Bug 187821 - [ITP] Crash under ResourceLoadStatisticsMemoryStore::removeDataRecords()
Summary: [ITP] Crash under ResourceLoadStatisticsMemoryStore::removeDataRecords()
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit2
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Chris Dumez
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2018-07-19 14:47 PDT by Chris Dumez
Modified: 2018-07-19 20:45 PDT (History)
CC List: 8 users

See Also:


Attachments
Patch (5.11 KB, patch)
2018-07-19 14:53 PDT, Chris Dumez
no flags

Description Chris Dumez 2018-07-19 14:47:20 PDT
Crash under ResourceLoadStatisticsMemoryStore::removeDataRecords():
Thread 0 name:  Dispatch queue: com.apple.main-thread
Thread 0 Crashed:
0   libdispatch.dylib             	0x00000001a451dc3c dispatch_async$VARIANT$armv81 + 208 (inline_internal.h:2596)
1   libdispatch.dylib             	0x00000001a451dba4 dispatch_async$VARIANT$armv81 + 56 (inline_internal.h:2567)
2   JavaScriptCore                	0x00000001ac7c74d4 WTF::WorkQueue::dispatch(WTF::Function<void ()>&&) + 140 (WorkQueueCocoa.cpp:35)
3   WebKit                        	0x00000001b4e8f620 WTF::Function<void (WTF::HashSet<WTF::String, WTF::StringHash, WTF::HashTraits<WTF::String> > const&)>::CallableWrapper<WebKit::ResourceLoadStatisticsMemoryStore::removeDataRecords(WTF::CompletionHandler<void ()>&&)::$_1::operator()()::'lambda'(WTF::HashSet<WTF::String, WTF::StringHash, WTF::HashTraits<WTF::String> > const&)>::call(WTF::HashSet<WTF::String, WTF::StringHash, WTF::HashTraits<WTF::String> > const&) + 172 (ResourceLoadStatisticsMemoryStore.cpp:249)
4   WebKit                        	0x00000001b50498e8 WTF::Function<void (WTF::HashSet<WTF::String, WTF::StringHash, WTF::HashTraits<WTF::String> >)>::operator()(WTF::HashSet<WTF::String, WTF::StringHash, WTF::HashTraits<WTF::String> >) const + 64 (Function.h:56)
5   WebKit                        	0x00000001b50497a8 WTF::Function<void (WTF::HashSet<WTF::String, WTF::StringHash, WTF::HashTraits<WTF::String> >&&)>::CallableWrapper<WebKit::WebProcessProxy::deleteWebsiteDataForTopPrivatelyControlledDomainsInAllPersistentDataStores(WTF::OptionSet<WebKit::WebsiteDataType>, WTF::Vector<WTF::String, 0ul, WTF::CrashOnOverflow, 16ul>&&, bool, WTF::Function<void (WTF::HashSet<WTF::String, WTF::StringHash, WTF::HashTraits<WTF::String> > const&)>&&)::$_1>::call(WTF::HashSet<WTF::String, WTF::StringHash, WTF::HashTraits<WTF::String> >&&) + 224 (WebProcessProxy.cpp:277)
6   JavaScriptCore                	0x00000001ac7aea98 WTF::RunLoop::performWork() + 276 (Function.h:56)
7   JavaScriptCore                	0x00000001ac7aed60 WTF::RunLoop::performWork(void*) + 36 (RunLoopCF.cpp:38)
8   CoreFoundation                	0x00000001a4a9c3cc __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 24 (CFRunLoop.c:1980)
9   CoreFoundation                	0x00000001a4a9c34c __CFRunLoopDoSource0 + 88 (CFRunLoop.c:2015)
10  CoreFoundation                	0x00000001a4a9bc2c __CFRunLoopDoSources0 + 176 (CFRunLoop.c:2051)
11  CoreFoundation                	0x00000001a4a96ad0 __CFRunLoopRun + 1044 (CFRunLoop.c:2922)
12  CoreFoundation                	0x00000001a4a96398 CFRunLoopRunSpecific + 436 (CFRunLoop.c:3247)
13  GraphicsServices              	0x00000001a6d05570 GSEventRunModal + 100 (GSEvent.c:2245)
14  UIKitCore                     	0x00000001d2560f5c UIApplicationMain + 212 (UIApplication.m:4314)
15  SafariViewService             	0x00000001007068bc main + 244 (main.m:60)
16  libdyld.dylib                 	0x00000001a4556ddc start + 4
Comment 1 Chris Dumez 2018-07-19 14:47:33 PDT
<rdar://problem/42112693>
Comment 2 Chris Dumez 2018-07-19 14:53:13 PDT
Created attachment 345384 [details]
Patch
Comment 3 John Wilander 2018-07-19 16:20:13 PDT
Looks good to me. I assume we weren't able to add a test case that caused the crash?
Comment 4 Chris Dumez 2018-07-19 16:42:02 PDT
(In reply to John Wilander from comment #3)
> Looks good to me. I assume we weren't able to add a test case that caused
> the crash?

I assume this code path is exercised on the bots. However, this is racy and to experience the crash, the store would need to get destroyed on the background thread *while* the WebPageProxy operation is going on on the main thread.
Comment 5 David Kilzer (:ddkilzer) 2018-07-19 20:19:02 PDT
Comment on attachment 345384 [details]
Patch

r=me
Comment 6 WebKit Commit Bot 2018-07-19 20:45:05 PDT
Comment on attachment 345384 [details]
Patch

Clearing flags on attachment: 345384

Committed r234020: <https://trac.webkit.org/changeset/234020>
Comment 7 WebKit Commit Bot 2018-07-19 20:45:07 PDT
All reviewed patches have been landed.  Closing bug.