RESOLVED FIXED 213526
REGRESSION (r263328): Crash in bool WTF::WeakHashSet<WebKit::AudioSessionRoutingArbitratorProxy, WTF::EmptyCounter>::contains<WebKit::AudioSessionRoutingArbitratorProxy> const
https://bugs.webkit.org/show_bug.cgi?id=213526
Jer Noble
Reported 2020-06-23 12:29:30 PDT
REGRESSION (r263328): Crash in bool WTF::WeakHashSet<WebKit::AudioSessionRoutingArbitratorProxy, WTF::EmptyCounter>::contains<WebKit::AudioSessionRoutingArbitratorProxy> const
Attachments
Patch (2.76 KB, patch)
2020-06-23 12:31 PDT, Jer Noble
no flags
Patch (2.76 KB, patch)
2020-06-23 13:53 PDT, Jer Noble
no flags
Patch (1.60 KB, patch)
2020-06-23 23:34 PDT, Jer Noble
no flags
Jer Noble
Comment 1 2020-06-23 12:30:04 PDT
Jer Noble
Comment 2 2020-06-23 12:31:57 PDT
Jer Noble
Comment 3 2020-06-23 13:53:42 PDT
Jer Noble
Comment 4 2020-06-23 15:20:49 PDT
No crashes when running tests locally.
Jer Noble
Comment 5 2020-06-23 23:17:09 PDT
Whelp, I updated sources, re-built, and re-ran tests and crashes aplenty. The crash log shows an assertion in the UniqueRef operator->() called from WebProcessProxy::shutDown(). So the underlying cause /must/ be that WebProcessProxy was dealloc'd (and its UniqueRef member's destructor called) sometime before shutDown().
Jer Noble
Comment 6 2020-06-23 23:19:46 PDT
Oh! I bet WebProcessPool::disconnectProcess(WebProcessProxy*) has the side-effect of destroying the WebProcessProxy! And the next line is the UniqueRef operator->() which is showing a crash result. That means the underlying problem has nothing to do with the ASSERT in the patch above, but instead that any call after disconnectProcess(this) is a potential unsafe access of freed memory.
Jer Noble
Comment 7 2020-06-23 23:34:39 PDT
Jer Noble
Comment 8 2020-06-23 23:55:26 PDT
The above fix definitely eliminated all the crashes seen previously when running run-webkit-tests against a release build.
EWS
Comment 9 2020-06-24 08:24:50 PDT
Committed r263456: <https://trac.webkit.org/changeset/263456> All reviewed patches have been landed. Closing bug and clearing flags on attachment 402624.
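The lifetime hazard described in Comment 6, as an added example that is not part of the original thread and is not the WebKit patch (which this page does not show): a callee that releases the last owning reference to `this`, and a protecting reference that keeps the object alive until the final member access. `Pool`, `Proxy`, `arbitrator` and `runShutDown` are hypothetical names, and `std::shared_ptr` is an assumed stand-in for WebKit's own reference counting.

```cpp
#include <algorithm>
#include <iostream>
#include <memory>
#include <string>
#include <vector>

struct Proxy;

// Hypothetical pool that owns its proxies (stand-in for the process pool).
struct Pool {
    std::vector<std::shared_ptr<Proxy>> processes;
    void disconnect(Proxy* p); // may drop the last owning reference to *p
};

struct Proxy : std::enable_shared_from_this<Proxy> {
    Pool& pool;
    std::vector<std::string>& log;
    std::unique_ptr<std::string> arbitrator; // plays the role of the UniqueRef member

    Proxy(Pool& p, std::vector<std::string>& l)
        : pool(p), log(l), arbitrator(std::make_unique<std::string>("arbitrator")) {}
    ~Proxy() { log.push_back("destroyed"); }

    // Hazardous ordering (described only, never executed here):
    //   pool.disconnect(this);  // pool releases its reference, *this is destroyed
    //   arbitrator->...;        // member access on freed memory
    void shutDown() {
        auto protectedThis = shared_from_this(); // keeps *this alive past disconnect()
        pool.disconnect(this);
        arbitrator->append(" stopped");          // safe: object is still alive
        log.push_back(*arbitrator);
    } // protectedThis released here, after the last member access
};

void Pool::disconnect(Proxy* p) {
    processes.erase(std::remove_if(processes.begin(), processes.end(),
        [p](const std::shared_ptr<Proxy>& q) { return q.get() == p; }), processes.end());
}

// Runs one shutdown with the pool as sole owner and returns the event order.
std::vector<std::string> runShutDown() {
    std::vector<std::string> log;
    Pool pool;
    pool.processes.push_back(std::make_shared<Proxy>(pool, log));
    pool.processes.back()->shutDown();
    return log;
}

int main() {
    for (const auto& e : runShutDown()) std::cout << e << "\n";
}
```

Building the unprotected ordering with AddressSanitizer (`-fsanitize=address`) is a practical way to confirm this class of bug, since it reports the member access as a heap-use-after-free.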