Bug 199907

Summary: Crash under WebPage::boundaryEventOccurred
Product: WebKit Reporter: Per Arne Vollan <pvollan>
Component: WebKit Misc.Assignee: Per Arne Vollan <pvollan>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, cdumez, cfleizach, commit-queue, ggaren, rniwa, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch
none
Patch none

Description Per Arne Vollan 2019-07-18 08:00:52 PDT 
A nullptr check is needed in this method.
Comment 1 Per Arne Vollan 2019-07-18 08:02:19 PDT 
Created attachment 374384 [details]
Patch
Comment 2 Per Arne Vollan 2019-07-18 08:06:41 PDT 
rdar://problem/53189800
Comment 3 Geoffrey Garen 2019-07-18 08:20:44 PDT 
Comment on attachment 374384 [details]
Patch

Under what conditions can corePage() be null? I don't see anything that would ever clear it (except for the WebPage destructor).

If the error here is use after free of WebPage, I think we need a different fix.
Comment 4 Per Arne Vollan 2019-07-18 08:40:50 PDT 
Created attachment 374386 [details]
Patch
Comment 5 Chris Dumez 2019-07-18 08:40:58 PDT 
Comment on attachment 374384 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=374384&action=review

> Source/WebKit/WebProcess/WebPage/WebPage.cpp:6600
> +    if (!corePage() || !corePage()->speechSynthesisClient())

I agree with Geoff, I do not see how corePage() can be null unless we're in the WebPage destructor.

Can you also clarify how Page::speechSynthesisClient() can return null here? It never seems to get nulled out inside Page, and it seems to get initialized unconditionally (as long as ENABLED(SPEECH_SYNTHESIS)):
#if ENABLE(SPEECH_SYNTHESIS)
    pageConfiguration.speechSynthesisClient = std::make_unique<WebSpeechSynthesisClient>(*this);
#endif
Comment 6 Chris Dumez 2019-07-18 08:41:12 PDT 
Comment on attachment 374386 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=374386&action=review

> Source/WebKit/WebProcess/WebPage/WebPage.cpp:6600
> +    if (!corePage()->speechSynthesisClient())

Please see my comment on the previous patch.
Comment 7 Per Arne Vollan 2019-07-18 08:53:44 PDT 
(In reply to Chris Dumez from comment #6)
> Comment on attachment 374386 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=374386&action=review
> 
> > Source/WebKit/WebProcess/WebPage/WebPage.cpp:6600
> > +    if (!corePage()->speechSynthesisClient())
> 
> Please see my comment on the previous patch.

Yes, I believe you are right. The reason for the crash is probably that m_currentSpeechUtterance in SpeechSynthesis is null. I will update the patch.

Thanks for reviewing, everybody!
Comment 8 Chris Dumez 2019-07-18 08:54:48 PDT 
(In reply to Per Arne Vollan from comment #7)
> (In reply to Chris Dumez from comment #6)
> > Comment on attachment 374386 [details]
> > Patch
> > 
> > View in context:
> > https://bugs.webkit.org/attachment.cgi?id=374386&action=review
> > 
> > > Source/WebKit/WebProcess/WebPage/WebPage.cpp:6600
> > > +    if (!corePage()->speechSynthesisClient())
> > 
> > Please see my comment on the previous patch.
> 
> Yes, I believe you are right. The reason for the crash is probably that
> m_currentSpeechUtterance in SpeechSynthesis is null. I will update the patch.

This is what I said on the radar yesterday :)

> 
> Thanks for reviewing, everybody!
Comment 9 Brent Fulgham 2019-07-18 09:48:38 PDT 
Comment on attachment 374386 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=374386&action=review

>>>> Source/WebKit/WebProcess/WebPage/WebPage.cpp:6600
>>>> +    if (!corePage()->speechSynthesisClient())
>>> 
>>> Please see my comment on the previous patch.
>> 
>> Yes, I believe you are right. The reason for the crash is probably that m_currentSpeechUtterance in SpeechSynthesis is null. I will update the patch.
>> 
>> Thanks for reviewing, everybody!
> 
> This is what I said on the radar yesterday :)

We do seem to have other cases where corePage() is nullptr checked, but perhaps those checks should not be present.

Does the IPC layer not protect against return messages being sent to a WebContent process that is closing down? Maybe we are hitting the crash when something racy happens between the start of an async speech call, and the return message comes back when the process has terminated...
Comment 10 Per Arne Vollan 2019-07-18 13:45:24 PDT 
Created attachment 374411 [details]
Patch
Comment 11 Per Arne Vollan 2019-07-18 13:47:42 PDT 
Comment on attachment 374411 [details]
Patch

Thanks for reviewing!
Comment 12 Brent Fulgham 2019-07-18 14:24:21 PDT 
Comment on attachment 374411 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=374411&action=review

> Source/WebCore/Modules/speech/SpeechSynthesis.cpp:255
>  {

I wonder if we hit this code when SpeechSynthesis::handleSpeakingCompleted() calls fireEvent with an error state?
Comment 13 WebKit Commit Bot 2019-07-18 14:41:34 PDT 
The commit-queue encountered the following flaky tests while processing attachment 374411 [details]:

storage/indexeddb/dont-wedge.html bug 199883 (authors: beidson@apple.com, commit-queue@webkit.org, dgrogan@chromium.org, and mark.lam@apple.com)
The commit-queue is continuing to process your patch.
Comment 14 WebKit Commit Bot 2019-07-18 14:42:20 PDT 
Comment on attachment 374411 [details]
Patch

Clearing flags on attachment: 374411

Committed r247620: <https://trac.webkit.org/changeset/247620>
Comment 15 WebKit Commit Bot 2019-07-18 14:42:22 PDT 
All reviewed patches have been landed.  Closing bug.
Comment 16 chris fleizach 2019-07-18 14:56:34 PDT 
I'll add even with these changes, I'm hitting a lot of asserts and and debug asserts. working through it with rdar://53235469