Bug 203341 - WebBackForwardCache::removeEntriesMatching() may re-enter and crash
Summary: WebBackForwardCache::removeEntriesMatching() may re-enter and crash
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit2
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Chris Dumez
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2019-10-23 15:05 PDT by Chris Dumez
Modified: 2019-10-23 19:29 PDT
CC: 7 users

See Also:


Attachments
Patch (6.11 KB, patch)
2019-10-23 15:10 PDT, Chris Dumez

Description Chris Dumez 2019-10-23 15:05:57 PDT
WebBackForwardCache::removeEntriesMatching() may re-enter and crash:
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebKit              	0x00007fff40acb34f WTF::Detail::CallableWrapper<WebKit::WebBackForwardCache::removeEntriesForProcess(WebKit::WebProcessProxy&)::$_1, bool, WebKit::WebBackForwardListItem&>::call(WebKit::WebBackForwardListItem&) + 11
1   com.apple.WebKit              	0x00007fff40ac91db WebKit::WebBackForwardCache::removeEntriesMatching(WTF::Function<bool (WebKit::WebBackForwardListItem&)> const&) + 79
2   com.apple.WebKit              	0x00007fff40ac940d WebKit::WebBackForwardCache::removeEntriesForProcess(WebKit::WebProcessProxy&) + 59
3   com.apple.WebKit              	0x00007fff40b45047 WebKit::WebProcessPool::disconnectProcess(WebKit::WebProcessProxy*) + 91
4   com.apple.WebKit              	0x00007fff40b3ef96 WebKit::WebProcessProxy::shutDown() + 920
5   com.apple.WebKit              	0x00007fff40b52cb2 WebKit::WebProcessProxy::decrementSuspendedPageCount() + 42
6   com.apple.WebKit              	0x00007fff40abc576 WebKit::SuspendedPageProxy::~SuspendedPageProxy() + 512
7   com.apple.WebKit              	0x00007fff40abc6c8 WebKit::SuspendedPageProxy::~SuspendedPageProxy() + 14
8   com.apple.WebKit              	0x00007fff40ac9967 WebKit::WebBackForwardCacheEntry::~WebBackForwardCacheEntry() + 723
9   com.apple.WebKit              	0x00007fff40a0c5a7 std::__1::unique_ptr<WebKit::WebBackForwardCacheEntry, std::__1::default_delete<WebKit::WebBackForwardCacheEntry> >::reset(WebKit::WebBackForwardCacheEntry*) + 25
10  com.apple.WebKit              	0x00007fff40ac91f0 WebKit::WebBackForwardCache::removeEntriesMatching(WTF::Function<bool (WebKit::WebBackForwardListItem&)> const&) + 100
11  com.apple.WebKit              	0x00007fff40ac945a WebKit::WebBackForwardCache::removeEntriesForSession(PAL::SessionID) + 58
12  com.apple.WebKit              	0x00007fff40c152e4 WebKit::WebsiteDataStore::removeData(WTF::OptionSet<WebKit::WebsiteDataType>, WTF::WallTime, WTF::Function<void ()>&&) + 972
13  com.apple.WebKit              	0x00007fff40a504f3 -[WKWebsiteDataStore removeDataOfTypes:modifiedSince:completionHandler:] + 159
14  com.apple.Safari.Shared       	0x00007fff5e92318b -[WBSSiteMetadataManager siteMetadataProvider:getWebViewOfSize:withConfiguration:completionHandler:] + 686
15  com.apple.Safari.Shared       	0x00007fff5e9332f1 -[WBSTouchIconCache webViewMetadataFetchOperation:getWebViewOfSize:withConfiguration:completionHandler:] + 111
16  com.apple.Safari.Shared       	0x00007fff5e93f869 -[WBSWebViewMetadataFetchOperation _setUpWebViewAndStartOffscreenFetching] + 200
17  libdispatch.dylib             	0x7fff69d4183d _dispatch_call_block_and_release + 12 (src/init.c:1452)
18  libdispatch.dylib             	0x7fff69d427d5 _dispatch_client_callout + 8 (src/object.m:495)
19  libdispatch.dylib             	0x7fff69d4de23 _dispatch_main_queue_callback_4CF + 936 (src/inline_internal.h:2497)
20  com.apple.CoreFoundation      	0x7fff2f6663a3 __CFRUNLOOP_IS_SERVICING_THE_MAIN_DISPATCH_QUEUE__ + 9 (RunLoop.subproj/CFRunLoop.c:1749)
21  com.apple.CoreFoundation      	0x7fff2f66598a __CFRunLoopRun + 2042 (RunLoop.subproj/CFRunLoop.c:3069)
22  com.apple.CoreFoundation      	0x7fff2f664f13 CFRunLoopRunSpecific + 466 (RunLoop.subproj/CFRunLoop.c:3192)
23  com.apple.HIToolbox           	0x7fff2e16676d RunCurrentEventLoopInMode + 292 (./Events/EventsCore/EventLoop.c:455)
24  com.apple.HIToolbox           	0x7fff2e166485 ReceiveNextEventCommon + 584 (./Events/EventsCore/EventBlocking.c:354)
25  com.apple.HIToolbox           	0x7fff2e166229 _BlockUntilNextEventMatchingListInModeWithFilter + 64 (./Events/EventsCore/EventBlocking.c:174)
26  com.apple.AppKit              	0x7fff2c7f55c3 _DPSNextEvent + 889 (GraphicsContext.subproj/CGDPSReplacement.m:584)
27  com.apple.AppKit              	0x7fff2c7f439d -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 1352 (Events.subproj/appEventRouting.m:1355)
28  com.apple.Safari.framework    	0x00007fff5deda7c8 -[BrowserApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 251
29  com.apple.AppKit              	0x7fff2c7eead5 -[NSApplication run] + 658 (AppKit.subproj/NSApplication.m:3309)
30  com.apple.AppKit              	0x7fff2c7e079b NSApplicationMain + 777 (AppKit.subproj/NSApplication.m:8678)
31  com.apple.Safari.framework    	0x00007fff5dec77d0 SafariMain + 480
32  libdyld.dylib                 	0x00007fff69d928a5 start + 1
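The trace above shows one removeEntriesMatching() frame (frame 10) destroying an entry, that entry's SuspendedPageProxy shutting its process down, and the shutdown calling removeEntriesMatching() again (frame 1) on the same cache while the first loop is still live. The following is an added example, not WebKit code and not the contents of the patch: it models that call chain with hypothetical stand-ins (Cache for WebBackForwardCache, Entry for a cache entry plus its suspended page, Process for WebProcessProxy; runScenario, deferDestruction, completedCalls and the other names are invented for the example). The nested call is detected with a depth counter and skipped so the program stays deterministic; in the real code it walks a container that is being mutated beneath it, which is the crash. The hardened path moves the matching entries into a local vector and destroys them only after the loop has finished, which is one way to make such a removal re-entrancy-safe; whether r251523 took exactly that route is not stated on this page.

```cpp
// Added example (not WebKit code): re-entrant container removal, naive vs. deferred.
#include <cstdio>
#include <functional>
#include <memory>
#include <string>
#include <utility>
#include <vector>

struct Cache;

// Stand-in for WebProcessProxy: shuts down when its last suspended page is
// released, and shutdown evicts whatever the cache still holds for it
// (shutDown -> disconnectProcess -> removeEntriesForProcess in the trace).
struct Process {
    std::string name;
    Cache* cache = nullptr;
    int suspendedPages = 0;
    bool isShutDown = false;
    void decrementSuspendedPageCount();  // defined after Cache
};

// Stand-in for a cache entry owning a suspended page: destroying it releases
// one suspended page of its process, which may call back into the cache.
struct Entry {
    std::string session;
    Process* process;
    Entry(std::string s, Process* p) : session(std::move(s)), process(p) {}
    Entry(const Entry&) = delete;
    Entry& operator=(const Entry&) = delete;
    ~Entry() { process->decrementSuspendedPageCount(); }
};

struct Cache {
    using Matcher = std::function<bool(Entry&)>;

    std::vector<std::unique_ptr<Entry>> entries;
    bool deferDestruction = false;  // false: destroy inside the loop (the bug); true: hardened
    int depth = 0;                  // live removeEntriesMatching frames
    int reentries = 0;              // nested calls observed while a loop was live
    int completedCalls = 0;         // calls that actually performed their eviction

    ~Cache() {
        // Tear down from a detached vector so destructor callbacks never see
        // `entries` while its own destructor is running.
        auto detached = std::move(entries);
        entries.clear();
    }

    void add(const std::string& session, Process& p) {
        entries.push_back(std::make_unique<Entry>(session, &p));
        ++p.suspendedPages;
    }
    size_t removeEntriesForSession(const std::string& s) {
        return removeEntriesMatching([&](Entry& e) { return e.session == s; });
    }
    size_t removeEntriesForProcess(Process& p) {
        return removeEntriesMatching([&](Entry& e) { return e.process == &p; });
    }

    size_t removeEntriesMatching(const Matcher& matches) {
        // A call arriving while the loop below is live would iterate a vector
        // that is being erased from. In WebKit that is the crash; here it is
        // recorded and the nested eviction is skipped (so it never happens).
        if (depth > 0) { ++reentries; return 0; }
        ++depth;
        std::vector<std::unique_ptr<Entry>> doomed;
        size_t removed = 0;
        for (size_t i = 0; i < entries.size();) {
            if (!matches(*entries[i])) { ++i; continue; }
            ++removed;
            if (deferDestruction)
                doomed.push_back(std::move(entries[i]));  // keep the Entry alive for now
            entries.erase(entries.begin() + i);           // naive path: ~Entry runs here, mid-loop
        }
        --depth;
        doomed.clear();  // hardened path: ~Entry runs here, with no iteration live
        ++completedCalls;
        return removed;
    }
};

void Process::decrementSuspendedPageCount() {
    if (--suspendedPages > 0) return;
    isShutDown = true;
    cache->removeEntriesForProcess(*this);  // re-enters the cache, as in the trace
}

struct Outcome { size_t removed; int reentries; int completedCalls; bool shutDown; size_t remaining; };

// Constructed scenario mirroring the trace: clearing session "s1" evicts the
// last two suspended pages of process P, and P's shutdown calls back in.
Outcome runScenario(bool hardened) {
    Process p, q;               // declared before the cache so they outlive it
    Cache cache;
    cache.deferDestruction = hardened;
    p.name = "P"; p.cache = &cache;
    q.name = "Q"; q.cache = &cache;
    cache.add("s1", p);
    cache.add("s1", p);
    cache.add("s2", q);         // unrelated entry the nested walk would visit
    size_t removed = cache.removeEntriesForSession("s1");
    return {removed, cache.reentries, cache.completedCalls, p.isShutDown, cache.entries.size()};
}

int main() {
    for (bool hardened : {false, true}) {
        Outcome o = runScenario(hardened);
        std::printf("%s: removed=%zu reentries=%d completedCalls=%d shutDown=%d remaining=%zu\n",
                    hardened ? "deferred" : "naive", o.removed, o.reentries,
                    o.completedCalls, (int)o.shutDown, o.remaining);
    }
    return 0;
}
```

In the naive mode the outer call removes both entries, but the eviction requested by P's shutdown is observed as a re-entry and never runs (completedCalls stays at 1); in the deferred mode the callback arrives after the loop has finished, so both the outer and the nested removal complete against a consistent container. The general rule this illustrates: when destroying an element can run arbitrary code, detach the doomed elements from the container first and destroy them only once no iteration over that container is in progress.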
Comment 1 Chris Dumez 2019-10-23 15:06:08 PDT
<rdar://problem/56553939>
Comment 2 Chris Dumez 2019-10-23 15:10:46 PDT
Created attachment 381735
Patch
Comment 3 Geoffrey Garen 2019-10-23 15:18:39 PDT
Comment on attachment 381735
Patch

r=me
Comment 4 Chris Dumez 2019-10-23 19:29:29 PDT
Comment on attachment 381735
Patch

Clearing flags on attachment: 381735

Committed r251523: <https://trac.webkit.org/changeset/251523>
Comment 5 Chris Dumez 2019-10-23 19:29:30 PDT
All reviewed patches have been landed.  Closing bug.