WebKit Bugzilla
New
Browse
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
RESOLVED FIXED
195141
New string formatting triggers crashes in compositing logging code
https://bugs.webkit.org/show_bug.cgi?id=195141
Summary
New string formatting triggers crashes in compositing logging code
Simon Fraser (smfr)
Reported
2019-02-27 20:13:46 PST
When compositing logging is enabled (-WebCoreLogging="Compositing") in the iOS simulator in debug, then the web process crashes: Thread 0 Crashed:: Dispatch queue: com.apple.main-thread 0 libsystem_platform.dylib 0x00000004e0363d09 _platform_memmove$VARIANT$Haswell + 41 1 com.apple.WebCore 0x00000004e99fa637 void WTF::StringImpl::copyCharacters<unsigned char>(unsigned char*, unsigned char const*, unsigned int) + 71 (StringImpl.h:1089) 2 com.apple.WebCore 0x00000004e9bb46a4 void WTF::StringTypeAdapter<WTF::HexNumberBuffer, void>::writeTo<unsigned char>(unsigned char*) const + 68 (HexNumber.h:104) 3 com.apple.WebCore 0x00000004ecb93e7e void WTF::StringTypeAdapter<WTF::PaddingSpecification<WTF::StringTypeAdapter<WTF::HexNumberBuffer, void> >, void>::writeTo<unsigned char>(unsigned char*) const + 174 (StringConcatenate.h:230) 4 com.apple.WebCore 0x00000004ecb92ba4 void WTF::makeStringAccumulator<unsigned char, WTF::StringTypeAdapter<WTF::PaddingSpecification<WTF::StringTypeAdapter<WTF::HexNumberBuffer, void> >, void>, WTF::StringTypeAdapter<char const*, void>, WTF::StringTypeAdapter<unsigned long long, void>, WTF::StringTypeAdapter<char const*, void>, WTF::StringTypeAdapter<WTF::FormattedNumber, void>, WTF::StringTypeAdapter<char, void>, WTF::StringTypeAdapter<WTF::FormattedNumber, void>, WTF::StringTypeAdapter<char, void>, WTF::StringTypeAdapter<WTF::FormattedNumber, void>, WTF::StringTypeAdapter<char, void>, WTF::StringTypeAdapter<WTF::FormattedNumber, void>, WTF::StringTypeAdapter<char const*, void>, WTF::StringTypeAdapter<WTF::FormattedNumber, void>, WTF::StringTypeAdapter<char const*, void> >(unsigned char*, WTF::StringTypeAdapter<WTF::PaddingSpecification<WTF::StringTypeAdapter<WTF::HexNumberBuffer, void> >, void>, WTF::StringTypeAdapter<char const*, void>, WTF::StringTypeAdapter<unsigned long long, void>, WTF::StringTypeAdapter<char const*, void>, WTF::StringTypeAdapter<WTF::FormattedNumber, void>, WTF::StringTypeAdapter<char, void>, WTF::StringTypeAdapter<WTF::FormattedNumber, void>, WTF::StringTypeAdapter<char, void>, WTF::StringTypeAdapter<WTF::FormattedNumber, void>, WTF::StringTypeAdapter<char, void>, WTF::StringTypeAdapter<WTF::FormattedNumber, void>, WTF::StringTypeAdapter<char const*, void>, WTF::StringTypeAdapter<WTF::FormattedNumber, void>, WTF::StringTypeAdapter<char const*, void>) + 164 (StringConcatenate.h:258) 5 com.apple.WebCore 0x00000004ecb92495 WTF::String WTF::tryMakeStringFromAdapters<WTF::StringTypeAdapter<WTF::PaddingSpecification<WTF::StringTypeAdapter<WTF::HexNumberBuffer, void> >, void>, WTF::StringTypeAdapter<char const*, void>, WTF::StringTypeAdapter<unsigned long long, void>, WTF::StringTypeAdapter<char const*, void>, WTF::StringTypeAdapter<WTF::FormattedNumber, void>, WTF::StringTypeAdapter<char, void>, WTF::StringTypeAdapter<WTF::FormattedNumber, void>, WTF::StringTypeAdapter<char, void>, WTF::StringTypeAdapter<WTF::FormattedNumber, void>, WTF::StringTypeAdapter<char, void>, WTF::StringTypeAdapter<WTF::FormattedNumber, void>, WTF::StringTypeAdapter<char const*, void>, WTF::StringTypeAdapter<WTF::FormattedNumber, void>, WTF::StringTypeAdapter<char const*, void> >(WTF::StringTypeAdapter<WTF::PaddingSpecification<WTF::StringTypeAdapter<WTF::HexNumberBuffer, void> >, void>, WTF::StringTypeAdapter<char const*, void>, WTF::StringTypeAdapter<unsigned long long, void>, WTF::StringTypeAdapter<char const*, void>, WTF::StringTypeAdapter<WTF::FormattedNumber, void>, WTF::StringTypeAdapter<char, void>, WTF::StringTypeAdapter<WTF::FormattedNumber, void>, WTF::StringTypeAdapter<char, void>, WTF::StringTypeAdapter<WTF::FormattedNumber, void>, WTF::StringTypeAdapter<char, void>, WTF::StringTypeAdapter<WTF::FormattedNumber, void>, WTF::StringTypeAdapter<char const*, void>, WTF::StringTypeAdapter<WTF::FormattedNumber, void>, WTF::StringTypeAdapter<char const*, void>) + 1685 (StringConcatenate.h:279) 6 com.apple.WebCore 0x00000004ecb91dd8 WTF::String WTF::tryMakeString<WTF::PaddingSpecification<WTF::StringTypeAdapter<WTF::HexNumberBuffer, void> >, char const*, unsigned long long, char const*, WTF::FormattedNumber, char, WTF::FormattedNumber, char, WTF::FormattedNumber, char, WTF::FormattedNumber, char const*, WTF::FormattedNumber, char const*>(WTF::PaddingSpecification<WTF::StringTypeAdapter<WTF::HexNumberBuffer, void> >, char const*, unsigned long long, char const*, WTF::FormattedNumber, char, WTF::FormattedNumber, char, WTF::FormattedNumber, char, WTF::FormattedNumber, char const*, WTF::FormattedNumber, char const*) + 648 (StringConcatenate.h:295) 7 com.apple.WebCore 0x00000004ecb6da61 WTF::String WTF::makeString<WTF::PaddingSpecification<WTF::StringTypeAdapter<WTF::HexNumberBuffer, void> >, char const*, unsigned long long, char const*, WTF::FormattedNumber, char, WTF::FormattedNumber, char, WTF::FormattedNumber, char, WTF::FormattedNumber, char const*, WTF::FormattedNumber, char const*>(WTF::PaddingSpecification<WTF::StringTypeAdapter<WTF::HexNumberBuffer, void> >, char const*, unsigned long long, char const*, WTF::FormattedNumber, char, WTF::FormattedNumber, char, WTF::FormattedNumber, char, WTF::FormattedNumber, char const*, WTF::FormattedNumber, char const*) + 945 (StringConcatenate.h:302) 8 com.apple.WebCore 0x00000004ecb6d013 WebCore::RenderLayerCompositor::logLayerInfo(WebCore::RenderLayer const&, char const*, int) + 1155 (RenderLayerCompositor.cpp:1327) 9 com.apple.WebCore 0x00000004ecb6a05d WebCore::RenderLayerCompositor::updateBackingAndHierarchy(WebCore::RenderLayer&, WTF::Vector<WTF::Ref<WebCore::GraphicsLayer, WTF::DumbPtrTraits<WebCore::GraphicsLayer> >, 0ul, WTF::CrashOnOverflow, 16ul>&, WebCore::ScrollingTreeState&, WTF::OptionSet<WebCore::RenderLayerCompositor::UpdateLevel>, int) + 765 (RenderLayerCompositor.cpp:1202) 10 com.apple.WebCore 0x00000004ecb6a448 WebCore::RenderLayerCompositor::updateBackingAndHierarchy(WebCore::RenderLayer&, WTF::Vector<WTF::Ref<WebCore::GraphicsLayer, WTF::DumbPtrTraits<WebCore::GraphicsLayer> >, 0ul, WTF::CrashOnOverflow, 16ul>&, WebCore::ScrollingTreeState&, WTF::OptionSet<WebCore::RenderLayerCompositor::UpdateLevel>, int) + 1768 (RenderLayerCompositor.cpp:1236) 11 com.apple.WebCore 0x00000004ecb6a448 WebCore::RenderLayerCompositor::updateBackingAndHierarchy(WebCore::RenderLayer&, WTF::Vector<WTF::Ref<WebCore::GraphicsLayer, WTF::DumbPtrTraits<WebCore::GraphicsLayer> >, 0ul, WTF::CrashOnOverflow, 16ul>&, WebCore::ScrollingTreeState&, WTF::OptionSet<WebCore::RenderLayerCompositor::UpdateLevel>, int) + 1768 (RenderLayerCompositor.cpp:1236) 12 com.apple.WebCore 0x00000004ecb3a55c WebCore::RenderLayerCompositor::updateCompositingLayers(WebCore::CompositingUpdateType, WebCore::RenderLayer*) + 2908 (RenderLayerCompositor.cpp:762) Somehow HexNumberBuffer ends up with a bad length: (lldb) fr va m_padding.underlyingAdapter.m_buffer (const WTF::HexNumberBuffer &) m_padding.underlyingAdapter.m_buffer = 0x00007ffeebc8aa80: { characters = (__elems_ = "0.000") length = 631693656 }
Attachments
Add attachment
proposed patch, testcase, etc.
Simon Fraser (smfr)
Comment 1
2019-02-27 20:17:30 PST
It's weird that characters is "0.000" which is obviously one of the other float-formatted strings. The caller is notable in that it takes a lot of Strings things.
Darin Adler
Comment 2
2019-02-27 20:41:17 PST
Looks like a bug in how "pad" combines with "hex". I’ll add unit tests for that, get it working, and re-land the String::format removal patch.
Simon Fraser (smfr)
Comment 3
2019-02-28 11:25:31 PST
My rollout caused storage tests to crash:
https://build.webkit.org/results/Apple%20High%20Sierra%20Debug%20WK1%20(Tests)/r242199%20(8015)/results.html
Do we need to roll out more?
Truitt Savell
Comment 4
2019-03-01 13:58:50 PST
Tracking the crashing tests in
https://bugs.webkit.org/show_bug.cgi?id=195210
Truitt Savell
Comment 5
2019-03-01 16:17:16 PST
I talked with sihui and she found that
https://trac.webkit.org/changeset/242075/webkit
is calling a function from
r242014
and is crashing due to the rollout. Looks like we will need to roll this change out too to resolve the crashing tests.
Darin Adler
Comment 6
2019-03-01 21:47:19 PST
The pad function had an object lifetime bug. Now fixed and checked in. <
https://trac.webkit.org/changeset/242308
> I don’t understand how the other problem was caused by the rollout, so not sure it’s fixed.
Radar WebKit Bug Importer
Comment 7
2019-03-01 21:48:18 PST
<
rdar://problem/48532653
>
Note
You need to
log in
before you can comment on or make changes to this bug.
Top of Page
Format For Printing
XML
Clone This Bug