RESOLVED FIXED309648
[GTK][WPE][Win] REGRESSION(309000@main): [ASan][WTR] stack-use-after-return in WTR::runPendingEventsCallback(void*) 
https://bugs.webkit.org/show_bug.cgi?id=309648
Summary [GTK][WPE][Win] REGRESSION(309000@main): [ASan][WTR] stack-use-after-return i...
Fujii Hironori
Reported 2026-03-10 23:12:17 PDT
Created attachment 478626 [details] context-nodrag-crash-log.txt REGRESSION(309000@main): [ASan][WTR] stack-use-after-return in WTR::runPendingEventsCallback(void*) Running layout tests reports a lot of stack-use-after-return with ASan enabled WebKitTestRunner. For example, fast/events/context-nodrag.html. ==416904==ERROR: AddressSanitizer: stack-use-after-return on address 0x7f1a4decd1a0 at pc 0x55617bc96e49 bp 0x7ffde6867710 sp 0x7ffde6867708 WRITE of size 1 at 0x7f1a4decd1a0 thread T0 #0 0x55617bc96e48 in WTR::runPendingEventsCallback(void*) EventSenderProxyGtk.cpp #1 0x7f1a6607c091 in WTF::Detail::CallableWrapper<WKPageDoAfterProcessingAllPendingMouseEvents::$_0, void>::call() UnifiedSource-88d1702b-22.cpp #2 0x7f1a65c8d29e in WebKit::WebPageProxy::mouseEventHandlingCompleted(std::optional<WebKit::WebEventType>, bool, std::optional<WebCore::RemoteUserInputEventData>) UnifiedSource-88d1702b-10.cpp #3 0x7f1a65d31ebc in WebKit::WebPageProxy::didReceiveEvent(IPC::Connection*, WebKit::WebEventType, bool, std::optional<WebCore::RemoteUserInputEventData>&&) UnifiedSource-88d1702b-10.cpp #4 0x7f1a65d31b08 in WebKit::WebPageProxy::didReceiveEventIPC(IPC::Connection&, WebKit::WebEventType, bool, std::optional<WebCore::RemoteUserInputEventData>&&) UnifiedSource-88d1702b-10.cpp #5 0x7f1a6484b566 in WebKit::WebPageProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&) WebPageProxyMessageReceiver.cpp #6 0x7f1a6486dc6c in non-virtual thunk to WebKit::WebPageProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&) WebPageProxyMessageReceiver.cpp #7 0x7f1a65964733 in IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) UnifiedSource-123a7f2f-3.cpp #8 0x7f1a65a7e8ac in WebKit::AuxiliaryProcessProxy::dispatchMessage(IPC::Connection&, IPC::Decoder&) UnifiedSource-88d1702b-1.cpp #9 0x7f1a65ecc59d in WebKit::WebProcessProxy::dispatchMessage(IPC::Connection&, IPC::Decoder&) UnifiedSource-88d1702b-11.cpp #10 0x7f1a648f6240 in WebKit::WebProcessProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&) WebProcessProxyMessageReceiver.cpp #11 0x7f1a648f928c in non-virtual thunk to WebKit::WebProcessProxy::didReceiveMessage(IPC::Connection&, IPC::Decoder&) WebProcessProxyMessageReceiver.cpp #12 0x7f1a6594a011 in IPC::Connection::dispatchMessage(IPC::Decoder&) UnifiedSource-123a7f2f-1.cpp #13 0x7f1a6594a819 in IPC::Connection::dispatchMessage(WTF::UniqueRef<IPC::Decoder>) UnifiedSource-123a7f2f-1.cpp #14 0x7f1a6594bc71 in IPC::Connection::dispatchIncomingMessages() UnifiedSource-123a7f2f-1.cpp #15 0x7f1a65957b5f in WTF::Detail::CallableWrapper<IPC::Connection::dispatchIncomingMessages()::$_0, void>::call() UnifiedSource-123a7f2f-1.cpp #16 0x7f1a5f44afa8 in WTF::RunLoop::performWork() RunLoop.cpp #17 0x7f1a5f801c48 in WTF::RunLoop::RunLoop()::$_0::__invoke(void*) RunLoopGLib.cpp #18 0x7f1a5f7fdaf0 in WTF::RunLoop::$_3::__invoke(_GSource*, int (*)(void*), void*) RunLoopGLib.cpp #19 0x7f1a5619945d (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5d45d) (BuildId: 116e142b9b52c8a4dfd403e759e71ab8f95d8bb3) #20 0x7f1a561f8976 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0xbc976) (BuildId: 116e142b9b52c8a4dfd403e759e71ab8f95d8bb3) #21 0x7f1a56198a22 in g_main_context_iteration (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x5ca22) (BuildId: 116e142b9b52c8a4dfd403e759e71ab8f95d8bb3) #22 0x55617bc97eec in WTR::TestController::platformRunUntil(bool&, WTF::Seconds) TestControllerGtk.cpp #23 0x55617bc00d24 in WTR::TestController::resetStateToConsistentValues(WTR::TestOptions const&, WTR::TestController::ResetStage)::$_0::operator()() const TestController.cpp #24 0x55617bbff074 in WTR::TestController::resetStateToConsistentValues(WTR::TestOptions const&, WTR::TestController::ResetStage) TestController.cpp #25 0x55617bc5eaf7 in WTR::TestInvocation::invoke() TestInvocation.cpp #26 0x55617bc0b0c6 in WTR::TestController::runTest(char const*) TestController.cpp #27 0x55617bc0b8e4 in WTR::TestController::runTestingServerLoop() TestController.cpp #28 0x55617bbeea85 in WTR::TestController::TestController(int, char const**) TestController.cpp #29 0x55617bca0be0 in main main.cpp #30 0x7f1a521881c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 #31 0x7f1a5218828a in __libc_start_main csu/../csu/libc-start.c:360:3 #32 0x55617bb09b64 in _start (/sdk/webkit/WebKitBuild/GTK/Release/bin/WebKitTestRunner+0x1d2b64) (BuildId: d5269ba23e94d5cb)
Attachments
context-nodrag-crash-log.txt (6.13 KB, text/plain)
2026-03-10 23:12 PDT, Fujii Hironori 		no flags
Details
untested-patch (1.95 KB, text/plain)
2026-03-13 06:22 PDT, Anne van Kesteren 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Fujii Hironori
Comment 1 2026-03-12 04:53:25 PDT
Pull request: https://github.com/WebKit/WebKit/pull/60449
Fujii Hironori
Comment 2 2026-03-13 00:19:52 PDT
static void waitForPendingMouseEvents(TestController* testController) { bool done = false; WKPageDoAfterProcessingAllPendingMouseEvents(testController->mainWebView()->page(), &done, runPendingEventsCallback); testController->runUntil(done, 100_ms); } If runUntil times out 100ms, the local variable `done` is written after this function. Mac port doesn't have 100ms timeout. https://github.com/WebKit/WebKit/blob/e03b1b975a22b875bacdc1dbcf5b6206b6095079/Tools/WebKitTestRunner/mac/EventSenderProxy.mm#L396-L398 So, I use TestController::noTimeout. However, deadlock happens. WebKitTestRunner enables FullySynchronousModeIsAllowedForTesting. The Injected Bundle sends GetDumpFrameLoadCallbacks synchronous message. UI process sends Messages::WebPage::MouseEvent at the same time. How to solve this problem?
Anne van Kesteren
Comment 3 2026-03-13 06:12:15 PDT
How is this not what you had before my commit with waitForPendingMouseEvents()? I just moved some code around.
Anne van Kesteren
Comment 4 2026-03-13 06:22:25 PDT
Created attachment 478666 [details] untested-patch I see, I removed the heap-allocated context. What do you think about something like this? The deeper issue seems pre-existing though and not something I introduced.
Fujii Hironori
Comment 5 2026-03-13 06:58:52 PDT
Yup. That's the reason I removed the word "REGRESSION" from the commit title. I removed 100ms timeout by following Mac port implementation. https://github.com/WebKit/WebKit/pull/60449
EWS
Comment 6 2026-03-13 07:10:10 PDT
Committed 309204@main (1e08ec6a9a5b): <https://commits.webkit.org/309204@main> Reviewed commits have been landed. Closing PR #60449 and removing active labels.
Radar WebKit Bug Importer
Comment 7 2026-03-13 07:11:13 PDT
<rdar://problem/172476746>
Fujii Hironori
Comment 8 2026-03-13 19:58:56 PDT
Re-opening for pull request https://github.com/WebKit/WebKit/pull/60611
EWS
Comment 9 2026-03-13 23:28:56 PDT
Committed 309262@main (2001d0220c76): <https://commits.webkit.org/309262@main> Reviewed commits have been landed. Closing PR #60611 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.