229444 – Crash in [RBSTarget targetWithPid:] during WebProcessProxy::shutDown

RESOLVED FIXED 229444

Crash in [RBSTarget targetWithPid:] during WebProcessProxy::shutDown

https://bugs.webkit.org/show_bug.cgi?id=229444

Summary Crash in [RBSTarget targetWithPid:] during WebProcessProxy::shutDown

Ali Juma

Reported 2021-08-24 08:29:39 PDT

Chrome for iOS is getting crash reports with the following stack, including on iOS 15 beta 6. The thrown exception is: 'must specify a valid pid'. Since r259717 ensures the pid is non-zero, perhaps there are cases where the process has already died by the time we try to take an assertion. 0x000000018fa2e708 (CoreFoundation + 0x00129708) __exceptionPreprocess 0x00000001a45387a4 (libobjc.A.dylib + 0x000287a4) objc_exception_throw 0x000000018f9303b4 (CoreFoundation + 0x0002b3b4) +[NSException raise:format:arguments:] 0x0000000190d064c0 (Foundation + 0x0007e4c0) -[NSAssertionHandler handleFailureInMethod:object:file:lineNumber:description:] 0x0000000198e25188 (RunningBoardServices + 0x00027188) +[RBSTarget targetWithProcessIdentifier:] 0x0000000198e2507c (RunningBoardServices + 0x0002707c) +[RBSTarget targetWithPid:] 0x000000019c203588 (WebKit + 0x003eb588) WebKit::ProcessAssertion::ProcessAssertion(int, WTF::String const&, WebKit::ProcessAssertionType) 0x000000019c203f2c (WebKit + 0x003ebf2c) WebKit::ProcessAndUIAssertion::ProcessAndUIAssertion(int, WTF::String const&, WebKit::ProcessAssertionType) 0x000000019bf1fb78 (WebKit + 0x00107b78) IPC::ConnectionTerminationWatchdog::ConnectionTerminationWatchdog(WTF::OSObjectPtr<NSObject<OS_xpc_object>*>&, WTF::Seconds) 0x000000019bf1c0c0 (WebKit + 0x001040c0) IPC::ConnectionTerminationWatchdog::createConnectionTerminationWatchdog(WTF::OSObjectPtr<NSObject<OS_xpc_object>*>&, WTF::Seconds) 0x000000019c11e378 (WebKit + 0x00306378) WebKit::AuxiliaryProcessProxy::shutDownProcess() 0x000000019c1da3f0 (WebKit + 0x003c23f0) WebKit::WebProcessProxy::shutDown() 0x000000019c1e7b48 (WebKit + 0x003cfb48) WebKit::WebProcessProxy::processDidTerminateOrFailedToLaunch() 0x000000019c1e78c0 (WebKit + 0x003cf8c0) WebKit::WebProcessProxy::didClose(IPC::Connection&) 0x000000019be4c524 (WebKit + 0x00034524) WTF::Detail::CallableWrapper<IPC::Connection::connectionDidClose()::$_6, void>::call() 0x0000000199dae15c (JavaScriptCore + 0x00f6515c) WTF::RunLoop::performWork() 0x0000000199daf12c (JavaScriptCore + 0x00f6612c) WTF::RunLoop::performWork(void*) 0x000000018f9a898c (CoreFoundation + 0x000a398c) __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ 0x000000018f9a8888 (CoreFoundation + 0x000a3888) __CFRunLoopDoSource0 0x000000018f9a7b8c (CoreFoundation + 0x000a2b8c) __CFRunLoopDoSources0 0x000000018f9a1b6c (CoreFoundation + 0x0009cb6c) __CFRunLoopRun 0x000000018f9a1304 (CoreFoundation + 0x0009c304) CFRunLoopRunSpecific 0x00000001a7024730 (GraphicsServices + 0x00003730) GSEventRunModal 0x000000019241f758 (UIKitCore + 0x00bca758) -[UIApplication _run] 0x0000000192424fc8 (UIKitCore + 0x00bcffc8) UIApplicationMain 0x00000001007d0bac (Chrome -chrome_exe_main.mm:65) main 0x000000018f65dcf4 (libdyld.dylib + 0x00001cf4) start

Attachments
Patch (2.15 KB, patch) 2021-08-24 09:46 PDT, Chris Dumez	no flags	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Chris Dumez

Comment 1 2021-08-24 08:50:55 PDT

I have just discussed this with a RunningBoard engineer. The most likely explanation is that the pid is < 0 (which is possible since pid_t is an int on our Darwin). We get the pid from xpc_connection_get_pid() and I guess this could theoretically return a negative PID (maybe in case of error when the process has already exited). I think we should tweak the PID check on WebKit side to early return if pid <= 0 (instead of doing an early return when !pid). Are you able to write up the patch?

Chris Dumez

Comment 2 2021-08-24 08:51:43 PDT

(In reply to Chris Dumez from comment #1) > I have just discussed this with a RunningBoard engineer. The most likely > explanation is that the pid is < 0 (which is possible since pid_t is an int > on our Darwin). We get the pid from xpc_connection_get_pid() and I guess > this could theoretically return a negative PID (maybe in case of error when > the process has already exited). > > I think we should tweak the PID check on WebKit side to early return if pid > <= 0 (instead of doing an early return when !pid). > > Are you able to write up the patch? By the way, I haven't received such reports for MobileSafari yet, which is a bit odd. I have no idea what Chrome could be doing differently to cause this...

Chris Dumez

Comment 3 2021-08-24 08:55:32 PDT

(In reply to Chris Dumez from comment #2) > (In reply to Chris Dumez from comment #1) > > I have just discussed this with a RunningBoard engineer. The most likely > > explanation is that the pid is < 0 (which is possible since pid_t is an int > > on our Darwin). We get the pid from xpc_connection_get_pid() and I guess > > this could theoretically return a negative PID (maybe in case of error when > > the process has already exited). > > > > I think we should tweak the PID check on WebKit side to early return if pid > > <= 0 (instead of doing an early return when !pid). > > > > Are you able to write up the patch? > > By the way, I haven't received such reports for MobileSafari yet, which is a > bit odd. I have no idea what Chrome could be doing differently to cause > this... Do you know when this crash started for Chrome? And could you give us an idea of the frequency (i.e. is it a top crash?).

Chris Dumez

Comment 4 2021-08-24 09:46:24 PDT

Created attachment 436298 [details] Patch

Ali Juma

Comment 5 2021-08-24 10:07:56 PDT

(In reply to Chris Dumez from comment #3) > (In reply to Chris Dumez from comment #2) > > (In reply to Chris Dumez from comment #1) > > > I have just discussed this with a RunningBoard engineer. The most likely > > > explanation is that the pid is < 0 (which is possible since pid_t is an int > > > on our Darwin). We get the pid from xpc_connection_get_pid() and I guess > > > this could theoretically return a negative PID (maybe in case of error when > > > the process has already exited). > > > > > > I think we should tweak the PID check on WebKit side to early return if pid > > > <= 0 (instead of doing an early return when !pid). > > > > > > Are you able to write up the patch? > > > > By the way, I haven't received such reports for MobileSafari yet, which is a > > bit odd. I have no idea what Chrome could be doing differently to cause > > this... > > Do you know when this crash started for Chrome? And could you give us an > idea of the frequency (i.e. is it a top crash?). We started getting this crash in iOS 14.0 (ideally we'd have filed a WebKit bug earlier but it somehow fell through the cracks until now). It represents about 0.22% of all crashes for the current version of Chrome, so it's not a top crash but it's not completely rare either.

EWS

Comment 6 2021-08-24 12:11:22 PDT

Committed r281511 (240884@main): <https://commits.webkit.org/240884@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 436298 [details].

Radar WebKit Bug Importer

Comment 7 2021-08-24 12:12:20 PDT

<rdar://problem/82303595>

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component WebKit2

Assignee

Chris Dumez

Reported

2021-08-24 08:29 PDT

Modified

2021-08-24 12:12 PDT History

CC List

7 users Show

URL

Keywords InRadar

Depends on

Blocks