Bug 199907

Summary: Crash under WebPage::boundaryEventOccurred
Product: WebKit Reporter: Per Arne Vollan <pvollan>
Component: WebKit Misc.Assignee: Per Arne Vollan <pvollan>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, cdumez, cfleizach, commit-queue, ggaren, rniwa, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch
none
Patch none

Per Arne Vollan
Reported 2019-07-18 08:00:52 PDT
A nullptr check is needed in this method.
Attachments
Patch (1.84 KB, patch)
2019-07-18 08:02 PDT, Per Arne Vollan 		no flags
DetailsFormatted DiffDiff
Patch (1.79 KB, patch)
2019-07-18 08:40 PDT, Per Arne Vollan 		no flags
DetailsFormatted DiffDiff
Patch (2.53 KB, patch)
2019-07-18 13:45 PDT, Per Arne Vollan 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Per Arne Vollan
Comment 1 2019-07-18 08:02:19 PDT
Created attachment 374384 [details] Patch
Per Arne Vollan
Comment 2 2019-07-18 08:06:41 PDT
rdar://problem/53189800
Geoffrey Garen
Comment 3 2019-07-18 08:20:44 PDT
Comment on attachment 374384 [details] Patch Under what conditions can corePage() be null? I don't see anything that would ever clear it (except for the WebPage destructor). If the error here is use after free of WebPage, I think we need a different fix.
Per Arne Vollan
Comment 4 2019-07-18 08:40:50 PDT
Created attachment 374386 [details] Patch
Chris Dumez
Comment 5 2019-07-18 08:40:58 PDT
Comment on attachment 374384 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=374384&action=review > Source/WebKit/WebProcess/WebPage/WebPage.cpp:6600 > + if (!corePage() || !corePage()->speechSynthesisClient()) I agree with Geoff, I do not see how corePage() can be null unless we're in the WebPage destructor. Can you also clarify how Page::speechSynthesisClient() can return null here? It never seems to get nulled out inside Page, and it seems to get initialized unconditionally (as long as ENABLED(SPEECH_SYNTHESIS)): #if ENABLE(SPEECH_SYNTHESIS) pageConfiguration.speechSynthesisClient = std::make_unique<WebSpeechSynthesisClient>(*this); #endif
Chris Dumez
Comment 6 2019-07-18 08:41:12 PDT
Comment on attachment 374386 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=374386&action=review > Source/WebKit/WebProcess/WebPage/WebPage.cpp:6600 > + if (!corePage()->speechSynthesisClient()) Please see my comment on the previous patch.
Per Arne Vollan
Comment 7 2019-07-18 08:53:44 PDT
(In reply to Chris Dumez from comment #6) > Comment on attachment 374386 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=374386&action=review > > > Source/WebKit/WebProcess/WebPage/WebPage.cpp:6600 > > + if (!corePage()->speechSynthesisClient()) > > Please see my comment on the previous patch. Yes, I believe you are right. The reason for the crash is probably that m_currentSpeechUtterance in SpeechSynthesis is null. I will update the patch. Thanks for reviewing, everybody!
Chris Dumez
Comment 8 2019-07-18 08:54:48 PDT
(In reply to Per Arne Vollan from comment #7) > (In reply to Chris Dumez from comment #6) > > Comment on attachment 374386 [details] > > Patch > > > > View in context: > > https://bugs.webkit.org/attachment.cgi?id=374386&action=review > > > > > Source/WebKit/WebProcess/WebPage/WebPage.cpp:6600 > > > + if (!corePage()->speechSynthesisClient()) > > > > Please see my comment on the previous patch. > > Yes, I believe you are right. The reason for the crash is probably that > m_currentSpeechUtterance in SpeechSynthesis is null. I will update the patch. This is what I said on the radar yesterday :) > > Thanks for reviewing, everybody!
Brent Fulgham
Comment 9 2019-07-18 09:48:38 PDT
Comment on attachment 374386 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=374386&action=review >>>> Source/WebKit/WebProcess/WebPage/WebPage.cpp:6600 >>>> + if (!corePage()->speechSynthesisClient()) >>> >>> Please see my comment on the previous patch. >> >> Yes, I believe you are right. The reason for the crash is probably that m_currentSpeechUtterance in SpeechSynthesis is null. I will update the patch. >> >> Thanks for reviewing, everybody! > > This is what I said on the radar yesterday :) We do seem to have other cases where corePage() is nullptr checked, but perhaps those checks should not be present. Does the IPC layer not protect against return messages being sent to a WebContent process that is closing down? Maybe we are hitting the crash when something racy happens between the start of an async speech call, and the return message comes back when the process has terminated...
Per Arne Vollan
Comment 10 2019-07-18 13:45:24 PDT
Created attachment 374411 [details] Patch
Per Arne Vollan
Comment 11 2019-07-18 13:47:42 PDT
Comment on attachment 374411 [details] Patch Thanks for reviewing!
Brent Fulgham
Comment 12 2019-07-18 14:24:21 PDT
Comment on attachment 374411 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=374411&action=review > Source/WebCore/Modules/speech/SpeechSynthesis.cpp:255 > { I wonder if we hit this code when SpeechSynthesis::handleSpeakingCompleted() calls fireEvent with an error state?
WebKit Commit Bot
Comment 13 2019-07-18 14:41:34 PDT
The commit-queue encountered the following flaky tests while processing attachment 374411 [details]: storage/indexeddb/dont-wedge.html bug 199883 (authors: beidson@apple.com, commit-queue@webkit.org, dgrogan@chromium.org, and mark.lam@apple.com) The commit-queue is continuing to process your patch.
WebKit Commit Bot
Comment 14 2019-07-18 14:42:20 PDT
Comment on attachment 374411 [details] Patch Clearing flags on attachment: 374411 Committed r247620: <https://trac.webkit.org/changeset/247620>
WebKit Commit Bot
Comment 15 2019-07-18 14:42:22 PDT
All reviewed patches have been landed. Closing bug.
chris fleizach
Comment 16 2019-07-18 14:56:34 PDT
I'll add even with these changes, I'm hitting a lot of asserts and and debug asserts. working through it with rdar://53235469
Note You need to log in before you can comment on or make changes to this bug.