Bug 181061

Summary: Crash when clearing std::optional<WebKit::WebServiceWorkerFetchTaskClient::BlobLoader>
Product: WebKit
Reporter: youenn fablet <youennf>
Component: Service Workers
Assignee: youenn fablet <youennf>
Status: RESOLVED FIXED
Severity: Normal
CC: achristensen, beidson, cdumez, commit-queue, ggaren, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified

youenn fablet
Reported 2017-12-20 15:33:05 PST
==79588==ERROR: AddressSanitizer: heap-use-after-free on address 0x60700015ad90 at pc 0x00010b45eb67 bp 0x7ffee743cb50 sp 0x7ffee743cb48
WRITE of size 1 at 0x60700015ad90 thread T0
==79588==WARNING: invalid path to external symbolizer!
==79588==WARNING: Failed to use and restart external symbolizer!
    #0 0x10b45eb66 in std::optional<WebKit::WebServiceWorkerFetchTaskClient::BlobLoader>::clear() (/Volumes/Data/slave/high-sierra-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0xcf0b66)
    #1 0x10b45d0ed in std::optional<WebKit::WebServiceWorkerFetchTaskClient::BlobLoader>::operator=(std::nullopt_t) (/Volumes/Data/slave/high-sierra-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0xcef0ed)
    #2 0x11cc2b119 in WebCore::DocumentThreadableLoader::didFinishLoading(unsigned long) (/Volumes/Data/slave/high-sierra-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore:x86_64+0x28f6119)
    #3 0x11cd42967 in WebCore::CachedResource::checkNotify() (/Volumes/Data/slave/high-sierra-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore:x86_64+0x2a0d967)
    #4 0x11cd3f6ba in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Volumes/Data/slave/high-sierra-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore:x86_64+0x2a0a6ba)
    #5 0x11ccddc2e in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Volumes/Data/slave/high-sierra-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore:x86_64+0x29a8c2e)
    #6 0x10b42382b in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Volumes/Data/slave/high-sierra-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0xcb582b)
    #7 0x10b426b8e in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Volumes/Data/slave/high-sierra-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0xcb8b8e)
    #8 0x10b42607f in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Volumes/Data/slave/high-sierra-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0xcb807f)
    #9 0x10aaf07c0 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Volumes/Data/slave/high-sierra-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0x3827c0)
    #10 0x10a8a496e in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Volumes/Data/slave/high-sierra-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0x13696e)
    #11 0x10a8ae486 in IPC::Connection::dispatchOneMessage() (/Volumes/Data/slave/high-sierra-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0x140486)
    #12 0x12b2321a7 in WTF::RunLoop::performWork() (/Volumes/Data/slave/high-sierra-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScrip
(Truncated recent description)
Attachments
Patch (1.42 KB, patch)
2017-12-20 15:52 PST, youenn fablet
no flags
Patch for landing (1.43 KB, patch)
2017-12-20 16:50 PST, youenn fablet
no flags
youenn fablet
Comment 1 2017-12-20 15:52:21 PST
Alex Christensen
Comment 2 2017-12-20 16:40:47 PST
Comment on attachment 329960 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=329960&action=review

> Source/WebKit/WebProcess/Storage/WebServiceWorkerFetchTaskClient.cpp:117
> -    m_blobLoader = std::nullopt;
> +    auto toDelete = WTFMove(m_blobLoader);

I think it would be better to just do std::exchange(m_blobLoader, std::nullopt). Then we wouldn't need to give anything a strange unused name.
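Review bot: moving from a std::optional does not disengage it, so after the `+` line `auto toDelete = WTFMove(m_blobLoader);` the member still holds a moved-from BlobLoader and only the local's destruction at scope end runs the real teardown; that is enough to keep the destructor from running while `m_blobLoader` itself is being cleared, but `std::exchange(m_blobLoader, std::nullopt)` additionally leaves the member disengaged before the returned temporary destroys the loader, which states the intent more clearly and avoids the unused local.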
youenn fablet
Comment 3 2017-12-20 16:50:25 PST
Created attachment 329966 [details] Patch for landing
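The ordering problem behind the quoted `-`/`+` lines and the std::exchange suggestion, as an added model that is not WebKit's code: a client whose optional BlobLoader drops the last reference to the client while the optional is being cleared. `Slot`, `Client`, `BlobLoader`, the manual refcount and the flag standing in for a real free are all constructed for this illustration; `Slot` only imitates the destroy-then-store-engaged ordering of std::optional::reset() so the store can be counted instead of hitting freed memory.

```cpp
#include <new>
#include <optional>
#include <utility>
// Constructed model of bug 181061, not WebKit code: a client owns an optional blob
// loader whose destructor drops the last reference keeping the client alive. The
// client "free" is simulated with a flag so the bad store can be counted, not made.
static bool g_clientAlive = true; static int g_writesAfterFree = 0;  // ASan stand-in

// Minimal optional with libc++'s reset() ordering: destroy the value, THEN store engaged.
template <typename T> struct Slot {
    alignas(T) unsigned char storage[sizeof(T)];
    bool engaged = false;
    T* get() { return reinterpret_cast<T*>(storage); }
    Slot() = default;
    Slot(Slot&& o) : engaged(o.engaged) { if (o.engaged) new (storage) T(std::move(*o.get())); }
    template <typename... A> void emplace(A&&... a) { new (storage) T(std::forward<A>(a)...); engaged = true; }
    void reset() {
        if (!engaged) return;
        get()->~T();                            // may drop the client's last reference
        if (!g_clientAlive) ++g_writesAfterFree;
        engaged = false;                        // the 1-byte WRITE that hit freed memory
    }
    Slot& operator=(std::nullopt_t) { reset(); return *this; }
    ~Slot() { if (engaged) get()->~T(); }
};
struct Client;
struct BlobLoader {                             // WebServiceWorkerFetchTaskClient::BlobLoader stand-in
    Client* client;                             // the keep-alive reference
    explicit BlobLoader(Client* c) : client(c) {}
    BlobLoader(BlobLoader&& o) : client(std::exchange(o.client, nullptr)) {}
    ~BlobLoader();
};
struct Client {                                 // WebServiceWorkerFetchTaskClient stand-in
    int refCount = 1;
    Slot<BlobLoader> m_blobLoader;
    void deref() { if (!--refCount) g_clientAlive = false; }    // simulated delete
    void startLoad() { m_blobLoader.emplace(this); ++refCount; }
    // Both are called re-entrantly from the loader, as DocumentThreadableLoader::didFinishLoading did.
    void didFinishLoadingBuggy() { m_blobLoader = std::nullopt; }
    void didFinishLoadingFixed() { std::exchange(m_blobLoader, std::nullopt); }  // member cleared before the loader dies
};
BlobLoader::~BlobLoader() { if (client) client->deref(); }
// Returns how many stores hit the "freed" client: 1 on the buggy path, 0 with the fix.
int runScenario(bool fixed) {
    g_clientAlive = true; g_writesAfterFree = 0;
    Client client;
    client.startLoad();    // refCount 2: ours and the loader's
    client.deref();        // drop ours; only the loader keeps the client alive now
    if (fixed) client.didFinishLoadingFixed(); else client.didFinishLoadingBuggy();
    return g_writesAfterFree;
}
```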
WebKit Commit Bot
Comment 4 2017-12-20 17:39:12 PST
Comment on attachment 329966 [details]
Patch for landing

Clearing flags on attachment: 329966

Committed r226206: <https://trac.webkit.org/changeset/226206>
WebKit Commit Bot
Comment 5 2017-12-20 17:39:13 PST
All reviewed patches have been landed. Closing bug.
Radar WebKit Bug Importer
Comment 6 2017-12-20 17:41:08 PST