Bug 200378 - [Curl] Crash while destructing a URL in ~SocketStreamHandle due to data race
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Platform
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Fujii Hironori
Keywords: InRadar
Duplicates: 200266
Reported: 2019-08-01 20:19 PDT by Fujii Hironori
Modified: 2019-08-04 18:43 PDT
6 users

Attachments
CrashLog_45dc_2019-08-02_12-10-23-628.txt (90.24 KB, text/plain)
2019-08-01 20:25 PDT, Fujii Hironori
Patch (3.17 KB, patch)
2019-08-01 21:04 PDT, Fujii Hironori

Description Fujii Hironori 2019-08-01 20:19:55 PDT
[Curl] double free of URL in ~SocketStreamHandle

python ./Tools/Scripts/run-webkit-tests --debug --wincairo --no-new-test-results --fully-parallel --iterations=50 http/tests/websocket/tests/hybi

>    Frame[00]  Triage Symbol: [ntdll!RtlReportFatalFailure+0x9]
>    Frame[01]  Ignore Symbol: [ntdll!RtlReportCriticalFailure+0x97]
>    Frame[02]  Ignore Symbol: [ntdll!RtlpHeapHandleError+0x12]
>    Frame[03]  Triage Symbol: [ntdll!RtlpHpHeapHandleError+0x7a]
>    Frame[04]  Ignore Symbol: [ntdll!RtlpLogHeapFailure+0x45]
>    Frame[05]  Triage Symbol: [ntdll!RtlpFreeHeapInternal+0x80d]
>    Frame[06]  Ignore Symbol: [ntdll!RtlFreeHeap+0x51]
>    Frame[07]  Triage Symbol: [ucrtbase!_free_base+0x1b]
>    Frame[08]  Ignore Symbol: [WTF!WTF::fastFree+0x14]
>    Frame[09]  Triage Symbol: [WTF!WTF::StringImpl::destroy+0x1d]
>    Frame[0a]  Triage Symbol: [WTF!WTF::StringImpl::deref+0x31]
>    Frame[0b]  Triage Symbol: [WTF!WTF::derefIfNotNull<WTF::StringImpl>+0x1f]
>    Frame[0c]  Triage Symbol: [WTF!WTF::RefPtr<WTF::StringImpl,WTF::DumbPtrTraits<WTF::StringImpl> >::~RefPtr+0x38]
>    Frame[0d]  Triage Symbol: [WTF!WTF::String::~String+0x13]
>    Frame[0e]  Triage Symbol: [WTF!WTF::URL::~URL+0x13]
>    Frame[0f]  Triage Symbol: [WebKit2!WebCore::SocketStreamHandle::~SocketStreamHandle+0x22]
>    Frame[10]  Triage Symbol: [WebKit2!WebCore::SocketStreamHandleImpl::~SocketStreamHandleImpl+0xba]
>    Frame[11]  Triage Symbol: [WebKit2!WebCore::SocketStreamHandleImpl::~SocketStreamHandleImpl+0x2c]
>    Frame[12]  Triage Symbol: [WebKit2!WTF::ThreadSafeRefCounted<WebCore::SocketStreamHandle,WTF::DestructionThread::Main>::deref::<unnamed-tag>::operator+0x41]
>    Frame[13]  Triage Symbol: [WebKit2!WTF::ThreadSafeRefCounted<WebCore::SocketStreamHandle,WTF::DestructionThread::Main>::deref+0x8f]
>    Frame[14]  Triage Symbol: [WebKit2!WTF::Ref<WebCore::SocketStreamHandleImpl,WTF::DumbPtrTraits<WebCore::SocketStreamHandleImpl> >::~Ref+0x33]
>    Frame[15]  Triage Symbol: [WebKit2!WebKit::NetworkSocketStream::~NetworkSocketStream+0x49]
>    Frame[16]  Triage Symbol: [WebKit2!WebKit::NetworkSocketStream::~NetworkSocketStream+0x2c]
>    Frame[17]  Triage Symbol: [WebKit2!WTF::RefCounted<WebKit::NetworkSocketStream>::deref+0x60]
>    Frame[18]  Triage Symbol: [WebKit2!WTF::derefIfNotNull<WebKit::NetworkSocketStream>+0x26]
>    Frame[19]  Triage Symbol: [WebKit2!WTF::RefPtr<WebKit::NetworkSocketStream,WTF::DumbPtrTraits<WebKit::NetworkSocketStream> >::~RefPtr+0x38]
>    Frame[1a]  Triage Symbol: [WebKit2!WTF::KeyValuePairHashTraits<WTF::HashTraits<unsigned long long>,WTF::HashTraits<WTF::RefPtr<WebKit::NetworkSocketStream,WTF::DumbPtrTraits<WebKit::NetworkSocketStream> > > >::customDeleteBucket+0x21]
>    Frame[1b]  Triage Symbol: [WebKit2!WTF::hashTraitsDeleteBucket<WTF::HashMap<unsigned long long,WTF::RefPtr<WebKit::NetworkSocketStream,WTF::DumbPtrTraits<WebKit::NetworkSocketStream> >,WTF::IntHash<unsigned long long>,WTF::HashTraits<unsigned long long>,WTF::HashTraits<WTF::RefPtr<WebKit::Netw+0x13]
>    Frame[1c]  Triage Symbol: [WebKit2!WTF::HashTable<unsigned long long,WTF::KeyValuePair<unsigned long long,WTF::RefPtr<WebKit::NetworkSocketStream,WTF::DumbPtrTraits<WebKit::NetworkSocketStream> > >,WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<unsigned long long,WTF::RefPtr<WebKit::NetworkSo+0x13]
>    Frame[1d]  Triage Symbol: [WebKit2!WTF::HashTable<unsigned long long,WTF::KeyValuePair<unsigned long long,WTF::RefPtr<WebKit::NetworkSocketStream,WTF::DumbPtrTraits<WebKit::NetworkSocketStream> > >,WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<unsigned long long,WTF::RefPtr<WebKit::NetworkSo+0x25]
>    Frame[1e]  Triage Symbol: [WebKit2!WTF::HashTable<unsigned long long,WTF::KeyValuePair<unsigned long long,WTF::RefPtr<WebKit::NetworkSocketStream,WTF::DumbPtrTraits<WebKit::NetworkSocketStream> > >,WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<unsigned long long,WTF::RefPtr<WebKit::NetworkSo+0x2c]
>    Frame[1f]  Triage Symbol: [WebKit2!WTF::HashTable<unsigned long long,WTF::KeyValuePair<unsigned long long,WTF::RefPtr<WebKit::NetworkSocketStream,WTF::DumbPtrTraits<WebKit::NetworkSocketStream> > >,WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<unsigned long long,WTF::RefPtr<WebKit::NetworkSo+0x84]
>    Frame[20]  Triage Symbol: [WebKit2!WTF::HashMap<unsigned long long,WTF::RefPtr<WebKit::NetworkSocketStream,WTF::DumbPtrTraits<WebKit::NetworkSocketStream> >,WTF::IntHash<unsigned long long>,WTF::HashTraits<unsigned long long>,WTF::HashTraits<WTF::RefPtr<WebKit::NetworkSocketStream,WTF::DumbPtr+0xae]
>    Frame[21]  Triage Symbol: [WebKit2!WTF::HashMap<unsigned long long,WTF::RefPtr<WebKit::NetworkSocketStream,WTF::DumbPtrTraits<WebKit::NetworkSocketStream> >,WTF::IntHash<unsigned long long>,WTF::HashTraits<unsigned long long>,WTF::HashTraits<WTF::RefPtr<WebKit::NetworkSocketStream,WTF::DumbPtr+0x48]
>    Frame[22]  Triage Symbol: [WebKit2!WebKit::NetworkConnectionToWebProcess::didReceiveMessage+0x342]
>    Frame[23]  Triage Symbol: [WebKit2!IPC::Connection::dispatchMessage+0x226]
>    Frame[24]  Triage Symbol: [WebKit2!IPC::Connection::dispatchMessage+0x295]
>    Frame[25]  Triage Symbol: [WebKit2!IPC::Connection::dispatchOneIncomingMessage+0x11d]
>    Frame[26]  Triage Symbol: [WebKit2!IPC::Connection::enqueueIncomingMessage::<unnamed-tag>::operator+0x5c]
>    Frame[27]  Triage Symbol: [WebKit2!WTF::Detail::CallableWrapper<`lambda at ..\..\Source\WebKit\Platform\IPC\Connection.cpp:974:30',void>::call+0x17]
>    Frame[28]  Triage Symbol: [WTF!WTF::Function<void +0x90]
>    Frame[29]  Triage Symbol: [WTF!WTF::RunLoop::performWork+0x126]
>    Frame[2a]  Ignore Symbol: [WTF!WTF::RunLoop::wndProc+0x75]
>    Frame[2b]  Ignore Symbol: [WTF!WTF::RunLoop::RunLoopWndProc+0x59]
>    Frame[2c]  Triage Symbol: [USER32!UserCallWinProcCheckWow+0x2bd]
>    Frame[2d]  Triage Symbol: [USER32!DispatchMessageWorker+0x1e2]
>    Frame[2e]  Triage Symbol: [WTF!WTF::RunLoop::run+0x63]
>    Frame[2f]  Triage Symbol: [WebKit2!WebKit::AuxiliaryProcessMain<WebKit::NetworkProcess,WebKit::AuxiliaryProcessMainBase>+0xa5]
>    Frame[30]  Triage Symbol: [WebKit2!WebKit::NetworkProcessMainWin+0x1b]
>    Frame[31]  Triage Symbol: [WebKitNetworkProcess!main+0x1c]
>    Frame[32]  Triage Symbol: [WebKitNetworkProcess!__scrt_common_main_seh+0x10c]
>    Frame[33]  Triage Symbol: [KERNEL32!BaseThreadInitThunk+0x14]
>    Frame[34]  Triage Symbol: [ntdll!RtlUserThreadStart+0x21]
Comment 1 Fujii Hironori 2019-08-01 20:21:10 PDT
URL::isolatedCopy() is called in the worker thread. It should be called in the main thread.
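Added example, not WebKit code: a C++ model of the ordering Comment 1 calls for, with copyOnWorkerIsDetected showing the buggy shape (the worker copies the main thread's URL itself) and copyOnOwnerThenHandOff the fixed one (isolate on the owning thread, then move the copy to the worker). It assumes hypothetical stand-ins ThreadBoundString and StringImplModel for WTF::String/StringImpl (whose refcount is not atomic) and an owner-thread check that is an added debug aid rather than anything WTF::String does, so the cross-thread isolatedCopy() fails deterministically instead of as an intermittent double free; the ws:// URL is a constructed sample.

```cpp
#include <stdexcept>
#include <string>
#include <thread>
#include <utility>
// Hypothetical stand-in for WTF::StringImpl: refcount is non-atomic (as in
// WebKit), so one thread at a time may touch it. `owner` is an added debug aid.
struct StringImplModel {
    std::string bytes;
    unsigned refCount = 1;
    std::thread::id owner;  // default id = not yet adopted by any thread
};
class ThreadBoundString {
public:
    // Default argument is evaluated at the call site: a fresh string belongs to
    // the thread that created it unless an explicit (empty) owner is passed.
    explicit ThreadBoundString(std::string s, std::thread::id owner = std::this_thread::get_id())
        : m_impl(new StringImplModel{std::move(s), 1, owner}) {}
    ThreadBoundString(const ThreadBoundString& o) : m_impl(o.m_impl) { touch(); ++m_impl->refCount; }
    ThreadBoundString(ThreadBoundString&& o) noexcept : m_impl(o.m_impl) { o.m_impl = nullptr; }
    ~ThreadBoundString() { if (m_impl) { touch(); if (--m_impl->refCount == 0) delete m_impl; } }
    // Deep copy with its own impl, bound to no thread yet: the first thread to
    // touch it (normally the receiver) becomes its sole owner.
    ThreadBoundString isolatedCopy() const {
        touch();
        return ThreadBoundString(m_impl->bytes, std::thread::id());
    }
    const std::string& str() const { return m_impl->bytes; }
private:
    // Debug assertion: refcount traffic from a non-owning thread is the race
    // behind the double free in this report.
    void touch() const {
        const auto me = std::this_thread::get_id();
        if (m_impl->owner == std::thread::id()) m_impl->owner = me;
        else if (m_impl->owner != me) throw std::logic_error("cross-thread String access");
    }
    StringImplModel* m_impl;
};
// Buggy shape (Comment 1): the worker copies the main thread's URL itself.
bool copyOnWorkerIsDetected(const ThreadBoundString& url) {
    bool detected = false;
    std::thread([&] {
        try { url.isolatedCopy(); }
        catch (const std::logic_error&) { detected = true; }
    }).join();
    return detected;
}
// Fixed shape: isolate on the owning thread, then move the copy to the worker,
// which becomes its sole owner and destroys it without touching the original.
std::string copyOnOwnerThenHandOff(const ThreadBoundString& url) {
    std::string seen;
    ThreadBoundString copy = url.isolatedCopy();  // still on the caller's thread
    std::thread([&seen, c = std::move(copy)] { seen = c.str(); }).join();
    return seen;
}
```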
Comment 2 Fujii Hironori 2019-08-01 20:25:48 PDT
Created attachment 375385 [details]
CrashLog_45dc_2019-08-02_12-10-23-628.txt
Comment 3 Fujii Hironori 2019-08-01 21:04:41 PDT
Created attachment 375391 [details]
Patch
Comment 4 WebKit Commit Bot 2019-08-02 14:32:17 PDT
Comment on attachment 375391 [details]
Patch

Clearing flags on attachment: 375391

Committed r248182: <https://trac.webkit.org/changeset/248182>
Comment 5 WebKit Commit Bot 2019-08-02 14:32:18 PDT
All reviewed patches have been landed.  Closing bug.
Comment 6 Radar WebKit Bug Importer 2019-08-02 14:33:21 PDT
<rdar://problem/53880042>
Comment 7 Fujii Hironori 2019-08-04 18:43:59 PDT
*** Bug 200266 has been marked as a duplicate of this bug. ***