Bug 213526

Summary: REGRESSION (r263328): Crash in bool WTF::WeakHashSet<WebKit::AudioSessionRoutingArbitratorProxy, WTF::EmptyCounter>::contains<WebKit::AudioSessionRoutingArbitratorProxy> const
Product: WebKit Reporter: Jer Noble <jer.noble>
Component: New BugsAssignee: Jer Noble <jer.noble>
Status: RESOLVED FIXED    
Severity: Normal CC: eric.carlson, ews-watchlist, glenn, peng.liu6, philipj, sergio, slewis, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch
none
Patch none

Jer Noble
Reported 2020-06-23 12:29:30 PDT
REGRESSION (r263328): Crash in bool WTF::WeakHashSet<WebKit::AudioSessionRoutingArbitratorProxy, WTF::EmptyCounter>::contains<WebKit::AudioSessionRoutingArbitratorProxy> const
Attachments
Patch (2.76 KB, patch)
2020-06-23 12:31 PDT, Jer Noble 		no flags
DetailsFormatted DiffDiff
Patch (2.76 KB, patch)
2020-06-23 13:53 PDT, Jer Noble 		no flags
DetailsFormatted DiffDiff
Patch (1.60 KB, patch)
2020-06-23 23:34 PDT, Jer Noble 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Jer Noble
Comment 1 2020-06-23 12:30:04 PDT
<rdar://problem/64591777>
Jer Noble
Comment 2 2020-06-23 12:31:57 PDT
Created attachment 402582 [details] Patch
Jer Noble
Comment 3 2020-06-23 13:53:42 PDT
Created attachment 402588 [details] Patch
Jer Noble
Comment 4 2020-06-23 15:20:49 PDT
No crashes when running tests locally.
Jer Noble
Comment 5 2020-06-23 23:17:09 PDT
Whelp, I updated sources, re-built, and re-ran tests and crashes aplenty. The crash log shows an assertion in the UniqueRef operator->() called from WebProcessProxy::shutDown(). So the underlying cause /must/ be that WebProcessProxy was dealloc'd (and it's UniqueRef member's destructor called) sometime before shutDown().
Jer Noble
Comment 6 2020-06-23 23:19:46 PDT
Oh! I bet WebProcessPool::disconnectProcess(WebProcessProxy*) has the side-effect of destroying the WebProcessProxy! And the next line is the UniqueRef operator->() which is showing a crash result. That means the underlying problem has nothing to do with the ASSERT in the patch above, but instead that any call after disconnectProcess(this) is a potential unsafe access of freed memory.
Jer Noble
Comment 7 2020-06-23 23:34:39 PDT
Created attachment 402624 [details] Patch
Jer Noble
Comment 8 2020-06-23 23:55:26 PDT
The above fix definitely eliminated all the crashes seen previously when running run-webkit-tests against a release build.
EWS
Comment 9 2020-06-24 08:24:50 PDT
Committed r263456: <https://trac.webkit.org/changeset/263456> All reviewed patches have been landed. Closing bug and clearing flags on attachment 402624 [details].
Note You need to log in before you can comment on or make changes to this bug.