Bug 186805 - WebCoreNSURLSessionDataTaskClient::redirectReceived() calls WebCore on non-main thread
Summary: WebCoreNSURLSessionDataTaskClient::redirectReceived() calls WebCore on non-main thread
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Page Loading
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Chris Dumez
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2018-06-19 08:39 PDT by Chris Dumez
Modified: 2018-06-19 10:12 PDT
CC List: 7 users

See Also:


Attachments
Patch (2.12 KB, patch)
2018-06-19 08:43 PDT, Chris Dumez

Description Chris Dumez 2018-06-19 08:39:32 PDT
WebCoreNSURLSessionDataTaskClient::redirectReceived() calls WebCore on non-main thread:
Thread 6 name:  Dispatch queue: NSOperationQueue 0x1006c5730 (QOS: UNSPECIFIED)
Thread 6 Crashed:
0   WebKit                        	0x00000001918dab74 WebKit::WebProcess::ensureNetworkProcessConnection() + 244 (WebProcess.cpp:1105)
1   WebKit                        	0x00000001918daad0 WebKit::WebProcess::ensureNetworkProcessConnection() + 80 (WebProcess.cpp:1104)
2   WebKit                        	0x0000000191903f24 WebKit::WebResourceLoader::messageSenderConnection() + 16 (WebResourceLoader.cpp:71)
3   WebKit                        	0x00000001916c49e8 IPC::MessageSender::sendMessage(std::__1::unique_ptr<IPC::Encoder, std::__1::default_delete<IPC::Encoder> >, WTF::OptionSet<IPC::SendOption>) + 36 (MessageSender.cpp:39)
4   WebKit                        	0x0000000191904c30 bool IPC::MessageSender::send<Messages::NetworkResourceLoader::ContinueWillSendRequest>(Messages::NetworkResourceLoader::ContinueWillSendRequest const&, unsigned long long, WTF::OptionSet<IPC::SendOption>) + 132 (MessageSender.h:49)
5   WebKit                        	0x0000000191904b9c WTF::Function<void (WebCore::ResourceRequest&&)>::CallableWrapper<WebKit::WebResourceLoader::willSendRequest(WebCore::ResourceRequest&&, WebCore::ResourceResponse&&)::$_0>::call(WebCore::ResourceRequest&&) + 80 (MessageSender.h:39)
6   WebCore                       	0x000000018ae0c524 WTF::Function<void (WebCore::ResourceRequest&&)>::CallableWrapper<WebCore::SubresourceLoader::willSendRequestInternal(WebCore::ResourceRequest&&, WebCore::ResourceResponse const&, WTF::CompletionHandler<void (WebCore::ResourceRequest&&)>&&)::$_0::operator()(WTF::CompletionHandler<void (WebCore::ResourceRequest&&)>&&, WebCore::ResourceRequest&&)::'lambda'(WebCore::ResourceRequest&&)>::call(WebCore::ResourceRequest&&) + 120 (Function.h:56)
7   WebCore                       	0x000000018ae00d24 WebCore::ResourceLoader::willSendRequestInternal(WebCore::ResourceRequest&&, WebCore::ResourceResponse const&, WTF::CompletionHandler<void (WebCore::ResourceRequest&&)>&&) + 1584 (Function.h:56)
8   WebCore                       	0x000000018ae07f4c WebCore::SubresourceLoader::willSendRequestInternal(WebCore::ResourceRequest&&, WebCore::ResourceResponse const&, WTF::CompletionHandler<void (WebCore::ResourceRequest&&)>&&)::$_0::operator()(WTF::CompletionHandler<void (WebCore::ResourceRequest&&)>&&, WebCore::ResourceRequest&&) + 356 (SubresourceLoader.cpp:190)
9   WebCore                       	0x000000018ae36448 WTF::Function<void (WebCore::ResourceRequest&&)>::CallableWrapper<WebCore::CachedRawResource::redirectReceived(WebCore::ResourceRequest&&, WebCore::ResourceResponse const&, WTF::CompletionHandler<void (WebCore::ResourceRequest&&)>&&)::$_1>::call(WebCore::ResourceRequest&&) + 84 (Function.h:56)
10  WebCore                       	0x000000018ae2c3ec WebCore::iterateClients(WebCore::CachedResourceClientWalker<WebCore::CachedRawResourceClient>&&, WebCore::CachedResourceHandle<WebCore::CachedRawResource>&&, WebCore::ResourceRequest&&, std::__1::unique_ptr<WebCore::ResourceResponse, std::__1::default_delete<WebCore::ResourceResponse> >&&, WTF::CompletionHandler<void (WebCore::ResourceRequest&&)>&&) + 552 (Function.h:56)
11  WebCore                       	0x000000018b36c7f8 WTF::Function<void ()>::CallableWrapper<-[WebCoreNSURLSessionDataTask resource:receivedRedirect:request:completionHandler:]::$_11>::call() + 448 (Function.h:56)
12  Foundation                    	0x0000000182084694 __NSBLOCKOPERATION_IS_CALLING_OUT_TO_A_BLOCK__ + 16 (NSOperation.m:1467)
13  Foundation                    	0x0000000181fc4410 -[NSBlockOperation main] + 72 (NSOperation.m:1486)
14  Foundation                    	0x0000000181fb3ff8 -[__NSOperationInternal _start:] + 848 (NSOperation.m:830)
15  Foundation                    	0x0000000182086298 __NSOQSchedule_f + 404 (NSOperation.m:2081)
16  libdispatch.dylib             	0x0000000180f6ca2c _dispatch_client_callout + 16 (object.m:507)
17  libdispatch.dylib             	0x0000000180f74e8c _dispatch_continuation_pop$VARIANT$mp + 424 (inline_internal.h:2500)
18  libdispatch.dylib             	0x0000000180f737c4 _dispatch_async_redirect_invoke$VARIANT$mp + 604 (queue.c:3426)
19  libdispatch.dylib             	0x0000000180f79ca4 _dispatch_root_queue_drain + 588 (inline_internal.h:2539)
20  libdispatch.dylib             	0x0000000180f799f4 _dispatch_worker_thread3 + 120 (queue.c:6101)
21  libsystem_pthread.dylib       	0x0000000181295044 _pthread_wqthread + 1176 (pthread.c:2286)
22  libsystem_pthread.dylib       	0x0000000181294ba0 start_wqthread + 4
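The shape of the bug in the description above, as an added illustration that is not WebKit's code and not the patch in attachment 343058: a network-layer callback arrives on a worker thread (standing in for the NSOperationQueue thread in the trace) and must not touch the loader directly, because the WebCore loader and its IPC path assume the main thread. The names `isMainThread`, `callOnMainThread`, `runMainThreadTasks`, `Loader`, `redirectReceivedUnsafe` and `redirectReceivedSafe` are hypothetical stand-ins written for this example, not the WTF or WebCore APIs; the URL is a constructed sample.

```cpp
#include <cstddef>
#include <cstdio>
#include <deque>
#include <functional>
#include <mutex>
#include <string>
#include <thread>

// Hypothetical stand-ins for a main-thread dispatch facility (not WTF's own).
namespace {
std::thread::id g_mainThreadId;
std::mutex g_queueMutex;
std::deque<std::function<void()>> g_mainThreadQueue;
}

// Record which thread counts as "main"; call once from that thread.
void initializeMainThread() { g_mainThreadId = std::this_thread::get_id(); }

bool isMainThread() { return std::this_thread::get_id() == g_mainThreadId; }

// Queue work for the main thread; safe to call from any thread.
void callOnMainThread(std::function<void()> task) {
    std::lock_guard<std::mutex> lock(g_queueMutex);
    g_mainThreadQueue.push_back(std::move(task));
}

// Drain queued tasks. Models the main run loop; returns how many tasks ran.
size_t runMainThreadTasks() {
    if (!isMainThread())
        return 0;  // only the main thread may run main-thread work
    size_t ran = 0;
    for (;;) {
        std::function<void()> task;
        {
            std::lock_guard<std::mutex> lock(g_queueMutex);
            if (g_mainThreadQueue.empty())
                break;
            task = std::move(g_mainThreadQueue.front());
            g_mainThreadQueue.pop_front();
        }
        task();
        ++ran;
    }
    return ran;
}

// Models the WebCore side: a loader that must only be touched on the main thread
// (in the trace this is where the ContinueWillSendRequest IPC send happens).
struct Loader {
    bool continuedOnMainThread = false;
    std::string continuedUrl;
    void continueWillSendRequest(std::string url) {
        continuedOnMainThread = isMainThread();  // records the thread we were called on
        continuedUrl = std::move(url);
    }
};

// Buggy shape: the redirect callback calls the loader on whatever thread invoked it.
void redirectReceivedUnsafe(Loader& loader, std::string url) {
    loader.continueWillSendRequest(std::move(url));
}

// Fixed shape: hop to the main thread before touching the loader.
void redirectReceivedSafe(Loader& loader, std::string url) {
    callOnMainThread([&loader, url = std::move(url)]() mutable {
        loader.continueWillSendRequest(std::move(url));
    });
}

// Drive the callback from a worker thread (the NSOperationQueue stand-in) and report
// whether the loader ended up being touched on the main thread with the right URL.
bool simulateRedirect(bool useSafeVariant) {
    initializeMainThread();
    Loader loader;
    const std::string sampleUrl = "https://example.test/redirected";  // constructed sample
    std::thread worker([&] {
        if (useSafeVariant)
            redirectReceivedSafe(loader, sampleUrl);
        else
            redirectReceivedUnsafe(loader, sampleUrl);
    });
    worker.join();         // worker has either called the loader directly or queued the hop
    runMainThreadTasks();  // main thread drains its queue, as the run loop would
    return loader.continuedOnMainThread && loader.continuedUrl == sampleUrl;
}

int main() {
    std::printf("safe variant reached loader on main thread: %s\n", simulateRedirect(true) ? "yes" : "no");
    std::printf("unsafe variant reached loader on main thread: %s\n", simulateRedirect(false) ? "yes" : "no");
    return 0;
}
```

The unsafe variant is the one the backtrace shows: frames 11 through 0 run entirely on the NSOperationQueue worker, so a thread-affinity check anywhere along that path (the loader, the IPC connection setup) fires off the main thread. Hopping the completion work to the main thread before calling into the loader keeps the callback thread-agnostic and the loader single-threaded.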
Comment 1 Chris Dumez 2018-06-19 08:39:43 PDT
<rdar://problem/36960714>
Comment 2 Chris Dumez 2018-06-19 08:43:34 PDT
Created attachment 343058 [details]
Patch
Comment 3 Geoffrey Garen 2018-06-19 09:47:08 PDT
Are these failures real?

  js/mozilla/eval/exhaustive-fun-normalcaller-indirect-normalcode.html [ Crash ]
  js/mozilla/eval/exhaustive-fun-strictcaller-indirect-normalcode.html [ Crash ]
  js/mozilla/eval/exhaustive-global-normalcaller-direct-normalcode.html [ Crash ]
  js/mozilla/eval/exhaustive-global-normalcaller-indirect-normalcode.html [ Crash ]
  js/mozilla/eval/exhaustive-global-strictcaller-indirect-normalcode.html [ Crash ]
  js/mozilla/eval/undeclared-name-in-nested-strict-eval.html [ Crash ]
Comment 4 Chris Dumez 2018-06-19 09:47:54 PDT
Comment on attachment 343058 [details]
Patch

Let's wait but I doubt it.
Comment 5 Chris Dumez 2018-06-19 09:49:37 PDT
(In reply to Chris Dumez from comment #4)
> Comment on attachment 343058 [details]
> Patch
> 
> Let's wait but I doubt it.

As I thought, the crashes are happening on the bots:
https://build.webkit.org/results/Apple%20High%20Sierra%20Debug%20WK1%20(Tests)/r232959%20(4297)/results.html
Comment 6 Chris Dumez 2018-06-19 09:50:04 PDT
(In reply to Chris Dumez from comment #5)
> (In reply to Chris Dumez from comment #4)
> > Comment on attachment 343058 [details]
> > Patch
> > 
> > Let's wait but I doubt it.
> 
> As I thought, the crashes are happening on the bots:
> https://build.webkit.org/results/Apple%20High%20Sierra%20Debug%20WK1%20(Tests)/r232959%20(4297)/results.html

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore      	0x00000001068efae0 WTFCrash + 16 (Assertions.cpp:267)
1   com.apple.JavaScriptCore      	0x0000000106a31d46 JSC::JSObject::prepareToPutDirectWithoutTransition(JSC::VM&, JSC::PropertyName, unsigned int, unsigned int, JSC::Structure*)::'lambda'(JSC::GCSafeConcurrentJSLocker const&, int, int)::operator()(JSC::GCSafeConcurrentJSLocker const&, int, int) const + 278 (JSObjectInlines.h:206)
2   com.apple.JavaScriptCore      	0x0000000106a31434 int JSC::Structure::add<(JSC::Structure::ShouldPin)1, JSC::JSObject::prepareToPutDirectWithoutTransition(JSC::VM&, JSC::PropertyName, unsigned int, unsigned int, JSC::Structure*)::'lambda'(JSC::GCSafeConcurrentJSLocker const&, int, int)>(JSC::VM&, JSC::PropertyName, unsigned int, JSC::JSObject::prepareToPutDirectWithoutTransition(JSC::VM&, JSC::PropertyName, unsigned int, unsigned int, JSC::Structure*)::'lambda'(JSC::GCSafeConcurrentJSLocker const&, int, int) const&) + 772 (StructureInlines.h:402)
3   com.apple.JavaScriptCore      	0x0000000106a3111b int JSC::Structure::addPropertyWithoutTransition<JSC::JSObject::prepareToPutDirectWithoutTransition(JSC::VM&, JSC::PropertyName, unsigned int, unsigned int, JSC::Structure*)::'lambda'(JSC::GCSafeConcurrentJSLocker const&, int, int)>(JSC::VM&, JSC::PropertyName, unsigned int, JSC::JSObject::prepareToPutDirectWithoutTransition(JSC::VM&, JSC::PropertyName, unsigned int, unsigned int, JSC::Structure*)::'lambda'(JSC::GCSafeConcurrentJSLocker const&, int, int) const&) + 59 (StructureInlines.h:444)
4   com.apple.JavaScriptCore      	0x0000000106a2fb9a JSC::JSObject::prepareToPutDirectWithoutTransition(JSC::VM&, JSC::PropertyName, unsigned int, unsigned int, JSC::Structure*) + 138 (JSObjectInlines.h:209)
5   com.apple.JavaScriptCore      	0x00000001072ab4c7 bool JSC::JSObject::putDirectInternal<(JSC::JSObject::PutMode)0>(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int, JSC::PutPropertySlot&) + 1111 (JSObjectInlines.h:303)
6   com.apple.JavaScriptCore      	0x0000000107c0359c JSC::JSObject::putInlineSlow(JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 2236 (JSObject.cpp:825)
7   com.apple.JavaScriptCore      	0x00000001072aaeb0 JSC::JSObject::putInlineForJSObject(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 1168 (JSObjectInlines.h:242)
8   com.apple.JavaScriptCore      	0x0000000107bfd245 JSC::JSObject::put(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 69 (JSObject.cpp:755)
9   com.apple.JavaScriptCore      	0x0000000107b91323 JSC::JSGlobalObject::put(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 899 (JSGlobalObject.cpp:1103)
10  com.apple.WebCore             	0x0000000112cf4438 WebCore::JSDOMWindow::put(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) + 568 (JSDOMWindowCustom.cpp:300)
11  com.apple.JavaScriptCore      	0x000000010782f3d7 JSC::Interpreter::execute(JSC::EvalExecutable*, JSC::ExecState*, JSC::JSValue, JSC::JSScope*) + 2775 (Interpreter.cpp:1215)
12  com.apple.JavaScriptCore      	0x0000000107bdc17c JSC::globalFuncEval(JSC::ExecState*) + 1372 (JSGlobalObjectFunctions.cpp:508)
Comment 7 WebKit Commit Bot 2018-06-19 10:12:29 PDT
Comment on attachment 343058 [details]
Patch

Clearing flags on attachment: 343058

Committed r232965: <https://trac.webkit.org/changeset/232965>
Comment 8 WebKit Commit Bot 2018-06-19 10:12:30 PDT
All reviewed patches have been landed.  Closing bug.