Bug 79013 (CVE-2013-0880)

Summary:

Layout Test http/tests/workers/terminate-during-sync-operation.html is flaky

Product:

WebKit

Reporter:

Yuta Kitamura <yutak>

Component:

Tools / Tests

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

abarth, cevans, dimich, jamesr, jsbell, kinuko, levin, leviw, mark.lam, michaeln, ojan, rniwa, webkit.review.bot

Priority:

Version:

528+ (Nightly build)

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
Patch	none

Yuta Kitamura

Reported 2012-02-19 22:40:38 PST

The following layout test crashes occasionally on all platforms: http/tests/workers/terminate-during-sync-operation.html Probable cause: http://test-results.appspot.com/dashboards/flakiness_dashboard.html#showExpectations=true&tests=http%2Ftests%2Fworkers%2Fterminate-during-sync-operation.html The following log from "Webkit Linux (dbg)" looks interesting, but I'm not quite sure whether these are relevant. ERROR: SQLite database could not set temp_store to memory third_party/WebKit/Source/WebCore/platform/sql/SQLiteDatabase.cpp(97) : bool WebCore::SQLiteDatabase::open(const WTF::String&, bool) ERROR: Unable to turn on incremental auto-vacuum (0 not an error) third_party/WebKit/Source/WebCore/storage/AbstractDatabase.cpp(272) : virtual bool WebCore::AbstractDatabase::performOpenAndVerify(bool, WebCore::ExceptionCode&, WTF::String&) ERROR: Unable to turn on incremental auto-vacuum (9 interrupted) third_party/WebKit/Source/WebCore/storage/AbstractDatabase.cpp(272) : virtual bool WebCore::AbstractDatabase::performOpenAndVerify(bool, WebCore::ExceptionCode&, WTF::String&) ...

Attachments
Patch (3.09 KB, patch) 2013-01-24 22:52 PST, Adam Barth	no flags	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Ryosuke Niwa

Comment 1 2012-06-09 13:37:25 PDT

*** Bug 77047 has been marked as a duplicate of this bug. ***

Ryosuke Niwa

Comment 2 2012-06-09 13:38:13 PDT

Doesn't crash anymore but times out intermittently.

James Robinson

Comment 3 2012-09-14 18:31:42 PDT

It's still crashing: crash log for DumpRenderTree (pid 23311): STDOUT: <empty> STDERR: ASSERTION FAILED: !AssertNoEventDispatch::isEventDispatchForbidden() STDERR: third_party/WebKit/Source/WebCore/dom/EventTarget.cpp(162) : bool WebCore::EventTarget::fireEventListeners(WebCore::Event*) STDERR: 1 0x7f49ace5121c STDERR: 2 0x7f49ace511b2 STDERR: 3 0x7f49adae74fd STDERR: 4 0x7f49adae9e47 STDERR: 5 0x7f49adae9a12 STDERR: 6 0x7f49adae976b STDERR: 7 0x7f49adaee1a3 STDERR: 8 0x7f49adadb125 STDERR: 9 0x7f49adaee0bd STDERR: 10 0x7f49adaeddb4 STDERR: 11 0x7f49acd68189 STDERR: 12 0x7f49acd687ac STDERR: 13 0x7f49a37049ca STDERR: 14 0x7f49a3461cdd clone STDERR: [23311:23996:15135171814855:ERROR:process_util_posix.cc(143)] Received signal 11 STDERR: ERROR: Unable to turn on incremental auto-vacuum (9 interrupted) STDERR: third_party/WebKit/Source/WebCore/Modules/webdatabase/AbstractDatabase.cpp(274) : virtual bool WebCore::AbstractDatabase::performOpenAndVerify(bool, WebCore::ExceptionCode&, WTF::String&) STDERR: ERROR: Unable to turn on incremental auto-vacuum (0 not an error) STDERR: third_party/WebKit/Source/WebCore/Modules/webdatabase/AbstractDatabase.cpp(274) : virtual bool WebCore::AbstractDatabase::performOpenAndVerify(bool, WebCore::ExceptionCode&, WTF::String&) STDERR: ERROR: Unable to turn on incremental auto-vacuum (0 not an error) STDERR: third_party/WebKit/Source/WebCore/Modules/webdatabase/AbstractDatabase.cpp(274) : virtual bool WebCore::AbstractDatabase::performOpenAndVerify(bool, WebCore::ExceptionCode&, WTF::String&) STDERR: ERROR: Unable to turn on incremental auto-vacuum (0 not an error) STDERR: third_party/WebKit/Source/WebCore/Modules/webdatabase/AbstractDatabase.cpp(274) : virtual bool WebCore::AbstractDatabase::performOpenAndVerify(bool, WebCore::ExceptionCode&, WTF::String&) STDERR: ERROR: Unable to turn on incremental auto-vacuum (0 not an error) STDERR: third_party/WebKit/Source/WebCore/Modules/webdatabase/AbstractDatabase.cpp(274) : virtual bool WebCore::AbstractDatabase::performOpenAndVerify(bool, WebCore::ExceptionCode&, WTF::String&) STDERR: ERROR: Unable to turn on incremental auto-vacuum (0 not an error) STDERR: third_party/WebKit/Source/WebCore/Modules/webdatabase/AbstractDatabase.cpp(274) : virtual bool WebCore::AbstractDatabase::performOpenAndVerify(bool, WebCore::ExceptionCode&, WTF::String&) STDERR: ERROR: Unable to turn on incremental auto-vacuum (0 not an error) STDERR: third_party/WebKit/Source/WebCore/Modules/webdatabase/AbstractDatabase.cpp(274) : virtual bool WebCore::AbstractDatabase::performOpenAndVerify(bool, WebCore::ExceptionCode&, WTF::String&) STDERR: ERROR: Unable to turn on incremental auto-vacuum (0 not an error) STDERR: third_party/WebKit/Source/WebCore/Modules/webdatabase/AbstractDatabase.cpp(274) : virtual bool WebCore::AbstractDatabase::performOpenAndVerify(bool, WebCore::ExceptionCode&, WTF::String&) STDERR: ERROR: Unable to turn on incremental auto-vacuum (0 not an error) STDERR: third_party/WebKit/Source/WebCore/Modules/webdatabase/AbstractDatabase.cpp(274) : virtual bool WebCore::AbstractDatabase::performOpenAndVerify(bool, WebCore::ExceptionCode&, WTF::String&) STDERR: ERROR: Unable to turn on incremental auto-vacuum (0 not an error) STDERR: third_party/WebKit/Source/WebCore/Modules/webdatabase/AbstractDatabase.cpp(274) : virtual bool WebCore::AbstractDatabase::performOpenAndVerify(bool, WebCore::ExceptionCode&, WTF::String&) STDERR: ERROR: Unable to turn on incremental auto-vacuum (0 not an error) STDERR: third_party/WebKit/Source/WebCore/Modules/webdatabase/AbstractDatabase.cpp(274) : virtual bool WebCore::AbstractDatabase::performOpenAndVerify(bool, WebCore::ExceptionCode&, WTF::String&) STDERR: ERROR: Unable to turn on incremental auto-vacuum (0 not an error) STDERR: third_party/WebKit/Source/WebCore/Modules/webdatabase/AbstractDatabase.cpp(274) : virtual bool WebCore::AbstractDatabase::performOpenAndVerify(bool, WebCore::ExceptionCode&, WTF::String&) STDERR: ERROR: Unable to turn on incremental auto-vacuum (0 not an error) STDERR: third_party/WebKit/Source/WebCore/Modules/webdatabase/AbstractDatabase.cpp(274) : virtual bool WebCore::AbstractDatabase::performOpenAndVerify(bool, WebCore::ExceptionCode&, WTF::String&) STDERR: ERROR: Unable to turn on incremental auto-vacuum (0 not an error) STDERR: third_party/WebKit/Source/WebCore/Modules/webdatabase/AbstractDatabase.cpp(274) : virtual bool WebCore::AbstractDatabase::performOpenAndVerify(bool, WebCore::ExceptionCode&, WTF::String&) STDERR: ERROR: Unable to turn on incremental auto-vacuum (0 not an error) STDERR: third_party/WebKit/Source/WebCore/Modules/webdatabase/AbstractDatabase.cpp(274) : virtual bool WebCore::AbstractDatabase::performOpenAndVerify(bool, WebCore::ExceptionCode&, WTF::String&) STDERR: ERROR: Unable to turn on incremental auto-vacuum (0 not an error) STDERR: third_party/WebKit/Source/WebCore/Modules/webdatabase/AbstractDatabase.cpp(274) : virtual bool WebCore::AbstractDatabase::performOpenAndVerify(bool, WebCore::ExceptionCode&, WTF::String&) STDERR: ERROR: Unable to turn on incremental auto-vacuum (0 not an error) STDERR: third_party/WebKit/Source/WebCore/Modules/webdatabase/AbstractDatabase.cpp(274) : virtual bool WebCore::AbstractDatabase::performOpenAndVerify(bool, WebCore::ExceptionCode&, WTF::String&) STDERR: ERROR: Unable to turn on incremental auto-vacuum (0 not an error) STDERR: third_party/WebKit/Source/WebCore/Modules/webdatabase/AbstractDatabase.cpp(274) : virtual bool WebCore::AbstractDatabase::performOpenAndVerify(bool, WebCore::ExceptionCode&, WTF::String&) STDERR: ERROR: Unable to turn on incremental auto-vacuum (0 not an error) STDERR: third_party/WebKit/Source/WebCore/Modules/webdatabase/AbstractDatabase.cpp(274) : virtual bool WebCore::AbstractDatabase::performOpenAndVerify(bool, WebCore::ExceptionCode&, WTF::String&) STDERR: ERROR: Unable to turn on incremental auto-vacuum (0 not an error) STDERR: third_party/WebKit/Source/WebCore/Modules/webdatabase/AbstractDatabase.cpp(274) : virtual bool WebCore::AbstractDatabase::performOpenAndVerify(bool, WebCore::ExceptionCode&, WTF::String&) STDERR: ERROR: Unable to turn on incremental auto-vacuum (0 not an error) STDERR: third_party/WebKit/Source/WebCore/Modules/webdatabase/AbstractDatabase.cpp(274) : virtual bool WebCore::AbstractDatabase::performOpenAndVerify(bool, WebCore::ExceptionCode&, WTF::String&) STDERR: ERROR: Unable to turn on incremental auto-vacuum (0 not an error) STDERR: third_party/WebKit/Source/WebCore/Modules/webdatabase/AbstractDatabase.cpp(274) : virtual bool WebCore::AbstractDatabase::performOpenAndVerify(bool, WebCore::ExceptionCode&, WTF::String&) STDERR: ERROR: Unable to turn on incremental auto-vacuum (0 not an error) STDERR: third_party/WebKit/Source/WebCore/Modules/webdatabase/AbstractDatabase.cpp(274) : virtual bool WebCore::AbstractDatabase::performOpenAndVerify(bool, WebCore::ExceptionCode&, WTF::String&) STDERR: ERROR: Unable to turn on incremental auto-vacuum (0 not an error) STDERR: third_party/WebKit/Source/WebCore/Modules/webdatabase/AbstractDatabase.cpp(274) : virtual bool WebCore::AbstractDatabase::performOpenAndVerify(bool, WebCore::ExceptionCode&, WTF::String&) STDERR: ERROR: Unable to turn on incremental auto-vacuum (0 not an error) STDERR: third_party/WebKit/Source/WebCore/Modules/webdatabase/AbstractDatabase.cpp(274) : virtual bool WebCore::AbstractDatabase::performOpenAndVerify(bool, WebCore::ExceptionCode&, WTF::String&) STDERR: ERROR: Unable to turn on incremental auto-vacuum (0 not an error) STDERR: third_party/WebKit/Source/WebCore/Modules/webdatabase/AbstractDatabase.cpp(274) : virtual bool WebCore::AbstractDatabase::performOpenAndVerify(bool, WebCore::ExceptionCode&, WTF::String&) STDERR: ERROR: Unable to turn on incremental auto-vacuum (0 not an error) STDERR: third_party/WebKit/Source/WebCore/Modules/webdatabase/AbstractDatabase.cpp(274) : virtual bool WebCore::AbstractDatabase::performOpenAndVerify(bool, WebCore::ExceptionCode&, WTF::String&) STDERR: ERROR: Unable to turn on incremental auto-vacuum (0 not an error) STDERR: third_party/WebKit/Source/WebCore/Modules/webdatabase/AbstractDatabase.cpp(274) : virtual bool WebCore::AbstractDatabase::performOpenAndVerify(bool, WebCore::ExceptionCode&, WTF::String&) STDERR: ERROR: Error (9) preparing statement to read text result from database (SELECT value FROM __WebKitDatabaseInfoTable__ WHERE key = 'WebKitDatabaseVersionKey';) STDERR: third_party/WebKit/Source/WebCore/Modules/webdatabase/AbstractDatabase.cpp(72) : bool WebCore::retrieveTextResultFromDatabase(WebCore::SQLiteDatabase&, const WTF::String&, WTF::String&) STDERR: ERROR: Failed to retrieve version from database http://127.0.0.1:8000:: STDERR: third_party/WebKit/Source/WebCore/Modules/webdatabase/AbstractDatabase.cpp(428) : bool WebCore::AbstractDatabase::getVersionFromDatabase(WTF::String&, bool) STDERR: ERROR: SQLite database could not set temp_store to memory STDERR: third_party/WebKit/Source/WebCore/platform/sql/SQLiteDatabase.cpp(97) : bool WebCore::SQLiteDatabase::open(const WTF::String&, bool) STDERR: ERROR: Unable to turn on incremental auto-vacuum (0 not an error) STDERR: third_party/WebKit/Source/WebCore/Modules/webdatabase/AbstractDatabase.cpp(274) : virtual bool WebCore::AbstractDatabase::performOpenAndVerify(bool, WebCore::ExceptionCode&, WTF::String&) STDERR: ERROR: Error (9) preparing statement to read text result from database (SELECT value FROM __WebKitDatabaseInfoTable__ WHERE key = 'WebKitDatabaseVersionKey';) STDERR: third_party/WebKit/Source/WebCore/Modules/webdatabase/AbstractDatabase.cpp(72) : bool WebCore::retrieveTextResultFromDatabase(WebCore::SQLiteDatabase&, const WTF::String&, WTF::String&) STDERR: ERROR: Failed to retrieve version from database http://127.0.0.1:8000:: STDERR: third_party/WebKit/Source/WebCore/Modules/webdatabase/AbstractDatabase.cpp(428) : bool WebCore::AbstractDatabase::getVersionFromDatabase(WTF::String&, bool) STDERR: ERROR: Unable to turn on incremental auto-vacuum (9 interrupted) STDERR: third_party/WebKit/Source/WebCore/Modules/webdatabase/AbstractDatabase.cpp(274) : virtual bool WebCore::AbstractDatabase::performOpenAndVerify(bool, WebCore::ExceptionCode&, WTF::String&) STDERR: ERROR: Error (9) preparing statement to read text result from database (SELECT value FROM __WebKitDatabaseInfoTable__ WHERE key = 'WebKitDatabaseVersionKey';) STDERR: third_party/WebKit/Source/WebCore/Modules/webdatabase/AbstractDatabase.cpp(72) : bool WebCore::retrieveTextResultFromDatabase(WebCore::SQLiteDatabase&, const WTF::String&, WTF::String&) STDERR: ERROR: Failed to retrieve version from database http://127.0.0.1:8000:: STDERR: third_party/WebKit/Source/WebCore/Modules/webdatabase/AbstractDatabase.cpp(428) : bool WebCore::AbstractDatabase::getVersionFromDatabase(WTF::String&, bool) STDERR: ERROR: Error (9) preparing statement to read text result from database (SELECT value FROM __WebKitDatabaseInfoTable__ WHERE key = 'WebKitDatabaseVersionKey';) STDERR: third_party/WebKit/Source/WebCore/Modules/webdatabase/AbstractDatabase.cpp(72) : bool WebCore::retrieveTextResultFromDatabase(WebCore::SQLiteDatabase&, const WTF::String&, WTF::String&) STDERR: ERROR: Failed to retrieve version from database http://127.0.0.1:8000:: STDERR: third_party/WebKit/Source/WebCore/Modules/webdatabase/AbstractDatabase.cpp(428) : bool WebCore::AbstractDatabase::getVersionFromDatabase(WTF::String&, bool) STDERR: ERROR: Error (9) preparing statement to read text result from database (SELECT value FROM __WebKitDatabaseInfoTable__ WHERE key = 'WebKitDatabaseVersionKey';) STDERR: third_party/WebKit/Source/WebCore/Modules/webdatabase/AbstractDatabase.cpp(72) : bool WebCore::retrieveTextResultFromDatabase(WebCore::SQLiteDatabase&, const WTF::String&, WTF::String&) STDERR: ERROR: Failed to retrieve version from database http://127.0.0.1:8000:: STDERR: third_party/WebKit/Source/WebCore/Modules/webdatabase/AbstractDatabase.cpp(428) : bool WebCore::AbstractDatabase::getVersionFromDatabase(WTF::String&, bool) STDERR: ERROR: Error (9) reading text result from database (SELECT value FROM __WebKitDatabaseInfoTable__ WHERE key = 'WebKitDatabaseVersionKey';) STDERR: third_party/WebKit/Source/WebCore/Modules/webdatabase/AbstractDatabase.cpp(86) : bool WebCore::retrieveTextResultFromDatabase(WebCore::SQLiteDatabase&, const WTF::String&, WTF::String&) STDERR: ERROR: Failed to retrieve version from database http://127.0.0.1:8000:: STDERR: third_party/WebKit/Source/WebCore/Modules/webdatabase/AbstractDatabase.cpp(428) : bool WebCore::AbstractDatabase::getVersionFromDatabase(WTF::String&, bool) STDERR: base::debug::StackTrace::StackTrace() [0x7f49aa0895fa] STDERR: base::(anonymous namespace)::StackDumpSignalHandler() [0x7f49aa0f0bcd] STDERR: 0x7f49a33aeaf0 STDERR: WebCore::EventTarget::fireEventListeners() [0x7f49ace51226] STDERR: WebCore::EventTarget::dispatchEvent() [0x7f49ace511b2] STDERR: WebCore::MessageWorkerContextTask::performTask() [0x7f49adae74fd] STDERR: WebCore::WorkerRunLoop::Task::performTask() [0x7f49adae9e47] STDERR: WebCore::WorkerRunLoop::runInMode() [0x7f49adae9a12] STDERR: WebCore::WorkerRunLoop::run() [0x7f49adae976b] STDERR: WebCore::WorkerThread::runEventLoop() [0x7f49adaee1a3] STDERR: WebCore::DedicatedWorkerThread::runEventLoop() [0x7f49adadb125] STDERR: WebCore::WorkerThread::workerThread() [0x7f49adaee0bd] STDERR: WebCore::WorkerThread::workerThreadStart() [0x7f49adaeddb4] STDERR: WTF::threadEntryPoint() [0x7f49acd68189] STDERR: WTF::wtfThreadEntryPoint() [0x7f49acd687ac] STDERR: start_thread [0x7f49a37049ca] STDERR: 0x7f49a3461cdd

James Robinson

Comment 4 2012-09-14 18:44:03 PDT

That crash may be from http://trac.webkit.org/changeset/128673 which is rolled out now.

Ojan Vafai

Comment 5 2012-10-02 14:26:01 PDT

Patch was recommitted as http://trac.webkit.org/changeset/130077 and now we're seeing crashes again. Should we rollout? http://test-results.appspot.com/dashboards/flakiness_dashboard.html#showExpectations=true&tests=http%2Ftests%2Fworkers%2Fterminate-during-sync-operation.html Still crashes in release builds with the following output: crash log for DumpRenderTree (pid 1689): STDOUT: <empty> STDERR: DumpRenderTree(1689,0xb3e13000) malloc: *** error for object 0xba23ea0: pointer being freed was not allocated STDERR: *** set a breakpoint in malloc_error_break to debug

Ojan Vafai

Comment 6 2012-10-02 14:32:09 PDT

Actually, I'm not sure the memory corruption is from 130077. Webkit Linux got the following output at r130053: crash log for DumpRenderTree (pid 5053): STDOUT: <empty> STDERR: third_party/tcmalloc/chromium/src/free_list.cc:133] Memory corruption detected. STDERR: third_party/tcmalloc/chromium/src/free_list.cc:133] Memory corruption detected.

Joshua Bell

Comment 7 2012-11-08 11:12:24 PST

Still crashing flakily on all platforms (recently: linux 32 release, mac 10.7 release, win7, win7 debug) but only about 3% of the time. Updating the test expectation.

Adam Barth

Comment 8 2013-01-24 22:52:31 PST

Created attachment 184674 [details] Patch

WebKit Review Bot

Comment 9 2013-01-24 22:56:49 PST

Comment on attachment 184674 [details] Patch Rejecting attachment 184674 [details] from commit-queue. Failed to run "['/mnt/git/webkit-commit-queue/Tools/Scripts/webkit-patch', '--status-host=queues.webkit.org', '--bot-id=gce-cq-04', 'apply-attachment', '--no-update', '--non-interactive', 184674, '--port=chromium-xvfb']" exit_code: 2 cwd: /mnt/git/webkit-commit-queue Last 500 characters of output: t/webkit-commit-queue Parsed 4 diffs from patch file(s). patch: **** Can't create file /tmp/pp4X5lCs : No space left on device patch: **** Can't create file /tmp/ppwgJ2Ps : No space left on device patch: **** Can't create file /tmp/ppNOaXss : No space left on device patch: **** Can't create file /tmp/pppdWTCv : No space left on device Failed to run "[u'/mnt/git/webkit-commit-queue/Tools/Scripts/svn-apply', '--force', '--reviewer', 'David Levin']" exit_code: 2 cwd: /mnt/git/webkit-commit-queue Full output: http://queues.webkit.org/results/16122142

WebKit Review Bot

Comment 10 2013-01-24 23:23:27 PST

Comment on attachment 184674 [details] Patch Rejecting attachment 184674 [details] from commit-queue. Failed to run "['/mnt/git/webkit-commit-queue/Tools/Scripts/webkit-patch', '--status-host=queues.webkit.org', '--bot-id=gce-cq-04', 'apply-attachment', '--no-update', '--non-interactive', 184674, '--port=chromium-xvfb']" exit_code: 2 cwd: /mnt/git/webkit-commit-queue Last 500 characters of output: t/webkit-commit-queue Parsed 4 diffs from patch file(s). patch: **** Can't create file /tmp/ppKT9Zny : No space left on device patch: **** Can't create file /tmp/ppYndTBy : No space left on device patch: **** Can't create file /tmp/ppg1fSJB : No space left on device patch: **** Can't create file /tmp/pprJfYiB : No space left on device Failed to run "[u'/mnt/git/webkit-commit-queue/Tools/Scripts/svn-apply', '--force', '--reviewer', 'David Levin']" exit_code: 2 cwd: /mnt/git/webkit-commit-queue Full output: http://queues.webkit.org/results/16111397

WebKit Review Bot

Comment 11 2013-01-28 22:54:22 PST

Comment on attachment 184674 [details] Patch Clearing flags on attachment: 184674 Committed r141057: <http://trac.webkit.org/changeset/141057>

WebKit Review Bot

Comment 12 2013-01-28 22:54:27 PST

All reviewed patches have been landed. Closing bug.

Note You need to log in before you can comment on or make changes to this bug.