Bug 174522

Summary: Possible crash in ~UserGestureIndicator() when on non-main thread
Product: WebKit Reporter: Chris Dumez <cdumez>
Component: WebCore Misc.Assignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED    
Severity: Normal CC: beidson, buildbot, dbates, esprehn+autocc, kangil.han, sam, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on: 174592    
Bug Blocks:    
Attachments:
Description Flags
Patch
none
Patch none

Chris Dumez
Reported 2017-07-14 12:31:55 PDT
Possible crash in ~UserGestureIndicator() when on non-main thread: Thread 27 Crashed:: WebCore: Worker 0 com.apple.WebCore 0x00007fffaef36330 WebCore::UserGestureIndicator::~UserGestureIndicator() + 176 1 com.apple.WebCore 0x00007fffadeb9b70 WebCore::DOMTimer::fired() + 1008 2 com.apple.WebCore 0x00007fffadde13e0 WebCore::ThreadTimers::sharedTimerFiredInternal() + 176 3 com.apple.WebCore 0x00007fffaefead6d WebCore::WorkerRunLoop::runInMode(WebCore::WorkerGlobalScope*, WebCore::ModePredicate const&, WebCore::WorkerRunLoop::WaitMode) + 365 4 com.apple.WebCore 0x00007fffaefeaba0 WebCore::WorkerRunLoop::run(WebCore::WorkerGlobalScope*) + 96 5 com.apple.WebCore 0x00007fffaefee421 WebCore::WorkerThread::workerThread() + 929 6 com.apple.JavaScriptCore 0x00007fffa8db1c62 WTF::threadEntryPoint(void*) + 178 7 com.apple.JavaScriptCore 0x00007fffa8db1b8f WTF::wtfThreadEntryPoint(void*) + 15 8 libsystem_pthread.dylib 0x00007fffbc8e2aab _pthread_body + 180 9 libsystem_pthread.dylib 0x00007fffbc8e29f7 _pthread_start + 286 10 libsystem_pthread.dylib 0x00007fffbc8e21fd thread_start + 13
Attachments
Patch (1.92 KB, patch)
2017-07-14 12:38 PDT, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Patch (5.19 KB, patch)
2017-07-14 14:48 PDT, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Chris Dumez
Comment 1 2017-07-14 12:32:19 PDT
<rdar://problem/30283071>
Chris Dumez
Comment 2 2017-07-14 12:38:44 PDT
Created attachment 315472 [details] Patch
Brady Eidson
Comment 3 2017-07-14 13:22:15 PDT
Comment on attachment 315472 [details] Patch This seems like we could actually write a test for it?
Chris Dumez
Comment 4 2017-07-14 13:39:50 PDT
(In reply to Brady Eidson from comment #3) > Comment on attachment 315472 [details] > Patch > > This seems like we could actually write a test for it? I will try but it seems pretty racy.
Chris Dumez
Comment 5 2017-07-14 13:53:22 PDT
(In reply to Chris Dumez from comment #4) > (In reply to Brady Eidson from comment #3) > > Comment on attachment 315472 [details] > > Patch > > > > This seems like we could actually write a test for it? > > I will try but it seems pretty racy. I *think* a user gesture needs to happen on the main thread and *while* this user gesture is happening (i.e. there is still a UserGestureIndicator object alive for the gesture), a DOMTimer needs to fire in a worker thread.
Sam Weinig
Comment 6 2017-07-14 14:05:18 PDT
Comment on attachment 315472 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=315472&action=review > Source/WebCore/dom/UserGestureIndicator.cpp:71 > + // It is only safe to use currentToken() on the main thread. > + m_previousToken = currentToken(); Seems like you should ASSERT(isMainThread()) in currentToken().
Chris Dumez
Comment 7 2017-07-14 14:06:15 PDT
(In reply to Sam Weinig from comment #6) > Comment on attachment 315472 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=315472&action=review > > > Source/WebCore/dom/UserGestureIndicator.cpp:71 > > + // It is only safe to use currentToken() on the main thread. > > + m_previousToken = currentToken(); > > Seems like you should ASSERT(isMainThread()) in currentToken(). Thanks, I'll add the ASSERT and am trying to write a test right now.
Sam Weinig
Comment 8 2017-07-14 14:07:56 PDT
Comment on attachment 315472 [details] Patch r=me with the ASSERT.
Chris Dumez
Comment 9 2017-07-14 14:48:03 PDT
Created attachment 315491 [details] Patch
Chris Dumez
Comment 10 2017-07-14 15:17:43 PDT
Comment on attachment 315491 [details] Patch Will wait for debug EWS before landing.
Chris Dumez
Comment 11 2017-07-14 16:02:57 PDT
Comment on attachment 315491 [details] Patch Clearing flags on attachment: 315491 Committed r219531: <http://trac.webkit.org/changeset/219531>
Chris Dumez
Comment 12 2017-07-14 16:02:58 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.