Bug 200378

Summary: [Curl] Crash while destructing a URL in ~SocketStreamHandle due to data race
Product: WebKit
Reporter: Fujii Hironori <Hironori.Fujii>
Component: Platform
Assignee: Fujii Hironori <Hironori.Fujii>
Status: RESOLVED FIXED
Severity: Normal
CC: basuke, commit-queue, don.olmstead, ross.kirsling, takashi.komori, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=200266

Fujii Hironori
Reported 2019-08-01 20:19:55 PDT
[Curl] double free of URL in ~SocketStreamHandle

python ./Tools/Scripts/run-webkit-tests --debug --wincairo --no-new-test-results --fully-parallel --iterations=50 http/tests/websocket/tests/hybi

> Frame[00] Triage Symbol: [ntdll!RtlReportFatalFailure+0x9]
> Frame[01] Ignore Symbol: [ntdll!RtlReportCriticalFailure+0x97]
> Frame[02] Ignore Symbol: [ntdll!RtlpHeapHandleError+0x12]
> Frame[03] Triage Symbol: [ntdll!RtlpHpHeapHandleError+0x7a]
> Frame[04] Ignore Symbol: [ntdll!RtlpLogHeapFailure+0x45]
> Frame[05] Triage Symbol: [ntdll!RtlpFreeHeapInternal+0x80d]
> Frame[06] Ignore Symbol: [ntdll!RtlFreeHeap+0x51]
> Frame[07] Triage Symbol: [ucrtbase!_free_base+0x1b]
> Frame[08] Ignore Symbol: [WTF!WTF::fastFree+0x14]
> Frame[09] Triage Symbol: [WTF!WTF::StringImpl::destroy+0x1d]
> Frame[0a] Triage Symbol: [WTF!WTF::StringImpl::deref+0x31]
> Frame[0b] Triage Symbol: [WTF!WTF::derefIfNotNull<WTF::StringImpl>+0x1f]
> Frame[0c] Triage Symbol: [WTF!WTF::RefPtr<WTF::StringImpl,WTF::DumbPtrTraits<WTF::StringImpl> >::~RefPtr+0x38]
> Frame[0d] Triage Symbol: [WTF!WTF::String::~String+0x13]
> Frame[0e] Triage Symbol: [WTF!WTF::URL::~URL+0x13]
> Frame[0f] Triage Symbol: [WebKit2!WebCore::SocketStreamHandle::~SocketStreamHandle+0x22]
> Frame[10] Triage Symbol: [WebKit2!WebCore::SocketStreamHandleImpl::~SocketStreamHandleImpl+0xba]
> Frame[11] Triage Symbol: [WebKit2!WebCore::SocketStreamHandleImpl::~SocketStreamHandleImpl+0x2c]
> Frame[12] Triage Symbol: [WebKit2!WTF::ThreadSafeRefCounted<WebCore::SocketStreamHandle,WTF::DestructionThread::Main>::deref::<unnamed-tag>::operator+0x41]
> Frame[13] Triage Symbol: [WebKit2!WTF::ThreadSafeRefCounted<WebCore::SocketStreamHandle,WTF::DestructionThread::Main>::deref+0x8f]
> Frame[14] Triage Symbol: [WebKit2!WTF::Ref<WebCore::SocketStreamHandleImpl,WTF::DumbPtrTraits<WebCore::SocketStreamHandleImpl> >::~Ref+0x33]
> Frame[15] Triage Symbol: [WebKit2!WebKit::NetworkSocketStream::~NetworkSocketStream+0x49]
> Frame[16] Triage Symbol: [WebKit2!WebKit::NetworkSocketStream::~NetworkSocketStream+0x2c]
> Frame[17] Triage Symbol: [WebKit2!WTF::RefCounted<WebKit::NetworkSocketStream>::deref+0x60]
> Frame[18] Triage Symbol: [WebKit2!WTF::derefIfNotNull<WebKit::NetworkSocketStream>+0x26]
> Frame[19] Triage Symbol: [WebKit2!WTF::RefPtr<WebKit::NetworkSocketStream,WTF::DumbPtrTraits<WebKit::NetworkSocketStream> >::~RefPtr+0x38]
> Frame[1a] Triage Symbol: [WebKit2!WTF::KeyValuePairHashTraits<WTF::HashTraits<unsigned long long>,WTF::HashTraits<WTF::RefPtr<WebKit::NetworkSocketStream,WTF::DumbPtrTraits<WebKit::NetworkSocketStream> > > >::customDeleteBucket+0x21]
> Frame[1b] Triage Symbol: [WebKit2!WTF::hashTraitsDeleteBucket<WTF::HashMap<unsigned long long,WTF::RefPtr<WebKit::NetworkSocketStream,WTF::DumbPtrTraits<WebKit::NetworkSocketStream> >,WTF::IntHash<unsigned long long>,WTF::HashTraits<unsigned long long>,WTF::HashTraits<WTF::RefPtr<WebKit::Netw+0x13]
> Frame[1c] Triage Symbol: [WebKit2!WTF::HashTable<unsigned long long,WTF::KeyValuePair<unsigned long long,WTF::RefPtr<WebKit::NetworkSocketStream,WTF::DumbPtrTraits<WebKit::NetworkSocketStream> > >,WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<unsigned long long,WTF::RefPtr<WebKit::NetworkSo+0x13]
> Frame[1d] Triage Symbol: [WebKit2!WTF::HashTable<unsigned long long,WTF::KeyValuePair<unsigned long long,WTF::RefPtr<WebKit::NetworkSocketStream,WTF::DumbPtrTraits<WebKit::NetworkSocketStream> > >,WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<unsigned long long,WTF::RefPtr<WebKit::NetworkSo+0x25]
> Frame[1e] Triage Symbol: [WebKit2!WTF::HashTable<unsigned long long,WTF::KeyValuePair<unsigned long long,WTF::RefPtr<WebKit::NetworkSocketStream,WTF::DumbPtrTraits<WebKit::NetworkSocketStream> > >,WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<unsigned long long,WTF::RefPtr<WebKit::NetworkSo+0x2c]
> Frame[1f] Triage Symbol: [WebKit2!WTF::HashTable<unsigned long long,WTF::KeyValuePair<unsigned long long,WTF::RefPtr<WebKit::NetworkSocketStream,WTF::DumbPtrTraits<WebKit::NetworkSocketStream> > >,WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<unsigned long long,WTF::RefPtr<WebKit::NetworkSo+0x84]
> Frame[20] Triage Symbol: [WebKit2!WTF::HashMap<unsigned long long,WTF::RefPtr<WebKit::NetworkSocketStream,WTF::DumbPtrTraits<WebKit::NetworkSocketStream> >,WTF::IntHash<unsigned long long>,WTF::HashTraits<unsigned long long>,WTF::HashTraits<WTF::RefPtr<WebKit::NetworkSocketStream,WTF::DumbPtr+0xae]
> Frame[21] Triage Symbol: [WebKit2!WTF::HashMap<unsigned long long,WTF::RefPtr<WebKit::NetworkSocketStream,WTF::DumbPtrTraits<WebKit::NetworkSocketStream> >,WTF::IntHash<unsigned long long>,WTF::HashTraits<unsigned long long>,WTF::HashTraits<WTF::RefPtr<WebKit::NetworkSocketStream,WTF::DumbPtr+0x48]
> Frame[22] Triage Symbol: [WebKit2!WebKit::NetworkConnectionToWebProcess::didReceiveMessage+0x342]
> Frame[23] Triage Symbol: [WebKit2!IPC::Connection::dispatchMessage+0x226]
> Frame[24] Triage Symbol: [WebKit2!IPC::Connection::dispatchMessage+0x295]
> Frame[25] Triage Symbol: [WebKit2!IPC::Connection::dispatchOneIncomingMessage+0x11d]
> Frame[26] Triage Symbol: [WebKit2!IPC::Connection::enqueueIncomingMessage::<unnamed-tag>::operator+0x5c]
> Frame[27] Triage Symbol: [WebKit2!WTF::Detail::CallableWrapper<`lambda at ..\..\Source\WebKit\Platform\IPC\Connection.cpp:974:30',void>::call+0x17]
> Frame[28] Triage Symbol: [WTF!WTF::Function<void +0x90]
> Frame[29] Triage Symbol: [WTF!WTF::RunLoop::performWork+0x126]
> Frame[2a] Ignore Symbol: [WTF!WTF::RunLoop::wndProc+0x75]
> Frame[2b] Ignore Symbol: [WTF!WTF::RunLoop::RunLoopWndProc+0x59]
> Frame[2c] Triage Symbol: [USER32!UserCallWinProcCheckWow+0x2bd]
> Frame[2d] Triage Symbol: [USER32!DispatchMessageWorker+0x1e2]
> Frame[2e] Triage Symbol: [WTF!WTF::RunLoop::run+0x63]
> Frame[2f] Triage Symbol: [WebKit2!WebKit::AuxiliaryProcessMain<WebKit::NetworkProcess,WebKit::AuxiliaryProcessMainBase>+0xa5]
> Frame[30] Triage Symbol: [WebKit2!WebKit::NetworkProcessMainWin+0x1b]
> Frame[31] Triage Symbol: [WebKitNetworkProcess!main+0x1c]
> Frame[32] Triage Symbol: [WebKitNetworkProcess!__scrt_common_main_seh+0x10c]
> Frame[33] Triage Symbol: [KERNEL32!BaseThreadInitThunk+0x14]
> Frame[34] Triage Symbol: [ntdll!RtlUserThreadStart+0x21]
Attachments
CrashLog_45dc_2019-08-02_12-10-23-628.txt (90.24 KB, text/plain)
2019-08-01 20:25 PDT, Fujii Hironori
no flags
Patch (3.17 KB, patch)
2019-08-01 21:04 PDT, Fujii Hironori
no flags
Fujii Hironori
Comment 1 2019-08-01 20:21:10 PDT
URL::isolatedCopy() is called in the worker thread. It should be called in the main thread.
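The discipline Comment 1 refers to, as an added illustration that is not WebKit code: a minimal string type with a plain (non-atomic) reference count modelled on WTF::String/StringImpl, a hand-off where the isolated copy is made on the owning thread before the worker receives it, and a deterministic model of why two non-atomic increments from different threads lose an update and leave the count one short, so a later deref frees the buffer while a reference is still live and the next deref frees it again, which is the heap failure in the trace above. The class and function names (`String`, `StringImpl`, `handOffToWorker`, `interleavedNonAtomicIncrements`) and the sample URL are hypothetical stand-ins chosen for this example.

```cpp
// Added example, not WebKit code. Models why a non-atomic ref-counted string
// must be deep-copied with isolatedCopy() on the thread that owns it before the
// copy is handed to another thread.
#include <cstddef>
#include <cstdio>
#include <string>
#include <thread>
#include <utility>

// Stand-in for WTF::StringImpl: the count is a plain int, as in WTF::RefCounted,
// so it is only safe to touch from one thread at a time.
struct StringImpl {
    int refCount = 1;
    std::string chars;
    explicit StringImpl(std::string s) : chars(std::move(s)) {}
};

// Stand-in for WTF::String: copies share the impl and bump the non-atomic count.
class String {
public:
    String() = default;
    explicit String(std::string s) : m_impl(new StringImpl(std::move(s))) {}
    String(const String& other) : m_impl(other.m_impl) { if (m_impl) ++m_impl->refCount; }
    String(String&& other) noexcept : m_impl(other.m_impl) { other.m_impl = nullptr; }
    String& operator=(const String&) = delete;
    String& operator=(String&&) = delete;
    ~String() { if (m_impl && --m_impl->refCount == 0) delete m_impl; }

    // Deep copy with a fresh impl whose count starts at 1. The result shares
    // nothing with *this, so another thread may own and destroy it freely.
    String isolatedCopy() const { return m_impl ? String(m_impl->chars) : String(); }

    const StringImpl* impl() const { return m_impl; }
    int refCount() const { return m_impl ? m_impl->refCount : 0; }
    std::size_t length() const { return m_impl ? m_impl->chars.size() : 0; }

private:
    StringImpl* m_impl = nullptr;
};

// Correct pattern: the isolated copy is made here, on the owning thread, and
// only that copy crosses into the worker. Returns the length the worker saw.
std::size_t handOffToWorker(const String& url)
{
    String forWorker = url.isolatedCopy();   // url's count is touched only on this thread
    std::size_t seen = 0;
    std::thread worker([copy = std::move(forWorker), &seen]() {
        seen = copy.length();                // the worker only ever touches its own impl
    });                                      // copy is destroyed with the worker's callable
    worker.join();
    return seen;
}

// Deterministic model of the wrong pattern (the isolated copy taken on the
// worker, so both threads increment the owner's count): each ++ is a load,
// add, store, and the two loads happen before either store. Starting from 1
// the caller expects 3 but gets 2; one deref too many later frees the impl
// while a reference is still live, and the next deref frees it again.
int interleavedNonAtomicIncrements(int initialCount)
{
    int count = initialCount;
    int threadARead = count;   // thread A: load
    int threadBRead = count;   // thread B: load, before A has stored
    count = threadARead + 1;   // thread A: store
    count = threadBRead + 1;   // thread B: store, clobbering A's increment
    return count;
}

// Checks on the correct pattern, using a constructed sample URL.
bool isolatedCopyIsIndependent()
{
    String url("wss://example.test/socket");   // constructed sample input
    String copy = url.isolatedCopy();
    return copy.impl() != url.impl() && copy.refCount() == 1 && url.refCount() == 1;
}

bool workerLeavesOwnerCountUntouched()
{
    String url("wss://example.test/socket");   // constructed sample input
    std::size_t seen = handOffToWorker(url);
    return seen == url.length() && url.refCount() == 1;
}

int main()
{
    std::printf("isolated copy independent:        %s\n", isolatedCopyIsIndependent() ? "yes" : "no");
    std::printf("owner count untouched by worker:  %s\n", workerLeavesOwnerCountUntouched() ? "yes" : "no");
    std::printf("two racing ++ from 1 leave count: %d (expected 3)\n", interleavedNonAtomicIncrements(1));
    return 0;
}
```

The model in `interleavedNonAtomicIncrements` is sequential on purpose: a real race is not reproducible on demand, which is why the report needed 50 iterations of the websocket tests to hit it, but the lost update it produces is exactly what a real interleaving of two non-atomic increments does.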
Fujii Hironori
Comment 2 2019-08-01 20:25:48 PDT
Created attachment 375385 [details] CrashLog_45dc_2019-08-02_12-10-23-628.txt
Fujii Hironori
Comment 3 2019-08-01 21:04:41 PDT
WebKit Commit Bot
Comment 4 2019-08-02 14:32:17 PDT
Comment on attachment 375391 [details] Patch
Clearing flags on attachment: 375391
Committed r248182: <https://trac.webkit.org/changeset/248182>
WebKit Commit Bot
Comment 5 2019-08-02 14:32:18 PDT
All reviewed patches have been landed. Closing bug.
Radar WebKit Bug Importer
Comment 6 2019-08-02 14:33:21 PDT
Fujii Hironori
Comment 7 2019-08-04 18:43:59 PDT
*** Bug 200266 has been marked as a duplicate of this bug. ***