301998 2025-11-05 00:55:18 -0800 Function=(const Function&&) is a footgun in waiting 2025-11-12 00:56:11 -0800 1 1 1 Unclassified WebKit Web Template Framework WebKit Nightly Build Unspecified Unspecified NEW https://bugs.webkit.org/show_bug.cgi?id=302139 InRadar P2 Normal --- 1 jean-yves.avenard webkit-unassigned cdumez webkit-bug-importer oldest_to_newest 2156532 0 jean-yves.avenard 2025-11-05 00:55:18 -0800 Today I encountered an issue that is rather problematic. the code was ``` ensureOnDispatcherWithConnection([callback = WTFMove(callback)](auto& renderer, auto& connection) { assertIsCurrent(queueSingleton()); renderer.m_hasAvailableVideoFrameCallback = WTFMove(callback); connection.send(Messages::RemoteAudioVideoRendererProxyManager::NotifyWhenHasAvailableVideoFrame(renderer.m_identifier, !!renderer.m_hasAvailableVideoFrameCallback), 0); }); ``` the code crashed with an infinite recursion. At first I was surprised it even compiled as I had forgotten the `mutable` keyword and didn't expect `renderer.m_hasAvailableVideoFrameCallback = WTFMove(callback);` to even compile. the stack trace was ``` thread #2, queue = 'AudioVideoRendererRemote', stop reason = EXC_BAD_ACCESS (code=2, address=0x16b1e7fd0) * frame #0: 0x0000000131360128 JavaScriptCore`WTF::assertMallocRestrictionForCurrentThreadScope() at MallocCommon.cpp:58 frame #1: 0x0000000131305994 JavaScriptCore`WTF::fastMalloc(size=16) at FastMalloc.cpp:537:5 [opt] frame #2: 0x000000011b5587c8 WebKit`WTF::Detail::CallableWrapperAllocatorBase::operator new(size=16) at Function.h:38:5 frame #3: 0x000000011f79665c WebKit`std::__1::unique_ptr<WTF::Detail::CallableWrapper<WTF::Function<void (WTF::MediaTime const&, double)> const, void, WTF::MediaTime const&, double>, std::__1::default_delete<WTF::Detail::CallableWrapper<WTF::Function<void (WTF::MediaTime const&, double)> const, void, WTF::MediaTime const&, double>>> std::__1::make_unique[abi:sn200100]<WTF::Detail::CallableWrapper<WTF::Function<void (WTF::MediaTime const&, double)> const, void, WTF::MediaTime const&, double>, WTF::Function<void (WTF::MediaTime const&, double)> const, 0>(__args=0x00000001190cc1a8) at unique_ptr.h:767:26 frame #4: 0x000000011f7965a4 WebKit`decltype(auto) WTF::makeUnique<WTF::Detail::CallableWrapper<WTF::Function<void (WTF::MediaTime const&, double)> const, void, WTF::MediaTime const&, double>, WTF::Function<void (WTF::MediaTime const&, double)> const>(args=0x00000001190cc1a8) at StdLibExtras.h:871:12 frame #5: 0x000000011f79685c WebKit`WTF::Function<void (WTF::MediaTime const&, double)>::Function<WTF::Function<void (WTF::MediaTime const&, double)> const>(this=0x00000001193cf538, callable=0x00000001190cc1a8) at Function.h:80:29 frame #6: 0x000000011f79677c WebKit`WTF::Function<void (WTF::MediaTime const&, double)>::Function<WTF::Function<void (WTF::MediaTime const&, double)> const>(this=0x00000001193cf538, callable=0x00000001190cc1a8) at Function.h:80:130 frame #7: 0x000000011f796744 WebKit`WTF::Detail::CallableWrapper<WTF::Function<void (WTF::MediaTime const&, double)> const, void, WTF::MediaTime const&, double>::CallableWrapper(this=0x00000001193cf530, callable=0x00000001190cc1a8) at Function.h:56:11 frame #8: 0x000000011f7966a8 WebKit`WTF::Detail::CallableWrapper<WTF::Function<void (WTF::MediaTime const&, double)> const, void, WTF::MediaTime const&, double>::CallableWrapper(this=0x00000001193cf530, callable=0x00000001190cc1a8) at Function.h:56:41 frame #9: 0x000000011f796668 WebKit`std::__1::unique_ptr<WTF::Detail::CallableWrapper<WTF::Function<void (WTF::MediaTime const&, double)> const, void, WTF::MediaTime const&, double>, std::__1::default_delete<WTF::Detail::CallableWrapper<WTF::Function<void (WTF::MediaTime const&, double)> const, void, WTF::MediaTime const&, double>>> std::__1::make_unique[abi:sn200100]<WTF::Detail::CallableWrapper<WTF::Function<void (WTF::MediaTime const&, double)> const, void, WTF::MediaTime const&, double>, WTF::Function<void (WTF::MediaTime const&, double)> const, 0>(__args=0x00000001190cc1a8) at unique_ptr.h:767:30 frame #10: 0x000000011f7965a4 WebKit`decltype(auto) WTF::makeUnique<WTF::Detail::CallableWrapper<WTF::Function<void (WTF::MediaTime const&, double)> const, void, WTF::MediaTime const&, double>, WTF::Function<void (WTF::MediaTime const&, double)> const>(args=0x00000001190cc1a8) at StdLibExtras.h:871:12 frame #11: 0x000000011f79685c WebKit`WTF::Function<void (WTF::MediaTime const&, double)>::Function<WTF::Function<void (WTF::MediaTime const&, double)> const>(this=0x00000001193cf528, callable=0x00000001190cc1a8) at Function.h:80:29 frame #12: 0x000000011f79677c WebKit`WTF::Function<void (WTF::MediaTime const&, double)>::Function<WTF::Function<void (WTF::MediaTime const&, double)> const>(this=0x00000001193cf528, callable=0x00000001190cc1a8) at Function.h:80:130 frame #13: 0x000000011f796744 WebKit`WTF::Detail::CallableWrapper<WTF::Function<void (WTF::MediaTime const&, double)> const, void, WTF::MediaTime const&, double>::CallableWrapper(this=0x00000001193cf520, callable=0x00000001190cc1a8) at Function.h:56:11 frame #14: 0x000000011f7966a8 WebKit`WTF::Detail::CallableWrapper<WTF::Function<void (WTF::MediaTime const&, double)> const, void, WTF::MediaTime const&, double>::CallableWrapper(this=0x00000001193cf520, callable=0x00000001190cc1a8) at Function.h:56:41 frame #15: 0x000000011f796668 WebKit`std::__1::unique_ptr<WTF::Detail::CallableWrapper<WTF::Function<void (WTF::MediaTime const&, double)> const, void, WTF::MediaTime const&, double>, std::__1::default_delete<WTF::Detail::CallableWrapper<WTF::Function<void (WTF::MediaTime const&, double)> const, void, WTF::MediaTime const&, double>>> std::__1::make_unique[abi:sn200100]<WTF::Detail::CallableWrapper<WTF::Function<void (WTF::MediaTime const&, double)> const, void, WTF::MediaTime const&, double>, WTF::Function<void (WTF::MediaTime const&, double)> const, 0>(__args=0x00000001190cc1a8) at unique_ptr.h:767:30 frame #16: 0x000000011f7965a4 WebKit`decltype(auto) WTF::makeUnique<WTF::Detail::CallableWrapper<WTF::Function<void (WTF::MediaTime const&, double)> const, void, WTF::MediaTime const&, double>, WTF::Function<void (WTF::MediaTime const&, double)> const>(args=0x00000001190cc1a8) at StdLibExtras.h:871:12 frame #17: 0x000000011f79685c WebKit`WTF::Function<void (WTF::MediaTime const&, double)>::Function<WTF::Function<void (WTF::MediaTime const&, double)> const>(this=0x00000001193cf518, callable=0x00000001190cc1a8) at Function.h:80:29 frame #18: 0x000000011f79677c WebKit`WTF::Function<void (WTF::MediaTime const&, double)>::Function<WTF::Function<void (WTF::MediaTime const&, double)> const>(this=0x00000001193cf518, callable=0x00000001190cc1a8) at Function.h:80:130 frame #19: 0x000000011f796744 WebKit`WTF::Detail::CallableWrapper<WTF::Function<void (WTF::MediaTime const&, double)> const, void, WTF::MediaTime const&, double>::CallableWrapper(this=0x00000001193cf510, callable=0x00000001190cc1a8) at Function.h:56:11 frame #20: 0x000000011f7966a8 WebKit`WTF::Detail::CallableWrapper<WTF::Function<void (WTF::MediaTime const&, double)> const, void, WTF::MediaTime const&, double>::CallableWrapper(this=0x00000001193cf510, callable=0x00000001190cc1a8) at Function.h:56:41 frame #21: 0x000000011f796668 WebKit`std::__1::unique_ptr<WTF::Detail::CallableWrapper<WTF::Function<void (WTF::MediaTime const&, double)> const, void, WTF::MediaTime const&, double>, std::__1::default_delete<WTF::Detail::CallableWrapper<WTF::Function<void (WTF::MediaTime const&, double)> const, void, [....] repeat 4000 times WTF::MediaTime const&, double>>> std::__1::make_unique[abi:sn200100]<WTF::Detail::CallableWrapper<WTF::Function<void (WTF::MediaTime const&, double)> const, void, WTF::MediaTime const&, double>, WTF::Function<void (WTF::MediaTime const&, double)> const, 0>(__args=0x00000001190cc1a8) at unique_ptr.h:767:30 frame #10480: 0x000000011f7965a4 WebKit`decltype(auto) WTF::makeUnique<WTF::Detail::CallableWrapper<WTF::Function<void (WTF::MediaTime const&, double)> const, void, WTF::MediaTime const&, double>, WTF::Function<void (WTF::MediaTime const&, double)> const>(args=0x00000001190cc1a8) at StdLibExtras.h:871:12 frame #10481: 0x000000011f79685c WebKit`WTF::Function<void (WTF::MediaTime const&, double)>::Function<WTF::Function<void (WTF::MediaTime const&, double)> const>(this=0x00000001193c8768, callable=0x00000001190cc1a8) at Function.h:80:29 frame #10482: 0x000000011f79677c WebKit`WTF::Function<void (WTF::MediaTime const&, double)>::Function<WTF::Function<void (WTF::MediaTime const&, double)> const>(this=0x00000001193c8768, callable=0x00000001190cc1a8) at Function.h:80:130 frame #10483: 0x000000011f796744 WebKit`WTF::Detail::CallableWrapper<WTF::Function<void (WTF::MediaTime const&, double)> const, void, WTF::MediaTime const&, double>::CallableWrapper(this=0x00000001193c8760, callable=0x00000001190cc1a8) at Function.h:56:11 frame #10484: 0x000000011f7966a8 WebKit`WTF::Detail::CallableWrapper<WTF::Function<void (WTF::MediaTime const&, double)> const, void, WTF::MediaTime const&, double>::CallableWrapper(this=0x00000001193c8760, callable=0x00000001190cc1a8) at Function.h:56:41 frame #10485: 0x000000011f796668 WebKit`std::__1::unique_ptr<WTF::Detail::CallableWrapper<WTF::Function<void (WTF::MediaTime const&, double)> const, void, WTF::MediaTime const&, double>, std::__1::default_delete<WTF::Detail::CallableWrapper<WTF::Function<void (WTF::MediaTime const&, double)> const, void, WTF::MediaTime const&, double>>> std::__1::make_unique[abi:sn200100]<WTF::Detail::CallableWrapper<WTF::Function<void (WTF::MediaTime const&, double)> const, void, WTF::MediaTime const&, double>, WTF::Function<void (WTF::MediaTime const&, double)> const, 0>(__args=0x00000001190cc1a8) at unique_ptr.h:767:30 frame #11128: 0x000000011f7965a4 WebKit`decltype(auto) WTF::makeUnique<WTF::Detail::CallableWrapper<WTF::Function<void (WTF::MediaTime const&, double)> const, void, WTF::MediaTime const&, double>, WTF::Function<void (WTF::MediaTime const&, double)> const>(args=0x00000001190cc1a8) at StdLibExtras.h:871:12 frame #11129: 0x000000011f79645c WebKit`WTF::Function<void (WTF::MediaTime const&, double)>& WTF::Function<void (WTF::MediaTime const&, double)>::operator=<WTF::Function<void (WTF::MediaTime const&, double)> const>(this=0x00000001192602e0, callable=0x00000001190cc1a8) at Function.h:112:29 frame #11130: 0x000000011f7963b0 WebKit`_ZZN6WebKit24AudioVideoRendererRemote32notifyWhenHasAvailableVideoFrameEON3WTF8FunctionIFvRKNS1_9MediaTimeEdEEEENK3$_0clIS0_N3IPC10ConnectionEEEDaRT_RT0_(this=0x00000001190cc1a8, renderer=0x0000000119260210, connection=0x0000000119262100) at AudioVideoRendererRemote.cpp:207:51 frame #11131: 0x000000011f7962d0 WebKit`WTF::Detail::CallableWrapper<WebKit::AudioVideoRendererRemote::notifyWhenHasAvailableVideoFrame(WTF::Function<void (WTF::MediaTime const&, double)>&&)::$_0, void, WebKit::AudioVideoRendererRemote&, IPC::Connection&>::call(this=0x00000001190cc1a0, in=0x0000000119260210, in=0x0000000119262100) at Function.h:59:39 frame #11132: 0x000000011f7afd90 WebKit`WTF::Function<void (WebKit::AudioVideoRendererRemote&, IPC::Connection&)>::operator()(this=0x00000001190d81d8, in=0x0000000119260210, in=0x0000000119262100) const at Function.h:103:35 frame #11133: 0x000000011f7afca0 WebKit`WebKit::AudioVideoRendererRemote::ensureOnDispatcherWithConnection(WTF::Function<void (WebKit::AudioVideoRendererRemote&, IPC::Connection&)>&&)::$_0::operator()(this=0x00000001190d81c8) at AudioVideoRendererRemote.cpp:647:9 frame #11134: 0x000000011f7afb2c WebKit`WTF::Detail::CallableWrapper<WebKit::AudioVideoRendererRemote::ensureOnDispatcherWithConnection(WTF::Function<void (WebKit::AudioVideoRendererRemote&, IPC::Connection&)>&&)::$_0, void>::call(this=0x00000001190d81c0) at Function.h:59:39 frame #11135: 0x00000001312d7614 JavaScriptCore`WTF::Function<void ()>::operator()(this=0x00000001190cc1b0) const at Function.h:103:35 frame #11136: 0x00000001314d0c2c JavaScriptCore`WTF::(anonymous namespace)::DispatchWorkItem::operator()(this=0x00000001190cc1b0) at WorkQueueCocoa.cpp:40:25 frame #11137: 0x00000001314cf85c JavaScriptCore`void WTF::dispatchWorkItem<WTF::(anonymous namespace)::DispatchWorkItem>(dispatchContext=0x00000001190cc1b0) at WorkQueueCocoa.cpp:48:5 frame #11138: 0x0000000104de14dc libdispatch.dylib`_dispatch_client_callout + 16 frame #11139: 0x0000000104dcd7bc libdispatch.dylib`_dispatch_lane_serial_drain + 820 frame #11140: 0x0000000104dce65c libdispatch.dylib`_dispatch_lane_invoke + 440 frame #11141: 0x0000000104ddc220 libdispatch.dylib`_dispatch_root_queue_drain_deferred_wlh + 664 frame #11142: 0x0000000104ddb700 libdispatch.dylib`_dispatch_workloop_worker_thread + 752 frame #11143: 0x0000000104e677e4 libsystem_pthread.dylib`_pthread_wqthread + 292 ``` The code for the operator= Function=(const Function&&) starts with doing ``` Function& operator=(CallableType&& callable) { m_callableWrapper = makeUnique<Detail::CallableWrapper<CallableType, Out, In...>>(std::forward<CallableType>(callable)); return *this; } ``` and from there CallableWrapper tries to create a new function and so forth. It may be best to check that neither CallableType nor FunctionType are const. 2158187 1 webkit-bug-importer 2025-11-12 00:56:11 -0800 <rdar://problem/164544374>