220445 – Make it safe to re-enter HashMap::clear()

Bug 220445 - Make it safe to re-enter HashMap::clear()

Summary: Make it safe to re-enter HashMap::clear()

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	Web Template Framework (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Chris Dumez

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2021-01-07 16:40 PST by Chris Dumez
Modified:	2021-01-08 07:46 PST (History)
CC List:	7 users (show)

See Also:

Attachments
Patch (3.21 KB, patch) 2021-01-07 16:48 PST, Chris Dumez	no flags	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Chris Dumez 2021-01-07 16:40:42 PST

Make it safe to re-enter HashMap::clear(). This will fix the following crashes on the GPUProcess bot:
Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x00000000bbadbeef
Exception Note:        EXC_CORPSE_NOTIFY

Termination Signal:    Segmentation fault: 11
Termination Reason:    Namespace SIGNAL, Code 0xb
Terminating Process:   exc handler [27650]

VM Regions Near 0xbbadbeef:
--> 
    __TEXT                 0000000106dc3000-0000000106dc4000 [    4K] r-x/r-x SM=COW  /Volumes/VOLUME/*/*.Development

Application Specific Information:
CRASHING TEST: fast/canvas/canvas-overloads-strokeText.html

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore      	0x0000000622535c2e WTFCrash + 14 (Assertions.cpp:295)
1   com.apple.WebCore             	0x00000005ff704dfb WTFCrashWithInfo(int, char const*, char const*, int) + 27
2   com.apple.WebCore             	0x00000005ff719db8 WTF::RefCountedBase::hasOneRef() const + 104 (RefCounted.h:55)
3   com.apple.WebCore             	0x00000005ff719c9c WTF::RefCountedBase::applyRefDerefThreadingCheck() const + 28 (RefCounted.h:106)
4   com.apple.WebCore             	0x00000005ff719b0c WTF::RefCountedBase::derefBase() const + 28 (RefCounted.h:130)
5   com.apple.WebCore             	0x00000006006072af WTF::RefCounted<WebCore::ImageBuffer, std::__1::default_delete<WebCore::ImageBuffer> >::deref() const + 31 (RefCounted.h:189)
6   com.apple.WebCore             	0x0000000603b1daf5 WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> >::~Ref() + 53 (Ref.h:62)
7   com.apple.WebCore             	0x0000000603b1dab5 WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> >::~Ref() + 21 (Ref.h:62)
8   com.apple.WebCore             	0x0000000603b1da8e WTF::KeyValuePair<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> > >::~KeyValuePair() + 30 (KeyValuePair.h:33)
9   com.apple.WebCore             	0x0000000603b1d9c5 WTF::KeyValuePair<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> > >::~KeyValuePair() + 21 (KeyValuePair.h:33)
10  com.apple.WebCore             	0x0000000603b1d951 WTF::HashTable<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::KeyValuePair<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> > > >, WTF::DefaultHash<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType> >, WTF::HashMap<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> >, WTF::DefaultHash<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType> >, WTF::HashTraits<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType> >, WTF::HashTraits<WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> > > >::KeyValuePairTraits, WTF::HashTraits<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType> > >::deallocateTable(WTF::KeyValuePair<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> > >*) + 97 (HashTable.h:1237)
11  com.apple.WebCore             	0x0000000603b23cdb WTF::HashTable<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::KeyValuePair<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> > > >, WTF::DefaultHash<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType> >, WTF::HashMap<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> >, WTF::DefaultHash<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType> >, WTF::HashTraits<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType> >, WTF::HashTraits<WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> > > >::KeyValuePairTraits, WTF::HashTraits<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType> > >::clear() + 59 (HashTable.h:1383)
12  com.apple.WebCore             	0x0000000603b13ce5 WTF::HashMap<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> >, WTF::DefaultHash<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType> >, WTF::HashTraits<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType> >, WTF::HashTraits<WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> > > >::clear() + 21 (HashMap.h:475)
13  com.apple.WebCore             	0x0000000603b13c48 WebCore::DisplayList::DisplayList::clear() + 104 (DisplayList.cpp:83)
14  com.apple.WebKit              	0x00000005f19bdbb6 WebKit::RemoteImageBufferProxy<WebKit::ImageBufferShareableMappedIOSurfaceBackend>::clearDisplayList() + 38 (RemoteImageBufferProxy.h:247)
15  com.apple.WebKit              	0x00000005f19bc139 WebKit::RemoteImageBufferProxy<WebKit::ImageBufferShareableMappedIOSurfaceBackend>::changeDestinationImageBuffer(WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>) + 105 (RemoteImageBufferProxy.h:237)
16  com.apple.WebKit              	0x00000005f19578a6 WebKit::RemoteRenderingBackendProxy::willAppendItem(WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>) + 198 (RemoteRenderingBackendProxy.cpp:238)
17  com.apple.WebKit              	0x00000005f19bc783 WebKit::RemoteImageBufferProxy<WebKit::ImageBufferShareableMappedIOSurfaceBackend>::willAppendItemOfType(WebCore::DisplayList::ItemType) + 99 (RemoteImageBufferProxy.h:253)
18  com.apple.WebCore             	0x0000000603b36185 WebCore::DisplayList::Recorder::willAppendItemOfType(WebCore::DisplayList::ItemType) + 85 (DisplayListRecorder.cpp:112)
19  com.apple.WebKit              	0x00000005f19bdbe5 void WebCore::DisplayList::Recorder::append<WebCore::DisplayList::FlushContext, WTF::ObjectIdentifier<WebCore::DisplayList::FlushIdentifierType>&>(WTF::ObjectIdentifier<WebCore::DisplayList::FlushIdentifierType>&) + 37 (DisplayListRecorder.h:155)
20  com.apple.WebKit              	0x00000005f19bdb7d WebCore::DisplayList::Recorder::flushContext(WTF::ObjectIdentifier<WebCore::DisplayList::FlushIdentifierType>) + 29 (DisplayListRecorder.h:73)
21  com.apple.WebKit              	0x00000005f19bc040 WebKit::RemoteImageBufferProxy<WebKit::ImageBufferShareableMappedIOSurfaceBackend>::flushDrawingContextAsync() + 160
22  com.apple.WebKit              	0x00000005f19bbf7d WebKit::RemoteImageBufferProxy<WebKit::ImageBufferShareableMappedIOSurfaceBackend>::flushDrawingContext() + 125 (RemoteImageBufferProxy.h:198)
23  com.apple.WebKit              	0x00000005f19bd79d WebKit::RemoteImageBufferProxy<WebKit::ImageBufferShareableMappedIOSurfaceBackend>::~RemoteImageBufferProxy() + 125 (RemoteImageBufferProxy.h:69)
24  com.apple.WebKit              	0x00000005f19bbd25 WebKit::RemoteImageBufferProxy<WebKit::ImageBufferShareableMappedIOSurfaceBackend>::~RemoteImageBufferProxy() + 21 (RemoteImageBufferProxy.h:72)
25  com.apple.WebKit              	0x00000005f19bbd4c WebKit::RemoteImageBufferProxy<WebKit::ImageBufferShareableMappedIOSurfaceBackend>::~RemoteImageBufferProxy() + 28 (RemoteImageBufferProxy.h:66)
26  com.apple.WebCore             	0x000000060060730f std::__1::default_delete<WebCore::ImageBuffer>::operator()(WebCore::ImageBuffer*) const + 47 (memory:2339)
27  com.apple.WebCore             	0x00000006006072d2 WTF::RefCounted<WebCore::ImageBuffer, std::__1::default_delete<WebCore::ImageBuffer> >::deref() const + 66 (RefCounted.h:191)
28  com.apple.WebCore             	0x0000000603b1daf5 WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> >::~Ref() + 53 (Ref.h:62)
29  com.apple.WebCore             	0x0000000603b1dab5 WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> >::~Ref() + 21 (Ref.h:62)
30  com.apple.WebCore             	0x0000000603b1da8e WTF::KeyValuePair<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> > >::~KeyValuePair() + 30 (KeyValuePair.h:33)
31  com.apple.WebCore             	0x0000000603b1d9c5 WTF::KeyValuePair<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> > >::~KeyValuePair() + 21 (KeyValuePair.h:33)
32  com.apple.WebCore             	0x0000000603b1d951 WTF::HashTable<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::KeyValuePair<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> > > >, WTF::DefaultHash<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType> >, WTF::HashMap<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> >, WTF::DefaultHash<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType> >, WTF::HashTraits<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType> >, WTF::HashTraits<WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> > > >::KeyValuePairTraits, WTF::HashTraits<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType> > >::deallocateTable(WTF::KeyValuePair<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> > >*) + 97 (HashTable.h:1237)
33  com.apple.WebCore             	0x0000000603b23cdb WTF::HashTable<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::KeyValuePair<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> > > >, WTF::DefaultHash<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType> >, WTF::HashMap<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> >, WTF::DefaultHash<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType> >, WTF::HashTraits<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType> >, WTF::HashTraits<WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> > > >::KeyValuePairTraits, WTF::HashTraits<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType> > >::clear() + 59 (HashTable.h:1383)
34  com.apple.WebCore             	0x0000000603b13ce5 WTF::HashMap<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType>, WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> >, WTF::DefaultHash<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType> >, WTF::HashTraits<WTF::ObjectIdentifier<WebCore::RenderingResourceIdentifierType> >, WTF::HashTraits<WTF::Ref<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer> > > >::clear() + 21 (HashMap.h:475)
35  com.apple.WebCore             	0x0000000603b13c48 WebCore::DisplayList::DisplayList::clear() + 104 (DisplayList.cpp:83)
36  com.apple.WebKit              	0x00000005f19bdbb6 WebKit::RemoteImageBufferProxy<WebKit::ImageBufferShareableMappedIOSurfaceBackend>::clearDisplayList() + 38 (RemoteImageBufferProxy.h:247)
37  com.apple.WebKit              	0x00000005f19bc063 WebKit::RemoteImageBufferProxy<WebKit::ImageBufferShareableMappedIOSurfaceBackend>::flushDrawingContextAsync() + 195 (RemoteImageBufferProxy.h:214)
38  com.apple.WebKit              	0x00000005f19bbf7d WebKit::RemoteImageBufferProxy<WebKit::ImageBufferShareableMappedIOSurfaceBackend>::flushDrawingContext() + 125 (RemoteImageBufferProxy.h:198)
39  com.apple.WebKit              	0x00000005f19bd79d WebKit::RemoteImageBufferProxy<WebKit::ImageBufferShareableMappedIOSurfaceBackend>::~RemoteImageBufferProxy() + 125 (RemoteImageBufferProxy.h:69)
40  com.apple.WebKit              	0x00000005f19bbd25 WebKit::RemoteImageBufferProxy<WebKit::ImageBufferShareableMappedIOSurfaceBackend>::~RemoteImageBufferProxy() + 21 (RemoteImageBufferProxy.h:72)
41  com.apple.WebKit              	0x00000005f19bbd4c WebKit::RemoteImageBufferProxy<WebKit::ImageBufferShareableMappedIOSurfaceBackend>::~RemoteImageBufferProxy() + 28 (RemoteImageBufferProxy.h:66)
42  com.apple.WebCore             	0x000000060060730f std::__1::default_delete<WebCore::ImageBuffer>::operator()(WebCore::ImageBuffer*) const + 47 (memory:2339)
43  com.apple.WebCore             	0x00000006006072d2 WTF::RefCounted<WebCore::ImageBuffer, std::__1::default_delete<WebCore::ImageBuffer> >::deref() const + 66 (RefCounted.h:191)
44  com.apple.WebCore             	0x0000000600607257 WTF::DefaultRefDerefTraits<WebCore::ImageBuffer>::derefIfNotNull(WebCore::ImageBuffer*) + 55 (RefPtr.h:43)
45  com.apple.WebCore             	0x0000000600607219 WTF::RefPtr<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer>, WTF::DefaultRefDerefTraits<WebCore::ImageBuffer> >::~RefPtr() + 41 (RefPtr.h:73)
46  com.apple.WebCore             	0x00000006006071e5 WTF::RefPtr<WebCore::ImageBuffer, WTF::RawPtrTraits<WebCore::ImageBuffer>, WTF::DefaultRefDerefTraits<WebCore::ImageBuffer> >::~RefPtr() + 21 (RefPtr.h:73)
47  com.apple.WebCore             	0x0000000602b39c33 WebCore::HTMLCanvasElement::~HTMLCanvasElement() + 195 (HTMLCanvasElement.cpp:157)
48  com.apple.WebCore             	0x0000000602b39d15 WebCore::HTMLCanvasElement::~HTMLCanvasElement() + 21 (HTMLCanvasElement.cpp:158)
49  com.apple.WebCore             	0x0000000602b39d7c WebCore::HTMLCanvasElement::~HTMLCanvasElement() + 28 (HTMLCanvasElement.cpp:149)
50  com.apple.WebCore             	0x00000006027e45ef WebCore::Node::removedLastRef() + 223 (Node.cpp:2564)
51  com.apple.WebCore             	0x00000005ff9a215f WebCore::Node::deref() const + 527 (Node.h:801)

Comment 1 Chris Dumez 2021-01-07 16:48:04 PST

Created attachment 417223 [details]
Patch

Comment 2 Geoffrey Garen 2021-01-07 20:46:25 PST

Comment on attachment 417223 [details]
Patch

r=me

Comment 3 Chris Dumez 2021-01-08 07:45:26 PST

Comment on attachment 417223 [details]
Patch

Clearing flags on attachment: 417223

Committed r271296: <https://trac.webkit.org/changeset/271296>

Comment 4 Chris Dumez 2021-01-08 07:45:29 PST

All reviewed patches have been landed.  Closing bug.

Comment 5 Radar WebKit Bug Importer 2021-01-08 07:46:16 PST

<rdar://problem/72930238>