Bug 192513

Summary: Crash in WebCore::ServiceWorkerGlobalScope
Product: WebKit
Reporter: Alicia Boya García <aboya>
Component: Service Workers
Assignee: youenn fablet <youennf>
Status: RESOLVED FIXED
Severity: Normal
CC: achristensen, bfulgham, commit-queue, mcatanzaro, product-security, webkit-bug-importer, youennf
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments: Patch (flags: none)

Description Alicia Boya García 2018-12-07 13:50:26 PST
Happened while loading http://youtube.com in Debug. The page continued working after that.

(gdb) f 1
#1  0x00007efe604440e6 in WTF::Ref<WebCore::ServiceWorkerThread, WTF::DumbPtrTraits<WebCore::ServiceWorkerThread> >::operator-> (this=0x7efdf02ae620) at DerivedSources/ForwardingHeaders/wtf/Ref.h:119
119	    T* operator->() const { ASSERT(m_ptr); return PtrTraits::unwrap(m_ptr); }
(gdb) p m_ptr
$1 = (WTF::DumbPtrTraits<WebCore::ServiceWorkerThread>::StorageType) 0x0

[Current thread is 1 (Thread 0x7efe46465ac0 (LWP 23273))]
#0  WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:255
#1  0x00007efe604440e6 in WTF::Ref<WebCore::ServiceWorkerThread, WTF::DumbPtrTraits<WebCore::ServiceWorkerThread> >::operator-> (this=0x7efdf02ae620) at DerivedSources/ForwardingHeaders/wtf/Ref.h:119
#2  0x00007efe6043c6ac in WebCore::ServiceWorkerGlobalScope::<lambda()>::operator()(void) (__closure=0x7efdf02ae620) at ../../Source/WebCore/workers/service/ServiceWorkerGlobalScope.cpp:65
#3  0x00007efe60443de2 in WTF::Function<void()>::CallableWrapper<WebCore::ServiceWorkerGlobalScope::skipWaiting(WTF::Ref<WebCore::DeferredPromise>&&)::<lambda()> >::call(void) (this=0x7efdf02ae618)
    at DerivedSources/ForwardingHeaders/wtf/Function.h:101
#4  0x00007efe5d585f42 in WTF::Function<void ()>::operator()() const (this=0x7ffeca2f0158) at DerivedSources/ForwardingHeaders/wtf/Function.h:56
#5  0x00007efe5304bf05 in WTF::dispatchFunctionsFromMainThread () at ../../Source/WTF/wtf/MainThread.cpp:115
#6  0x00007efe530aa2bd in WTF::MainThreadDispatcher::fired (this=0x7efe54285220 <WTF::scheduleDispatchFunctionsOnMainThread()::dispatcher>) at ../../Source/WTF/wtf/generic/MainThreadGeneric.cpp:67
#7  0x00007efe530aa404 in WTF::RunLoop::Timer<WTF::MainThreadDispatcher>::fired (this=0x7efe54285220 <WTF::scheduleDispatchFunctionsOnMainThread()::dispatcher>) at ../../Source/WTF/wtf/RunLoop.h:148
#8  0x00007efe530ad14b in WTF::RunLoop::TimerBase::<lambda(gpointer)>::operator()(gpointer) const (__closure=0x0, userData=0x7efe54285220 <WTF::scheduleDispatchFunctionsOnMainThread()::dispatcher>)
    at ../../Source/WTF/wtf/glib/RunLoopGLib.cpp:170
#9  0x00007efe530ad1a3 in WTF::RunLoop::TimerBase::<lambda(gpointer)>::_FUN(gpointer) () at ../../Source/WTF/wtf/glib/RunLoopGLib.cpp:176
#10 0x00007efe530ac8c8 in WTF::<lambda(GSource*, GSourceFunc, gpointer)>::operator()(GSource *, GSourceFunc, gpointer) const (__closure=0x0, source=0x7efdc80031a0, 
    callback=0x7efe530ad186 <WTF::RunLoop::TimerBase::<lambda(gpointer)>::_FUN(gpointer)>, userData=0x7efe54285220 <WTF::scheduleDispatchFunctionsOnMainThread()::dispatcher>)
    at ../../Source/WTF/wtf/glib/RunLoopGLib.cpp:45
#11 0x00007efe530ac8f8 in WTF::<lambda(GSource*, GSourceFunc, gpointer)>::_FUN(GSource *, GSourceFunc, gpointer) () at ../../Source/WTF/wtf/glib/RunLoopGLib.cpp:46
#12 0x00007efe4a526818 in g_main_dispatch () at /webkit/WebKitBuild/DependenciesGTK/Source/glib-2.54.2/glib/gmain.c:3148
#13 g_main_context_dispatch () at /webkit/WebKitBuild/DependenciesGTK/Source/glib-2.54.2/glib/gmain.c:3813
#14 0x00007efe4a526bd8 in g_main_context_iterate () at /webkit/WebKitBuild/DependenciesGTK/Source/glib-2.54.2/glib/gmain.c:3886
#15 0x00007efe4a526ec2 in g_main_loop_run () at /webkit/WebKitBuild/DependenciesGTK/Source/glib-2.54.2/glib/gmain.c:4082
#16 0x00007efe530ace06 in WTF::RunLoop::run () at ../../Source/WTF/wtf/glib/RunLoopGLib.cpp:96
#17 0x00007efe5df87a71 in WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain> (argc=3, argv=0x7ffeca2f0598) at ../../Source/WebKit/Shared/unix/ChildProcessMain.h:61
#18 0x00007efe5df8534f in WebKit::WebProcessMainUnix (argc=3, argv=0x7ffeca2f0598) at ../../Source/WebKit/WebProcess/gtk/WebProcessMainGtk.cpp:67
#19 0x0000000000400cc1 in main (argc=3, argv=0x7ffeca2f0598) at ../../Source/WebKit/WebProcess/EntryPoint/unix/WebProcessMain.cpp:52
Comment 1 Radar WebKit Bug Importer 2018-12-07 13:50:47 PST
<rdar://problem/46563880>
Comment 2 Michael Catanzaro 2018-12-22 17:14:57 PST
(Note that null pointer dereference is at worst a DoS issue, so I don't think this needs to remain private.)
Comment 3 Michael Catanzaro 2018-12-22 17:17:53 PST
Just from quick code inspection:

            connection->skipWaiting(workerThread->identifier(), [workerThread = WTFMove(workerThread), requestIdentifier] {

This is illegal because workerThread could be moved from in the second argument before the first argument is evaluated. It needs a temporary variable to hold the result of workerThread->identifier().
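The hazard described in comment 3, as an added C++ example that is not WebKit code: a minimal stand-in for WTF::Ref that nulls itself on move, the skipWaiting call as written (argument evaluation order unspecified), the same bug with the failing order forced so it reproduces deterministically, and the fixed form with the identifier hoisted into a local. ServiceWorkerThread, Connection and its skipWaiting are simplified assumptions here, not the real classes.

```cpp
#include <cstdint>
#include <stdexcept>
#include <utility>

struct ServiceWorkerThread { uint64_t id; uint64_t identifier() const { return id; } };
// Stand-in for WTF::Ref<T, DumbPtrTraits>: move-only, and the moved-from object is left null,
// which is what ASSERT(m_ptr) at Ref.h:119 in the backtrace above catches.
template <typename T> class Ref {
    T* m_ptr;
public:
    explicit Ref(T* p) : m_ptr(p) {}
    Ref(Ref&& o) noexcept : m_ptr(std::exchange(o.m_ptr, nullptr)) {}
    Ref(const Ref&) = delete;
    T* operator->() const {
        if (!m_ptr) throw std::logic_error("null Ref"); // a debug WebKit build crashes here instead
        return m_ptr;
    }
};

// Hypothetical connection: records the identifier argument and runs the completion lambda.
struct Connection {
    uint64_t received = 0;
    template <typename F> void skipWaiting(uint64_t identifier, F&& cb) { received = identifier; cb(); }
};

// The call from comment 3: argument 1 reads workerThread, argument 2's init-capture moves from it.
// C++ leaves argument evaluation order unspecified, so whether this hits the null check depends
// on the compiler. Returns true if it did on this one.
bool skipWaitingAsWritten(Connection& c, Ref<ServiceWorkerThread> workerThread) {
    try {
        c.skipWaiting(workerThread->identifier(), [workerThread = std::move(workerThread)] { workerThread->identifier(); });
        return false;
    } catch (const std::logic_error&) { return true; }
}

// Same bug with the "lambda first" order forced, so the failing path is deterministic.
bool skipWaitingLambdaFirst(Connection& c, Ref<ServiceWorkerThread> workerThread) {
    try {
        auto cb = [workerThread = std::move(workerThread)] { workerThread->identifier(); };
        c.skipWaiting(workerThread->identifier(), std::move(cb)); // workerThread is null by now
        return false;
    } catch (const std::logic_error&) { return true; }
}

// The fix comment 3 asks for: read the identifier into a local before anything can move from workerThread.
uint64_t skipWaitingFixed(Connection& c, Ref<ServiceWorkerThread> workerThread) {
    auto identifier = workerThread->identifier();
    c.skipWaiting(identifier, [workerThread = std::move(workerThread)] { workerThread->identifier(); });
    return c.received;
}
```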
Comment 4 youenn fablet 2019-01-04 10:00:44 PST
Created attachment 358327 [details]
Patch
Comment 5 WebKit Commit Bot 2019-01-04 10:47:32 PST
Comment on attachment 358327 [details]
Patch

Clearing flags on attachment: 358327

Committed r239620: <https://trac.webkit.org/changeset/239620>
Comment 6 WebKit Commit Bot 2019-01-04 10:47:34 PST
All reviewed patches have been landed.  Closing bug.