Bug 219867

Summary: [GPUProcess] Crash in SharedRingBufferStorage::setStorage() under GuardMalloc
Product: WebKit Reporter: Chris Dumez <cdumez>
Component: WebAssemblyAssignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED    
Severity: Normal CC: darin, eric.carlson, ews-watchlist, ggaren, glenn, jer.noble, peng.liu6, philipj, sergio, webkit-bug-importer, youennf
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://bugs.webkit.org/show_bug.cgi?id=219859
Bug Depends on:    
Bug Blocks: 219818    
Attachments:
Description Flags
Patch
none
Patch
none
Patch
none
Patch none

Chris Dumez
Reported 2020-12-14 11:38:39 PST
Crash in SharedRingBufferStorage::setStorage() under GuardMalloc when running WebAudio tests: Thread 0 Crashed: 0 com.apple.WebKit 0x00000001108a36ee WebKit::SharedRingBufferStorage::setStorage(WTF::RefPtr<WebKit::SharedMemory, WTF::RawPtrTraits<WebKit::SharedMemory>, WTF::DefaultRefDerefTraits<WebKit::SharedMemory> >&&) + 206 (SharedRingBufferStorage.cpp:38) 1 com.apple.WebKit 0x00000001108a3888 WebKit::SharedRingBufferStorage::deallocate() + 56 (SharedRingBufferStorage.cpp:59) 2 com.apple.WebCore 0x0000000121d25a15 WebCore::CARingBuffer::deallocate() + 37 (CARingBuffer.cpp:89) 3 com.apple.WebCore 0x0000000121d259bc WebCore::CARingBuffer::~CARingBuffer() + 28 (CARingBuffer.cpp:53) 4 com.apple.WebCore 0x0000000121d25aa5 WebCore::CARingBuffer::~CARingBuffer() + 21 (CARingBuffer.cpp:52) 5 com.apple.WebCore 0x000000011de61e2b std::__1::default_delete<WebCore::CARingBuffer>::operator()(WebCore::CARingBuffer*) const + 43 (memory:2368) 6 com.apple.WebCore 0x000000011de61daf std::__1::unique_ptr<WebCore::CARingBuffer, std::__1::default_delete<WebCore::CARingBuffer> >::reset(WebCore::CARingBuffer*) + 95 (memory:2623) 7 com.apple.WebCore 0x000000011de61d49 std::__1::unique_ptr<WebCore::CARingBuffer, std::__1::default_delete<WebCore::CARingBuffer> >::~unique_ptr() + 25 (memory:2577) 8 com.apple.WebCore 0x000000011de5bf25 std::__1::unique_ptr<WebCore::CARingBuffer, std::__1::default_delete<WebCore::CARingBuffer> >::~unique_ptr() + 21 (memory:2577) 9 com.apple.WebCore 0x000000011de5c18a WebCore::AudioSourceProviderAVFObjC::~AudioSourceProviderAVFObjC() + 330 (AudioSourceProviderAVFObjC.mm:95) 10 com.apple.WebCore 0x000000011de5c495 WebCore::AudioSourceProviderAVFObjC::~AudioSourceProviderAVFObjC() + 21 (AudioSourceProviderAVFObjC.mm:87) 11 com.apple.WebCore 0x000000011de5c4bc WebCore::AudioSourceProviderAVFObjC::~AudioSourceProviderAVFObjC() + 28 (AudioSourceProviderAVFObjC.mm:87) 12 com.apple.WebCore 0x000000011de61744 WTF::ThreadSafeRefCounted<WebCore::AudioSourceProviderAVFObjC, (WTF::DestructionThread)0>::deref() const::'lambda'()::operator()() const + 52 (ThreadSafeRefCounted.h:117) 13 com.apple.WebCore 0x000000011de616fd WTF::ThreadSafeRefCounted<WebCore::AudioSourceProviderAVFObjC, (WTF::DestructionThread)0>::deref() const + 61 (ThreadSafeRefCounted.h:135) 14 com.apple.WebCore 0x000000011e2108a7 WTF::DefaultRefDerefTraits<WebCore::AudioSourceProviderAVFObjC>::derefIfNotNull(WebCore::AudioSourceProviderAVFObjC*) + 55 (RefPtr.h:42) 15 com.apple.WebCore 0x000000011e210869 WTF::RefPtr<WebCore::AudioSourceProviderAVFObjC, WTF::RawPtrTraits<WebCore::AudioSourceProviderAVFObjC>, WTF::DefaultRefDerefTraits<WebCore::AudioSourceProviderAVFObjC> >::~RefPtr() + 41 (RefPtr.h:73) 16 com.apple.WebCore 0x000000011e1e9015 WTF::RefPtr<WebCore::AudioSourceProviderAVFObjC, WTF::RawPtrTraits<WebCore::AudioSourceProviderAVFObjC>, WTF::DefaultRefDerefTraits<WebCore::AudioSourceProviderAVFObjC> >::~RefPtr() + 21 (RefPtr.h:73) 17 com.apple.WebCore 0x000000011e1e95eb WebCore::MediaPlayerPrivateAVFoundationObjC::~MediaPlayerPrivateAVFoundationObjC() + 1307 (MediaPlayerPrivateAVFoundationObjC.mm:457) 18 com.apple.WebCore 0x000000011e1ea925 WebCore::MediaPlayerPrivateAVFoundationObjC::~MediaPlayerPrivateAVFoundationObjC() + 21 (MediaPlayerPrivateAVFoundationObjC.mm:443) 19 com.apple.WebCore 0x000000011e1ea98c WebCore::MediaPlayerPrivateAVFoundationObjC::~MediaPlayerPrivateAVFoundationObjC() + 28 (MediaPlayerPrivateAVFoundationObjC.mm:443) 20 com.apple.WebCore 0x0000000121e5eebf std::__1::default_delete<WebCore::MediaPlayerPrivateInterface>::operator()(WebCore::MediaPlayerPrivateInterface*) const + 47 (memory:2368) 21 com.apple.WebCore 0x0000000121e5ee3f std::__1::unique_ptr<WebCore::MediaPlayerPrivateInterface, std::__1::default_delete<WebCore::MediaPlayerPrivateInterface> >::reset(WebCore::MediaPlayerPrivateInterface*) + 95 (memory:2623) 22 com.apple.WebCore 0x0000000121e5edd9 std::__1::unique_ptr<WebCore::MediaPlayerPrivateInterface, std::__1::default_delete<WebCore::MediaPlayerPrivateInterface> >::~unique_ptr() + 25 (memory:2577) 23 com.apple.WebCore 0x0000000121e432a5 std::__1::unique_ptr<WebCore::MediaPlayerPrivateInterface, std::__1::default_delete<WebCore::MediaPlayerPrivateInterface> >::~unique_ptr() + 21 (memory:2577) 24 com.apple.WebCore 0x0000000121e43261 WebCore::MediaPlayer::~MediaPlayer() + 241 (MediaPlayer.cpp:424) 25 com.apple.WebCore 0x0000000121e432e5 WebCore::MediaPlayer::~MediaPlayer() + 21 (MediaPlayer.cpp:422) 26 com.apple.WebCore 0x0000000121e4330c WebCore::MediaPlayer::~MediaPlayer() + 28 (MediaPlayer.cpp:422) 27 com.apple.WebKit 0x00000001101db91f std::__1::default_delete<WebCore::MediaPlayer>::operator()(WebCore::MediaPlayer*) const + 47 (memory:2368) 28 com.apple.WebKit 0x00000001101db8e2 WTF::RefCounted<WebCore::MediaPlayer, std::__1::default_delete<WebCore::MediaPlayer> >::deref() const + 66 (RefCounted.h:190) 29 com.apple.WebKit 0x00000001101db867 WTF::DefaultRefDerefTraits<WebCore::MediaPlayer>::derefIfNotNull(WebCore::MediaPlayer*) + 55 (RefPtr.h:42) 30 com.apple.WebKit 0x00000001101db829 WTF::RefPtr<WebCore::MediaPlayer, WTF::RawPtrTraits<WebCore::MediaPlayer>, WTF::DefaultRefDerefTraits<WebCore::MediaPlayer> >::~RefPtr() + 41 (RefPtr.h:73) 31 com.apple.WebKit 0x00000001101b4d75 WTF::RefPtr<WebCore::MediaPlayer, WTF::RawPtrTraits<WebCore::MediaPlayer>, WTF::DefaultRefDerefTraits<WebCore::MediaPlayer> >::~RefPtr() + 21 (RefPtr.h:73) 32 com.apple.WebKit 0x0000000110239a53 WebKit::RemoteMediaPlayerProxy::~RemoteMediaPlayerProxy() + 307 (RemoteMediaPlayerProxy.cpp:93)
Attachments
Patch (21.66 KB, patch)
2020-12-14 12:30 PST, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Patch (21.61 KB, patch)
2020-12-14 12:32 PST, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Patch (21.61 KB, patch)
2020-12-14 12:40 PST, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Patch (21.61 KB, patch)
2020-12-14 13:15 PST, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Show Obsolete (3) View All Add attachment proposed patch, testcase, etc.
Chris Dumez
Comment 1 2020-12-14 12:30:42 PST
Created attachment 416183 [details] Patch
Chris Dumez
Comment 2 2020-12-14 12:32:00 PST
Created attachment 416185 [details] Patch
Darin Adler
Comment 3 2020-12-14 12:36:44 PST
Comment on attachment 416185 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=416185&action=review > Source/WebKit/GPUProcess/media/RemoteAudioSourceProviderProxy.cpp:64 > + auto ringBuffer = makeUniqueRef<CARingBuffer>(makeUniqueRef<SharedRingBufferStorage>([this, protectedThis = makeRef(*this)](SharedMemory* memory) mutable { > + storageChanged(memory); > + })); I might have written: protectedThis->storageChanged(memory); And then not captured "this".
Chris Dumez
Comment 4 2020-12-14 12:40:03 PST
Created attachment 416186 [details] Patch
Chris Dumez
Comment 5 2020-12-14 12:40:22 PST
(In reply to Darin Adler from comment #3) > Comment on attachment 416185 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=416185&action=review > > > Source/WebKit/GPUProcess/media/RemoteAudioSourceProviderProxy.cpp:64 > > + auto ringBuffer = makeUniqueRef<CARingBuffer>(makeUniqueRef<SharedRingBufferStorage>([this, protectedThis = makeRef(*this)](SharedMemory* memory) mutable { > > + storageChanged(memory); > > + })); > > I might have written: > > protectedThis->storageChanged(memory); > > And then not captured "this". Done.
Peng Liu
Comment 6 2020-12-14 13:00:28 PST
Comment on attachment 416186 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=416186&action=review > Source/WebKit/ChangeLog:15 > + of the CARingBuffer is not tried to the lifetime of RemoteAudioSourceProviderProxy. Nit. s/tried/tied/
Chris Dumez
Comment 7 2020-12-14 13:15:01 PST
Created attachment 416190 [details] Patch
EWS
Comment 8 2020-12-14 14:10:22 PST
Committed r270804: <https://trac.webkit.org/changeset/270804> All reviewed patches have been landed. Closing bug and clearing flags on attachment 416190 [details].
Radar WebKit Bug Importer
Comment 9 2020-12-14 14:11:24 PST
<rdar://problem/72313619>
Note You need to log in before you can comment on or make changes to this bug.