WebKit Bugzilla
New
Browse
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
RESOLVED FIXED
229003
ThreadSanitizer: data race in WTF::StringImpl::deref() under WebKit::NetworkCache::IOChannel::~IOChannel()
https://bugs.webkit.org/show_bug.cgi?id=229003
Summary
ThreadSanitizer: data race in WTF::StringImpl::deref() under WebKit::NetworkC...
David Kilzer (:ddkilzer)
Reported
2021-08-11 08:35:12 PDT
ThreadSanitizer: data race in WTF::StringImpl::deref() under WebKit::NetworkCache::IOChannel::~IOChannel(). The WebKit::NetworkCache::IOChannel class is ThreadSafeRefCounted<>, but it doesn't make an isolatedCopy() for its m_path instance variable, resulting in a data race. WARNING: ThreadSanitizer: data race (pid=70289) Read of size 4 at 0x7b3c00008250 by main thread: #0 WTF::StringImpl::deref() <null> (WebKit:x86_64+0x7aca) #1 WebKit::NetworkCache::IOChannel::~IOChannel() <null> (WebKit:x86_64+0x7b5ea6) #2 WebKit::NetworkCache::IOChannel::~IOChannel() <null> (WebKit:x86_64+0x7b5f39) #3 WTF::ThreadSafeRefCounted<WebKit::NetworkCache::IOChannel, (WTF::DestructionThread)0>::deref() const::'lambda'()::operator()() const <null> (WebKit:x86_64+0x7be829) #4 WTF::ThreadSafeRefCounted<WebKit::NetworkCache::IOChannel, (WTF::DestructionThread)0>::deref() const <null> (WebKit:x86_64+0x7be7ea) #5 WebKit::NetworkCache::IOChannel::write(unsigned long, WebKit::NetworkCache::Data const&, WTF::WorkQueue&, WTF::Function<void (int)>&&)::$_8::~$_8() <null> (WebKit:x86_64+0x7b882b) #6 WebKit::NetworkCache::IOChannel::write(unsigned long, WebKit::NetworkCache::Data const&, WTF::WorkQueue&, WTF::Function<void (int)>&&)::$_8::~$_8() <null> (WebKit:x86_64+0x7b63b9) #7 WTF::BlockPtr<void (bool, NSObject<OS_dispatch_data>*, int)> WTF::BlockPtr<void (bool, NSObject<OS_dispatch_data>*, int)>::fromCallable<WebKit::NetworkCache::IOChannel::write(unsigned long, WebKit::NetworkCache::Data const&, WTF::WorkQueue&, WTF::Function<void (int)>&&)::$_8>(WebKit::NetworkCache::IOChannel::write(unsigned long, WebKit::NetworkCache::Data const&, WTF::WorkQueue&, WTF::Function<void (int)>&&)::$_8)::'lambda'(void const*)::operator()(void const*) const <null> (WebKit:x86_64+0x7b860d) #8 WTF::BlockPtr<void (bool, NSObject<OS_dispatch_data>*, int)> WTF::BlockPtr<void (bool, NSObject<OS_dispatch_data>*, int)>::fromCallable<WebKit::NetworkCache::IOChannel::write(unsigned long, WebKit::NetworkCache::Data const&, WTF::WorkQueue&, WTF::Function<void (int)>&&)::$_8>(WebKit::NetworkCache::IOChannel::write(unsigned long, WebKit::NetworkCache::Data const&, WTF::WorkQueue&, WTF::Function<void (int)>&&)::$_8)::'lambda'(void const*)::__invoke(void const*) <null> (WebKit:x86_64+0x7b85d9) #9 _Block_release <null> (libsystem_blocks.dylib:x86_64+0x1650) #10 WKXPCServiceMain <null> (WebKit:x86_64+0x22543fe) #11 main <null> (com.apple.WebKit.Networking.Development:x86_64+0x100003e3e) Previous write of size 4 at 0x7b3c00008250 by thread T2: #0 WTF::StringImpl::deref() <null> (WebKit:x86_64+0x7ada) #1 WebKit::NetworkCache::Storage::dispatchWriteOperation(std::__1::unique_ptr<WebKit::NetworkCache::Storage::WriteOperation, std::__1::default_delete<WebKit::NetworkCache::Storage::WriteOperation> >)::$_22::operator()() const <null> (WebKit:x86_64+0xd98177) #2 WTF::Detail::CallableWrapper<WebKit::NetworkCache::Storage::dispatchWriteOperation(std::__1::unique_ptr<WebKit::NetworkCache::Storage::WriteOperation, std::__1::default_delete<WebKit::NetworkCache::Storage::WriteOperation> >)::$_22, void>::call() <null> (WebKit:x86_64+0xd97f1d) #3 WTF::Function<void ()>::operator()() const <null> (JavaScriptCore:x86_64+0x2620d) #4 WTF::(anonymous namespace)::DispatchWorkItem::operator()() <null> (JavaScriptCore:x86_64+0x11285d) #5 void WTF::dispatchWorkItem<WTF::(anonymous namespace)::DispatchWorkItem>(void*) <null> (JavaScriptCore:x86_64+0x111849) #6 __tsan::dispatch_callback_wrap(void*) <null> (libclang_rt.tsan_osx_dynamic.dylib:x86_64+0x734d1) #7 _dispatch_client_callout <null> (libdispatch.dylib:x86_64+0x34ff) Location is heap block of size 240 at 0x7b3c00008250 allocated by thread T2: #0 __sanitizer_mz_malloc <null> (libclang_rt.tsan_osx_dynamic.dylib:x86_64+0x5168a) #1 _malloc_zone_malloc <null> (libsystem_malloc.dylib:x86_64+0x1cf80) #2 bmalloc::Cache::tryAllocateSlowCaseNullCache(bmalloc::HeapKind, unsigned long) <null> (JavaScriptCore:x86_64+0x11d143) #3 bmalloc::Cache::tryAllocate(bmalloc::HeapKind, unsigned long) <null> (JavaScriptCore:x86_64+0x37fd9) #4 WTF::tryFastMalloc(unsigned long) <null> (JavaScriptCore:x86_64+0x36fdf) #5 WTF::FastMalloc::tryMalloc(unsigned long) <null> (JavaScriptCore:x86_64+0x18e4ee5) #6 WTF::String WTF::tryMakeStringFromAdapters<WTF::StringTypeAdapter<WTF::StringAppend<WTF::String, char const*>, void>, WTF::StringTypeAdapter<WTF::String, void> >(WTF::StringTypeAdapter<WTF::StringAppend<WTF::String, char const*>, void>, WTF::StringTypeAdapter<WTF::String, void>) <null> (JavaScriptCore:x86_64+0x46051) #7 WTF::String WTF::tryMakeString<WTF::StringAppend<WTF::String, char const*>, WTF::String>(WTF::StringAppend<WTF::String, char const*>, WTF::String) <null> (JavaScriptCore:x86_64+0x45f66) #8 WTF::StringAppend<WTF::StringAppend<WTF::String, char const*>, WTF::String>::operator WTF::String() const <null> (JavaScriptCore:x86_64+0x44f7d) #9 WTF::FileSystemImpl::pathByAppendingComponent(WTF::String const&, WTF::String const&) <null> (JavaScriptCore:x86_64+0x44bfb) #10 WebKit::NetworkCache::Storage::recordPathForKey(WebKit::NetworkCache::Key const&) const <null> (WebKit:x86_64+0xd6034f) #11 WebKit::NetworkCache::Storage::dispatchWriteOperation(std::__1::unique_ptr<WebKit::NetworkCache::Storage::WriteOperation, std::__1::default_delete<WebKit::NetworkCache::Storage::WriteOperation> >)::$_22::operator()() const <null> (WebKit:x86_64+0xd97fdd) #12 WTF::Detail::CallableWrapper<WebKit::NetworkCache::Storage::dispatchWriteOperation(std::__1::unique_ptr<WebKit::NetworkCache::Storage::WriteOperation, std::__1::default_delete<WebKit::NetworkCache::Storage::WriteOperation> >)::$_22, void>::call() <null> (WebKit:x86_64+0xd97f1d) #13 WTF::Function<void ()>::operator()() const <null> (JavaScriptCore:x86_64+0x2620d) #14 WTF::(anonymous namespace)::DispatchWorkItem::operator()() <null> (JavaScriptCore:x86_64+0x11285d) #15 void WTF::dispatchWorkItem<WTF::(anonymous namespace)::DispatchWorkItem>(void*) <null> (JavaScriptCore:x86_64+0x111849) #16 __tsan::dispatch_callback_wrap(void*) <null> (libclang_rt.tsan_osx_dynamic.dylib:x86_64+0x734d1) #17 _dispatch_client_callout <null> (libdispatch.dylib:x86_64+0x34ff) Thread T2 (tid=13904706, running) is a GCD worker thread SUMMARY: ThreadSanitizer: data race (WebKitBuild/WebKit.framework/Versions/A/WebKit:x86_64+0x7aca) in WTF::StringImpl::deref()+0x1a
Attachments
Patch v1
(5.01 KB, patch)
2021-08-11 08:47 PDT
,
David Kilzer (:ddkilzer)
cdumez
: review+
ews-feeder
: commit-queue-
Details
Formatted Diff
Diff
Patch v2
(6.07 KB, patch)
2021-08-11 11:47 PDT
,
David Kilzer (:ddkilzer)
no flags
Details
Formatted Diff
Diff
Show Obsolete
(1)
View All
Add attachment
proposed patch, testcase, etc.
David Kilzer (:ddkilzer)
Comment 1
2021-08-11 08:35:36 PDT
Regressed in: Prune least valuable cache entries first
https://bugs.webkit.org/show_bug.cgi?id=142810
Radar WebKit Bug Importer
Comment 2
2021-08-11 08:35:47 PDT
<
rdar://problem/81795626
>
David Kilzer (:ddkilzer)
Comment 3
2021-08-11 08:47:34 PDT
Created
attachment 435349
[details]
Patch v1
David Kilzer (:ddkilzer)
Comment 4
2021-08-11 11:39:24 PDT
Lol...I created a use-after-move bug. Fixing.
David Kilzer (:ddkilzer)
Comment 5
2021-08-11 11:47:48 PDT
Created
attachment 435365
[details]
Patch v2
EWS
Comment 6
2021-08-11 15:33:26 PDT
Committed
r280935
(
240452@main
): <
https://commits.webkit.org/240452@main
> All reviewed patches have been landed. Closing bug and clearing flags on
attachment 435365
[details]
.
Note
You need to
log in
before you can comment on or make changes to this bug.
Top of Page
Format For Printing
XML
Clone This Bug