Bug 213526 - REGRESSION (r263328): Crash in bool WTF::WeakHashSet<WebKit::AudioSessionRoutingArbitratorProxy, WTF::EmptyCounter>::contains<WebKit::AudioSessionRoutingArbitratorProxy> const
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Jer Noble
Keywords: InRadar
Reported: 2020-06-23 12:29 PDT by Jer Noble
Modified: 2020-06-24 08:24 PDT
Attachments
Patch (2.76 KB, patch)
2020-06-23 12:31 PDT, Jer Noble
Patch (2.76 KB, patch)
2020-06-23 13:53 PDT, Jer Noble
Patch (1.60 KB, patch)
2020-06-23 23:34 PDT, Jer Noble

Description Jer Noble 2020-06-23 12:29:30 PDT
REGRESSION (r263328): Crash in bool WTF::WeakHashSet<WebKit::AudioSessionRoutingArbitratorProxy, WTF::EmptyCounter>::contains<WebKit::AudioSessionRoutingArbitratorProxy> const
Comment 1 Jer Noble 2020-06-23 12:30:04 PDT
<rdar://problem/64591777>
Comment 2 Jer Noble 2020-06-23 12:31:57 PDT
Created attachment 402582
Patch
Comment 3 Jer Noble 2020-06-23 13:53:42 PDT
Created attachment 402588
Patch
Comment 4 Jer Noble 2020-06-23 15:20:49 PDT
No crashes when running tests locally.
Comment 5 Jer Noble 2020-06-23 23:17:09 PDT
Whelp, I updated sources, re-built, and re-ran tests and crashes aplenty. The crash log shows an assertion in the UniqueRef operator->() called from WebProcessProxy::shutDown(). So the underlying cause /must/ be that WebProcessProxy was dealloc'd (and its UniqueRef member's destructor called) sometime before shutDown().
Comment 6 Jer Noble 2020-06-23 23:19:46 PDT
Oh! I bet WebProcessPool::disconnectProcess(WebProcessProxy*) has the side-effect of destroying the WebProcessProxy! And the next line is the UniqueRef operator->() which is showing a crash result. That means the underlying problem has nothing to do with the ASSERT in the patch above, but instead that any call after disconnectProcess(this) is a potential unsafe access of freed memory.
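The lifetime hazard described in comment 6, as an added example that is not part of the original comments and is not WebKit code or the patch that landed: a pool drops the last reference to an object in the middle of that object's own method, and a local protecting reference is one common way to keep members valid until the method returns. `Pool`, `Proxy`, `member`, `keepAlive` and `runShutDown` are hypothetical stand-ins, and `std::shared_ptr` stands in for WebKit's reference counting.

```cpp
#include <algorithm>
#include <memory>
#include <vector>

struct Proxy;

// Stand-in for WebProcessPool: holds the only strong reference to each proxy.
struct Pool {
    std::vector<std::shared_ptr<Proxy>> processes;
    void disconnectProcess(Proxy* p);
};

// Stand-in for WebProcessProxy.
struct Proxy : std::enable_shared_from_this<Proxy> {
    Pool& pool;
    bool& destroyed; // lives outside the object, so it stays readable after destruction
    std::unique_ptr<int> member = std::make_unique<int>(0); // stand-in for the UniqueRef member

    Proxy(Pool& pool, bool& destroyed) : pool(pool), destroyed(destroyed) {}
    ~Proxy() { destroyed = true; }

    // Returns true if members were still valid after disconnectProcess(this).
    bool shutDown(bool protect) {
        bool& gone = destroyed; // bind to the external flag before `this` can go away
        std::shared_ptr<Proxy> keepAlive;
        if (protect)
            keepAlive = shared_from_this(); // extra reference held for the rest of this call
        pool.disconnectProcess(this);
        if (gone)
            return false; // `this` is freed; touching `member` here would be a use-after-free
        *member = 1; // valid only because keepAlive still holds a reference
        return true;
    }
};

void Pool::disconnectProcess(Proxy* p) {
    // Dropping the pool's reference destroys the proxy if nothing else holds one.
    processes.erase(std::remove_if(processes.begin(), processes.end(),
        [p](const std::shared_ptr<Proxy>& sp) { return sp.get() == p; }), processes.end());
}

// Builds a pool with one proxy and shuts it down, with or without the protector.
bool runShutDown(bool protect) {
    Pool pool;
    bool destroyed = false;
    pool.processes.push_back(std::make_shared<Proxy>(pool, destroyed));
    return pool.processes.back()->shutDown(protect);
}
```

The other standard remedy is ordering: do all member work first and make the disconnect call the last statement in the method.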
Comment 7 Jer Noble 2020-06-23 23:34:39 PDT
Created attachment 402624
Patch
Comment 8 Jer Noble 2020-06-23 23:55:26 PDT
The above fix definitely eliminated all the crashes seen previously when running run-webkit-tests against a release build.
Comment 9 EWS 2020-06-24 08:24:50 PDT
Committed r263456: <https://trac.webkit.org/changeset/263456>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 402624.