Bug 219867

Summary: [GPUProcess] Crash in SharedRingBufferStorage::setStorage() under GuardMalloc
Product: WebKit
Component: WebAssembly
Reporter: Chris Dumez <cdumez>
Assignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED
Severity: Normal
Priority: P2
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Keywords: InRadar
CC: darin, eric.carlson, ews-watchlist, ggaren, glenn, jer.noble, peng.liu6, philipj, sergio, webkit-bug-importer, youennf
See Also: https://bugs.webkit.org/show_bug.cgi?id=219859
Bug Depends on:
Bug Blocks: 219818
Attachments (Description / Flags):
Patch / none
Patch / none
Patch / none
Patch / none

Description Chris Dumez 2020-12-14 11:38:39 PST
Crash in SharedRingBufferStorage::setStorage() under GuardMalloc when running WebAudio tests:

Thread 0 Crashed:
0   com.apple.WebKit              	0x00000001108a36ee WebKit::SharedRingBufferStorage::setStorage(WTF::RefPtr<WebKit::SharedMemory, WTF::RawPtrTraits<WebKit::SharedMemory>, WTF::DefaultRefDerefTraits<WebKit::SharedMemory> >&&) + 206 (SharedRingBufferStorage.cpp:38)
1   com.apple.WebKit              	0x00000001108a3888 WebKit::SharedRingBufferStorage::deallocate() + 56 (SharedRingBufferStorage.cpp:59)
2   com.apple.WebCore             	0x0000000121d25a15 WebCore::CARingBuffer::deallocate() + 37 (CARingBuffer.cpp:89)
3   com.apple.WebCore             	0x0000000121d259bc WebCore::CARingBuffer::~CARingBuffer() + 28 (CARingBuffer.cpp:53)
4   com.apple.WebCore             	0x0000000121d25aa5 WebCore::CARingBuffer::~CARingBuffer() + 21 (CARingBuffer.cpp:52)
5   com.apple.WebCore             	0x000000011de61e2b std::__1::default_delete<WebCore::CARingBuffer>::operator()(WebCore::CARingBuffer*) const + 43 (memory:2368)
6   com.apple.WebCore             	0x000000011de61daf std::__1::unique_ptr<WebCore::CARingBuffer, std::__1::default_delete<WebCore::CARingBuffer> >::reset(WebCore::CARingBuffer*) + 95 (memory:2623)
7   com.apple.WebCore             	0x000000011de61d49 std::__1::unique_ptr<WebCore::CARingBuffer, std::__1::default_delete<WebCore::CARingBuffer> >::~unique_ptr() + 25 (memory:2577)
8   com.apple.WebCore             	0x000000011de5bf25 std::__1::unique_ptr<WebCore::CARingBuffer, std::__1::default_delete<WebCore::CARingBuffer> >::~unique_ptr() + 21 (memory:2577)
9   com.apple.WebCore             	0x000000011de5c18a WebCore::AudioSourceProviderAVFObjC::~AudioSourceProviderAVFObjC() + 330 (AudioSourceProviderAVFObjC.mm:95)
10  com.apple.WebCore             	0x000000011de5c495 WebCore::AudioSourceProviderAVFObjC::~AudioSourceProviderAVFObjC() + 21 (AudioSourceProviderAVFObjC.mm:87)
11  com.apple.WebCore             	0x000000011de5c4bc WebCore::AudioSourceProviderAVFObjC::~AudioSourceProviderAVFObjC() + 28 (AudioSourceProviderAVFObjC.mm:87)
12  com.apple.WebCore             	0x000000011de61744 WTF::ThreadSafeRefCounted<WebCore::AudioSourceProviderAVFObjC, (WTF::DestructionThread)0>::deref() const::'lambda'()::operator()() const + 52 (ThreadSafeRefCounted.h:117)
13  com.apple.WebCore             	0x000000011de616fd WTF::ThreadSafeRefCounted<WebCore::AudioSourceProviderAVFObjC, (WTF::DestructionThread)0>::deref() const + 61 (ThreadSafeRefCounted.h:135)
14  com.apple.WebCore             	0x000000011e2108a7 WTF::DefaultRefDerefTraits<WebCore::AudioSourceProviderAVFObjC>::derefIfNotNull(WebCore::AudioSourceProviderAVFObjC*) + 55 (RefPtr.h:42)
15  com.apple.WebCore             	0x000000011e210869 WTF::RefPtr<WebCore::AudioSourceProviderAVFObjC, WTF::RawPtrTraits<WebCore::AudioSourceProviderAVFObjC>, WTF::DefaultRefDerefTraits<WebCore::AudioSourceProviderAVFObjC> >::~RefPtr() + 41 (RefPtr.h:73)
16  com.apple.WebCore             	0x000000011e1e9015 WTF::RefPtr<WebCore::AudioSourceProviderAVFObjC, WTF::RawPtrTraits<WebCore::AudioSourceProviderAVFObjC>, WTF::DefaultRefDerefTraits<WebCore::AudioSourceProviderAVFObjC> >::~RefPtr() + 21 (RefPtr.h:73)
17  com.apple.WebCore             	0x000000011e1e95eb WebCore::MediaPlayerPrivateAVFoundationObjC::~MediaPlayerPrivateAVFoundationObjC() + 1307 (MediaPlayerPrivateAVFoundationObjC.mm:457)
18  com.apple.WebCore             	0x000000011e1ea925 WebCore::MediaPlayerPrivateAVFoundationObjC::~MediaPlayerPrivateAVFoundationObjC() + 21 (MediaPlayerPrivateAVFoundationObjC.mm:443)
19  com.apple.WebCore             	0x000000011e1ea98c WebCore::MediaPlayerPrivateAVFoundationObjC::~MediaPlayerPrivateAVFoundationObjC() + 28 (MediaPlayerPrivateAVFoundationObjC.mm:443)
20  com.apple.WebCore             	0x0000000121e5eebf std::__1::default_delete<WebCore::MediaPlayerPrivateInterface>::operator()(WebCore::MediaPlayerPrivateInterface*) const + 47 (memory:2368)
21  com.apple.WebCore             	0x0000000121e5ee3f std::__1::unique_ptr<WebCore::MediaPlayerPrivateInterface, std::__1::default_delete<WebCore::MediaPlayerPrivateInterface> >::reset(WebCore::MediaPlayerPrivateInterface*) + 95 (memory:2623)
22  com.apple.WebCore             	0x0000000121e5edd9 std::__1::unique_ptr<WebCore::MediaPlayerPrivateInterface, std::__1::default_delete<WebCore::MediaPlayerPrivateInterface> >::~unique_ptr() + 25 (memory:2577)
23  com.apple.WebCore             	0x0000000121e432a5 std::__1::unique_ptr<WebCore::MediaPlayerPrivateInterface, std::__1::default_delete<WebCore::MediaPlayerPrivateInterface> >::~unique_ptr() + 21 (memory:2577)
24  com.apple.WebCore             	0x0000000121e43261 WebCore::MediaPlayer::~MediaPlayer() + 241 (MediaPlayer.cpp:424)
25  com.apple.WebCore             	0x0000000121e432e5 WebCore::MediaPlayer::~MediaPlayer() + 21 (MediaPlayer.cpp:422)
26  com.apple.WebCore             	0x0000000121e4330c WebCore::MediaPlayer::~MediaPlayer() + 28 (MediaPlayer.cpp:422)
27  com.apple.WebKit              	0x00000001101db91f std::__1::default_delete<WebCore::MediaPlayer>::operator()(WebCore::MediaPlayer*) const + 47 (memory:2368)
28  com.apple.WebKit              	0x00000001101db8e2 WTF::RefCounted<WebCore::MediaPlayer, std::__1::default_delete<WebCore::MediaPlayer> >::deref() const + 66 (RefCounted.h:190)
29  com.apple.WebKit              	0x00000001101db867 WTF::DefaultRefDerefTraits<WebCore::MediaPlayer>::derefIfNotNull(WebCore::MediaPlayer*) + 55 (RefPtr.h:42)
30  com.apple.WebKit              	0x00000001101db829 WTF::RefPtr<WebCore::MediaPlayer, WTF::RawPtrTraits<WebCore::MediaPlayer>, WTF::DefaultRefDerefTraits<WebCore::MediaPlayer> >::~RefPtr() + 41 (RefPtr.h:73)
31  com.apple.WebKit              	0x00000001101b4d75 WTF::RefPtr<WebCore::MediaPlayer, WTF::RawPtrTraits<WebCore::MediaPlayer>, WTF::DefaultRefDerefTraits<WebCore::MediaPlayer> >::~RefPtr() + 21 (RefPtr.h:73)
32  com.apple.WebKit              	0x0000000110239a53 WebKit::RemoteMediaPlayerProxy::~RemoteMediaPlayerProxy() + 307 (RemoteMediaPlayerProxy.cpp:93)
Comment 1 Chris Dumez 2020-12-14 12:30:42 PST
Created attachment 416183 [details]
Patch
Comment 2 Chris Dumez 2020-12-14 12:32:00 PST
Created attachment 416185 [details]
Patch
Comment 3 Darin Adler 2020-12-14 12:36:44 PST
Comment on attachment 416185 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=416185&action=review

> Source/WebKit/GPUProcess/media/RemoteAudioSourceProviderProxy.cpp:64
> +    auto ringBuffer = makeUniqueRef<CARingBuffer>(makeUniqueRef<SharedRingBufferStorage>([this, protectedThis = makeRef(*this)](SharedMemory* memory) mutable {
> +        storageChanged(memory);
> +    }));
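Review bot: the `mutable` qualifier on the lambda at RemoteAudioSourceProviderProxy.cpp:64 looks unnecessary, since the body only calls `storageChanged(memory)` and modifies none of its captures; dropping it, and writing `protectedThis->storageChanged(memory)` instead of relying on the separately captured `this`, makes explicit that `protectedThis` is what keeps the proxy alive when the storage's teardown fires the callback.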

I might have written:

    protectedThis->storageChanged(memory);

And then not captured "this".
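The lifetime pattern discussed above, as an added stand-alone C++ example that is not WebKit code: `std::shared_ptr` stands in for `WTF::Ref`/`makeRef`, and `RingBufferStorage` and `AudioSourceProviderProxy` are simplified stand-ins for `SharedRingBufferStorage` and `RemoteAudioSourceProviderProxy`. It reproduces the teardown order from the crash report (proxy owner releases first, storage destroyed afterwards) and records that the callback captured via `protectedThis` always reaches a live proxy.

```cpp
#include <functional>
#include <memory>
#include <string>
#include <vector>
struct SharedMemory { unsigned size; };  // stand-in for WebKit::SharedMemory
using Log = std::vector<std::string>;    // records event order for checking
// Stand-in for SharedRingBufferStorage: notifies its owner on every storage change,
// including the setStorage(nullptr) that deallocate() issues from the destructor.
class RingBufferStorage {
public:
    explicit RingBufferStorage(std::function<void(SharedMemory*)> onChange) : m_onChange(std::move(onChange)) {}
    ~RingBufferStorage() { deallocate(); }
    void allocate(unsigned size) { setStorage(std::make_unique<SharedMemory>(SharedMemory{size})); }
    void deallocate() { setStorage(nullptr); }
private:
    void setStorage(std::unique_ptr<SharedMemory> memory) { m_memory = std::move(memory); m_onChange(m_memory.get()); }
    std::unique_ptr<SharedMemory> m_memory;
    std::function<void(SharedMemory*)> m_onChange;
};
// Stand-in for RemoteAudioSourceProviderProxy. A bare `this` capture would let the storage's
// teardown callback run against a freed proxy; the strong capture keeps the proxy alive instead.
class AudioSourceProviderProxy : public std::enable_shared_from_this<AudioSourceProviderProxy> {
public:
    explicit AudioSourceProviderProxy(Log& log) : m_log(log) {}
    ~AudioSourceProviderProxy() { m_log.push_back("proxy destroyed"); }
    std::unique_ptr<RingBufferStorage> createStorage() {
        return std::make_unique<RingBufferStorage>([protectedThis = shared_from_this()](SharedMemory* memory) {
            protectedThis->storageChanged(memory);  // call through the protected ref, never bare `this`
        });
    }
    void storageChanged(SharedMemory* memory) {
        m_log.push_back(memory ? "storageChanged(" + std::to_string(memory->size) + ")"
                               : std::string("storageChanged(null)"));
    }
private:
    Log& m_log;
};
// Teardown in the order behind the crash report: the proxy's owner drops its reference
// first, the ring buffer storage is destroyed afterwards and fires its callback.
Log runTeardownInCrashOrder() {
    Log log;
    {
        auto proxy = std::make_shared<AudioSourceProviderProxy>(log);
        auto storage = proxy->createStorage();
        storage->allocate(4096);
        proxy.reset();  // owner gone (cf. ~RemoteMediaPlayerProxy); only the callback's capture keeps the proxy alive
    }                   // storage destroyed: deallocate() -> callback on a live proxy -> proxy freed last
    return log;
}
```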
Comment 4 Chris Dumez 2020-12-14 12:40:03 PST
Created attachment 416186 [details]
Patch
Comment 5 Chris Dumez 2020-12-14 12:40:22 PST
(In reply to Darin Adler from comment #3)
> Comment on attachment 416185 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=416185&action=review
> 
> > Source/WebKit/GPUProcess/media/RemoteAudioSourceProviderProxy.cpp:64
> > +    auto ringBuffer = makeUniqueRef<CARingBuffer>(makeUniqueRef<SharedRingBufferStorage>([this, protectedThis = makeRef(*this)](SharedMemory* memory) mutable {
> > +        storageChanged(memory);
> > +    }));
> 
> I might have written:
> 
>     protectedThis->storageChanged(memory);
> 
> And then not captured "this".

Done.
Comment 6 Peng Liu 2020-12-14 13:00:28 PST
Comment on attachment 416186 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=416186&action=review

> Source/WebKit/ChangeLog:15
> +        of the CARingBuffer is not tried to the lifetime of RemoteAudioSourceProviderProxy.

Nit.
s/tried/tied/
Comment 7 Chris Dumez 2020-12-14 13:15:01 PST
Created attachment 416190 [details]
Patch
Comment 8 EWS 2020-12-14 14:10:22 PST
Committed r270804: <https://trac.webkit.org/changeset/270804>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 416190 [details].
Comment 9 Radar WebKit Bug Importer 2020-12-14 14:11:24 PST
<rdar://problem/72313619>