213526 – REGRESSION (r263328): Crash in bool WTF::WeakHashSet<WebKit::AudioSessionRoutingArbitratorProxy, WTF::EmptyCounter>::contains<WebKit::AudioSessionRoutingArbitratorProxy> const

RESOLVED FIXED 213526

REGRESSION (r263328): Crash in bool WTF::WeakHashSet<WebKit::AudioSessionRoutingArbitratorProxy, WTF::EmptyCounter>::contains<WebKit::AudioSessionRoutingArbitratorProxy> const

https://bugs.webkit.org/show_bug.cgi?id=213526

Summary REGRESSION (r263328): Crash in bool WTF::WeakHashSet<WebKit::AudioSessionRout...

Jer Noble

Reported 2020-06-23 12:29:30 PDT

REGRESSION (r263328): Crash in bool WTF::WeakHashSet<WebKit::AudioSessionRoutingArbitratorProxy, WTF::EmptyCounter>::contains<WebKit::AudioSessionRoutingArbitratorProxy> const

Attachments
Patch (2.76 KB, patch) 2020-06-23 12:31 PDT, Jer Noble	no flags	Details Formatted Diff Diff
Patch (2.76 KB, patch) 2020-06-23 13:53 PDT, Jer Noble	no flags	Details Formatted Diff Diff
Patch (1.60 KB, patch) 2020-06-23 23:34 PDT, Jer Noble	no flags	Details Formatted Diff Diff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.

Jer Noble

Comment 1 2020-06-23 12:30:04 PDT

<rdar://problem/64591777>

Jer Noble

Comment 2 2020-06-23 12:31:57 PDT

Created attachment 402582 [details] Patch

Jer Noble

Comment 3 2020-06-23 13:53:42 PDT

Created attachment 402588 [details] Patch

Jer Noble

Comment 4 2020-06-23 15:20:49 PDT

No crashes when running tests locally.

Jer Noble

Comment 5 2020-06-23 23:17:09 PDT

Whelp, I updated sources, re-built, and re-ran tests and crashes aplenty. The crash log shows an assertion in the UniqueRef operator->() called from WebProcessProxy::shutDown(). So the underlying cause /must/ be that WebProcessProxy was dealloc'd (and it's UniqueRef member's destructor called) sometime before shutDown().

Jer Noble

Comment 6 2020-06-23 23:19:46 PDT

Oh! I bet WebProcessPool::disconnectProcess(WebProcessProxy*) has the side-effect of destroying the WebProcessProxy! And the next line is the UniqueRef operator->() which is showing a crash result. That means the underlying problem has nothing to do with the ASSERT in the patch above, but instead that any call after disconnectProcess(this) is a potential unsafe access of freed memory.

Jer Noble

Comment 7 2020-06-23 23:34:39 PDT

Created attachment 402624 [details] Patch

Jer Noble

Comment 8 2020-06-23 23:55:26 PDT

The above fix definitely eliminated all the crashes seen previously when running run-webkit-tests against a release build.

EWS

Comment 9 2020-06-24 08:24:50 PDT

Committed r263456: <https://trac.webkit.org/changeset/263456> All reviewed patches have been landed. Closing bug and clearing flags on attachment 402624 [details].

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component New Bugs

Assignee

Jer Noble

Reported

2020-06-23 12:29 PDT

Modified

2020-06-24 08:24 PDT History

CC List

8 users Show

URL

Keywords InRadar

Depends on

Blocks