WebKit Bugzilla
RESOLVED MOVED
280416
Repeated crashes in WebCore::PlatformSpeechSynthesizer::initializeVoiceList()
https://bugs.webkit.org/show_bug.cgi?id=280416
Chris BeHanna
Reported
2024-09-26 10:35:04 PDT
Created attachment 472695: CrashReporter output

Despite disabling all extensions, clearing the cache, booting into safe mode, and starting the browser with the shift key, I am able to 100% reproduce a crash in InitializeVoiceList(), even if I just let the browser sit idle.

Of note, if I create a new user on my Mac and run the browser in that new user's environment, I do not get the crash. I am at a loss to figure out what in my environment reliably produces this crash. I do not have VoiceOver or any such accessibility items turned on.

I've attached the complete CrashReporter output. I'm pasting the stack trace of the crashed thread inline so that it will be searchable. I now have a debug build of WebKit main and will try to repro there as well.

Crashed Thread: 0 Dispatch queue: create-voices-avspeech
Exception Type: EXC_CRASH (SIGABRT)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Termination Reason: Namespace SIGNAL, Code 6 Abort trap: 6
Terminating Process: Safari [31895]
Application Specific Information:
abort() called

Thread 0 Crashed:: Dispatch queue: create-voices-avspeech
0 libsystem_kernel.dylib 0x7ff80aaa5d96 __pthread_kill + 10
1 libsystem_pthread.dylib 0x7ff80aadeebd pthread_kill + 262
2 libsystem_c.dylib 0x7ff80aa04a79 abort + 126
3 libc++abi.dylib 0x7ff80aa97922 abort_message + 241
4 libc++abi.dylib 0x7ff80aa8a12a demangling_terminate_handler() + 266
5 libobjc.A.dylib 0x7ff80a726b4a _objc_terminate() + 96
6 libc++abi.dylib 0x7ff80aa96d7b std::__terminate(void (*)()) + 6
7 libc++abi.dylib 0x7ff80aa96d36 std::terminate() + 54
8 libdispatch.dylib 0x7ff80a93ddd0 _dispatch_client_callout + 28
9 libdispatch.dylib 0x7ff80a94ad3c _dispatch_lane_barrier_sync_invoke_and_complete + 60
10 TextToSpeech 0x7ff91e659e13 0x7ff91e639000 + 134675
11 TextToSpeech 0x7ff91e659caf 0x7ff91e639000 + 134319
12 WebCore 0x7ff90c1ea6b7 WebCore::PlatformSpeechSynthesizer::initializeVoiceList() + 119
13 WebCore 0x7ff90de54838 WebCore::PlatformSpeechSynthesizer::voiceList() const + 24
14 WebKit 0x7ff90f81eb3b WebKit::WebPageProxy::speechSynthesisVoiceList(WTF::CompletionHandler<void (WTF::Vector<WebKit::WebSpeechSynthesisVoice, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>&&)>&&) + 33
15 WebKit 0x7ff90fc82efa WebKit::WebPageProxy::didReceiveSyncMessage(IPC::Connection&, IPC::Decoder&, WTF::UniqueRef<IPC::Encoder>&) + 9216
16 WebKit 0x7ff90fd3aaf4 IPC::MessageReceiverMap::dispatchSyncMessage(IPC::Connection&, IPC::Decoder&, WTF::UniqueRef<IPC::Encoder>&) + 268
17 WebKit 0x7ff90f858e73 WebKit::WebProcessProxy::didReceiveSyncMessage(IPC::Connection&, IPC::Decoder&, WTF::UniqueRef<IPC::Encoder>&) + 41
18 WebKit 0x7ff90fd36491 IPC::Connection::dispatchSyncMessage(IPC::Decoder&) + 177
19 WebKit 0x7ff90fd367b7 IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder>>) + 489
20 WebKit 0x7ff90fd3266c IPC::Connection::SyncMessageState::ConnectionAndIncomingMessage::dispatch() + 42
21 WebKit 0x7ff90fd3801f WTF::Detail::CallableWrapper<IPC::Connection::SyncMessageState::processIncomingMessage(IPC::Connection&, std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder>>&)::$_5, void>::call() + 639
22 JavaScriptCore 0x7ff827d1877e WTF::RunLoop::performWork() + 430
23 JavaScriptCore 0x7ff827d1955a WTF::RunLoop::performWork(void*) + 26
24 CoreFoundation 0x7ff80abbc087 __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
25 CoreFoundation 0x7ff80abbc029 __CFRunLoopDoSource0 + 157
26 CoreFoundation 0x7ff80abbbdf4 __CFRunLoopDoSources0 + 215
27 CoreFoundation 0x7ff80abbaa71 __CFRunLoopRun + 919
28 CoreFoundation 0x7ff80abba112 CFRunLoopRunSpecific + 557
29 HIToolbox 0x7ff8155d9a09 RunCurrentEventLoopInMode + 292
30 HIToolbox 0x7ff8155d9646 ReceiveNextEventCommon + 201
31 HIToolbox 0x7ff8155d9561 _BlockUntilNextEventMatchingListInModeWithFilter + 66
32 AppKit 0x7ff80e22a171 _DPSNextEvent + 880
33 AppKit 0x7ff80eb3eaf0 -[NSApplication(NSEventRouting) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 1273
34 Safari 0x7ff91a67490c -[BrowserApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 217
35 AppKit 0x7ff80e21b585 -[NSApplication run] + 603
36 AppKit 0x7ff80e1ef4f3 NSApplicationMain + 816
37 Safari 0x7ff91aa50f84 SafariMain + 518
38 dyld 0x7ff80a753345 start + 1909
Attachments
CrashReporter output (79.22 KB, text/plain), 2024-09-26 10:35 PDT, Chris BeHanna, no flags
Alexey Proskuryakov
Comment 1
2024-09-30 10:11:36 PDT
rdar://126271259
Thank you for the report.

It looks like a web page is calling the `speechSynthesis.getVoices()` API, most likely to attempt fingerprinting. You may be able to reproduce this more reliably by executing this code in Web Inspector or in a test file.

This is a problem in an underlying system framework, not in WebKit, so I'm marking this issue as RESOLVED/MOVED. However, please do post anything else that you may discover that could help isolate this issue, and I'll pass it over.

I suspect that text to speech settings are either corrupted or non-default in some way that triggers the bug. Also, what is the system language for the user account where this reproduces?
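Added example, not part of the comment above and not WebKit code: one way to find out which script on a page calls `speechSynthesis.getVoices()` is to wrap the method and record the caller's stack before the call is forwarded. `instrumentGetVoices` and `onCall` are hypothetical names chosen for this sketch.

```javascript
// Added example. instrumentGetVoices and onCall are hypothetical names.
// Wraps getVoices() on a SpeechSynthesis-like object and records who calls it.
function instrumentGetVoices(synth, onCall = () => {}) {
  if (!synth || typeof synth.getVoices !== "function") {
    throw new TypeError("expected an object with a getVoices() method");
  }
  const original = synth.getVoices;
  // In a browser the method lives on the prototype, so remember whether the
  // instance had its own property; restore() must put things back exactly.
  const hadOwn = Object.prototype.hasOwnProperty.call(synth, "getVoices");
  const calls = [];

  function wrapped(...args) {
    // Record before delegating, so onCall runs even if the native call
    // never returns.
    const stack = String(new Error().stack || "")
      .split("\n")
      .map((line) => line.trim())
      .filter(Boolean);
    const record = { time: Date.now(), stack };
    calls.push(record);
    onCall(record);
    return original.apply(this, args);
  }

  synth.getVoices = wrapped;
  return {
    calls,
    restore() {
      if (synth.getVoices !== wrapped) return; // someone else re-wrapped it
      if (hadOwn) synth.getVoices = original;
      else delete synth.getVoices;
    },
  };
}

// In Web Inspector: log the calling script's stack for every getVoices() call.
if (typeof speechSynthesis !== "undefined") {
  instrumentGetVoices(speechSynthesis, (r) => console.log(r.stack.join("\n")));
}
```

The wrapper only sees calls made after it is installed, so in a test file it should be installed before the page's other scripts run.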
Chris BeHanna
Comment 2
2024-09-30 10:46:22 PDT
Should an underlying framework be able to *crash* WebKit? Would it be more user-friendly to pop up an error dialog and continue on? As it is, it was extremely difficult to get to the bottom of this (which someone finally did): deleting ~/Library/Preferences/com.apple.SpeechSelection.plist cured it. To answer the locale question: language is U.S. English.
Alexey Proskuryakov
Comment 3
2024-09-30 11:03:02 PDT
Did you happen to keep a copy of com.apple.SpeechSelection.plist? That would help Apple get to the bottom of this. As for underlying frameworks causing crashes, yes, this is the nature of how things work; it is not possible to recover from such error conditions.