Bug 204796

Summary: [iOS 13] Crash in NetworkProcessProxy::takeUploadAssertion
Product: WebKit
Reporter: Ali Juma <ajuma>
Component: Page Loading
Assignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED
Severity: Normal
CC: achristensen, beidson, cdumez, commit-queue, ggaren, youennf
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch none

Ali Juma
Reported 2019-12-03 08:33:48 PST
Chrome for iOS is getting a moderate number of crashes reported in NetworkProcessProxy::takeUploadAssertion, which seem to be from WebProcessPool::setWebProcessHasUploads calling takeUploadAssertion on a null m_networkProcess.

We don't have steps to reproduce, but this happens most commonly on https://www.homedepot.com, on various product pages and search pages (e.g., https://www.homedepot.com/p/Supreme-Oil-Supreme-Deep-Frying-Oil-with-PNT-Oil-384-fl-oz-1879/202532163, https://www.homedepot.com/s/fence%2520staples?searchtype=suggest&NCNI-5).

All reports are from iOS 13.0 and above, including 13.3 beta.

Would checking for a null m_networkProcess in WebProcessPool::setWebProcessHasUploads be an appropriate fix?

Here's a crash stack:

EXC_BAD_ACCESS / KERN_INVALID_ADDRESS @ 0x00000020 ]
0x00000001cb9d6958 (WebKit + 0x00329958 ) WebKit::NetworkProcessProxy::takeUploadAssertion()
0x00000001cb93f6cc (WebKit + 0x002926cc ) WebKit::WebProcessPool::setWebProcessHasUploads(WTF::ObjectIdentifier<WebCore::ProcessIdentifierType>)
0x00000001cb93f6cc (WebKit + 0x002926cc ) WebKit::WebProcessPool::setWebProcessHasUploads(WTF::ObjectIdentifier<WebCore::ProcessIdentifierType>)
0x00000001cbba9bdc (WebKit + 0x004fcbdc ) WebKit::WebProcessPool::didReceiveMessage(IPC::Connection&, IPC::Decoder&)
0x00000001cb6f50e4 (WebKit + 0x000480e4 ) IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&)
0x00000001cb94264c (WebKit + 0x0029564c ) WebKit::WebProcessProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&)
0x00000001cb6df73c (WebKit + 0x0003273c ) IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)
0x00000001cb6e258c (WebKit + 0x0003558c ) IPC::Connection::dispatchIncomingMessages()
0x00000001d2da4a68 (JavaScriptCore + 0x00036a68 ) WTF::RunLoop::performWork()
0x00000001d2da4d28 (JavaScriptCore + 0x00036d28 ) WTF::RunLoop::performWork(void*)
Attachments
Patch (1.93 KB, patch)
2020-02-28 13:06 PST, Chris Dumez
no flags
Chris Dumez
Comment 1 2019-12-03 08:43:37 PST
(In reply to Ali Juma from comment #0)
> Chrome for iOS is getting a moderate number of crashes reported in
> NetworkProcessProxy::takeUploadAssertion, which seem to be from
> WebProcessPool::setWebProcessHasUploads calling takeUploadAssertion on a
> null m_networkProcess.
>
> We don't have steps to reproduce, but this happens most commonly on
> https://www.homedepot.com, on various product pages and search pages (e.g.,
> https://www.homedepot.com/p/Supreme-Oil-Supreme-Deep-Frying-Oil-with-PNT-Oil-384-fl-oz-1879/202532163,
> https://www.homedepot.com/s/fence%2520staples?searchtype=suggest&NCNI-5).
>
> All reports are from iOS 13.0 and above, including 13.3 beta.
>
> Would checking for a null m_networkProcess in
> WebProcessPool::setWebProcessHasUploads be an appropriate fix?

In my opinion, we should call ensureNetworkProcess() instead of doing a null-check, but Brady wrote this piece of code I believe so he may know better.
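The two options raised in comment 0 and comment 1, as an added example that is not part of the bug thread and not WebKit's source: a simplified C++ model in which the class and function names come from the report, while every function body, the `pid` parameter and the `m_uploading` set are assumptions. It shows that a null check avoids the crash but leaves the pool recording an upload with no assertion held, whereas the ensure variant takes the assertion.

```cpp
// Simplified model, not WebKit source: names mirror the bug report,
// bodies are assumptions made for illustration.
#include <cstddef>
#include <cstdio>
#include <memory>
#include <set>

struct NetworkProcessProxy {
    bool holdsUploadAssertion = false;
    void takeUploadAssertion() { holdsUploadAssertion = true; }
};

class WebProcessPool {
public:
    // Reported pattern: no check before the call. With m_networkProcess null
    // this is undefined behaviour, so it is never called below.
    void setWebProcessHasUploadsUnchecked(int pid) {
        m_uploading.insert(pid);
        m_networkProcess->takeUploadAssertion();
    }
    // Option 1, null check: no crash, but the assertion is silently skipped.
    void setWebProcessHasUploadsNullChecked(int pid) {
        m_uploading.insert(pid);
        if (m_networkProcess)
            m_networkProcess->takeUploadAssertion();
    }
    // Option 2, ensure: create the proxy if needed, then take the assertion.
    void setWebProcessHasUploadsEnsured(int pid) {
        m_uploading.insert(pid);
        ensureNetworkProcess().takeUploadAssertion();
    }
    NetworkProcessProxy& ensureNetworkProcess() {
        if (!m_networkProcess)
            m_networkProcess = std::make_unique<NetworkProcessProxy>();
        return *m_networkProcess;
    }
    bool uploadAssertionHeld() const { return m_networkProcess && m_networkProcess->holdsUploadAssertion; }
    std::size_t uploadingCount() const { return m_uploading.size(); }
private:
    std::unique_ptr<NetworkProcessProxy> m_networkProcess; // null until ensured
    std::set<int> m_uploading; // hypothetical bookkeeping of uploading processes
};

int main() {
    WebProcessPool nullChecked, ensured;
    nullChecked.setWebProcessHasUploadsNullChecked(1);
    ensured.setWebProcessHasUploadsEnsured(1);
    std::printf("null check: held=%d  ensure: held=%d\n", nullChecked.uploadAssertionHeld(), ensured.uploadAssertionHeld());
    return 0;
}
```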
Alexey Proskuryakov
Comment 2 2019-12-04 00:11:34 PST
Chris Dumez
Comment 3 2020-02-28 13:06:58 PST
WebKit Commit Bot
Comment 4 2020-02-28 17:25:51 PST
Comment on attachment 392009
Patch

Clearing flags on attachment: 392009

Committed r257675: <https://trac.webkit.org/changeset/257675>
WebKit Commit Bot
Comment 5 2020-02-28 17:25:53 PST
All reviewed patches have been landed. Closing bug.