Bug 192513

Summary: Crash in WebCore::ServiceWorkerGlobalScope
Product: WebKit Reporter: Alicia Boya García <aboya>
Component: Service WorkersAssignee: youenn fablet <youennf>
Status: RESOLVED FIXED    
Severity: Normal CC: achristensen, bfulgham, commit-queue, mcatanzaro, product-security, webkit-bug-importer, youennf
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch none

Alicia Boya García
Reported 2018-12-07 13:50:26 PST
Happened while loading http://youtube.com in Debug. The page continued working after that. (gdb) f 1 #1 0x00007efe604440e6 in WTF::Ref<WebCore::ServiceWorkerThread, WTF::DumbPtrTraits<WebCore::ServiceWorkerThread> >::operator-> (this=0x7efdf02ae620) at DerivedSources/ForwardingHeaders/wtf/Ref.h:119 119 T* operator->() const { ASSERT(m_ptr); return PtrTraits::unwrap(m_ptr); } (gdb) p m_ptr $1 = (WTF::DumbPtrTraits<WebCore::ServiceWorkerThread>::StorageType) 0x0 [Current thread is 1 (Thread 0x7efe46465ac0 (LWP 23273))] #0 WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:255 #1 0x00007efe604440e6 in WTF::Ref<WebCore::ServiceWorkerThread, WTF::DumbPtrTraits<WebCore::ServiceWorkerThread> >::operator-> (this=0x7efdf02ae620) at DerivedSources/ForwardingHeaders/wtf/Ref.h:119 #2 0x00007efe6043c6ac in WebCore::ServiceWorkerGlobalScope::<lambda()>::operator()(void) (__closure=0x7efdf02ae620) at ../../Source/WebCore/workers/service/ServiceWorkerGlobalScope.cpp:65 #3 0x00007efe60443de2 in WTF::Function<void()>::CallableWrapper<WebCore::ServiceWorkerGlobalScope::skipWaiting(WTF::Ref<WebCore::DeferredPromise>&&)::<lambda()> >::call(void) (this=0x7efdf02ae618) at DerivedSources/ForwardingHeaders/wtf/Function.h:101 #4 0x00007efe5d585f42 in WTF::Function<void ()>::operator()() const (this=0x7ffeca2f0158) at DerivedSources/ForwardingHeaders/wtf/Function.h:56 #5 0x00007efe5304bf05 in WTF::dispatchFunctionsFromMainThread () at ../../Source/WTF/wtf/MainThread.cpp:115 #6 0x00007efe530aa2bd in WTF::MainThreadDispatcher::fired (this=0x7efe54285220 <WTF::scheduleDispatchFunctionsOnMainThread()::dispatcher>) at ../../Source/WTF/wtf/generic/MainThreadGeneric.cpp:67 #7 0x00007efe530aa404 in WTF::RunLoop::Timer<WTF::MainThreadDispatcher>::fired (this=0x7efe54285220 <WTF::scheduleDispatchFunctionsOnMainThread()::dispatcher>) at ../../Source/WTF/wtf/RunLoop.h:148 #8 0x00007efe530ad14b in WTF::RunLoop::TimerBase::<lambda(gpointer)>::operator()(gpointer) const (__closure=0x0, userData=0x7efe54285220 <WTF::scheduleDispatchFunctionsOnMainThread()::dispatcher>) at ../../Source/WTF/wtf/glib/RunLoopGLib.cpp:170 #9 0x00007efe530ad1a3 in WTF::RunLoop::TimerBase::<lambda(gpointer)>::_FUN(gpointer) () at ../../Source/WTF/wtf/glib/RunLoopGLib.cpp:176 #10 0x00007efe530ac8c8 in WTF::<lambda(GSource*, GSourceFunc, gpointer)>::operator()(GSource *, GSourceFunc, gpointer) const (__closure=0x0, source=0x7efdc80031a0, callback=0x7efe530ad186 <WTF::RunLoop::TimerBase::<lambda(gpointer)>::_FUN(gpointer)>, userData=0x7efe54285220 <WTF::scheduleDispatchFunctionsOnMainThread()::dispatcher>) at ../../Source/WTF/wtf/glib/RunLoopGLib.cpp:45 #11 0x00007efe530ac8f8 in WTF::<lambda(GSource*, GSourceFunc, gpointer)>::_FUN(GSource *, GSourceFunc, gpointer) () at ../../Source/WTF/wtf/glib/RunLoopGLib.cpp:46 #12 0x00007efe4a526818 in g_main_dispatch () at /webkit/WebKitBuild/DependenciesGTK/Source/glib-2.54.2/glib/gmain.c:3148 #13 g_main_context_dispatch () at /webkit/WebKitBuild/DependenciesGTK/Source/glib-2.54.2/glib/gmain.c:3813 #14 0x00007efe4a526bd8 in g_main_context_iterate () at /webkit/WebKitBuild/DependenciesGTK/Source/glib-2.54.2/glib/gmain.c:3886 #15 0x00007efe4a526ec2 in g_main_loop_run () at /webkit/WebKitBuild/DependenciesGTK/Source/glib-2.54.2/glib/gmain.c:4082 #16 0x00007efe530ace06 in WTF::RunLoop::run () at ../../Source/WTF/wtf/glib/RunLoopGLib.cpp:96 #17 0x00007efe5df87a71 in WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain> (argc=3, argv=0x7ffeca2f0598) at ../../Source/WebKit/Shared/unix/ChildProcessMain.h:61 #18 0x00007efe5df8534f in WebKit::WebProcessMainUnix (argc=3, argv=0x7ffeca2f0598) at ../../Source/WebKit/WebProcess/gtk/WebProcessMainGtk.cpp:67 #19 0x0000000000400cc1 in main (argc=3, argv=0x7ffeca2f0598) at ../../Source/WebKit/WebProcess/EntryPoint/unix/WebProcessMain.cpp:52
Attachments
Patch (1.97 KB, patch)
2019-01-04 10:00 PST, youenn fablet 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2018-12-07 13:50:47 PST
<rdar://problem/46563880>
Michael Catanzaro
Comment 2 2018-12-22 17:14:57 PST
(Note that null pointer dereference is at worst a DoS issue, so I don't think this needs to remain private.)
Michael Catanzaro
Comment 3 2018-12-22 17:17:53 PST
Just from quick code inspection: connection->skipWaiting(workerThread->identifier(), [workerThread = WTFMove(workerThread), requestIdentifier] { This is illegal because workerThread could be moved from in the second argument before the first argument is evaluated. It needs a temporary variable to hold the result of workerThread->identifier().
youenn fablet
Comment 4 2019-01-04 10:00:44 PST
Created attachment 358327 [details] Patch
WebKit Commit Bot
Comment 5 2019-01-04 10:47:32 PST
Comment on attachment 358327 [details] Patch Clearing flags on attachment: 358327 Committed r239620: <https://trac.webkit.org/changeset/239620>
WebKit Commit Bot
Comment 6 2019-01-04 10:47:34 PST
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.