226653 – Flaky crash under UserMediaCaptureManagerProxy::SourceProxy::~SourceProxy() on the bots

Bug 226653 - Flaky crash under UserMediaCaptureManagerProxy::SourceProxy::~SourceProxy() on the bots

Summary: Flaky crash under UserMediaCaptureManagerProxy::SourceProxy::~SourceProxy() o...

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	Media (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Chris Dumez

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2021-06-04 11:07 PDT by Chris Dumez
Modified:	2021-06-12 15:10 PDT (History)
CC List:	9 users (show)

See Also:	226931

Attachments
Patch (2.11 KB, patch) 2021-06-04 11:24 PDT, Chris Dumez	no flags	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Chris Dumez 2021-06-04 11:07:25 PDT

Flaky crash under UserMediaCaptureManagerProxy::SourceProxy::~SourceProxy() on the bots:

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000004
Exception Note:        EXC_CORPSE_NOTIFY

Termination Signal:    Segmentation fault: 11
Termination Reason:    Namespace SIGNAL, Code 0xb
Terminating Process:   exc handler [70570]

VM Regions Near 0x4:
--> 
    __TEXT                 000000010d705000-000000010d706000 [    4K] r-x/r-x SM=COW  /Volumes/VOLUME/*/*.Development

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.WebKit              	0x000000010d9a1558 IPC::Semaphore::encode(IPC::Encoder&) const + 14
1   com.apple.WebKit              	0x000000010db9704d void IPC::TupleEncoder<4ul, WTF::ObjectIdentifier<WebCore::RealtimeMediaSourceIdentifierType> const&, WebKit::SharedMemory::IPCHandle const&, WebCore::CAAudioStreamDescription const&, unsigned long long, IPC::Semaphore const&, WTF::MediaTime const&, unsigned long>::encode<IPC::Encoder>(IPC::Encoder&, std::__1::tuple<WTF::ObjectIdentifier<WebCore::RealtimeMediaSourceIdentifierType> const&, WebKit::SharedMemory::IPCHandle const&, WebCore::CAAudioStreamDescription const&, unsigned long long, IPC::Semaphore const&, WTF::MediaTime const&, unsigned long> const&) + 57
2   com.apple.WebKit              	0x000000010db9700a void IPC::TupleEncoder<7ul, WTF::ObjectIdentifier<WebCore::RealtimeMediaSourceIdentifierType> const&, WebKit::SharedMemory::IPCHandle const&, WebCore::CAAudioStreamDescription const&, unsigned long long, IPC::Semaphore const&, WTF::MediaTime const&, unsigned long>::encode<IPC::Encoder>(IPC::Encoder&, std::__1::tuple<WTF::ObjectIdentifier<WebCore::RealtimeMediaSourceIdentifierType> const&, WebKit::SharedMemory::IPCHandle const&, WebCore::CAAudioStreamDescription const&, unsigned long long, IPC::Semaphore const&, WTF::MediaTime const&, unsigned long> const&) + 94
3   com.apple.WebKit              	0x000000010db96f6a bool IPC::Connection::send<Messages::RemoteCaptureSampleManager::AudioStorageChanged>(Messages::RemoteCaptureSampleManager::AudioStorageChanged&&, unsigned long long, WTF::OptionSet<IPC::SendOption>) + 74
4   com.apple.WebKit              	0x000000010db96e20 WebKit::UserMediaCaptureManagerProxy::SourceProxy::storageChanged(WebKit::SharedMemory*, WebCore::CAAudioStreamDescription const&, unsigned long) + 170
5   com.apple.WebKit              	0x000000010da2591a WebKit::SharedRingBufferStorage::deallocate() + 56
6   com.apple.WebCore             	0x000000011271a4e2 WebCore::CARingBuffer::~CARingBuffer() + 18
7   com.apple.WebKit              	0x000000010db967e5 std::__1::unique_ptr<WebCore::CARingBuffer, std::__1::default_delete<WebCore::CARingBuffer> >::reset(WebCore::CARingBuffer*) + 25
8   com.apple.WebKit              	0x000000010db966f2 WebKit::UserMediaCaptureManagerProxy::SourceProxy::~SourceProxy() + 192
9   com.apple.WebKit              	0x000000010db96084 WebKit::UserMediaCaptureManagerProxy::SourceProxy::~SourceProxy() + 14
10  com.apple.WebKit              	0x000000010db97a09 WTF::HashTable<WTF::ObjectIdentifier<WebCore::RealtimeMediaSourceIdentifierType>, WTF::KeyValuePair<WTF::ObjectIdentifier<WebCore::RealtimeMediaSourceIdentifierType>, std::__1::unique_ptr<WebKit::UserMediaCaptureManagerProxy::SourceProxy, std::__1::default_delete<WebKit::UserMediaCaptureManagerProxy::SourceProxy> > >, WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::ObjectIdentifier<WebCore::RealtimeMediaSourceIdentifierType>, std::__1::unique_ptr<WebKit::UserMediaCaptureManagerProxy::SourceProxy, std::__1::default_delete<WebKit::UserMediaCaptureManagerProxy::SourceProxy> > > >, WTF::DefaultHash<WTF::ObjectIdentifier<WebCore::RealtimeMediaSourceIdentifierType> >, WTF::HashMap<WTF::ObjectIdentifier<WebCore::RealtimeMediaSourceIdentifierType>, std::__1::unique_ptr<WebKit::UserMediaCaptureManagerProxy::SourceProxy, std::__1::default_delete<WebKit::UserMediaCaptureManagerProxy::SourceProxy> >, WTF::DefaultHash<WTF::ObjectIdentifier<WebCore::RealtimeMediaSourceIdentifierType> >, WTF::HashTraits<WTF::ObjectIdentifier<WebCore::RealtimeMediaSourceIdentifierType> >, WTF::HashTraits<std::__1::unique_ptr<WebKit::UserMediaCaptureManagerProxy::SourceProxy, std::__1::default_delete<WebKit::UserMediaCaptureManagerProxy::SourceProxy> > >, WTF::HashTableTraits>::KeyValuePairTraits, WTF::HashTraits<WTF::ObjectIdentifier<WebCore::RealtimeMediaSourceIdentifierType> > >::remove(WTF::KeyValuePair<WTF::ObjectIdentifier<WebCore::RealtimeMediaSourceIdentifierType>, std::__1::unique_ptr<WebKit::UserMediaCaptureManagerProxy::SourceProxy, std::__1::default_delete<WebKit::UserMediaCaptureManagerProxy::SourceProxy> > >*) + 37
11  com.apple.WebKit              	0x000000010db94847 WebKit::UserMediaCaptureManagerProxy::end(WTF::ObjectIdentifier<WebCore::RealtimeMediaSourceIdentifierType>) + 99
12  com.apple.WebKit              	0x000000010d844d42 WebKit::GPUConnectionToWebProcess::dispatchMessage(IPC::Connection&, IPC::Decoder&) + 192
13  com.apple.WebKit              	0x000000010d7fed26 WebKit::GPUConnectionToWebProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&) + 460
14  com.apple.WebKit              	0x000000010d728e31 IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) + 221
15  com.apple.WebKit              	0x000000010d729071 IPC::Connection::dispatchOneIncomingMessage() + 169
16  com.apple.JavaScriptCore      	0x00000001157f6311 WTF::RunLoop::performWork() + 513
17  com.apple.JavaScriptCore      	0x00000001157f6be2 WTF::RunLoop::performWork(void*) + 34
18  com.apple.CoreFoundation      	0x00007fff38c3f884 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
19  com.apple.CoreFoundation      	0x00007fff38c3f823 __CFRunLoopDoSource0 + 103
20  com.apple.CoreFoundation      	0x00007fff38c3f63d __CFRunLoopDoSources0 + 209
21  com.apple.CoreFoundation      	0x00007fff38c3e359 __CFRunLoopRun + 937
22  com.apple.CoreFoundation      	0x00007fff38c3d953 CFRunLoopRunSpecific + 466
23  com.apple.Foundation          	0x00007fff3b2fb1c8 -[NSRunLoop(NSRunLoop) runMode:beforeDate:] + 212
24  com.apple.Foundation          	0x00007fff3b3adc6f -[NSRunLoop(NSRunLoop) run] + 76
25  libxpc.dylib                  	0x00007fff72fb34ea _xpc_objc_main.cold.4 + 49
26  libxpc.dylib                  	0x00007fff72fb3430 _xpc_objc_main + 559
27  libxpc.dylib                  	0x00007fff72fb2f63 xpc_main + 377
28  com.apple.WebKit              	0x000000010d8ed86a WebKit::XPCServiceMain(int, char const**) + 266
29  libdyld.dylib                 	0x00007fff72d61cc9 start + 1

Thread 4:: Dispatch queue: MockAudioSharedUnit Capture Queue
0   com.apple.WebKit              	0x000000010d9a20b7 WebKit::makeMemoryEntry(unsigned long, unsigned long, WebKit::SharedMemory::Protection, unsigned int) + 4
1   com.apple.WebKit              	0x000000010d9a255a WebKit::SharedMemory::createSendRight(WebKit::SharedMemory::Protection) const + 54
2   com.apple.WebKit              	0x000000010d9a24da WebKit::SharedMemory::createHandle(WebKit::SharedMemory::Handle&, WebKit::SharedMemory::Protection) + 90
3   com.apple.WebKit              	0x000000010db96db1 WebKit::UserMediaCaptureManagerProxy::SourceProxy::storageChanged(WebKit::SharedMemory*, WebCore::CAAudioStreamDescription const&, unsigned long) + 59
4   com.apple.WebKit              	0x000000010da25895 WebKit::SharedRingBufferStorage::allocate(unsigned long, WebCore::CAAudioStreamDescription const&, unsigned long) + 85
5   com.apple.WebCore             	0x000000011271af41 WebCore::CARingBuffer::allocate(WebCore::CAAudioStreamDescription const&, unsigned long) + 225
6   com.apple.WebKit              	0x000000010db96452 WebKit::UserMediaCaptureManagerProxy::SourceProxy::audioSamplesAvailable(WTF::MediaTime const&, WebCore::PlatformAudioData const&, WebCore::AudioStreamDescription const&, unsigned long) + 554
7   com.apple.WebCore             	0x00000001128832bf WebCore::RealtimeMediaSource::audioSamplesAvailable(WTF::MediaTime const&, WebCore::PlatformAudioData const&, WebCore::AudioStreamDescription const&, unsigned long) + 287
8   com.apple.WebCore             	0x00000001128a232a WebCore::BaseAudioSharedUnit::audioSamplesAvailable(WTF::MediaTime const&, WebCore::PlatformAudioData const&, WebCore::AudioStreamDescription const&, unsigned long) + 298
9   com.apple.WebCore             	0x0000000111a5990f WebCore::MockAudioSharedUnit::emitSampleBuffers(unsigned int) + 111
10  com.apple.WebCore             	0x0000000111a599ff WebCore::MockAudioSharedUnit::render(WTF::Seconds) + 175
11  libdispatch.dylib             	0x00007fff72d076c4 _dispatch_call_block_and_release + 12
12  libdispatch.dylib             	0x00007fff72d08658 _dispatch_client_callout + 8
13  libdispatch.dylib             	0x00007fff72d0dc44 _dispatch_lane_serial_drain + 597
14  libdispatch.dylib             	0x00007fff72d0e5d6 _dispatch_lane_invoke + 363
15  libdispatch.dylib             	0x00007fff72d17c09 _dispatch_workloop_worker_thread + 596
16  libsystem_pthread.dylib       	0x00007fff72f66a3d _pthread_wqthread + 290
17  libsystem_pthread.dylib       	0x00007fff72f65b77 start_wqthread + 15

The SourceProxy destructor takes care of calling invalidate() on the SharedRingBufferStorage before destroying the CARingBuffer to avoid having SourceProxy::storageChanged() called in the middle of destruction. However, the background thread may reconstruct the RingBuffer right after the invalidate call and we will still crash in this case.

Comment 1 Chris Dumez 2021-06-04 11:24:13 PDT

Created attachment 430595 [details]
Patch

Comment 2 EWS 2021-06-04 15:17:47 PDT

Committed r278500 (238507@main): <https://commits.webkit.org/238507@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 430595 [details].

Comment 3 Radar WebKit Bug Importer 2021-06-04 15:18:21 PDT

<rdar://problem/78887963>