Bug 51115

Summary:

Crash in web process after the connection had been closed

Product:

WebKit

Reporter:

Balazs Kelemen <kbalazs>

Component:

WebKit2

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

andersca, kenneth, kling, sam

Priority:

Version:

528+ (Nightly build)

Hardware:

OS:

All

Attachments:

Description	Flags
Patch	none
Patch	none
Patch	none
patch v4	none
Patch	sam: review+

Balazs Kelemen

Reported 2010-12-15 09:48:17 PST

This is the story: 1. The UI process close the last page 2. The connection of the web process is invalidated 3. The work queue of the connection is still running and it detects disconnection and call connectionDidClose 4. m_client is 0 so connectionDidClose does a null dereference That means we need a null check in connectionDidClose. I don't know exactly how ports other than Qt affected by the problem but a null check does not costs too much so I think it is better to handle that in the common part of the implementation. I investigated a lot of how should that fixed correctly and I think this is the best.

Attachments
Patch (1.57 KB, patch) 2010-12-16 01:55 PST, Balazs Kelemen	no flags	Details Formatted Diff Diff
Patch (2.51 KB, patch) 2010-12-20 05:09 PST, Balazs Kelemen	no flags	Details Formatted Diff Diff
Patch (3.21 KB, patch) 2010-12-20 17:27 PST, Balazs Kelemen	no flags	Details Formatted Diff Diff
patch v4 (3.92 KB, patch) 2011-01-14 05:52 PST, Balazs Kelemen	no flags	Details Formatted Diff Diff
Patch (7.83 KB, patch) 2011-02-07 17:32 PST, Anders Carlsson	sam: review+	Details Formatted Diff Diff
Show Obsolete (4) View All Add attachment proposed patch, testcase, etc.

Balazs Kelemen

Comment 1 2010-12-15 10:02:26 PST

Note that the crash is only visible in the debugger.

Balazs Kelemen

Comment 2 2010-12-16 01:55:02 PST

Created attachment 76743 [details] Patch

Balazs Kelemen

Comment 3 2010-12-20 04:59:12 PST

After I got an assert in connectionDidClose while working on other stuff but having this patch in my branch, I decided to fix by not calling connectionDidClose at all when the connection had been invalidated. That would rather need a Qt only change.

Balazs Kelemen

Comment 4 2010-12-20 05:09:15 PST

Created attachment 76988 [details] Patch

Kenneth Rohde Christiansen

Comment 5 2010-12-20 05:29:52 PST

Comment on attachment 76988 [details] Patch Looks sensible

Balazs Kelemen

Comment 6 2010-12-20 07:12:17 PST

Comment on attachment 76988 [details] Patch Clearing flags on attachment: 76988 Committed r74345: <http://trac.webkit.org/changeset/74345>

Balazs Kelemen

Comment 7 2010-12-20 07:12:26 PST

All reviewed patches have been landed. Closing bug.

Anders Carlsson

Comment 8 2010-12-20 10:33:49 PST

This patch is not correct, m_client must either be an atomic variable or protected by a lock. I'm going to revert this.

Kenneth Rohde Christiansen

Comment 9 2010-12-20 10:54:13 PST

(In reply to comment #8) > This patch is not correct, m_client must either be an atomic variable or protected by a lock. I'm going to revert this. Please do.

Anders Carlsson

Comment 10 2010-12-20 10:54:35 PST

Reverted r74345 for reason: Not the correct fix. Committed r74355: <http://trac.webkit.org/changeset/74355>

Balazs Kelemen

Comment 11 2010-12-20 17:27:41 PST

Created attachment 77057 [details] Patch

Darin Adler

Comment 12 2010-12-20 17:35:49 PST

Comment on attachment 77057 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=77057&action=review I think Anders should review, but I do have one comment. > WebKit2/Platform/CoreIPC/Connection.cpp:349 > + m_client = 0; // No need to lock here since the connectino has been closed on the work thread. Typo: connectino

Darin Adler

Comment 13 2010-12-29 17:16:11 PST

Comment on attachment 77057 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=77057&action=review I’d like to review, but I’d like to hear from Anders whether he thinks this is the right solution. > WebKit2/ChangeLog:8 > + Add mutual exclusion for m_client. Typically for a single pointer we could use a function like the Mac OS X OSAtomicCompareAndSwapPtrBarrier instead of a mutex. I don’t know if that’s desirable here or not. > WebKit2/Platform/CoreIPC/Connection.cpp:342 > - if (!m_client) > + if (!isValid()) Is this better? Generally speaking if code is going to be manipulating m_client directly, I am not sure that isValid is providing a helpful abstraction inside the Connection class.

Balazs Kelemen

Comment 14 2011-01-02 19:05:40 PST

(In reply to comment #13) > (From update of attachment 77057 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=77057&action=review > > I’d like to review, but I’d like to hear from Anders whether he thinks this is the right solution. > > > WebKit2/ChangeLog:8 > > + Add mutual exclusion for m_client. > > Typically for a single pointer we could use a function like the Mac OS X OSAtomicCompareAndSwapPtrBarrier instead of a mutex. I don’t know if that’s desirable here or not. I don't have a strong opinion about that. However, if we want atomic functionality then I think it should be introduced into WTF for all platforms. > > > WebKit2/Platform/CoreIPC/Connection.cpp:342 > > - if (!m_client) > > + if (!isValid()) > > Is this better? Generally speaking if code is going to be manipulating m_client directly, I am not sure that isValid is providing a helpful abstraction inside the Connection class. Yes, maybe just saying |!m_client| is more straightforward here.

Balazs Kelemen

Comment 15 2011-01-06 02:05:55 PST

I should refine my opinion about using atomic here. This is not enough in the following situation: { Client* client = ATOMIC_READ(m_client); if (!client) return; --> Right now the listener thread invalidates the connection. --> After that the client is allowed to be destructed so we can end up in --> accessing a deleted object in the following line. client->didCloseOnConnectionWorkQueue(&m_connectionQueue, this); } So the didClose... call should be in a mutually excluded block.

Balazs Kelemen

Comment 16 2011-01-14 05:52:51 PST

Created attachment 78932 [details] patch v4 Patch with the isValid/m_client change suggested by Darin.

Balazs Kelemen

Comment 17 2011-02-01 10:24:36 PST

ping

Anders Carlsson

Comment 18 2011-02-07 17:18:02 PST

(In reply to comment #17) > ping Sorry for not looking at this earlier. I've decided to go with a simpler approach and get rid of the Client::connectionDidCloseOnWorkQueue.

Anders Carlsson

Comment 19 2011-02-07 17:32:57 PST

Created attachment 81556 [details] Patch

Anders Carlsson

Comment 20 2011-02-07 17:44:54 PST

Committed r77874: <http://trac.webkit.org/changeset/77874>

Note You need to log in before you can comment on or make changes to this bug.