Bug 220445

Summary: Make it safe to re-enter HashMap::clear()
Product: WebKit
Reporter: Chris Dumez <cdumez>
Component: Web Template Framework
Assignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED
Severity: Normal
CC: benjamin, cmarcelo, darin, ews-watchlist, ggaren, webkit-bug-importer, wenson_hsieh
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments:
  Description  Flags
  Patch        none

Description Chris Dumez 2021-01-07 16:40:42 PST
Make it safe to re-enter HashMap::clear(). This will fix the following crashes on the GPUProcess bot:
Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x00000000bbadbeef
Exception Note:        EXC_CORPSE_NOTIFY

Termination Signal:    Segmentation fault: 11
Termination Reason:    Namespace SIGNAL, Code 0xb
Terminating Process:   exc handler [27650]

VM Regions Near 0xbbadbeef:
--> 
    __TEXT                 0000000106dc3000-0000000106dc4000 [    4K] r-x/r-x SM=COW  /Volumes/VOLUME/*/*.Development

Application Specific Information:
CRASHING TEST: fast/canvas/canvas-overloads-strokeText.html

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore      	0x0000000622535c2e WTFCrash + 14 (Assertions.cpp:295)
1   com.apple.WebCore             	0x00000005ff704dfb WTFCrashWithInfo(int, char const*, char const*, int) + 27
2   com.apple.WebCore             	0x00000005ff719db8 WTF::RefCountedBase::hasOneRef() const + 104 (RefCounted.h:55)
3   com.apple.WebCore             	0x00000005ff719c9c WTF::RefCountedBase::applyRefDerefThreadingCheck() const + 28 (RefCounted.h:106)
4   com.apple.WebCore             	0x00000005ff719b0c WTF::RefCountedBase::derefBase() const + 28 (RefCounted.h:130)
5   com.apple.WebCore             	0x00000006006072af WTF::RefCounted<WebCore::ImageBuffer, std::__1::default_delete<WebCore::ImageBuffer> >::deref() const + 31 (RefCounted.h:189)
6   com.apple.WebCore             	0x0000000603b1daf5 WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> >::~Ref() + 53 (Ref.h:62)
7   com.apple.WebCore             	0x0000000603b1dab5 WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> >::~Ref() + 21 (Ref.h:62)
8   com.apple.WebCore             	0x0000000603b1da8e WTF::KeyValuePair<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> > >::~KeyValuePair() + 30 (KeyValuePair.h:33)
9   com.apple.WebCore             	0x0000000603b1d9c5 WTF::KeyValuePair<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> > >::~KeyValuePair() + 21 (KeyValuePair.h:33)
10  com.apple.WebCore             	0x0000000603b1d951 WTF::HashTable<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::KeyValuePair<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> > > >, WTF::DefaultHash<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType> >, WTF::HashMap<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> >, WTF::DefaultHash<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType> >, WTF::HashTraits<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType> >, WTF::HashTraits<WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> > > >::KeyValuePairTraits, WTF::HashTraits<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType> > >::deallocateTable(WTF::KeyValuePair<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> > >*) + 97 (HashTable.h:1237)
11  com.apple.WebCore             	0x0000000603b23cdb WTF::HashTable<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::KeyValuePair<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> > > >, WTF::DefaultHash<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType> >, WTF::HashMap<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> >, WTF::DefaultHash<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType> >, WTF::HashTraits<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType> >, WTF::HashTraits<WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> > > >::KeyValuePairTraits, WTF::HashTraits<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType> > >::clear() + 59 (HashTable.h:1383)
12  com.apple.WebCore             	0x0000000603b13ce5 WTF::HashMap<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> >, WTF::DefaultHash<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType> >, WTF::HashTraits<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType> >, WTF::HashTraits<WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> > > >::clear() + 21 (HashMap.h:475)
13  com.apple.WebCore             	0x0000000603b13c48 WebCore::DisplayList::DisplayList::clear() + 104 (DisplayList.cpp:83)
14  com.apple.WebKit              	0x00000005f19bdbb6 WebKit::RemoteImageBufferProxy<WebKit::ImageBufferShareableMappedIOSurfaceBackend>::clearDisplayList() + 38 (RemoteImageBufferProxy.h:247)
15  com.apple.WebKit              	0x00000005f19bc139 WebKit::RemoteImageBufferProxy<WebKit::ImageBufferShareableMappedIOSurfaceBackend>::changeDestinationImageBuffer(WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>) + 105 (RemoteImageBufferProxy.h:237)
16  com.apple.WebKit              	0x00000005f19578a6 WebKit::RemoteRenderingBackendProxy::willAppendItem(WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>) + 198 (RemoteRenderingBackendProxy.cpp:238)
17  com.apple.WebKit              	0x00000005f19bc783 WebKit::RemoteImageBufferProxy<WebKit::ImageBufferShareableMappedIOSurfaceBackend>::willAppendItemOfType(WebCore::DisplayList::ItemType) + 99 (RemoteImageBufferProxy.h:253)
18  com.apple.WebCore             	0x0000000603b36185 WebCore::DisplayList::Recorder::willAppendItemOfType(WebCore::DisplayList::ItemType) + 85 (DisplayListRecorder.cpp:112)
19  com.apple.WebKit              	0x00000005f19bdbe5 void WebCore::DisplayList::Recorder::append<WebCore::DisplayList::FlushContext, WTF::ObjectIdentifier<WebCore::DisplayList::FlushIdentifierType>&>(WTF::ObjectIdentifier<WebCore::DisplayList::FlushIdentifierType>&) + 37 (DisplayListRecorder.h:155)
20  com.apple.WebKit              	0x00000005f19bdb7d WebCore::DisplayList::Recorder::flushContext(WTF::ObjectIdentifier<WebCore::DisplayList::FlushIdentifierType>) + 29 (DisplayListRecorder.h:73)
21  com.apple.WebKit              	0x00000005f19bc040 WebKit::RemoteImageBufferProxy<WebKit::ImageBufferShareableMappedIOSurfaceBackend>::flushDrawingContextAsync() + 160
22  com.apple.WebKit              	0x00000005f19bbf7d WebKit::RemoteImageBufferProxy<WebKit::ImageBufferShareableMappedIOSurfaceBackend>::flushDrawingContext() + 125 (RemoteImageBufferProxy.h:198)
23  com.apple.WebKit              	0x00000005f19bd79d WebKit::RemoteImageBufferProxy<WebKit::ImageBufferShareableMappedIOSurfaceBackend>::~RemoteImageBufferProxy() + 125 (RemoteImageBufferProxy.h:69)
24  com.apple.WebKit              	0x00000005f19bbd25 WebKit::RemoteImageBufferProxy<WebKit::ImageBufferShareableMappedIOSurfaceBackend>::~RemoteImageBufferProxy() + 21 (RemoteImageBufferProxy.h:72)
25  com.apple.WebKit              	0x00000005f19bbd4c WebKit::RemoteImageBufferProxy<WebKit::ImageBufferShareableMappedIOSurfaceBackend>::~RemoteImageBufferProxy() + 28 (RemoteImageBufferProxy.h:66)
26  com.apple.WebCore             	0x000000060060730f std::__1::default_delete<WebCore::ImageBuffer>::operator()(WebCore::ImageBuffer*) const + 47 (memory:2339)
27  com.apple.WebCore             	0x00000006006072d2 WTF::RefCounted<WebCore::ImageBuffer, std::__1::default_delete<WebCore::ImageBuffer> >::deref() const + 66 (RefCounted.h:191)
28  com.apple.WebCore             	0x0000000603b1daf5 WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> >::~Ref() + 53 (Ref.h:62)
29  com.apple.WebCore             	0x0000000603b1dab5 WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> >::~Ref() + 21 (Ref.h:62)
30  com.apple.WebCore             	0x0000000603b1da8e WTF::KeyValuePair<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> > >::~KeyValuePair() + 30 (KeyValuePair.h:33)
31  com.apple.WebCore             	0x0000000603b1d9c5 WTF::KeyValuePair<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> > >::~KeyValuePair() + 21 (KeyValuePair.h:33)
32  com.apple.WebCore             	0x0000000603b1d951 WTF::HashTable<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::KeyValuePair<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> > > >, WTF::DefaultHash<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType> >, WTF::HashMap<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> >, WTF::DefaultHash<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType> >, WTF::HashTraits<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType> >, WTF::HashTraits<WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> > > >::KeyValuePairTraits, WTF::HashTraits<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType> > >::deallocateTable(WTF::KeyValuePair<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> > >*) + 97 (HashTable.h:1237)
33  com.apple.WebCore             	0x0000000603b23cdb WTF::HashTable<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::KeyValuePair<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> > > >, WTF::DefaultHash<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType> >, WTF::HashMap<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> >, WTF::DefaultHash<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType> >, WTF::HashTraits<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType> >, WTF::HashTraits<WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> > > >::KeyValuePairTraits, WTF::HashTraits<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType> > >::clear() + 59 (HashTable.h:1383)
34  com.apple.WebCore             	0x0000000603b13ce5 WTF::HashMap<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> >, WTF::DefaultHash<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType> >, WTF::HashTraits<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType> >, WTF::HashTraits<WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> > > >::clear() + 21 (HashMap.h:475)
35  com.apple.WebCore             	0x0000000603b13c48 WebCore::DisplayList::DisplayList::clear() + 104 (DisplayList.cpp:83)
36  com.apple.WebKit              	0x00000005f19bdbb6 WebKit::RemoteImageBufferProxy<WebKit::ImageBufferShareableMappedIOSurfaceBackend>::clearDisplayList() + 38 (RemoteImageBufferProxy.h:247)
37  com.apple.WebKit              	0x00000005f19bc063 WebKit::RemoteImageBufferProxy<WebKit::ImageBufferShareableMappedIOSurfaceBackend>::flushDrawingContextAsync() + 195 (RemoteImageBufferProxy.h:214)
38  com.apple.WebKit              	0x00000005f19bbf7d WebKit::RemoteImageBufferProxy<WebKit::ImageBufferShareableMappedIOSurfaceBackend>::flushDrawingContext() + 125 (RemoteImageBufferProxy.h:198)
39  com.apple.WebKit              	0x00000005f19bd79d WebKit::RemoteImageBufferProxy<WebKit::ImageBufferShareableMappedIOSurfaceBackend>::~RemoteImageBufferProxy() + 125 (RemoteImageBufferProxy.h:69)
40  com.apple.WebKit              	0x00000005f19bbd25 WebKit::RemoteImageBufferProxy<WebKit::ImageBufferShareableMappedIOSurfaceBackend>::~RemoteImageBufferProxy() + 21 (RemoteImageBufferProxy.h:72)
41  com.apple.WebKit              	0x00000005f19bbd4c WebKit::RemoteImageBufferProxy<WebKit::ImageBufferShareableMappedIOSurfaceBackend>::~RemoteImageBufferProxy() + 28 (RemoteImageBufferProxy.h:66)
42  com.apple.WebCore             	0x000000060060730f std::__1::default_delete<WebCore::ImageBuffer>::operator()(WebCore::ImageBuffer*) const + 47 (memory:2339)
43  com.apple.WebCore             	0x00000006006072d2 WTF::RefCounted<WebCore::ImageBuffer, std::__1::default_delete<WebCore::ImageBuffer> >::deref() const + 66 (RefCounted.h:191)
44  com.apple.WebCore             	0x0000000600607257 WTF::DefaultRefDerefTraits<WebCore::ImageBuffer>::derefIfNotNull(WebCore::ImageBuffer*) + 55 (RefPtr.h:43)
45  com.apple.WebCore             	0x0000000600607219 WTF::RefPtr<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer>, WTF::DefaultRefDerefTraits<WebCore::ImageBuffer> >::~RefPtr() + 41 (RefPtr.h:73)
46  com.apple.WebCore             	0x00000006006071e5 WTF::RefPtr<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer>, WTF::DefaultRefDerefTraits<WebCore::ImageBuffer> >::~RefPtr() + 21 (RefPtr.h:73)
47  com.apple.WebCore             	0x0000000602b39c33 WebCore::HTMLCanvasElement::~HTMLCanvasElement() + 195 (HTMLCanvasElement.cpp:157)
48  com.apple.WebCore             	0x0000000602b39d15 WebCore::HTMLCanvasElement::~HTMLCanvasElement() + 21 (HTMLCanvasElement.cpp:158)
49  com.apple.WebCore             	0x0000000602b39d7c WebCore::HTMLCanvasElement::~HTMLCanvasElement() + 28 (HTMLCanvasElement.cpp:149)
50  com.apple.WebCore             	0x00000006027e45ef WebCore::Node::removedLastRef() + 223 (Node.cpp:2564)
51  com.apple.WebCore             	0x00000005ff9a215f WebCore::Node::deref() const + 527 (Node.h:801)
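The trace above shows the hazard in miniature: HashTable::clear() calls deallocateTable(), destroying each Ref<ImageBuffer> entry; ~RemoteImageBufferProxy flushes its drawing context, which calls DisplayList::clear(), which calls clear() on the same HashMap whose entries are still being destroyed. The model below is an added example written for this page, not WebKit's code and not a transcription of the r271296 patch. Owner, Resource, the Policy enum and the hazard counter are hypothetical names; the detach-the-storage-before-destroying-entries ordering it contrasts against destroy-then-detach is the standard remedy for this class of bug, assumed here rather than taken from the patch.

```cpp
// Added example, not WebKit's code: a minimal model of the re-entrancy hazard
// in this bug. A container owns heap entries; destroying an entry calls back
// into the owner, which clears the very container being torn down.
#include <cstdio>
#include <utility>
#include <vector>

struct Owner;

// Hypothetical entry type. Its destructor notifies the owner, mirroring
// ~RemoteImageBufferProxy -> flushDrawingContext -> DisplayList::clear()
// in the trace above.
struct Resource {
    Owner* owner;
    int id;
    Resource(Owner* o, int i) : owner(o), id(i) {}
    ~Resource();
};

struct Owner {
    enum class Policy { DestroyThenDetach, DetachThenDestroy };

    explicit Owner(Policy p) : policy(p) {}
    ~Owner() { clear(); }

    Policy policy;
    std::vector<Resource*>* m_table = nullptr;   // models HashTable::m_table
    int clearDepth = 0;
    int nestedClearsSawLiveTable = 0;            // hazard counter
    std::vector<int> destroyedIds;               // destruction log

    void populate(int n) {
        m_table = new std::vector<Resource*>;
        for (int i = 0; i < n; ++i)
            m_table->push_back(new Resource(this, i));
    }

    // Models deallocateTable(): destroys every entry, then frees the storage.
    static void deallocateTable(std::vector<Resource*>* table) {
        for (Resource* r : *table)
            delete r;                 // each ~Resource re-enters clear()
        delete table;
    }

    void clear() {
        ++clearDepth;
        if (m_table && clearDepth > 1) {
            // A nested clear() can still see the table the outer clear() is
            // destroying. In the real code this is where the same entries
            // would be destroyed a second time; here we only record it and
            // back out so the example itself does not commit the double free.
            ++nestedClearsSawLiveTable;
            --clearDepth;
            return;
        }
        if (m_table) {
            if (policy == Policy::DestroyThenDetach) {
                deallocateTable(m_table);   // m_table stays live during callbacks
                m_table = nullptr;
            } else {
                // Detach first: any re-entrant clear() now finds an empty owner.
                deallocateTable(std::exchange(m_table, nullptr));
            }
        }
        --clearDepth;
    }
};

Resource::~Resource() {
    owner->destroyedIds.push_back(id);
    owner->clear();   // the re-entrant call this bug is about
}

// Returns how many nested clear() calls observed a live table while the outer
// clear() was still destroying entries (0 means the ordering is safe).
int nestedHazards(Owner::Policy policy, int entries) {
    Owner owner(policy);
    owner.populate(entries);
    owner.clear();
    return owner.nestedClearsSawLiveTable;
}

// Returns the number of entries destroyed by a single clear().
int entriesDestroyed(Owner::Policy policy, int entries) {
    Owner owner(policy);
    owner.populate(entries);
    owner.clear();
    return static_cast<int>(owner.destroyedIds.size());
}

int main() {
    std::printf("destroy-then-detach: %d nested clears saw a live table\n",
                nestedHazards(Owner::Policy::DestroyThenDetach, 3));
    std::printf("detach-then-destroy: %d nested clears saw a live table\n",
                nestedHazards(Owner::Policy::DetachThenDestroy, 3));
    return 0;
}
```

With destroy-then-detach ordering every entry's destructor re-enters clear() and finds the table still attached, which in the real HashTable is a second pass over entries already being destroyed (the deref of an ImageBuffer whose refcount has gone to zero is what the assertion in frames 2 through 5 caught). Nulling the storage pointer before destroying the entries turns the nested call into a no-op, and the same number of entries is destroyed exactly once.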
Comment 1 Chris Dumez 2021-01-07 16:48:04 PST
Created attachment 417223
Patch
Comment 2 Geoffrey Garen 2021-01-07 20:46:25 PST
Comment on attachment 417223
Patch

r=me
Comment 3 Chris Dumez 2021-01-08 07:45:26 PST
Comment on attachment 417223
Patch

Clearing flags on attachment: 417223

Committed r271296: <https://trac.webkit.org/changeset/271296>
Comment 4 Chris Dumez 2021-01-08 07:45:29 PST
All reviewed patches have been landed.  Closing bug.
Comment 5 Radar WebKit Bug Importer 2021-01-08 07:46:16 PST
<rdar://problem/72930238>