WebKit Bugzilla
RESOLVED FIXED
Bug 174526 - Regression(r199039): Possible crash under NetworkSocketStream::didFailSocketStream()
https://bugs.webkit.org/show_bug.cgi?id=174526
Chris Dumez
Reported
2017-07-14 13:42:44 PDT
Possible crash under NetworkSocketStream::didFailSocketStream():

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0  com.apple.WebKit 0x00007fffa1de73e2 IPC::Connection::sendMessage(std::__1::unique_ptr<IPC::Encoder, std::__1::default_delete<IPC::Encoder> >, WTF::OptionSet<IPC::SendOption>) + 26
1  com.apple.WebKit 0x00007fffa1e2062f IPC::MessageSender::sendMessage(std::__1::unique_ptr<IPC::Encoder, std::__1::default_delete<IPC::Encoder> >, WTF::OptionSet<IPC::SendOption>) + 57
2  com.apple.WebKit 0x00007fffa1e7cf2a bool IPC::MessageSender::send<Messages::WebSocketStream::DidFailSocketStream>(Messages::WebSocketStream::DidFailSocketStream const&, unsigned long long, WTF::OptionSet<IPC::SendOption>) + 112
3  com.apple.WebKit 0x00007fffa1e7ca31 non-virtual thunk to WebKit::NetworkSocketStream::didFailSocketStream(WebCore::SocketStreamHandle&, WebCore::SocketStreamError const&) + 51
4  com.apple.WebCore 0x00007fffa16cf679 WebCore::SocketStreamHandleImpl::SocketStreamHandleImpl(WebCore::URL const&, WebCore::SocketStreamHandleClient&, WebCore::SessionID, WTF::String const&, WebCore::SourceApplicationAuditToken&&) + 793
5  com.apple.WebKit 0x00007fffa1e7c597 WebKit::NetworkSocketStream::create(WebCore::URL&&, WebCore::SessionID, WTF::String const&, unsigned long long, IPC::Connection&, WebCore::SourceApplicationAuditToken&&) + 147
6  com.apple.WebKit 0x00007fffa1e574bd WebKit::NetworkConnectionToWebProcess::createSocketStream(WebCore::URL&&, WebCore::SessionID, WTF::String, unsigned long long) + 107
7  com.apple.WebKit 0x00007fffa1e5cd65 void IPC::callMemberFunctionImpl<WebKit::NetworkConnectionToWebProcess, void (WebKit::NetworkConnectionToWebProcess::*)(WebCore::URL&&, WebCore::SessionID, WTF::String, unsigned long long), std::__1::tuple<WebCore::URL, WebCore::SessionID, WTF::String, unsigned long long>, 0ul, 1ul, 2ul, 3ul>(WebKit::NetworkConnectionToWebProcess*, void (WebKit::NetworkConnectionToWebProcess::*)(WebCore::URL&&, WebCore::SessionID, WTF::String, unsigned long long), std::__1::tuple<WebCore::URL, WebCore::SessionID, WTF::String, unsigned long long>&&, std::__1::integer_sequence<unsigned long, 0ul, 1ul, 2ul, 3ul>) + 63
8  com.apple.WebKit 0x00007fffa1e5b2fa void IPC::handleMessage<Messages::NetworkConnectionToWebProcess::CreateSocketStream, WebKit::NetworkConnectionToWebProcess, void (WebKit::NetworkConnectionToWebProcess::*)(WebCore::URL&&, WebCore::SessionID, WTF::String, unsigned long long)>(IPC::Decoder&, WebKit::NetworkConnectionToWebProcess*, void (WebKit::NetworkConnectionToWebProcess::*)(WebCore::URL&&, WebCore::SessionID, WTF::String, unsigned long long)) + 94
9  com.apple.WebKit 0x00007fffa1de69b5 IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) + 119
10 com.apple.WebKit 0x00007fffa1de94ee IPC::Connection::dispatchOneMessage() + 176
11 com.apple.JavaScriptCore 0x00007fff96dcee39 WTF::RunLoop::performWork() + 169
12 com.apple.JavaScriptCore 0x00007fff96dcf0f2 WTF::RunLoop::performWork(void*) + 34
13 com.apple.CoreFoundation 0x00007fff93362c51 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
14 com.apple.CoreFoundation 0x00007fff93345a6f __CFRunLoopDoSources0 + 271
15 com.apple.CoreFoundation 0x00007fff9334501f __CFRunLoopRun + 1039
16 com.apple.CoreFoundation 0x00007fff93344999 CFRunLoopRunSpecific + 409
17 com.apple.Foundation 0x00007fff953e5306 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 277
18 com.apple.Foundation 0x00007fff953e51de -[NSRunLoop(NSRunLoop) run] + 76
19 libxpc.dylib 0x00007fffba9c5e2b _xpc_objc_main + 672
20 libxpc.dylib 0x00007fffba9c4a21 xpc_main + 417
21 com.apple.WebKit.Networking 0x10892a6a1 main + 490 (/BuildRoot/Library/Caches/com.apple.xbs/Sources/WebKit2/WebKit2-7604.1.28.2/Shared/EntryPointUtilities/mac/XPCService/XPCServiceMain.mm:148)
22 libdyld.dylib 0x00007fffba6fa639 start + 1
Attachments
Patch (4.85 KB, patch) 2017-07-14 13:46 PDT, Chris Dumez, no flags
Archive of layout-test-results from ews102 for mac-elcapitan (1.13 MB, application/zip) 2017-07-14 14:39 PDT, Build Bot, no flags
Chris Dumez
Comment 1
2017-07-14 13:43:10 PDT
<rdar://problem/32831441>
Chris Dumez
Comment 2
2017-07-14 13:46:00 PDT
Created attachment 315481
Patch
Build Bot
Comment 3
2017-07-14 14:39:05 PDT
Comment on attachment 315481
Patch

Attachment 315481 did not pass mac-ews (mac):
Output: http://webkit-queues.webkit.org/results/4121474

New failing tests:
security/contentSecurityPolicy/video-with-data-url-allowed-by-media-src-star.html
Build Bot
Comment 4
2017-07-14 14:39:06 PDT
Created attachment 315487
Archive of layout-test-results from ews102 for mac-elcapitan

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews102 Port: mac-elcapitan Platform: Mac OS X 10.11.6
Brent Fulgham
Comment 5
2017-07-14 14:40:16 PDT
Comment on attachment 315481
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=315481&action=review

r=me

> Source/WebCore/platform/network/cf/SocketStreamHandleImplCFNet.cpp:92
> + });

Wow! Nice catch.
Brent Fulgham
Comment 6
2017-07-14 14:40:34 PDT
The 'mac' test failure doesn't seem likely to be related to this patch.
Chris Dumez
Comment 7
2017-07-14 14:42:59 PDT
(In reply to Brent Fulgham from comment #6)
> The 'mac' test failure doesn't seem likely to be related to this patch.
Indeed, the test is currently failing on the non-EWS bots. The tree is red.
WebKit Commit Bot
Comment 8
2017-07-14 14:45:43 PDT
Comment on attachment 315481
Patch

Clearing flags on attachment: 315481

Committed r219525: <http://trac.webkit.org/changeset/219525>
WebKit Commit Bot
Comment 9
2017-07-14 14:45:45 PDT
All reviewed patches have been landed. Closing bug.
Alexey Proskuryakov
Comment 10
2017-07-15 08:08:57 PDT
Comment on attachment 315481
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=315481&action=review

>> Source/WebCore/platform/network/cf/SocketStreamHandleImplCFNet.cpp:92
>> + });
>
> Wow! Nice catch.

Can m_client get zeroed out in between?
Chris Dumez
Comment 11
2017-07-18 08:58:13 PDT
Comment on attachment 315481
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=315481&action=review

>>> Source/WebCore/platform/network/cf/SocketStreamHandleImplCFNet.cpp:92
>>> + });
>>
>> Wow! Nice catch.
>
> Can m_client get zeroed out in between?

m_client is a reference, not a pointer and cannot be zeroed out.