Bug 260033

Summary: Crash under IPC::Connection::setOutgoingMessageQueueIsGrowingLargeCallback()'s lambda
Product: WebKit
Component: WebKit2
Status: RESOLVED FIXED
Severity: Normal
Priority: P2
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Reporter: Chris Dumez <cdumez>
Assignee: Chris Dumez <cdumez>
CC: kkinnunen, webkit-bug-importer
Keywords: InRadar

Chris Dumez
Reported 2023-08-10 11:09:53 PDT
Crash under IPC::Connection::setOutgoingMessageQueueIsGrowingLargeCallback()'s lambda:

```
Thread 7 Crashed:: Dispatch queue: com.apple.WebKit.Storage.2.00
0 JavaScriptCore 0x1376a483c WTFCrash + 24 (Assertions.cpp:327)
1 WebKit 0x1187b9484 WTFCrashWithInfo(int, char const*, char const*, int) + 36 (Assertions.h:762)
2 WebKit 0x11982e6ac WTF::WeakPtr<WebKit::NetworkConnectionToWebProcess, WTF::DefaultWeakPtrImpl>::operator->() const + 120 (WeakPtr.h:138)
3 WebKit 0x11982e574 WebKit::NetworkConnectionToWebProcess::NetworkConnectionToWebProcess(WebKit::NetworkProcess&, WTF::ObjectIdentifierGeneric<WebCore::ProcessIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, PAL::SessionID, WebKit::NetworkProcessConnectionParameters&&, IPC::Connection::Identifier)::$_10::operator()() const + 48 (NetworkConnectionToWebProcess.cpp:157)
4 WebKit 0x11982e424 WTF::Detail::CallableWrapper<WebKit::NetworkConnectionToWebProcess::NetworkConnectionToWebProcess(WebKit::NetworkProcess&, WTF::ObjectIdentifierGeneric<WebCore::ProcessIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, PAL::SessionID, WebKit::NetworkProcessConnectionParameters&&, IPC::Connection::Identifier)::$_10, void>::call() + 32 (Function.h:53)
5 WebKit 0x1187cb2f8 WTF::Function<void ()>::operator()() const + 172 (Function.h:82)
6 WebKit 0x11b8bd65c IPC::Connection::sendMessage(WTF::UniqueRef<IPC::Encoder>&&, WTF::OptionSet<IPC::SendOption>, std::__1::optional<WTF::Thread::QOS>) + 1620 (Connection.cpp:584)
7 WebKit 0x11b8bc984 IPC::Connection::sendSyncReply(WTF::UniqueRef<IPC::Encoder>&&) + 84 (Connection.cpp:626)
8 WebKit 0x118eead9c auto void IPC::handleMessageAsync<Messages::NetworkStorageManager::SetItem, WebKit::NetworkStorageManager, WebKit::NetworkStorageManager, void (IPC::Connection&, WTF::ObjectIdentifierGeneric<WebKit::StorageAreaIdentifierType, WTF::ObjectIdentifierThreadSafeAccessTraits>, WTF::ObjectIdentifierGeneric<WebKit::StorageAreaImplIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WTF::String&&, WTF::String&&, WTF::String&&, WTF::CompletionHandler<void (bool, WTF::HashMap<WTF::String, WTF::String, WTF::DefaultHash<WTF::String>, WTF::HashTraits<WTF::String>, WTF::HashTraits<WTF::String>, WTF::HashTableTraits>&&)>&&)>(IPC::Connection&, IPC::Decoder&, WebKit::NetworkStorageManager*, void (WebKit::NetworkStorageManager::*)(IPC::Connection&, WTF::ObjectIdentifierGeneric<WebKit::StorageAreaIdentifierType, WTF::ObjectIdentifierThreadSafeAccessTraits>, WTF::ObjectIdentifierGeneric<WebKit::StorageAreaImplIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WTF::String&&, WTF::String&&, WTF::String&&, WTF::CompletionHandler<void (bool, WTF::HashMap<WTF::String, WTF::String, WTF::DefaultHash<WTF::String>, WTF::HashTraits<WTF::String>, WTF::HashTraits<WTF::String>, WTF::HashTableTraits>&&)>&&))::'lambda'(auto&&...)::operator()<bool, WTF::HashMap<WTF::String, WTF::String, WTF::DefaultHash<WTF::String>, WTF::HashTraits<WTF::String>, WTF::HashTraits<WTF::String>, WTF::HashTableTraits>>(auto&&...) + 180 (HandleMessage.h:313)
9 WebKit 0x118eeabd8 WTF::Detail::CallableWrapper<void IPC::handleMessageAsync<Messages::NetworkStorageManager::SetItem, WebKit::NetworkStorageManager, WebKit::NetworkStorageManager, void (IPC::Connection&, WTF::ObjectIdentifierGeneric<WebKit::StorageAreaIdentifierType, WTF::ObjectIdentifierThreadSafeAccessTraits>, WTF::ObjectIdentifierGeneric<WebKit::StorageAreaImplIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WTF::String&&, WTF::String&&, WTF::String&&, WTF::CompletionHandler<void (bool, WTF::HashMap<WTF::String, WTF::String, WTF::DefaultHash<WTF::String>, WTF::HashTraits<WTF::String>, WTF::HashTraits<WTF::String>, WTF::HashTableTraits>&&)>&&)>(IPC::Connection&, IPC::Decoder&, WebKit::NetworkStorageManager*, void (WebKit::NetworkStorageManager::*)(IPC::Connection&, WTF::ObjectIdentifierGeneric<WebKit::StorageAreaIdentifierType, WTF::ObjectIdentifierThreadSafeAccessTraits>, WTF::ObjectIdentifierGeneric<WebKit::StorageAreaImplIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WTF::String&&, WTF::String&&, WTF::String&&, WTF::CompletionHandler<void (bool, WTF::HashMap<WTF::String, WTF::String, WTF::DefaultHash<WTF::String>, WTF::HashTraits<WTF::String>, WTF::HashTraits<WTF::String>, WTF::HashTableTraits>&&)>&&))::'lambda'(auto&&...), void, bool, WTF::HashMap<WTF::String, WTF::String, WTF::DefaultHash<WTF::String>, WTF::HashTraits<WTF::String>, WTF::HashTraits<WTF::String>, WTF::HashTableTraits>&&>::call(bool, WTF::HashMap<WTF::String, WTF::String, WTF::DefaultHash<WTF::String>, WTF::HashTraits<WTF::String>, WTF::HashTraits<WTF::String>, WTF::HashTableTraits>&&) + 52 (Function.h:53)
10 WebKit 0x119e128f8 WTF::Function<void (bool, WTF::HashMap<WTF::String, WTF::String, WTF::DefaultHash<WTF::String>, WTF::HashTraits<WTF::String>, WTF::HashTraits<WTF::String>, WTF::HashTableTraits>&&)>::operator()(bool, WTF::HashMap<WTF::String, WTF::String, WTF::DefaultHash<WTF::String>, WTF::HashTraits<WTF::String>, WTF::HashTraits<WTF::String>, WTF::HashTableTraits>&&) const + 196 (Function.h:82)
11 WebKit 0x119dbd6f4 WTF::CompletionHandler<void (bool, WTF::HashMap<WTF::String, WTF::String, WTF::DefaultHash<WTF::String>, WTF::HashTraits<WTF::String>, WTF::HashTraits<WTF::String>, WTF::HashTableTraits>&&)>::operator()(bool, WTF::HashMap<WTF::String, WTF::String, WTF::DefaultHash<WTF::String>, WTF::HashTraits<WTF::String>, WTF::HashTraits<WTF::String>, WTF::HashTableTraits>&&) + 160 (CompletionHandler.h:75)
12 WebKit 0x119dbd5e8 WebKit::NetworkStorageManager::setItem(IPC::Connection&, WTF::ObjectIdentifierGeneric<WebKit::StorageAreaIdentifierType, WTF::ObjectIdentifierThreadSafeAccessTraits>, WTF::ObjectIdentifierGeneric<WebKit::StorageAreaImplIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WTF::String&&, WTF::String&&, WTF::String&&, WTF::CompletionHandler<void (bool, WTF::HashMap<WTF::String, WTF::String, WTF::DefaultHash<WTF::String>, WTF::HashTraits<WTF::String>, WTF::HashTraits<WTF::String>, WTF::HashTableTraits>&&)>&&) + 508 (NetworkStorageManager.cpp:1357)
13 WebKit 0x118eebb58 auto void IPC::callMemberFunction<WebKit::NetworkStorageManager, WebKit::NetworkStorageManager, void (IPC::Connection&, WTF::ObjectIdentifierGeneric<WebKit::StorageAreaIdentifierType, WTF::ObjectIdentifierThreadSafeAccessTraits>, WTF::ObjectIdentifierGeneric<WebKit::StorageAreaImplIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WTF::String&&, WTF::String&&, WTF::String&&, WTF::CompletionHandler<void (bool, WTF::HashMap<WTF::String, WTF::String, WTF::DefaultHash<WTF::String>, WTF::HashTraits<WTF::String>, WTF::HashTraits<WTF::String>, WTF::HashTableTraits>&&)>&&), std::__1::tuple<WTF::ObjectIdentifierGeneric<WebKit::StorageAreaIdentifierType, WTF::ObjectIdentifierThreadSafeAccessTraits>, WTF::ObjectIdentifierGeneric<WebKit::StorageAreaImplIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WTF::String, WTF::String, WTF::String>, void (bool, WTF::HashMap<WTF::String, WTF::String, WTF::DefaultHash<WTF::String>, WTF::HashTraits<WTF::String>, WTF::HashTraits<WTF::String>, WTF::HashTableTraits>&&)>(WebKit::NetworkStorageManager*, void (WebKit::NetworkStorageManager::*)(IPC::Connection&, WTF::ObjectIdentifierGeneric<WebKit::StorageAreaIdentifierType, WTF::ObjectIdentifierThreadSafeAccessTraits>, WTF::ObjectIdentifierGeneric<WebKit::StorageAreaImplIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WTF::String&&, WTF::String&&, WTF::String&&, WTF::CompletionHandler<void (bool, WTF::HashMap<WTF::String, WTF::String, WTF::DefaultHash<WTF::String>, WTF::HashTraits<WTF::String>, WTF::HashTraits<WTF::String>, WTF::HashTableTraits>&&)>&&), IPC::Connection&, std::__1::tuple<WTF::ObjectIdentifierGeneric<WebKit::StorageAreaIdentifierType, WTF::ObjectIdentifierThreadSafeAccessTraits>, WTF::ObjectIdentifierGeneric<WebKit::StorageAreaImplIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WTF::String, WTF::String, WTF::String>&&, WTF::CompletionHandler<void (bool, WTF::HashMap<WTF::String, WTF::String, WTF::DefaultHash<WTF::String>, WTF::HashTraits<WTF::String>, WTF::HashTraits<WTF::String>, WTF::HashTableTraits>&&)>&&)::'lambda'(auto&&...)::operator()<WTF::ObjectIdentifierGeneric<WebKit::StorageAreaIdentifierType, WTF::ObjectIdentifierThreadSafeAccessTraits>, WTF::ObjectIdentifierGeneric<WebKit::StorageAreaImplIdentifierType, WTF::ObjectIdentifierMainThreadAccessTraits>, WTF::String, WTF::String, WTF::String>(auto&&...) const + 252 (HandleMessage.h:158)
```
Chris Dumez
Comment 1 2023-08-10 11:13:03 PDT
EWS
Comment 2 2023-08-10 12:33:01 PDT
Committed 266773@main (bd5d32f902e1): <https://commits.webkit.org/266773@main>

Reviewed commits have been landed. Closing PR #16573 and removing active labels.
Radar WebKit Bug Importer
Comment 3 2023-08-10 12:34:17 PDT