Bug 227088

Summary: [iOS 15] Crash in IPC::clearAsyncReplyHandlers
Product: WebKit    Reporter: Ali Juma <ajuma>
Component: WebKit2    Assignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE
Severity: Normal    CC: cdumez, kkinnunen, simon.fraser, thorton, wenson_hsieh
Priority: P2
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified

Description Ali Juma 2021-06-16 12:48:05 PDT
Chrome for iOS is getting a relatively large number of crash reports in IPC::clearAsyncReplyHandlers, on iOS 15.

Most of the crash reports are on iPad.

Here's the crash stack:

CRASHED [EXC_BAD_ACCESS / KERN_INVALID_ADDRESS @ 0x00000000 ]
0x00000001903e7230	(WebKit + 0x0042f230)		WTF::Detail::CallableWrapper<WebKit::WebPageProxy::handlePreventableTouchEvent(WebKit::NativeWebTouchEvent&)::$_15, void, bool&&>::call(bool&&)
0x00000001903e7224	(WebKit + 0x0042f224)		WTF::Detail::CallableWrapper<WebKit::WebPageProxy::handlePreventableTouchEvent(WebKit::NativeWebTouchEvent&)::$_15, void, bool&&>::call(bool&&)
0x00000001903e6f64	(WebKit + 0x0042ef64)		WTF::Detail::CallableWrapper<unsigned long long IPC::MessageSender::sendWithAsyncReply<Messages::EventDispatcher::TouchEvent, WebKit::WebPageProxy::handlePreventableTouchEvent(WebKit::NativeWebTouchEvent&)::$_15>(Messages::EventDispatcher::TouchEvent&&, WebKit::WebPageProxy::handlePreventableTouchEvent(WebKit::NativeWebTouchEvent&)::$_15&&, unsigned long long, WTF::OptionSet<IPC::SendOption>)::'lambda'(IPC::Decoder*), void, IPC::Decoder*>::call(IPC::Decoder*)
0x000000018ffeda9c	(WebKit + 0x00035a9c)		WTF::CompletionHandler<void (IPC::Decoder*)>::operator()(IPC::Decoder*)
0x000000018ffeda9c	(WebKit + 0x00035a9c)		WTF::CompletionHandler<void (IPC::Decoder*)>::operator()(IPC::Decoder*)
0x000000018ffeae54	(WebKit + 0x00032e54)		IPC::clearAsyncReplyHandlers(IPC::Connection const&)
0x000000018ffea97c	(WebKit + 0x0003297c)		IPC::Connection::~Connection()
0x000000018ffe04b0	(WebKit + 0x000284b0)		WTF::Detail::CallableWrapper<WTF::ThreadSafeRefCounted<IPC::Connection, (WTF::DestructionThread)2>::deref() const::'lambda'(), void>::call()
0x000000018d91c0fc	(JavaScriptCore + 0x00000000010b40fc)		WTF::RunLoop::performWork()
0x000000018d91d5f4	(JavaScriptCore + 0x00000000010b55f4)		WTF::RunLoop::performWork(void*)
0x0000000181754160	(CoreFoundation + 0x000a5160)		__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__
0x00000001817a80d0	(CoreFoundation + 0x000f90d0)		__CFRunLoopDoSource0
0x0000000181710480	(CoreFoundation + 0x00061480)		__CFRunLoopDoSources0
0x00000001817208d4	(CoreFoundation + 0x000718d4)		__CFRunLoopRun
0x000000018172e318	(CoreFoundation + 0x0007f318)		CFRunLoopRunSpecific
0x000000019d0cc5fc	(GraphicsServices + 0x000035fc)		GSEventRunModal
0x0000000183f069ac	(UIKitCore + 0x003d19ac)		-[UIApplication _run]
0x0000000183f06420	(UIKitCore + 0x003d1420)		UIApplicationMain
0x0000000102087f30	(Chrome -chrome_exe_main.mm:66)		main
0x0000000104019218
Comment 1 Wenson Hsieh 2021-06-16 12:53:02 PDT
Seems like a dupe of https://bugs.webkit.org/show_bug.cgi?id=226426?
Comment 2 Ali Juma 2021-06-16 13:26:26 PDT
Thanks, this does seem like a dupe of bug 226426.

*** This bug has been marked as a duplicate of bug 226426 ***