Bug 199680 - Crash under IPC::Connection::waitForMessage()
Summary: Crash under IPC::Connection::waitForMessage()
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit2
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Chris Dumez
URL:
Keywords: InRadar
Duplicates: 199205
Depends on:
Blocks:
 
Reported: 2019-07-10 12:45 PDT by Chris Dumez
Modified: 2019-07-16 01:06 PDT

See Also:


Attachments
Patch (4.32 KB, patch)
2019-07-10 12:53 PDT, Chris Dumez

Description Chris Dumez 2019-07-10 12:45:23 PDT
Crash under IPC::Connection::waitForMessage():
Thread[0] EXC_BAD_ACCESS (SIGSEGV) (KERN_INVALID_ADDRESS at 0x0000000000000030)
[  0] 0x00007fff44ccc8f4 WebKit`IPC::Connection::waitForMessage(IPC::StringReference, IPC::StringReference, unsigned long long, WTF::Seconds, WTF::OptionSet<IPC::WaitForOption>) [inlined] std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >::operator bool() const at memory:2637:19

     0x00007fff44ccc8e2: cmpxchgb %r14b, (%r13)
     0x00007fff44ccc8e7:      jne 0x848b4              ; <+698> [inlined] WTF::Lock::lock() at __mutex_base:131
     0x00007fff44ccc8e9:     movq -0x30(%rbp), %rdx
     0x00007fff44ccc8ed:     movq 0xe8(%rdx), %rax
 ->  0x00007fff44ccc8f4:     movq 0x30(%rax), %rcx
     0x00007fff44ccc8f8:    testq %rcx, %rcx
     0x00007fff44ccc8fb:       je 0x84913              ; <+793> at memory
     0x00007fff44ccc8fd:     movq $0x0, 0x30(%rax)
     0x00007fff44ccc905:     movq -0x40(%rbp), %rax

[  0] 0x00007fff44ccc8f4 WebKit`IPC::Connection::waitForMessage(IPC::StringReference, IPC::StringReference, unsigned long long, WTF::Seconds, WTF::OptionSet<IPC::WaitForOption>) + 762 at Connection.cpp:520
       516 	        SyncMessageState::singleton().dispatchMessages(nullptr);
       517 	
       518 	        std::unique_lock<Lock> lock(m_waitForMessageMutex);
       519 	
    -> 520 	        if (m_waitingForMessage->decoder) {
       521 	            auto decoder = WTFMove(m_waitingForMessage->decoder);
       522 	            m_waitingForMessage = nullptr;
       523 	            return decoder;
       524 	        }
    
[  1] 0x00007fff44fa4141 WebKit`WebKit::TiledCoreAnimationDrawingAreaProxy::waitForDidUpdateActivityState(unsigned long long) [inlined] bool IPC::Connection::waitForAndDispatchImmediately<Messages::WebPageProxy::DidUpdateActivityState>(unsigned long long, WTF::Seconds, WTF::OptionSet<IPC::WaitForOption>) + 59 at Connection.h:543:40
       539 	}
       540 	
       541 	template<typename T> bool Connection::waitForAndDispatchImmediately(uint64_t destinationID, Seconds timeout, OptionSet<WaitForOption> waitForOptions)
       542 	{
    -> 543 	    std::unique_ptr<Decoder> decoder = waitForMessage(T::receiverName(), T::name(), destinationID, timeout, waitForOptions);
       544 	    if (!decoder)
       545 	        return false;
       546 	
       547 	    ASSERT(decoder->destinationID() == destinationID);
    
[  1] 0x00007fff44fa4106 WebKit`WebKit::TiledCoreAnimationDrawingAreaProxy::waitForDidUpdateActivityState(unsigned long long) [inlined] bool IPC::Connection::waitForAndDispatchImmediately<Messages::WebPageProxy::DidUpdateActivityState, WebCore::PageIdentifierType>(WTF::ObjectIdentifier<WebCore::PageIdentifierType>, WTF::Seconds, WTF::OptionSet<IPC::WaitForOption>) at Connection.h:217
       213 	    
       214 	    template<typename T, typename U>
       215 	    bool waitForAndDispatchImmediately(ObjectIdentifier<U> destinationID, Seconds timeout, OptionSet<WaitForOption> waitForOptions = { })
       216 	    {
    -> 217 	        return waitForAndDispatchImmediately<T>(destinationID.toUInt64(), timeout, waitForOptions);
       218 	    }
       219 	
       220 	    bool sendMessage(std::unique_ptr<Encoder>, OptionSet<SendOption> sendOptions);
       221 	    void sendMessageWithReply(uint64_t requestID, std::unique_ptr<Encoder>, FunctionDispatcher& replyDispatcher, Function<void(std::unique_ptr<Decoder>)>&& replyHandler);
    
[  1] 0x00007fff44fa4106 WebKit`WebKit::TiledCoreAnimationDrawingAreaProxy::waitForDidUpdateActivityState(unsigned long long) + 30 at TiledCoreAnimationDrawingAreaProxy.mm:125
       121 	
       122 	void TiledCoreAnimationDrawingAreaProxy::waitForDidUpdateActivityState(ActivityStateChangeID)
       123 	{
       124 	    Seconds activityStateUpdateTimeout = Seconds::fromMilliseconds(250);
    -> 125 	    process().connection()->waitForAndDispatchImmediately<Messages::WebPageProxy::DidUpdateActivityState>(m_webPageProxy.pageID(), activityStateUpdateTimeout, IPC::WaitForOption::InterruptWaitingIfSyncMessageArrives);
       126 	}
       127 	
       128 	void TiledCoreAnimationDrawingAreaProxy::willSendUpdateGeometry()
       129 	{
    
[  2] 0x00007fff44f2f8e8 WebKit`WebKit::WebPageProxy::dispatchActivityStateChange() [inlined] WebKit::WebPageProxy::waitForDidUpdateActivityState(unsigned long long) + 72 at WebPageProxy.cpp:1883:20
       1879	#endif
       1880	
       1881	    m_waitingForDidUpdateActivityState = true;
       1882	
    -> 1883	    m_drawingArea->waitForDidUpdateActivityState(activityStateChangeID);
       1884	}
       1885	
       1886	IntSize WebPageProxy::viewSize() const
       1887	{
Comment 1 Chris Dumez 2019-07-10 12:45:37 PDT
<rdar://problem/52500561>
Comment 2 Chris Dumez 2019-07-10 12:53:12 PDT
Created attachment 373858 [details]
Patch
Comment 3 Tim Horton 2019-07-10 13:02:56 PDT
Comment on attachment 373858 [details]
Patch

This will be ... interesting ... in the case of things that waitForAndDispatchImmediately with an infinite timeout, but ok.
Comment 4 WebKit Commit Bot 2019-07-10 13:10:55 PDT
Comment on attachment 373858 [details]
Patch

Clearing flags on attachment: 373858

Committed r247322: <https://trac.webkit.org/changeset/247322>
Comment 5 WebKit Commit Bot 2019-07-10 13:10:57 PDT
All reviewed patches have been landed.  Closing bug.
Comment 6 Carlos Garcia Campos 2019-07-16 01:06:46 PDT
*** Bug 199205 has been marked as a duplicate of this bug. ***