Bug 198766 - Add assertions to help debug crash at WebKit::HistoryEntryDataEncoder::operator<<
Summary: Add assertions to help debug crash at WebKit::HistoryEntryDataEncoder::operat...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Sihui Liu
URL:
Keywords: InRadar
Depends on:
Blocks:
Reported: 2019-06-11 13:44 PDT by Sihui Liu
Modified: 2019-06-13 11:14 PDT (History)

See Also:


Attachments
Patch (3.11 KB, patch)
2019-06-11 13:46 PDT, Sihui Liu
Patch (3.11 KB, patch)
2019-06-11 14:25 PDT, Sihui Liu
Patch (3.10 KB, patch)
2019-06-12 09:18 PDT, Sihui Liu
Patch for landing (3.18 KB, patch)
2019-06-12 14:54 PDT, Sihui Liu

Description Sihui Liu 2019-06-11 13:44:18 PDT
...
Comment 1 Sihui Liu 2019-06-11 13:46:03 PDT
Created attachment 371874 [details]
Patch
Comment 2 Sihui Liu 2019-06-11 14:25:44 PDT
Created attachment 371879 [details]
Patch
Comment 3 Sihui Liu 2019-06-12 09:18:55 PDT
Created attachment 371968 [details]
Patch
Comment 4 Geoffrey Garen 2019-06-12 11:15:58 PDT
Comment on attachment 371968 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=371968&action=review

r=me

> Source/WebKit/Shared/SessionState.h:116
> +    bool isDestructed { false };
> +    ~FrameState() { isDestructed = true; }
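Review bot: the flag set in `~FrameState()` can only be observed by a later check that reads a member of an already-destroyed object, so it is a best-effort tripwire: it fires while the freed memory still holds the value and gives no signal, or a misleading one, once the allocator reuses or poisons that memory. The comment on these two lines should state that limitation and that the field is temporary, to be removed once the crash is understood; a name such as `isDestructedForDebugging` would make that intent obvious wherever the flag is checked.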

This probably deserves a comment that it's only here to help debug an undiagnosed bug, with a Bugzilla or Radar link.
Comment 5 Sihui Liu 2019-06-12 14:54:17 PDT
Created attachment 371990 [details]
Patch for landing
Comment 6 WebKit Commit Bot 2019-06-12 15:36:37 PDT
Comment on attachment 371990 [details]
Patch for landing

Clearing flags on attachment: 371990

Committed r246382: <https://trac.webkit.org/changeset/246382>
Comment 7 WebKit Commit Bot 2019-06-12 15:36:38 PDT
All reviewed patches have been landed.  Closing bug.
Comment 8 Radar WebKit Bug Importer 2019-06-12 15:39:17 PDT
<rdar://problem/51686085>
Comment 9 Darin Adler 2019-06-13 09:22:34 PDT
Comment on attachment 371990 [details]
Patch for landing

View in context: https://bugs.webkit.org/attachment.cgi?id=371990&action=review

> Source/WebKit/UIProcess/API/C/WKPage.cpp:485
> +    auto data = encodeLegacySessionState(sessionState);
>      if (shouldReturnData)
> -        return toAPI(encodeLegacySessionState(sessionState).leakRef());
> +        return toAPI(data.leakRef());
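Review bot: `encodeLegacySessionState(sessionState)` now runs unconditionally, so callers that pass `shouldReturnData` as false pay for an encode whose result `data` is discarded. If the early call is deliberate as a diagnostic, so that a bad `sessionState` faults here rather than in a later `WKSessionStateCopyData`, a comment at the `auto data = ...` line and the ChangeLog should say so and mark the extra work for removal once the crash is diagnosed; otherwise keep the encode inside the `if` as before.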

This isn’t adding an assertion. This is refactoring that causes us to do additional work when shouldReturnData is false. Nothing in the change log makes it clear why this is a desirable change.
Comment 10 Sihui Liu 2019-06-13 11:14:41 PDT
Comment on attachment 371990 [details]
Patch for landing

View in context: https://bugs.webkit.org/attachment.cgi?id=371990&action=review

>> Source/WebKit/UIProcess/API/C/WKPage.cpp:485
>> +        return toAPI(data.leakRef());
> 
> This isn’t adding an assertion. This is refactoring that causes us to do additional work when shouldReturnData is false. Nothing in the change log makes it clear why this is a desirable change.

Right, adding some explanation here for reference.

Previously, the crash traces told us:
WKPageCopySessionState returns WKSessionStateRef => Some pointer casts by user => WKSessionStateCopyData(WKSessionStateRef) -> encodeLegacySessionState(sessionState) [Crash]

Now:
WKPageCopySessionState [try encodeLegacySessionState(sessionState)] returns WKSessionStateRef => pointer casts => WKSessionStateCopyData(WKSessionStateRef) -> encodeLegacySessionState(sessionState)

If we start to see crashes in WKPageCopySessionState after this change, we can confirm sessionState is bad before the casts.