Bug 183668 - ServiceWorkerClientFetch::didReceiveData should check for m_encodedDataLength
Summary: ServiceWorkerClientFetch::didReceiveData should check for m_encodedDataLength
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Service Workers (show other bugs)
Version: Other
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: youenn fablet
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2018-03-15 11:07 PDT by youenn fablet
Modified: 2018-03-20 14:53 PDT (History)
6 users (show)

See Also:

Attachments
Patch (1.44 KB, patch)
2018-03-15 11:08 PDT, youenn fablet 		no flags Details | Formatted Diff | Diff
Patch (1.91 KB, patch)
2018-03-15 14:14 PDT, youenn fablet 		no flags Details | Formatted Diff | Diff
Archive of layout-test-results from ews106 for mac-sierra-wk2 (3.59 MB, application/zip)
2018-03-15 15:39 PDT, EWS Watchlist 		no flags Details
Archive of layout-test-results from ews126 for ios-simulator-wk2 (2.74 MB, application/zip)
2018-03-15 16:02 PDT, EWS Watchlist 		no flags Details
Patch (1.98 KB, patch)
2018-03-20 10:17 PDT, youenn fablet 		no flags Details | Formatted Diff | Diff
Show Obsolete (2) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description youenn fablet 2018-03-15 11:07:38 PDT 
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore      	0x000000011aaea1d4 WTFCrash + 36 (Assertions.cpp:271)
1   com.apple.WebKit              	0x0000000105458c31 WTF::RefPtr<WebCore::SharedBuffer, WTF::DumbPtrTraits<WebCore::SharedBuffer> >::releaseNonNull() + 81 (RefPtr.h:74)
2   com.apple.WebKit              	0x0000000105458b9e WebKit::ServiceWorkerClientFetch::didReceiveData(IPC::DataReference const&, long long)::$_1::operator()() const + 110 (ServiceWorkerClientFetch.cpp:173)
3   com.apple.WebKit              	0x0000000105458a99 WTF::Function<void ()>::CallableWrapper<WebKit::ServiceWorkerClientFetch::didReceiveData(IPC::DataReference const&, long long)::$_1>::call() + 25 (Function.h:101)
4   com.apple.JavaScriptCore      	0x000000011ab061cb WTF::Function<void ()>::operator()() const + 139 (Function.h:56)
5   com.apple.JavaScriptCore      	0x000000011ab29404 WTF::dispatchFunctionsFromMainThread() + 324 (MainThread.cpp:129)
6   com.apple.JavaScriptCore      	0x000000011ab2c5a1 WTF::timerFired(__CFRunLoopTimer*, void*) + 49 (MainThreadMac.mm:111)
7   com.apple.CoreFoundation      	0x00007fff9305be04 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
8   com.apple.CoreFoundation      	0x00007fff9305ba93 __CFRunLoopDoTimer + 1075
9   com.apple.CoreFoundation      	0x00007fff9305b5ea __CFRunLoopDoTimers + 298
10  com.apple.CoreFoundation      	0x00007fff93052fc1 __CFRunLoopRun + 2081
11  com.apple.CoreFoundation      	0x00007fff93052544 CFRunLoopRunSpecific + 420
12  com.apple.HIToolbox           	0x00007fff925b1ebc RunCurrentEventLoopInMode + 240
13  com.apple.HIToolbox           	0x00007fff925b1cf1 ReceiveNextEventCommon + 432
14  com.apple.HIToolbox           	0x00007fff925b1b26 _BlockUntilNextEventMatchingListInModeWithFilter + 71
15  com.apple.AppKit              	0x00007fff90b48a54 _DPSNextEvent + 1120
16  com.apple.AppKit              	0x00007fff912c47ee -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 2796
17  com.apple.AppKit              	0x00007fff90b3d3db -[NSApplication run] + 926
18  com.apple.AppKit              	0x00007fff90b07e0e NSApplicationMain + 1237
19  libxpc.dylib                  	0x00007fffa8fe58c7 _xpc_objc_main + 775
20  libxpc.dylib                  	0x00007fffa8fe42e4 xpc_main + 494
21  com.apple.WebKit.WebContent   	0x0000000104df8145 main + 1189 (XPCServiceMain.mm:148)
22  libdyld.dylib                 	0x00007fffa8d8c235 start + 1
Comment 1 youenn fablet 2018-03-15 11:08:41 PDT 
Created attachment 335864 [details]
Patch
Comment 2 youenn fablet 2018-03-15 14:10:21 PDT 
This crash happens because ServiceWorkerClientFetch can call m_loader->didReceiveBuffer at two different places (IPC or completion handler for response check).
In which case, we free the buffer and set back m_encodedLength to zero.
Comment 3 youenn fablet 2018-03-15 14:14:41 PDT 
Created attachment 335882 [details]
Patch
Comment 4 EWS Watchlist 2018-03-15 15:39:07 PDT 
Comment on attachment 335882 [details]
Patch

Attachment 335882 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/6970917

Number of test failures exceeded the failure limit.
Comment 5 EWS Watchlist 2018-03-15 15:39:08 PDT 
Created attachment 335895 [details]
Archive of layout-test-results from ews106 for mac-sierra-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews106  Port: mac-sierra-wk2  Platform: Mac OS X 10.12.6
Comment 6 EWS Watchlist 2018-03-15 16:02:14 PDT 
Comment on attachment 335882 [details]
Patch

Attachment 335882 [details] did not pass ios-sim-ews (ios-simulator-wk2):
Output: http://webkit-queues.webkit.org/results/6971035

Number of test failures exceeded the failure limit.
Comment 7 EWS Watchlist 2018-03-15 16:02:16 PDT 
Created attachment 335902 [details]
Archive of layout-test-results from ews126 for ios-simulator-wk2

The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews126  Port: ios-simulator-wk2  Platform: Mac OS X 10.12.6
Comment 8 Chris Dumez 2018-03-16 09:15:18 PDT 
Comment on attachment 335882 [details]
Patch

r- given test failures :)
Comment 9 youenn fablet 2018-03-20 08:57:42 PDT 
rdar://problem/38473926
Comment 10 youenn fablet 2018-03-20 10:17:20 PDT 
Created attachment 336129 [details]
Patch
Comment 11 WebKit Commit Bot 2018-03-20 14:53:42 PDT 
Comment on attachment 336129 [details]
Patch

Clearing flags on attachment: 336129

Committed r229774: <https://trac.webkit.org/changeset/229774>
Comment 12 WebKit Commit Bot 2018-03-20 14:53:44 PDT 
All reviewed patches have been landed.  Closing bug.