Bug 104922

Summary: [WK2] Frequent NetworkProcess crashes due to null connection when closing tabs
Product: WebKit
Component: WebKit2
Reporter: Alexey Proskuryakov <ap>
Assignee: Alexey Proskuryakov <ap>
Status: RESOLVED FIXED
Severity: Normal
Priority: P2
CC: beidson
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Attachments: proposed patch (flags: andersca: review+)

Alexey Proskuryakov
Reported 2012-12-13 09:13:27 PST
When a tab is closed, WebProcess goes away, but NetworkProcess will still sometimes attempt to send messages to it if there were outstanding loads. NetworkResourceLoader and NetworkConnectionToWebProcess both have m_connection that is zeroed on connection close, and that causes null pointer crashes in IPC machinery. This is easy to reproduce on sites that use long-standing connections, like gmail. <rdar://problem/12870065>
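To make the failure mode in the report concrete, the following is an added, self-contained C++ sketch; it is not WebKit's code and the Connection, Observer, BuggyLoader and FixedLoader types are hypothetical stand-ins for the IPC objects the report names. It contrasts a loader that nulls its connection pointer when the peer closes (and would then dereference null on the next send from an in-flight load) with one that keeps a ref-counted connection alive and lets the send be dropped harmlessly, unregistering its observer only once, in the destructor.

```cpp
#include <algorithm>
#include <cstddef>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Hypothetical stand-ins for the IPC objects in the report (not WebKit code).
struct Message { std::string name; };

class Connection;

class Observer {
public:
    virtual ~Observer() = default;
    virtual void connectionClosed(Connection&) = 0;
};

// A connection to a simulated WebProcess. close() models the peer going away
// when its tab is closed.
class Connection {
public:
    void registerObserver(Observer* o) { m_observers.push_back(o); }
    void unregisterObserver(Observer* o) {
        m_observers.erase(std::remove(m_observers.begin(), m_observers.end(), o), m_observers.end());
    }
    // A message to a closed peer is dropped: the safe failure mode we want.
    bool send(const Message&) { if (!m_open) return false; ++m_sent; return true; }
    void close() {
        m_open = false;
        auto observers = m_observers;  // observers may unregister while being notified
        for (auto* o : observers) o->connectionClosed(*this);
    }
    int sentCount() const { return m_sent; }
    std::size_t observerCount() const { return m_observers.size(); }
private:
    bool m_open = true;
    int m_sent = 0;
    std::vector<Observer*> m_observers;
};

// "Before": the loader zeroes m_connection when the peer goes away. A load
// still in flight will send again later and dereference the null pointer.
class BuggyLoader : public Observer {
public:
    explicit BuggyLoader(Connection& c) : m_connection(&c) { c.registerObserver(this); }
    ~BuggyLoader() override { if (m_connection) m_connection->unregisterObserver(this); }
    void connectionClosed(Connection& c) override {
        c.unregisterObserver(this);
        m_connection = nullptr;  // zeroing on close: the root cause in the report
    }
    // Stand-in for the IPC send the report describes crashing. The null check is
    // here only so the example can report the hazard instead of crashing.
    bool didReceiveData() {
        if (!m_connection) return false;  // the real code would call send() on null here
        return m_connection->send({"DidReceiveData"});
    }
    bool connectionIsNull() const { return m_connection == nullptr; }
private:
    Connection* m_connection;
};

// "After": hold the connection by a ref-counted pointer, never null it, and
// unregister in exactly one place (the destructor). A send after close is a no-op.
class FixedLoader : public Observer {
public:
    explicit FixedLoader(std::shared_ptr<Connection> c) : m_connection(std::move(c)) {
        m_connection->registerObserver(this);
    }
    ~FixedLoader() override { m_connection->unregisterObserver(this); }
    void connectionClosed(Connection&) override { /* m_connection stays valid */ }
    bool didReceiveData() { return m_connection->send({"DidReceiveData"}); }
private:
    std::shared_ptr<Connection> m_connection;
};

// Scenario from the report: a load is outstanding, the tab (WebProcess) goes
// away, then the load tries to send to it.
bool buggyLoaderHasNullConnectionAfterClose() {
    Connection conn;
    BuggyLoader loader(conn);
    loader.didReceiveData();          // in-flight load sends normally
    conn.close();                     // tab closed: WebProcess gone
    return loader.connectionIsNull(); // true: the next unguarded send would crash
}

bool fixedLoaderSurvivesClose() {
    auto conn = std::make_shared<Connection>();
    bool sentBefore = false, droppedAfterClose = false;
    {
        FixedLoader loader(conn);
        sentBefore = loader.didReceiveData();
        conn->close();
        droppedAfterClose = !loader.didReceiveData();  // dropped, not crashed
    }
    // The destructor unregistered the observer exactly once; one message was delivered.
    return sentBefore && droppedAfterClose && conn->observerCount() == 0 && conn->sentCount() == 1;
}
```

The design point mirrors the reviewer discussion below: the connection object is kept alive by its reference count for as long as any loader holds it, so there is no window in which a loader owns a dangling or null pointer, and observer teardown has a single owner instead of two code paths that must stay consistent.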
Attachments
proposed patch (3.57 KB, patch), 2012-12-13 09:17 PST, Alexey Proskuryakov, flags: andersca: review+
Alexey Proskuryakov
Comment 1 2012-12-13 09:17:36 PST
Created attachment 179283 [details] proposed patch
Oliver Hunt
Comment 2 2012-12-13 09:30:32 PST
Comment on attachment 179283 [details] proposed patch
View in context: https://bugs.webkit.org/attachment.cgi?id=179283&action=review

> Source/WebKit2/NetworkProcess/NetworkResourceLoader.cpp:-147
> -    m_connection->unregisterObserver(this);

Why arbitrarily delete this and not have if (RefPtr<blah> connection = m_connection) connection->unregisterObserver(this) ?

> Source/WebKit2/NetworkProcess/NetworkResourceLoader.cpp:-148
> -    m_connection = 0;

If connection is null this doesn't hurt, does it hurt to explicitly clear m_connection if it is non-null?
Alexey Proskuryakov
Comment 3 2012-12-13 10:04:17 PST
Comment on attachment 179283 [details] proposed patch
View in context: https://bugs.webkit.org/attachment.cgi?id=179283&action=review

>> Source/WebKit2/NetworkProcess/NetworkResourceLoader.cpp:-147
>> -    m_connection->unregisterObserver(this);
>
> Why arbitrarily delete this and not have if (RefPtr<blah> connection = m_connection) connection->unregisterObserver(this) ?

There is another unregisterObserver call in destructor, there is no reason to do this twice.

>> Source/WebKit2/NetworkProcess/NetworkResourceLoader.cpp:-148
>> -    m_connection = 0;
>
> If connection is null this doesn't hurt, does it hurt to explicitly clear m_connection if it is non-null?

I'm not sure if I understand the question. m_connection being null is why this crash happens, so it definitely hurts to clear it.
Alexey Proskuryakov
Comment 4 2012-12-13 10:34:08 PST