WebKit Bugzilla
Bug 199680 - Crash under IPC::Connection::waitForMessage()
Status: RESOLVED FIXED
URL: https://bugs.webkit.org/show_bug.cgi?id=199680
Reported by Chris Dumez, 2019-07-10 12:45:23 PDT
Crash under IPC::Connection::waitForMessage():

Thread[0] EXC_BAD_ACCESS (SIGSEGV) (KERN_INVALID_ADDRESS at 0x0000000000000030)

[ 0] 0x00007fff44ccc8f4 WebKit`IPC::Connection::waitForMessage(IPC::StringReference, IPC::StringReference, unsigned long long, WTF::Seconds, WTF::OptionSet<IPC::WaitForOption>) [inlined] std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >::operator bool() const at memory:2637:19
        0x00007fff44ccc8e2: cmpxchgb %r14b, (%r13)
        0x00007fff44ccc8e7: jne 0x848b4 ; <+698> [inlined] WTF::Lock::lock() at __mutex_base:131
        0x00007fff44ccc8e9: movq -0x30(%rbp), %rdx
        0x00007fff44ccc8ed: movq 0xe8(%rdx), %rax
     -> 0x00007fff44ccc8f4: movq 0x30(%rax), %rcx
        0x00007fff44ccc8f8: testq %rcx, %rcx
        0x00007fff44ccc8fb: je 0x84913 ; <+793> at memory
        0x00007fff44ccc8fd: movq $0x0, 0x30(%rax)
        0x00007fff44ccc905: movq -0x40(%rbp), %rax

[ 0] 0x00007fff44ccc8f4 WebKit`IPC::Connection::waitForMessage(IPC::StringReference, IPC::StringReference, unsigned long long, WTF::Seconds, WTF::OptionSet<IPC::WaitForOption>) + 762 at Connection.cpp:520
        516     SyncMessageState::singleton().dispatchMessages(nullptr);
        517 
        518     std::unique_lock<Lock> lock(m_waitForMessageMutex);
        519 
     -> 520     if (m_waitingForMessage->decoder) {
        521         auto decoder = WTFMove(m_waitingForMessage->decoder);
        522         m_waitingForMessage = nullptr;
        523         return decoder;
        524     }

[ 1] 0x00007fff44fa4141 WebKit`WebKit::TiledCoreAnimationDrawingAreaProxy::waitForDidUpdateActivityState(unsigned long long) [inlined] bool IPC::Connection::waitForAndDispatchImmediately<Messages::WebPageProxy::DidUpdateActivityState>(unsigned long long, WTF::Seconds, WTF::OptionSet<IPC::WaitForOption>) + 59 at Connection.h:543:40
        539 }
        540 
        541 template<typename T> bool Connection::waitForAndDispatchImmediately(uint64_t destinationID, Seconds timeout, OptionSet<WaitForOption> waitForOptions)
        542 {
     -> 543     std::unique_ptr<Decoder> decoder = waitForMessage(T::receiverName(), T::name(), destinationID, timeout, waitForOptions);
        544     if (!decoder)
        545         return false;
        546 
        547     ASSERT(decoder->destinationID() == destinationID);

[ 1] 0x00007fff44fa4106 WebKit`WebKit::TiledCoreAnimationDrawingAreaProxy::waitForDidUpdateActivityState(unsigned long long) [inlined] bool IPC::Connection::waitForAndDispatchImmediately<Messages::WebPageProxy::DidUpdateActivityState, WebCore::PageIdentifierType>(WTF::ObjectIdentifier<WebCore::PageIdentifierType>, WTF::Seconds, WTF::OptionSet<IPC::WaitForOption>) at Connection.h:217
        213 
        214     template<typename T, typename U>
        215     bool waitForAndDispatchImmediately(ObjectIdentifier<U> destinationID, Seconds timeout, OptionSet<WaitForOption> waitForOptions = { })
        216     {
     -> 217         return waitForAndDispatchImmediately<T>(destinationID.toUInt64(), timeout, waitForOptions);
        218     }
        219 
        220     bool sendMessage(std::unique_ptr<Encoder>, OptionSet<SendOption> sendOptions);
        221     void sendMessageWithReply(uint64_t requestID, std::unique_ptr<Encoder>, FunctionDispatcher& replyDispatcher, Function<void(std::unique_ptr<Decoder>)>&& replyHandler);

[ 1] 0x00007fff44fa4106 WebKit`WebKit::TiledCoreAnimationDrawingAreaProxy::waitForDidUpdateActivityState(unsigned long long) + 30 at TiledCoreAnimationDrawingAreaProxy.mm:125
        121 
        122 void TiledCoreAnimationDrawingAreaProxy::waitForDidUpdateActivityState(ActivityStateChangeID)
        123 {
        124     Seconds activityStateUpdateTimeout = Seconds::fromMilliseconds(250);
     -> 125     process().connection()->waitForAndDispatchImmediately<Messages::WebPageProxy::DidUpdateActivityState>(m_webPageProxy.pageID(), activityStateUpdateTimeout, IPC::WaitForOption::InterruptWaitingIfSyncMessageArrives);
        126 }
        127 
        128 void TiledCoreAnimationDrawingAreaProxy::willSendUpdateGeometry()
        129 {

[ 2] 0x00007fff44f2f8e8 WebKit`WebKit::WebPageProxy::dispatchActivityStateChange() [inlined] WebKit::WebPageProxy::waitForDidUpdateActivityState(unsigned long long) + 72 at WebPageProxy.cpp:1883:20
        1879 #endif
        1880 
        1881     m_waitingForDidUpdateActivityState = true;
        1882 
     -> 1883     m_drawingArea->waitForDidUpdateActivityState(activityStateChangeID);
        1884 }
        1885 
        1886 IntSize WebPageProxy::viewSize() const
        1887 {
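The fault address in the report is 0x30, and the crashing instruction loads `0x30(%rax)` right after `%rax` was loaded from the connection's `m_waitingForMessage` slot; that is the signature of a null wait-record pointer being dereferenced at the `decoder` member's offset, i.e. the record was cleared while the waiter slept and `Connection.cpp:520` re-read it under the lock without a null check. The block below is an added illustration of that wait/cancel pattern, written for this page. It is not WebKit code and not the patch attached to this bug (whose contents are not shown here); the `Connection`, `WaitForMessageState`, `Decoder`, `deliver` and `cancelWait` names and the condition-variable design are all assumptions modelled on the names in the trace.

```cpp
// Added illustration of the crash pattern in the report above. Not WebKit
// code and not the attached patch; all names and the design are invented.
#include <chrono>
#include <condition_variable>
#include <memory>
#include <mutex>
#include <string>
#include <thread>

// Stand-in for IPC::Decoder: just carries a message name.
struct Decoder {
    std::string name;
};

// Stand-in for the per-wait record that the connection points at while a
// wait is in flight. In the report, `decoder` sits at offset 0x30 of the
// real record, which is why a null record pointer faults at address 0x30.
struct WaitForMessageState {
    std::string receiverName;
    std::string messageName;
    std::unique_ptr<Decoder> decoder;
};

class Connection {
public:
    // Waits up to `timeout` for a message with the given names. Returns
    // nullptr on timeout or when the wait was cancelled meanwhile.
    std::unique_ptr<Decoder> waitForMessage(const std::string& receiverName,
                                            const std::string& messageName,
                                            std::chrono::milliseconds timeout)
    {
        WaitForMessageState state { receiverName, messageName, nullptr };
        std::unique_lock<std::mutex> lock(m_waitForMessageMutex);
        m_waitingForMessage = &state;

        // Sleep until the message arrives, the wait is cancelled, or we time out.
        m_waitForMessageCondition.wait_for(lock, timeout, [this] {
            return !m_waitingForMessage || m_waitingForMessage->decoder;
        });

        // The crashing line in the report dereferenced the record pointer here
        // without this test. Another thread may have cleared it while we slept.
        if (!m_waitingForMessage)
            return nullptr;

        auto decoder = std::move(m_waitingForMessage->decoder);
        m_waitingForMessage = nullptr; // never leave a pointer to our stack record
        return decoder;
    }

    // Receiving side: hands the decoder to a waiter expecting this message.
    bool deliver(std::unique_ptr<Decoder> decoder)
    {
        std::lock_guard<std::mutex> lock(m_waitForMessageMutex);
        if (!m_waitingForMessage || m_waitingForMessage->messageName != decoder->name)
            return false;
        m_waitingForMessage->decoder = std::move(decoder);
        m_waitForMessageCondition.notify_one();
        return true;
    }

    // Cancels an in-flight wait (for example during teardown). Afterwards the
    // record pointer is null, the state frame 0 of the report ran into.
    void cancelWait()
    {
        std::lock_guard<std::mutex> lock(m_waitForMessageMutex);
        m_waitingForMessage = nullptr;
        m_waitForMessageCondition.notify_one();
    }

private:
    std::mutex m_waitForMessageMutex;
    std::condition_variable m_waitForMessageCondition;
    WaitForMessageState* m_waitingForMessage { nullptr };
};

// Scenario 1 (constructed): the message arrives while we wait; returns its name.
std::string scenarioDelivered()
{
    Connection connection;
    std::thread sender([&] {
        // Retry until the waiter has registered its record.
        while (!connection.deliver(std::make_unique<Decoder>(Decoder { "DidUpdateActivityState" })))
            std::this_thread::sleep_for(std::chrono::milliseconds(1));
    });
    auto decoder = connection.waitForMessage("WebPageProxy", "DidUpdateActivityState",
                                             std::chrono::milliseconds(2000));
    sender.join();
    return decoder ? decoder->name : "";
}

// Scenario 2 (constructed): the wait is cancelled while we sleep. With the
// null check the waiter returns nullptr instead of faulting at offset 0x30.
bool scenarioCancelledReturnsNull()
{
    Connection connection;
    std::thread canceller([&] {
        std::this_thread::sleep_for(std::chrono::milliseconds(20));
        connection.cancelWait();
    });
    auto decoder = connection.waitForMessage("WebPageProxy", "DidUpdateActivityState",
                                             std::chrono::milliseconds(2000));
    canceller.join();
    return decoder == nullptr;
}
```

The defensive point is the re-check after the blocking wait: any pointer that another thread is allowed to clear under the same lock has to be re-validated every time the lock is reacquired, and the waiter should also reset it itself before returning so no stale pointer to a stack-allocated record survives the call.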
Attachments:
Patch (4.32 KB, patch), 2019-07-10 12:53 PDT, Chris Dumez, no flags
Chris Dumez, Comment 1, 2019-07-10 12:45:37 PDT
<rdar://problem/52500561>
Chris Dumez, Comment 2, 2019-07-10 12:53:12 PDT
Created attachment 373858 [details]: Patch
Tim Horton, Comment 3, 2019-07-10 13:02:56 PDT
Comment on attachment 373858 [details]: Patch
This will be ... interesting ... in the case of things that waitForAndDispatchImmediately with an infinite timeout, but ok.
WebKit Commit Bot, Comment 4, 2019-07-10 13:10:55 PDT
Comment on attachment 373858 [details]: Patch
Clearing flags on attachment: 373858
Committed r247322: <https://trac.webkit.org/changeset/247322>
WebKit Commit Bot, Comment 5, 2019-07-10 13:10:57 PDT
All reviewed patches have been landed. Closing bug.
Carlos Garcia Campos, Comment 6, 2019-07-16 01:06:46 PDT
*** Bug 199205 has been marked as a duplicate of this bug. ***