WebKit Bugzilla
RESOLVED FIXED
298835
[WTF] Span debug iterator asserts in StringImpl::removeCharactersImpl under parseCacheControlDirectives
https://bugs.webkit.org/show_bug.cgi?id=298835
Teng Huang
Reported
2025-09-14 04:57:34 PDT
The statement `unsigned outc = from.begin() - characters.begin();` makes the WebProcess crash. In Debug mode, std::span::_Span_iterator checks the iterators from.begin() and characters.begin(); it found that some pointers in the two iterators are not identical, and then crashes the whole process. In Release mode the macro _ITERATOR_DEBUG_LEVEL is 0, so the checking logic is disabled and everything looks OK.

How to reproduce?
1. Build the Debug MiniBrowser with the macro _ITERATOR_DEBUG_LEVEL=2;
2. Set your default home page to https://163.com for MiniBrowser;
3. Start MiniBrowser and use procdump64 to attach to WebKitWebProcess (for example: procdump64.exe -ma -e 1 -f "" <pid>);
4. Wait a few minutes. WebKitWebProcess will crash and you will get a dmp file.
Teng Huang
Comment 1
2025-09-16 01:47:48 PDT
In addition, I am surprised that this function has no unit test. Without unit tests, it is difficult for me to understand what it is trying to do.
Alexey Proskuryakov
Comment 2
2025-09-17 11:42:39 PDT
Thank you for the report! Could you please provide the stack trace? This looks like it could be a cross-platform issue.
Teng Huang
Comment 3
2025-09-17 18:22:49 PDT
The stack trace:
00 0000005f`0cdfebd0 00007ffd`3655ca1d ucrtbased!_invoke_watson+0x2c [minkernel\crts\ucrt\src\appcrt\misc\invalid_parameter.cpp @ 237]
01 0000005f`0cdfec00 00007ffd`3a618634 WebCore!std::_Span_iterator<const unsigned char>::operator-+0x9d [C:\Program Files\Microsoft Visual Studio\2022\Preview\VC\Tools\MSVC\14.44.35207\include\span @ 142]
02 0000005f`0cdfec50 00007ffd`3a61847c WebCore!WTF::StringImpl::removeCharactersImpl<unsigned char,`lambda at D:\webkit\WebKit\Source\WebCore\platform\network\CacheValidation.cpp:284:68'>+0x164 [D:\webkit\WebKit\WebKitBuild\Debug\WTF\Headers\wtf\text\StringImpl.h @ 1349]
03 0000005f`0cdfed80 00007ffd`3a612135 WebCore!WTF::StringImpl::removeCharacters<`lambda at D:\webkit\WebKit\Source\WebCore\platform\network\CacheValidation.cpp:284:68'>+0x7c [D:\webkit\WebKit\WebKitBuild\Debug\WTF\Headers\wtf\text\StringImpl.h @ 1370]
04 0000005f`0cdfee10 00007ffd`3a611a9f WebCore!WTF::String::removeCharacters<`lambda at D:\webkit\WebKit\Source\WebCore\platform\network\CacheValidation.cpp:284:68'>+0x65 [D:\webkit\WebKit\WebKitBuild\Debug\WTF\Headers\wtf\text\WTFString.h @ 542]
05 0000005f`0cdfee80 00007ffd`3a676b91 WebCore!WebCore::parseCacheControlDirectives+0x7f [D:\webkit\WebKit\Source\WebCore\platform\network\CacheValidation.cpp @ 287]
06 0000005f`0cdff0e0 00007ffd`3a676c59 WebCore!WebCore::ResourceResponseBase::parseCacheControlDirectives+0xb1 [D:\webkit\WebKit\Source\WebCore\platform\network\ResourceResponseBase.cpp @ 688]
07 0000005f`0cdff140 00007ffd`39d93d13 WebCore!WebCore::ResourceResponseBase::cacheControlContainsNoStore+0x29 [D:\webkit\WebKit\Source\WebCore\platform\network\ResourceResponseBase.cpp @ 703]
08 0000005f`0cdff180 00007ffd`39d93225 WebCore!WebCore::CachedResource::deleteIfPossible::<lambda_2>::operator()+0x23 [D:\webkit\WebKit\Source\WebCore\loader\cache\CachedResource.cpp @ 648]
09 0000005f`0cdff1c0 00007ffd`39d94d58 WebCore!WebCore::CachedResource::deleteIfPossible+0x175 [D:\webkit\WebKit\Source\WebCore\loader\cache\CachedResource.cpp @ 646]
0a 0000005f`0cdff270 00007ffd`39d95a35 WebCore!WebCore::CachedResource::unregisterHandle+0xe8 [D:\webkit\WebKit\Source\WebCore\loader\cache\CachedResource.cpp @ 849]
0b 0000005f`0cdff2c0 00007ffd`390ae573 WebCore!WebCore::CachedResourceHandleBase::~CachedResourceHandleBase+0x35 [D:\webkit\WebKit\Source\WebCore\loader\cache\CachedResourceHandle.cpp @ 62]
0c 0000005f`0cdff300 00007ffd`39dbb771 WebCore!WebCore::CachedResourceHandle<WebCore::CachedResource>::~CachedResourceHandle+0x13 [D:\webkit\WebKit\WebKitBuild\Debug\WebCore\PrivateHeaders\WebCore\CachedResource.h @ 71]
0d 0000005f`0cdff330 00007ffd`39dbb743 WebCore!WTF::KeyValuePairHashTraits<WTF::HashTraits<WTF::String>,WTF::HashTraits<WebCore::CachedResourceHandle<WebCore::CachedResource> > >::customDeleteBucket+0x21 [D:\webkit\WebKit\WebKitBuild\Debug\WTF\Headers\wtf\HashTraits.h @ 422]
0e 0000005f`0cdff360 00007ffd`39dbb683 WebCore!WTF::hashTraitsDeleteBucket<WTF::HashMap<WTF::String,WebCore::CachedResourceHandle<WebCore::CachedResource>,WTF::DefaultHash<WTF::String>,WTF::HashTraits<WTF::String>,WTF::HashTraits<WebCore::CachedResourceHandle<WebCore::CachedResource> >,WTF::HashTableTraits,1,WTF::FastMalloc>::KeyValuePairTraits,WTF::KeyValuePair<WTF::String,WebCore::CachedResourceHandle<WebCore::CachedResource> > >+0x13 [D:\webkit\WebKit\WebKitBuild\Debug\WTF\Headers\wtf\HashTraits.h @ 340]
0f 0000005f`0cdff390 00007ffd`39dbb612 WebCore!WTF::HashTable<WTF::String,WTF::KeyValuePair<WTF::String,WebCore::CachedResourceHandle<WebCore::CachedResource> >,WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::String,WebCore::CachedResourceHandle<WebCore::CachedResource> > >,WTF::DefaultHash<WTF::String>,WTF::HashMap<WTF::String,WebCore::CachedResourceHandle<WebCore::CachedResource>,WTF::DefaultHash<WTF::String>,WTF::HashTraits<WTF::String>,WTF::HashTraits<WebCore::CachedResourceHandle<WebCore::CachedResource> >,WTF::HashTableTraits,1,WTF::FastMalloc>::KeyValuePairTraits,WTF::HashTraits<WTF::String>,WTF::FastMalloc>::deleteBucket+0x13 [D:\webkit\WebKit\WebKitBuild\Debug\WTF\Headers\wtf\HashTable.h @ 588]
10 0000005f`0cdff3c0 00007ffd`39dbb5dc WebCore!WTF::HashTable<WTF::String,WTF::KeyValuePair<WTF::String,WebCore::CachedResourceHandle<WebCore::CachedResource> >,WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::String,WebCore::CachedResourceHandle<WebCore::CachedResource> > >,WTF::DefaultHash<WTF::String>,WTF::HashMap<WTF::String,WebCore::CachedResourceHandle<WebCore::CachedResource>,WTF::DefaultHash<WTF::String>,WTF::HashTraits<WTF::String>,WTF::HashTraits<WebCore::CachedResourceHandle<WebCore::CachedResource> >,WTF::HashTableTraits,1,WTF::FastMalloc>::KeyValuePairTraits,WTF::HashTraits<WTF::String>,WTF::FastMalloc>::remove+0x22 [D:\webkit\WebKit\WebKitBuild\Debug\WTF\Headers\wtf\HashTable.h @ 1059]
11 0000005f`0cdff400 00007ffd`39dbb589 WebCore!WTF::HashTable<WTF::String,WTF::KeyValuePair<WTF::String,WebCore::CachedResourceHandle<WebCore::CachedResource> >,WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::String,WebCore::CachedResourceHandle<WebCore::CachedResource> > >,WTF::DefaultHash<WTF::String>,WTF::HashMap<WTF::String,WebCore::CachedResourceHandle<WebCore::CachedResource>,WTF::DefaultHash<WTF::String>,WTF::HashTraits<WTF::String>,WTF::HashTraits<WebCore::CachedResourceHandle<WebCore::CachedResource> >,WTF::HashTableTraits,1,WTF::FastMalloc>::KeyValuePairTraits,WTF::HashTraits<WTF::String>,WTF::FastMalloc>::removeAndInvalidateWithoutEntryConsistencyCheck+0x2c [D:\webkit\WebKit\WebKitBuild\Debug\WTF\Headers\wtf\HashTable.h @ 1039]
12 0000005f`0cdff440 00007ffd`39dbb3be WebCore!WTF::HashTable<WTF::String,WTF::KeyValuePair<WTF::String,WebCore::CachedResourceHandle<WebCore::CachedResource> >,WTF::KeyValuePairKeyExtractor<WTF::KeyValuePair<WTF::String,WebCore::CachedResourceHandle<WebCore::CachedResource> > >,WTF::DefaultHash<WTF::String>,WTF::HashMap<WTF::String,WebCore::CachedResourceHandle<WebCore::CachedResource>,WTF::DefaultHash<WTF::String>,WTF::HashTraits<WTF::String>,WTF::HashTraits<WebCore::CachedResourceHandle<WebCore::CachedResource> >,WTF::HashTableTraits,1,WTF::FastMalloc>::KeyValuePairTraits,WTF::HashTraits<WTF::String>,WTF::FastMalloc>::removeWithoutEntryConsistencyCheck+0x79 [D:\webkit\WebKit\WebKitBuild\Debug\WTF\Headers\wtf\HashTable.h @ 1085]
13 0000005f`0cdff4c0 00007ffd`39daa8c5 WebCore!WTF::HashMap<WTF::String,WebCore::CachedResourceHandle<WebCore::CachedResource>,WTF::DefaultHash<WTF::String>,WTF::HashTraits<WTF::String>,WTF::HashTraits<WebCore::CachedResourceHandle<WebCore::CachedResource> >,WTF::HashTableTraits,1,WTF::FastMalloc>::remove+0x9e [D:\webkit\WebKit\WebKitBuild\Debug\WTF\Headers\wtf\HashMap.h @ 552]
14 0000005f`0cdff580 00007ffd`39d96162 WebCore!WTF::HashMap<WTF::String,WebCore::CachedResourceHandle<WebCore::CachedResource>,WTF::DefaultHash<WTF::String>,WTF::HashTraits<WTF::String>,WTF::HashTraits<WebCore::CachedResourceHandle<WebCore::CachedResource> >,WTF::HashTableTraits,1,WTF::FastMalloc>::remove+0x45 [D:\webkit\WebKit\WebKitBuild\Debug\WTF\Headers\wtf\HashMap.h @ 564]
15 0000005f`0cdff600 00007ffd`39db91d6 WebCore!WebCore::CachedResourceLoader::garbageCollectDocumentResources+0x2a2 [D:\webkit\WebKit\Source\WebCore\loader\cache\CachedResourceLoader.cpp @ 1713]
16 0000005f`0cdff770 00007ffd`39db9167 WebCore!WebCore::Timer::Timer<WebCore::CachedResourceLoader,WebCore::CachedResourceLoader>::<lambda_1>::operator()+0x46 [D:\webkit\WebKit\WebKitBuild\Debug\WebCore\PrivateHeaders\WebCore\Timer.h @ 166]
17 0000005f`0cdff7c0 00007ffd`3592433e WebCore!WTF::Detail::CallableWrapper<`lambda at D:\webkit\WebKit\WebKitBuild\Debug\WebCore\PrivateHeaders\WebCore\Timer.h:163:22',void>::call+0x17 [D:\webkit\WebKit\WebKitBuild\Debug\WTF\Headers\wtf\Function.h @ 53]
18 0000005f`0cdff7f0 00007ffd`37c111c7 WebCore!WTF::Function<void ()>::operator()+0x8e [D:\webkit\WebKit\WebKitBuild\Debug\WTF\Headers\wtf\Function.h @ 82]
19 0000005f`0cdff830 00007ffd`3a2291ce WebCore!WebCore::Timer::fired+0x17 [D:\webkit\WebKit\WebKitBuild\Debug\WebCore\PrivateHeaders\WebCore\Timer.h @ 201]
1a 0000005f`0cdff860 00007ffd`3a22baee WebCore!WebCore::ThreadTimers::sharedTimerFiredInternal+0x35e [D:\webkit\WebKit\Source\WebCore\platform\ThreadTimers.cpp @ 133]
1b 0000005f`0cdff940 00007ffd`3a22baa7 WebCore!WebCore::ThreadTimers::setSharedTimer::<lambda_0>::operator()+0x1e [D:\webkit\WebKit\Source\WebCore\platform\ThreadTimers.cpp @ 73]
1c 0000005f`0cdff970 00007ffd`3592433e WebCore!WTF::Detail::CallableWrapper<`lambda at D:\webkit\WebKit\Source\WebCore\platform\ThreadTimers.cpp:73:39',void>::call+0x17 [D:\webkit\WebKit\WebKitBuild\Debug\WTF\Headers\wtf\Function.h @ 53]
1d 0000005f`0cdff9a0 00007ffd`3a1baf2d WebCore!WTF::Function<void ()>::operator()+0x8e [D:\webkit\WebKit\WebKitBuild\Debug\WTF\Headers\wtf\Function.h @ 82]
1e 0000005f`0cdff9e0 00007ffd`35a72dd8 WebCore!WebCore::MainThreadSharedTimer::fired+0x8d [D:\webkit\WebKit\Source\WebCore\platform\MainThreadSharedTimer.cpp @ 86]
1f 0000005f`0cdffa20 00007ffe`77497cf6 WebCore!WebCore::TimerWindowWndProc+0xa8 [D:\webkit\WebKit\Source\WebCore\platform\win\MainThreadSharedTimerWin.cpp @ 89]
20 0000005f`0cdffa70 00007ffe`7749584d user32!UserCallWinProcCheckWow+0x356
*** WARNING: Unable to verify checksum for JavaScriptCore.dll
21 0000005f`0cdffbd0 00007ffd`59599242 user32!DispatchMessageWorker+0x1dd
*** WARNING: Unable to verify checksum for WebKit2.dll
22 0000005f`0cdffc50 00007ffd`43332303 JavaScriptCore!WTF::RunLoop::run+0x52 [D:\webkit\WebKit\Source\WTF\wtf\win\RunLoopWin.cpp @ 84]
23 0000005f`0cdffcc0 00007ffd`433321b7 WebKit2!WebKit::AuxiliaryProcessMainBase<WebKit::WebProcess,1>::run+0x83 [D:\webkit\WebKit\Source\WebKit\Shared\AuxiliaryProcessMain.h @ 77]
24 0000005f`0cdffd10 00007ffd`43332161 WebKit2!WebKit::AuxiliaryProcessMain<WebKit::WebProcessMainWin>+0x47 [D:\webkit\WebKit\Source\WebKit\Shared\AuxiliaryProcessMain.h @ 103]
*** WARNING: Unable to verify checksum for WebKitWebProcess.exe
25 0000005f`0cdffdb0 00007ff6`db72101c WebKit2!WebKit::WebProcessMain+0x91 [D:\webkit\WebKit\Source\WebKit\WebProcess\win\WebProcessMainWin.cpp @ 44]
26 0000005f`0cdffdf0 00007ff6`db7213f9 WebKitWebProcess!main+0x1c [D:\webkit\WebKit\Source\WebKit\WebProcess\EntryPoint\win\WebProcessMain.cpp @ 35]
27 0000005f`0cdffe30 00007ff6`db721532 WebKitWebProcess!invoke_main+0x39 [D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 79]
28 0000005f`0cdffe80 00007ff6`db7215be WebKitWebProcess!__scrt_common_main_seh+0x132 [D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 288]
29 0000005f`0cdffef0 00007ff6`db7215de WebKitWebProcess!__scrt_common_main+0xe [D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl @ 331]
2a 0000005f`0cdfff20 00007ffe`773de8d7 WebKitWebProcess!mainCRTStartup+0xe [D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_main.cpp @ 17]
2b 0000005f`0cdfff50 00007ffe`77c08d9c kernel32!BaseThreadInitThunk+0x17
2c 0000005f`0cdfff80 00000000`00000000 ntdll!RtlUserThreadStart+0x2c
Teng Huang
Comment 4
2025-09-17 19:32:12 PDT
The WebKitNetworkProcess will also crash for the same reason:
WebCore.dll!WTF::StringImpl::removeCharactersImpl<unsigned char,`lambda at D:\webkit\WebKit\Source\WebCore\platform\network\CacheValidation.cpp:284:68'>(std::span<const unsigned char,18446744073709551615> characters, const WebCore::parseCacheControlDirectives::<lambda_7> & findMatch) line 1343 C++
WebCore.dll!WTF::StringImpl::removeCharacters<`lambda at D:\webkit\WebKit\Source\WebCore\platform\network\CacheValidation.cpp:284:68'>(const WebCore::parseCacheControlDirectives::<lambda_7> & findMatch) line 1367 C++
WebCore.dll!WTF::String::removeCharacters<`lambda at D:\webkit\WebKit\Source\WebCore\platform\network\CacheValidation.cpp:284:68'>(const WebCore::parseCacheControlDirectives::<lambda_7> & findMatch) line 542 C++
WebCore.dll!WebCore::parseCacheControlDirectives(const WebCore::HTTPHeaderMap & headers) line 287 C++
WebCore.dll!WebCore::ResourceResponseBase::parseCacheControlDirectives() line 688 C++
WebCore.dll!WebCore::ResourceResponseBase::cacheControlContainsNoCache() line 696 C++
WebKit2.dll!WebKit::NetworkCache::responseNeedsRevalidation(WebKit::NetworkSession & networkSession, const WebCore::ResourceResponse & response, WTF::WallTime timestamp, std::optional<WTF::Seconds> maxStale) line 186 C++
WebKit2.dll!WebKit::NetworkCache::responseNeedsRevalidation(WebKit::NetworkSession & networkSession, const WebCore::ResourceResponse & response, const WebCore::ResourceRequest & request, WTF::WallTime timestamp) line 221 C++
WebKit2.dll!WebKit::NetworkCache::makeUseDecision(WebKit::NetworkProcess & networkProcess, PAL::SessionID sessionID, const WebKit::NetworkCache::Entry & entry, const WebCore::ResourceRequest & request) line 243 C++
WebKit2.dll!WebKit::NetworkCache::Cache::retrieve::<lambda_4>::operator()<WebKit::NetworkCache::Storage::Record,WebKit::NetworkCache::Storage::Timings>(WebKit::NetworkCache::Storage::Record record, WebKit::NetworkCache::Storage::Timings timings) line 444 C++
WebKit2.dll!WTF::Detail::CallableWrapper<`lambda at D:\webkit\WebKit\Source\WebKit\NetworkProcess\cache\NetworkCache.cpp:431:47',bool,WebKit::NetworkCache::Storage::Record &&,const WebKit::NetworkCache::Storage::Timings &>::call(WebKit::NetworkCache::Storage::Record && in, const WebKit::NetworkCache::Storage::Timings & in) line 53 C++
WebKit2.dll!WTF::Function<bool (WebKit::NetworkCache::Storage::Record &&, const WebKit::NetworkCache::Storage::Timings &)>::operator()(WebKit::NetworkCache::Storage::Record && in, const WebKit::NetworkCache::Storage::Timings & in) line 82 C++
WebKit2.dll!WTF::CompletionHandler<bool (WebKit::NetworkCache::Storage::Record &&, const WebKit::NetworkCache::Storage::Timings &)>::operator()(WebKit::NetworkCache::Storage::Record && in, const WebKit::NetworkCache::Storage::Timings & in) line 79 C++
WebKit2.dll!WebKit::NetworkCache::Storage::ReadOperation::finish() line 173 C++
WebKit2.dll!WebKit::NetworkCache::Storage::finishReadOperation(WTF::ObjectIdentifierGeneric<WebKit::NetworkCache::Storage::ReadOperationIdentifierType,WTF::ObjectIdentifierMainThreadAccessTraits<unsigned long long>,unsigned long long> identifier) line 923 C++
WebKit2.dll!WebKit::NetworkCache::Storage::readBlobIfNecessary::<lambda_22>::operator()() line 913 C++
WebKit2.dll!WTF::Detail::CallableWrapper<`lambda at D:\webkit\WebKit\Source\WebKit\NetworkProcess\cache\NetworkCacheStorage.cpp:906:39',void>::call() line 53 C++
JavaScriptCore.dll!WTF::Function<void ()>::operator()() line 82 C++
JavaScriptCore.dll!WTF::RunLoop::performWork() line 149 C++
JavaScriptCore.dll!WTF::RunLoop::wndProc(HWND__ * hWnd, unsigned int message, unsigned __int64 wParam, __int64 lParam) line 59 C++
JavaScriptCore.dll!WTF::RunLoop::RunLoopWndProc(HWND__ * hWnd, unsigned int message, unsigned __int64 wParam, __int64 lParam) line 41 C++
[External Code]
JavaScriptCore.dll!WTF::RunLoop::run() line 84 C++
WebKit2.dll!WebKit::AuxiliaryProcessMainBase<WebKit::NetworkProcess,0>::run(int argc, char * * argv) line 77 C++
WebKit2.dll!WebKit::AuxiliaryProcessMain<WebKit::NetworkProcessMainCurl>(int argc, char * * argv) line 103 C++
WebKit2.dll!WebKit::NetworkProcessMain(int argc, char * * argv) line 50 C++
WebKitNetworkProcess.exe!main(int argc, char * * argv) line 35 C++
[External Code]
Radar WebKit Bug Importer
Comment 5
2025-09-18 08:47:31 PDT
<rdar://problem/160862926>
Chris Dumez
Comment 6
2025-09-18 16:57:00 PDT
Pull request:
https://github.com/WebKit/WebKit/pull/50965
EWS
Comment 7
2025-09-18 19:49:43 PDT
Committed 300207@main (3a34ff002af1): <https://commits.webkit.org/300207@main>
Reviewed commits have been landed. Closing PR #50965 and removing active labels.