Bug 116814

Summary:

Webkit crashes while loading content from Application Cache

Product:

WebKit

Reporter:

Charles Wei <charles.wei>

Component:

Page Loading

Assignee:

Charles Wei <charles.wei>

Status:

RESOLVED FIXED

Severity:

Major

CC:

abarth, ap, beidson, buildbot, commit-queue, japhet, koivisto, rniwa, rwlbuis, staikos

Priority:

Version:

528+ (Nightly build)

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
Patch	none
Patch	none
Archive of layout-test-results from webkit-ews-16 for mac-mountainlion-wk2	none
Patch	none
Patch	none
Patch	none

Charles Wei

Reported 2013-05-27 02:14:47 PDT

WebKit crashes while trying to load the content from page cache. (gdb) bt #0 0x00007ffff67ac452 in WebCore::CachedRawResource::responseReceived (this=0x7fffdea40a00, response=...) at /home/cswei/project/tot/Source/WebCore/loader/cache/CachedRawResource.cpp:132 #1 0x00007ffff680ad6e in WebCore::SubresourceLoader::didReceiveResponse (this=0x7fffdea00800, response=...) at /home/cswei/project/tot/Source/WebCore/loader/SubresourceLoader.cpp:184 #2 0x00007ffff67c764e in substituteResourceDeliveryTimerFired (this=<optimized out>) at /home/cswei/project/tot/Source/WebCore/loader/DocumentLoader.cpp:1100 #3 WebCore::DocumentLoader::substituteResourceDeliveryTimerFired (this=<optimized out>) at /home/cswei/project/tot/Source/WebCore/loader/DocumentLoader.cpp:1081 #4 0x00007ffff6964ea2 in WebCore::ThreadTimers::sharedTimerFiredInternal (this=0x7fffde9f80f0) at /home/cswei/project/tot/Source/WebCore/platform/ThreadTimers.cpp:129 #5 0x00007ffff3e6ff19 in QObject::event(QEvent*) () from /usr/local/Qt-5.1.0/lib/libQt5Core.so.5 #6 0x00007ffff4d339d4 in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/local/Qt-5.1.0/lib/libQt5Widgets.so.5 #7 0x00007ffff4d36c91 in QApplication::notify(QObject*, QEvent*) () from /usr/local/Qt-5.1.0/lib/libQt5Widgets.so.5 #8 0x00007ffff3e47724 in QCoreApplication::notifyInternal(QObject*, QEvent*) () from /usr/local/Qt-5.1.0/lib/libQt5Core.so.5 #9 0x00007ffff3e90acc in QTimerInfoList::activateTimers() () from /usr/local/Qt-5.1.0/lib/libQt5Core.so.5 #10 0x00007ffff3e912dd in ?? () from /usr/local/Qt-5.1.0/lib/libQt5Core.so.5 #11 0x00007fffef264a5d in g_main_context_dispatch () from /lib/x86_64-linux-gnu/libglib-2.0.so.0 #12 0x00007fffef265258 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0 #13 0x00007fffef265429 in g_main_context_iteration () from /lib/x86_64-linux-gnu/libglib-2.0.so.0 #14 0x00007ffff3e91ab4 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Qt-5.1.0/lib/libQt5Core.so.5 #15 0x00007ffff3e464bb in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Qt-5.1.0/lib/libQt5Core.so.5 #16 0x00007ffff3e4a580 in QCoreApplication::exec() () from /usr/local/Qt-5.1.0/lib/libQt5Core.so.5 #17 0x00000000004156b0 in launcherMain (app=...) at /home/cswei/project/tot/Tools/QtTestBrowser/qttestbrowser.cpp:54 #18 main (argc=1, argv=<optimized out>) at /home/cswei/project/tot/Tools/QtTestBrowser/qttestbrowser.cpp:318 (gdb) list 131 126 } 127 128 void CachedRawResource::responseReceived(const ResourceResponse& response) 129 { 130 CachedResourceHandle<CachedRawResource> protect(this); 131 if (!m_identifier) 132 m_identifier = m_loader->identifier(); 133 CachedResource::responseReceived(response); 134 CachedResourceClientWalker<CachedRawResourceClient> w(m_clients); 135 while (CachedRawResourceClient* c = w.next()) (gdb) p m_loader $1 = {m_ptr = 0x0} This is caused by the commit: b124248928cde28a4a55c7982b2dcb6e7200d492 for bug: https://bugs.webkit.org/show_bug.cgi?id=104969, and commit a3265403bade6d561d38c58139bddd93ff271496 for https://bugs.webkit.org/show_bug.cgi?id=112722, both of which merge MainResourceLoader into DocumentLoader. Before these patches, when a main resource loading fails, the MainResourceLoader will try appcache before notifying the DocumentLoader, and will keep the loading status appropriate when loading the substitute data from the AppCache. After these patches, this functionality was moved to DocumentLoader::mainReceivedError(), which tries to load from Appcache. But when the application reaches here, the ResourceLoader(SubResourceLoader) is already is in finishing state after ResourceLoader::didFail() and SubresourceLoader::didFail(), and the CachedResources associated with them already destroyed. We should move the ApplicationCache check the first thing when a resource loading fails (info ResourceLoader::didFail(ResourceHandle, Error)). which now only takes care of Subresource but not MainResource.

Attachments
Patch (2.34 KB, patch) 2013-05-27 03:02 PDT, Charles Wei	no flags	Details Formatted Diff Diff
Patch (7.25 KB, patch) 2013-05-29 05:52 PDT, Charles Wei	no flags	Details Formatted Diff Diff
Archive of layout-test-results from webkit-ews-16 for mac-mountainlion-wk2 (1.30 MB, application/zip) 2013-05-29 06:25 PDT, Build Bot	no flags	Details
Patch (6.05 KB, patch) 2013-05-31 00:01 PDT, Charles Wei	no flags	Details Formatted Diff Diff
Patch (6.30 KB, patch) 2013-06-02 20:23 PDT, Charles Wei	no flags	Details Formatted Diff Diff
Patch (8.73 KB, patch) 2013-06-03 00:05 PDT, Charles Wei	no flags	Details Formatted Diff Diff
Show Obsolete (4) View All Add attachment proposed patch, testcase, etc.

Charles Wei

Comment 1 2013-05-27 03:02:34 PDT

Created attachment 202960 [details] Patch

Sam Weinig

Comment 2 2013-05-27 20:33:53 PDT

Comment on attachment 202960 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=202960&action=review > Source/WebCore/ChangeLog:8 > + Webkit crashes while loading content from Application Cache > + https://bugs.webkit.org/show_bug.cgi?id=116814 > + > + Reviewed by NOBODY (OOPS!). > + > + No new tests, refactor appcache loading. This doesn't make sense. If this is fixing a crash, it is not just refactoring. And if is a crash fix, it should have a test case.

Alexey Proskuryakov

Comment 3 2013-05-28 09:28:35 PDT

For Apple engineers: see also <rdar://problem/13744574>.

Brady Eidson

Comment 4 2013-05-28 10:01:32 PDT

(In reply to comment #3) > For Apple engineers: see also <rdar://problem/13744574>. And possibly 13997217

Charles Wei

Comment 5 2013-05-29 05:52:03 PDT

Created attachment 203188 [details] Patch

Build Bot

Comment 6 2013-05-29 06:25:35 PDT

Comment on attachment 203188 [details] Patch Attachment 203188 [details] did not pass mac-wk2-ews (mac-wk2): Output: http://webkit-queues.appspot.com/results/693290 New failing tests: fast/dom/location-new-window-no-crash.html

Build Bot

Comment 7 2013-05-29 06:25:37 PDT

Created attachment 203191 [details] Archive of layout-test-results from webkit-ews-16 for mac-mountainlion-wk2 The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews. Bot: webkit-ews-16 Port: mac-mountainlion-wk2 Platform: Mac OS X 10.8.3

Charles Wei

Comment 8 2013-05-29 19:40:23 PDT

Comment on attachment 203188 [details] Patch Don't think that regression is relevant. re-raise the commit flag to try

Alexey Proskuryakov

Comment 9 2013-05-30 10:05:48 PDT

I do get a crash with this test on Mac, although with a different stack trace: Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.WebCore 0x00007fff927e2c61 WebCore::ApplicationCacheHost::scheduleLoadFallbackResourceFromApplicationCache(WebCore::ResourceLoader*, WebCore::ApplicationCache*) + 273 1 com.apple.WebCore 0x00007fff92905429 WebCore::ApplicationCacheHost::maybeLoadFallbackForMainError(WebCore::ResourceRequest const&, WebCore::ResourceError const&) + 153 2 com.apple.WebCore 0x00007fff92c9e746 WebCore::DocumentLoader::mainReceivedError(WebCore::ResourceError const&) + 38 3 com.apple.WebCore 0x00007fff927bd3b6 WebCore::CachedResource::checkNotify() + 166 4 com.apple.WebCore 0x00007fff927e2e15 WebCore::SubresourceLoader::didFail(WebCore::ResourceError const&) + 197

Alexey Proskuryakov

Comment 10 2013-05-30 10:12:21 PDT

Comment on attachment 203188 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=203188&action=review > LayoutTests/http/tests/appcache/main-resource-fallback-for-network-error-crash.html:13 > +function setNetworkEnabled(state) This function is never called. I don't think that the test verifies that the bug is fixed when running in an automated manner. Please verify tests by removing the associated code changes, and confirming that they actually fail without those. > LayoutTests/http/tests/appcache/main-resource-fallback-for-network-error-crash.html:34 > + if (window.testRunner) > + { > + var evt = document.createEvent("MouseEvents"); > + evt.initMouseEvent("click"); > + var link = document.getElementById("Link"); > + link.dispatchEvent(evt); > + return; > + } There is no need to simulate a click to navigate, you can just do window.location = "resources/does-not-exist";

Charles Wei

Comment 11 2013-05-31 00:01:29 PDT

Created attachment 203410 [details] Patch

Alexey Proskuryakov

Comment 12 2013-05-31 00:04:18 PDT

Comment on attachment 203410 [details] Patch Does this test crash without the fix?

Charles Wei

Comment 13 2013-05-31 00:14:54 PDT

(In reply to comment #12) > (From update of attachment 203410 [details]) > Does this test crash without the fix? Yes.

Alexey Proskuryakov

Comment 14 2013-05-31 09:35:32 PDT

Does it crash in DumpRenderTree? There is nothing in the test that implements "please make sure the server is down or disconnect your device from any data connection so the connection request to the server will fail".

Charles Wei

Comment 15 2013-05-31 22:57:58 PDT

(In reply to comment #14) > Does it crash in DumpRenderTree? > > There is nothing in the test that implements "please make sure the server is down or disconnect your device from any data connection so the connection request to the server will fail". Yes, we don't have the mechanism to simulate the network error(not http error 3xx, 4xx, 5xx) with DumpRenderTree (at least I am not aware of). So we can't reproduce the problem with automation test. So I moved them to ManualTests. If you know the way to simulate the physical network error, please let me know and I can move them to automation test under LayoutTests.

Alexey Proskuryakov

Comment 16 2013-05-31 23:07:40 PDT

We have a way to simulate a disconnect, and we use it in most application cache tests. You had this function in the second version of the patch, setNetworkEnabled().

Charles Wei

Comment 17 2013-06-02 20:23:14 PDT

Created attachment 203552 [details] Patch

Charles Wei

Comment 18 2013-06-02 20:27:17 PDT

(In reply to comment #16) > We have a way to simulate a disconnect, and we use it in most application cache tests. You had this function in the second version of the patch, setNetworkEnabled(). Thanks for the comments, Alex. I come up with an automation test case that can reproduce the crash following your suggestions, please see that in the new patch above.

Darin Adler

Comment 19 2013-06-02 20:45:11 PDT

Comment on attachment 203552 [details] Patch Should we fix this bug in ApplicationCacheHost::maybeLoadFallbackForError instead? It can tell if the resource is the main resource. I think we could just eliminate maybeLoadFallbackForMainError or make it a private function. Seems that would be more elegant. Naturally we’d still delete the function call from DocumentLoader::mainReceivedError, but we’d leave ResourceLoader::didFail alone. What do you think? r=me to do this fix, but I think my refinement could make the division of responsibilities between ResourceLoader and ApplicationCacheHost better.

Charles Wei

Comment 20 2013-06-02 20:53:43 PDT

(In reply to comment #19) > (From update of attachment 203552 [details]) > Should we fix this bug in ApplicationCacheHost::maybeLoadFallbackForError instead? It can tell if the resource is the main resource. I think we could just eliminate maybeLoadFallbackForMainError or make it a private function. Seems that would be more elegant. Naturally we’d still delete the function call from DocumentLoader::mainReceivedError, but we’d leave ResourceLoader::didFail alone. > > What do you think? > > r=me to do this fix, but I think my refinement could make the division of responsibilities between ResourceLoader and ApplicationCacheHost better. That sounds like a reasonable suggestion. I'll try that, thanks.

Charles Wei

Comment 21 2013-06-03 00:05:24 PDT

Created attachment 203557 [details] Patch

Charles Wei

Comment 22 2013-06-03 01:38:05 PDT

Comment on attachment 203557 [details] Patch Commit it.

WebKit Commit Bot

Comment 23 2013-06-03 01:58:31 PDT

Comment on attachment 203557 [details] Patch Clearing flags on attachment: 203557 Committed r151099: <http://trac.webkit.org/changeset/151099>

WebKit Commit Bot

Comment 24 2013-06-03 01:58:35 PDT

All reviewed patches have been landed. Closing bug.

Note You need to log in before you can comment on or make changes to this bug.