Bug 227088 - [iOS 15] Crash in IPC::clearAsyncReplyHandlers
Summary: [iOS 15] Crash in IPC::clearAsyncReplyHandlers
Status: RESOLVED DUPLICATE of bug 226426
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit2
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-06-16 12:48 PDT by Ali Juma
Modified: 2021-06-16 13:26 PDT
CC List: 5 users

See Also:


Description Ali Juma 2021-06-16 12:48:05 PDT
Chrome for iOS is getting a relatively large number of crash reports in IPC::clearAsyncReplyHandlers, on iOS 15.

Most of the crash reports are on iPad. 

Here's the crash stack:

CRASHED [EXC_BAD_ACCESS / KERN_INVALID_ADDRESS @ 0x00000000 ]
0x00000001903e7230	(WebKit + 0x0042f230)		WTF::Detail::CallableWrapper<WebKit::WebPageProxy::handlePreventableTouchEvent(WebKit::NativeWebTouchEvent&)::$_15, void, bool&&>::call(bool&&)
0x00000001903e7224	(WebKit + 0x0042f224)		WTF::Detail::CallableWrapper<WebKit::WebPageProxy::handlePreventableTouchEvent(WebKit::NativeWebTouchEvent&)::$_15, void, bool&&>::call(bool&&)
0x00000001903e6f64	(WebKit + 0x0042ef64)		WTF::Detail::CallableWrapper<unsigned long long IPC::MessageSender::sendWithAsyncReply<Messages::EventDispatcher::TouchEvent, WebKit::WebPageProxy::handlePreventableTouchEvent(WebKit::NativeWebTouchEvent&)::$_15>(Messages::EventDispatcher::TouchEvent&&, WebKit::WebPageProxy::handlePreventableTouchEvent(WebKit::NativeWebTouchEvent&)::$_15&&, unsigned long long, WTF::OptionSet<IPC::SendOption>)::'lambda'(IPC::Decoder*), void, IPC::Decoder*>::call(IPC::Decoder*)
0x000000018ffeda9c	(WebKit + 0x00035a9c)		WTF::CompletionHandler<void (IPC::Decoder*)>::operator()(IPC::Decoder*)
0x000000018ffeda9c	(WebKit + 0x00035a9c)		WTF::CompletionHandler<void (IPC::Decoder*)>::operator()(IPC::Decoder*)
0x000000018ffeae54	(WebKit + 0x00032e54)		IPC::clearAsyncReplyHandlers(IPC::Connection const&)
0x000000018ffea97c	(WebKit + 0x0003297c)		IPC::Connection::~Connection()
0x000000018ffe04b0	(WebKit + 0x000284b0)		WTF::Detail::CallableWrapper<WTF::ThreadSafeRefCounted<IPC::Connection, (WTF::DestructionThread)2>::deref() const::'lambda'(), void>::call()
0x000000018d91c0fc	(JavaScriptCore + 0x00000000010b40fc)		WTF::RunLoop::performWork()
0x000000018d91d5f4	(JavaScriptCore + 0x00000000010b55f4)		WTF::RunLoop::performWork(void*)
0x0000000181754160	(CoreFoundation + 0x000a5160)		__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__
0x00000001817a80d0	(CoreFoundation + 0x000f90d0)		__CFRunLoopDoSource0
0x0000000181710480	(CoreFoundation + 0x00061480)		__CFRunLoopDoSources0
0x00000001817208d4	(CoreFoundation + 0x000718d4)		__CFRunLoopRun
0x000000018172e318	(CoreFoundation + 0x0007f318)		CFRunLoopRunSpecific
0x000000019d0cc5fc	(GraphicsServices + 0x000035fc)		GSEventRunModal
0x0000000183f069ac	(UIKitCore + 0x003d19ac)		-[UIApplication _run]
0x0000000183f06420	(UIKitCore + 0x003d1420)		UIApplicationMain
0x0000000102087f30	(Chrome -chrome_exe_main.mm:66)		main
0x0000000104019218
Comment 1 Wenson Hsieh 2021-06-16 12:53:02 PDT
Seems like a dupe of https://bugs.webkit.org/show_bug.cgi?id=226426?
Comment 2 Ali Juma 2021-06-16 13:26:26 PDT
Thanks, this does seem like a dupe of bug 226426.

*** This bug has been marked as a duplicate of bug 226426 ***