Bug 181061 - Crash when clearing std::optional<WebKit::WebServiceWorkerFetchTaskClient::BlobLoader>
Summary: Crash when clearing std::optional<WebKit::WebServiceWorkerFetchTaskClient::Bl...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Service Workers
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: youenn fablet
URL:
Keywords: InRadar
Depends on:
Blocks:
Reported: 2017-12-20 15:33 PST by youenn fablet
Modified: 2017-12-20 17:41 PST
CC: 6 users

See Also:

Attachments
Patch (1.42 KB, patch), 2017-12-20 15:52 PST, youenn fablet, no flags
Patch for landing (1.43 KB, patch), 2017-12-20 16:50 PST, youenn fablet, no flags

Description youenn fablet 2017-12-20 15:33:05 PST
==79588==ERROR: AddressSanitizer: heap-use-after-free on address 0x60700015ad90 at pc 0x00010b45eb67 bp 0x7ffee743cb50 sp 0x7ffee743cb48
WRITE of size 1 at 0x60700015ad90 thread T0
==79588==WARNING: invalid path to external symbolizer!
==79588==WARNING: Failed to use and restart external symbolizer!
#0 0x10b45eb66 in std::optional<WebKit::WebServiceWorkerFetchTaskClient::BlobLoader>::clear() (/Volumes/Data/slave/high-sierra-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0xcf0b66)
#1 0x10b45d0ed in std::optional<WebKit::WebServiceWorkerFetchTaskClient::BlobLoader>::operator=(std::nullopt_t) (/Volumes/Data/slave/high-sierra-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0xcef0ed)
#2 0x11cc2b119 in WebCore::DocumentThreadableLoader::didFinishLoading(unsigned long) (/Volumes/Data/slave/high-sierra-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore:x86_64+0x28f6119)
#3 0x11cd42967 in WebCore::CachedResource::checkNotify() (/Volumes/Data/slave/high-sierra-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore:x86_64+0x2a0d967)
#4 0x11cd3f6ba in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Volumes/Data/slave/high-sierra-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore:x86_64+0x2a0a6ba)
#5 0x11ccddc2e in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Volumes/Data/slave/high-sierra-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore:x86_64+0x29a8c2e)
#6 0x10b42382b in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Volumes/Data/slave/high-sierra-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0xcb582b)
#7 0x10b426b8e in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Volumes/Data/slave/high-sierra-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0xcb8b8e)
#8 0x10b42607f in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Volumes/Data/slave/high-sierra-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0xcb807f)
#9 0x10aaf07c0 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Volumes/Data/slave/high-sierra-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0x3827c0)
#10 0x10a8a496e in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Volumes/Data/slave/high-sierra-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0x13696e)
#11 0x10a8ae486 in IPC::Connection::dispatchOneMessage() (/Volumes/Data/slave/high-sierra-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit:x86_64+0x140486)
#12 0x12b2321a7 in WTF::RunLoop::performWork() (/Volumes/Data/slave/high-sierra-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScrip
(Truncated recent description)
Comment 1 youenn fablet 2017-12-20 15:52:21 PST
Created attachment 329960
Patch
Comment 2 Alex Christensen 2017-12-20 16:40:47 PST
Comment on attachment 329960
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=329960&action=review

> Source/WebKit/WebProcess/Storage/WebServiceWorkerFetchTaskClient.cpp:117
> -    m_blobLoader = std::nullopt;
> +    auto toDelete = WTFMove(m_blobLoader);
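Review bot: `auto toDelete = WTFMove(m_blobLoader);` leaves `m_blobLoader` engaged, because moving out of a std::optional does not disengage the source; after this line the member holds a moved-from BlobLoader and any later `has_value()` check on it still succeeds. Binding the local to `std::exchange(m_blobLoader, std::nullopt)` instead resets the member while still keeping the old loader alive until the end of the function, and a one-line comment stating that destruction is deliberately deferred out of the callback would stop the next reader from simplifying it back to the original assignment.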

I think it would be better to just do std::exchange(m_blobLoader, std::nullopt).  Then we wouldn't need to give anything a strange unused name.
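A constructed C++ model of the destruction-order problem behind the ASan report and of the exchange-based fix suggested above; this is an added example, not WebKit code, and it assumes that destroying the BlobLoader drops the last reference to the client object that contains the optional (the `State`, `Client` and `clientReleasedDuringReset` names are hypothetical).

```cpp
#include <memory>
#include <optional>
#include <utility>

// Constructed model, not WebKit code: a client keeps its loader in a
// std::optional, and the loader holds the last strong reference to that
// client. "Freeing" the client is simulated by a shared_ptr deleter that
// only flips a flag, so even the buggy path is well-defined here.
struct State { bool clientFreed = false; };
struct Client;

struct BlobLoader {  // its destructor drops `client`, possibly releasing the Client
    std::shared_ptr<Client> client;  // assumed: the loader retains its client
    State* state;
    BlobLoader(std::shared_ptr<Client> c, State* s) : client(std::move(c)), state(s) {}
};

struct Client {
    State* state;
    std::optional<BlobLoader> m_blobLoader;
    explicit Client(State* s) : state(s) {}
    // Shape of WebServiceWorkerFetchTaskClient.cpp:117 before the patch.
    // optional::reset() runs ~BlobLoader first and only then writes its own
    // engaged flag; if the destructor released *this, that flag write is the
    // 1-byte WRITE after free in the report. Returns true when that happened.
    bool didFinishLoadingBuggy() {
        m_blobLoader = std::nullopt;
        return state->clientFreed && !m_blobLoader.has_value();
    }

    // Fixed shape: disengage the member first and park the old loader in a
    // local, so *this is released only when toDelete dies at function exit,
    // after every write to a member of *this has completed.
    bool didFinishLoadingFixed() {
        auto toDelete = std::exchange(m_blobLoader, std::nullopt);
        return state->clientFreed;  // false: *this was still alive here
    }
};

// Wires up the cycle from the bug (the only strong reference to the client is
// owned by its own loader) and reports whether the client was released early.
static bool clientReleasedDuringReset(bool usePatchedVersion) {
    State state;
    auto storage = std::make_unique<Client>(&state);
    std::shared_ptr<Client> ref(storage.get(), [&state](Client*) { state.clientFreed = true; });
    storage->m_blobLoader.emplace(std::move(ref), &state);
    return usePatchedVersion ? storage->didFinishLoadingFixed()
                             : storage->didFinishLoadingBuggy();
}
```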
Comment 3 youenn fablet 2017-12-20 16:50:25 PST
Created attachment 329966
Patch for landing
Comment 4 WebKit Commit Bot 2017-12-20 17:39:12 PST
Comment on attachment 329966
Patch for landing

Clearing flags on attachment: 329966

Committed r226206: <https://trac.webkit.org/changeset/226206>
Comment 5 WebKit Commit Bot 2017-12-20 17:39:13 PST
All reviewed patches have been landed.  Closing bug.
Comment 6 Radar WebKit Bug Importer 2017-12-20 17:41:08 PST
<rdar://problem/36168892>