RESOLVED FIXED 182271
[WPE][GTK] Make RunLoop::TimerBase robust to its own deletion inside its source callback
https://bugs.webkit.org/show_bug.cgi?id=182271
Michael Catanzaro
Reported 2018-01-29 17:22:33 PST
This error occurs 100% when starting GTK MiniBrowser. You just need to wait a few seconds after page load completes. The problem is surely that the RunLoop::Timer owned by the HysteresisActivity owned by SpeculativeLoadManager::PendingFrameLoad has been destroyed already, yet its source callback (the lambda in its constructor) is executing anyway. I think that should only be possible if it's created on one thread and destroyed on another, which would be unsafe. To verify, I tried adding a call to g_source_is_destroyed(g_main_current_source()) at the top of the callback, which I think should have "fixed" it if that was the problem, but it didn't, which surprised me. Then I added some asserts and confirmed that PendingFrameLoads are only used on the main thread. So that's not it. I'm not sure what's going wrong, and I've been staring at this for two hours now, so time to move on....

==21247==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000005d68 at pc 0x7f7acd13c0fc bp 0x7fff70b96df0 sp 0x7fff70b96de0
READ of size 1 at 0x611000005d68 thread T0
    #0 0x7f7acd13c0fb in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::{lambda(void*)#1}::operator()(void*) const (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x4c8b0fb)
    #1 0x7f7acd13c137 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::{lambda(void*)#1}::_FUN(void*) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x4c8b137)
    #2 0x7f7acd13b05f in WTF::{lambda(_GSource*, int (*)(void*), void*)#1}::operator()(_GSource*, int (*)(void*), void*) const (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x4c8a05f)
    #3 0x7f7acd13b08e in WTF::{lambda(_GSource*, int (*)(void*), void*)#1}::_FUN(_GSource*, int (*)(void*), void*) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x4c8a08e)
    #4 0x7f7ac20c57b4 in g_main_dispatch
/home/mcatanzaro/Projects/WebKit/WebKitBuild/DependenciesGTK/Source/glib-2.54.2/glib/gmain.c:3148 #5 0x7f7ac20c57b4 in g_main_context_dispatch /home/mcatanzaro/Projects/WebKit/WebKitBuild/DependenciesGTK/Source/glib-2.54.2/glib/gmain.c:3813 #6 0x7f7ac20c5b57 in g_main_context_iterate /home/mcatanzaro/Projects/WebKit/WebKitBuild/DependenciesGTK/Source/glib-2.54.2/glib/gmain.c:3886 #7 0x7f7ac20c5e61 in g_main_loop_run /home/mcatanzaro/Projects/WebKit/WebKitBuild/DependenciesGTK/Source/glib-2.54.2/glib/gmain.c:4082 #8 0x7f7acd13b91b in WTF::RunLoop::run() (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x4c8a91b) #9 0x7f7ada78f646 in int WebKit::ChildProcessMain<WebKit::NetworkProcess, WebKit::NetworkProcessMain>(int, char**) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0xa5e6646) #10 0x7f7ada78f2f1 in NetworkProcessMainUnix (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0xa5e62f1) #11 0x400ec1 in main (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/bin/WebKitNetworkProcess+0x400ec1) #12 0x7f7abdbbd009 in __libc_start_main (/lib64/libc.so.6+0x21009) #13 0x400d99 in _start (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/bin/WebKitNetworkProcess+0x400d99) 0x611000005d68 is located 168 bytes inside of 224-byte region [0x611000005cc0,0x611000005da0) freed by thread T0 here: #0 0x7f7ae82664b8 in __interceptor_free (/lib64/libasan.so.4+0xde4b8) #1 0x7f7acd1511bd in bmalloc::DebugHeap::free(void*) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x4ca01bd) #2 0x7f7acd15074e in bmalloc::Deallocator::deallocateSlowCase(void*) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x4c9f74e) #3 0x7f7acd04215c in bmalloc::Deallocator::deallocate(void*) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x4b9115c) #4 0x7f7acd042574 in 
bmalloc::Cache::deallocate(bmalloc::HeapKind, void*) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x4b91574) #5 0x7f7acd04272a in bmalloc::api::free(void*, bmalloc::HeapKind) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x4b9172a) #6 0x7f7acd041444 in WTF::fastFree(void*) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x4b90444) #7 0x7f7ad9b3152c in WTF::RefCounted<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad>::operator delete(void*) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x998852c) #8 0x7f7ad9b29554 in WTF::RefCounted<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad>::deref() const (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x9980554) #9 0x7f7ad9b390ef in void WTF::derefIfNotNull<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad>(WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad*) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x99900ef) #10 0x7f7ad9b327a9 in WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> >::~RefPtr() (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x99897a9) #11 0x7f7ad9b47067 in WTF::KeyValuePairHashTraits<WTF::HashTraits<std::pair<unsigned long, unsigned long> >, WTF::HashTraits<WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > > >::customDeleteBucket(WTF::KeyValuePair<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > >&) 
(/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x999e067) #12 0x7f7ad9b45bea in std::enable_if<WTF::HashTraitHasCustomDelete<WTF::HashMap<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> >, WTF::PairHash<unsigned long, unsigned long>, WTF::HashTraits<std::pair<unsigned long, unsigned long> >, WTF::HashTraits<WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > > >::KeyValuePairTraits, WTF::KeyValuePair<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > > >::value, void>::type WTF::hashTraitsDeleteBucket<WTF::HashMap<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> >, WTF::PairHash<unsigned long, unsigned long>, WTF::HashTraits<std::pair<unsigned long, unsigned long> >, WTF::HashTraits<WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > > >::KeyValuePairTraits, WTF::KeyValuePair<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > > >(WTF::KeyValuePair<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > >&) 
(/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x999cbea) #13 0x7f7ad9b42e22 in WTF::HashTable<std::pair<unsigned long, unsigned long>, WTF::KeyValuePair<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > > >, WTF::PairHash<unsigned long, unsigned long>, WTF::HashMap<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> >, WTF::PairHash<unsigned long, unsigned long>, WTF::HashTraits<std::pair<unsigned long, unsigned long> >, WTF::HashTraits<WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > > >::KeyValuePairTraits, WTF::HashTraits<std::pair<unsigned long, unsigned long> > >::deleteBucket(WTF::KeyValuePair<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > >&) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x9999e22) #14 0x7f7ad9b3eae9 in WTF::HashTable<std::pair<unsigned long, unsigned long>, WTF::KeyValuePair<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<std::pair<unsigned long, unsigned long>, 
WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > > >, WTF::PairHash<unsigned long, unsigned long>, WTF::HashMap<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> >, WTF::PairHash<unsigned long, unsigned long>, WTF::HashTraits<std::pair<unsigned long, unsigned long> >, WTF::HashTraits<WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > > >::KeyValuePairTraits, WTF::HashTraits<std::pair<unsigned long, unsigned long> > >::remove(WTF::KeyValuePair<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > >*) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x9995ae9) #15 0x7f7ad9b3a760 in WTF::HashTable<std::pair<unsigned long, unsigned long>, WTF::KeyValuePair<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > > >, WTF::PairHash<unsigned long, unsigned long>, WTF::HashMap<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> >, WTF::PairHash<unsigned long, unsigned long>, 
WTF::HashTraits<std::pair<unsigned long, unsigned long> >, WTF::HashTraits<WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > > >::KeyValuePairTraits, WTF::HashTraits<std::pair<unsigned long, unsigned long> > >::removeAndInvalidateWithoutEntryConsistencyCheck(WTF::KeyValuePair<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > >*) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x9991760) #16 0x7f7ad9b33f41 in WTF::HashTable<std::pair<unsigned long, unsigned long>, WTF::KeyValuePair<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > > >, WTF::PairHash<unsigned long, unsigned long>, WTF::HashMap<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> >, WTF::PairHash<unsigned long, unsigned long>, WTF::HashTraits<std::pair<unsigned long, unsigned long> >, WTF::HashTraits<WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > > >::KeyValuePairTraits, WTF::HashTraits<std::pair<unsigned long, unsigned long> > >::removeWithoutEntryConsistencyCheck(WTF::HashTableIterator<std::pair<unsigned long, unsigned long>, 
WTF::KeyValuePair<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > > >, WTF::PairHash<unsigned long, unsigned long>, WTF::HashMap<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> >, WTF::PairHash<unsigned long, unsigned long>, WTF::HashTraits<std::pair<unsigned long, unsigned long> >, WTF::HashTraits<WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > > >::KeyValuePairTraits, WTF::HashTraits<std::pair<unsigned long, unsigned long> > >) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x998af41) #17 0x7f7ad9b2d4c4 in WTF::HashMap<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> >, WTF::PairHash<unsigned long, unsigned long>, WTF::HashTraits<std::pair<unsigned long, unsigned long> >, WTF::HashTraits<WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > > >::remove(WTF::HashTableIteratorAdapter<WTF::HashTable<std::pair<unsigned long, unsigned long>, WTF::KeyValuePair<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, 
WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > > >, WTF::PairHash<unsigned long, unsigned long>, WTF::HashMap<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> >, WTF::PairHash<unsigned long, unsigned long>, WTF::HashTraits<std::pair<unsigned long, unsigned long> >, WTF::HashTraits<WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > > >::KeyValuePairTraits, WTF::HashTraits<std::pair<unsigned long, unsigned long> > >, WTF::KeyValuePair<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > > >) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x99844c4) #18 0x7f7ad9b262ea in WTF::HashMap<std::pair<unsigned long, unsigned long>, WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> >, WTF::PairHash<unsigned long, unsigned long>, WTF::HashTraits<std::pair<unsigned long, unsigned long> >, WTF::HashTraits<WTF::RefPtr<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad, WTF::DumbPtrTraits<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad> > > >::remove(std::pair<unsigned long, unsigned long> const&) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x997d2ea) #19 0x7f7ad9b15217 in 
WebKit::NetworkCache::SpeculativeLoadManager::registerLoad(std::pair<unsigned long, unsigned long> const&, WebCore::ResourceRequest const&, WebKit::NetworkCache::Key const&)::{lambda()#1}::operator()() const (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x996c217) #20 0x7f7ad9b20557 in WTF::Function<void ()>::CallableWrapper<WebKit::NetworkCache::SpeculativeLoadManager::registerLoad(std::pair<unsigned long, unsigned long> const&, WebCore::ResourceRequest const&, WebKit::NetworkCache::Key const&)::{lambda()#1}>::call() (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x9977557) #21 0x7f7ad999bc69 in WTF::Function<void ()>::operator()() const (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x97f2c69) #22 0x7f7ad9b21c11 in WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad::markLoadAsCompleted() (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x9978c11) #23 0x7f7ad9b21dd4 in WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad::PendingFrameLoad(WebKit::NetworkCache::Storage&, WebKit::NetworkCache::Key const&, WTF::Function<void ()>&&)::{lambda(PAL::HysteresisState)#1}::operator()(PAL::HysteresisState) const (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x9978dd4) #24 0x7f7ad9b4a481 in WTF::Function<void (PAL::HysteresisState)>::CallableWrapper<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad::PendingFrameLoad(WebKit::NetworkCache::Storage&, WebKit::NetworkCache::Key const&, WTF::Function<void ()>&&)::{lambda(PAL::HysteresisState)#1}>::call(PAL::HysteresisState) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x99a1481) #25 0x7f7ad9b23f22 in WTF::Function<void (PAL::HysteresisState)>::operator()(PAL::HysteresisState) const (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x997af22) #26 0x7f7ad9b21509 in 
PAL::HysteresisActivity::hysteresisTimerFired() (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x9978509) #27 0x7f7ad9b4a5c4 in WTF::RunLoop::Timer<PAL::HysteresisActivity>::fired() (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x99a15c4) #28 0x7f7acd13c0ac in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::{lambda(void*)#1}::operator()(void*) const (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x4c8b0ac) #29 0x7f7acd13c137 in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::{lambda(void*)#1}::_FUN(void*) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x4c8b137) previously allocated by thread T0 here: #0 0x7f7ae8266850 in malloc (/lib64/libasan.so.4+0xde850) #1 0x7f7acd150f3f in bmalloc::DebugHeap::malloc(unsigned long) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x4c9ff3f) #2 0x7f7acd14c6c0 in bmalloc::Allocator::allocateSlowCase(unsigned long) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x4c9b6c0) #3 0x7f7acd041fd3 in bmalloc::Allocator::allocate(unsigned long) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x4b90fd3) #4 0x7f7acd04230a in bmalloc::Cache::allocate(bmalloc::HeapKind, unsigned long) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x4b9130a) #5 0x7f7acd04268a in bmalloc::api::malloc(unsigned long, bmalloc::HeapKind) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x4b9168a) #6 0x7f7acd041017 in WTF::fastMalloc(unsigned long) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x4b90017) #7 0x7f7ad9b24786 in WTF::RefCounted<WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad>::operator new(unsigned long) 
(/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x997b786) #8 0x7f7ad9b217cf in WebKit::NetworkCache::SpeculativeLoadManager::PendingFrameLoad::create(WebKit::NetworkCache::Storage&, WebKit::NetworkCache::Key const&, WTF::Function<void ()>&&) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x99787cf) #9 0x7f7ad9b15921 in WebKit::NetworkCache::SpeculativeLoadManager::registerLoad(std::pair<unsigned long, unsigned long> const&, WebCore::ResourceRequest const&, WebKit::NetworkCache::Key const&) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x996c921) #10 0x7f7ad9aee110 in WebKit::NetworkCache::Cache::retrieve(WebCore::ResourceRequest const&, std::pair<unsigned long, unsigned long> const&, WTF::Function<void (std::unique_ptr<WebKit::NetworkCache::Entry, std::default_delete<WebKit::NetworkCache::Entry> >)>&&) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x9945110) #11 0x7f7ad9a2cbc1 in WebKit::NetworkResourceLoader::retrieveCacheEntry(WebCore::ResourceRequest const&) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x9883bc1) #12 0x7f7ad9a2c93c in WebKit::NetworkResourceLoader::start() (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x988393c) #13 0x7f7ad9995270 in WebKit::NetworkConnectionToWebProcess::scheduleResourceLoad(WebKit::NetworkResourceLoadParameters const&) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x97ec270) #14 0x7f7adad57e77 in void IPC::callMemberFunctionImpl<WebKit::NetworkConnectionToWebProcess, void (WebKit::NetworkConnectionToWebProcess::*)(WebKit::NetworkResourceLoadParameters const&), std::tuple<WebKit::NetworkResourceLoadParameters>, 0ul>(WebKit::NetworkConnectionToWebProcess*, void (WebKit::NetworkConnectionToWebProcess::*)(WebKit::NetworkResourceLoadParameters const&), 
std::tuple<WebKit::NetworkResourceLoadParameters>&&, std::integer_sequence<unsigned long, 0ul>) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0xabaee77) #15 0x7f7adad5505c in void IPC::callMemberFunction<WebKit::NetworkConnectionToWebProcess, void (WebKit::NetworkConnectionToWebProcess::*)(WebKit::NetworkResourceLoadParameters const&), std::tuple<WebKit::NetworkResourceLoadParameters>, std::integer_sequence<unsigned long, 0ul> >(std::tuple<WebKit::NetworkResourceLoadParameters>&&, WebKit::NetworkConnectionToWebProcess*, void (WebKit::NetworkConnectionToWebProcess::*)(WebKit::NetworkResourceLoadParameters const&)) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0xabac05c) #16 0x7f7adad4f046 in void IPC::handleMessage<Messages::NetworkConnectionToWebProcess::ScheduleResourceLoad, WebKit::NetworkConnectionToWebProcess, void (WebKit::NetworkConnectionToWebProcess::*)(WebKit::NetworkResourceLoadParameters const&)>(IPC::Decoder&, WebKit::NetworkConnectionToWebProcess*, void (WebKit::NetworkConnectionToWebProcess::*)(WebKit::NetworkResourceLoadParameters const&)) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0xaba6046) #17 0x7f7adad4c595 in WebKit::NetworkConnectionToWebProcess::didReceiveNetworkConnectionToWebProcessMessage(IPC::Connection&, IPC::Decoder&) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0xaba3595) #18 0x7f7ad9993a86 in WebKit::NetworkConnectionToWebProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x97eaa86) #19 0x7f7ad9bc66ac in IPC::Connection::dispatchMessage(IPC::Decoder&) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x9a1d6ac) #20 0x7f7ad9bc699b in IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) 
(/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x9a1d99b) #21 0x7f7ad9bc6ed0 in IPC::Connection::dispatchOneMessage() (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x9a1ded0) #22 0x7f7ad9bc6333 in IPC::Connection::enqueueIncomingMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >)::{lambda()#1}::operator()() (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x9a1d333) #23 0x7f7ad9bcf59f in WTF::Function<void ()>::CallableWrapper<IPC::Connection::enqueueIncomingMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >)::{lambda()#1}>::call() (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x9a2659f) #24 0x7f7ad999bc69 in WTF::Function<void ()>::operator()() const (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libwebkit2gtk-4.0.so.37+0x97f2c69) #25 0x7f7acd08cf2f in WTF::RunLoop::performWork() (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x4bdbf2f) #26 0x7f7acd13b0bf in WTF::RunLoop::RunLoop()::{lambda(void*)#1}::operator()(void*) const (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x4c8a0bf) #27 0x7f7acd13b0e3 in WTF::RunLoop::RunLoop()::{lambda(void*)#1}::_FUN(void*) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x4c8a0e3) #28 0x7f7acd13b05f in WTF::{lambda(_GSource*, int (*)(void*), void*)#1}::operator()(_GSource*, int (*)(void*), void*) const (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x4c8a05f) #29 0x7f7acd13b08e in WTF::{lambda(_GSource*, int (*)(void*), void*)#1}::_FUN(_GSource*, int (*)(void*), void*) (/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x4c8a08e) SUMMARY: AddressSanitizer: heap-use-after-free 
(/home/mcatanzaro/Projects/WebKit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18+0x4c8b0fb) in WTF::RunLoop::TimerBase::TimerBase(WTF::RunLoop&)::{lambda(void*)#1}::operator()(void*) const
==21247==ABORTING
Attachments
Patch (2.19 KB, patch)
2018-01-30 15:52 PST, Michael Catanzaro
no flags
Patch (2.25 KB, patch)
2018-01-31 18:48 PST, Michael Catanzaro
cgarcia: review+
Carlos Garcia Campos
Comment 1 2018-01-30 04:40:34 PST
I think the problem is that the pending frame load is deleted inside the hysteresis callback.

- markLoadAsCompleted() is called by hysteresis
- markLoadAsCompleted() ends up calling m_loadCompletionHandler()
- the completion handler removes the pending frame load from the map which deletes it.

The completion handler is the last thing done by markLoadAsCompleted(), so I'm not sure that's a problem. Could you try protecting this before calling m_loadCompletionHandler just in case?
Michael Catanzaro
Comment 2 2018-01-30 15:30:12 PST
(In reply to Carlos Garcia Campos from comment #1)
> I think the problem is that the pending frame load is deleted inside the
> hysteresis callback.
> 
> - markLoadAsCompleted() is called by hysteresis
> - markLoadAsCompleted() ends up calling m_loadCompletionHandler()
> - the completion handler removes the pending frame load from the map which
> deletes it.
> 
> The completion handler is the last thing done by markLoadAsCompleted(), so
> I'm not sure that's a problem. Could you try protecting this before calling
> m_loadCompletionHandler just in case?

Seems like a nice explanation; now I think I finally understand it. I spent too much time squinting at the RunLoop code, and not enough looking at SpeculativeLoadManager. The problem probably doesn't occur for Cocoa ports because their Timer does not do extra work immediately after firing its callback, but ours needs to reset the ready time. Adding a protector does not help, probably because even with the protector, the Timer is still dead when control returns to its source callback.
Michael Catanzaro
Comment 3 2018-01-30 15:38:28 PST
I think our RunLoop::Timer might be the only one that is not robust to being destroyed during its user callback, and I don't see an easy fix for SpeculativeLoadManager, but it is simple to fix in our RunLoop::Timer, so I suggest we leave SpeculativeLoadManager alone and change our RunLoop::Timer instead. CCing Chris just in case he wants to change SpeculativeLoadManager anyway.
Michael Catanzaro
Comment 4 2018-01-30 15:52:38 PST
Michael Catanzaro
Comment 5 2018-01-30 15:54:10 PST
(In reply to Michael Catanzaro from comment #3)
> CCing Chris just in case he wants to change SpeculativeLoadManager anyway.

(Probably not, because it's tricky to fix, but the current code is relying on platform-specific implementation details of RunLoop, which is a bit dangerous.)
Carlos Garcia Campos
Comment 6 2018-01-31 00:13:49 PST
Comment on attachment 332717 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=332717&action=review

Have you checked that asan doesn't report any issues in speculative loader after this patch?

> Source/WTF/wtf/glib/RunLoopGLib.cpp:171
> +        if (g_source_is_destroyed(g_main_current_source()))
> +            return G_SOURCE_REMOVE;

Why don't we keep a pointer to the source before calling fired instead of using g_main_current_source()? I also wonder if we could simply update the ready time before calling fired() instead.

RunLoopGeneric has the same problem, btw:

    bool fired()
    {
        if (!isActive())
            return false;

        m_function();

        if (!m_isRepeating)
            return false;

        updateReadyTime();
        return isActive();
    }
Michael Catanzaro
Comment 7 2018-01-31 08:25:00 PST
(In reply to Carlos Garcia Campos from comment #6)
> Why don't we keep a pointer to the source before calling fired instead of
> using g_main_current_source()?

Sure, I considered doing that. It's an extra ref/unref operation, no big deal.

> I also wonder if we could simply update the
> ready time before calling fired() instead.

I don't know. Changing this would be somewhat scarier. But I think it should be fine....

> RunLoopGeneric has the same
> problem, btw:
> 
>     bool fired()
>     {
>         if (!isActive())
>             return false;
> 
>         m_function();
> 
>         if (!m_isRepeating)
>             return false;
> 
>         updateReadyTime();
>         return isActive();
>     }

Indeed. I did check to see if it was a problem there, but clearly I messed up, as usual.
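As an added illustration of the failure mode discussed in comments 2, 6 and 7 (this is example code, not code from the bug's patches or from WebKit): a stripped-down model of a GLib-style timer source whose dispatch callback reads the Timer after running user code, beside a hardened shape that reads what it needs before the callback, holds a local ref on the source, and afterwards consults only the source. The names (Source, Timer, dispatchUnsafe, dispatchSafe) and the live-set stand-in for AddressSanitizer are this example's own assumptions.

```cpp
#include <cstdint>
#include <set>

// Model of the GLib-backed RunLoop::Timer from the bug, stripped to the parts
// that matter: a ref-counted, destroyable source and a Timer whose source
// callback runs user code. Names here are the example's own, not WebKit's.
struct Source {
    int refCount = 1;
    bool destroyed = false;         // set on destroy, like g_source_is_destroyed()
    std::int64_t readyTime = -1;    // -1 means "not scheduled", as with g_source_set_ready_time()
};
static Source* sourceRef(Source* s) { ++s->refCount; return s; }
static void sourceUnref(Source* s) { if (--s->refCount == 0) delete s; }

enum { SOURCE_REMOVE = 0, SOURCE_CONTINUE = 1, UAF_DETECTED = -1 };

class Timer {
public:
    using Callback = void (*)(void* context);
    Timer(Callback fn, void* context, bool repeating, std::int64_t interval)
        : m_function(fn), m_context(context), m_isRepeating(repeating)
        , m_interval(interval), m_source(new Source) { live().insert(this); }
    ~Timer() { live().erase(this); m_source->destroyed = true; sourceUnref(m_source); }

    void fired() { m_function(m_context); }      // user callback; may delete this Timer
    bool isRepeating() const { return m_isRepeating; }
    std::int64_t interval() const { return m_interval; }
    Source* source() const { return m_source; }
    void updateReadyTime(std::int64_t now) { m_source->readyTime = now + m_interval; }

    // Stand-in for AddressSanitizer: tracks which Timer objects are still allocated.
    static std::set<Timer*>& live() { static std::set<Timer*> s; return s; }
    static bool isLive(Timer* t) { return live().count(t) != 0; }
private:
    Callback m_function;
    void* m_context;
    bool m_isRepeating;
    std::int64_t m_interval;
    Source* m_source;
};

// Shape of the source callback before the fix (same order as the RunLoopGeneric
// fired() quoted in comment 6): run user code, then read the Timer's own fields.
static int dispatchUnsafe(void* userData, std::int64_t now) {
    Timer* timer = static_cast<Timer*>(userData);
    timer->fired();
    if (!Timer::isLive(timer))
        return UAF_DETECTED;    // real code reads freed memory here: ASan's "READ of size 1"
    if (!timer->isRepeating())
        return SOURCE_REMOVE;
    timer->updateReadyTime(now);
    return SOURCE_CONTINUE;
}

// Hardened shape: take everything needed from the Timer before user code runs,
// keep the source alive with a local ref, and afterwards consult only the source.
static int dispatchSafe(void* userData, std::int64_t now) {
    Timer* timer = static_cast<Timer*>(userData);
    Source* source = sourceRef(timer->source());  // like GRefPtr<GSource> protectedSource
    bool repeating = timer->isRepeating();
    std::int64_t interval = timer->interval();
    timer->fired();                               // `timer` must not be touched after this
    int result = SOURCE_REMOVE;
    if (!source->destroyed && repeating) {        // the g_source_is_destroyed() check
        source->readyTime = now + interval;
        result = SOURCE_CONTINUE;
    }
    sourceUnref(source);
    return result;
}

// Scenario from the bug: the callback deletes its own Timer (the completion
// handler removes PendingFrameLoad from the map, destroying the hysteresis timer).
static void deleteOwnTimer(void* context) { delete *static_cast<Timer**>(context); }

static int runSelfDeletingTimer(bool hardened) {
    Timer* timer = nullptr;
    timer = new Timer(deleteOwnTimer, &timer, /*repeating*/ true, /*interval*/ 100);
    return hardened ? dispatchSafe(timer, 0) : dispatchUnsafe(timer, 0);
}

// Control scenario: a well-behaved repeating callback; both shapes reschedule the source.
static void noop(void*) {}

static std::int64_t runRepeatingTimer(bool hardened, std::int64_t now) {
    Timer timer(noop, nullptr, true, 100);
    int result = hardened ? dispatchSafe(&timer, now) : dispatchUnsafe(&timer, now);
    return result == SOURCE_CONTINUE ? timer.source()->readyTime : -1;
}
```

Comment 12 below notes that GLib's dispatcher already holds a ref on the source across the callback, so in the real code the explicit local ref is redundant; the essential part is reading nothing from the Timer once user code has run.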
Michael Catanzaro
Comment 8 2018-01-31 14:45:41 PST
Yusuke, it doesn't look simple to fix RunLoopGeneric, because it will be deleted before the return from m_function(). Do you have any opinion on how we should handle this? If we aren't able to change RunLoopGeneric, then we should try to come up with some way to assert that the Timer has not deleted itself, which is also going to be quite tricky to implement.
Michael Catanzaro
Comment 9 2018-01-31 16:45:13 PST
I'm investigating our options for RunLoopGeneric.

(In reply to Michael Catanzaro from comment #7)
> I don't know. Changing this would be somewhat scarier. But I think it should
> be fine....

I think it would be OK, but I'm really not sure, so I am going to stick with keeping a local ref of the GSource.
Michael Catanzaro
Comment 10 2018-01-31 16:55:23 PST
Sorry for the spam Ryosuke, I saw you modified Timer and thought you might be interested... but it was a different Timer.

(In reply to Michael Catanzaro from comment #9)
> I'm investigating our options for RunLoopGeneric.

ScheduledTask is ThreadSafeRefCounted. That was a good design decision. I bet all it needs is a protector. I'm going to file a separate bug for this so we can land it separately, because I haven't tested it. Bug #182365.
Michael Catanzaro
Comment 11 2018-01-31 18:48:33 PST
Carlos Garcia Campos
Comment 12 2018-01-31 23:55:36 PST
Comment on attachment 332834 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=332834&action=review

> Source/WTF/wtf/glib/RunLoopGLib.cpp:169
> +        GRefPtr<GSource> protectedSource = timer->m_source;

We don't need a ref, the source is reffed by dispatch before calling this callback and unreffed after, so it will be alive for sure after calling fired().
Michael Catanzaro
Comment 13 2018-02-01 11:41:17 PST