Bug 157000 - Crash under MemoryCache::remove()
Summary: Crash under MemoryCache::remove()
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Chris Dumez
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2016-04-25 15:29 PDT by Chris Dumez
Modified: 2016-04-25 17:49 PDT

See Also:


Attachments
Patch (3.71 KB, patch)
2016-04-25 16:24 PDT, Chris Dumez

Description Chris Dumez 2016-04-25 15:29:11 PDT
Crash under MemoryCache::remove():
Thread[0] EXC_BAD_ACCESS (SIGSEGV) (KERN_INVALID_ADDRESS at 0x0000000000000438)
[  0] 0x00007fff96f24da7 WebCore`WebCore::MemoryCache::remove(WebCore::CachedResource&) [inlined] WebCore::CachedResource::sessionID() const at CachedResource.h:116:42
       112 	    const URL& url() const { return m_resourceRequest.url();}
       113 	#if ENABLE(CACHE_PARTITIONING)
       114 	    const String& cachePartition() const { return m_resourceRequest.cachePartition(); }
       115 	#endif
    -> 116 	    SessionID sessionID() const { return m_sessionID; }
       117 	    Type type() const { return static_cast<Type>(m_type); }
       118 	    
       119 	    ResourceLoadPriority loadPriority() const { return m_loadPriority; }
       120 	    void setLoadPriority(const Optional<ResourceLoadPriority>&);
    

     0x00007fff96f24d94:     movq %rdi, %r14
     0x00007fff96f24d97:     movq 0x158(%r14), %rax
     0x00007fff96f24d9e:    testq %rax, %rax
     0x00007fff96f24da1:       je 0xb0f08c             ; <+780> at MemoryCache.cpp:450
 ->  0x00007fff96f24da7:     movq 0x438(%r13), %r9
     0x00007fff96f24dae:     movl 0x164(%r14), %r8d
     0x00007fff96f24db5:     movl %r8d, %esi
     0x00007fff96f24db8:     andl %r9d, %esi
     0x00007fff96f24dbb:     movq %rsi, %rcx

[  0] 0x00007fff96f24da7 WebCore`WebCore::MemoryCache::remove(WebCore::CachedResource&) + 39 at MemoryCache.cpp:427
       423 	    ASSERT(WTF::isMainThread());
       424 	    LOG(ResourceLoading, "Evicting resource %p for '%s' from cache", &resource, resource.url().string().latin1().data());
       425 	    // The resource may have already been removed by someone other than our caller,
       426 	    // who needed a fresh copy for a reload. See <http://bugs.webkit.org/show_bug.cgi?id=12479#c6>.
    -> 427 	    if (auto* resources = sessionResourceMap(resource.sessionID())) {
       428 	#if ENABLE(CACHE_PARTITIONING)
       429 	        auto key = std::make_pair(resource.url(), resource.cachePartition());
       430 	#else
       431 	        auto& key = resource.url();
    
[  1] 0x00007fff96f27673 WebCore`WebCore::MemoryCache::evictResources(WebCore::SessionID) + 99 at MemoryCache.cpp:743:9
       739 	        return;
       740 	    auto& resources = *it->value;
       741 	
       742 	    for (int i = 0, size = resources.size(); i < size; ++i)
    -> 743 	        remove(*resources.begin()->value);
       744 	
       745 	    ASSERT(!m_sessionResources.contains(sessionID));
       746 	}
       747 	
    

     0x00007fff96f27660:     movq %r14, %rdi
     0x00007fff96f27663:    callq 0xb11c70             ; WTF::HashMap<std::__1::pair<WebCore::URL, WTF::String>, WebCore::CachedResource*, WTF::PairHash<WebCore::URL, WTF::String>, WTF::HashTraits<std::__1::pair<WebCore::URL, WTF::String> >, WTF::HashTraits<WebCore::CachedResource*> >::begin at HashMap.h:217
     0x00007fff96f27668:     movq 0x40(%rax), %rsi
     0x00007fff96f2766c:     movq %r15, %rdi
 ->  0x00007fff96f2766f:    callq 0xb0ed80             ; WebCore::MemoryCache::remove at MemoryCache.cpp:422
     0x00007fff96f27674:     decl %ebx
     0x00007fff96f27676:      jne 0xb11660             ; <+80> at MemoryCache.cpp:743
     0x00007fff96f27678:     addq $0x8, %rsp
     0x00007fff96f2767c:     popq %rbx

[  2] 0x00007fff94286040 WebKit`WebKit::WebProcess::deleteWebsiteData(WebCore::SessionID, unsigned long long, std::__1::chrono::time_point<std::__1::chrono::system_clock, std::__1::chrono::duration<long long, std::__1::ratio<1l, 1000000l> > >, unsigned long long) + 56 at WebProcess.cpp:1179:9
       1175	    UNUSED_PARAM(modifiedSince);
       1176	
       1177	    if (websiteDataTypes & WebsiteDataTypeMemoryCache) {
       1178	        PageCache::singleton().pruneToSizeNow(0, PruningReason::None);
    -> 1179	        MemoryCache::singleton().evictResources(sessionID);
       1180	
       1181	        CrossOriginPreflightResultCache::singleton().empty();
       1182	    }
       1183	
    

     0x00007fff9428602c:    callq 0x2bd96a             ; symbol stub for: WebCore::PageCache::pruneToSizeNow(unsigned int, WebCore::PruningReason)
     0x00007fff94286031:    callq 0x2bc1a6             ; symbol stub for: WebCore::MemoryCache::singleton()
     0x00007fff94286036:     movq %rax, %rdi
     0x00007fff94286039:     movq %r15, %rsi
 ->  0x00007fff9428603c:    callq 0x2bc194             ; symbol stub for: WebCore::MemoryCache::evictResources(WebCore::SessionID)
     0x00007fff94286041:    callq 0x2bd274             ; symbol stub for: WebCore::CrossOriginPreflightResultCache::singleton()
     0x00007fff94286046:     movq %rax, %rdi
     0x00007fff94286049:    callq 0x2bd26e             ; symbol stub for: WebCore::CrossOriginPreflightResultCache::empty()
     0x00007fff9428604e:     movq 0x50(%rbx), %rdi
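The loop in frame [1] above, modelled as an added C++ example written for this page (it is not WebKit's code and not the patch that fixed the bug, which the page does not show). The original caches `resources.size()` and calls `remove(*resources.begin()->value)` that many times, which is only safe if every `remove()` call drops exactly one entry from that map. In the model, `remove()` can evict more than one entry per call (a hypothetical dependency cascade; the report does not say what caused the extra eviction) and, as the `ASSERT(!m_sessionResources.contains(sessionID))` after the loop implies the real one does, deletes the per-session map once it is empty. The counted loop then outruns the map; the unguarded original would call `begin()` on a map that no longer exists and hand `remove()` whatever pointer it finds there, which is consistent with the null `CachedResource*` behind the `0x438(%r13)` fault in frame [0]. The snapshot variant holds strong references for the whole eviction, re-looks-up the session map on every step and skips entries an earlier cascade already evicted. Every name other than `MemoryCache`, `CachedResource`, `remove` and `sessionResourceMap` is invented for the example, and the `dependents` field does not exist in WebKit.

```cpp
// Added example, not WebKit code: models the eviction loop from the trace above.
#include <map>
#include <memory>
#include <string>
#include <vector>

struct CachedResource {
    std::string url;
    int sessionID;
    std::vector<std::string> dependents; // hypothetical: evicted together with this resource
};

using ResourceMap = std::map<std::string, std::shared_ptr<CachedResource>>;
class MemoryCache {
public:
    void add(int sessionID, const std::string& url, std::vector<std::string> dependents = {})
    {
        auto& map = m_sessionResources[sessionID];
        if (!map) map = std::make_unique<ResourceMap>();
        (*map)[url] = std::make_shared<CachedResource>(CachedResource { url, sessionID, std::move(dependents) });
    }

    ResourceMap* sessionResourceMap(int sessionID)
    {
        auto it = m_sessionResources.find(sessionID);
        return it == m_sessionResources.end() ? nullptr : it->second.get();
    }

    // Like the real remove(): erase the entry and drop the session map once it is empty. The
    // cascade over `dependents` is the hypothetical part: one call can evict several entries.
    void remove(CachedResource& resource)
    {
        ResourceMap* map = sessionResourceMap(resource.sessionID);
        if (!map) return;
        auto entry = map->find(resource.url);
        if (entry == map->end()) return;
        std::shared_ptr<CachedResource> keepAlive = entry->second; // `resource` must outlive the erase
        map->erase(entry);
        if (map->empty())
            m_sessionResources.erase(keepAlive->sessionID); // every outstanding reference to *map now dangles
        for (const std::string& url : keepAlive->dependents) {
            ResourceMap* current = sessionResourceMap(keepAlive->sessionID); // re-look-up, never reuse `map`
            if (!current) break;
            auto dep = current->find(url);
            if (dep != current->end()) remove(*dep->second);
        }
    }

    // Shape of the loop in frame [1]: a cached size and remove(*begin()). Where the original
    // would call begin() on a map that no longer exists, this version counts the iteration.
    int evictResourcesCountedLoop(int sessionID)
    {
        ResourceMap* resources = sessionResourceMap(sessionID);
        if (!resources) return 0;
        int staleIterations = 0;
        for (std::size_t i = 0, size = resources->size(); i < size; ++i) {
            // `resources` is a dangling pointer once the session map has been deleted.
            if (!sessionResourceMap(sessionID)) { ++staleIterations; continue; }
            remove(*resources->begin()->second);
        }
        return staleIterations;
    }

    // Safer shape: snapshot strong references first, re-look-up the map on every step, and skip
    // entries an earlier remove() already evicted. Returns the number of remove() calls made.
    int evictResourcesSnapshot(int sessionID)
    {
        ResourceMap* resources = sessionResourceMap(sessionID);
        if (!resources) return 0;
        std::vector<std::shared_ptr<CachedResource>> snapshot;
        for (auto& entry : *resources)
            snapshot.push_back(entry.second);
        int removeCalls = 0;
        for (auto& resource : snapshot) {
            ResourceMap* current = sessionResourceMap(sessionID);
            if (!current) break;
            if (!current->count(resource->url)) continue;
            remove(*resource);
            ++removeCalls;
        }
        return removeCalls;
    }

private:
    std::map<int, std::unique_ptr<ResourceMap>> m_sessionResources;
};

// Constructed sample: session 1 holds four resources and evicting "a" also takes "b" and "c" with it.
MemoryCache makeSampleCache()
{
    MemoryCache cache;
    cache.add(1, "a", { "b", "c" });
    cache.add(1, "b");
    cache.add(1, "c");
    cache.add(1, "d");
    return cache;
}

// Both loops on a fresh sample cache. The second returns -1 if the session map survived eviction.
int countedLoopStaleIterations() { MemoryCache c = makeSampleCache(); return c.evictResourcesCountedLoop(1); }
int snapshotLoopRemoveCalls() { MemoryCache c = makeSampleCache(); int calls = c.evictResourcesSnapshot(1); return c.sessionResourceMap(1) ? -1 : calls; }
```

On the constructed sample the counted loop hits two iterations with nothing left to remove, while the snapshot loop makes two `remove()` calls and leaves no session map behind.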
Comment 1 Chris Dumez 2016-04-25 15:29:39 PDT
rdar://problem/23344660
Comment 2 Chris Dumez 2016-04-25 16:24:22 PDT
Created attachment 277287 [details]
Patch
Comment 3 WebKit Commit Bot 2016-04-25 16:26:28 PDT
Attachment 277287 [details] did not pass style-queue:


ERROR: Source/WebCore/loader/cache/MemoryCache.cpp:284:  Extra space before ( in function call  [whitespace/parens] [4]
Total errors found: 1 in 3 files


If any of these errors are false positives, please file a bug against check-webkit-style.
Comment 4 Andreas Kling 2016-04-25 16:27:45 PDT
Comment on attachment 277287 [details]
Patch

Would be nice with a test but r=me
Comment 5 WebKit Commit Bot 2016-04-25 17:49:42 PDT
Comment on attachment 277287 [details]
Patch

Clearing flags on attachment: 277287

Committed r200066: <http://trac.webkit.org/changeset/200066>
Comment 6 WebKit Commit Bot 2016-04-25 17:49:47 PDT
All reviewed patches have been landed.  Closing bug.