Bug 183668

Summary: ServiceWorkerClientFetch::didReceiveData should check for m_encodedDataLength
Product: WebKit Reporter: youenn fablet <youennf>
Component: Service WorkersAssignee: youenn fablet <youennf>
Status: RESOLVED FIXED    
Severity: Normal CC: cdumez, commit-queue, ews-watchlist, rniwa, ryanhaddad, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: Other   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch
none
Archive of layout-test-results from ews106 for mac-sierra-wk2
none
Archive of layout-test-results from ews126 for ios-simulator-wk2
none
Patch none

youenn fablet
Reported 2018-03-15 11:07:38 PDT
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 com.apple.JavaScriptCore 0x000000011aaea1d4 WTFCrash + 36 (Assertions.cpp:271) 1 com.apple.WebKit 0x0000000105458c31 WTF::RefPtr<WebCore::SharedBuffer, WTF::DumbPtrTraits<WebCore::SharedBuffer> >::releaseNonNull() + 81 (RefPtr.h:74) 2 com.apple.WebKit 0x0000000105458b9e WebKit::ServiceWorkerClientFetch::didReceiveData(IPC::DataReference const&, long long)::$_1::operator()() const + 110 (ServiceWorkerClientFetch.cpp:173) 3 com.apple.WebKit 0x0000000105458a99 WTF::Function<void ()>::CallableWrapper<WebKit::ServiceWorkerClientFetch::didReceiveData(IPC::DataReference const&, long long)::$_1>::call() + 25 (Function.h:101) 4 com.apple.JavaScriptCore 0x000000011ab061cb WTF::Function<void ()>::operator()() const + 139 (Function.h:56) 5 com.apple.JavaScriptCore 0x000000011ab29404 WTF::dispatchFunctionsFromMainThread() + 324 (MainThread.cpp:129) 6 com.apple.JavaScriptCore 0x000000011ab2c5a1 WTF::timerFired(__CFRunLoopTimer*, void*) + 49 (MainThreadMac.mm:111) 7 com.apple.CoreFoundation 0x00007fff9305be04 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20 8 com.apple.CoreFoundation 0x00007fff9305ba93 __CFRunLoopDoTimer + 1075 9 com.apple.CoreFoundation 0x00007fff9305b5ea __CFRunLoopDoTimers + 298 10 com.apple.CoreFoundation 0x00007fff93052fc1 __CFRunLoopRun + 2081 11 com.apple.CoreFoundation 0x00007fff93052544 CFRunLoopRunSpecific + 420 12 com.apple.HIToolbox 0x00007fff925b1ebc RunCurrentEventLoopInMode + 240 13 com.apple.HIToolbox 0x00007fff925b1cf1 ReceiveNextEventCommon + 432 14 com.apple.HIToolbox 0x00007fff925b1b26 _BlockUntilNextEventMatchingListInModeWithFilter + 71 15 com.apple.AppKit 0x00007fff90b48a54 _DPSNextEvent + 1120 16 com.apple.AppKit 0x00007fff912c47ee -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 2796 17 com.apple.AppKit 0x00007fff90b3d3db -[NSApplication run] + 926 18 com.apple.AppKit 0x00007fff90b07e0e NSApplicationMain + 1237 19 libxpc.dylib 0x00007fffa8fe58c7 _xpc_objc_main + 775 20 libxpc.dylib 0x00007fffa8fe42e4 xpc_main + 494 21 com.apple.WebKit.WebContent 0x0000000104df8145 main + 1189 (XPCServiceMain.mm:148) 22 libdyld.dylib 0x00007fffa8d8c235 start + 1
Attachments
Patch (1.44 KB, patch)
2018-03-15 11:08 PDT, youenn fablet 		no flags
DetailsFormatted DiffDiff
Patch (1.91 KB, patch)
2018-03-15 14:14 PDT, youenn fablet 		no flags
DetailsFormatted DiffDiff
Archive of layout-test-results from ews106 for mac-sierra-wk2 (3.59 MB, application/zip)
2018-03-15 15:39 PDT, EWS Watchlist 		no flags
Details
Archive of layout-test-results from ews126 for ios-simulator-wk2 (2.74 MB, application/zip)
2018-03-15 16:02 PDT, EWS Watchlist 		no flags
Details
Patch (1.98 KB, patch)
2018-03-20 10:17 PDT, youenn fablet 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
youenn fablet
Comment 1 2018-03-15 11:08:41 PDT
Created attachment 335864 [details] Patch
youenn fablet
Comment 2 2018-03-15 14:10:21 PDT
This crash happens because ServiceWorkerClientFetch can call m_loader->didReceiveBuffer at two different places (IPC or completion handler for response check). In which case, we free the buffer and set back m_encodedLength to zero.
youenn fablet
Comment 3 2018-03-15 14:14:41 PDT
Created attachment 335882 [details] Patch
EWS Watchlist
Comment 4 2018-03-15 15:39:07 PDT
Comment on attachment 335882 [details] Patch Attachment 335882 [details] did not pass mac-wk2-ews (mac-wk2): Output: http://webkit-queues.webkit.org/results/6970917 Number of test failures exceeded the failure limit.
EWS Watchlist
Comment 5 2018-03-15 15:39:08 PDT
Created attachment 335895 [details] Archive of layout-test-results from ews106 for mac-sierra-wk2 The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews. Bot: ews106 Port: mac-sierra-wk2 Platform: Mac OS X 10.12.6
EWS Watchlist
Comment 6 2018-03-15 16:02:14 PDT
Comment on attachment 335882 [details] Patch Attachment 335882 [details] did not pass ios-sim-ews (ios-simulator-wk2): Output: http://webkit-queues.webkit.org/results/6971035 Number of test failures exceeded the failure limit.
EWS Watchlist
Comment 7 2018-03-15 16:02:16 PDT
Created attachment 335902 [details] Archive of layout-test-results from ews126 for ios-simulator-wk2 The attached test failures were seen while running run-webkit-tests on the ios-sim-ews. Bot: ews126 Port: ios-simulator-wk2 Platform: Mac OS X 10.12.6
Chris Dumez
Comment 8 2018-03-16 09:15:18 PDT
Comment on attachment 335882 [details] Patch r- given test failures :)
youenn fablet
Comment 9 2018-03-20 08:57:42 PDT
rdar://problem/38473926
youenn fablet
Comment 10 2018-03-20 10:17:20 PDT
Created attachment 336129 [details] Patch
WebKit Commit Bot
Comment 11 2018-03-20 14:53:42 PDT
Comment on attachment 336129 [details] Patch Clearing flags on attachment: 336129 Committed r229774: <https://trac.webkit.org/changeset/229774>
WebKit Commit Bot
Comment 12 2018-03-20 14:53:44 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.