717 cgarcia 2018-01-31 00:13:49 -0800 Comment on attachment 332717 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=332717&action=review Have you checked that asan doesn't report any issues in speculative loader after this patch? > Source/WTF/wtf/glib/RunLoopGLib.cpp:171 > + if (g_source_is_destroyed(g_main_current_source())) > + return G_SOURCE_REMOVE; Why don't we keep a pointer to the source before calling fired instead of using g_main_current_source()? I also wonder if we could simply update the ready time before calling fired() instead. RunLoopGeneric has the same problem, btw: bool fired() { if (!isActive()) return false; m_function(); if (!m_isRepeating) return false; updateReadyTime(); return isActive(); } 1394998 7 mcatanzaro 2018-01-31 08:25:00 -0800 (In reply to Carlos Garcia Campos from comment #6) > Why don't we keep a pointer to the source before calling fired instead of > using g_main_current_source()? Sure, I considered doing that. It's an extra ref/unref operation, no big deal. > I also wonder if we could simply update the > ready time before calling fired() instead. I don't know. Changing this would be somewhat scarier. But I think it should be fine.... > RunLoopGeneric has the same > problem, btw: > > bool fired() > { > if (!isActive()) > return false; > > m_function(); > > if (!m_isRepeating) > return false; > > updateReadyTime(); > return isActive(); > } Indeed. I did check to see if it was a problem there, but clearly I messed up, as usual. 1395163 8 mcatanzaro 2018-01-31 14:45:41 -0800 Yusuke, it doesn't look simple to fix RunLoopGeneric, because it will be deleted before the return from m_function(). Do you have any opinion on how we should handle this? If we aren't able to change RunLoopGeneric, then we should try to come up with some way to assert that the Timer has not deleted itself, which is also going to be quite tricky to implement. 1395239 9 mcatanzaro 2018-01-31 16:45:13 -0800 I'm investigating our options for RunLoopGeneric. (In reply to Michael Catanzaro from comment #7) > I don't know. Changing this would be somewhat scarier. But I think it should > be fine.... I think it would be OK, but I'm really not sure, so I am going to stick with keeping a local ref of the GSource. 1395250 10 mcatanzaro 2018-01-31 16:55:23 -0800 Sorry for the spam Ryosuke, I saw you modified Timer and thought you might be interested... but it was a different Timer. (In reply to Michael Catanzaro from comment #9) > I'm investigating our options for RunLoopGeneric. ScheduledTask is ThreadSafeRefCounted. That was a good design decision. I bet all it needs is a protector. I'm going to file a separate bug for this so we can land it separately, because I haven't tested it. Bug #182365. 1395299 11 332834 mcatanzaro 2018-01-31 18:48:33 -0800 Created attachment 332834 Patch 1395372 12 332834 cgarcia 2018-01-31 23:55:36 -0800 Comment on attachment 332834 Patch View in context: https://bugs.webkit.org/attachment.cgi?id=332834&action=review > Source/WTF/wtf/glib/RunLoopGLib.cpp:169 > + GRefPtr<GSource> protectedSource = timer->m_source; We don't need a ref, the source is reffed by dispatch before calling this callback un unreffed after, so it will be alive for sure after calling fired(). 1395584 13 mcatanzaro 2018-02-01 11:41:17 -0800 Committed r227976: <https://trac.webkit.org/changeset/227976> 332717 2018-01-30 15:52:38 -0800 2018-01-31 18:48:31 -0800 Patch bug-182271-20180130175237.patch text/plain 2247 mcatanzaro U3VidmVyc2lvbiBSZXZpc2lvbjogMjI3ODQ1CmRpZmYgLS1naXQgYS9Tb3VyY2UvV1RGL0NoYW5n ZUxvZyBiL1NvdXJjZS9XVEYvQ2hhbmdlTG9nCmluZGV4IDk4MTUwZTY3NGY5YzIwMTBjY2NhYmNm YTUwMzFmYzU4Mjg4YzhiOGQuLjYyMmI0NmYwNTcyZThiZDE1YzI0NTM4ODE2YWRmZWQ2OTZmZjBl MjQgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XVEYvQ2hhbmdlTG9nCisrKyBiL1NvdXJjZS9XVEYvQ2hh bmdlTG9nCkBAIC0xLDMgKzEsMTkgQEAKKzIwMTgtMDEtMzAgIE1pY2hhZWwgQ2F0YW56YXJvICA8 bWNhdGFuemFyb0BpZ2FsaWEuY29tPgorCisgICAgICAgIFtXUEVdW0dUS10gTWFrZSBSdW5Mb29w OjpUaW1lckJhc2Ugcm9idXN0IHRvIGl0cyBvd24gZGVsZXRpb24gaW5zaWRlIGl0cyBzb3VyY2Ug Y2FsbGJhY2sKKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lk PTE4MjI3MQorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAg IFJ1bkxvb3BUaW1lcjo6ZmlyZWQgZXhlY3V0ZXMgdGhlIHVzZXIncyBjYWxsYmFjaywgd2hpY2gg Y291bGQgZGVsZXRlIHRoZSBSdW5Mb29wVGltZXIKKyAgICAgICAgaXRzZWxmLiBCdXQgdGhlIHNv dXJjZSBjYWxsYmFjayBpcyBub3QgcHJlcGFyZWQgdG8gaGFuZGxlIHRoaXMgY2FzZS4gV2UgY2Fu IGRldGVjdCBpdAorICAgICAgICBlYXNpbHksIGJlY2F1c2UgVGltZXJCYXNlJ3MgZGVzdHJ1Y3Rv ciB3aWxsIGNhbGwgZ19zb3VyY2VfZGVzdHJveSgpLCB3aGljaCBjb25mdXNpbmdseQorICAgICAg ICByZW1vdmVzIHRoZSBHU291cmNlIGZyb20gaXRzIEdNYWluQ29udGV4dCB3aXRob3V0IGFjdHVh bGx5IGRlc3Ryb3lpbmcgdGhlIEdTb3VyY2UuIFRoZW4gd2UKKyAgICAgICAgY2FuIGNoZWNrIGlm IHRoZSBHU291cmNlIGlzIHN0aWxsIGF0dGFjaGVkIHVzaW5nIGdfc291cmNlX2lzX2Rlc3Ryb3ll ZCgpLgorCisgICAgICAgICogd3RmL2dsaWIvUnVuTG9vcEdMaWIuY3BwOgorICAgICAgICAoV1RG OjpSdW5Mb29wOjpUaW1lckJhc2U6OlRpbWVyQmFzZSk6CisKIDIwMTgtMDEtMzAgIERvbiBPbG1z dGVhZCAgPGRvbi5vbG1zdGVhZEBzb255LmNvbT4KIAogICAgICAgICBbQ01ha2VdIE1ha2UgV1RG IGhlYWRlcnMgY29waWVzCmRpZmYgLS1naXQgYS9Tb3VyY2UvV1RGL3d0Zi9nbGliL1J1bkxvb3BH TGliLmNwcCBiL1NvdXJjZS9XVEYvd3RmL2dsaWIvUnVuTG9vcEdMaWIuY3BwCmluZGV4IGE3Yjgy ZDAyOGU4MDUwZDE4NzYwZTNjOTc0YjU3MTNjNzkyY2M1ZjUuLmY1ODY5ZDAxYTZjNzQzN2NkMzcw M2U4NDc3MmZjMDgxZDM1ZmNlMjMgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XVEYvd3RmL2dsaWIvUnVu TG9vcEdMaWIuY3BwCisrKyBiL1NvdXJjZS9XVEYvd3RmL2dsaWIvUnVuTG9vcEdMaWIuY3BwCkBA IC0xNjIsOCArMTYyLDEzIEBAIFJ1bkxvb3A6OlRpbWVyQmFzZTo6VGltZXJCYXNlKFJ1bkxvb3Am IHJ1bkxvb3ApCiAgICAgZ19zb3VyY2Vfc2V0X3ByaW9yaXR5KG1fc291cmNlLmdldCgpLCBSdW5M b29wU291cmNlUHJpb3JpdHk6OlJ1bkxvb3BUaW1lcik7CiAgICAgZ19zb3VyY2Vfc2V0X25hbWUo bV9zb3VyY2UuZ2V0KCksICJbV2ViS2l0XSBSdW5Mb29wOjpUaW1lciB3b3JrIik7CiAgICAgZ19z b3VyY2Vfc2V0X2NhbGxiYWNrKG1fc291cmNlLmdldCgpLCBbXShncG9pbnRlciB1c2VyRGF0YSkg LT4gZ2Jvb2xlYW4geworICAgICAgICAvLyBmaXJlZCgpIGV4ZWN1dGVzIHRoZSB1c2VyJ3MgY2Fs bGJhY2suIEl0IG1heSBkZXN0cm95IHRpbWVyLCB3aGljaCBpcworICAgICAgICAvLyB3aHkgd2Ug bXVzdCBjaGVjayBpZiB0aGUgc291cmNlIGlzIHN0aWxsIGFjdGl2ZSBhZnRlcndhcmRzIGJlZm9y ZSBpdAorICAgICAgICAvLyBpcyBzYWZlIHRvIGRlcmVmZXJlbmNlIHRpbWVyIGFnYWluLgogICAg ICAgICBSdW5Mb29wOjpUaW1lckJhc2UqIHRpbWVyID0gc3RhdGljX2Nhc3Q8UnVuTG9vcDo6VGlt ZXJCYXNlKj4odXNlckRhdGEpOwogICAgICAgICB0aW1lci0+ZmlyZWQoKTsKKyAgICAgICAgaWYg KGdfc291cmNlX2lzX2Rlc3Ryb3llZChnX21haW5fY3VycmVudF9zb3VyY2UoKSkpCisgICAgICAg ICAgICByZXR1cm4gR19TT1VSQ0VfUkVNT1ZFOwogICAgICAgICBpZiAodGltZXItPm1faXNSZXBl YXRpbmcpCiAgICAgICAgICAgICB0aW1lci0+dXBkYXRlUmVhZHlUaW1lKCk7CiAgICAgICAgIHJl dHVybiBHX1NPVVJDRV9DT05USU5VRTsK 332834 2018-01-31 18:48:33 -0800 2018-01-31 23:55:36 -0800 Patch bug-182271-20180131204832.patch text/plain 2301 mcatanzaro U3VidmVyc2lvbiBSZXZpc2lvbjogMjI3OTQzCmRpZmYgLS1naXQgYS9Tb3VyY2UvV1RGL0NoYW5n ZUxvZyBiL1NvdXJjZS9XVEYvQ2hhbmdlTG9nCmluZGV4IDJiNDU0NjU1ODA5NDE5ODQ1M2ZkYzc3 YmE4M2EzOGEwOWE1M2RkOTYuLjU0YzFmNWRiOGE0MDRjOTI1NzY3ZGE1ZWViODhhM2Y4MWU4YzRl Y2EgMTAwNjQ0Ci0tLSBhL1NvdXJjZS9XVEYvQ2hhbmdlTG9nCisrKyBiL1NvdXJjZS9XVEYvQ2hh bmdlTG9nCkBAIC0xLDMgKzEsMTkgQEAKKzIwMTgtMDEtMzEgIE1pY2hhZWwgQ2F0YW56YXJvICA8 bWNhdGFuemFyb0BpZ2FsaWEuY29tPgorCisgICAgICAgIFtXUEVdW0dUS10gTWFrZSBSdW5Mb29w OjpUaW1lckJhc2Ugcm9idXN0IHRvIGl0cyBvd24gZGVsZXRpb24gaW5zaWRlIGl0cyBzb3VyY2Ug Y2FsbGJhY2sKKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lk PTE4MjI3MQorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAg IFJ1bkxvb3BUaW1lcjo6ZmlyZWQgZXhlY3V0ZXMgdGhlIHVzZXIncyBjYWxsYmFjaywgd2hpY2gg Y291bGQgZGVsZXRlIHRoZSBSdW5Mb29wVGltZXIKKyAgICAgICAgaXRzZWxmLiBCdXQgdGhlIHNv dXJjZSBjYWxsYmFjayBpcyBub3QgcHJlcGFyZWQgdG8gaGFuZGxlIHRoaXMgY2FzZS4gV2UgY2Fu IGRldGVjdCBpdAorICAgICAgICBlYXNpbHksIGJlY2F1c2UgVGltZXJCYXNlJ3MgZGVzdHJ1Y3Rv ciB3aWxsIGNhbGwgZ19zb3VyY2VfZGVzdHJveSgpLCB3aGljaCBjb25mdXNpbmdseQorICAgICAg ICByZW1vdmVzIHRoZSBHU291cmNlIGZyb20gaXRzIEdNYWluQ29udGV4dCB3aXRob3V0IGFjdHVh bGx5IGRlc3Ryb3lpbmcgdGhlIEdTb3VyY2UuIFRoZW4gd2UKKyAgICAgICAgY2FuIGNoZWNrIGlm IHRoZSBHU291cmNlIGlzIHN0aWxsIGF0dGFjaGVkIHVzaW5nIGdfc291cmNlX2lzX2Rlc3Ryb3ll ZCgpLgorCisgICAgICAgICogd3RmL2dsaWIvUnVuTG9vcEdMaWIuY3BwOgorICAgICAgICAoV1RG OjpSdW5Mb29wOjpUaW1lckJhc2U6OlRpbWVyQmFzZSk6CisKIDIwMTgtMDEtMzEgIE1hcmsgTGFt ICA8bWFyay5sYW1AYXBwbGUuY29tPgogCiAgICAgICAgIEZpeCBzb21lIEFSTTY0XzMyIGJ1aWxk IGZhaWx1cmVzLgpkaWZmIC0tZ2l0IGEvU291cmNlL1dURi93dGYvZ2xpYi9SdW5Mb29wR0xpYi5j cHAgYi9Tb3VyY2UvV1RGL3d0Zi9nbGliL1J1bkxvb3BHTGliLmNwcAppbmRleCBhN2I4MmQwMjhl ODA1MGQxODc2MGUzYzk3NGI1NzEzYzc5MmNjNWY1Li41YTc0ZWYzMzU2Nzk5ZWFmNWFhZTc1NDE0 MDUyMGU2ZTgzMmI5MzBkIDEwMDY0NAotLS0gYS9Tb3VyY2UvV1RGL3d0Zi9nbGliL1J1bkxvb3BH TGliLmNwcAorKysgYi9Tb3VyY2UvV1RGL3d0Zi9nbGliL1J1bkxvb3BHTGliLmNwcApAQCAtMTYy LDggKzE2MiwxNCBAQCBSdW5Mb29wOjpUaW1lckJhc2U6OlRpbWVyQmFzZShSdW5Mb29wJiBydW5M b29wKQogICAgIGdfc291cmNlX3NldF9wcmlvcml0eShtX3NvdXJjZS5nZXQoKSwgUnVuTG9vcFNv dXJjZVByaW9yaXR5OjpSdW5Mb29wVGltZXIpOwogICAgIGdfc291cmNlX3NldF9uYW1lKG1fc291 cmNlLmdldCgpLCAiW1dlYktpdF0gUnVuTG9vcDo6VGltZXIgd29yayIpOwogICAgIGdfc291cmNl X3NldF9jYWxsYmFjayhtX3NvdXJjZS5nZXQoKSwgW10oZ3BvaW50ZXIgdXNlckRhdGEpIC0+IGdi b29sZWFuIHsKKyAgICAgICAgLy8gZmlyZWQoKSBleGVjdXRlcyB0aGUgdXNlcidzIGNhbGxiYWNr LiBJdCBtYXkgZGVzdHJveSB0aW1lciwgd2hpY2ggaXMKKyAgICAgICAgLy8gd2h5IHdlIG11c3Qg Y2hlY2sgaWYgdGhlIHNvdXJjZSBpcyBzdGlsbCBhY3RpdmUgYWZ0ZXJ3YXJkcyBiZWZvcmUgaXQK KyAgICAgICAgLy8gaXMgc2FmZSB0byBkZXJlZmVyZW5jZSB0aW1lciBhZ2Fpbi4KICAgICAgICAg UnVuTG9vcDo6VGltZXJCYXNlKiB0aW1lciA9IHN0YXRpY19jYXN0PFJ1bkxvb3A6OlRpbWVyQmFz ZSo+KHVzZXJEYXRhKTsKKyAgICAgICAgR1JlZlB0cjxHU291cmNlPiBwcm90ZWN0ZWRTb3VyY2Ug PSB0aW1lci0+bV9zb3VyY2U7CiAgICAgICAgIHRpbWVyLT5maXJlZCgpOworICAgICAgICBpZiAo Z19zb3VyY2VfaXNfZGVzdHJveWVkKHByb3RlY3RlZFNvdXJjZS5nZXQoKSkpCisgICAgICAgICAg ICByZXR1cm4gR19TT1VSQ0VfUkVNT1ZFOwogICAgICAgICBpZiAodGltZXItPm1faXNSZXBlYXRp bmcpCiAgICAgICAgICAgICB0aW1lci0+dXBkYXRlUmVhZHlUaW1lKCk7CiAgICAgICAgIHJldHVy biBHX1NPVVJDRV9DT05USU5VRTsK