Bug 195141
| Summary: | New string formatting triggers crashes in compositing logging code | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Simon Fraser (smfr) <simon.fraser> |
| Component: | WebKit Misc. | Assignee: | Darin Adler <darin> |
| Status: | RESOLVED FIXED | ||
| Severity: | Normal | CC: | darin, simon.fraser, tsavell, webkit-bot-watchers-bugzilla, webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| See Also: | https://bugs.webkit.org/show_bug.cgi?id=195210 | ||
| Bug Depends on: | |||
| Bug Blocks: | 194893 | ||
Simon Fraser (smfr)
When compositing logging is enabled (-WebCoreLogging="Compositing") in the iOS simulator in debug, then the web process crashes:
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 libsystem_platform.dylib 0x00000004e0363d09 _platform_memmove$VARIANT$Haswell + 41
1 com.apple.WebCore 0x00000004e99fa637 void WTF::StringImpl::copyCharacters<unsigned char>(unsigned char*, unsigned char const*, unsigned int) + 71 (StringImpl.h:1089)
2 com.apple.WebCore 0x00000004e9bb46a4 void WTF::StringTypeAdapter<WTF::HexNumberBuffer, void>::writeTo<unsigned char>(unsigned char*) const + 68 (HexNumber.h:104)
3 com.apple.WebCore 0x00000004ecb93e7e void WTF::StringTypeAdapter<WTF::PaddingSpecification<WTF::StringTypeAdapter<WTF::HexNumberBuffer, void> >, void>::writeTo<unsigned char>(unsigned char*) const + 174 (StringConcatenate.h:230)
4 com.apple.WebCore 0x00000004ecb92ba4 void WTF::makeStringAccumulator<unsigned char, WTF::StringTypeAdapter<WTF::PaddingSpecification<WTF::StringTypeAdapter<WTF::HexNumberBuffer, void> >, void>, WTF::StringTypeAdapter<char const*, void>, WTF::StringTypeAdapter<unsigned long long, void>, WTF::StringTypeAdapter<char const*, void>, WTF::StringTypeAdapter<WTF::FormattedNumber, void>, WTF::StringTypeAdapter<char, void>, WTF::StringTypeAdapter<WTF::FormattedNumber, void>, WTF::StringTypeAdapter<char, void>, WTF::StringTypeAdapter<WTF::FormattedNumber, void>, WTF::StringTypeAdapter<char, void>, WTF::StringTypeAdapter<WTF::FormattedNumber, void>, WTF::StringTypeAdapter<char const*, void>, WTF::StringTypeAdapter<WTF::FormattedNumber, void>, WTF::StringTypeAdapter<char const*, void> >(unsigned char*, WTF::StringTypeAdapter<WTF::PaddingSpecification<WTF::StringTypeAdapter<WTF::HexNumberBuffer, void> >, void>, WTF::StringTypeAdapter<char const*, void>, WTF::StringTypeAdapter<unsigned long long, void>, WTF::StringTypeAdapter<char const*, void>, WTF::StringTypeAdapter<WTF::FormattedNumber, void>, WTF::StringTypeAdapter<char, void>, WTF::StringTypeAdapter<WTF::FormattedNumber, void>, WTF::StringTypeAdapter<char, void>, WTF::StringTypeAdapter<WTF::FormattedNumber, void>, WTF::StringTypeAdapter<char, void>, WTF::StringTypeAdapter<WTF::FormattedNumber, void>, WTF::StringTypeAdapter<char const*, void>, WTF::StringTypeAdapter<WTF::FormattedNumber, void>, WTF::StringTypeAdapter<char const*, void>) + 164 (StringConcatenate.h:258)
5 com.apple.WebCore 0x00000004ecb92495 WTF::String WTF::tryMakeStringFromAdapters<WTF::StringTypeAdapter<WTF::PaddingSpecification<WTF::StringTypeAdapter<WTF::HexNumberBuffer, void> >, void>, WTF::StringTypeAdapter<char const*, void>, WTF::StringTypeAdapter<unsigned long long, void>, WTF::StringTypeAdapter<char const*, void>, WTF::StringTypeAdapter<WTF::FormattedNumber, void>, WTF::StringTypeAdapter<char, void>, WTF::StringTypeAdapter<WTF::FormattedNumber, void>, WTF::StringTypeAdapter<char, void>, WTF::StringTypeAdapter<WTF::FormattedNumber, void>, WTF::StringTypeAdapter<char, void>, WTF::StringTypeAdapter<WTF::FormattedNumber, void>, WTF::StringTypeAdapter<char const*, void>, WTF::StringTypeAdapter<WTF::FormattedNumber, void>, WTF::StringTypeAdapter<char const*, void> >(WTF::StringTypeAdapter<WTF::PaddingSpecification<WTF::StringTypeAdapter<WTF::HexNumberBuffer, void> >, void>, WTF::StringTypeAdapter<char const*, void>, WTF::StringTypeAdapter<unsigned long long, void>, WTF::StringTypeAdapter<char const*, void>, WTF::StringTypeAdapter<WTF::FormattedNumber, void>, WTF::StringTypeAdapter<char, void>, WTF::StringTypeAdapter<WTF::FormattedNumber, void>, WTF::StringTypeAdapter<char, void>, WTF::StringTypeAdapter<WTF::FormattedNumber, void>, WTF::StringTypeAdapter<char, void>, WTF::StringTypeAdapter<WTF::FormattedNumber, void>, WTF::StringTypeAdapter<char const*, void>, WTF::StringTypeAdapter<WTF::FormattedNumber, void>, WTF::StringTypeAdapter<char const*, void>) + 1685 (StringConcatenate.h:279)
6 com.apple.WebCore 0x00000004ecb91dd8 WTF::String WTF::tryMakeString<WTF::PaddingSpecification<WTF::StringTypeAdapter<WTF::HexNumberBuffer, void> >, char const*, unsigned long long, char const*, WTF::FormattedNumber, char, WTF::FormattedNumber, char, WTF::FormattedNumber, char, WTF::FormattedNumber, char const*, WTF::FormattedNumber, char const*>(WTF::PaddingSpecification<WTF::StringTypeAdapter<WTF::HexNumberBuffer, void> >, char const*, unsigned long long, char const*, WTF::FormattedNumber, char, WTF::FormattedNumber, char, WTF::FormattedNumber, char, WTF::FormattedNumber, char const*, WTF::FormattedNumber, char const*) + 648 (StringConcatenate.h:295)
7 com.apple.WebCore 0x00000004ecb6da61 WTF::String WTF::makeString<WTF::PaddingSpecification<WTF::StringTypeAdapter<WTF::HexNumberBuffer, void> >, char const*, unsigned long long, char const*, WTF::FormattedNumber, char, WTF::FormattedNumber, char, WTF::FormattedNumber, char, WTF::FormattedNumber, char const*, WTF::FormattedNumber, char const*>(WTF::PaddingSpecification<WTF::StringTypeAdapter<WTF::HexNumberBuffer, void> >, char const*, unsigned long long, char const*, WTF::FormattedNumber, char, WTF::FormattedNumber, char, WTF::FormattedNumber, char, WTF::FormattedNumber, char const*, WTF::FormattedNumber, char const*) + 945 (StringConcatenate.h:302)
8 com.apple.WebCore 0x00000004ecb6d013 WebCore::RenderLayerCompositor::logLayerInfo(WebCore::RenderLayer const&, char const*, int) + 1155 (RenderLayerCompositor.cpp:1327)
9 com.apple.WebCore 0x00000004ecb6a05d WebCore::RenderLayerCompositor::updateBackingAndHierarchy(WebCore::RenderLayer&, WTF::Vector<WTF::Ref<WebCore::GraphicsLayer, WTF::DumbPtrTraits<WebCore::GraphicsLayer> >, 0ul, WTF::CrashOnOverflow, 16ul>&, WebCore::ScrollingTreeState&, WTF::OptionSet<WebCore::RenderLayerCompositor::UpdateLevel>, int) + 765 (RenderLayerCompositor.cpp:1202)
10 com.apple.WebCore 0x00000004ecb6a448 WebCore::RenderLayerCompositor::updateBackingAndHierarchy(WebCore::RenderLayer&, WTF::Vector<WTF::Ref<WebCore::GraphicsLayer, WTF::DumbPtrTraits<WebCore::GraphicsLayer> >, 0ul, WTF::CrashOnOverflow, 16ul>&, WebCore::ScrollingTreeState&, WTF::OptionSet<WebCore::RenderLayerCompositor::UpdateLevel>, int) + 1768 (RenderLayerCompositor.cpp:1236)
11 com.apple.WebCore 0x00000004ecb6a448 WebCore::RenderLayerCompositor::updateBackingAndHierarchy(WebCore::RenderLayer&, WTF::Vector<WTF::Ref<WebCore::GraphicsLayer, WTF::DumbPtrTraits<WebCore::GraphicsLayer> >, 0ul, WTF::CrashOnOverflow, 16ul>&, WebCore::ScrollingTreeState&, WTF::OptionSet<WebCore::RenderLayerCompositor::UpdateLevel>, int) + 1768 (RenderLayerCompositor.cpp:1236)
12 com.apple.WebCore 0x00000004ecb3a55c WebCore::RenderLayerCompositor::updateCompositingLayers(WebCore::CompositingUpdateType, WebCore::RenderLayer*) + 2908 (RenderLayerCompositor.cpp:762)
Somehow HexNumberBuffer ends up with a bad length:
(lldb) fr va m_padding.underlyingAdapter.m_buffer
(const WTF::HexNumberBuffer &) m_padding.underlyingAdapter.m_buffer = 0x00007ffeebc8aa80: {
characters = (__elems_ = "0.000")
length = 631693656
}
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Simon Fraser (smfr)
It's weird that characters is "0.000" which is obviously one of the other float-formatted strings. The caller is notable in that it takes a lot of Strings things.
Darin Adler
Looks like a bug in how "pad" combines with "hex". I’ll add unit tests for that, get it working, and re-land the String::format removal patch.
Simon Fraser (smfr)
My rollout caused storage tests to crash:
https://build.webkit.org/results/Apple%20High%20Sierra%20Debug%20WK1%20(Tests)/r242199%20(8015)/results.html
Do we need to roll out more?
Truitt Savell
Tracking the crashing tests in https://bugs.webkit.org/show_bug.cgi?id=195210
Truitt Savell
I talked with sihui and she found that https://trac.webkit.org/changeset/242075/webkit is calling a function from r242014 and is crashing due to the rollout. Looks like we will need to roll this change out too to resolve the crashing tests.
Darin Adler
The pad function had an object lifetime bug. Now fixed and checked in.
<https://trac.webkit.org/changeset/242308>
I don’t understand how the other problem was caused by the rollout, so not sure it’s fixed.
Radar WebKit Bug Importer
<rdar://problem/48532653>