Bug 204703 - [GTK][PSON] Crash in NetworkProcessProxy::openNetworkProcessConnection
Summary: [GTK][PSON] Crash in NetworkProcessProxy::openNetworkProcessConnection
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKitGTK
Version: WebKit Nightly Build
Hardware: PC Linux
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-11-29 08:02 PST by Michael Catanzaro
Modified: 2019-12-02 01:40 PST
CC: 6 users

See Also:


Attachments
Patch (3.85 KB, patch)
2019-11-30 07:25 PST, Carlos Garcia Campos
mcatanzaro: review+

Description Michael Catanzaro 2019-11-29 08:02:44 PST
This crash occurs since 2.27.3 when opening the address bar dropdown and scrolling through results. It doesn't happen always, but it occurs so frequently during regular browser usage that I'll likely roll Epiphany back to 2.26.2.

Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f01c2b2369b in WebKit::WebProcessProxy::sessionID (
    this=this@entry=0x7f00566f8000)
    at ../Source/WebKit/UIProcess/WebsiteData/WebsiteDataStore.h:112
112	    PAL::SessionID sessionID() const { return m_sessionID; }

#0  0x00007f01c2b2369b in WebKit::WebProcessProxy::sessionID() const (this=this@entry=0x7f00566f8000)
    at ../Source/WebKit/UIProcess/WebsiteData/WebsiteDataStore.h:112
#1  0x00007f01c2c0bccc in WebKit::NetworkProcessProxy::openNetworkProcessConnection(unsigned long, WebKit::WebProcessProxy&) (this=this@entry=0x7f0148204000, connectionRequestIdentifier=<optimized out>, webProcessProxy=...)
    at ../Source/WebKit/UIProcess/AuxiliaryProcessProxy.h:111
#2  0x00007f01c2c10797 in WebKit::NetworkProcessProxy::getNetworkProcessConnection(WebKit::WebProcessProxy&, WTF::CompletionHandler<void (WebKit::NetworkProcessConnectionInfo const&)>&&)
    (reply=..., webProcessProxy=..., this=0x7f0148204000)
    at ../Source/WebKit/UIProcess/Network/NetworkProcessProxy.cpp:145
#3  0x00007f01c2c10797 in WebKit::NetworkProcessProxy::getNetworkProcessConnection(WebKit::WebProcessProxy&, WTF::CompletionHandler<void (WebKit::NetworkProcessConnectionInfo const&)>&&)
    (this=0x7f0148204000, webProcessProxy=..., reply=...)
    at ../Source/WebKit/UIProcess/Network/NetworkProcessProxy.cpp:140
#4  0x00007f01c2b38c7e in WebKit::WebProcessPool::getNetworkProcessConnection(WebKit::WebProcessProxy&, WTF::CompletionHandler<void (WebKit::NetworkProcessConnectionInfo const&)>&&)
    (this=<optimized out>, webProcessProxy=..., reply=...) at /usr/include/c++/9.2.0/bits/unique_ptr.h:352
#5  0x00007f01c2b38ca2 in WebKit::WebProcessProxy::getNetworkProcessConnection(WTF::CompletionHandler<void (WebKit::NetworkProcessConnectionInfo const&)>&&) (this=this@entry=0x7f00566f8000, reply=...)
    at DerivedSources/ForwardingHeaders/wtf/WeakPtr.h:100
#6  0x00007f01c28ad137 in IPC::callMemberFunctionImpl<WebKit::WebProcessProxy, void (WebKit::WebProcessProxy::*)(WTF::CompletionHandler<void (WebKit::NetworkProcessConnectionInfo const&)>&&), void (WebKit::NetworkProcessConnectionInfo const&), std::tuple<>>(WebKit::WebProcessProxy*, void (WebKit::WebProcessProxy::*)(WTF::CompletionHandler<void (WebKit::NetworkProcessConnectionInfo const&)>&&), WTF::CompletionHandler<void (WebKit::NetworkProcessConnectionInfo const&)>&&, std::tuple<>&&, std::integer_sequence<unsigned long>)
    (args=<synthetic pointer>, completionHandler=..., function=<optimized out>, object=0x7f00566f8000)
    at ../Source/WebKit/Platform/IPC/HandleMessage.h:59
        completionHandler = 
              {m_function = {m_callableWrapper = std::unique_ptr<WTF::Detail::CallableWrapperBase<void, WebKit::NetworkProcessConnectionInfo const&>> = {get() = 0x0}}}
        protectedThis = 
          {static isRef = <error reading variable: Missing ELF symbol "WTF::Ref<WebKit::WebProcessProxy, WTF::DumbPtrTraits<WebKit::WebProcessProxy> >::isRef".>, m_ptr = 0x7f00566f8000}
#7  0x00007f01c28ad137 in IPC::callMemberFunction<WebKit::WebProcessProxy, void (WebKit::WebProcessProxy::*)(WTF::CompletionHandler<void (WebKit::NetworkProcessConnectionInfo const&)>&&), void (WebKit::NetworkProcessConnectionInfo const&), std::tuple<>, std::integer_sequence<unsigned long> >(std::tuple<>&&, WTF::CompletionHandler<void (WebKit::NetworkProcessConnectionInfo const&)>&&, WebKit::WebProcessProxy*, void (WebKit::WebProcessProxy::*)(WTF::CompletionHandler<void (WebKit::NetworkProcessConnectionInfo const&)>&&))
    (args=<synthetic pointer>, function=<optimized out>, object=0x7f00566f8000, completionHandler=...)
    at ../Source/WebKit/Platform/IPC/HandleMessage.h:61
        completionHandler = 
              {m_function = {m_callableWrapper = std::unique_ptr<WTF::Detail::CallableWrapperBase<void, WebKit::NetworkProcessConnectionInfo const&>> = {get() = 0x0}}}
        protectedThis = 
          {static isRef = <error reading variable: Missing ELF symbol "WTF::Ref<WebKit::WebProcessProxy, WTF::DumbPtrTraits<WebKit::WebProcessProxy> >::isRef".>, m_ptr = 0x7f00566f8000}
#8  0x00007f01c28ad137 in IPC::handleMessageSynchronous<Messages::WebProcessProxy::GetNetworkProcessConnection, WebKit::WebProcessProxy, void (WebKit::WebProcessProxy::*)(WTF::CompletionHandler<void (WebKit::NetworkProcessConnectionInfo const&)>&&)>(IPC::Connection&, IPC::Decoder&, std::unique_ptr<IPC::Encoder, std::default_delete<IPC::Encoder> >&, WebKit::WebProcessProxy*, void (WebKit::WebProcessProxy::*)(WTF::CompletionHandler<void (WebKit::NetworkProcessConnectionInfo const&)>&&)) (function=<optimized out>, object=0x7f00566f8000, replyEncoder=..., decoder=..., connection=...)
    at ../Source/WebKit/Platform/IPC/HandleMessage.h:148
        completionHandler = 
              {m_function = {m_callableWrapper = std::unique_ptr<WTF::Detail::CallableWrapperBase<void, WebKit::NetworkProcessConnectionInfo const&>> = {get() = 0x0}}}
        protectedThis = {static isRef = <error reading variable: Missing ELF symbol "WTF::Ref<WebKit::WebProcessProxy, WTF::DumbPtrTraits<WebKit::WebProcessProxy> >::isRef".>, m_ptr = 0x7f00566f8000}
#9  0x00007f01c28ad137 in WebKit::WebProcessProxy::didReceiveSyncWebProcessProxyMessage(IPC::Connection&, IPC::Decoder&, std::unique_ptr<IPC::Encoder, std::default_delete<IPC::Encoder> >&) (this=0x7f00566f8000, connection=..., decoder=..., replyEncoder=...) at DerivedSources/WebKit/WebProcessProxyMessageReceiver.cpp:291
        protectedThis = {static isRef = <error reading variable: Missing ELF symbol "WTF::Ref<WebKit::WebProcessProxy, WTF::DumbPtrTraits<WebKit::WebProcessProxy> >::isRef".>, m_ptr = 0x7f00566f8000}
#10 0x00007f01c2a15d5d in IPC::Connection::dispatchSyncMessage(IPC::Decoder&) (this=0x7f007a470320, decoder=...) at ../Source/WebKit/Platform/IPC/Encoder.h:40
        syncRequestID = 1
        replyEncoder = std::unique_ptr<IPC::Encoder> = {get() = 0x0}
#11 0x00007f01c2a15ea1 in IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) (this=0x7f007a470320, message=std::unique_ptr<IPC::Decoder> = {...}) at /usr/include/c++/9.2.0/bits/unique_ptr.h:352
        isDispatchingMessageWhileWaitingForSyncReply = <optimized out>
        oldDidReceiveInvalidMessage = false
#12 0x00007f01c2a160d7 in IPC::Connection::SyncMessageState::dispatchMessages(IPC::Connection*) (this=this@entry=0x7f01c53fb820 <IPC::Connection::SyncMessageState::singleton()::syncMessageState>, allowedConnection=allowedConnection@entry=0x7f007a470320) at /usr/include/c++/9.2.0/bits/move.h:74
        connectionAndIncomingMessage = @0x7f00566e0100: {connection = {static isRef = <error reading variable: Missing ELF symbol "WTF::Ref<IPC::Connection, WTF::DumbPtrTraits<IPC::Connection> >::isRef".>, m_ptr = 0x7f007a470320}, message = std::unique_ptr<IPC::Decoder> = {get() = 0x0}}
        i = <optimized out>
        messagesToPutBack = {<WTF::VectorBuffer<IPC::Connection::SyncMessageState::ConnectionAndIncomingMessage, 0>> = {<WTF::VectorBufferBase<IPC::Connection::SyncMessageState::ConnectionAndIncomingMessage>> = {m_buffer = 0x0, m_capacity = 0, m_size = 0}, <No data fields>}, <No data fields>}
#13 0x00007f01c2a16545 in IPC::Connection::SyncMessageState::dispatchMessageAndResetDidScheduleDispatchMessagesForConnection(IPC::Connection&) (this=0x7f01c53fb820 <IPC::Connection::SyncMessageState::singleton()::syncMessageState>, connection=...) at ../Source/WebKit/Platform/IPC/Connection.cpp:208
#14 0x00007f01c1de7865 in WTF::Function<void ()>::operator()() const (this=<synthetic pointer>) at ../Source/WTF/wtf/Lock.h:84
        function = {m_callableWrapper = std::unique_ptr<WTF::Detail::CallableWrapperBase<void>> = {get() = 0x7f00566eb018}}
        functionsToHandle = 1
#15 0x00007f01c1de7865 in WTF::RunLoop::performWork() (this=0x7f01bc2f5000) at ../Source/WTF/wtf/RunLoop.cpp:107
        function = {m_callableWrapper = std::unique_ptr<WTF::Detail::CallableWrapperBase<void>> = {get() = 0x7f00566eb018}}
        functionsToHandle = 1
#16 0x00007f01c1e33e1d in WTF::RunLoop::<lambda(gpointer)>::operator() (__closure=0x0, userData=<optimized out>) at ../Source/WTF/wtf/glib/RunLoopGLib.cpp:68
#17 0x00007f01c1e33e1d in WTF::RunLoop::<lambda(gpointer)>::_FUN(gpointer) () at ../Source/WTF/wtf/glib/RunLoopGLib.cpp:70
#18 0x00007f01c5e4458e in g_main_dispatch (context=0x55eadaadfd90) at ../glib/gmain.c:3185
        dispatch = 0x7f01c1e33e30 <WTF::<lambda(GSource*, GSourceFunc, gpointer)>::_FUN(GSource *, GSourceFunc, gpointer)>
        prev_source = 0x0
        was_in_call = 0
        user_data = 0x7f01bc2f5000
        callback = 0x7f01c1e33e10 <WTF::RunLoop::<lambda(gpointer)>::_FUN(gpointer)>
        cb_funcs = 0x7f01c5f19280 <g_source_callback_funcs>
        cb_data = 0x55eadac44370
        need_destroy = <optimized out>
        source = 0x55eadac09d50
        current = 0x55eadaae8e10
        i = 0
        __func__ = "g_main_dispatch"
#19 0x00007f01c5e4458e in g_main_context_dispatch (context=context@entry=0x55eadaadfd90) at ../glib/gmain.c:3850
#20 0x00007f01c5e44940 in g_main_context_iterate (context=context@entry=0x55eadaadfd90, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at ../glib/gmain.c:3923
        max_priority = 2147483647
        timeout = 697
        some_ready = 1
        nfds = <optimized out>
        allocated_nfds = <optimized out>
        fds = 0x55eadad7edd0
#21 0x00007f01c5e449e3 in g_main_context_iteration (context=context@entry=0x55eadaadfd90, may_block=may_block@entry=1) at ../glib/gmain.c:3984
        retval = <optimized out>
#22 0x00007f01c605e4f5 in g_application_run (application=0x55eadaad4720 [EphyShell], argc=<optimized out>, argv=<optimized out>) at ../gio/gapplication.c:2559
        arguments = 0x55eadabf38e0
        status = 0
        context = 0x55eadaadfd90
        acquired_context = 1
        __func__ = "g_application_run"
#23 0x000055eada08d0cd in main (argc=1, argv=0x7ffd680c1648) at ../src/ephy-main.c:427
        option_context = 0x55eadaa939b0
        option_group = 0x55eadaa93a30
        error = 0x0
        user_time = 0
        arbitrary_url = 0
        ctx = 0x55eadac018f0
        mode = EPHY_EMBED_SHELL_MODE_BROWSER
        status = 32765
        flags = EPHY_FILE_HELPERS_ENSURE_EXISTS
        desktop_info = 0x0
Comment 1 Michael Catanzaro 2019-11-29 10:35:54 PST
I think it would be an assertion failure in debug builds. WebProcessProxy::sessionID() gets called before m_websiteDataStore is set.
Comment 2 Michael Catanzaro 2019-11-29 11:03:52 PST
OK, here's a 100% reproducer:

 * Load a website in the web view, e.g. https://webkit.org
 * Load a different website in the same web view, e.g. https://gnome.org. This triggers the creation of a new WebProcessProxy and a process swap. The new WebProcessProxy uses the same WebsiteDataStore as the original, and all works fine.
 * Ctrl+L to open the address bar dropdown, hold the down arrow key. A new WebProcessProxy is created (not sure why, is it for prewarming?) without any WebsiteDataStore.

Then WebProcessProxy::getNetworkProcessConnection() gets called from somewhere, and we crash because WebProcessProxy::setWebsiteDataStore() has not been called yet.
Comment 3 Michael Catanzaro 2019-11-29 11:04:13 PST
(In reply to Michael Catanzaro from comment #0)
> It doesn't happen always, but it occurs so
> frequently during regular browser usage that I'll likely roll Epiphany back
> to 2.26.2.

I'll just disable PSON for now.
Comment 4 Michael Catanzaro 2019-11-29 11:07:31 PST
(In reply to Michael Catanzaro from comment #2)
>  * Load a different website in the same web view, e.g. https://gnome.org.
> This triggers the creation of a new WebProcessProxy and a process swap. The
> new WebProcessProxy uses the same WebsiteDataStore as the original, and all
> works fine.
>  * Ctrl+L to open the address bar dropdown, hold the down arrow key. A new
> WebProcessProxy is created (not sure why, is it for prewarming?) without any
> WebsiteDataStore.

I missed a step here. After you Ctrl+L, you have to type some characters to display history results. Just pressing the down arrow does nothing unless you type first.
Comment 5 Carlos Garcia Campos 2019-11-30 06:49:02 PST
(In reply to Michael Catanzaro from comment #2)
> OK, here's a 100% reproducer:
> 
>  * Load a website in the web view, e.g. https://webkit.org
>  * Load a different website in the same web view, e.g. https://gnome.org.
> This triggers the creation of a new WebProcessProxy and a process swap. The
> new WebProcessProxy uses the same WebsiteDataStore as the original, and all
> works fine.
>  * Ctrl+L to open the address bar dropdown, hold the down arrow key. A new
> WebProcessProxy is created (not sure why, is it for prewarming?) without any
> WebsiteDataStore.

If it only happens with the keyboard, but not with the mouse, I would blame the DNS prefetch that we start when selecting entries of the dropdown list.

> Then WebProcessProxy::getNetworkProcessConnection() gets called from
> somewhere, and we crash because WebProcessProxy::setWebsiteDataStore() has
> not been called yet.
Comment 6 Carlos Garcia Campos 2019-11-30 07:25:47 PST
Created attachment 384542 [details]
Patch
Comment 7 Build Bot 2019-11-30 07:26:47 PST
Thanks for the patch. If this patch contains new public API please make sure it follows the guidelines for new WebKit2 GTK+ API. See http://trac.webkit.org/wiki/WebKitGTK/AddingNewWebKit2API
Comment 8 Michael Catanzaro 2019-11-30 07:41:50 PST
Comment on attachment 384542 [details]
Patch

Nice, thanks
Comment 9 Michael Catanzaro 2019-11-30 07:43:07 PST
(In reply to Michael Catanzaro from comment #1)
> I think it would be an assertion failure in debug builds.
> WebProcessProxy::sessionID() gets called before m_websiteDataStore is set.

I think I would change this to be a RELEASE_ASSERT(). It seems somewhat fragile and that will likely help debugging in the future.
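The failure mode described in comment 2 (a freshly created WebProcessProxy with no WebsiteDataStore answering a GetNetworkProcessConnection request) and the RELEASE_ASSERT suggested in comment 9, as an added standalone C++ model. This is not WebKit code and not the contents of the attached patch or r252980: SessionID is reduced to an integer, the data store is held by a shared_ptr, RELEASE_ASSERT is replaced by a local macro, and the caller-side guard in openNetworkProcessConnection (refusing a proxy that has no data store instead of reading its sessionID()) is an assumption about one defensible fix, not a description of what was committed.

```cpp
// Added example (not WebKit code): a model of the objects named in the
// backtrace. Assumptions: SessionID is a plain integer; the data-store pointer
// is a shared_ptr; the caller-side guard below is one possible fix, not r252980.
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <memory>
#include <optional>
#include <utility>

struct SessionID {
    uint64_t value;
    bool operator==(const SessionID& other) const { return value == other.value; }
};

class WebsiteDataStore {
public:
    explicit WebsiteDataStore(uint64_t id) : m_sessionID{id} {}
    SessionID sessionID() const { return m_sessionID; }
private:
    SessionID m_sessionID;
};

// Stand-in for WebKit's RELEASE_ASSERT: checked in every build, not only debug.
#define MODEL_RELEASE_ASSERT(cond)                                            \
    do {                                                                      \
        if (!(cond)) {                                                        \
            std::fprintf(stderr, "RELEASE_ASSERT failed: %s\n", #cond);       \
            std::abort();                                                     \
        }                                                                     \
    } while (0)

class WebProcessProxy {
public:
    // Crashing shape from the report: m_websiteDataStore is null until
    // setWebsiteDataStore() runs, so this is a null dereference (the SIGSEGV
    // in frame #0). Shown for contrast only; never called below.
    SessionID sessionIDUnchecked() const { return m_websiteDataStore->sessionID(); }

    // Hardened accessor in the spirit of comment 9: abort with a clear message
    // instead of a silent null dereference, in release builds too.
    SessionID sessionID() const {
        MODEL_RELEASE_ASSERT(m_websiteDataStore);
        return m_websiteDataStore->sessionID();
    }

    bool hasWebsiteDataStore() const { return m_websiteDataStore != nullptr; }

    void setWebsiteDataStore(std::shared_ptr<WebsiteDataStore> store) {
        m_websiteDataStore = std::move(store);
    }

private:
    std::shared_ptr<WebsiteDataStore> m_websiteDataStore;  // null for a fresh proxy
};

// Model of NetworkProcessProxy::openNetworkProcessConnection. Caller-side guard
// (an assumption, not the shipped patch): a proxy with no data store cannot be
// mapped to a session, so refuse the connection rather than read sessionID().
std::optional<SessionID> openNetworkProcessConnection(const WebProcessProxy& proxy) {
    if (!proxy.hasWebsiteDataStore())
        return std::nullopt;
    return proxy.sessionID();
}

// The reproducer from comment 2, step by step.
struct ReproResult {
    std::optional<SessionID> afterSwap;        // proxy created by the process swap
    std::optional<SessionID> prewarmedBefore;  // fresh proxy, no data store yet
    std::optional<SessionID> prewarmedAfter;   // same proxy after the store is set
};

ReproResult runReproducer() {
    auto store = std::make_shared<WebsiteDataStore>(1);  // constructed sample session

    WebProcessProxy first;        // webkit.org
    first.setWebsiteDataStore(store);

    WebProcessProxy swapped;      // gnome.org, PSON swap: shares the same data store
    swapped.setWebsiteDataStore(store);

    WebProcessProxy prewarmed;    // created by the address-bar path, no store yet

    ReproResult r;
    r.afterSwap = openNetworkProcessConnection(swapped);
    r.prewarmedBefore = openNetworkProcessConnection(prewarmed);  // unchecked, this crashed
    prewarmed.setWebsiteDataStore(store);
    r.prewarmedAfter = openNetworkProcessConnection(prewarmed);
    return r;
}

int main() {
    ReproResult r = runReproducer();
    std::printf("swapped proxy session: %llu\n", (unsigned long long)r.afterSwap->value);
    std::printf("prewarmed proxy before store: %s\n", r.prewarmedBefore ? "session" : "refused");
    std::printf("prewarmed proxy after store:  %llu\n", (unsigned long long)r.prewarmedAfter->value);
    return 0;
}
```

The two accessors make the trade-off visible: sessionIDUnchecked() is the shape in the backtrace and turns a missing setWebsiteDataStore() call into undefined behaviour, while sessionID() with the release-mode assert turns it into a deterministic abort with the failing condition in the log, which is what makes the next such report debuggable.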
Comment 10 Carlos Garcia Campos 2019-12-02 01:40:40 PST
Committed r252980: <https://trac.webkit.org/changeset/252980>