Bug 45202 - Intermittent crashes in EventSource::close()
Summary: Intermittent crashes in EventSource::close()
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc. (show other bugs)
Version: 528+ (Nightly build)
Hardware: PC Windows XP
: P1 Normal
Assignee: Nate Chapin
URL:
Keywords: NeedsReduction
Depends on:
Blocks:
 
Reported: 2010-09-03 14:37 PDT by Richard D Klein
Modified: 2022-03-01 02:50 PST (History)
6 users (show)

See Also:

Attachments
crash fix but no test :( (1.26 KB, patch)
2011-08-12 14:24 PDT, Nate Chapin 		no flags Details | Formatted Diff | Diff
+ test (4.29 KB, patch)
2011-08-12 15:16 PDT, Nate Chapin 		webkit.review.bot: commit-queue-
Details | Formatted Diff | Diff
+ test fix (4.19 KB, patch)
2011-08-24 12:17 PDT, Nate Chapin 		ap: review+
Details | Formatted Diff | Diff
Show Obsolete (2) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Richard D Klein 2010-09-03 14:37:05 PDT 
EventSource::close() sometimes crashes when you leave a page on which Server-Sent events are active.  Here's the offending code:

void EventSource::close()
{
    if (m_state == CLOSED)
        return;

    if (m_reconnectTimer.isActive()) {
        m_reconnectTimer.stop();
        unsetPendingActivity(this);
    }

    m_state = CLOSED;
    m_failSilently = true;

    if (m_requestInFlight)
        m_loader->cancel();
}

The crash happens when m_requestInFlight is true, but m_loader is 0.  This should fix it:

    if (m_requestInFlight)
        if (m_loader)
            m_loader->cancel();
Comment 1 Alexey Proskuryakov 2010-09-07 00:01:36 PDT 
I'd say that m_requestInFlight should not be true when there is no request in flight!

We'll need to make a reduced case to be landed as a regression test with a fix.
Comment 2 Richard D Klein 2010-09-10 16:13:37 PDT 
> I'd say that m_requestInFlight should not be true when there is no request in flight!

Good point.  I should have labelled my "fix" as just a workaround.
Comment 3 Alexey Proskuryakov 2011-01-19 17:39:56 PST 
Richard, does this still happen with recent nightly builds? There have been some semi-related fixes made to EventSource, but without steps to reproduce, it's unclear how to proceed.
Comment 4 Nate Chapin 2011-08-12 14:18:49 PDT 
This was also reported at http://code.google.com/p/chromium/issues/detail?id=89155.

It appears this is happening when an EventSource reconnect timer triggers after a navigation away from the current page has begun. In this case, SubresourceLoader::create() will return 0, and EventSource ends up thinking a request is in-flight but has a null m_loader.

I have a fix (don't set "m_requestInFlight = true" in connect() if ThreadableLoader::create() returns 0), but I don't have a good test reduction because it's timing-dependent.
Comment 5 Nate Chapin 2011-08-12 14:24:51 PDT 
Created attachment 103815 [details]
crash fix but no test :(

Is there a good way to ensure an internal timer like EventSource::m_reconnecTimer will fire when we want it to?
Comment 6 Nate Chapin 2011-08-12 15:16:57 PDT 
Created attachment 103826 [details]
+ test

I had a brain cramp when I posted the crash fix, creating a test was straightforward.
Comment 7 WebKit Review Bot 2011-08-12 15:45:56 PDT 
Comment on attachment 103826 [details]
+ test

Attachment 103826 [details] did not pass chromium-ews (chromium-xvfb):
Output: http://queues.webkit.org/results/9380016

New failing tests:
http/tests/eventsource/eventsource-reconnect-during-navigate-crash.html
Comment 8 Alexey Proskuryakov 2011-08-23 11:35:52 PDT 
Nate, what is the status of this patch? It's marked for review, but its test is failing.
Comment 9 Nate Chapin 2011-08-23 11:42:45 PDT 
Comment on attachment 103826 [details]
+ test


Sorry, I've gotten distracted.  I need to borrow a linux box so I can figure out why the test is failing.

Obsoleting until then.
Comment 10 Nate Chapin 2011-08-24 12:17:10 PDT 
Created attachment 105040 [details]
+ test fix
Comment 11 Alexey Proskuryakov 2011-08-24 12:25:29 PDT 
Comment on attachment 105040 [details]
+ test fix

View in context: https://bugs.webkit.org/attachment.cgi?id=105040&action=review

r=me. It would be great if you could get rid of EventSender before landing.

> LayoutTests/http/tests/eventsource/eventsource-reconnect-during-navigate-crash.html:16
> +        eventSender.mouseMoveTo(a.offsetLeft + 2, a.offsetTop + 2);
> +        eventSender.mouseDown();
> +        eventSender.mouseUp();

Does no other way to navigate work? I would expect that setting window.location is no different.

It would be nice to have the test work in browser and in ports that don't' support eventSender.

> LayoutTests/http/tests/eventsource/resources/wait-then-notify-done.php:7
> +sleep(1);
> +echo "<script> if (window.layoutTestController) layoutTestController.notifyDone()</script>\n";

Sadness.
Comment 12 Nate Chapin 2011-08-24 12:44:40 PDT 
(In reply to comment #11)
> (From update of attachment 105040 [details])
> View in context: https://bugs.webkit.org/attachment.cgi?id=105040&action=review
> 
> r=me. It would be great if you could get rid of EventSender before landing.
> 
> > LayoutTests/http/tests/eventsource/eventsource-reconnect-during-navigate-crash.html:16
> > +        eventSender.mouseMoveTo(a.offsetLeft + 2, a.offsetTop + 2);
> > +        eventSender.mouseDown();
> > +        eventSender.mouseUp();
> 
> Does no other way to navigate work? I would expect that setting window.location is no different.
> 
> It would be nice to have the test work in browser and in ports that don't' support eventSender.

You're right, a window.location navigation reproduces the crash.  Will fix before landing.

> 
> > LayoutTests/http/tests/eventsource/resources/wait-then-notify-done.php:7
> > +sleep(1);
> > +echo "<script> if (window.layoutTestController) layoutTestController.notifyDone()</script>\n";
> 
> Sadness.
 
I agree.  :(
Comment 13 Nate Chapin 2011-08-24 13:20:36 PDT 
http://trac.webkit.org/changeset/93726