Bug 186805

Summary: WebCoreNSURLSessionDataTaskClient::redirectReceived() calls WebCore on non-main thread
Product: WebKit
Reporter: Chris Dumez <cdumez>
Component: Page Loading
Assignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED
Severity: Normal
CC: achristensen, beidson, commit-queue, ddkilzer, ggaren, webkit-bug-importer, youennf
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments: Patch (flags: none)

Chris Dumez
Reported 2018-06-19 08:39:32 PDT
WebCoreNSURLSessionDataTaskClient::redirectReceived() calls WebCore on non-main thread:

Thread 6 name: Dispatch queue: NSOperationQueue 0x1006c5730 (QOS: UNSPECIFIED)
Thread 6 Crashed:
0 WebKit 0x00000001918dab74 WebKit::WebProcess::ensureNetworkProcessConnection() + 244 (WebProcess.cpp:1105)
1 WebKit 0x00000001918daad0 WebKit::WebProcess::ensureNetworkProcessConnection() + 80 (WebProcess.cpp:1104)
2 WebKit 0x0000000191903f24 WebKit::WebResourceLoader::messageSenderConnection() + 16 (WebResourceLoader.cpp:71)
3 WebKit 0x00000001916c49e8 IPC::MessageSender::sendMessage(std::__1::unique_ptr<IPC::Encoder, std::__1::default_delete<IPC::Encoder> >, WTF::OptionSet<IPC::SendOption>) + 36 (MessageSender.cpp:39)
4 WebKit 0x0000000191904c30 bool IPC::MessageSender::send<Messages::NetworkResourceLoader::ContinueWillSendRequest>(Messages::NetworkResourceLoader::ContinueWillSendRequest const&, unsigned long long, WTF::OptionSet<IPC::SendOption>) + 132 (MessageSender.h:49)
5 WebKit 0x0000000191904b9c WTF::Function<void (WebCore::ResourceRequest&&)>::CallableWrapper<WebKit::WebResourceLoader::willSendRequest(WebCore::ResourceRequest&&, WebCore::ResourceResponse&&)::$_0>::call(WebCore::ResourceRequest&&) + 80 (MessageSender.h:39)
6 WebCore 0x000000018ae0c524 WTF::Function<void (WebCore::ResourceRequest&&)>::CallableWrapper<WebCore::SubresourceLoader::willSendRequestInternal(WebCore::ResourceRequest&&, WebCore::ResourceResponse const&, WTF::CompletionHandler<void (WebCore::ResourceRequest&&)>&&)::$_0::operator()(WTF::CompletionHandler<void (WebCore::ResourceRequest&&)>&&, WebCore::ResourceRequest&&)::'lambda'(WebCore::ResourceRequest&&)>::call(WebCore::ResourceRequest&&) + 120 (Function.h:56)
7 WebCore 0x000000018ae00d24 WebCore::ResourceLoader::willSendRequestInternal(WebCore::ResourceRequest&&, WebCore::ResourceResponse const&, WTF::CompletionHandler<void (WebCore::ResourceRequest&&)>&&) + 1584 (Function.h:56)
8 WebCore 0x000000018ae07f4c WebCore::SubresourceLoader::willSendRequestInternal(WebCore::ResourceRequest&&, WebCore::ResourceResponse const&, WTF::CompletionHandler<void (WebCore::ResourceRequest&&)>&&)::$_0::operator()(WTF::CompletionHandler<void (WebCore::ResourceRequest&&)>&&, WebCore::ResourceRequest&&) + 356 (SubresourceLoader.cpp:190)
9 WebCore 0x000000018ae36448 WTF::Function<void (WebCore::ResourceRequest&&)>::CallableWrapper<WebCore::CachedRawResource::redirectReceived(WebCore::ResourceRequest&&, WebCore::ResourceResponse const&, WTF::CompletionHandler<void (WebCore::ResourceRequest&&)>&&)::$_1>::call(WebCore::ResourceRequest&&) + 84 (Function.h:56)
10 WebCore 0x000000018ae2c3ec WebCore::iterateClients(WebCore::CachedResourceClientWalker<WebCore::CachedRawResourceClient>&&, WebCore::CachedResourceHandle<WebCore::CachedRawResource>&&, WebCore::ResourceRequest&&, std::__1::unique_ptr<WebCore::ResourceResponse, std::__1::default_delete<WebCore::ResourceResponse> >&&, WTF::CompletionHandler<void (WebCore::ResourceRequest&&)>&&) + 552 (Function.h:56)
11 WebCore 0x000000018b36c7f8 WTF::Function<void ()>::CallableWrapper<-[WebCoreNSURLSessionDataTask resource:receivedRedirect:request:completionHandler:]::$_11>::call() + 448 (Function.h:56)
12 Foundation 0x0000000182084694 __NSBLOCKOPERATION_IS_CALLING_OUT_TO_A_BLOCK__ + 16 (NSOperation.m:1467)
13 Foundation 0x0000000181fc4410 -[NSBlockOperation main] + 72 (NSOperation.m:1486)
14 Foundation 0x0000000181fb3ff8 -[__NSOperationInternal _start:] + 848 (NSOperation.m:830)
15 Foundation 0x0000000182086298 __NSOQSchedule_f + 404 (NSOperation.m:2081)
16 libdispatch.dylib 0x0000000180f6ca2c _dispatch_client_callout + 16 (object.m:507)
17 libdispatch.dylib 0x0000000180f74e8c _dispatch_continuation_pop$VARIANT$mp + 424 (inline_internal.h:2500)
18 libdispatch.dylib 0x0000000180f737c4 _dispatch_async_redirect_invoke$VARIANT$mp + 604 (queue.c:3426)
19 libdispatch.dylib 0x0000000180f79ca4 _dispatch_root_queue_drain + 588 (inline_internal.h:2539)
20 libdispatch.dylib 0x0000000180f799f4 _dispatch_worker_thread3 + 120 (queue.c:6101)
21 libsystem_pthread.dylib 0x0000000181295044 _pthread_wqthread + 1176 (pthread.c:2286)
22 libsystem_pthread.dylib 0x0000000181294ba0 start_wqthread + 4
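Added example, not code from this bug's patch (which is not shown on the page) nor from WebKit: a minimal C++ model of the thread-affinity failure in the trace above, where a redirect callback delivered on a worker queue enters main-thread-only code. `RedirectHandler`, `simulateRedirect` and the queue globals are assumed stand-ins; only the name `callOnMainThread` mirrors the WebKit utility it imitates.

```cpp
#include <atomic>
#include <chrono>
#include <condition_variable>
#include <deque>
#include <functional>
#include <mutex>
#include <thread>
// The thread that runs static initialisation is the main thread.
static const std::thread::id g_mainThreadId = std::this_thread::get_id();
static std::mutex g_queueMutex;
static std::condition_variable g_queueCv;
static std::deque<std::function<void()>> g_mainQueue;

bool isMainThread() { return std::this_thread::get_id() == g_mainThreadId; }
// Hypothetical stand-in for WebKit's callOnMainThread(): queue work for the main thread.
void callOnMainThread(std::function<void()> task) {
    { std::lock_guard<std::mutex> lock(g_queueMutex); g_mainQueue.push_back(std::move(task)); }
    g_queueCv.notify_one();
}
// Hypothetical stand-in for the main-thread-only WebCore side (CachedRawResource::redirectReceived
// in the trace); it records an off-main-thread call instead of crashing.
struct RedirectHandler {
    std::atomic<bool> calledOffMainThread { false };
    void redirectReceived() { if (!isMainThread()) calledOffMainThread = true; }
};

// Delivers one redirect callback on a worker thread, as the NSOperationQueue did in the report.
// hopToMainThread=false reproduces the bug (direct call); true applies the fix pattern.
// Returns true when redirectReceived() ran on the main thread.
bool simulateRedirect(bool hopToMainThread) {
    RedirectHandler handler;
    std::atomic<bool> done { false };
    std::thread worker([&] {
        if (hopToMainThread)
            callOnMainThread([&] { handler.redirectReceived(); done = true; });
        else { handler.redirectReceived(); done = true; } // the bug: WebCore entered off the main thread
    });
    while (!done) { // main thread: service its queue until the callback has run
        std::unique_lock<std::mutex> lock(g_queueMutex);
        g_queueCv.wait_for(lock, std::chrono::milliseconds(1), [] { return !g_mainQueue.empty(); });
        if (g_mainQueue.empty()) continue;
        auto task = std::move(g_mainQueue.front());
        g_mainQueue.pop_front();
        lock.unlock();
        task();
    }
    worker.join();
    return !handler.calledOffMainThread;
}
```

In a debug build the equivalent WebKit assertion fires on the direct call; the release crash in the trace is what the same violation looks like without it.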
Attachments
Patch (2.12 KB, patch)
2018-06-19 08:43 PDT, Chris Dumez
no flags
Chris Dumez
Comment 1 2018-06-19 08:39:43 PDT
Chris Dumez
Comment 2 2018-06-19 08:43:34 PDT
Geoffrey Garen
Comment 3 2018-06-19 09:47:08 PDT
Are these failures real?

js/mozilla/eval/exhaustive-fun-normalcaller-indirect-normalcode.html [ Crash ]
js/mozilla/eval/exhaustive-fun-strictcaller-indirect-normalcode.html [ Crash ]
js/mozilla/eval/exhaustive-global-normalcaller-direct-normalcode.html [ Crash ]
js/mozilla/eval/exhaustive-global-normalcaller-indirect-normalcode.html [ Crash ]
js/mozilla/eval/exhaustive-global-strictcaller-indirect-normalcode.html [ Crash ]
js/mozilla/eval/undeclared-name-in-nested-strict-eval.html [ Crash ]
Chris Dumez
Comment 4 2018-06-19 09:47:54 PDT
Comment on attachment 343058 [details]
Patch

Let's wait but I doubt it.
Chris Dumez
Comment 5 2018-06-19 09:49:37 PDT
(In reply to Chris Dumez from comment #4)
> Comment on attachment 343058 [details]
> Patch
>
> Let's wait but I doubt it.

As I thought, the crashes are happening on the bots:
https://build.webkit.org/results/Apple%20High%20Sierra%20Debug%20WK1%20(Tests)/r232959%20(4297)/results.html
Chris Dumez
Comment 6 2018-06-19 09:50:04 PDT
(In reply to Chris Dumez from comment #5)
> (In reply to Chris Dumez from comment #4)
> > Comment on attachment 343058 [details]
> > Patch
> >
> > Let's wait but I doubt it.
>
> As I thought, the crashes are happening on the bots:
> https://build.webkit.org/results/
> Apple%20High%20Sierra%20Debug%20WK1%20(Tests)/r232959%20(4297)/results.html

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 com.apple.JavaScriptCore 0x00000001068efae0 WTFCrash + 16 (Assertions.cpp:267)
1 com.apple.JavaScriptCore 0x0000000106a31d46 JSC::JSObject::prepareToPutDirectWithoutTransition(JSC::VM&, JSC::PropertyName, unsigned int, unsigned int, JSC::Structure*)::'lambda'(JSC::GCSafeConcurrentJSLocker const&, int, int)::operator()(JSC::GCSafeConcurrentJSLocker const&, int, int) const + 278 (JSObjectInlines.h:206)
2 com.apple.JavaScriptCore 0x0000000106a31434 int JSC::Structure::add<(JSC::Structure::ShouldPin)1, JSC::JSObject::prepareToPutDirectWithoutTransition(JSC::VM&, JSC::PropertyName, unsigned int, unsigned int, JSC::Structure*)::'lambda'(JSC::GCSafeConcurrentJSLocker const&, int, int)>(JSC::VM&, JSC::PropertyName, unsigned int, JSC::JSObject::prepareToPutDirectWithoutTransition(JSC::VM&, JSC::PropertyName, unsigned int, unsigned int, JSC::Structure*)::'lambda'(JSC::GCSafeConcurrentJSLocker const&, int, int) const&) + 772 (StructureInlines.h:402)
3 com.apple.JavaScriptCore 0x0000000106a3111b int JSC::Structure::addPropertyWithoutTransition<JSC::JSObject::prepareToPutDirectWithoutTransition(JSC::VM&, JSC::PropertyName, unsigned int, unsigned int, JSC::Structure*)::'lambda'(JSC::GCSafeConcurrentJSLocker const&, int, int)>(JSC::VM&, JSC::PropertyName, unsigned int, JSC::JSObject::prepareToPutDirectWithoutTransition(JSC::VM&, JSC::PropertyName, unsigned int, unsigned int, JSC::Structure*)::'lambda'(JSC::GCSafeConcurrentJSLocker const&, int, int) const&) + 59 (StructureInlines.h:444)
4 com.apple.JavaScriptCore 0x0000000106a2fb9a JSC::JSObject::prepareToPutDirectWithoutTransition(JSC::VM&, JSC::PropertyName, unsigned int, unsigned int, JSC::Structure*) + 138 (JSObjectInlines.h:209)
5 com.apple.JavaScriptCore 0x00000001072ab4c7 bool JSC::JSObject::putDirectInternal<(JSC::JSObject::PutMode)0>(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int, JSC::PutPropertySlot&) + 1111 (JSObjectInlines.h:303)
6 com.apple.JavaScriptCore 0x0000000107c0359c JSC::JSObject::putInlineSlow(JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 2236 (JSObject.cpp:825)
7 com.apple.JavaScriptCore 0x00000001072aaeb0 JSC::JSObject::putInlineForJSObject(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 1168 (JSObjectInlines.h:242)
8 com.apple.JavaScriptCore 0x0000000107bfd245 JSC::JSObject::put(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 69 (JSObject.cpp:755)
9 com.apple.JavaScriptCore 0x0000000107b91323 JSC::JSGlobalObject::put(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 899 (JSGlobalObject.cpp:1103)
10 com.apple.WebCore 0x0000000112cf4438 WebCore::JSDOMWindow::put(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 568 (JSDOMWindowCustom.cpp:300)
11 com.apple.JavaScriptCore 0x000000010782f3d7 JSC::Interpreter::execute(JSC::EvalExecutable*, JSC::ExecState*, JSC::JSValue, JSC::JSScope*) + 2775 (Interpreter.cpp:1215)
12 com.apple.JavaScriptCore 0x0000000107bdc17c JSC::globalFuncEval(JSC::ExecState*) + 1372 (JSGlobalObjectFunctions.cpp:508)
WebKit Commit Bot
Comment 7 2018-06-19 10:12:29 PDT
Comment on attachment 343058 [details]
Patch

Clearing flags on attachment: 343058

Committed r232965: <https://trac.webkit.org/changeset/232965>
WebKit Commit Bot
Comment 8 2018-06-19 10:12:30 PDT
All reviewed patches have been landed. Closing bug.