Bug 147411 - Crash calling webSocket.close() from onError handler for blocked web socket
Summary: Crash calling webSocket.close() from onError handler for blocked web socket
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Page Loading
Version: 528+ (Nightly build)
Hardware: All   OS: All
Importance: P2 Normal
Assignee: Brady Eidson
URL:
Keywords: InRadar
Reported: 2015-07-29 11:39 PDT by Brady Eidson
Modified: 2015-07-30 21:37 PDT (History)
2 users

Attachments
Patch v1 (10.09 KB, patch)
2015-07-29 11:45 PDT, Brady Eidson
thorton: review+
Description Brady Eidson 2015-07-29 11:39:43 PDT
Crash calling webSocket.close() from onError handler for blocked web socket

This was introduced with http://trac.webkit.org/changeset/185848, but isn't really a regression in the traditional sense.

In radar rdar://problem/21771620

In the crashing frame, the m_handshake is null, because the error callback is happening before there was ever a handshake.

   1 com.apple.WebCore              0x7fff862c0e99 WebCore::URL::stringCenterEllipsizedToLength(unsigned int) const + 0x19
   2 com.apple.WebCore              0x7fff86338c78 WebCore::WebSocketChannel::fail(WTF::String const&) + 0x88
   3 com.apple.WebCore              0x7fff86336232 WebCore::WebSocket::close(int, WTF::String const&, int&) + 0x162
   4 com.apple.WebCore              0x7fff85ea5994 WebCore::jsWebSocketPrototypeFunctionClose(JSC::ExecState*) + 0x104
   5                                0x0000290f31801028 0 + 45145231724584
   6 com.apple.JavaScriptCore       0x7fff8934e706 llint_entry + 0x598d
   7 com.apple.JavaScriptCore       0x7fff8934e706 llint_entry + 0x598d
   8 com.apple.JavaScriptCore       0x7fff89348b69 vmEntryToJavaScript + 0x146
   9 com.apple.JavaScriptCore       0x7fff89271879 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 0xa9
  10 com.apple.JavaScriptCore       0x7fff88e4b49d JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 0x1ed
  11 com.apple.JavaScriptCore       0x7fff88e4b29e JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 0x3e
  12 com.apple.JavaScriptCore       0x7fff88f6228a JSC::boundFunctionCall(JSC::ExecState*) + 0x24a
  13 com.apple.JavaScriptCore       0x7fff89348d02 vmEntryToNative + 0x14c
  14 com.apple.JavaScriptCore       0x7fff88e4b4dd JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 0x22d
  15 com.apple.JavaScriptCore       0x7fff88fe5807 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 0x47
  16 com.apple.WebCore              0x7fff8552ce6a WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) + 0x3ea
  17 com.apple.WebCore              0x7fff859553bb WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul, WTF::CrashOnOverflow, 16ul>&) + 0x27b
  18 com.apple.WebCore              0x7fff85436ba0 WebCore::EventTarget::fireEventListeners(WebCore::Event*) + 0xe0
  19 com.apple.WebCore              0x7fff8552a69d WebCore::EventTarget::dispatchEvent(WTF::PassRefPtr<WebCore::Event>) + 0x5d
  20 com.apple.WebCore              0x7fff8633735a std::__1::__function::__func<WebCore::WebSocket::connect(WTF::String const&, WTF::Vector<WTF::String, 0ul, WTF::CrashOnOverflow, 16ul> const&, int&)::$_0, std::__1::allocator<WebCore::WebSocket::connect(WTF::String const&, WTF::Vector<WTF::String, 0ul, WTF::CrashOnOverflow, 16ul> const&, int&)::$_0>, void ()>::operator()() + 0x4a
  21 com.apple.JavaScriptCore       0x7fff8942ef86 WTF::RunLoop::performWork() + 0x1b6
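The failure mode described above, as an added example that is not WebKit's code: a minimal C++ model of the channel lifecycle in which the handshake object exists only once the connection is allowed to start, so an onerror handler on a blocked socket can re-enter close() while m_handshake is still null. The class names, the failure message format and the fallback to the requested URL are assumptions of this model.

```cpp
#include <functional>
#include <memory>
#include <string>

// Added example, not WebKit's code: models the state behind bug 147411.
struct Handshake {
    std::string url;
};

class ChannelModel {
public:
    using ErrorHandler = std::function<void(ChannelModel&)>;

    explicit ChannelModel(std::string url, ErrorHandler onError)
        : m_url(std::move(url)), m_onError(std::move(onError)) {}

    // Allowed connection: the handshake object is created before any I/O.
    void connectAllowed() {
        m_handshake = std::make_unique<Handshake>();
        m_handshake->url = m_url;
    }

    // Blocked connection: no handshake is ever created; onerror fires at
    // once, and the handler may call close() on this same channel.
    void connectBlocked() { m_onError(*this); }

    // Script-visible close() while still connecting is routed through fail().
    std::string close() { return fail("closed before the connection was established"); }

    bool hasHandshake() const { return m_handshake != nullptr; }

private:
    // Hardened form of the crashing frame. The unguarded version would use
    // m_handshake->url directly, which is a null dereference on this path.
    std::string fail(const std::string& reason) {
        const std::string target = m_handshake ? m_handshake->url : m_url;
        return "WebSocket connection to '" + target + "' failed: " + reason;
    }

    std::string m_url;                       // requested URL (constructed input)
    std::unique_ptr<Handshake> m_handshake;  // null until connectAllowed()
    ErrorHandler m_onError;
};

// Replays the reported sequence safely: onerror calls close() on a blocked
// socket, and the message produced by fail() is returned for inspection.
std::string blockedCloseFromOnError() {
    std::string observed;
    ChannelModel channel("ws://example.invalid/", [&](ChannelModel& c) { observed = c.close(); });
    channel.connectBlocked();
    return observed;
}
```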
Comment 1 Brady Eidson 2015-07-29 11:45:07 PDT
Created attachment 257760
Patch v1
Comment 2 Brady Eidson 2015-07-29 14:10:11 PDT
https://trac.webkit.org/changeset/187556
Comment 3 Michael Catanzaro 2015-07-29 17:17:50 PDT
Whoops, thank you for fixing it!
Comment 4 Brady Eidson 2015-07-29 20:13:23 PDT
(In reply to comment #3)
> Whoops, thank you for fixing it!

Your test was SO CLOSE to covering it. :)
Comment 5 Michael Catanzaro 2015-07-30 18:40:48 PDT
Let it be known that I found comment #4 extremely amusing....
Comment 6 Brady Eidson 2015-07-30 21:37:20 PDT
(In reply to comment #5)
> Let it be known that I found comment #4 extremely amusing....

Let it be known that I appreciate that somebody caught that.