Bug 174522 - Possible crash in ~UserGestureIndicator() when on non-main thread
Summary: Possible crash in ~UserGestureIndicator() when on non-main thread
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc. (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Chris Dumez
URL:
Keywords: InRadar
Depends on: 174592
Blocks:
  Show dependency treegraph
 
Reported: 2017-07-14 12:31 PDT by Chris Dumez
Modified: 2017-07-17 12:53 PDT (History)
7 users (show)

See Also:

Attachments
Patch (1.92 KB, patch)
2017-07-14 12:38 PDT, Chris Dumez 		no flags Details | Formatted Diff | Diff
Patch (5.19 KB, patch)
2017-07-14 14:48 PDT, Chris Dumez 		no flags Details | Formatted Diff | Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Chris Dumez 2017-07-14 12:31:55 PDT 
Possible crash in ~UserGestureIndicator() when on non-main thread:
Thread 27 Crashed:: WebCore: Worker
0   com.apple.WebCore             	0x00007fffaef36330 WebCore::UserGestureIndicator::~UserGestureIndicator() + 176
1   com.apple.WebCore             	0x00007fffadeb9b70 WebCore::DOMTimer::fired() + 1008
2   com.apple.WebCore             	0x00007fffadde13e0 WebCore::ThreadTimers::sharedTimerFiredInternal() + 176
3   com.apple.WebCore             	0x00007fffaefead6d WebCore::WorkerRunLoop::runInMode(WebCore::WorkerGlobalScope*, WebCore::ModePredicate const&, WebCore::WorkerRunLoop::WaitMode) + 365
4   com.apple.WebCore             	0x00007fffaefeaba0 WebCore::WorkerRunLoop::run(WebCore::WorkerGlobalScope*) + 96
5   com.apple.WebCore             	0x00007fffaefee421 WebCore::WorkerThread::workerThread() + 929
6   com.apple.JavaScriptCore      	0x00007fffa8db1c62 WTF::threadEntryPoint(void*) + 178
7   com.apple.JavaScriptCore      	0x00007fffa8db1b8f WTF::wtfThreadEntryPoint(void*) + 15
8   libsystem_pthread.dylib       	0x00007fffbc8e2aab _pthread_body + 180
9   libsystem_pthread.dylib       	0x00007fffbc8e29f7 _pthread_start + 286
10  libsystem_pthread.dylib       	0x00007fffbc8e21fd thread_start + 13
Comment 1 Chris Dumez 2017-07-14 12:32:19 PDT 
<rdar://problem/30283071>
Comment 2 Chris Dumez 2017-07-14 12:38:44 PDT 
Created attachment 315472 [details]
Patch
Comment 3 Brady Eidson 2017-07-14 13:22:15 PDT 
Comment on attachment 315472 [details]
Patch

This seems like we could actually write a test for it?
Comment 4 Chris Dumez 2017-07-14 13:39:50 PDT 
(In reply to Brady Eidson from comment #3)
> Comment on attachment 315472 [details]
> Patch
> 
> This seems like we could actually write a test for it?

I will try but it seems pretty racy.
Comment 5 Chris Dumez 2017-07-14 13:53:22 PDT 
(In reply to Chris Dumez from comment #4)
> (In reply to Brady Eidson from comment #3)
> > Comment on attachment 315472 [details]
> > Patch
> > 
> > This seems like we could actually write a test for it?
> 
> I will try but it seems pretty racy.

I *think* a user gesture needs to happen on the main thread and *while* this user gesture is happening (i.e. there is still a UserGestureIndicator object alive for the gesture), a DOMTimer needs to fire in a worker thread.
Comment 6 Sam Weinig 2017-07-14 14:05:18 PDT 
Comment on attachment 315472 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=315472&action=review

> Source/WebCore/dom/UserGestureIndicator.cpp:71
> +    // It is only safe to use currentToken() on the main thread.
> +    m_previousToken = currentToken();

Seems like you should ASSERT(isMainThread()) in currentToken().
Comment 7 Chris Dumez 2017-07-14 14:06:15 PDT 
(In reply to Sam Weinig from comment #6)
> Comment on attachment 315472 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=315472&action=review
> 
> > Source/WebCore/dom/UserGestureIndicator.cpp:71
> > +    // It is only safe to use currentToken() on the main thread.
> > +    m_previousToken = currentToken();
> 
> Seems like you should ASSERT(isMainThread()) in currentToken().

Thanks, I'll add the ASSERT and am trying to write a test right now.
Comment 8 Sam Weinig 2017-07-14 14:07:56 PDT 
Comment on attachment 315472 [details]
Patch

r=me with the ASSERT.
Comment 9 Chris Dumez 2017-07-14 14:48:03 PDT 
Created attachment 315491 [details]
Patch
Comment 10 Chris Dumez 2017-07-14 15:17:43 PDT 
Comment on attachment 315491 [details]
Patch

Will wait for debug EWS before landing.
Comment 11 Chris Dumez 2017-07-14 16:02:57 PDT 
Comment on attachment 315491 [details]
Patch

Clearing flags on attachment: 315491

Committed r219531: <http://trac.webkit.org/changeset/219531>
Comment 12 Chris Dumez 2017-07-14 16:02:58 PDT 
All reviewed patches have been landed.  Closing bug.